Fuzzing 4

Snapshot fuzzing an email client

Introduction

Keeping to the theme of 2023, another post on fuzzing!

In this post I’ll walkthrough how to fuzz a popular email client in China, Coremail, using open source snapshot fuzzer wtf.

I’ll target Coremail version 3.0.7, which is about a year old at the time of writing because I have previously reversed it.

Reversing will not be covered in this post due to NDA, and its just lots of manual work with windbg ida and procmon.

The focus should not be on Coremail, but rather fuzzing in general.

do
    {
      if ( hFile == (HANDLE)-1i64 )
        break;
      NumberOfBytesRead = 0;
      if ( !ReadFile(hFile, ptr_to_readdata__cur, 0x400000u, &NumberOfBytesRead, 0i64) )
        break;
      v19 = (int)NumberOfBytesRead;
      if ( (int)NumberOfBytesRead <= 0 )
        break;
      v20 = weird_class_shit->pbyte30;
      if ( v20[88] )
        break;
    }
    while ( !(*(unsigned __int8 (__fastcall **)(_BYTE *))(*(_QWORD *)v20 + 16i64))(v20)
         && (*(int (__fastcall **)(_QWORD *, void *, __int64))(*weird_class_shit->pqword50 + 16i64))(
              weird_class_shit->pqword50,
              ptr_to_readdata__cur,
              v19) >= 0 );

We’ll be fuzzing the above snippet, which is a loop to read in an exported .eml file(essentially HTML) and processing it.

For example, it is responsible for URL decoding %09 to a tab. Such functions that perform heavy parsing are generally interesting targets for fuzzing.

However, we would face some issues if we approached it with regular fuzzing.

Why Snapshot Fuzzing?

First of all, the target code resides in the target executable, not a DLL.

Without source code, we can’t easily harness the program because LoadLibrary is unable to load another exe into the process space. We’ll have to write our own loader for that. Furthermore, our target code is just a snippet of the entire function, which we don’t want to fuzz for performance issues.

With snapshot fuzzing however, we can just snapshot the executable while it’s being ran normally and replace the eml file’s contents with our testcase in memory, then revert anytime we are satisfied.

Another reason is because the code snippet we want to fuzz is an object method. As we know with classes, global states get extremely complicated, and we’ll have to perform extensive reversing to call each involved class’s constructor and destructor every iteration, or risk the curse of 50% stability zzz

Snapshot fuzzing of course doesn’t face such issues.

Regarding the designs of a snapshot fuzzer, I’ll blog about it some other day.

Fuzzing Flow

We’ll take a snapshot right after the ReadFile call and feed it to the fuzzer.

The fuzzer will work like this:

1. Replace the file content and size in memory.
2. Freely execute and log coverage until second ReadFile.
3. Hit our breakpoint and revert, begin next iteration.

Cool. But we’ll have to take one limitation into consideration.

The open source fuzzer we’ll be using does not support device emulation. That means any access to disk, registry, network and such is going to fail terribly. Goodness gracious, even a print to screen is not going to coorperate.

We’ll therefore have to either use a ramdisk or write a filesystem/registry hook (https://github.com/Y3A/hook_fs) to satisfy the calls from memory, both of which have performance costs.

Luckily for us, our parser does not touch disk for any other reads, but it does log some data to a temporary file. Since the data is never read in the fuzz cycle, we can just hook the WriteFile call to return success without actually writing anything.

This is definitely something to consider when weighing which target function to pick. Always always use a tool like procmon to confirm what your target function is doing. Ideally we want to fuzz a pure modular parser function, but that depends highly on the quality of the code we are auditing. In a few years however I’ll expect lightweight, precise emulation fuzzers to exist for public use.

Initial Setup

To fuzz with wtf, we need a Hyper-V VM, which in turn means Windows Pro.(Actually not really, but the workflow is designed for Hyper-V)

According to the README, we’ll create a new Windows 11 VM with 4096mb of RAM and one virtual CPU. This is because wtf only creates one bochscpu backend(assuming we’re using bochs), and it makes everything easier.

We also need to turn off dynamic ram, turn off checkpoints and turn off secure boot.

After booting up, disable paging in the guest:
View Advanced System Settings->Advanced->Performance->Advanced->Virtual Memory->No Paging File

Since wtf does not support device emulation, we obviously can’t page in from disk.

An alternative is to use the author’s tool:
https://github.com/0vercl0k/lockmem

Now we can register an account and setup Coremail.

