Sheep Shellcode

The hackery blog of Vincent Moscatello.

An American Fuzzylop Environment

In an effort to try and find some zero-days in VLC media player, I’ve been trying to set up a solid environment for fuzzing with American Fuzzy Lop. At the beginning of this project my hardware was limited to a DELL 740 with components that were slowly dying. Well it was between fuzzing on that and fuzzing on my laptop. After reading afl’s readme I reconsidered…

“That said, especially when fuzzing on less suitable hardware (laptops, smartphones, etc), it’s not entirely impossible for something to blow up.”

The original DELL 740 went through several different iterations of operating system installs. The first iteration was a Gentoo install. I was actually really happy with Gentoo but there were several reasons I decided to abandon it. The dependencies for the version of vlc I wanted to compile were not present on portage, the drivers for the mouse I was using seemed to be non-existent (or buried deep within the kernel config), and in general it was an absolute nightmare waiting for things to compile on the older hardware.

The second iteration of operating system installs was Ubuntu. I first tried loading up 14.04 from a usb. It immediately crashed into an initram file system. Le sigh. Time to try lubuntu! lubuntu worked at first but the entire operating system would just freeze up after about 12 hours of fuzzing. I also had issues where lubuntu would fall asleep despite disabling sleep from the xfce system preferences.

It was after a reboot from one of the frozen lubuntu sessions that I encountered hardware issues yay! The hard drive completely died on me. It was time to find the largest amount of cpu cycles I could get for the absolute cheapest price possible. For this I turned to UF surplus where I was able to get two fairly decent computers for around 35$ That’s less money and way more power than a raspberry pi 2!

Introducing megaman and Kirby:

Megaman is a DELL 740 with a AMD 2.40 GHZ processor, 2.0 GB of ram and a 160GB hard drive. Kirby is a slightly more beefy machine with a 3.0 GHZ Core 2 Duo processor, 4GB of ram, and a 250GB hard drive. The computers did not come with an operating system installed on them and unfortunately I didn’t have access to a monitor. It was time to be resourceful. I decided to take out the hard drives and install debian on them using vmware and a SATA to usb cable.

The installation went perfectly! I ended up installing two important packages before placing the hard drives back in the computers, ssh-server and xvnc4server. I used a small dlink router I had lying around from previous reverse engineering projects so I could easily access both computers from an internal network.

To actually give these computers access to the outside internet, I set the gateway of these machine to be my laptop. I used iptables to forward the fuzzing box’s traffic through the laptops wifi interface. Yep. The room hosting Kirby and megaman did not have access to a convenient Ethernet outlet.

At this point everything was working! I was able to connect to the VNC servers which would drop me into an extremely minimal window manager called mwm. After experiencing hiccups with lubuntu I wanted to stick with something as stripped back as possible.

To make the process of fuzzing more convenient I placed the fuzzing job in a simple shell script.

kirby@kirby:~$ cat
/home/kirby/bin/afl/afl-1.86b/afl-fuzz -t2000 -m512 -i /home/kirby/Documents/samples -o /home/kirby/Documents/out /home/kirby/Documents/vlc/vlc-2.2.0~rc2/bin/vlc-static --play-and-exit  @@

One thing you quickly notice after using afl on graphical applications is that the gui application starts in the same xsession as the terminal you start afl in. The terminal you start afl in has lots of important information in it such as the number of crashes so far, the number of new paths found, and the numbers of executions. Viewing the stats quickly becomes an epileptic’s worst nightmare. The simplest solution I came up with was to redirect the standard output of afl into a tmux session. You can find the tmux sessions in /dev/pts

kirby@kirby:/dev/pts$ ls
0  1  3  4  5  6  7  ptmx

Being able to access the afl stats via tmux is extremely convenient! The redirection was as simple as > /dev/pts/7

What was I fuzzing exactly? I decided that the first round of fuzzing would be on windows media files since vlc’s demuxer looked rather complicated.

kirby@kirby:~/Documents/samples$ ls -lh
total 52K
-rw-r--r-- 2 kirby kirby 7.4K Sep 14 15:38 out-0491d9bd474d63efa19faa327540384e.wma
-rw-r--r-- 2 kirby kirby  27K Sep 14 15:40 out-3cdcfdc516b49d6352daa8e28ebe1021.wma
-rw-r--r-- 2 kirby kirby 7.7K Sep 14 15:49 out-467b15c65920cb1ebec71fe1d9f0a419.wma
-rw-r--r-- 2 kirby kirby 6.9K Sep 14 15:50 out-65412c58f15d9ce300b965a4e96aad40.wma

I decided to start with four files that were as small as I could get them. Checkout the video below to see the fuzzing environment in action!