2018-12-21 如何使用honggfuzz来fuzz apache httpd？

这是使用honggfuzz来fuzz apache httpd的一个例子。实践的时候遇到了一些问题，暂时绕不过去了，最后fuzz并没有成功。如果有对fuzz或者webserver感兴趣的同学欢迎一起讨论。

此外，对于一些相对成熟的基础设施软件，如apache/nginx/IIS，有点好奇还会存在RCE吗？现在国内还有团队是做这方面的工作吗？

本文主要参考honggfuzz的example：14cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6Y4L8$3!0Y4L8r3g2Q4x3V1k6Z5L8$3&6Y4k6$3k6#2P5Y4A6Q4x3V1k6T1L8r3!0T1i4K6u0r3L8h3q4K6N6r3g2J5i4K6u0r3k6i4S2S2L8i4m8D9k6i4y4Q4x3V1k6S2M7r3q4U0K9r3g2Q4x3X3c8Z5N6s2c8H3k6q4)9J5c8W2u0q4b7f1c8y4c8g2)9J5k6h3#2V1

0x01 安装honggfuzz

下载honggfuzz源码到~/Fuzz/honggfuzz.git目录，安装好依赖后，使用make安装即可。

# 1. change folder
cd ~/Fuzz

# 2. clone honggfuzz 
git clone 637K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6Y4L8$3!0Y4L8r3g2Q4x3V1k6Z5L8$3&6Y4k6$3k6#2P5Y4A6Q4x3X3g2Y4K9i4b7`. honggfuzz.git
cd honggfuzz.git

# 3. install dependency
apt-get install libbfd-dev
apt-get insall libunwind-dev
apt-get install clang-6.0 # apt-cache search clang / 4.0 5.0 6.0 

# 4. install
make
make install

安装完成后，在/usr/local/bin下可以看到编译后的文件：

0x02 源码编译apache httpd-2.4.29

下载源码到目录：/root/Hackit/apache。

1. 从git上下载apache源码并切换分支

cd /root/Hackit/apache

git clone 7b7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6S2M7r3q4U0K9r3g2Q4x3V1k6Z5N6s2c8H3k6q4)9J5k6h3N6A6N6l9`.`. httpd.hackit

cd httpd.hackit

# 不推荐切换branch 否则patch时会出现错误    
# git checkout -b 2.4.29 2.4.29

（不推荐）或者从archives上下载，不推荐的原因是configure.in和 examples patch脚本中的不匹配，所以不能使用。相关inssue 0b0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6Y4L8$3!0Y4L8r3g2Q4x3V1k6Z5L8$3&6Y4k6$3k6#2P5Y4A6Q4x3V1k6A6M7%4y4#2k6i4y4Q4x3V1j5J5x3K6R3`.

cd /root/Hackit/apache
wget e66K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3q4J5j5$3S2A6N6X3g2Q4x3X3g2S2M7r3q4U0K9r3g2Q4x3X3g2G2M7X3N6Q4x3V1k6V1K9i4y4@1i4K6u0r3K9s2c8@1M7r3c8Q4x3V1k6Z5N6s2c8H3k6q4)9J5k6o6u0Q4x3X3f1@1i4K6u0W2x3U0W2Q4x3X3g2@1j5i4u0Q4x3X3g2Y4P5R3`.`.
tar zxvf httpd-2.4.29.tar.gz
cd httpd-2.4.29

1. 同时下载相应的最新依赖包

cd /root/Hackit/apache

# download url 8e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3q4H3M7W2)9J5k6h3q4H3j5h3y4Z5k6g2)9J5k6h3!0J5k6#2)9J5c8X3c8G2N6$3&6D9L8$3q4V1i4K6u0W2j5$3N6A6
wget 470K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3c8#2M7#2)9J5k6h3q4H3j5h3y4Z5k6g2)9J5k6h3!0J5k6#2)9J5c8X3c8A6M7%4c8Q4x3V1k6Q4x3V1k6S2M7s2u0Q4x3V1k6S2M7s2u0Q4x3X3b7I4i4K6u0W2y4W2)9J5k6e0g2Q4x3X3g2@1j5i4u0Q4x3X3g2Y4P5R3`.`.
tar zxvf apr-1.6.5.tar.gz

# download url 
wget fd4K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3c8W2N6g2)9J5k6h3q4H3j5h3y4Z5k6g2)9J5k6h3!0J5k6#2)9J5c8X3c8A6M7%4c8Q4x3V1k6Q4x3V1k6S2M7s2u0Q4x3V1k6S2M7s2u0Q4x3X3c8#2N6r3W2D9i4K6u0V1x3g2)9J5k6e0k6Q4x3X3f1I4i4K6u0W2N6r3q4J5i4K6u0W2k6%4Z5`.
tar zxvf apr-util-1.6.1.tar.gz

