Replies: 6 comments
-
I think the easiest path is to write a harness in C and call the function in the .so file you want to fuzz. JavaScript just makes it more complicated and slower, would be my guess. Plus, if you then use QEMU for fuzzing, you can fuzz on an Intel machine with better speed.
-
You can use the whole of the FRIDA API here: https://frida.re/docs/javascript-api/.
-
Thanks for the reply. I understand what you mean, but I still don't know how to write my C harness in this case. Because the symbol table has been stripped, I cannot determine the name of the target function. How can I call the function to be fuzzed in the C harness? Thank you.
-
Nothing special, just as you would normally load a library with C code and call a function that's not exported. This sort of thing should do it...

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>   /* uintptr_t */
#include <dlfcn.h>
#include <string.h>

// Define the function prototype of the neighboring exported function
typedef void (*exported_function_type)(void);

int main() {
    // Path to the shared library (replace with your actual path)
    const char *lib_path = "./libexample.so";

    // Load the shared library
    void *handle = dlopen(lib_path, RTLD_LAZY);
    if (!handle) {
        fprintf(stderr, "Error loading library: %s\n", dlerror());
        return 1;
    }

    // Clear any existing errors
    dlerror();

    // Look up an exported symbol (a function that is accessible)
    exported_function_type exported_function =
        (exported_function_type) dlsym(handle, "exported_function");

    // Check for errors with dlsym
    const char *error = dlerror();
    if (error) {
        fprintf(stderr, "Error locating symbol: %s\n", error);
        dlclose(handle);
        return 1;
    }

    // Calculate the offset between the neighboring symbol and the hidden function
    // This is a conceptual example: you need to know the offset of the hidden function
    uintptr_t exported_addr = (uintptr_t)exported_function;

    // Assume that the hidden function is 64 bytes after the exported function
    // (this is a hypothetical example)
    uintptr_t hidden_function_addr = exported_addr + 64; // The offset needs to be known

    // Cast the address to the type of the hidden function
    // Assuming the hidden function is of type `void (*)(void)`
    void (*hidden_function)(void) = (void (*)(void))hidden_function_addr;

    // Call the hidden function (if it's valid)
    hidden_function(); // This should work if the address is correct

    // Close the library handle when done
    dlclose(handle);
    return 0;
}
```
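As an added example (not code from this thread or from AFL++), here is the same idea done without guessing a byte gap from a neighbouring export: the harness dlopens the stripped library, reads where it was mapped from /proc/self/maps, adds the function's virtual address as shown by the disassembler, and refuses to jump there unless the result lands in an executable mapping. It is Linux-only, and `TARGET_LIB`, `TARGET_NAME`, `TARGET_VADDR` and the target's signature are assumptions to replace with your own values.

```c
// Added example, not from this thread: locate a function that has no symbol
// in a stripped .so as "module base + virtual address from the disassembler",
// sanity-check the pointer, then call it from an AFL++ file-input harness.
// Linux only (reads /proc/self/maps). All TARGET_* values are assumptions.
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET_LIB   "./libtarget.so"  /* assumed: path given to dlopen */
#define TARGET_NAME  "libtarget.so"    /* assumed: file name as shown in maps */
#define TARGET_VADDR 0x12340UL         /* assumed: address in the disassembler */

/* Assumed signature of the hidden function. */
typedef int (*target_fn)(const uint8_t *data, size_t len);

/* Run-time address = mapping base + address in the unrelocated file. This holds
   when the first PT_LOAD of the .so starts at vaddr 0 (usual for shared objects). */
uintptr_t hidden_addr(uintptr_t base, uintptr_t vaddr) { return base + vaddr; }

struct map_entry { uintptr_t start, end, offset; char perms[5]; char path[256]; };

/* Parse one /proc/self/maps line: "start-end perms offset dev inode [path]". */
int parse_maps_line(const char *line, struct map_entry *m) {
    unsigned long start, end, offset;
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %*s %*s %255s",
                   &start, &end, m->perms, &offset, m->path);
    if (n < 4) return 0;
    m->start = start; m->end = end; m->offset = offset;
    return 1;
}

/* True if a mapping path is exactly name or ends with "/name". */
int path_matches(const char *path, const char *name) {
    size_t lp = strlen(path), ln = strlen(name);
    if (lp < ln || strcmp(path + lp - ln, name) != 0) return 0;
    return lp == ln || path[lp - ln - 1] == '/';
}

/* Lowest address at which the named module is mapped (file offset 0). */
uintptr_t module_base(const char *name) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    struct map_entry m;
    uintptr_t base = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (parse_maps_line(line, &m) && m.offset == 0 && path_matches(m.path, name)) {
            base = m.start;
            break;
        }
    fclose(f);
    return base;
}

/* True if addr falls inside an executable mapping of this process. */
int address_is_executable(uintptr_t addr) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    struct map_entry m;
    int hit = 0;
    if (!f) return 0;
    while (!hit && fgets(line, sizeof line, f))
        if (parse_maps_line(line, &m) && m.perms[2] == 'x' && addr >= m.start && addr < m.end)
            hit = 1;
    fclose(f);
    return hit;
}

/* dlopen the stripped library and turn vaddr into a pointer that is safe to call. */
void *resolve_hidden(const char *lib_path, const char *lib_name, uintptr_t vaddr) {
    if (!dlopen(lib_path, RTLD_NOW)) { fprintf(stderr, "dlopen: %s\n", dlerror()); return NULL; }
    uintptr_t base = module_base(lib_name);
    if (!base) { fprintf(stderr, "%s not found in /proc/self/maps\n", lib_name); return NULL; }
    uintptr_t addr = hidden_addr(base, vaddr);
    if (!address_is_executable(addr)) {  /* wrong vaddr: refuse to jump there */
        fprintf(stderr, "0x%lx is not executable; check TARGET_VADDR\n", (unsigned long)addr);
        return NULL;
    }
    return (void *)addr;
}

/* Harness entry: afl-fuzz (frida mode: afl-fuzz -O) starts this with an input
   file path; the whole file is handed to the hidden function. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 1; }
    target_fn target = (target_fn)resolve_hidden(TARGET_LIB, TARGET_NAME, TARGET_VADDR);
    if (!target) return 1;
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    uint8_t *buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf || (n > 0 && fread(buf, 1, (size_t)n, f) != (size_t)n)) { fclose(f); return 1; }
    fclose(f);
    int rc = target(buf, (size_t)n);
    free(buf);
    return rc;
}
```

The executable-mapping check is the part worth keeping even if you resolve the address some other way: an off-by-a-few-bytes `TARGET_VADDR` otherwise shows up as a crash inside the harness that looks exactly like a finding from the fuzzer.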
-
As it seems to me, you should use dlopen in a constructor function (attribute [[gnu::constructor]] for C++/C23). (Also the AFL++ docs suggest using AFL_PRELOAD for dlopened libraries.) In my opinion the best way is to link during the harness build. For example with cmake:

```cmake
...
find_library(target_lib NAMES target PATHS ${LIB_PATH} PATH_SUFFIXES ${PATH} NO_CMAKE_FIND_ROOT_PATH)
add_executable(harness main.cpp)
target_link_libraries(harness PUBLIC ${target_lib})
...
```

Also you should define the symbol in your harness, like this: `extern "C" void some_function_for_fuzing(uint8_t* data, size_t len);` In this case your harness 100% can be fuzzed in frida mode. If some symbols are hidden I can advise using Python LIEF and just... Good luck!
-
Hi there, I'm using AFL++ with frida-mode to fuzz Android stuff.
I've read this blog beforehand, and now I have a question: if I want to fuzz a .so file whose symbol table has been stripped, how can I write a harness JS script? Thanks