22. Installing crashwalk to triage crashes

First we need to install the "exploitable" gdb plugin, because crashwalk depends on it and its path is hard-coded, so run the following commands:

mkdir ~/src
cd ~/src
git clone https://github.com/jfoote/exploitable.git

After that we need to install golang; enter this command:

$ sudo apt install golang

Then we can install crashwalk:

$ go get -u github.com/bnagy/crashwalk/cmd/...

This installs the crashwalk binaries cwtriage, cwdump and cwfind into the ~/go/bin directory. Modify your system PATH so that these crashwalk binaries can be found:

export PATH=$PATH:~/go/bin

Triaging crashes with cwtriage

First let's look at which options it has:

$ cwtriage

  cwtriage runs crashfiles with instrumentation and outputs results in various 
  formats  
  Usage: cwtriage -root /path/to/afl-dir [-match pattern] -- /path/to/target -in @@ -out whatever
  ( @@ will be substituted for each crashfile )

  -afl
        Prefer the AFL recorded crashing command, if present
  -every int
        Run every n seconds (default -1)
  -f string
        Template filename to use while running crash
  -ignore string
        Directory skip pattern ( go regex syntax )
  -match string
        Match pattern for files ( go regex syntax )
  -mem int
        Memory limit for target processes (MB) (default -1)
  -output string
        Output format to use: [json pb text] (default "text")
  -root string
        Root directory to look for crashes
  -seen
        Include seen results from the DB in the output
  -seendb string
        Path to BoltDB (default "crashwalk.db")
  -strict
        Abort the whole run if any crashes fail to repro
  -t int
        Timeout for target processes (secs) (default 60)
  -tidy
        Move crashes that error under Run() to a tidy dir
  -workers int
        Number of concurrent workers (default 1)

It has built-in AFL support, so you can enter the following command:

$ cwtriage -afl -root out

You will see something like this:

2020/11/04 09:12:16 ------
Command: ./imgRead_afl out/crashes/id:000000,sig:06,src:000000,op:havoc,rep:128
File: out/crashes/id:000000,sig:06,src:000000,op:havoc,rep:128
Memory Limit: -1
Timeout: 60
Error: no crash detected
---------
---CRASH SUMMARY---
Filename: out/crashes/id:000001,sig:06,src:000000,op:havoc,rep:32
SHA1: d5c3cd9fe0c7e4d95f1a27d86e2ad34b496b1d67
Classification: PROBABLY_NOT_EXPLOITABLE
Hash: 50aaa03fc7675a1c8baaa05d808c21dd.50aaa03fc7675a1c8baaa05d808c21dd
Command: ./imgRead_afl out/crashes/id:000001,sig:06,src:000000,op:havoc,rep:32
Faulting Frame:
   ProcessImage @ 0x00000000004c6568: in /mnt/b/myworkwsl/Damn_Vulnerable_C_Program/imgRead_afl
Disassembly:
   0x00000000004c6553: mov rcx,QWORD PTR [rsp+0x8]
   0x00000000004c6558: mov rdx,QWORD PTR [rsp]
   0x00000000004c655c: lea rsp,[rsp+0x98]
   0x00000000004c6564: mov eax,r14d
   0x00000000004c6567: cdq
=> 0x00000000004c6568: idiv r15d
   0x00000000004c656b: mov r14d,eax
   0x00000000004c656e: mov r12,r13
   0x00000000004c6571: mov WORD PTR [r13+0x7fff800c],0x200
   0x00000000004c657b: movsxd r15,eax
Stack Head (2 entries):
   ProcessImage              @ 0x00000000004c6568: in /mnt/b/myworkwsl/Damn_Vulnerable_C_Program/imgRead_afl
   main                      @ 0x00000000004c76c8: in /mnt/b/myworkwsl/Damn_Vulnerable_C_Program/imgRead_afl
Registers:
rax=0x000000000000ffff rbx=0x00007ffffffedd00 rcx=0x0000000000000000 rdx=0x0000000000000000
rsi=0x0000000000000000 rdi=0x00007ffffffedb81 rbp=0x00007ffffffeddb0 rsp=0x00007ffffffedc80
 r8=0x00007ffffffecf50  r9=0x0000000000000002 r10=0x00000000004d5973 r11=0x00000000004d5973
r12=0x00007ffffffedca4 r13=0x00000fffffffdb90 r14=0x000000000000ffff r15=0x0000000000000000
rip=0x00000000004c6568 efl=0x0000000000010202  cs=0x0000000000000033  ss=0x000000000000002b
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000
Extra Data:
   Description: Floating point exception signal
   Short description: FloatingPointException (17/22)
   Explanation: The target crashed on a floating point exception. This may indicate a division by zero or a number of other floating point errors. It is generally difficult to leverage these types of errors to gain control of the processor.
---END SUMMARY---
2020/11/04 09:12:18 ------
Command: ./imgRead_afl out/crashes/id:000002,sig:06,src:000000,op:havoc,rep:128
File: out/crashes/id:000002,sig:06,src:000000,op:havoc,rep:128
Memory Limit: -1
Timeout: 60
Error: no crash detected

You will notice that not every input caused a crash; for those you see a message like this:

Error: no crash detected

This is because we did not pass the ASAN options to cwtriage. So run it again:

$ ASAN_OPTIONS="abort_on_error=1:symbolize=0" cwtriage -afl -seen -root out

This creates a file named crashwalk.db. You can then use cwdump to dump the crash information:

$ cwdump crashwalk.db

You can redirect this output to a text file, or pipe it through | more to page through it.

You can also use cwfind to find all files with a given hash. Use the following command:

$ cwfind -db crashwalk.db b9bdc301f6ec7b1f38a58796cac7369e.dcde4daab363919b57d3903b9ffcea8c

You will see all the files that cause the same crash.
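To see every crash file that shares a hash without running cwfind once per hash, the following added script (not part of crashwalk or of this tutorial) parses the text-format cwtriage output shown above and groups crash files by their exploitable hash; the sample input is constructed from that format, and the "group.py" name in the usage comment is just a placeholder.

```python
"""Group cwtriage text-format crash summaries by exploitable hash (added example)."""
import re
import sys
from collections import defaultdict
# Constructed sample modelled on the cwtriage text output shown above.
SAMPLE = """\
Command: ./imgRead_afl out/crashes/id:000000,sig:06,src:000000,op:havoc,rep:128
Error: no crash detected
---CRASH SUMMARY---
Filename: out/crashes/id:000001,sig:06,src:000000,op:havoc,rep:32
Classification: PROBABLY_NOT_EXPLOITABLE
Hash: 50aaa03fc7675a1c8baaa05d808c21dd.50aaa03fc7675a1c8baaa05d808c21dd
---END SUMMARY---
---CRASH SUMMARY---
Filename: out/crashes/id:000003,sig:06,src:000000,op:havoc,rep:64
Classification: PROBABLY_NOT_EXPLOITABLE
Hash: 50aaa03fc7675a1c8baaa05d808c21dd.50aaa03fc7675a1c8baaa05d808c21dd
---END SUMMARY---
---CRASH SUMMARY---
Filename: out/crashes/id:000004,sig:11,src:000000,op:havoc,rep:16
Classification: EXPLOITABLE
Hash: 0123456789abcdef0123456789abcdef.fedcba9876543210fedcba9876543210
---END SUMMARY---
"""
SUMMARY_RE = re.compile(r"---CRASH SUMMARY---\n(.*?)---END SUMMARY---", re.S)
FIELD_RE = re.compile(r"^(Filename|Classification|Hash): (.+)$", re.M)

def parse_summaries(text):
    """One dict per summary block; blocks lacking Hash/Filename are skipped."""
    blocks = [dict(FIELD_RE.findall(b)) for b in SUMMARY_RE.findall(text)]
    return [b for b in blocks if "Hash" in b and "Filename" in b]

def group_by_hash(summaries):
    """Map hash -> (classification, sorted crash files sharing that hash)."""
    files, cls = defaultdict(list), {}
    for s in summaries:
        files[s["Hash"]].append(s["Filename"])
        cls[s["Hash"]] = s.get("Classification", "UNKNOWN")
    return {h: (cls[h], sorted(f)) for h, f in files.items()}

def report(text):
    """Report lines, one per unique crash, largest duplicate group first."""
    rows = sorted(group_by_hash(parse_summaries(text)).items(),
                  key=lambda kv: (-len(kv[1][1]), kv[0]))
    return [f"{c:24} {len(f):3} file(s)  {h}" for h, (c, f) in rows]

if __name__ == "__main__":  # usage: cwtriage -afl -root out | python3 group.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)))
```

Lines that are not inside a ---CRASH SUMMARY--- block, such as the "no crash detected" entries, are ignored, so the full cwtriage output can be piped in unchanged.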

Source: http://fuzzing.in/codelabs/fuzzing_opensource/index.html?index=..%2F..index#21