  • Language: Objective-C++
  • License: Apache License 2.0
Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM

ManuFuzzer


What is ManuFuzzer?

ManuFuzzer is an LLVM-based binary, coverage-guided fuzzing framework similar. It is simple to integrate coverage-guided fuzzing with ManuFuzzer: just define a special function, update some build flags, and you have instant binary-only, coverage-guided fuzzing (only basic-block coverage). Using ManuFuzzer, you can instrument one or more selected frameworks for coverage and fuzz the target functions/library.

How does ManuFuzzer work?

ManuFuzzer makes use of a custom breakpoint handler. When you select a module to instrument, ManuFuzzer disassembles the module at runtime using LLVM MC and replaces the branch instruction of every basic block with a breakpoint instruction. It stores the original bytes in a shadow memory mapping, whose address is fixed and can be computed from any address of the modified library, and then executes the program. Every time a breakpoint is hit, the custom handler installed for SIGTRAP updates the coverage for that basic block, deletes the breakpoint and resumes execution.
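A simplified model of the bookkeeping described above, as an added example that is not ManuFuzzer's code: it simulates the trap rather than raising a real SIGTRAP, so it shows why each breakpoint costs one trap and only inputs reaching new blocks report coverage. The region size, the one-byte breakpoint opcode, the constructed module bytes and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REGION 64   /* size of the toy module text (assumed) */
#define BRK 0xCC    /* stand-in one-byte breakpoint opcode (assumed) */

/* Module bytes followed by their shadow copy, so the shadow of any
 * module address is that address plus a fixed delta. */
static uint8_t mem[2 * REGION];
static uint8_t covered[REGION]; /* offsets whose breakpoint has fired */

static uint8_t *shadow_of(uint8_t *addr) { return addr + REGION; }

/* Load a constructed module and plant a breakpoint on each branch. */
void instrument(const size_t *branches, size_t n) {
    memset(mem, 0x90, REGION);  /* constructed "code", never equal to BRK */
    memset(covered, 0, sizeof covered);
    for (size_t i = 0; i < n; i++) {
        uint8_t *p = &mem[branches[i]];
        *shadow_of(p) = *p;     /* keep the original byte */
        *p = BRK;
    }
}

/* What the SIGTRAP handler does for the trapping address. */
static void on_trap(uint8_t *pc) {
    covered[pc - mem] = 1;      /* update coverage */
    *pc = *shadow_of(pc);       /* delete the breakpoint */
}

/* Simulate one input reaching the given branches; returns how many
 * of them trapped, i.e. how much new coverage the input produced. */
unsigned run_input(const size_t *path, size_t n) {
    unsigned fresh = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[path[i]] == BRK) { on_trap(&mem[path[i]]); fresh++; }
    return fresh;
}

int main(void) {
    const size_t branches[] = {4, 12, 25, 40}, a[] = {4, 12}, b[] = {4, 25};
    instrument(branches, 4);
    unsigned r1 = run_input(a, 2), r2 = run_input(a, 2), r3 = run_input(b, 2);
    printf("%u %u %u\n", r1, r2, r3);
    return 0;
}
```

Replaying the same input traps zero times, which is what keeps the steady-state overhead of this scheme low once the corpus has reached most of the instrumented blocks.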

How to build ManuFuzzer?

ManuFuzzer depends on LLVM MC for disassembly and on LLVM libFuzzer for fuzzing. It patches LLVM MC to increase the speed and to evaluate an instruction type. The build pulls LLVM version 12.0.1-rc3 from https://github.com/llvm/llvm-project and applies llvm_ManuFuzzer.patch to LLVM MC and libFuzzer.

➜ git clone https://github.com/ant4g0nist/ManuFuzzer

To compile with debug logs:

➜ cd ManuFuzzer
➜ make
➜ make install

To compile without debug logs, pass FUZZ=1 in env:

➜ cd ManuFuzzer
➜ FUZZ=1 make
➜ make install

How to use ManuFuzzer?

As an example, let's try fuzzing the CGFontCreateWithDataProvider function from CoreGraphics. This seems to be an easy target to reach.

ManuFuzzer exports 4 functions we need to use in our harness.

void installHandlers(void);
void libFuzzerCleanUp(void);
int instrumentMe(const char * module);
int libFuzzerStart(int argc, char **argv, UserCallback LLVMFuzzerTestOneInput);

  • instrumentMe(const char * module) instruments a target module.
  • installHandlers installs the breakpoint handler that ManuFuzzer needs to handle breakpoints.
  • libFuzzerStart is the main entry point to libFuzzer. It takes argc, argv and a function LLVMFuzzerTestOneInput with the signature LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size).
  • libFuzzerCleanUp just cleans up the mallocs.

These functions can be used in our harness as shown here:

#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#import <Foundation/Foundation.h>
#import <CoreGraphics/CoreGraphics.h>

#include "libManuFuzzer.h"

// Exported by ManuFuzzer; the harness resets it before every input.
extern uint16_t previousLoc;

void LLVMFuzzerInitialize(int *argc, char ***argv) {
    // Install the breakpoint handler, then instrument each module of interest.
    installHandlers();

    instrumentMe("/System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO");
    instrumentMe("/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics");
    instrumentMe("/System/Library/Frameworks/CoreText.framework/Versions/A/CoreText");
    instrumentMe("/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib");
}

int LLVMFuzzerTestOneInput(const uint8_t *fuzz_buff, size_t size)
{
    previousLoc = 0;

    // Wrap the fuzz input in an NSData and expose it to CoreGraphics as a data provider.
    NSData *inData = [[NSData alloc] initWithBytes:fuzz_buff length:size];

    CGDataProviderRef provider = CGDataProviderCreateWithCFData((__bridge CFDataRef)inData);

    // CFRelease(NULL) crashes, so only parse and release when the provider exists.
    if (provider) {
        CGFontRef font = CGFontCreateWithDataProvider(provider);

        if (font)
            CFRelease(font);

        CFRelease(provider);
    }

    [inData release];

    return 0;
}

int main(int argc, char* argv[])
{
    LLVMFuzzerInitialize(&argc, &argv);
    libFuzzerStart(argc, argv, LLVMFuzzerTestOneInput);
    libFuzzerCleanUp();

    return 0;
}

Makefile to compile above sample code:

example.o: examples/main.mm
	SDKROOT=$(SDKROOT) $(CXX) -c -o bin/$@ examples/main.mm
	
example: example.o
	SDKROOT=$(SDKROOT) $(CXX) $(FUZZ_EXAMPLE_CFLAGS) ./bin/example.o -o bin/example
	rm bin/*.o

To compile the example:

➜ make example

TODO

  • replace Capstone with LLVM MC
  • make support for macOS on M1 public
  • make support for macOS on Intel public
  • clean the setup
  • test, test and tesssttt
  • fuzz, fuzzzz and more fuzzzzz

Trophies

Let me know if you have found any vulnerabilities using this and I will add them here :)

Thanks 🙌🏻🙌🏻
