UniFuzzer : A Fuzzing Tool For Closed-Source Binaries Based On Unicorn & LibFuzzer

UniFuzzer is a fuzzing tool for closed-source binaries based on Unicorn and LibFuzzer. Currently it supports fuzzing 32-bits LSB ELF files on ARM/MIPS, which are usually seen in IoT devices.

Features

  • very little hack and easy to build
  • can target any specified function or code snippet
  • coverage-guided fuzzing with considerable speed
  • dependence resolved and loaded automatically
  • library function override by PRELOAD

Build

  1. Reverse the target binary and find interesting functions for fuzzing.
  2. Create a .c file in the directory callback, which should contain the following callbacks:
  • void onLibLoad(const char *libName, void *baseAddr, void *ucBaseAddr): It’s invoked each time an dependent library is loaded in Unicorn.
  • int uniFuzzerInit(uc_engine *uc): It’s invoked just after all the binaries been loaded in Unicorn. Stack/heap/registers can be setup up here.
  • int uniFuzzerBeforeExec(uc_engine *uc, const uint8_t *data, size_t len): It’s invoked before each round of fuzzing execution.
  • int uniFuzzerAfterExec(uc_engine *uc): It’s invoked after each round of fuzzing execution.

Also Read – ISPY : Eternalblue/Bluekeep Scanner & Exploit

  1. Run make and get the fuzzing tool named uf.

Run

uniFuzzer uses the following environment variables as parameters:

  • UF_TARGET: Path of the target ELF file
  • UF_PRELOAD: Path of the preload library. Please make sure that the library has the same architecture as the target.
  • UF_LIBPATH: Paths in which the dependent libraries reside. Use : to separate multiple paths.

And the fuzzing can be started using the following command:

UF_TARGET=<target> [UF_PRELOAD=<preload>] UF_LIBPATH=<libPath> ./uf

Demo

There comes a demo for basic usage. The demo contains the following files:

  • demo-vuln.c: This is the target for fuzzing. It contains a simple function named vuln() which is vulnerable to stack/heap overflow.
  • demo-libcpreload.c: This is for PRELOAD hooking. It defines an empty printf() and simplified malloc()/free().
  • callback/demo-callback.c: This defines the necessary callbacks for fuzzing the demo vuln() function.

First, please install gcc for mipsel (package gcc-mipsel-linux-gnu on Debian) to build the demo:

# the target binary
# ‘-Xlinker –hash-style=sysv’ tells gcc to use ‘DT_HASH’ instead of ‘DT_GNU_HASH’ for symbol lookup
# since currently uniFuzzer does not support ‘DT_GNU_HASH’ mipsel-linux-gnu-gcc demo-vuln.c -Xlinker –hash-style=sysv -no-pie -o demo-vuln

# the preload library mipsel-linux-gnu-gcc -shared -fPIC -nostdlib -Xlinker –hash-style=sysv demo-libcpreload.c -o demo-libcpreload.so

Or you can just use the file demo-vuln and demo-libcpreload.so, which are compiled using the commands above.

Next, run make to build uniFuzzer. Please note that if you compiled the MIPS demo by yourself, then some addresses might be different from the prebuilt one and demo-callback.c should be updated accordingly.

Finally, make sure that the libc library of MIPS is ready. On Debian it’s in /usr/mipsel-linux-gnu/lib/ after installing the package libc6-mipsel-cross, and that’s what UF_LIBPATH should be:

UF_TARGET=<path to demo-vuln> UF_PRELOAD=<path to demo-libcpreload.so> UF_LIBPATH=<lib path for MIPS> ./uf

Hack on Unicorn

Unicorn clears the JIT cache of QEMU due to this issue, which slows down the speed of fuzzing since the target binary would have to be JIT re-compiled during each round of execution.

We can comment out tb_flush(env); as stated in that issue for performance.

TODO

  • support for syscall
  • support for other architectures and binary formats
  • support GNU_HASH
  • support IFUNC
  • integrate environment setup and provide APIs
R K

Recent Posts

Nmap cheat sheet for beginners

Nmap (Network Mapper) is a free tool that helps you find devices on a network,…

5 hours ago

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

1 week ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 week ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 week ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 week ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 week ago