Tracing wasn't working for me. The error was that the afl tracer path was incorrect, which appears to be right since it was being pointed to a directory that didn't exist (afl-unix/tracers/unix). The correct path seems to be afl-unix/tracers/i386 for example. Not sure the other implications of this change, but it seems to make fuzzer work for me.

I tried to run shellphuzz after a long and painful installation of fuzzer and driller with all the prereqs for python 3 on Ubuntu 16.04 and got this: [*] Creating fuzzer... Traceback (most recent call last): File "/home/kburova/.virtualenvs/devis/bin/shellphuzz", line 87, in <module> memory=args.memory, seeds=seeds, timeout=args.run_timeout, protocol_fuzz=args.opc_afl, AttributeError: 'Namespace' object has no attribute 'opc_afl'

I removed protocol_fuzz=args.opc_afl, form this line:

fuzzer = fuzzer.Fuzzer( args.binary, args.work_dir, afl_count=args.afl_cores, force_interval=args.force_interval, args.binary, args.work_dir, afl_count=args.afl_cores, force_interval=args.force_interval, create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback, time_limit=args.timeout, create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback, time_limit=args.timeout, memory=args.memory, seeds=seeds, timeout=args.run_timeout memory=args.memory, seeds=seeds, timeout=args.run_timeout, protocol_fuzz=args.opc_afl, )

to make it work, but I'm not sure if that's the best solution.

• Ability to automatically extend length of inputs passed to driller (requires a PR in the driller repo to work)
• Ability to change the timeouts for AFL runs of the binary and driller runs
• Ability to change the memory limit
• Ability to use shellphuzz with neither first_crash nor timeout args
• Ability to seed shellphuzz with an existing directory of inputs

I'm having trouble running fuzzer on 32-bit ELF binaries. Looking at the init code, it appears the call to setup which afl to run is:

            p = angr.Project(binary_path)

            self.os = p.loader.main_bin.os

            afl_dir               = shellphish_afl.afl_dir(self.os)

            # the path to AFL capable of calling driller
            self.afl_path         = shellphish_afl.afl_bin(self.os)

            self.afl_path_var     = shellphish_afl.afl_path_var(self.os)

            # set up libraries
            self._export_library_path(p)

Given the os variable really only says "unix", i don't see how this would select the correct distro for 32 vs 64 bit, and default on 64-bit systems will likely be 64 bit QEMU.

Hi guys,

I just pull shellphish/mechaphish docker image and tried to run test_fuzzer.py but it failed like picture below. I also make sure that all the requirements installed already but still don't know how to solve it. Any idea?

Hello... I'm Having a little bug, after installation I tried to run a single test app, steps to repeoduce:

#include <stdio.h>

int main(int argc, char **argv){
	printf("My name is: %s\n",argv[1]);
}

Complation gcc test.c

shellphuzz -i -c 4 ~/Desktop/a.out

output:

[*] Creating fuzzer...
Traceback (most recent call last):
  File "/home/user/anaconda2/bin/shellphuzz", line 63, in <module>
    create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback
  File "/home/user/anaconda2/lib/python2.7/site-packages/fuzzer/fuzzer.py", line 155, in __init__
    p = angr.Project(binary_path)
  File "/home/user/anaconda2/lib/python2.7/site-packages/angr/project.py", line 146, in __init__
    raise Exception("Not a valid binary file: %s" % repr(thing))
Exception: Not a valid binary file: '-i'
Exception AttributeError: "'Fuzzer' object has no attribute '_timer'" in <bound method Fuzzer.__del__ of <fuzzer.fuzzer.Fuzzer object at 0x7f51100fc050>> ignored

Hey,

Im currently looking into using Driller via this python wrapper, and cannot quite answer the following question from just the readme:

What kind of binary has to be specified via the command line for it to work? Is it just the normally compiled binary (standard gcc/g++) and AFL then works via qemu mode on it, or does it have to be instrumented and compiled with the AFL compiler (afl-cc)?

Thanks :)

I follow the instructions in README.md and use the virtualenv. However when I run the command shellphuzz -w afl_work -d 2 -c 2 -C -f 1 ./pwn2. It tells me that import tracer error. It is strange that because in driller's requirements.txt there is such a line git+https://github.com/angr/tracer.git#egg=tracer, but when I ran pip install driller pip didn't automatically install the tracer for me. So I choose to manually install tracer with command pip install git+https://github.com/angr/tracer.git#egg=tracer. After that I run the command shellphuzz -w afl_work -d 2 -c 2 -C -f 1 ./pwn2 again. This time it prints a different error output.

