Testing tcpdump 4.9 with SCFF

Source: Internet | Editor: 程序博客网 | Time: 2024/06/08 06:57

https://www.softscheck.com/en/identifying-security-vulnerabilities-with-cloud-fuzzing/

After reading this article I thought it was seriously impressive! Time to reproduce it and record every pitfall I hit along the way!

My system: Ubuntu 14.04

First, get the tcpdump source from GitHub:

git clone git://bpf.tcpdump.org/tcpdump

Then I tried building with afl-gcc and got this result...

root@kingdragon-Ubuntu:/home/kingdragon/git/tcpdump# CC=afl-gcc ./configure && make
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... afl-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether afl-gcc accepts -g... yes
checking for afl-gcc option to accept ISO C89... none needed
checking whether the compiler supports the -ffloat-store option... yes
checking for inline... inline
checking for __attribute__... yes
checking whether __attribute__((unused)) can be used without warnings... yes
checking whether __attribute__((noreturn)) can be applied to function pointers without warnings... yes
checking whether __attribute__((format)) can be used without warnings... yes
checking whether __attribute__((format)) can be applied to function pointers... yes
checking how to run the C preprocessor... afl-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking rpc/rpc.h usability... yes
checking rpc/rpc.h presence... yes
checking for rpc/rpc.h... yes
checking rpc/rpcent.h usability... no
checking rpc/rpcent.h presence... no
checking for rpc/rpcent.h... no
checking netdnet/dnetdb.h usability... no
checking netdnet/dnetdb.h presence... no
checking for netdnet/dnetdb.h... no
checking for net/pfvar.h... no
checking for netinet/if_ether.h... yes
checking whether time.h and sys/time.h may both be included... yes
checking smi.h usability... no
checking smi.h presence... no
checking for smi.h... no
checking whether to enable the possibly-buggy SMB printer... yes
configure: WARNING: The SMB printer may have exploitable buffer overflows!!!
checking whether to drop root privileges by default... no
checking whether to chroot... no
checking for cap_enter... no
checking for cap_rights_limit... no
checking for cap_ioctls_limit... no
checking for openat... yes
checking for cap_init in -lcasper... no
checking for cap_gethostbyaddr in -lcap_dns... no
checking whether to sandbox using capsicum... no
checking whether to sandbox using Casper library... no
checking for library containing gethostbyname... none required
checking for library containing socket... none required
checking for library containing putmsg... none required
checking whether the operating system supports IPv6... yes
checking ipv6 stack type... linux-glibc
checking for dnet_htoa declaration in netdnet/dnetdb.h... no
checking for vfprintf... yes
checking for strlcat... no
checking for strlcpy... no
checking for strdup... yes
checking for strsep... yes
checking for getopt_long... yes
checking for fork... yes
checking for vfork... yes
checking for strftime... yes
checking for setlinebuf... yes
checking for alarm... yes
checking for vsnprintf... yes
checking for snprintf... yes
checking return type of signal handlers... void
checking for sigaction... yes
checking for library containing dnet_htoa... no
checking for main in -lrpc... no
checking for library containing getrpcbynumber... none required
checking for local pcap library... not found
checking for pcap-config... no
checking for main in -lpcap... no
configure: error: see the INSTALL doc for more info

It failed. I was a little crushed, but this is hardly the first time, so I went looking for the cause.

I found this:


So, get the libpcap source from GitHub:

git clone git://bpf.tcpdump.org/libpcap

Copy tcpdump into the libpcap directory:

cp -r tcpdump/ libpcap/

Built again, same result...

Try building libpcap:

cd libpcap-1.8.1
./configure

Error:

checking for flex... no
checking for lex... no
configure: error: Neither flex nor lex was found.

Install flex:

sudo apt-get install flex

Another error:

checking for bison... no
checking for byacc... no
checking for capable yacc/bison... insufficient
configure: error: yacc is insufficient to compile libpcap.
 libpcap requires Bison, Berkeley YACC, or another YACC compatible with them.

Install bison:

sudo apt-get install bison

Build tcpdump again:

cd path/to/tcpdump
CC=afl-gcc ./configure && make

Build succeeded! The first step is finally done!
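The build steps above collected into one script, as an added example that is not from the original post or from softScheck. It assumes afl-gcc is on PATH, that sudo may run apt-get, and that tcpdump's configure prefers a libpcap checkout sitting next to the tcpdump tree over the system library (the post instead copies tcpdump into the libpcap directory); afl-showmap is used at the end only to confirm the binary is instrumented.

```shell
#!/bin/sh
# Added example, not from the original post or from softScheck: the build steps
# above as one script. Assumes afl-gcc is on PATH, sudo may run apt-get, and
# that tcpdump's configure prefers a libpcap tree sitting next to tcpdump over
# the system library (hence the side-by-side checkouts).
set -eu

# Print each tool from the argument list that is not on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# build_afl_tcpdump WORKDIR TEMPLATE: clone, build with AFL instrumentation,
# then run the result on TEMPLATE (a pcap) under afl-showmap as a sanity check.
build_afl_tcpdump() {
    work=$1 template=$2
    case $template in /*) ;; *) template=$PWD/$template ;; esac
    mkdir -p "$work"
    cd "$work"

    # flex and bison were the two missing build dependencies in the post.
    if [ -n "$(missing_tools flex bison)" ]; then
        sudo apt-get install -y flex bison
    fi
    if [ -n "$(missing_tools afl-gcc git make)" ]; then
        echo "install first: $(missing_tools afl-gcc git make | tr '\n' ' ')" >&2
        return 1
    fi

    [ -d libpcap ] || git clone git://bpf.tcpdump.org/libpcap
    [ -d tcpdump ] || git clone git://bpf.tcpdump.org/tcpdump

    # Build libpcap first so tcpdump's configure finds it; both get AFL
    # instrumentation, so the pcap file reader is covered as well as the printers.
    (cd libpcap && CC=afl-gcc ./configure && make)
    (cd tcpdump && CC=afl-gcc ./configure && make)

    # An instrumented binary makes afl-showmap report a non-zero tuple count;
    # an uninstrumented one makes it report that no instrumentation was detected.
    afl-showmap -o /dev/null -- ./tcpdump/tcpdump -e -r "$template"
}

# Only build when explicitly asked, so the file can also be sourced for its
# helpers: SCFF_BUILD=1 ./build.sh [WORKDIR] [TEMPLATE.pcap]
if [ "${SCFF_BUILD:-0}" = 1 ]; then
    build_afl_tcpdump "${1:-$HOME/git}" "${2:-ipv4.pcap}"
fi
```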


Create the SCFF project, ready for takeoff!

There is a pitfall here!!!!!!!!!!!

The original article uses scff-mkconfig to create the project, but in reality there is no scff-mkconfig command; use scff-mkcfg instead!

The configuration process is as follows:

root@kingdragon-Ubuntu:/home/kingdragon/git/tcpdump# scff-mkcfg
Location of target binary/tar.gz [/bin/bash]: tcpdump
Arguments for tcpdump (Use @@ where you normally would specify a file name) []: -e -r @@
Select number of machines (1-200) [1]: 4
INSTANCE TYPE        SPEED            COST/HOUR
t2.nano              slowest              0.01€
t2.micro             slow                 0.01€
t2.medium                                 0.06€
m4.large             normal               0.14€
m4.xlarge            fast                 0.28€
m4.2xlarge                                0.57€
m4.4xlarge           superfast            1.14€
m4.10xlarge          extreme              2.85€
Select instance type or machine speed [slow]: t2.micro
EC2 OS must be one of win32, win64, linux32, linux64 [linux64]: linux64
ID             NAME                    DESCRIPTION                        ARCH
ami-02e4be67   ubuntu/images-testing   Canonical, Ubuntu, 16.04 LTS, am   x86_64
ami-02f6ac67   ubuntu/images-testing   Canonical, Ubuntu, 16.04 LTS, am   x86_64
ami-04cb9161   ubuntu/images-testing   Canonical, Ubuntu, 16.04 LTS, am   x86_64
ami-05164c60   ubuntu/images/hvm-ins   <no description>                   x86_64
ami-07f5d162   ubuntu/images/hvm-ins   Canonical, Ubuntu, 16.04 LTS, am   x86_64
ami-0927036c   ubuntu/images-testing   Canonical, Ubuntu, 16.04 LTS, am   x86_64
ami-0a104a6f   ubuntu/images/hvm-ssd   <no description>                   x86_64
ami-0aecb76f   ubuntu/images/hvm-ssd   <no description>                   x86_64
ami-0b174d6e   ubuntu/images/hvm-ssd   <no description>                   x86_64
ami-10012475   ubuntu-16.04__KNIME_S   KNIME Server 4.4.0                 x86_64
ami-10eeb575   ubuntu/images/hvm-ssd   <no description>                   x86_64
ami-11d38974   ubuntu/images-testing   Canonical, Ubuntu, 16.04 LTS, am   x86_64
ami-14527671   snappydata_0.8_201703   [Copied ami-b15901d1 from us-wes   x86_64
ami-14f2a971   ubuntu/images/hvm-ins   <no description>                   x86_64
ami-153e6470   ubuntu/images/hvm-ssd   <no description>                   x86_64
ami-15ecb770   ubuntu/images/hvm-ssd   <no description>                   x86_64
Select AMI-ID [ami-07f5d162]: ami-02e4be67
Instance group ID (GID) (Must be 9 chars long) [4l_tcpdum]: tcpdump49
Fuzzer (must be one of ['dummy', 'afl'] [afl]: afl
Template file [none]: ipv4.pcap
Required libraries/tools for tcpdump [none]: none
Writing config to scff.proj
==================== Configfile, check for errors ====================
[INSTANCES]
ami = ami-02e4be67
gid = tcpdump49
instancetype = t2.micro
name = auto
numberofmachines = 4
platform = linux
post_bootstrap_cmd =
[FUZZING]
dependencies = none
fuzzer = afl
fuzzdir = fuzzing
inputdir = fuzzing/input
outputdir = fuzzing/output
template = ipv4.pcap
target = tcpdump
args = -e -r @@

Then I ran it, but got the following result. Exhausting; I'll pick it up again tomorrow, and just run it locally for now.

root@kingdragon-Ubuntu:/home/kingdragon/git/tcpdump# scff-ctrl .bootstrap
scff-ctrl v0.42 - send commands to an AWS instance.
Programmed by softScheck to control fuzzers in the cloud.
Usage: scff-ctrl INSTANCE-ID|GID||all|running|SCFF-PROJ-FILE CMD
       scff-ctrl list TAG_1:VALUE_1{,TAG_N:VALUE_N} [CMD]
Available instances:
   EC2-INSTANCE-ID       GID        NAME                          STATE
 * i-026bc46674d23cdba   GID unset  <Unnamed>                     running
Available commands (CMD):
  bake-image, bootstrap, clean, cmd, deploy, distributed, doctor, grab-findings,
  grab-stats, halt-machine, info, log, pause-fuzzing, pop, push, reboot-machine,
  remove-machine, report, resume-fuzzing, ssh, start-fuzzing, start-machine,
  status, stop-fuzzing
root@kingdragon-Ubuntu:/home/kingdragon/git/tcpdump# scff-ctrl all start-fuzzing
Sending start-fuzzing to i-026bc46674d23cdba
(!!) sh: 0: Can't open core-pattern
Problems found:
 - Core scff components missing
 - scff daemon unreachable
 - .scff directory does not exist
 - Target has not been deployed
 - scff.proj does not exist
 - core_pattern is not 'core'
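Note that the first scff-ctrl invocation only printed its usage text (the project path and the bootstrap command appear to have been typed as one word), so nothing was bootstrapped before start-fuzzing ran. The following is an added example, not part of scff: a local preflight that mirrors the items from the "Problems found" list that can be checked on the workstation, and validates the scff.proj values entered above (key names are those of the generated config; the 9-character gid and 1-200 machine limits come from the scff-mkcfg prompts).

```shell
#!/bin/sh
# Added example, not part of scff: local preflight mirroring the checks that
# scff-ctrl printed under "Problems found", plus sanity checks on the scff.proj
# values entered with scff-mkcfg (9-char gid, 1-200 machines, @@ in args).

# proj_get FILE KEY: print the value of "KEY = value" from the INI-style file.
proj_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# scff_preflight PROJDIR [CORE_PATTERN_FILE]
# Prints one "- problem" line per failed check; returns 1 if anything failed.
scff_preflight() {
    dir=$1 corefile=${2:-/proc/sys/kernel/core_pattern} rc=0
    proj=$dir/scff.proj
    if [ ! -f "$proj" ]; then
        echo "- scff.proj does not exist (run scff-mkcfg in $dir)"
        return 1
    fi
    [ -d "$dir/.scff" ] || { echo "- .scff directory does not exist (run: scff-ctrl $dir bootstrap)"; rc=1; }
    # afl-fuzz refuses to start while crashes are piped to an external helper
    # (a core_pattern starting with '|'), so scff wants it set to plain 'core'.
    [ "$(cat "$corefile" 2>/dev/null)" = "core" ] || { echo "- core_pattern is not 'core'"; rc=1; }

    gid=$(proj_get "$proj" gid)
    [ ${#gid} -eq 9 ] || { echo "- gid '$gid' must be 9 chars long"; rc=1; }
    n=$(proj_get "$proj" numberofmachines)
    case $n in
        ''|*[!0-9]*) echo "- numberofmachines '$n' is not a number"; rc=1 ;;
        *) [ "$n" -ge 1 ] && [ "$n" -le 200 ] || { echo "- numberofmachines must be 1-200"; rc=1; } ;;
    esac
    # Without @@ the fuzzer has nowhere to substitute the mutated pcap path.
    case "$(proj_get "$proj" args)" in
        *@@*) ;;
        *) echo "- args has no @@ placeholder for the input file"; rc=1 ;;
    esac
    tmpl=$(proj_get "$proj" template)
    [ -f "$dir/$tmpl" ] || { echo "- template '$tmpl' not found in $dir"; rc=1; }
    target=$(proj_get "$proj" target)
    [ -x "$dir/$target" ] || { echo "- target '$target' is not an executable in $dir"; rc=1; }
    return $rc
}

# Usage when run directly: ./preflight.sh /path/to/project
[ $# -eq 0 ] || scff_preflight "$@"
```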

[Screenshot: afl-fuzz running locally]
To be continued; tomorrow I'll carry on with cloud fuzzing on AWS.
