[Bro] PE file parser fuzzing

Maksim Shudrak mxmssh at gmail.com
Wed Aug 22 15:29:58 PDT 2018


Hi everyone,

I am trying to search for bugs in the Bro file parser using libFuzzer. I found
the old branch where you tried to fuzz the HTTP protocol, so I have
implemented everything on top of this branch. I was able to easily make it
work for the DNP3 protocol, but file analyzers are different. The problem is
that I can't reach the actual PE parser code from my LLVMFuzzerTestOneInput.

The actual code is :

    analyzer::file::File_Analyzer *filea = new analyzer::file::File_Analyzer("TCP", conn);
    filea->DeliverStream(DataSize, Data, true);

I had problems with the file handle, which I solved by adding the following
line in Manager.cc:

--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -427,6 +427,7 @@ string Manager::GetFileID(analyzer::Tag tag,
Connection* c, bool is_orig)

        mgr.QueueEvent(get_file_handle, vl);
        mgr.Drain(); // need file handle immediately so we don't have to
buffer data
+        file_mgr->SetHandle("random_str");
        return current_file_id;
        }
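Review bot: `file_mgr->SetHandle("random_str")` runs unconditionally after `mgr.Drain()`, so it overwrites whatever handle the `get_file_handle` handler may just have produced and hands every call the same constant handle, which means every input delivered through this path maps to the same `current_file_id`. Suggest guarding it with something like `if ( current_file_id.empty() )` and deriving the handle from a per-input value (a counter or the connection) so that each fuzz iteration is treated as a new file rather than appended to one long-lived one.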

In this case, Bro will call the "hash" analyzer and ignore PE. It looks like
the PE file analyzer is not loaded/initialized; the debug log reports only
the following modules being loaded:
[FjjsZfY8GArx2E0Ih] Add analyzer MD5
[FjjsZfY8GArx2E0Ih] Add analyzer SHA1

Probably I am going about this completely the wrong way. It would be great
if you could suggest some other ways to make it work without significant
modification of the Bro source code.

Thank you in advance.

----------------------
Best regards,
Maksim Shudrak.
tel. +1-415-793-0894
skype: vitality_3
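The difficulty described in the message above is that the bytes handed to `DeliverStream` go through the file manager's dispatch (file id, handle, MIME-based analyzer selection) before any parser sees them. A common alternative when fuzzing a single parser is to call that parser directly from `LLVMFuzzerTestOneInput`, bypassing the manager. The following is an added example that is not part of the original post and not Bro's code: a small, bounds-checked PE header parser (DOS header, `e_lfanew`, `PE\0\0` signature, COFF header, section-table fit check) wired to a libFuzzer entry point, plus a constructed sample buffer. The parser, the `PeHeaderInfo` struct and the helper names are hypothetical; they stand in for whatever parser entry point the real target exposes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical result struct; field names mirror the PE spec, not Bro's binpac types.
struct PeHeaderInfo {
    uint32_t pe_offset = 0;     // e_lfanew
    uint16_t machine = 0;       // COFF Machine
    uint16_t num_sections = 0;  // COFF NumberOfSections
    uint16_t opt_hdr_size = 0;  // COFF SizeOfOptionalHeader
};

// Little-endian reads that never touch memory outside [d, d+n).
static bool rd16(const uint8_t* d, size_t n, size_t off, uint16_t* out) {
    if (off > n || n - off < 2) return false;
    *out = (uint16_t)(d[off] | (d[off + 1] << 8));
    return true;
}
static bool rd32(const uint8_t* d, size_t n, size_t off, uint32_t* out) {
    if (off > n || n - off < 4) return false;
    *out = (uint32_t)d[off] | ((uint32_t)d[off + 1] << 8) |
           ((uint32_t)d[off + 2] << 16) | ((uint32_t)d[off + 3] << 24);
    return true;
}

// Returns true and fills *info when the buffer holds a structurally valid DOS+PE+COFF header.
// Every offset derived from input (e_lfanew, SizeOfOptionalHeader, NumberOfSections) is
// checked against the buffer before use, so malformed input yields false, not a bad read.
bool parse_pe_header(const uint8_t* data, size_t size, PeHeaderInfo* info) {
    uint16_t e_magic;
    if (!rd16(data, size, 0, &e_magic) || e_magic != 0x5A4D) return false;  // "MZ"
    uint32_t e_lfanew;
    if (!rd32(data, size, 0x3C, &e_lfanew)) return false;
    // e_lfanew is attacker-controlled: bound it by the buffer, not by the DOS header size.
    if (e_lfanew < 0x40 || e_lfanew > size || size - e_lfanew < 4 + 20) return false;
    if (memcmp(data + e_lfanew, "PE\0\0", 4) != 0) return false;
    size_t coff = e_lfanew + 4;
    PeHeaderInfo out;
    out.pe_offset = e_lfanew;
    rd16(data, size, coff + 0, &out.machine);
    rd16(data, size, coff + 2, &out.num_sections);
    rd16(data, size, coff + 16, &out.opt_hdr_size);
    // The section table (40 bytes per IMAGE_SECTION_HEADER) must fit in the buffer.
    size_t sections_off = coff + 20 + out.opt_hdr_size;
    if (sections_off > size || (size - sections_off) / 40 < out.num_sections) return false;
    *info = out;
    return true;
}

// libFuzzer entry point: feed the raw bytes straight to the parser instead of routing
// them through a manager whose analyzer selection may never pick this parser.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    PeHeaderInfo info;
    parse_pe_header(data, size, &info);
    return 0;  // libFuzzer expects 0
}

// Constructed sample (not a real binary): minimal PE header, i386, one section,
// SizeOfOptionalHeader = 0 so the section table follows the COFF header directly.
std::vector<uint8_t> make_sample_pe() {
    std::vector<uint8_t> buf(0x40 + 4 + 20 + 40, 0);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                    // e_lfanew = 0x40
    memcpy(&buf[0x40], "PE\0\0", 4);
    buf[0x44] = 0x4C; buf[0x45] = 0x01;  // Machine = 0x014C
    buf[0x46] = 1;                       // NumberOfSections = 1
    return buf;
}

// Seed-corpus style checks returning values rather than printing them.
uint16_t sample_machine() {
    std::vector<uint8_t> s = make_sample_pe();
    PeHeaderInfo info;
    return parse_pe_header(s.data(), s.size(), &info) ? info.machine : 0;
}
bool rejects_truncated_sample() {
    std::vector<uint8_t> s = make_sample_pe();
    PeHeaderInfo info;
    return !parse_pe_header(s.data(), 0x58, &info);  // section table cut off
}
bool rejects_oob_lfanew() {
    std::vector<uint8_t> s = make_sample_pe();
    s[0x3C] = 0xFF; s[0x3D] = 0xFF; s[0x3E] = 0xFF; s[0x3F] = 0x7F;  // e_lfanew far past the end
    PeHeaderInfo info;
    return !parse_pe_header(s.data(), s.size(), &info);
}
```

Build it with `clang++ -g -O1 -fsanitize=fuzzer,address harness.cpp -o pe_fuzz` and seed the corpus with the output of `make_sample_pe()`; libFuzzer supplies `main`. The same shape applies to a real target: locate the function that consumes the file bytes (for Bro's PE analyzer, the binpac-generated parser behind the file analyzer) and call it from the entry point, rather than relying on the file manager to route the input there.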