# 下载地址 ba5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6F1k6$3S2@1N6s2l9J5i4K6u0r3L8X3N6Z5N6s2c8H3x3W2)9J5c8Y4u0W2L8r3g2S2M7$3g2K6i4K6u0r3
wget b50K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6F1k6$3S2@1N6s2l9J5i4K6u0r3L8X3N6Z5N6s2c8H3x3W2)9J5c8Y4u0W2L8r3g2S2M7$3g2K6i4K6u0r3k6r3!0%4L8X3I4G2j5h3c8Q4x3V1k6$3x3g2)9J5k6e0x3#2i4K6u0W2x3g2)9J5c8X3&6Y4K9s2c8@1M7o6u0Q4x3X3b7I4i4K6u0W2x3K6g2Q4x3X3f1I4i4K6u0W2N6r3q4J5i4K6u0W2k6%4Z5`.
tar zxvf nghttp2-1.35.1.tar.gz

# binary
sudo apt-get install libpcre3-dev

1. 开始编译

cd /root/Hackit/apache/httpd.hackit

# patch
patch -p1 < /root/Fuzz/honggfuzz.git/examples/apache-httpd/httpd-master.honggfuzz.patch

# change path and versions
vim hfuzz.compile_and_install.asan.sh
# HFUZZ_DIR="/root/Fuzz/honggfuzz.git"
# NGHTTP2_VER=1.35.1    


# start compile 
chmod u+x ./hfuzz.compile_and_install.asan.sh
export nproc=4
./hfuzz.compile_and_install.asan.sh

注意patch时一定要关注是否有相应的报错输出：

开始编译

编译成功：

启动apache看下效果，但是并没有启动起来。怀疑是由于patch了httpd导致的server已经不能正常运行了，只能通过honggfuzz来跑？

/root/Hackit/apache/dist/bin/apachectl start

0x03 开始fuzz

复制honggfuzz examples中的配置文件到apache的配置文件中：

cd /root/Hackit/apache/dist/conf
cp /root/Fuzz/honggfuzz.git/examples/apache-httpd/httpd.conf.h* ./

开始fuzz：

# 切换
cd /root/Fuzz/honggfuzz.git/examples/apache-httpd
# 开始fuzz
honggfuzz  -f corpus_http1 -w ./httpd.wordlist -- /root/Hackit/apache/dist/bin/httpd -DFOREGROUND -f  /root/Hackit/apache/dist/conf/httpd.conf.h1  ___FILE___

这里的httpd退出非常快，图中的exit with code 1是否是说这个fuzz是有效的呢？使用tcpdump抓包发现并没有数据传输，那么似乎并没有fuzz成功。
如何确定exit code 为1的原因呢？精力有限，欢迎讨论...

参考

1. 官网 ea5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2G2L8X3N6Y4k6Y4g2*7P5W2)9J5k6h3y4G2L8g2)9J5c8R3`.`.
2. honggfuzz漏洞挖掘技术深究系列 https://bbs.pediy.com/thread-247954.htm
3. git submodules 1d0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Q4x3X3c8K6j5$3#2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8$3!0C8i4K6u0r3P5X3S2Q4x3V1k6$3x3W2)9J5c8V1N6A6N6q4)9J5k6q4)9J5y4f1f1#2i4K6t1#2b7U0N6Q4x3U0g2m8y4g2)9J5y4f1f1#2i4K6t1#2z5o6g2Q4x3U0g2n7y4#2)9J5k6q4)9J5y4f1f1#2i4K6t1#2b7f1c8Q4x3U0f1&6x3q4)9J5y4f1f1$3i4K6t1#2b7e0S2Q4x3U0g2m8x3g2)9J5y4f1f1#2i4K6t1#2z5f1c8Q4x3U0f1&6y4H3`.`.
4. 9f2K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6c8N6h3W2U0K9K6M7H3x3q4)9J5c8W2q4#2K9h3y4C8y4K6l9H3i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8X3S2G2L8X3N6Y4k6Y4g2*7P5W2)9J5c8V1c8G2j5$3E0W2M7X3k6A6L8r3f1`.
5. 0caK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8X3@1H3i4K6g2X3x3K6M7^5z5o6j5@1x3U0W2Q4x3V1k6S2M7Y4c8A6j5$3I4W2i4K6u0r3k6r3g2@1j5h3W2D9M7#2)9J5c8U0M7&6y4U0b7K6x3o6M7^5
6. 473K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2C8j5h3&6U0L8r3!0#2k6q4)9J5k6h3y4F1i4K6u0r3j5%4g2J5k6r3g2J5i4K6u0r3j5i4m8S2j5$3S2W2i4K6u0r3z5e0p5J5y4K6x3`.

补充资料：

1. d1fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0D9L8$3N6Q4x3X3g2K6N6$3W2W2j5$3E0A6i4K6u0W2L8X3g2@1i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9I4i4K6u0r3k6Y4g2*7P5X3W2F1k6#2)9J5k6s2c8U0M7q4)9J5k6s2y4W2M7Y4k6W2M7Y4y4Q4x3X3g2Z5N6r3#2D9

[培训]科锐逆向工程师培训第53期2025年7月8日开班！