
Crashes saved aren't really crashes

Open Techno-Fox opened this issue 6 years ago • 2 comments

Hello. It's me again. So after letting pdfcrack fuzz, I wanted to analyze the crashes. However, as it turns out, they weren't even crashes. When I looked, pdfcrack gives an error about them not being save files (pdfcrack has a save file feature I used to make it go faster). Sure, an error, but not a crash.

I also let this fuzz overnight. It took up over 200GB by logging what manul thought to be crashes.

I'll upload the file so you can test this.

pdfcrack_fuzz.zip

Recreate issue:

Just run the command manul.py -i in2 -o out -n 3 -c pdfcrack_manul.config "pdfcrack_scource/pdfcrack -l @@"

The pdfcrack is already instrumented. When you have fuzzed as much as you want, run pdfcrack_source/pdfcrack -l <a .sav in out>, and it should tell you that this is not a save file or is corrupted, not crash.

Techno-Fox, Dec 06 '19 01:12
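One way to do the re-check the post above describes, programmatically: run every saved sample back through the target and keep only those that actually kill the process with a signal, filing the ones that merely print an error and exit nonzero separately. This is an added Python example, not code from manul, AFL or the reporter's attachment. The `@@` placeholder substitution follows the AFL/manul convention; the stand-in target below is a hypothetical script that imitates pdfcrack's "not a save file" error exit on most inputs and a real fault (SIGSEGV) on one, so the example runs offline. One caveat for instrumented targets: an ASan build reports memory errors with exit code 1 by default, so set `ASAN_OPTIONS=abort_on_error=1` before triaging, otherwise real bugs would be filed under "error" here.

```python
"""Re-run a fuzzer's saved "crash" samples and keep only the ones that really
crash the target: a sample counts as a crash only if the process dies from a
signal. A clean nonzero exit (target handled the bad input) is an error path."""
import subprocess
import sys
import tempfile
from pathlib import Path


def triage_sample(cmd_template, sample_path, timeout=10):
    """Run the target once on sample_path and classify the outcome.

    cmd_template is an argv list; every '@@' is replaced by the sample path
    (the placeholder convention AFL and manul use). Returns (verdict, detail):
    ('crash', signo), ('error', exit_code), ('ok', 0) or ('timeout', None).
    """
    argv = [str(sample_path) if arg == "@@" else arg for arg in cmd_template]
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    rc = proc.returncode
    if rc < 0:            # POSIX: killed by signal -rc (SIGSEGV=11, SIGABRT=6, ...)
        return ("crash", -rc)
    if rc == 0:
        return ("ok", 0)
    return ("error", rc)  # clean nonzero exit: the program rejected the input itself


def triage_dir(cmd_template, crash_dir, timeout=10):
    """Classify every file in crash_dir; returns {filename: (verdict, detail)}."""
    results = {}
    for sample in sorted(Path(crash_dir).iterdir()):
        if sample.is_file():
            results[sample.name] = triage_sample(cmd_template, sample, timeout)
    return results


def summarize(results):
    """Count samples per verdict, e.g. {'crash': 1, 'error': 2}."""
    counts = {}
    for verdict, _ in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# --- constructed stand-in target and samples (hypothetical, for offline use) ---
# Mimics a parser that rejects bad input with an error exit, except that input
# starting with b"CRASH" is treated as a real memory fault: the process kills
# itself with SIGSEGV, which is what a genuine segfault looks like to the parent.
FAKE_TARGET = r"""
import os, signal, sys
data = open(sys.argv[1], "rb").read()
if data.startswith(b"CRASH"):
    os.kill(os.getpid(), signal.SIGSEGV)
sys.stderr.write("error: not a save file or file is corrupted\n")
sys.exit(1)
"""

# Constructed samples named like fuzzer output; only the first one really crashes.
SAMPLES = {
    "id_000000": b"CRASH" + b"A" * 64,
    "id_000001": b"\x00\x01garbage save header",
    "id_000002": b"",
}


def demo():
    """Write the fake target and samples to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "fake_target.py"
        target.write_text(FAKE_TARGET)
        crash_dir = Path(tmp) / "out_crashes"
        crash_dir.mkdir()
        for name, data in SAMPLES.items():
            (crash_dir / name).write_bytes(data)
        cmd = [sys.executable, str(target), "@@"]   # '@@' -> each sample path
        return triage_dir(cmd, crash_dir)


if __name__ == "__main__":
    res = demo()
    for name, (verdict, detail) in res.items():
        print(f"{name}: {verdict}" + (f" ({detail})" if detail is not None else ""))
    print(summarize(res))
```

For a real run, replace the `cmd` in `demo()` with the actual target, e.g. `["pdfcrack_source/pdfcrack", "-l", "@@"]`, and point `triage_dir` at the fuzzer's output directory; anything not in the `crash` bucket is a candidate for deletion before the disk fills up.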

Just to make sure, I tested this with AFL. I went through the crashes using afl-collect (part of afl-utils), and found a heap error (which is exploitable).

afl-collect 1.33a by rc0r [email protected] # @_rc0r
Crash sample collection and processing utility for afl-fuzz.

[*] Going to collect crash samples from '/home/kittytechno/fuzzing/pdfcrack/out_afl'.
[!] Table 'Data' not found in existing database!
[*] Creating new table 'Data' in database '/home/kittytechno/fuzzing/pdfcrack/crashes.db' to store data!
[*] Found 1 fuzzers, collecting crash samples.
[*] Successfully indexed 6 crash samples.
[*] Saving invalid sample info to database.
[!] Removed 0 invalid crash samples from index.
[!] Removed 0 timed out samples from index.
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.0' for 1 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.1' for 1 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.2' for 1 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.3' for 1 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.4' for 1 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.5' for 1 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.6' for 0 samples...
[*] Generating intermediate gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script.7' for 0 samples...
[*] Executing gdb+exploitable script 'gdb_script.0'...
[*] Executing gdb+exploitable script 'gdb_script.1'...
[*] Executing gdb+exploitable script 'gdb_script.2'...
[*] Executing gdb+exploitable script 'gdb_script.3'...
[*] Executing gdb+exploitable script 'gdb_script.4'...
[*] Executing gdb+exploitable script 'gdb_script.5'...
[*] Executing gdb+exploitable script 'gdb_script.6'...
[*] Executing gdb+exploitable script 'gdb_script.7'...

*** GDB+EXPLOITABLE SCRIPT OUTPUT ***
[00001] out_afl:id:000000,sig:11,src:000001,op:flip1,pos:119............: PROBABLY_EXPLOITABLE [DestAvNearNull (15/22)]
[00002] out_afl:id:000001,sig:11,src:000001,op:flip1,pos:391............: PROBABLY_EXPLOITABLE [SegFaultOnPcNearNull (12/22)]
[00003] out_afl:id:000002,sig:06,src:000029+000005,op:splice,rep:2......: EXPLOITABLE [HeapError (10/22)]
[00004] out_afl:id:000003,sig:11,src:000029+000048,op:splice,rep:4......: PROBABLY_EXPLOITABLE [SegFaultOnPcNearNull (12/22)]
[00005] out_afl:id:000004,sig:11,src:000029+000041,op:splice,rep:2......: PROBABLY_EXPLOITABLE [SegFaultOnPcNearNull (12/22)]
[00006] out_afl:id:000005,sig:11,src:000036+000021,op:splice,rep:16.....: PROBABLY_EXPLOITABLE [DestAvNearNull (15/22)]

[*] Saving sample classification info to database.
[!] Removed 3 duplicate samples from index. Will continue with 3 remaining samples.
[!] Removed 0 uninteresting crash samples from index.
[*] Generating final gdb+exploitable script '/home/kittytechno/fuzzing/pdfcrack/collection_dir/gdb_script' for 3 samples...
[*] Copying 3 samples into output directory...

Techno-Fox, Dec 06 '19 03:12

Any reports?

Techno-Fox, Dec 06 '19 20:12