{"id":9188,"date":"2020-02-19T21:10:15","date_gmt":"2020-02-19T15:40:15","guid":{"rendered":"http:\/\/kalilinuxtutorials.com\/?p=9188"},"modified":"2020-02-19T21:10:15","modified_gmt":"2020-02-19T15:40:15","slug":"manul","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/manul\/","title":{"rendered":"Manul : A Coverage-Guided Parallel Fuzzer For Open-Source And Blackbox Binaries On Windows, Linux & Macos"},"content":{"rendered":"\n

Manul is a coverage-guided parallel fuzzer for open-source and black-box binaries on Windows, Linux and macOS (beta) written in pure Python. <\/p>\n\n\n\n

Quick Start<\/strong><\/p>\n\n\n\n

pip3 install psutil
git clone https:\/\/github.com\/mxmssh\/manul
cd manul
mkdir in
mkdir out
echo “AAAAAA” > in\/test
python3 manul.py -i in -o out -n 4 “linux\/test_afl @@”<\/strong><\/p>\n\n\n\n

Installing Radamsa<\/strong><\/p>\n\n\n\n

sudo apt-get install gcc make git wget
git clone https:\/\/gitlab.com\/akihe\/radamsa.git && cd radamsa && make && sudo make install<\/strong><\/p>\n\n\n\n

There is no need to install radamsa on Windows, Manul is distributed with radamsa native library on this platform.<\/p>\n\n\n\n

<\/a>List of Public CVEs<\/strong><\/p>\n\n\n\n

CVE IDs<\/th>Product<\/th>Finder<\/th><\/tr><\/thead>
CVE-2019-9631 CVE-2019-7310 CVE-2019-9959<\/td>Poppler<\/td>Maksim Shudrak<\/td><\/tr>
CVE-2018-17019 CVE-2018-16807 CVE-2019-12175<\/td>Bro\/Zeek<\/td>Maksim Shudrak<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

If you managed to find a new bug using Manul please contact me and I will add you in the list.<\/p>\n\n\n\n

<\/a>Demo<\/strong><\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Dependencies<\/strong><\/p>\n\n\n\n

  1. Python3 (Python2 is deprecated since Jan 1. 2020 but Manul should still work fine under Python2)<\/li>
  2. psutil<\/a><\/li>
  3. pywin32 (pip install pywin32<\/code>) on Windows platform (required for DBI persistence mode only).<\/li><\/ol>\n\n\n\n

    <\/a>Coverage-guided fuzzing<\/strong><\/p>\n\n\n\n

    Currently, Manul supports two types of instrumentation: AFL-based (afl-gcc, afl-clang and afl-clang-fast) and DBI.<\/p>\n\n\n\n

    Coverage-guided fuzzing (AFL instrumentation mode)<\/strong><\/p>\n\n\n\n

    Instrument your target with afl-gcc<\/code> or afl-clang-fast<\/code> and Address Sanitizer<\/code> (recommended for better results). For example:<\/p>\n\n\n\n

    CC=afl-gcc CXX=afl-g++ CFLAGS=-fsanitize=address CXXFLAGS=-fsanitize=address cmake
    make -j 8<\/strong><\/p>\n\n\n\n

    USE_ASAN=1 CC=afl-clang-fast CXX=afl-clang-fast++ cmake
    make -j 8<\/strong><\/p>\n\n\n\n

    Coverage-guided fuzzing in DBI mode<\/strong><\/p>\n\n\n\n

    You don’t need to instrument your target in this mode but you need to download the latest version of DynamoRIO framework for Windows or Linux.<\/p>\n\n\n\n

    Manul is distributed with x86\/x64 precompiled clients for Linux and Windows. You can find them in the following folders:<\/p>\n\n\n\n

    linux\/dbi_32|dbi_64\/libbinafl.so (DynamoRIO client)
    win\/dbi_32|dbi_64\/binafl.dll
    Unfortunately, DynamoRIO is not officially supported on MacOS.<\/strong><\/p>\n\n\n\n

