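#!/bin/sh
#
# american fuzzy lop++ - crash triage utility
# -----------------------------------------
#
# Originally written by Michal Zalewski
#
# Copyright 2013, 2014, 2017 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Usage: $0 /path/to/afl_output_dir /path/to/tested_binary [...target params...]
#
# Note that this assumes that the targeted application reads from stdin
# and requires no other cmdline parameters. Modify as needed if this is
# not the case. If any target parameter contains a literal "@@", it is
# replaced with the path of the crash file being replayed and stdin is
# not used.
#
# Note that on OpenBSD, you may need to install a newer version of gdb
# (e.g., from ports). You can set GDB=/some/path to point to it if
# necessary.
#
# Environment:
#   GDB           - debugger to run (default: gdb)
#   AFL_ALLOW_TMP - when non-empty, allows the output dir or the binary
#                   to live under /tmp or /var/tmp (see check below)
#

echo "crash triage utility for afl-fuzz by Michal Zalewski"
echo

# Cap the replayed target's address space / data segment so a runaway
# crash cannot exhaust the host. Shells that reject these limits are
# deliberately ignored.
ulimit -v 100000 2>/dev/null
ulimit -d 100000 2>/dev/null

# Print all arguments as one line on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" 1>&2
  exit 1
}

# Replace every "@@" in $1 with $2 and print the result (no trailing
# newline). Done with parameter expansion so that $2 may contain sed or
# regex metacharacters ('<', '&', '\') without corrupting the result.
subst_at() {
  _rest=$1
  _acc=
  while :; do
    case "$_rest" in
      *@@*)
        _acc="${_acc}${_rest%%@@*}$2"
        _rest=${_rest#*@@}
        ;;
      *)
        _acc="${_acc}${_rest}"
        break
        ;;
    esac
  done
  printf '%s' "$_acc"
}

if [ "$#" -lt 2 ]; then
  echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary [...target params...]" 1>&2
  echo 1>&2
  exit 1
fi

DIR="$1"
BIN="$2"
shift 2

# Refuse shared, world-writable temp directories unless explicitly
# allowed: another local user could replace the binary or the crash
# files between the checks below and the moment gdb runs them.
if [ -z "${AFL_ALLOW_TMP:-}" ]; then
  in_tmp=
  case "$DIR" in
    /tmp/*|/var/tmp/*) in_tmp=1 ;;
  esac
  case "$BIN" in
    /tmp/*|/var/tmp/*) in_tmp=1 ;;
  esac
  if [ -n "$in_tmp" ]; then
    die "[-] Error: do not use shared /tmp or /var/tmp directories with this script."
  fi
fi

GDB="${GDB:-gdb}"

if [ ! -f "$BIN" ] || [ ! -x "$BIN" ]; then
  die "[-] Error: binary '$BIN' not found or is not executable."
fi

if [ ! -d "$DIR/queue" ]; then
  die "[-] Error: directory '$DIR' not found or not created by afl-fuzz."
fi

# Count crash files with a glob instead of parsing ls output. Only id:*
# entries are counted, so a crashes/ dir holding nothing but README.txt
# is correctly reported as empty. An unmatched glob expands to the
# literal pattern, which the -e test rejects.
CCOUNT=0
for entry in "$DIR"/crashes/id:*; do
  [ -e "$entry" ] && CCOUNT=$((CCOUNT + 1))
done

if [ "$CCOUNT" = 0 ]; then
  echo "No crashes recorded in the target directory - nothing to be done."
  exit 0
fi

echo

for crash in "$DIR"/crashes/id:*; do

  # Guard against an unmatched glob so gdb is never handed the literal
  # pattern as a file name.
  [ -e "$crash" ] || continue

  # Crash file names are "id:NNNNNN,<second field>,...": take the value
  # after the colon of the first comma-separated field as the id and of
  # the second field as the signal, as the former basename|cut|cut
  # pipeline did (the second field is presumably "sig:NN").
  name=${crash##*/}
  id=${name%%,*}
  id=${id#*:}
  rest=${name#*,}
  sig=${rest%%,*}
  sig=${sig#*:}

  # Build the target's argument string, converting @@ to $crash. If no
  # parameter mentions @@, the crash file is fed on stdin instead.
  use_args=""
  use_stdio=1

  for a in "$@"; do
    case "$a" in
      *@@*)
        use_stdio=
        use_args="$use_args $(subst_at "$a" "$crash")"
        ;;
      *)
        use_args="$use_args $a"
        ;;
    esac
  done

  # Strip the leading space left by the concatenation above.
  use_args="${use_args# }"

  echo "+++ ID $id, SIGNAL $sig +++"
  echo

  # gdb's "r" line is re-parsed by a shell when the target starts, so
  # $use_args and $crash are intentionally interpolated as plain text;
  # output dir paths containing whitespace or shell metacharacters will
  # not survive that re-parse.
  if [ "$use_stdio" = "1" ]; then
    run_cmd="r $use_args <$crash"
  else
    run_cmd="r $use_args"
  fi

  "$GDB" --batch -q --ex "$run_cmd" --ex 'back' \
    --ex 'disass $pc, $pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0</dev/null
  echo

done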