DrAFL : Fuzzing Binaries With No Source Code On Linux

Original AFL supports black-box coverage-guided fuzzing using QEMU mode. I highly recommend to try it first and if it doesn’t work you can try drAFL tool.

Usage

You need to specify DRRUN_PATH to point to drrun launcher and LIBCOV_PATH to point to libbinafl.so coverage library. You also need to switch off AFL’s fork server (AFL_NO_FORKSRV=1) and probably AFL_SKIP_BIN_CHECK=1. See step 5 in the build section below for more details.

NOTE: Don’t forget that you should use 64-bit DynamoRIO for 64-bit binaries and 32-bit DynamoRIO for 32-bit binaries, otherwise it will not work. To make sure that your target is running under DynamoRIO, you can run it using the following command:

drrun – – <path/to/your/app/> <app_args>

Instrumentation DLL

Instrumentation library is a modified version of winAFL’s coverage library created by Ivan Fratric.

Also Read – Easysploit : Metasploit Automation Easier & Faster Than Ever

Build

Step 1. Clone drAFL repo

git clone https://github.com/mxmssh/drAFL.git /home/max/drAFL
cd /home/max/drAFL

Step 2. Clone and build DynamoRIO

git clone https://github.com/DynamoRIO/dynamorio
mkdir build_dr
cd build_dr/
cmake ../dynamorio/
make -j
cd ..

If you have any problems with DynamoRIO compilation check this page

Step 3. Build coverage tool

mkdir build
cd build
cmake ../bin_cov/ -DDynamoRIO_DIR=../build_dr/cmake
make -j
cd ..

Step 4. Build patched AFL

cd afl/
make
cd ..

Step 5. Configure environment variables and run the target

cd build
mkdir in
mkdir out
echo “AAAA” > in/seed
export DRRUN_PATH=/home/max/drAFL/build_dr/bin64/drrun
export LIBCOV_PATH=/home/max/drAFL/build/libbinafl.so
export AFL_NO_FORKSRV=1
export AFL_SKIP_BIN_CHECK=1
../afl/afl-fuzz -m none -i in -o out — ./afl_test @@

In case of afl_test you should expect 25-30 exec/sec and 1 unique crash in 2-3 minutes.

R K

Recent Posts

Nmap cheat sheet for beginners

Nmap (Network Mapper) is a free tool that helps you find devices on a network,…

4 hours ago

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

1 week ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 week ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 week ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 week ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 week ago