    Using DynamoRIO to fuzz black-box binaries<\/strong><\/p>\n\n\n\n

    You have to uncomment the following lines in the manul.config<\/code> file  and provide correct path to DynamoRIO launcher and client.<\/p>\n\n\n\n

    # Choose DBI framework to provide coverage back to Manul (“dynamorio” or “pin”). Example dbi = dynamorio
    dbi = dynamorio<\/strong><\/p>\n\n\n\n

    # If dbi parameter is not None the path to dbi engine launcher and dbi client should be specified.
    dbi_root = \/home\/max\/DynamoRIO\/bin64\/drrun
    dbi_client_root = \/home\/max\/manul\/linux\/dbi_64\/libbinafl.so
    dbi_client_libs = None<\/strong><\/p>\n\n\n\n

    Additionally, you can increase performance of your black-box fuzzing campaign by using persistent in-memory fuzzing.<\/p>\n\n\n\n

    In this mode, you should instruct Manul to instrument particular function (yes, you need to find it by disassembling your binary) and it will run it in a loop by uncommenting the following lines:<\/p>\n\n\n\n

    dbi_persistence_mode = 1
    dbi_target_module = afl_test
    dbi_target_method = open_file
    #dbi_target_offset = 0x3198 # optionally you can provide offset of this function instead of name
    dbi_fuzz_iterations = 1000<\/strong><\/p>\n\n\n\n

    Also Read – Burp Suite Extension For Generate A Random User Agents<\/a><\/strong><\/p>\n\n\n\n

    Manul uses a large portion of winAFL instrumetation library’s code to communicate and instrument a target.<\/p>\n\n\n\n

    IMPORTANT NOTE:<\/strong> You should use 32-bit launcher and 32-bit client to fuzz 32-bit binaries and 64-bit launcher and 64-bit client for 64-bit binaries!<\/p>\n\n\n\n

    Compiling DynamoRIO client library<\/strong><\/p>\n\n\n\n

    To compile instrumentation library, you need to use the latest version of DynamoRIO. The source code of instrumentation library can be found in dbi_clients_src located in the Manul main folder.<\/p>\n\n\n\n

    64-bit Linux

    cd dbi_clients_src
    wget – download the latest DynamoRIO
    tar xvf DynamoRIO-x86_64-X.XX.XXXX-X.tar.gz
    mkdir client_64
    cd client_64
    cmake ..\/dr_cov\/ -DDynamoRIO_DIR=\/home\/max\/manul\/dbi_clients_src\/DynamoRIO-x86_64-Linux-X.XX.XXXX-X.tar.gz\/cmake
    make<\/strong><\/p>\n\n\n\n

    32-bit Linux

    cd dbi_clients_src
    wget – download the latest DynamoRIO
    tar xvf DynamoRIO-x86_64-X.XX.XXXX-X.tar.gz
    mkdir client_64
    cd client_64
    CFLAGS=-m32 CXXFLAGS=-m32 cmake ..\/dr_cov\/ -DDynamoRIO_DIR=\/home\/max\/manul\/dbi_clients_src\/DynamoRIO-i386-Linux-X.XX.XXXX-X.tar.gz\/cmake
    make<\/strong><\/p>\n\n\n\n

    On Windows, the easiest way to compile the library would be to install Visual Studio (tested on 2017 & 2013 versions), launch VS20XX Cross Tools Command Prompt<\/code> and run the following commands: <\/p>\n\n\n\n

    64-bit Windows
    cd dbi_clients_src
    (Download and extract the latest version of DynamoRIO)
    mkdir client_64
    cd client_64
    cmake -G”Visual Studio 15 Win64″ ..\\dr_cov\\ -DDynamoRIO_DIR=C:\\Users\\max\\manul\\dbi_clients_src\\DynamoRIO-Windows-XXXX.XX.X.X\\cmake
    cmake –build . –config RelWithDebInfo (or just Debug if needed)<\/strong><\/p>\n\n\n\n

