https://github.com/ax/frida-afl-proxy-poc
frida-afl-proxy-poc
- Host: GitHub
- URL: https://github.com/ax/frida-afl-proxy-poc
- Owner: ax
- Created: 2025-02-24T20:44:58.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-02-26T21:11:55.000Z (over 1 year ago)
- Last Synced: 2025-02-26T22:18:39.913Z (over 1 year ago)
- Language: C
- Size: 154 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# :rabbit2: frida-afl-proxy-poc
What follows here is merely a proof of concept to explore an idea.
frida-afl-proxy is an AFL proxy based on Frida that can be used with AFL++ for coverage-guided binary-only fuzzing.
It should run on all platforms supported by Frida. It can be used when all the other AFL++ modes are not suitable.
## How frida-afl-proxy works
frida-afl-proxy can be used to fuzz network servers with AFL++. frida-afl-proxy, afl-fuzz and a frida-server must run on the target platform.
- AFL++'s afl-fuzz spawns frida-afl-proxy, which connects to the frida-server and loads the frida-afl-proxy.js script.
- The frida-afl-proxy.js script attaches the Frida Interceptor to the target function. In onEnter, the Frida Stalker follows the current thread ID for coverage collection.
- afl-fuzz writes its mutated payloads to frida-afl-proxy, which repeatedly connects, sends the payload, and closes the socket.
- While the target executes and processes the input, the injected code gathers coverage info and writes it to AFL++'s coverage bitmap in AFL++'s shared memory.
## Run frida-afl-proxy against vuln-tcp-server
frida-afl-proxy.js should be modified to fit the needs of the target: you have to set up `module_start`, `module_end` and `base`.
`module_start` and `module_end` limit the Stalker tracing to that address range (mandatory?) and `base` is the address of the function that Frida will instrument and gather coverage from.
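The agent script the README describes, as an added example (not the repository's frida-afl-proxy.js): it hooks `base` with Interceptor, has Stalker follow the calling thread over the `module_start`..`module_end` range, and keeps an AFL-style edge map. The placeholder addresses, the Uint8Array map and the `send()` hand-off to the host proxy are assumptions.

```javascript
// Constructed example of the agent the README describes, not the repo's frida-afl-proxy.js. Assumes
// AFL++'s default 64 KiB map, kept here in a Uint8Array and sent to the host for copying into AFL's shm.
const MAP_SIZE = 65536;
// Module-relative block offset -> location id (constructed hash; AFL normally assigns ids at compile time).
function locHash(offset) { return (Math.imul(offset >>> 4, 0x9E3779B1) >>> 0) & (MAP_SIZE - 1); }
// AFL edge index: current location XORed with the right-shifted previous one.
function edgeIndex(prevLoc, curLoc) { return (curLoc ^ prevLoc) & (MAP_SIZE - 1); }
class Coverage {
  constructor() { this.map = new Uint8Array(MAP_SIZE); this.prevLoc = 0; }
  reset() { this.map.fill(0); this.prevLoc = 0; }
  // Called once per executed basic block; returns the map index that was bumped.
  hit(offset) {
    const cur = locHash(offset);
    const idx = edgeIndex(this.prevLoc, cur);
    this.map[idx] = (this.map[idx] + 1) & 0xff;
    this.prevLoc = cur >>> 1;
    return idx;
  }
  edgesHit() { return this.map.reduce((n, b) => n + (b !== 0 ? 1 : 0), 0); }
}
// Frida side: hook `base`; Stalker records only blocks inside [moduleStart, moduleEnd).
function installCoverage(base, moduleStart, moduleEnd) {
  const cov = new Coverage();
  const lo = ptr(moduleStart), hi = ptr(moduleEnd);
  Interceptor.attach(ptr(base), {
    onEnter() {
      cov.reset();
      Stalker.follow(this.threadId, {
        transform(iterator) {
          let insn = iterator.next();
          if (insn === null) return;
          const start = insn.address;
          if (start.compare(lo) >= 0 && start.compare(hi) < 0) {
            const offset = start.sub(lo).toUInt32(); // module-relative, so ids survive ASLR
            iterator.putCallout(() => cov.hit(offset));
          }
          do { iterator.keep(); } while (iterator.next() !== null);
        },
      });
    },
    onLeave() {
      Stalker.unfollow(this.threadId);
      Stalker.flush();
      send({ edges: cov.edgesHit() }, cov.map.buffer); // the host proxy writes this into AFL++'s shm
    },
  });
}
// Only meaningful under Frida; in plain Node only the helpers above are defined.
if (typeof Interceptor !== 'undefined') installCoverage('0x401136', '0x400000', '0x405000'); // placeholders
```

Load it with `frida -p <pid> -l agent.js` (or from the proxy, as the README does); each time the hooked function returns, the host receives the edge count plus the raw map for that input.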
- Run `getfrida.sh`
- Compile fafl-poc: `make fafl-poc`
- Compile vuln-tcp-server: `make vuln-tcp-server`
- Compile just afl-fuzz
- Run the frida server `./frida-server-16.5.6-linux-x86_64`
- `mkdir in; echo "CIAO" > in/1`
- `touch crashshmfile` and `touch shmfile`
- Then `fafl-poc` can be run, and it should find the infamous vuln-tcp-server crash after a while:
```
AFL_SKIP_BIN_CHECK=1 AFL_DEBUG=1 /home/ax/AFLplusplus/afl-fuzz -t 100000 -m 2048 -i ./in -o ./out -- ./fafl-poc 127.0.0.1:27042 $(pidof vuln-tcp-server) fafl-poc.js
```
- The payload that crashes the server is also written to `./CRASH.txt`.
## References
- https://github.com/AFLplusplus/AFLplusplus/blob/stable/utils/afl_proxy/
- https://github.com/ttdennis/fpicker