Fpicker: A suite of fuzz testing tools that support multiple modes

macOS:

Compile with CFLAGS="-DUSEMMAP=1".

iOS:

Apply aflpp-ios.patch. On iOS, Fpicker needs to run as the root user; otherwise, if the target is not running as root, Fpicker will not be able to read and write the shared memory. Then compile with CFLAGS="-DUSEMMAP=1".

Tool installation

Researchers can use the following command to clone the source code of this project locally:

git clone https://github.com/ttdennis/fpicker.git

Project building and running

Fpicker can run on macOS, iOS, or Linux. The Makefile currently only supports building for iOS and macOS, but the iOS toolchain can also be used to build for the Linux platform.

make fpicker-macos

make fpicker-ios

make fpicker-linux

Once Fpicker itself is built, the next step is to build the fuzz testing component (the harness).

Firstly, we need to create a custom fuzz testing component for the target (for example, examples/test/test.js).

Next, use frida-compile to compile custom components:

frida-compile test.js -o harness.js

Now Fpicker can start fuzz testing the target. The exact command to run depends on the chosen configuration. Below are some simple usage examples, most of which are provided in the examples directory.

Run Fpicker with AFL++ proxy, bind it to the target process, and then test the specified function:

afl-fuzz -i examples/test-network/in -o examples/test-network/out -- \
    ./fpicker --fuzzer-mode afl -e attach -p test-network -f examples/test-network/harness.js

Run Fpicker in standalone mode, bind to a server, and run a client program to send fuzz testing output:

./fpicker --fuzzer-mode standalone -e attach -p server-process -f harness.js --input-mode cmd \
    --command "./client-send @@" -i indir -o outdir

Run Fpicker in standalone mode, bind to a server, and perform fuzz testing using a custom mutation cmd:

./fpicker --fuzzer-mode active --communication-mode shm -e attach -p server-process -f harness.js \
    -i indir -o outdir --standalone-mutator cmd --mutator-command "radamsa"

Run Fpicker in passive mode, bind to a server, and collect coverage and Payload:

./fpicker --fuzzer-mode passive --communication-mode send -e attach -p server-process -o outdir -f harness.js

Run Fpicker in standalone mode, bind to a running process on a remote device, and perform fuzz testing using a custom mutation cmd:

./fpicker --fuzzer-mode active -e attach -p test -D remote -o examples/test/out/ -i examples/test/in/ \
    -f fuzzer-agent.js --standalone-mutator cmd --mutator-command "radamsa"

Create a custom fuzz testing component

A custom fuzz testing component has to be written for each target. The following is an example component implementation:

// Import the fuzzer base class
const Fuzzer = require("harness/fuzzer.js");

// The custom fuzzer needs to subclass the Fuzzer class to work properly
class TestFuzzer extends Fuzzer.Fuzzer {
    constructor() {
        // The constructor needs to specify the address of the targeted function and a NativeFunction
        // object that can later be called by the fuzzer.
        const FUZZ_FUNCTION_ADDR = Module.getExportByName(null, "FUZZ_FUNCTION");
        const FUZZ_FUNCTION = new NativeFunction(
            FUZZ_FUNCTION_ADDR,
            "void", ["pointer", "int64"], {}
        );

        super("test", FUZZ_FUNCTION_ADDR, FUZZ_FUNCTION);
    }
}

const f = new TestFuzzer();
exports.fuzzer = f;

Project address

Fpicker: https://github.com/ttdennis/fpicker

Reference materials

https://insinuator.net/2021/03/fpicker-fuzzing-with-frida/

https://frida.re/docs/javascript-api/#stalker

https://github.com/AFLplusplus/AFLplusplus/

https://github.com/frida/frida-compile

https://github.com/frida/frida/releases
