How Fuzzing with AFL works! | Ep. 02

Let's investigate some issues we have fuzzing sudo with AFL, and also explain how AFL works. After improving our fuzzing setup even more, we are finally ready to start fuzzing sudo for real. Can we find the vulnerability now?

Sudo Research Episode 02:
00:00 - Recap
00:39 - Fixing AFL Crash Using LLVM mode
03:32 - Testing the AFL Instrumented Sudo Binary
04:11 - How Fuzzing with AFL works!
06:44 - Can AFL find the crash?
08:06 - Detour: busybox and argv[0]
09:48 - How could we discover "sudoedit"?
10:47 - Can AFL find "sudoedit" through magic?
11:25 - Include argv[0] in the testcases
13:06 - Parallel Fuzzing Setup


Comments
Author

This series is amazing! Glad you found something to continue the channel with.😊

exitdave
Author

The only channel I watch without skipping a nano second!

xecxdef
Author

I never understand more than 1% but I still watch every one of his videos😍

spoofer
Author

Starting after argv[0] is the best thing in the world. :)
I will never run multiple fuzzers in parallel, but it does not mean that I surrender quickly. In fact, I never surrender!

BlackHermit
Author

Ari van Houten's comment is above my comment or below my comment.
Finally another masterpiece!

fitmotheyap
Author

I would love some vids talking about azure / best practice security in cloud infrastructure.

Your channel is by far the best source of digestible knowledge I've ever come across.

toreshimada
Author

I might not be the first viewer, but at least I always watch your videos and support you no matter what (maybe).

day
Author

Your videos are great learning materials in this YouTuverse. Thank you and keep up the good work.

sandeshgautam
Author

Great work. I always have fun enjoying your and Hammond's videos with some wine!

nikhilmehra
Author

Does AFL not tell you that "hey, this part of the code never ever ran", which would've happened for the part that checks for argv[0] is the "edit"-variant? I thought that was the whole point of checking coverage – to see which parts the fuzzer never fuzzed.

sadhlife
Author

Nice series! Really curious what’s gonna be next

PathCybersecSlavaMoskvin
Author

Great series. I'm just starting to work my way into the topic. Thanks.
This video should be Ep 02 in the playlist, shouldn't it? Unfortunately that is not in the title and it is not in the playlist.

kobaltauge
Author

I liked the video before watching it and I was not disappointed :)

DaJC
Author

Wow, please do more AFL and AFL++ videos!!!

tenex
Author

Amazing work man. Thank you from the bottom of my heart.

kissinger
Author

Amazing work! Amazing series! Thank you!

fuscatube
Author

I've been trying to follow along in the series, and instead of trying to patch AFL like you have, I've just used your Docker setup from episode 4 where AFL++ is already set up. However, when I move the argv-fuzz-inl.h file that came in the utils/argv-fuzzing directory of AFL++ to the src directory of sudo and make the adjustments to include the header while also adding the macro at the beginning of main, everything compiles fine after updating CC=/pathtoafl-clang-fast ./configure --disable-shared. But when I go to run the sudo binary in the src directory with something like sudo -l id, I just immediately get a segmentation fault instead of the path to /usr/bin/id. I even changed the getuid and group id values to be hardcoded to 1000. But regardless, at this point it shouldn't crash. It was not doing that for you on the original AFL. It says it created a core dump but I do not see it in the directory, so I don't know how to figure out what is going on.

brandonpennell
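An added example (my own code, not from the video and not AFL++'s argv-fuzz-inl.h) showing the test-case layout that "include argv[0] in the testcases" relies on: argv entries separated by NUL bytes and ended by an empty entry, so a fuzzer input can start with "sudoedit" and make the binary believe it was launched under that name. The split/build helpers, the MAX_PAR cap and the sample input are constructed here; the real header's limits and names are assumed, not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PAR 16  /* hypothetical cap on argv entries, not the header's value */

/* Split a NUL-separated buffer into argv entries in place; an empty entry
   (a second NUL in a row) ends the list. Returns argc. */
static int split_argv(char *buf, size_t len, char **argv, int max_par) {
    int argc = 0;
    size_t i = 0;
    while (i < len && buf[i] != '\0' && argc < max_par) {
        argv[argc++] = &buf[i];
        while (i < len && buf[i] != '\0') i++;  /* to the end of this entry */
        if (i < len) i++;                       /* step over its NUL */
    }
    return argc;
}

/* Build a test case: every entry followed by NUL, then one extra NUL.
   Returns bytes written, or 0 if the output buffer is too small. */
static size_t build_testcase(char *const *argv, int argc, char *out, size_t cap) {
    size_t pos = 0;
    for (int k = 0; k < argc; k++) {
        size_t n = strlen(argv[k]) + 1;          /* entry plus its NUL */
        if (pos + n + 1 > cap) return 0;         /* keep room for the final NUL */
        memcpy(out + pos, argv[k], n);
        pos += n;
    }
    out[pos++] = '\0';
    return pos;
}

int main(void) {
    /* constructed sample: make sudo believe it was started as "sudoedit" */
    char *const wanted[] = { "sudoedit", "-s" };
    char testcase[64];
    size_t n = build_testcase(wanted, 2, testcase, sizeof testcase);

    char *argv[MAX_PAR];
    int argc = split_argv(testcase, n, argv, MAX_PAR);
    for (int k = 0; k < argc; k++)
        printf("argv[%d] = \"%s\"\n", k, argv[k]);
    return 0;
}
```

Written to a file, the 13-byte output is what an AFL seed for this argv layout looks like; the parser side is what the instrumented target runs at the top of main.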
Author

I don't know much about AFL except what you talked about, but the process seems similar to what KLEE (symbolic execution engine) does. It uses symbolic values instead of variables to find sets of constraints that input must satisfy to reach a certain path. KLEE was used to find many bugs in GNU CoreUtils where proper input handling didn't happen.

nachiketagrawal
Author

Hey, just noticed this video is missing from the playlist while starting to follow along -- might want to add it ;)

NeunEinser
Author

8:47 did he just say "let's have a pik queek" instead of "let's have a quick peek"?

Eon_TAS