
Installing AFL on Ubuntu 18.04

Posted: 2022-10-25 16:57:52
Tags: AFL afl python qemu sudo echo exit Ubuntu18.04 install

Pitfalls everywhere...

Installing AFL:

  1. Download the afl-latest.tgz tarball from the AFL website and extract it.
  2. In the extracted directory run:
make
sudo make install

This failed for me because gcc was not installed; installing it as the error message suggests fixes it:

sudo apt-get install gcc

Installing QEMU_MODE:

  1. Install the dependencies first:
sudo apt install libtool-bin
sudo apt install bison
sudo apt install libglib2.0-dev
  2. Set up a Python environment, preferably 3.6 or newer; I had run into an error about that earlier.
    Method 1: install Python 3.8 via apt

01. Update the package list and install the package that provides add-apt-repository:

sudo apt update
sudo apt install software-properties-common

02. Add the deadsnakes PPA to the system's source list:

sudo add-apt-repository ppa:deadsnakes/ppa


03. With the repository enabled, install Python 3.8:

sudo apt install python3.8

04. Verify the installation:

python3.8 --version

05. Make it the default python

① System-wide, via a symlink

sudo rm -f /usr/bin/python
sudo ln -s /usr/bin/python3.8 /usr/bin/python

Only ever do this to /usr/bin/python. Leave /usr/bin/python3 alone: Ubuntu 18.04's own tooling is written against the distribution's Python 3.6 and breaks if that link is redirected.

② System-wide, via update-alternatives
List the python alternatives currently registered:

update-alternatives --list python

If this reports that there are no alternatives for python, as it did here, none have been registered yet.
Register the versions; the higher the trailing number, the higher the priority:

sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.8 2

Python 3.8 is now the default python. To switch later, run sudo update-alternatives --config python and pick the entry you want.

Method 2: build and install Python 3.8 from source on Ubuntu

01. Update the package list and install the packages needed to compile Python:

sudo apt update
sudo apt install build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev wget

02. Download the latest release source from the Python download page with wget; at the time of writing that was 3.8.15:

wget https://www.python.org/ftp/python/3.8.15/Python-3.8.15.tgz

03. Extract the tarball once the download has finished:

tar -xf Python-3.8.15.tgz

04. Change into the Python source directory and run the configure script, which performs a series of checks to make sure all dependencies are present on the system:

cd Python-3.8.15
./configure --enable-optimizations

05. Start the Python 3.8 build:

make -j 8

To shorten the build time, adjust -j to the number of processors you have; nproc prints that number.

06. When the build is done, install the Python binaries with:

sudo make altinstall

Do not use the standard make install: it would overwrite the system's default python3 binary.

  3. Run the automated build script in the qemu_mode directory. It targets a very old QEMU (2.10.0), so expect plenty of errors:
./build_qemu_support.sh

I gave it a try. On 16.04 it had complained that Python 3.6 or newer was required, which is why I installed 3.8 above; now it tells me it needs 2.6 or newer but does not support 3. Confusing, to say the least. The explanation is that QEMU 2.10.0's configure script only accepts a Python 2 interpreter (Python 3 support arrived in later QEMU releases), and the build script hands it whatever `python` resolves to. The Python 3.8 detour therefore does not help this step: for the stock script, `python` has to point at Python 2.7 (on 18.04: sudo apt install python2.7, then register it with update-alternatives), or the configure call in the script has to pass --python=/usr/bin/python2.7.

  4. Modify AFL's own build_qemu_support.sh to build a newer QEMU, following this blog post:
#!/bin/sh
# The QEMU version to build; change as needed
VERSION="6.1.1"
# Official download location, fetched over https
QEMU_URL="https://download.qemu.org/qemu-${VERSION}.tar.xz"
# SHA-384 of the release tarball. It must be the hash of the official
# qemu-${VERSION}.tar.xz (compute it with sha384sum on a trusted copy); check
# that the value below really is before relying on it. I did not understand
# this check and commented it out further down; see the note there.
QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105"

echo "================================================="
echo "AFL binary-only instrumentation QEMU build script"
echo "================================================="
echo

echo "[*] Performing basic sanity checks..."

if [ ! "`uname -s`" = "Linux" ]; then

  echo "[-] Error: QEMU instrumentation is supported only on Linux."
  exit 1

fi

if [ ! -f "patches/afl-qemu-cpu-inl.h" -o ! -f "../config.h" ]; then

  echo "[-] Error: key files not found - wrong working directory?"
  exit 1

fi

if [ ! -f "../afl-showmap" ]; then

  echo "[-] Error: ../afl-showmap not found - compile AFL first!"
  exit 1

fi


for i in libtool wget python automake autoconf sha384sum bison iconv; do

  T=`which "$i" 2>/dev/null`

  if [ "$T" = "" ]; then

    echo "[-] Error: '$i' not found, please install first."
    exit 1

  fi

done

if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then

  echo "[-] Error: devel version of 'glib2' not found, please install first."
  exit 1

fi

if echo "$CC" | grep -qF /afl-; then

  echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
  exit 1

fi

echo "[+] All checks passed!"

ARCHIVE="`basename -- "$QEMU_URL"`"

# The stock script hashes an already-present archive here and downloads only
# on mismatch; with the check disabled this value is unused.
CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

#if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then

# Just download, no verification. NOTE: this leaves the tarball completely
# unchecked, so anyone who can alter the download (mirror, proxy, network
# path) can hand you a modified QEMU, and that QEMU then executes every fuzz
# target. The safe fix is to keep the check below and set QEMU_SHA384 to the
# hash of the official release for VERSION.
echo "[*] Downloading QEMU ${VERSION} from the web..."
rm -f "$ARCHIVE"
wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1

#  CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

#fi

#if [ "$CKSUM" = "$QEMU_SHA384" ]; then

#  echo "[+] Cryptographic signature on $ARCHIVE checks out."

#else

#  echo "[-] Error: signature mismatch on $ARCHIVE (perhaps download error?)."
#  exit 1

#fi

echo "[*] Uncompressing archive (this will take a while)..."
# Unpack
rm -rf "qemu-${VERSION}" || exit 1
tar xf "$ARCHIVE" || exit 1

echo "[+] Unpacking successful."


echo "[*] Configuring QEMU for $CPU_TARGET..."

ORIG_CPU_TARGET="$CPU_TARGET"

test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"

cd qemu-$VERSION || exit 1

# The stock script applies AFL's patches to QEMU 2.10.0 here. They do not
# apply to 6.1.1, so this version skips them. Be clear about what that costs:
# those patches (cpu-exec.diff, which pulls in afl-qemu-cpu-inl.h, plus the
# elfload/syscall/configure/memfd diffs) ARE the AFL instrumentation and
# forkserver. An unpatched QEMU is plain QEMU, produces no coverage, and that
# is exactly what a later "No instrumentation detected" from afl-showmap means.
echo "[*] Applying patches..."
echo "[*] Skipping the AFL patches: they target QEMU 2.10.0, not ${VERSION}"

#patch -p1 <../patches/elfload.diff || exit 1
#patch -p1 <../patches/cpu-exec.diff || exit 1
#patch -p1 <../patches/syscall.diff || exit 1
#patch -p1 <../patches/configure.diff || exit 1
#patch -p1 <../patches/memfd.diff || exit 1

echo "[+] Patching step done."

# --enable-pie seems to give a couple of exec's a second performance
# improvement, much to my surprise. Not sure how universal this is..

# Configure. CPU_TARGET defaults to the host CPU (uname -m), e.g. x86_64
CFLAGS="-O3 -ggdb" ./configure --disable-system \
  --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
  --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1

echo "[+] Configuration complete."

echo "[*] Attempting to build QEMU (fingers crossed!)..."
# Build
make || exit 1

echo "[+] Build process successful!"

echo "[*] Copying binary..."
# The paths here are easy to get wrong. We are in qemu_mode/qemu-${VERSION}/,
# so ../../afl-qemu-trace is the AFL source root. QEMU 5 and later build into
# a build/ subdirectory, so the binary is
# qemu_mode/qemu-6.1.1/build/x86_64-linux-user/qemu-x86_64 (the blog I followed
# omitted the build/ component). afl-fuzz looks for afl-qemu-trace first next
# to its own binary and then in its install prefix (/usr/local/bin after make
# install); that is where I ended up copying it by hand after this step still
# errored for me.
cp -f "./build/${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1

cd ..
ls -l ../afl-qemu-trace || exit 1

echo "[+] Successfully created '../afl-qemu-trace'."

if [ "$ORIG_CPU_TARGET" = "" ]; then

  echo "[*] Testing the build..."

  cd ..

  make >/dev/null || exit 1
  # The stock test compiles test-instr.c with plain gcc on purpose: QEMU mode
  # exists to fuzz binaries that carry no compile-time instrumentation, and
  # the comparison below is meant to prove that afl-qemu-trace produces the
  # coverage by itself. With gcc I got "No instrumentation detected", so to
  # get through the test I used afl-gcc instead. Caveat: an afl-gcc binary
  # brings its own instrumentation, so any coverage seen here comes from the
  # compiler, not from QEMU, and the test passes even if QEMU mode does not
  # work at all. The gcc failure is the real result; it points back at the
  # skipped patches above.
  #gcc test-instr.c -o test-instr || exit 1
  afl-gcc test-instr.c -o test-instr || exit 1

  unset AFL_INST_RATIO

  # We shouldn't need the /dev/null hack because program isn't compiled with any
  # optimizations.
  # I suggest dropping -q (quiet mode) here; with it there is no output at all
  # and it looks as though nothing is running.
  echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1
  echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1

  rm -f test-instr

  # Likewise -s here: cmp then reports the result only through its exit status
  # and prints nothing about where the files differ.
  cmp -s .test-instr0 .test-instr1
  DR="$?"

  rm -f .test-instr0 .test-instr1

  if [ "$DR" = "0" ]; then

    echo "[-] Error: afl-qemu-trace instrumentation doesn't seem to work!"
    exit 1

  fi

  echo "[+] Instrumentation tests passed. "
  echo "[+] All set, you can now use the -Q mode in afl-fuzz!"

else

  echo "[!] Note: can't test instrumentation when CPU_TARGET set."
  echo "[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!"

fi

exit 0

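The checksum handling in the script above is where this detour trades safety for convenience: the tarball is fetched and unpacked with no integrity check, so a corrupt or tampered download becomes the QEMU that runs every fuzz target. The following is an added example (my code, not part of the original post or of AFL) of what the stock script's check does and how to keep it when you change VERSION: pin the SHA-384 of the official release, reuse a local archive that already matches, download otherwise, and refuse to keep a mismatching file. It assumes sha384sum and wget are installed and uses the official download host https://download.qemu.org; the function names, the --fetch flag and the empty QEMU_SHA384 placeholder are mine.

```shell
#!/bin/sh
# Added example: pinned-hash download for the QEMU tarball. Not AFL's code.

# sha384_matches FILE EXPECTED_HEX -> exit 0 if FILE hashes to EXPECTED_HEX
sha384_matches() {
    have=$(sha384sum -- "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$have" ] && [ "$have" = "$2" ]
}

# fetch_verified URL EXPECTED_HEX [ARCHIVE]
# Reuses ARCHIVE if it already matches, downloads it otherwise, and fails
# (removing the file) if the downloaded bytes do not match. Refuses to fetch
# anything at all when no plausible SHA-384 is pinned: failing closed beats
# an unverified tarball.
fetch_verified() {
    url="$1"; want="$2"; archive="${3:-$(basename -- "$url")}"
    case "$want" in
        [0-9a-f]*) [ "${#want}" -eq 96 ] || { echo "[-] expected a 96-hex-char SHA-384" >&2; return 1; } ;;
        *) echo "[-] no SHA-384 pinned for $archive, refusing to download" >&2; return 1 ;;
    esac
    if [ -f "$archive" ] && sha384_matches "$archive" "$want"; then
        echo "[+] $archive already present and verified"
        return 0
    fi
    rm -f -- "$archive"
    echo "[*] Downloading $url..."
    wget -O "$archive" -- "$url" || return 1
    if ! sha384_matches "$archive" "$want"; then
        echo "[-] SHA-384 mismatch on $archive (corrupt download or tampering); removing it" >&2
        rm -f -- "$archive"
        return 1
    fi
    echo "[+] $archive downloaded and verified"
}

# Network access only when invoked as ./fetch_qemu.sh --fetch (my convention),
# so sourcing this file for its functions stays offline.
if [ "${1:-}" = "--fetch" ]; then
    VERSION="${VERSION:-6.1.1}"
    # Set QEMU_SHA384 to the hash of the official qemu-${VERSION}.tar.xz,
    # computed with sha384sum on a trusted copy. Left empty here on purpose.
    QEMU_SHA384="${QEMU_SHA384:-}"
    fetch_verified "https://download.qemu.org/qemu-${VERSION}.tar.xz" "$QEMU_SHA384" || exit 1
fi
```

Dropping this into build_qemu_support.sh in place of the commented-out block means a wrong or stale QEMU_SHA384 stops the build instead of being silently ignored, which is the behaviour you want from a verification step.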
  5. Another error: ninja is missing. Install it:
sudo apt-get install ninja-build
  6. Build again. This was a big step forward, but I hit the same error the blogger above describes. According to him, qemu-x86_64 from qemu_mode/qemu-6.1.1/build/x86_64-linux-user has to be placed in the AFL directory. Reading the script myself, it copies "qemu_mode/qemu-6.1.1/build/x86_64-linux-user/qemu-x86_64" to "../../afl-qemu-trace", and his path was missing the build/ component, so I added it and ran the script again.
    That produced yet another error. The blog I referred to explains it as an incompatibility between the bitness of the test program and the architecture QEMU emulates, and says the test error can be ignored, or a 64-bit program can be pointed at the 64-bit target explicitly. Ignoring a failed instrumentation test is not safe advice, though: that test is the only evidence that afl-qemu-trace produces coverage, and with the AFL patches skipped (see the script above) it cannot pass for the right reason.
    Not there yet; I will come back once it is fixed.
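The bitness mismatch mentioned in the last step is easy to catch before fuzzing: the ELF header records which class and machine a binary was built for, and afl-qemu-trace only runs targets matching the CPU_TARGET it was built with (the script defaults to uname -m, so x86_64 on this machine; a qemu-x86_64 build rejects a 32-bit ELF with "Invalid ELF image for this architecture"). This is an added example, not from the original post or from AFL: a POSIX sh function that reads EI_CLASS and e_machine straight from an ELF file and prints the matching qemu-*-linux-user target name, refusing non-ELF, big-endian or inconsistent headers. The 20-byte headers produced by make_fake_elf are constructed test inputs, not real binaries; the function names and the machine table are mine.

```shell
#!/bin/sh
# Added example: pick the QEMU linux-user target for an ELF binary.

# elf_qemu_target FILE -> prints i386 | x86_64 | arm | aarch64, or fails.
# Header layout used here:
#   offset 0..3   magic 7f 45 4c 46
#   offset 4      EI_CLASS  (1 = 32-bit, 2 = 64-bit)
#   offset 5      EI_DATA   (1 = little-endian, 2 = big-endian)
#   offset 18..19 e_machine, read little-endian (we only accept EI_DATA = 1)
elf_qemu_target() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $f" >&2; return 1; }
    class=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    [ "$data" = "1" ] || { echo "big-endian ELF not handled here: $f" >&2; return 1; }
    set -- $(od -An -tu1 -j18 -N2 "$f")
    machine=$(( ${1:-0} + 256 * ${2:-0} ))
    # e_machine values: 3 = EM_386, 62 = EM_X86_64, 40 = EM_ARM, 183 = EM_AARCH64.
    # Each is paired with the ELF class it must come with; a mismatch means a
    # damaged or hand-edited header, so refuse rather than guess.
    case "$machine:$class" in
        3:1)   echo i386 ;;
        62:2)  echo x86_64 ;;
        40:1)  echo arm ;;
        183:2) echo aarch64 ;;
        3:*|62:*|40:*|183:*)
               echo "inconsistent EI_CLASS=$class for e_machine=$machine: $f" >&2; return 1 ;;
        *)     echo "unsupported e_machine $machine: $f" >&2; return 1 ;;
    esac
}

# make_fake_elf FILE CLASS_OCT MACHINE_OCT
# Constructed test input: the first 20 bytes of a little-endian ELF header
# (magic, class, EI_DATA=1, EI_VERSION=1, 9 bytes OSABI/pad, e_type=ET_EXEC,
# e_machine). Octal digits, e.g. "002 076" for a 64-bit x86_64 header.
make_fake_elf() {
    {
        printf '\177ELF'
        printf "\\$2"
        printf '\001\001'
        printf '\000\000\000\000\000\000\000\000\000'
        printf '\002\000'
        printf "\\$3"
        printf '\000'
    } > "$1"
}
```

Run elf_qemu_target ./target before afl-fuzz -Q; when the answer differs from uname -m, rebuild afl-qemu-trace with CPU_TARGET set to that value (CPU_TARGET=i386 ./build_qemu_support.sh), since one afl-qemu-trace binary serves exactly one target architecture.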

Source: https://www.cnblogs.com/hululu/p/16803839.html