Traceback (most recent call last):
  File "/home/dddong/.virtualenvs/shellphuzz/bin/shellphuzz", line 10, in <module>
    import driller
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/driller/__init__.py", line 1, in <module>
    from .driller import *
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/driller/driller.py", line 5, in <module>
    import tracer
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/__init__.py", line 1, in <module>
    from .runner import Runner
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/runner.py", line 15, in <module>
    from .tracer import TracerEnvironmentError, TracerInstallError
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/tracer.py", line 11, in <module>
    from .cachemanager import LocalCacheManager
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/cachemanager/__init__.py", line 1, in <module>
    from .cachemanager import CacheManager
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/cachemanager/cachemanager.py", line 4, in <module>
    from ..simprocedures import receive
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/simprocedures/__init__.py", line 1, in <module>
    from .random import FixedRandom
  File "/home/dddong/.virtualenvs/shellphuzz/local/lib/python2.7/site-packages/tracer/simprocedures/random.py", line 10, in <module>
    class FixedRandom(angr.SimProcedure):
AttributeError: 'module' object has no attribute 'SimProcedure'

It seems that tracer module have a desync issue with the angr module. I don't know how to fix it, perhaps downgrade the version of the angr? Hopes for someone's help. Thanks.

I followed "Install the CRS" instructions. Next I did: workon cgc, then attempted to run shellphuzz on a simple binary: ../angr-dev/fuzzer/shellphuzz -i -c 4 mybinary. The following error immediately appeared.

[*] Creating fuzzer... ERROR | 2017-08-31 16:44:15,218 | fuzzer.fuzzer | AFL Error: Pipe at the beginning of core_pattern execute 'echo core | sudo tee /proc/sys/kernel/core_pattern' AFL Warning: We probably want the fork() children to run first execute 'echo 1 | sudo tee /proc/sys/kernel/sched_child_runs_first'

Traceback (most recent call last): File "../angr-dev/fuzzer/shellphuzz", line 69, in create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback, time_limit=args.timeout File "../angr-dev/fuzzer/fuzzer/fuzzer.py", line 97, in init Fuzzer._perform_env_checks() File "../angr-dev/fuzzer/fuzzer/fuzzer.py", line 595, in _perform_env_checks raise InstallError(err) fuzzer.fuzzer.InstallError: AFL Error: Pipe at the beginning of core_pattern execute 'echo core | sudo tee /proc/sys/kernel/core_pattern' AFL Warning: We probably want the fork() children to run first execute 'echo 1 | sudo tee /proc/sys/kernel/sched_child_runs_first'

Exception AttributeError: "'Fuzzer' object has no attribute 'procs'" in <bound method Fuzzer.del of <fuzzer.fuzzer.Fuzzer object at 0x7f183b326f50>> ignored

Hi,

While testing the fuzzer with the given test script, it is stopping with below error.

ERROR | 2017-02-03 16:35:01,011 | fuzzer.fuzzer | AFL Error: Pipe at the beginning of core_pattern Traceback (most recent call last): File "test_fuzzer.py", line 124, in run_all() File "test_fuzzer.py", line 121, in run_all all_functionsf File "test_fuzzer.py", line 76, in test_fuzzer_spawn f = fuzzer.Fuzzer(binary, "work") File "/home/rborad/driller/local/lib/python2.7/site-packages/fuzzer/fuzzer.py", line 46, in init Fuzzer._perform_env_checks() File "/home/rborad/driller/local/lib/python2.7/site-packages/fuzzer/fuzzer.py", line 496, in _perform_env_checks raise InstallError("execute 'echo core | sudo tee /proc/sys/kernel/core_pattern'") fuzzer.fuzzer.InstallError: execute 'echo core | sudo tee /proc/sys/kernel/core_pattern'

Can anyone help to resolve it.

Thanks

Making QEMU utilization an option instead of forced. Still defaulting behavior to using it.

Open question on handling this in the future. You can tell if the binary is instrumented by checking for afl naming conventions (as I'm doing in autoPwn). It would make sense to do that in fuzzer and just have it default to the correct choice. Only problem is that it doesn't load up the project by default, and loading the project could add a decent load time overhead.

Interested in your thoughts on that tradeoff. For now, I'm fine controlling that choice from autoPwn. I would rather have the smarts be built into fuzzer though.

Hello,

I'm trying to install the fuzzer (with all the dependencies) on the docker container but every way of installation I'm facing different problems. Is there any instruction how to install it or a docker file that works? Regards Marek

Hey,

I have successfully installed everything in a virtual environment and am now trying to fuzz a simple c-program with the following command: shellphuzz -i -c 1 -d 1 /home/user/local_fuzzing/target/target_binary

When running this, i get the following error outputs: WARNING | 2019-01-04 12:54:46,354 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups. Traceback (most recent call last): File "/home/user/local_fuzzing/shellphish-afl/venv/bin/shellphuzz", line 10, in <module> import driller ImportError: No module named driller

Can anyone help me out with this? Is the angr error causing the ImportError and thats the reason for the crash? Or is just a warning I could ignore and the ImportError itself is the source of the crash? How do I fix it?

Thanks!

