Bugs can only be found during fuzzing in code that is actually executed. But which parts of a target system's code are executed during a fuzzing session? And how can we improve our fuzzer so that it also tests code blocks that weren't covered before?
Dynamorio
We'll now use Dynamorio — a runtime code manipulation system — to analyse which code we have executed in a first run. Then we'll analyse how we can trigger more code. We can use this information to improve our fuzzer.
As the test application we're using a simple Go web server, which delivers a static string for requests to /foundme and an error message otherwise. Here is the code:
```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

// helloHandler answers /foundme with a static string and everything else with a 404.
// Note: the handler is registered for the exact pattern "/foundme", so the default
// ServeMux already rejects other paths; the check below is a second guard inside the handler.
func helloHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/foundme" {
		http.Error(w, "404 not found.", http.StatusNotFound)
		return
	}
	fmt.Fprintf(w, "You found me!")
}

func main() {
	http.HandleFunc("/foundme", helloHandler)
	fmt.Printf("Starting server at port 8080\n")
	if err := http.ListenAndServe(":8080", nil); err != nil {
		log.Fatal(err)
	}
}
```
Prerequisites:
- Build the web server with `go build webserver.go` to get an executable.
- Download Dynamorio
- Download Dynapstalker
- Download IDA free
Ok, let's go:
- Start drrun from Dynamorio and execute the previously compiled web server inside it with
  `/opt/DynamoRIO-Linux-8.0.0-1/bin64/drrun -t drcov -dump_text -- webserver`
  and perform some requests. Exit the process via CTRL+C.
- The directory now contains a log file like `drcov.webserver.01693.0000.proc.log`.
- Convert this file with Dynapstalker into an IDC script file IDA can read:
  `python /opt/dynapstalker/dynapstalker.py drcov.webserver.01693.0000.proc.log webserver webserver.idc 0x00ffff`
- Open the executable in IDA and load the generated IDC file via File -> Script command. The executed blocks are now highlighted in the given color.
- Think about how to generate input that would reach other code paths, and repeat.
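Colouring blocks in IDA shows one run; the "repeat" step is really a diff between runs. The following is an added example (not part of the original post and not Dynapstalker's code) that parses two drcov `-dump_text` logs and lists the basic blocks of our own binary that a second session reached but the first did not. The two embedded logs are constructed to mirror the drcov text layout (module table, then `module[ id]: 0xoffset, size` lines), and the module paths and offsets are made up.

```python
import re

# One BB line of the -dump_text format, e.g. "module[  0]: 0x0000000000062a10,  12"
BB_RE = re.compile(r"module\[\s*(\d+)\]:\s*0x([0-9a-fA-F]+),\s*(\d+)")

def parse_drcov_text(text):
    """Return {(module_path, start, size)} for every basic block in a drcov
    -dump_text log. Starts are offsets from the module base, so two runs of
    the same binary compare cleanly even when ASLR moves the module."""
    modules, blocks, in_module_table = {}, set(), False
    for line in text.splitlines():
        if line.startswith("Module Table"):
            in_module_table = True
        elif line.startswith("BB Table"):
            in_module_table = False
        elif in_module_table:
            fields = [f.strip() for f in line.split(",")]
            if fields[0].isdigit():                    # skips the "Columns: ..." header
                modules[int(fields[0])] = fields[-1]   # path is the last column
        else:
            m = BB_RE.search(line)
            if m:
                mod_id, start, size = int(m[1]), int(m[2], 16), int(m[3])
                blocks.add((modules.get(mod_id, f"module-{mod_id}"), start, size))
    return blocks

def new_coverage(baseline, candidate, module_suffix):
    """Blocks reached by `candidate` but never by `baseline`, limited to the
    module whose path ends with `module_suffix` (here: our own binary)."""
    return sorted(b for b in candidate - baseline if b[0].endswith(module_suffix))

# Constructed sample logs, not real drcov output: a session that only got 404s ...
LOG_404 = """\
DRCOV VERSION: 2
Module Table: version 2, count 2
Columns: id, base, end, entry, checksum, timestamp, path
  0, 0x0000000000400000, 0x00000000004a0000, 0x0000000000460000, 0x00000000, 0x00000000, /home/user/webserver
  1, 0x00007f0000000000, 0x00007f0000200000, 0x00007f0000010000, 0x00000000, 0x00000000, /lib/x86_64-linux-gnu/libc.so.6
BB Table: 3 bbs
module id, start, size:
module[  0]: 0x0000000000062a10,  12
module[  0]: 0x0000000000062a1c,   5
module[  1]: 0x0000000000021000,   9
"""
# ... and a session in which one request hit /foundme, adding a block in webserver.
LOG_FOUNDME = LOG_404.replace("3 bbs", "4 bbs") + "module[  0]: 0x0000000000062a40,  17\n"

if __name__ == "__main__":
    for path, start, size in new_coverage(parse_drcov_text(LOG_404), parse_drcov_text(LOG_FOUNDME), "webserver"):
        print(f"new block in {path}: +0x{start:x} ({size} bytes)")
```

Blocks in libc and other libraries are dropped by the suffix filter, so the list only contains code you can colour in IDA and reason about in the fuzzer.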