> Reference: the Fuzzing101 project
>
> https://github.com/antonio-morales/Fuzzing101/tree/main/Exercise%201

# 1. Setup

Fetch the xpdf 3.02 source, the version affected by CVE-2019-13288:

```bash
wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
```

Fetch the seed samples:

```bash
wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf
wget http://www.africau.edu/images/default/sample.pdf
wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf
```

Install afl-fuzz:

```
To be added
```

Install clang:

```
To be added
```

Build xpdf with afl-clang so that the binaries carry AFL's coverage instrumentation:

```bash
CC=~/Desktop/afl-2.52b/afl-clang CXX=~/Desktop/afl-2.52b/afl-clang++ ./configure --prefix="/home/kali/Desktop/fuzzing_xpdf/install/"
```

Check that the built xpdf tools work:

```bash
┌──(kali㉿kali)-[~/Desktop/fuzzing_xpdf]
└─$ ./install/bin/pdfinfo -help                                                                    1 ⨯
pdfinfo version 3.02
Copyright 1996-2007 Glyph & Cog, LLC
Usage: pdfinfo [options] <PDF-file>
  -f <int>          : first page to convert
  -l <int>          : last page to convert
  -box              : print the page bounding boxes
  -meta             : print the document metadata (XML)
  -enc <string>     : output text encoding name
  -opw <string>     : owner password (for encrypted files)
  -upw <string>     : user password (for encrypted files)
  -cfg <string>     : configuration file to use in place of .xpdfrc
  -v                : print copyright and version info
  -h                : print usage information
  -help             : print usage information
  --help            : print usage information
  -?                : print usage information

┌──(kali㉿kali)-[~/Desktop/fuzzing_xpdf]
└─$ ./install/bin/pdfinfo -box -meta ./pdf_samples/sample.pdf
Creator:        Rave (http://www.nevrona.com/rave)
Producer:       Nevrona Designs
CreationDate:   Wed Mar  1 07:28:26 2006
Tagged:         no
Pages:          2
Encrypted:      no
Page size:      612 x 792 pts (letter)
MediaBox:       0.00 0.00 612.00 792.00
CropBox:        0.00 0.00 612.00 792.00
BleedBox:       0.00 0.00 612.00 792.00
TrimBox:        0.00 0.00 612.00 792.00
ArtBox:         0.00 0.00 612.00 792.00
File size:      3028 bytes
Optimized:      no
PDF version:    1.3
```

# 2. Fuzzing

Start afl-fuzz:

```bash
┌──(kali㉿kali)-[~/Desktop/fuzzing_xpdf]
└─$ afl-fuzz -i ./pdf_samples -o ./out -- ./install/bin/pdftotext @@ ./output
```

Options:

- `-i`: directory containing the seed test cases
- `-o`: output directory for the fuzzing results
- `--`: fixed separator; everything after it is the target program and its arguments
- `@@`: placeholder that is replaced with the path of the current test case file at run time

Fuzzing result:

![图片.png](http://47.117.131.13/usr/uploads/2022/08/1494649586.png)

Reading the status screen:

process timing:

- `run time`: total fuzzing time, here 23 hours 19 minutes 59 seconds
- `last new path`: time since the last new path was found, 9 minutes 6 seconds
- `last uniq crash`: time since the last unique crash was found, 57 minutes 40 seconds
- `last uniq hang`: time since the last unique hang was found; none was found at all

overall results:

- `total paths`: total number of paths discovered, 3560
- `uniq crashes`: total number of unique crashes, 3. This is usually the result item fuzzing cares about most

stage progress:

- `exec speed`: current execution speed, 845.2/sec. This figure indicates how much further potential the fuzzing run has

The results above show that our mutated inputs caused 3 distinct crashes in pdftotext, meaning the program's internal data-handling logic has 3 defects.

Look at the crashing inputs:

```bash
┌──(kali㉿kali)-[~/Desktop/fuzzing_xpdf/out/crashes]
└─$ ls -l
total 16
-rw------- 1 kali kali 4064 Aug 17 13:12 id:000000,sig:11,src:000002,op:flip4,pos:799
-rw------- 1 kali kali 4064 Aug 18 06:50 id:000001,sig:11,src:001417,op:flip4,pos:799
-rw------- 1 kali kali 4064 Aug 18 11:11 id:000002,sig:11,src:001752,op:flip4,pos:799
-rw------- 1 kali kali  638 Aug 17 13:12 README.txt
```

Confirm the fuzzing result by replaying the inputs; they do trigger a crash:

```bash
┌──(kali㉿kali)-[~/Desktop/fuzzing_xpdf/out/crashes]
└─$ ../../install/bin/pdftotext ./id:000000,sig:11,src:000002,op:flip4,pos:799                   99 ⨯
zsh: segmentation fault  ../../install/bin/pdftotext ./id:000000,sig:11,src:000002,op:flip4,pos:799

┌──(kali㉿kali)-[~/Desktop/fuzzing_xpdf/out/crashes]
└─$ ../../install/bin/pdftotext ./id:000001,sig:11,src:001417,op:flip4,pos:799                  139 ⨯
zsh: segmentation fault  ../../install/bin/pdftotext ./id:000001,sig:11,src:001417,op:flip4,pos:799
```

Last modified: August 24, 2022, 11:30 PM © Reproduction permitted with proper attribution
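The crash confirmation step above replays each file by hand. As an added example (not part of the original post or of the Fuzzing101 project), the POSIX shell helpers below parse AFL's crash file names (`id:...,sig:...,src:...,op:...,pos:...`) into their fields and replay every file in `out/crashes` through the target, reporting how each run ended (a shell reports a signal death as 128 + signal number, so 139 is SIGSEGV, matching the `139 ⨯` in the zsh prompt above). `fake_pdftotext`, the marker text `CRASH` and the two sample crash files are constructed stand-ins so the script runs offline; against the real build you would call `replay_crashes ./out/crashes ./install/bin/pdftotext`.

```shell
#!/bin/sh
# Added example, not from the original post or the Fuzzing101 project.
# Triage helpers for AFL's out/crashes directory. Assumes AFL's default
# crash naming scheme: id:NNNNNN,sig:NN,src:NNNNNN,op:<mutator>,pos:<offset>

# afl_field FILE KEY -> value of KEY (id, sig, src, op, pos) from the file name
afl_field() {
    name=$(basename "$1")
    printf '%s\n' "$name" | tr ',' '\n' | sed -n "s/^$2:\(.*\)$/\1/p"
}

# status_to_signal STATUS -> signal name when the child died by a signal
# (POSIX shells report 128+N, so 139 means SIGSEGV), else "exit:STATUS"
status_to_signal() {
    st=$1
    if [ "$st" -gt 128 ]; then
        sig=$((st - 128))
        case $sig in
            6)  echo SIGABRT ;;
            7)  echo SIGBUS ;;
            8)  echo SIGFPE ;;
            11) echo SIGSEGV ;;
            *)  echo "SIG$sig" ;;
        esac
    else
        echo "exit:$st"
    fi
}

# replay_crashes DIR TARGET -> one line per crash file:
#   <id> <sig-in-name> <observed-status> <op> <pos>
# TARGET is run as "TARGET <file>", the same argument layout the @@
# placeholder produces in the afl-fuzz command line. Put timeout(1) in
# front of the target if the directory being replayed may contain hangs.
replay_crashes() {
    dir=$1; target=$2
    for f in "$dir"/id:*; do
        [ -e "$f" ] || continue
        st=0
        "$target" "$f" >/dev/null 2>&1 || st=$?
        printf '%s %s %s %s %s\n' \
            "$(afl_field "$f" id)" "$(afl_field "$f" sig)" \
            "$(status_to_signal "$st")" \
            "$(afl_field "$f" op)" "$(afl_field "$f" pos)"
    done
}

# --- constructed demo data (stand-ins, not real crash inputs) ---

# Stand-in for pdftotext, as a shell function: dies with SIGSEGV only when
# the input file contains the constructed marker "CRASH", exits 0 otherwise.
# It runs in a child sh so that $$ is the child's own PID, not the caller's.
fake_pdftotext() {
    sh -c 'grep -q CRASH "$1" && kill -s SEGV $$; exit 0' fake "$1"
}

# make_demo_crashes DIR -> two files named like AFL's crash outputs; only the
# first reproduces against fake_pdftotext, the second is a non-reproducer
make_demo_crashes() {
    mkdir -p "$1"
    printf 'CRASH\n'  > "$1/id:000000,sig:11,src:000002,op:flip4,pos:799"
    printf 'benign\n' > "$1/id:000001,sig:11,src:001417,op:flip4,pos:799"
}

# Demo run (constructed data):
#   d=$(mktemp -d); make_demo_crashes "$d/crashes"
#   replay_crashes "$d/crashes" fake_pdftotext
# Real run against the instrumented build:
#   replay_crashes ./out/crashes ./install/bin/pdftotext
```

The name fields are worth reading before anything else: all three crashes on this page share `sig:11`, `op:flip4` and `pos:799`, which suggests the same defect reached from different seeds rather than three independent bugs. AFL's uniqueness is based on coverage, so a reliable grouping needs the crash location itself (for example a stack hash taken under a debugger or a sanitizer build), which this script does not attempt.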