Addition: For installation, I simply created a new virtual environment, activated into it and then ran the 2 commands like specified in the ReadMe here: pip install git+https://github.com/shellphish/shellphish-afl pip install git+https://github.com/shellphish/fuzzer

(angr) angr@ee8fe98b1fc4:$ shellphuzz -i -c 27 -d 13 libarchive/bsdtar [*] Drilling... [*] Creating fuzzer... Traceback (most recent call last):
File "/home/angr/.virtualenvs/angr/bin/shellphuzz", line 7, in <module> exec(compile(f.read(), __file__, 'exec')) File "/home/angr/angr-dev/fuzzer/shellphuzz", line 87, in <module> memory=args.memory, seeds=seeds, timeout=args.run_timeout, protocol_fuzz=args.opc_afl, AttributeError: 'Namespace' object has no attribute 'opc_afl' (angr) angr@ee8fe98b1fc4:~$

All set up with docker run -it shellphish/mechaphish; git clone https://github.com/libarchive/libarchive; compiling libarchive[1], then running the above command.

[1] cd libarchive/build && ./autogen.sh && cd .. && ./configure && make -j40

So tested: Ubuntu 18.04 TLS

Executing the following command will reproduce the problem:

pip install git+https://github.com/shellphish/fuzzer

Installing collected packages: future, ana, z3-solver, claripy, smmap2, gitdb2, GitPython, decorator, networkx, cooldict, dpkt-fix, capstone, mulpyplexer, ailment, unicorn, pycparser, cffi, archinfo, plumbum, rpyc, sortedcontainers, idalink, pefile, pyelftools, bitstring, pyvex, cle, progressbar, cachetools, futures, angr, shellphish-afl, shellphish-qemu, tqdm, fuzzer Running setup.py install for future ... done Running setup.py install for ana ... done Running setup.py install for claripy ... done Running setup.py install for networkx ... done Running setup.py install for cooldict ... done Running setup.py install for dpkt-fix ... done Running setup.py install for mulpyplexer ... done Running setup.py install for ailment ... done Running setup.py install for pycparser ... done Running setup.py install for archinfo ... done Running setup.py install for rpyc ... done Running setup.py install for idalink ... done Running setup.py install for pefile ... done Running setup.py install for pyelftools ... done Running setup.py install for bitstring ... done Running setup.py install for cle ... done Running setup.py install for progressbar ... done Running setup.py install for shellphish-afl ... error Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-QluSO3/shellphish-afl/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-wpVEXT-record/install-record.txt --single-version-externally-managed --compile: running install running build Setting up AFL-other-arch Cloning into 'bin/afl-unix'... patching file qemu_mode/patches/elfload.diff Hunk #1 FAILED at 1. Hunk #2 FAILED at 9. 2 out of 2 hunks FAILED -- saving rejects to file qemu_mode/patches/elfload.diff.rej error: Unable to apply AFL patch

----------------------------------------

Command "/usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-QluSO3/shellphish-afl/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-wpVEXT-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-QluSO3/shellphish-afl/

Any ideas?

Thank you!

I got this when I tried pip install git+https://github.com/shellphish/shellphish-afl

    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/user-exec.c: In function ‘cpu_resume_from_signal’:
    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/user-exec.c:71:37: error: dereferencing pointer to incomplete type ‘struct ucontext’
             sigprocmask(SIG_SETMASK, &uc->uc_sigmask, NULL);
                                         ^~
    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/user-exec.c: In function ‘cpu_x86_signal_handler’:
    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/user-exec.c:213:41: error: dereferencing pointer to incomplete type ‘struct ucontext’
     #define PC_sig(context)       ((context)->uc_mcontext.gregs[REG_RIP])
                                             ^
    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/user-exec.c:232:10: note: in expansion of macro ‘PC_sig’
         pc = PC_sig(uc);
              ^~~~~~
    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/user-exec.c:237:1: warning: control reaches end of non-void function [-Wreturn-type]
     }
     ^
    /tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu/rules.mak:57: recipe for target 'user-exec.o' failed
    make[2]: *** [user-exec.o] Error 1
    make[2]: *** Waiting for unfinished jobs....
    Makefile:173: recipe for target 'subdir-i386-linux-user' failed
    make[1]: *** [subdir-i386-linux-user] Error 2
    make[1]: Leaving directory '/tmp/pip-ugqYQB-build/bin/afl-multi-cgc/afl/qemu_mode/multicb-qemu'
    Makefile:2: recipe for target 'all' failed
    make: *** [all] Error 1
    error: Unable to make afl-multi-cgc

Anything that can be done from my side for this?

root@a57c22203b68:/ctf/work# shellphuzz /ctf/work/fm WARNING | 2018-08-08 16:19:59,460 | claripy | Claripy is setting the recursion limit to 15000. If Python segfaults, I am sorry. [*] Creating fuzzer... Traceback (most recent call last): File "/usr/local/bin/shellphuzz", line 69, in create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback, time_limit=args.timeout File "/usr/local/lib/python2.7/dist-packages/fuzzer/fuzzer.py", line 162, in init self.os = p.loader.main_object.os AttributeError: 'Loader' object has no attribute 'main_object'