    32-bit Windows
    cd dbi_clients_src
    (Download and extract the latest version of DynamoRIO)
    mkdir client_32
    cd client_32
    cmake -G”Visual Studio 15″ ..\\dr_cov\\ -DDynamoRIO_DIR=C:\\Users\\max\\manul\\dbi_clients_src\\DynamoRIO-Windows-XXXX.XX.X.X\\cmake
    cmake –build . –config RelWithDebInfo (or just Debug if needed)<\/strong><\/p>\n\n\n\n

    Using Intel PIN to fuzz black-box binaries on Linux<\/strong><\/p>\n\n\n\n

    Manul initially supported Intel PIN coverage-guided fuzzing but due to low performance and high maintainance overhead, this is not supported anymore.<\/p>\n\n\n\n

    <\/a>Command-Line Arguments<\/strong><\/p>\n\n\n\n

    The most frequently used options can be provided via the command line. The more options are supported using configuration file (manul.config<\/code>).<\/p>\n\n\n\n

    Example: python3 manul.py -i corpus -o out_dir -n 40 \"target @@\"\n\npositional arguments:\n  target_binary  The target binary and options to be executed (don't forget to include quotes e.g. \"target e @@\").\n\noptional arguments:\n  -h, --help     show this help message and exit\n  -n NFUZZERS    Number of parallel fuzzers\n  -s             Run dumb fuzzing (no code instrumentation)\n  -c CONFIG      Path to config file with additional options (see Configuration File Options section below)\n  -r             Restore previous session\n\nRequired parameters:\n  -i INPUT       Path to directory with initial corpus\n  -o OUTPUT      Path to output directory\n\n<\/code><\/pre>\n\n\n\n
    <\/a>Configuration File Options<\/strong><\/p>\n\n\n\n
    Manul is distributed with default manul.config<\/code> file where user can find all supported options and usage examples. Options should be specified in the following format Format: <option_name> = <value><\/code>. Symbol #<\/code> can be used to ignore a line.<\/p>\n\n\n\n
    <\/a>Dictionary<\/strong><\/p>\n\n\n\n
    dict = \/home\/max\/dictionaries\/test.dict<\/code>. AFL mutation strategy allows user to specify a list of custom tokens that can be inserted at random places in the fuzzed file. <\/p>\n\n\n\n
    Manul supports this functionality via this option (absolute paths preferred).<\/p>\n\n\n\n
    <\/a>Mutator weights<\/strong><\/p>\n\n\n\n
    mutator_weights=afl:7,radamsa:2,my_mutator:1<\/code>. Mutator weights allow user to tell Manul how many mutations per 10 executions should be performed by certain fuzzer. <\/p>\n\n\n\n
    In this example, AFL mutator will be executed in 7\/10 mutations, Radamsa 2\/10 and some custom my_mutator<\/code> will get 1\/10. <\/p>\n\n\n\n
    If you want to disable certain mutator, the weight should be assigned to 0 (e.g. mutator_weights=afl:0,radamsa:1,my_mutator:9<\/code>).<\/p>\n\n\n\n
    <\/a>Deterministic Seed (Radamsa Option)<\/strong><\/p>\n\n\n\n
    deterministic_seed = False|True<\/code>. By providing True<\/code>, Radamsa mutations will become deterministic thereby each run of Manul will lead to same outputs.<\/p>\n\n\n\n
    <\/a>Print Summary per Thread<\/strong><\/p>\n\n\n\n
    print_per_thread = False|True<\/code>. By enabling this option, Manul will print summary for each thread being executed instead of total summary.<\/p>\n\n\n\n
    <\/a>Disable Volatile Paths<\/strong><\/p>\n\n\n\n
    disable_volatile_bytes = False|True<\/code> By enabling this option, Manul will not blacklist volatile paths.<\/p>\n\n\n\n
    <\/a>AFL’s forkserver (only UNIX)<\/strong><\/p>\n\n\n\n
    forkserver_on = False|True<\/code> Enable or disable AFL’s forkserver<\/a>.<\/p>\n\n\n\n
    <\/a>DBI Options<\/strong><\/p>\n\n\n\n