A kAFL based hypervisor fuzzer which fully supports nested VMs

Overview

hAFL2

hAFL2 is a kAFL-based hypervisor fuzzer.
It is the first open-source fuzzer which is able to target hypervisors natively (including Hyper-V), as it's support nested virtualization, code coverage and detailed crash monitoring.

hAFL2 Hyper-V Fuzzing Architecture


  1. The technical details of the project are described within the TechnicalDetails.md file.
  2. The setup instructions are described within the tutorial.md file.

Disclaimer

  1. I only had 3 weeks in order to implement this project from 0 as I worked at the same time on the hAFL1 project & Black Hat USA 2021 talk, therefore, I worked in a PoC mode (a.k.a. quick and dirty.) If I had the time, I'd definetly add more features and re-write some of the code, but I decided to release it anyway as it worked end-to-end, and I wanted to provide the infosec community a native hypervisor fuzzer because I didn't find a public one. I believe that it can help other researchers to learn the field of hypervisors internals and start their own hypervisor fuzzer.

  2. I personally used it in order to target the Hyper-V networking VSP (VMSwitch), which means that I retreived code coverage out of the root partition VM (L2), and sent fuzzing inputs directly to the child partition VM (L2) where my harness was executed.
    This behavior can be easily modified (e.g. retreiving code coverage out of the hypervisor itself on L1, etc.) and I explained exactly what needs to be done in order to make it work within the TechnicalDetails.md file.

VMSwitch Harness Gaps

Due to a lack of time, I have provided a partial harness for Hyper-V's VMSwitch which provide one the ability to send RNDIS packets from the guest partition to the root partition.

It's imporant to mention that there is a major gap in the harness - it won't provide you an accurate code coverage and I'll try to explain why.

The harness is responsible for the following:

  • Signal (ACQUIRE) hAFL2 to start collecting code coverage from the root partition.
  • Send the fuzzing payload to VMSwitch within the root partition.
  • Wait for a VMBus completion packet.
  • Signal (RELEASE) hAFL2 to stop collecting code coverage.

The problem is that VMSwitch processes packets in an asynchronous manner which means that it will call the interesting parsing code (which we'd like to have within our code coverage) AFTER it already sent a completion packet to the child partition's harness, therefore, the code coverage will be partial.

@OphirHarpaz and I solved a similar problem within hAFL1 by disabling PatchGuard and modifying some VMSwitch logic.
I believe this can be solved in a similar manner, maybe by patching VMSwitch and modifying the call to VmbChannelPacketComplete to occur after VMSwitch has finished the processing part.

Check out the Harness driver of hAFL1 in order to understand how we patched VMSwitch.

Re-Compile and Reload KVM

If you already installed the hAFL2 Linux kernel (with modified KVM) and you wish to modify some of KVM's code without re-compile the whole kernel, you may use ./compile-kvm.sh 5.12.7 in order to do so.
The script will also reload the new compiled version of KVM and KVM-intel.

Credits

  • Ophir Harpaz for working together on the hAFL1 project which inspired me to implement the hAFL2 project.
  • Saar Amar for answering a lot of nVMX-related questions during the implementation of this project, which helped me completing this project on time.
  • SafeBreach Labs which provided me the time to learn and implement this project.
  • The kAFL team (Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel and Thorsten Holz) for providing a fuzzing infrastructure which I heavily modified in order to target hypervisors.
  • The Nyx fuzzer team (Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wör­ner, and Thorsten Holz) for telling their own story of implementing a hypervisor fuzzer.

You might also like...
RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API.

RapiDAST RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API. Its core engine is OWASP Z

C++ fully undetected shellcode launcher
C++ fully undetected shellcode launcher

charlotte c++ fully undetected shellcode launcher ;) releasing this to celebrate the birth of my newborn description 13/05/2021: c++ shellcode launche

PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe
PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe

PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe with additional features such as malware checker/detector! Also checks file(s) for suspicious words, discord webhooks, discord invites, pastebins, ips etc..

Looks at Python code to search for things which look "dodgy" such as passwords or diffs

dodgy Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions desig

Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking
Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking

Big-Papa is a remote cookie stealer which can then be used for session hijacking and Bypassing 2 Factor Authentication

Password Manager is a simple Python project which helps users in managing their passwords in a easier way

Password Manager is a simple Python project which helps users in managing their passwords in a easier way

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities
WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

Comments
  • Change the setting order in tutorial.md

    Change the setting order in tutorial.md

    blah

    I am configuring the environment according to the tutorial. There is a problem while creating a child partition, so it is registered as an issue. :)

    As-Is

    • Set "HiberbootEnabled" during the root partition setup process. (https://github.com/SafeBreach-Labs/hAFL2/blob/main/tutorial.md#creating-a-root-partition-vm)

      Creating a Root Partition VM

      ... 5. Disable Fast Startup from within an elevated command prompt: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_DWORD /D 1 /F ...

    • And after that, move the iso image file to the child partition. (https://github.com/SafeBreach-Labs/hAFL2/blob/main/tutorial.md#creating-a-child-partition-vm)

      Creating a Child Partition VM

      Copy the Windows10_InsiderPreview_Client_x64-en-us_21354.iso ISO file from a dedicated folder to the root partition VM (wait patiently, it will take a few minutes as it's a large file): copy_files_to_vm.sh [WINDOWS_ISO_FOLDER_PATH] windows.qcow2

    Trouble Shooting

    • There is a mount command in the copy_file_to_vm.sh script that moves the ISO file to the child partition.
    • When I try to execute the mount command, , the bellow error occurs.

      ... Please resume and shutdown Windows fully (no hibernation or fast restarting.) Could not mount read-write, trying read-ony

    • As a result, it was mounted with read-only permission, and copying the ISO file inside qemu failed.

    To-Be

    • It is very simple. Firstly ISO image move to QEMU disk, and then Set "HiberbootEnabled" on HostOS(level1)
    opened by blackcon 0
Owner
SafeBreach Labs
SafeBreach Labs
SafeBreach Labs
IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Re-Scripts IA32-VMX-Helper (IDA-Script) IA32-MSR-Decoder (IDA-Script) IA32 VMX Helper It's an IDA script (Updated IA32 MSR Decoder) which helps you to

Behrooz Abbassi 16 Oct 8, 2022
OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

omigood (OM I GOOD?) This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threa

Marco Simioni 13 Jul 13, 2022
This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things.

Fuzzing PDFs like its 1990s This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things. Some discl

Chaithu 14 Sep 30, 2022
Yet another web fuzzer

yafuzz Yet another web fuzzer Usage This script can run in two modes of operation. Supplying a wordlist -W argument will initiate a multithreaded fuzz

FooBallZ 5 Feb 2, 2022
Unicode fuzzer for various purposes

UnicodeToy Unicode fuzzer for various purposes Unicode based on version 14.0 features Generate the shortest xss domain payload Generate unicode str, u

null 33 Nov 27, 2022
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien

null 9.4k Jan 4, 2023
A python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Hcoder This is a python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Muhammad Hamza 3 Dec 6, 2021
Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules

About: Arbitrium is a cross-platform is a remote access trojan (RAT), Fully UnDetectable (FUD), It allows you to control Android, Windows and Linux an

Ayoub 861 Feb 18, 2021
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

null 258 Jan 2, 2023
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

Duc Linh Nguyen 4 Aug 8, 2022