{"id":28637287,"url":"https://github.com/ax/frida-afl-proxy-poc","last_synced_at":"2025-06-12T18:10:13.526Z","repository":{"id":279688714,"uuid":"938361434","full_name":"ax/frida-afl-proxy-poc","owner":"ax","description":"frida-afl-proxy-poc","archived":false,"fork":false,"pushed_at":"2025-02-26T21:11:55.000Z","size":158,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-26T22:18:39.913Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-24T20:44:58.000Z","updated_at":"2025-02-26T21:11:58.000Z","dependencies_parsed_at":"2025-02-26T22:28:40.844Z","dependency_job_id":null,"html_url":"https://github.com/ax/frida-afl-proxy-poc","commit_stats":null,"previous_names":["ax/frida-afl-proxy-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ax/frida-afl-proxy-poc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ax%2Ffrida-afl-proxy-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ax%2Ffrida-afl-proxy-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ax%2Ffrida-afl-proxy-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ax%2Ffrida-afl-proxy-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ax","download_url":"https://codeload.github.com/ax/frida
-afl-proxy-poc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ax%2Ffrida-afl-proxy-poc/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259518828,"owners_count":22870304,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-12T18:10:01.616Z","updated_at":"2025-06-12T18:10:13.501Z","avatar_url":"https://github.com/ax.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# :rabbit2: frida-afl-proxy-poc\nWhat follows here is merely a proof of concept to explore an idea.\n\nfrida-afl-proxy is an AFL proxy based on Frida that can be used with AFL++ for coverage-guided binary-only fuzzing.\n\nIt should run on all platforms supported by Frida. It is meant for cases where none of the other AFL++ modes is suitable.\n## How frida-afl-proxy works\nfrida-afl-proxy can be used to fuzz network servers with AFL++. frida-afl-proxy, afl-fuzz and a frida-server must all run on the target platform.\n- AFL++'s afl-fuzz spawns frida-afl-proxy, which connects to the frida-server and loads the frida-afl-proxy.js script.\n- The frida-afl-proxy.js script attaches a Frida Interceptor to the target function; in `onEnter`, Frida's Stalker follows the current thread id for coverage collection.\n- afl-fuzz writes its mutated payloads to frida-afl-proxy, which repeatedly connects to the server, sends the payload, and closes the socket.\n- While the target executes and processes the input, the injected code gathers coverage info and writes it to AFL++'s coverage bitmap in AFL++'s shared memory.\n## Run frida-afl-proxy against vuln-tcp-server\nfrida-afl-proxy.js must be adapted to the target: you have to set `module_start`, `module_end` and `base`. `module_start` and `module_end` are used to limit the Stalker tracing (mandatory?) and `base` is the address of the function that Frida will instrument and gather coverage from.\n\n- Run `getfrida.sh`\n- Compile the fafl-poc: `make fafl-poc`\n- Compile the vuln-tcp-server: `make vuln-tcp-server`\n- Compile just afl-fuzz\n- Run the frida server: `./frida-server-16.5.6-linux-x86_64`\n- `mkdir in; echo \"CIAO\" \u003e in/1`\n- `touch crashshmfile shmfile`\n- Then `fafl-poc` can be run and it should find the infamous vuln-tcp-server crash after a while:\n\n```sh\nAFL_SKIP_BIN_CHECK=1 AFL_DEBUG=1 /home/ax/AFLplusplus/afl-fuzz -t 100000 -m 2048 -i ./in -o ./out -- ./fafl-poc 127.0.0.1:27042 $(pidof vuln-tcp-server) fafl-poc.js\n```\n`AFL_SKIP_BIN_CHECK=1` is needed because `fafl-poc` itself carries no AFL instrumentation, and `-t 100000` is the per-run timeout in milliseconds (100 s), generous because every iteration goes through a TCP connection and Stalker.\n- The payload that crashes the server is also written to `./CRASH.txt`.\n\n## References\n- https://github.com/AFLplusplus/AFLplusplus/blob/stable/utils/afl_proxy/\n- https://github.com/ttdennis/fpicker\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fax%2Ffrida-afl-proxy-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fax%2Ffrida-afl-proxy-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fax%2Ffrida-afl-proxy-poc/lists"}
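The README's "How frida-afl-proxy works" section describes a pipeline in which afl-fuzz drives a proxy that forwards each mutated input to a TCP server while coverage arrives in AFL++'s bitmap from the Frida side. The following is an added example, written here in the style of AFLplusplus/utils/afl_proxy (the first reference above); it is not the project's fafl-poc code. It shows the proxy half of that loop: the forkserver handshake on AFL++'s fds 198/199, attaching the bitmap named by `__AFL_SHM_ID`, the connect/send/close iteration, and reporting a wait()-style status back so afl-fuzz records a crash. The crash oracle (the target pid has disappeared after a run), the `host:port target_pid` arguments, and the 1 ms settle delay are assumptions of this example; filling the bitmap is left to the Frida script and is not shown.

```c
/* Added example, not the project's code: a minimal AFL++ proxy in the style of
 * AFLplusplus/utils/afl_proxy. The bitmap is expected to be filled by the
 * Frida-side script (not shown); the crash check (target pid gone after a run)
 * and the host:port / pid command-line arguments are assumptions. */
#include <arpa/inet.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define FORKSRV_FD 198            /* AFL++ forkserver pipe: read on 198, write on 199 */
#define MAX_INPUT  (1024 * 1024)

static unsigned char *afl_area_ptr;  /* AFL++ coverage bitmap, once attached */

/* Attach AFL++'s shared-memory bitmap; afl-fuzz passes the id in __AFL_SHM_ID. */
static unsigned char *afl_map_shm(void) {
    const char *id = getenv("__AFL_SHM_ID");
    if (!id) return NULL;
    void *p = shmat(atoi(id), NULL, 0);
    if (p == (void *)-1) return NULL;
    return afl_area_ptr = (unsigned char *)p;
}

/* Handshake: 4 bytes on fd 199 tell afl-fuzz a forkserver is up. 0 = not under afl-fuzz. */
static int afl_forkserver_start(void) {
    unsigned char hello[4] = {0, 0, 0, 0};
    return write(FORKSRV_FD + 1, hello, 4) == 4;
}

/* Wait for afl-fuzz's go-ahead, read the test case from stdin, ack with a fake child pid. */
static ssize_t afl_next_testcase(unsigned char *buf, size_t max_len) {
    int status, fake_pid = 0xffffff;
    if (read(FORKSRV_FD, &status, 4) != 4) return -1;
    ssize_t n = read(0, buf, max_len);
    if (write(FORKSRV_FD + 1, &fake_pid, 4) != 4) return -1;
    return n;
}

/* Hand a wait()-style status back; afl-fuzz decides "crash" via WIFSIGNALED(). */
static int afl_end_testcase(int status) {
    return write(FORKSRV_FD + 1, &status, 4) == 4;
}

/* 0 for a clean run; a SIGSEGV termination status when the server died. */
int afl_run_status(int target_alive) {
    return target_alive ? 0 : SIGSEGV;
}

/* Assumed crash oracle: is the server process still there? (kill with signal 0 only probes.) */
int pid_alive(pid_t pid) {
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* Split "host:port" as given on the README's command line (127.0.0.1:27042). */
int parse_hostport(const char *s, char *host, size_t host_len, int *port) {
    const char *colon = strrchr(s, ':');
    if (!colon || colon == s) return -1;
    size_t hl = (size_t)(colon - s);
    if (hl + 1 > host_len) return -1;
    memcpy(host, s, hl);
    host[hl] = '\0';
    char *end;
    long p = strtol(colon + 1, &end, 10);
    if (*end || p <= 0 || p > 65535) return -1;
    *port = (int)p;
    return 0;
}

/* One iteration of the README's loop: connect, send the payload, close the socket. */
static int send_payload(const char *host, int port, const unsigned char *buf, size_t len) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    ssize_t w = write(fd, buf, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s host:port target_pid\n", argv[0]); return 1; }
    char host[64]; int port;
    if (parse_hostport(argv[1], host, sizeof host, &port) != 0) return 1;
    pid_t target = (pid_t)atoi(argv[2]);
    if (!afl_map_shm()) fprintf(stderr, "no __AFL_SHM_ID: running without a bitmap\n");
    static unsigned char buf[MAX_INPUT];
    int forkserver = afl_forkserver_start();
    for (;;) {
        /* afl-fuzz clears the bitmap before each run; this side only delivers the input. */
        ssize_t n = forkserver ? afl_next_testcase(buf, sizeof buf) : read(0, buf, sizeof buf);
        if (n < 0) break;
        send_payload(host, port, buf, (size_t)n);  /* a refused connect alone is not a crash */
        usleep(1000);                               /* assumed settle time before probing the pid */
        int status = afl_run_status(pid_alive(target));
        if (!forkserver) return WIFSIGNALED(status) ? 2 : 0;
        if (!afl_end_testcase(status)) break;
    }
    return 0;
}
```

Run outside afl-fuzz it takes one input on stdin (`./proxy 127.0.0.1:27042 $(pidof vuln-tcp-server) < in/1`) and exits 2 if the server is gone afterwards; under afl-fuzz the same binary is launched with `AFL_SKIP_BIN_CHECK=1`, exactly as in the README's command line, because the proxy carries no instrumentation of its own. The status value is the point worth noticing: afl-fuzz only knows a crash happened because the proxy returns something `WIFSIGNALED()` accepts, so a proxy that always reports 0 will never save a crash no matter what the server does.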