Home

Awesome

afl_ghidra_emu

License

afl_ghidra_emu allows to fuzz exotic architecture using AFL++ and Ghidra emulation with code coverage functionality.

For more information, read this article.

<p align="center"> <img src="https://airbus-cyber-security.com/wp-content/uploads/2021/04/202104_Blog_Graphic_Fuzzing.png"> </p>

How it works?

AFL++ runs a trampoline program (afl_bridge_external) which is in charge of forwarding samples to Ghidra emulation via a TCP socket (Ex: 127.0.0.1:6674/tcp).

A python script in Ghidra (fuzz_xtensa_check_serial.py) is responsible for emulating code execution. It listens on a TCP socket (127.0.0.1:6674/tcp) and waits for input data coming from trampoline script. As soon as the script receives input data, the emulation will be started. During the execution, the executed path addresses, and the execution status are sent to afl_bridge_external using established TCP socket.

afl_bridge_external reports the execution status and execution path to AFL++ using pipes and shared memory.

Installation

Install AFL++

Clone afl_ghidra_emu directory

git clone https://github.com/airbus-cyber/afl_ghidra_emu.git

Compile afl_bridge_external

cd afl_ghidra_emu/afl_bridge_external
make

Copy afl_ghidra_emu files to your ghidra script directory

cd ../..
cp –r afl_ghidra_emu/* $USER_HOME/ghidra_scripts/

Example: Fuzzing Xtensa binary code keygenme_xtensa.elf

./examples/xtensa/bin/keygenme_xtensa.elf is a keygenMe compiled for Xtensa (ex: esp32) architecture. Xtensa is not officially supported in Ghidra yet. So, you need first to install it by following these instruction

Load in Ghidra

Start Fuzz

Make AFL workspace directories

mkdir input output

Add first sample

echo -n "BBBBBBBB" > input/sample1.bin

Start AFL++ with trampoline program.

afl-fuzz -D -i input -o output afl_bridge_external 127.0.0.1 6674 20

Stop Ghidra emulation

Stop AFL++ using CTRL+C. If Ghidra emulation still running, we can send "STOP" command:

echo -e "\xff" | nc 127.0.0.1 6674

Do no use Ghidra Cancel button, because it does not properly close the socket.

Example: Fuzzing PPC binary code keygenme_ppc.elf

./examples/ppc/bin/keygenme_ppc.elf is also a keygenMe compiled for PowerPC architecture.

Follow the same steps above with PowerPC:BE:32:default architecture in Ghidra and run the script fuzz_ppc_check_serial.py.