Implementing AFL (American Fuzzy Lop)

Tharun Kariketi
Apr 24, 2021

Fuzz Testing with AFL-Fuzz (American Fuzzy Lop)

American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage of the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road. The most efficient way to use AFL is to recompile your target application with the modified version of GCC, which allows AFL to pick up on hangs and crashes.

Implementation

The program below uses two character buffers of 10 characters each: one to hold the username and the other to hold the password. To manage user input, we use the well-known insecure gets() function, which fails to check buffer boundaries and leads to buffer overflows. Once executed, the program first asks for a username and then for a password. The inputs are stored in the two buffers, and their values are then compared with the expected values using strcmp(). Here it is implemented on Kali Linux.

#include <stdio.h>
#include <string.h>

int main(void)
{
    /* Two fixed 10-byte buffers; gets() imposes no bound, so longer input overflows them */
    char username[10];
    char password[10];

    printf("Enter the username:");
    gets(username);          /* deliberately insecure: no bounds check */
    printf("Enter the password:");
    gets(password);          /* deliberately insecure: no bounds check */

    /* Compare the whole strings against the expected values */
    if (strcmp(username, "user") == 0) {
        if (strcmp(password, "default") == 0) {
            printf("\nUser Successfully Logged in.\n");
        } else {
            printf("\nPassword entered is invalid.\n");
        }
    } else {
        printf("\nUsername Entered is Invalid.\n");
    }
    return 0;
}

To simplify the exploitation process, we will compile this program with absolutely no memory protection, i.e. NX disabled and no stack canary. Disabling these protection mechanisms can be achieved using the following GCC command:

gcc -fno-stack-protector -z execstack filename.c -o filename

Disabling NX

The -fno-stack-protector flag disables the stack canaries, while -z execstack makes both the heap and stack executable. Create a directory called testcases and, in it, create 3 files representing these cases. After creating these 3 files, create another directory called results, which will contain the results of the fuzzing run.

Start AFL using afl-fuzz with the following command:

afl-fuzz -i ./testcases/ -o ./results/ ./aflvul

After a few more cycles

The total paths field is 4, which is what we expected based on the code of vuln1. As such, once we reach 4 paths, we can stop AFL by pressing Ctrl-C. The most interesting field is unique crashes, which indicates that some of the inputs, stored in the results directory, have successfully crashed the program and should be investigated. We have 3 files in the results/crashes directory:

Each file contains the input that crashed the program, so you can reproduce the event and investigate whether the crash is exploitable. We can confirm the crash and observe a segmentation fault by piping the contents of a crash file into our compiled login.c program.
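The workflow above (seed files, a fuzzing run, then replaying whatever lands in results/crashes to confirm the segmentation fault) as a small POSIX shell helper. This is an added example, not code from the original post; it assumes the seed directory ./testcases, the AFL output directory ./results and a target binary ./aflvul, and treats the afl-fuzz run itself as a separate step.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed layout (not in the
# original): seeds in ./testcases, AFL output in ./results, target ./aflvul.

# Create the three seed files for the login program. The contents are
# constructed here: a valid login, a wrong password and a wrong username.
make_seeds() {
    dir="$1"
    mkdir -p "$dir"
    printf 'user\ndefault\n'   > "$dir/valid"
    printf 'user\nwrong\n'     > "$dir/badpass"
    printf 'nobody\ndefault\n' > "$dir/baduser"
    ls "$dir" | wc -l | tr -d ' '
}

# Replay one AFL crash file on the target's stdin, exactly as the post does by
# piping the file into the binary, and print the signal that killed it
# (0 = exited normally). The shell reports a signal death as 128 + signal.
replay_one() {
    target="$1"; input="$2"; rc=0
    "$target" < "$input" > /dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then echo $((rc - 128)); else echo 0; fi
}

# Walk results/crashes, skipping AFL's README.txt, and count the inputs that
# reproduce a SIGSEGV (signal 11). Reproducible crashes are listed on stderr.
triage_crashes() {
    target="$1"; crashdir="$2"; n=0
    for f in "$crashdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in */README.txt) continue ;; esac
        sig=$(replay_one "$target" "$f")
        if [ "$sig" -eq 11 ]; then
            n=$((n + 1))
            echo "SIGSEGV reproduced with $f" >&2
        fi
    done
    echo "$n"
}

# Typical use, after the fuzzing run from the post has been stopped with Ctrl-C:
#   make_seeds ./testcases
#   afl-fuzz -i ./testcases/ -o ./results/ ./aflvul
#   triage_crashes ./aflvul ./results/crashes
```

For afl-fuzz to see instrumentation, the target has to be built with AFL's compiler wrapper (afl-gcc in the original AFL) rather than plain gcc; a binary compiled with gcc as shown above only runs under afl-fuzz -n, the far weaker non-instrumented mode.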

Conclusion

AFL is a powerful fuzzer that can be leveraged on source code and binaries to find potential vulnerabilities. This is usually the first step in exploit development.
