Fuzzing IoT binaries with AFL++ - Part II

Why it is worth studying: this post shows how to fuzz the httpd binary from Cisco firmware with AFL++ in QEMU mode. It is well suited as an introductory text for going from zero to IoT binary fuzzing, since it gives enough detail that every step can be reproduced.

Key points of the post

Practice 1

qemu-arm-static

# ~/fuzz/squashfs-root/www
$ /usr/bin/qemu-arm-static -L .. ../usr/sbin/httpd
$ curl http://127.0.0.1

Capture the login request to obtain base-login-request.txt

POST /login.cgi HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
Host: 10.78.24.15
Origin: http://10.78.24.15
Pragma: no-cache
Referer: http://10.78.24.15/login.cgi
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

submit_button=login&submit_type=&gui_action=&wait_time=0&change_action=&enc=1&continue_key=&user=admin&pwd=3ff83912fdb4176a21cd5c93e2094554

Practice 2

Change the close() call at 0x231c0 in main to exit()

Navigating to 0x231c0 … change bl close to bl 0x10b64 to call the exit function instead.

The instruction immediately before it can be changed from mov r0, sl to eor r0, r0 (eor r0, r0, r0), which sets register r0 to 0, giving the following disassembly.
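As an added example (not code from the post), the two-instruction patch above expressed as ARM-mode encodings: it computes the bl displacement for 0x231c0 -> 0x10b64, checks that the word being overwritten really is a bl before touching it, and writes eor r0, r0, r0 in front. It assumes file offset == virtual address minus load base (a non-PIE ELF whose first PT_LOAD starts at offset 0); the original close address 0x10a00 in the constructed image is made up.

```python
import struct

def encode_bl(from_addr: int, to_addr: int) -> int:
    """Encode ARM-mode `bl to_addr` at from_addr (PC reads as from_addr+8)."""
    off = to_addr - (from_addr + 8)
    if off % 4 or not -(1 << 25) <= off < (1 << 25):
        raise ValueError("target not reachable with a 26-bit bl")
    return 0xEB000000 | ((off >> 2) & 0xFFFFFF)

def decode_bl(insn: int, at_addr: int) -> int:
    """Inverse of encode_bl; raises if insn is not an unconditional bl."""
    if insn & 0xFF000000 != 0xEB000000:
        raise ValueError("not an unconditional bl")
    imm = insn & 0xFFFFFF
    if imm & 0x800000:
        imm -= 1 << 24          # sign-extend imm24
    return at_addr + 8 + (imm << 2)

MOV_R0_SL = 0xE1A0000A        # mov r0, sl      (r0 = r10)
EOR_R0_R0 = 0xE0200000        # eor r0, r0, r0  (r0 = 0)

def patch_close_to_exit(image: bytearray, bl_vaddr: int, exit_vaddr: int,
                        load_base: int = 0) -> bytearray:
    """Rewrite `mov r0, sl; bl close` ending at bl_vaddr with
    `eor r0, r0, r0; bl exit`. Assumes file offset == vaddr - load_base
    (check with readelf -l if the binary is PIE or has a non-zero base)."""
    off = bl_vaddr - load_base
    (old_bl,) = struct.unpack_from("<I", image, off)
    decode_bl(old_bl, bl_vaddr)             # refuse to clobber a non-bl word
    struct.pack_into("<I", image, off - 4, EOR_R0_R0)
    struct.pack_into("<I", image, off, encode_bl(bl_vaddr, exit_vaddr))
    return image

def demo() -> tuple:
    """Constructed stand-in for httpd .text: `mov r0, sl; bl close` at
    0x231bc/0x231c0 (addresses from the post); close at 0x10a00 is made up."""
    img = bytearray(0x231c0 + 4)
    struct.pack_into("<I", img, 0x231bc, MOV_R0_SL)
    struct.pack_into("<I", img, 0x231c0, encode_bl(0x231c0, 0x10a00))
    patch_close_to_exit(img, 0x231c0, 0x10b64)
    return struct.unpack_from("<II", img, 0x231bc)

if __name__ == "__main__":
    print("%08x %08x" % demo())   # e0200000 ebffb667
```

The printed words are the little-endian-stored encodings; in a hex editor the bytes at 0x231bc read 00 00 20 e0 67 b6 ff eb.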