Test case 'id_000000' results in a timeout
GitHub Issue: Problem with Fuzz Testing Using WinAFL and DynamoRIO
Description
I am performing fuzz testing on a sample C++ program using WinAFL and DynamoRIO. The program was compiled using Visual Studio Community 2022, generating the .exe and .pdb files. To provide input for fuzzing, I created a binary file named image.img with the following Python script:
import struct

# Define the data
header = b"IMAG"      # 4-byte header
width = 20            # Integer (4 bytes)
height = 30           # Integer (4 bytes)
data = b"ABCDEFGHIJ"  # 10 bytes of data

# Create binary data using struct
binary_data = struct.pack("4sii10s", header, width, height, data)

# Write to a file
with open("image.img", "wb") as f:
    f.write(binary_data)

print("image.img file has been created.")
After debugging my configuration, the dry run of the fuzzing process was successful. However, when executing the final fuzzing command, I encountered the following error:
Error Screenshot
Environment Details
- Operating System: Windows 11
- Compiler: Visual Studio Community 2022
- WinAFL Version: Latest
- DynamoRIO Version: Windows-7.1.0-1 (bin32 used for 32-bit fuzzing)
Fuzz Command:
afl-fuzz.exe -i inImage -o outImage -t 5000 -D C:\fuzzing\DynamoRIO-Windows-7.1.0-1\bin32 -- -coverage_module samplefuzzprogram.exe -target_module samplefuzzprogram.exe -target_offset 0xffdff000 -fuzz_iterations 5000 -call_convention cdecl -nargs 1 -covtype edge -- samplefuzzprogram.exe @@
Steps Taken
- Verified that the compiled program runs without errors.
- Ensured image.img conforms to the structure expected by the ProcessImage function.
- Performed a dry run with:
  C:\fuzzing\DynamoRIO-Windows-11.0.20049\bin32\drrun.exe -c winafl.dll -debug -target_module samplefuzzprogram.exe -target_offset <calculated_offset> -- samplefuzzprogram.exe image.img
  This was successful and produced no errors.
- When running the afl-fuzz command, the error mentioned above was encountered.
Request
Could someone help identify where the problem might be in the configuration or execution? Specifically:
- Is there a misstep in the fuzzing command?
- Could there be an issue with the calculated offset or the call convention?
- Are there any additional debugging steps I should take to resolve the issue?
Any guidance on resolving this error would be greatly appreciated!
I have no knowledge of winafl but am getting odd support requests which seem to be based on bad example test cases.
There is a NON ISO standard small.PDF sample that will stress Adobe Acrobat due to it being malformed, however MuPDF will process the file without error. Thus there should be no "fault" to test.
@Deepak-Biswakarma-2310 The DynamoRIO version you are using appears to be quite old. Please grab a more recent build from https://github.com/DynamoRIO/dynamorio/releases.
Additionally, the -target_offset 0xffdff000 appears incorrect. The value is too large. The target offset is meant to be an offset from the start of the module to the function you want to fuzz and can be obtained e.g. using windbg.
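As an added sanity check on the offset advice above (example code, not from WinAFL, DynamoRIO, or any commenter): it computes -target_offset the way windbg output gives it, module load address subtracted from the function address, and parses a PE header to confirm the result lies below SizeOfImage, which a value like 0xffdff000 never can. The addresses and the PE header bytes are constructed sample values; the function name ProcessImage is taken from the issue.

```python
import struct

# Field offsets inside IMAGE_OPTIONAL_HEADER (identical for PE32 and PE32+).
OPT_MAGIC = 0
OPT_SIZE_OF_IMAGE = 56


def target_offset(module_base: int, function_va: int) -> int:
    """WinAFL's -target_offset is the RVA of the fuzzed function:
    (function address) - (module load address), both read from the same
    debugger session so the ASLR slide cancels out."""
    if function_va < module_base:
        raise ValueError("function address lies below the module base")
    return function_va - module_base


def pe_size_of_image(pe: bytes) -> int:
    """Read OptionalHeader.SizeOfImage, the upper bound for any valid RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE\0\0 and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt + OPT_MAGIC)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (size,) = struct.unpack_from("<I", pe, opt + OPT_SIZE_OF_IMAGE)
    return size


def offset_is_plausible(pe: bytes, offset: int) -> bool:
    """An RVA must fall inside the mapped image (0 is the header, not code)."""
    return 0 < offset < pe_size_of_image(pe)


def build_constructed_pe32(size_of_image: int = 0x6000) -> bytes:
    """Minimal constructed PE32 header: sample data, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, OPT_MAGIC, 0x10B)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    pe = build_constructed_pe32()
    # Hypothetical windbg output: module base 0x00400000, ProcessImage at 0x00401120.
    rva = target_offset(0x00400000, 0x00401120)
    print("-target_offset 0x%x plausible: %s" % (rva, offset_is_plausible(pe, rva)))
    print("-target_offset 0xffdff000 plausible: %s" % offset_is_plausible(pe, 0xFFDFF000))
```

Against the real samplefuzzprogram.exe, replace the constructed header with the file's bytes and the sample addresses with the values windbg reports for the module and ProcessImage.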
@Deepak-Biswakarma-2310 Did you get this to work?
First of all, I think your harness is wrong; read the afl docs, there are steps that must be followed by the harness. Second, refine your command; I think the offset is wrong.