
Error while running in honggmode

Open ashishk1994 opened this issue 6 years ago • 7 comments

Hi

I tried to set up ffw with honggmode by following the README, but it fails at the final step when I try to run the fuzzer. Can someone please help me here?

I am using Ubuntu 18.04.

(python2.7_venv) root@ashish-VirtualBox:/home/ashish/network-fuzzer/ffw/vulnserver# ../ffw.py --honggmode
Basedir: /home/ashish/network-fuzzer/ffw
Config file: /home/ashish/network-fuzzer/ffw/vulnserver/config.py
Rember "use_netnamespace requires nesting in container"
Start fuzzing child #0
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/home/ashish/network-fuzzer/ffw/honggmode/honggslave.py", line 69, in doActualFuzz
    targetutils.startInNamespace(self.realDoActualFuzz, self.threadId)
  File "/home/ashish/network-fuzzer/ffw/target/targetutils.py", line 39, in startInNamespace
    func()
  File "/home/ashish/network-fuzzer/ffw/honggmode/honggslave.py", line 117, in realDoActualFuzz
    if honggComm.openSocket(serverManager.process.pid):
AttributeError: 'NoneType' object has no attribute 'pid'

config.py is as follows:

(python2.7_venv) root@ashish-VirtualBox:/home/ashish/network-fuzzer/ffw/vulnserver# cat config.py 
# this is a dedicated configuration file
# the same content as fuzzing.py

{
    # name of the software we fuzz
    "name": "vulnserver",

    # which version of the software are we fuzzing (optional)
    "version": "",

    # additional comment about this project (optional)
    "comment": "",

    # Path to target
    "target_bin": "bin/vulnserver_hfuzz",

    # target arguments
    # separate arguments by space
    # keywords: ""%(port)i" is the port the server will be started on
    "target_args": "%(port)i",

    # if you cant specify the port on the command line,
    # hardcode it here. Note that it will work only with one fuzzing instance.
    "target_port": 20000,

    # how many fuzzing instances should we start
    "processes": 1,

    # "tcp" or "udp" protocol?
    "ipproto": "tcp",

    "honggpath": "/home/ashish/network-fuzzer/honggfuzz/honggfuzz",

    "use_netnamespace": True,
}

ashishk1994 avatar Oct 14 '19 16:10 ashishk1994

Looks like the honggfuzz version is causing the issue. I tried the following honggfuzz versions (based on the tags in the honggfuzz repo) along with the latest FFW repo.

honggfuzz version 1.9: the sancov parameter is removed from honggfuzz, but FFW still uses sancov params when trying to spawn the honggfuzz server, hence it throws an error of "unrecognized sancov option parameters", the server is not up, and ffw throws the above-mentioned error.

honggfuzz version 1.8: same issue as above.

honggfuzz version 1.7: for this version, sancov is supported, hence the error changes to the following. @dobin any follow-ups?

INFO:root:  Pid: 775
INFO:root:  Return code: None
INFO:root:Start server PID: 775
INFO:root:connecting to honggfuzz socket: /tmp/honggfuzz_socket.775...
 connected to honggfuzz!
INFO:root:Honggfuzz connection successful
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
INFO:root:NET Check if we can connect to server localhost:20000
DEBUG:root:NET testServerConnectionTcp: connect to ('localhost', 20000)
INFO:root:NET Connection error: [Errno 111] Connection refused
ERROR:root:NET  Server not alive, aborting - 20000
Check if process exists: ps auxwww | grep vulnserver_hfuzz
ashish     775  0.0  0.0  88360  3980 pts/0    Sl+  13:21   0:00 /home/ashish/network-fuzzer/honggfuzz/honggfuzz --keep_output --sanitizers --sancov --threads 1 --stdin_input --socket_fuzzer --san_opts detect_leaks=0 -d -l honggfuzz.log -- /home/ashish/network-fuzzer/ffw/vulnserver/bin/vulnserver_hfuzz 20000
ashish     778  0.2  0.0 21475051004 3752 ?    ts   13:21   0:00 /home/ashish/network-fuzzer/ffw/vulnserver/bin/vulnserver_hfuzz 20000
ashish     779  0.0  0.0   4624   788 pts/0    S+   13:21   0:00 sh -c ps auxwww | grep vulnserver_hfuzz
ashish     781  0.0  0.0  21532  1060 pts/0    S+   13:21   0:00 grep vulnserver_hfuzz
Check if port is open: lsof -i -P
Trying netcat
nc: connect to localhost port 20000 (tcp) failed: Connection refused
List intefaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:7b:1b:88 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 74257sec preferred_lft 74257sec
    inet6 fe80::b89e:6d50:63bb:4bfa/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
 
Common errors:
* Did you specify the correct port?
* Did you specify all necessary command line arguments for target (config file etc)?
* Are the paths/working-directory of target set correctly?
* In honggfuzz mode: Is the target compiled with hfuzz_cc compiler?
ERROR:root:Bootstrap: Could not connect to server.

ashishk1994 avatar Nov 07 '19 05:11 ashishk1994

While trying to connect from ffw to honggfuzz we are using an AF_UNIX socket with the socket file as parameter, while in testServerConnection in network we are using AF_INET with localhost and port as the server_address. In my case, the AF_UNIX socket connection works but somehow I can't use the AF_INET socket for connection, hence testServerConnection is failing. @dobin is there something I am missing here that you can help with?

ashishk1994 avatar Nov 07 '19 05:11 ashishk1994
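A triage sketch for the "Connection refused" symptom reported in the comments above, added here as an example (not code from the thread or from ffw): it reads `ps` rows and `/proc/net/tcp` text and reports whether the target is missing, stopped, or running without a listener on the expected port. The sample rows are constructed (the `ps` rows are shortened from the posted output, with a placeholder honggfuzz path), and the function names are hypothetical.

```python
# Constructed sample data: ps rows shortened from the output posted above,
# /proc/net/tcp rows invented for illustration.
PS_ROWS = """\
ashish 775 0.0 0.0 88360 3980 pts/0 Sl+ 13:21 0:00 /opt/honggfuzz/honggfuzz --socket_fuzzer -- bin/vulnserver_hfuzz 20000
ashish 778 0.2 0.0 21475051004 3752 ? ts 13:21 0:00 bin/vulnserver_hfuzz 20000
"""
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 20001 1 0 100 0 0 10 0
"""


def target_states(ps_text, target):
    """Return {pid: STAT} for processes whose executable basename is `target`."""
    states = {}
    for line in ps_text.splitlines():
        # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        cols = line.split(None, 10)
        if len(cols) == 11 and cols[1].isdigit():
            exe = cols[10].split()[0].rsplit("/", 1)[-1]
            if exe == target:  # skips the honggfuzz wrapper, which only names the target as an argument
                states[int(cols[1])] = cols[7]
    return states


def listening_ports(proc_net_tcp):
    """Return the IPv4 ports in TCP_LISTEN (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) > 3 and cols[3] == "0A":
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))  # local_address is HEXIP:HEXPORT
    return ports


def triage(ps_text, proc_net_tcp, target, port):
    states = target_states(ps_text, target)
    if not states:
        return "target-not-running"
    if port in listening_ports(proc_net_tcp):
        return "listening"
    # STAT 't': stopped by a tracer; 'T': stopped by a job-control signal.
    stopped = sorted(pid for pid, st in states.items() if st[0] in "tT")
    if stopped:
        return "target-stopped pid=%s" % ",".join(map(str, stopped))
    return "running-but-not-listening"


if __name__ == "__main__":
    print(triage(PS_ROWS, PROC_NET_TCP, "vulnserver_hfuzz", 20000))
```

`/proc/net/tcp` reflects the network namespace of the process reading it, so with `use_netnamespace` enabled it has to be read from inside the namespace the target runs in; IPv6 listeners appear in `/proc/net/tcp6` instead.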

Looks like the issue is in the fuzz binary creation - I used clang while honggfuzz was compiled using gcc. The above issues were fixed when I compiled the fuzz binary with gcc. We can close this.

ashishk1994 avatar Nov 07 '19 10:11 ashishk1994

Hey. I didn't understand your solution.

It was solved by compiling your target program with honggfuzz-gcc? Because it didn't work when using honggfuzz-clang, because you compiled honggfuzz with gcc? That would be interesting, I would never have found that out!

dobin avatar Nov 12 '19 08:11 dobin

Hi,

I have also been trapped in the "Connection refused" issue for a long time, and I still don't understand @ashishk1994's solution. Can you give me more details? Because I used all of honggfuzz's compilers and it didn't work at all.

HarDToBelieve avatar Dec 02 '19 05:12 HarDToBelieve

@dobin ,

I also cannot run the socketfuzzer example from honggfuzz's repo. It seems that after spawning and accepting the connection successfully, the fuzzer shuts it down immediately?

Maybe these two issues are the same one?

HarDToBelieve avatar Dec 02 '19 05:12 HarDToBelieve

@dobin

@HarDToBelieve yes, you are right, even the socketfuzzer example failed for me. I am still not able to figure out the exact issue, but it is pretty clear the current versions of FFW and HonggFuzz are not compatible.

For me, changing to HonggFuzz version 1.7 and compiling vulnserver_hfuzz with gcc worked without error.

@dobin - do you have an idea why we are getting this issue and, if possible, can you make FFW compatible with the current honggfuzz version?

ashishk1994 avatar Jan 16 '20 16:01 ashishk1994