Driller复现

Driller复现

文章：(2016-NDSS)Driller - Argumenting Fuzzing Through Selective Symbolic Execution

 

安装

环境：ubuntu 16.04

下载docker镜像：pull shellphish/mechaphish

运行镜像：docker run -it --privileged shellphish/mechaphish:latest

测试

切换目录：cd angr-dev/

编写测试代码：vim test.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>int vuln(char *str)
{int len = strlen(str);if(str[0] == 'A' && str[1] == 'e' && str[2] == '8' && str[3] == '6' && str[4] == '!' && str[5] == '!'){raise(SIGSEGV);}else{printf("it is good!\n");}return 0;
}int main(int argc, char *argv[])
{char buf[100]={0};read(0,buf,100);vuln(buf);return 0;
}

编译：gcc -o test test.c

配置环境：echo core | sudo tee /proc/sys/kernel/core_pattern

                  echo 1 | sudo tee /proc/sys/kernel/sched_child_runs_first

运行：./fuzzer/shellphuzz -c 4 -d 1 -C -w workdir2 ./test

运行结束，提示已经发现crash

切换目录：cd /angr-dev/workdir2/test/sync

查看每个fuzzer的crashes文件夹，以fuzzer-master为例

可以看到已经生成了满足示例程序崩溃条件“Ae86!!”的种子，成功。