For the initial corpus, I just modified it off the welcome email from outlook, since it’s pretty complicated already.

wlc.eml:

From: Outlook Team <no-reply@microsoft.com>
To: fuzzer me <fuzzmetothemoon@outlook.com>
Subject: Welcome to your new Outlook.com account
Thread-Topic: Welcome to your new Outlook.com account
Thread-Index: AQHZXyV5zLNJPAo1HkWWPF5eaDsU6g==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Sat, 25 Mar 2023 22:24:14 +0800
Message-ID:
	<TYUPR01MB53810596CF7C52B6E613A8C5A6859@TYUPR01MB5381.apcprd01.prod.exchangelabs.com>
Content-Language: en-US
X-MS-Has-Attach: yes
X-Auto-Response-Suppress: All
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/related;
	boundary="_012_TYUPR01MB53810596CF7C52B6E613A8C5A6859TYUPR01MB5381apcp_";
	type="text/html"
MIME-Version: 1.0

--_012_TYUPR01MB53810596CF7C52B6E613A8C5A6859TYUPR01MB5381apcp_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<meta name=3D"ProgId" content=3D"Word.Document">
<meta name=3D"viewport" content=3D"width=3Ddevice-width" initial-scale=3D"1=
.0">
<style> @font-face { font-family: "wf_segoe-ui_normal"; src: local("Segoe U=
I"), local("Segoe WP"), url('https://r4.res.office365.com/owa/prem/fonts/se=
goeui-regular.woff') format('woff'), url('https://r4.res.office365.com/owa/=
prem/fonts/segoeui-regular.ttf') format('truetype'); } @font-face { font-fa=
mily: "wf_segoe-ui_semilight"; src: local("Segoe UI Semilight"), local("Seg=
oe WP Semilight"), url('https://r4.res.office365.com/owa/prem/fonts/segoeui=
-semilight.woff') format('woff'), url('https://r4.res.office365.com/owa/pre=
m/fonts/segoeui-semilight.ttf') format('truetype'); } </style><!--[if mso]>=
 <style>  body, table, td {font-family: 'Segoe UI', Arial, Helvetica, sans-=
serif !important;} .headline-text { font-size: 17px; line-height: 125%; mso=
-line-height-rule: exactly; text-align: center; color: #676767; }  .discove=
r-text { margin-top: 21px; padding-bottom: 44px; font-size: 14px; line-heig=
ht: 115%; mso-line-height-rule: exactly; color: #676767; } .feature-text { =
margin-top: 16px; font-size: 14px; line-height: 115%; mso-line-height-rule:=
 exactly; color: #676767;  }  </style>  <![endif]--><!--[if !mso]><!-- --><=
style> .headline-text { font-size: 17px; line-height: 1.76; text-align: cen=
ter; color: #676767; }  .discover-text { margin-top: 21px; padding-bottom: =
44px; font-size: 14px; line-height: 1.76; color: #676767; } .feature-text {=
 margin-top: 16px; font-size: 14px; line-height: 1.86; color: #676767;  }  =
</style><!--<![endif]--><style> table { border-collapse: collapse; } .headl=
ine-header { margin-top: 7px; font-size: 42px; font-weight: 300; text-align=
: center; color: #222222; } .header-font { font-family: 'Segoe UI Semilight=
', 'Segoe WP Semilight', 'wf_segoe-ui_semilight', 'Segoe UI ', Arial, Helve=
tica; } .text-font { font-family: 'Segoe UI', 'wf_segoe-ui_normal', Arial, =
Helvetica;  } .discover-header { margin-top: 18px; font-size: 24px; font-we=
ight: 300; color: #222222; }  .feature-header { font-size: 24px; font-weigh=
t: 300; color: #222222; }  .feature-link { color: #0e61ca;  text-decoration=
: none; } .app-img { width: 157px; height:auto; text-align: center; min-wid=
th: 130px; } .mslogo { margin-top: 20px; width: 114px; height: 25px; } .foo=
ter-link-text { opacity: 0.8; font-size: 12px; color: #5a5a5a; } .footer-li=
nk { color: #5a5a5a; } </style>
</head>
<body>
<center>
<table role=3D"presentation" style=3D"width: 600px;border-collapse: collaps=
e;" cellspacing=3D"0" cellpadding=3D"0" bgcolor=3D"#ffffff">
<tbody>
<tr role=3D"presentation">
<td role=3D"presentation" style=3D"width:100%;"><img src=3D"cid:colors-top"=
 alt=3D"" role=3D"presentation">
</td>
</tr>
</tbody>
</table>
</center>
</body>
</html>

--_012_TYUPR01MB53810596CF7C52B6E613A8C5A6859TYUPR01MB5381apcp_
Content-Type: image/png; name="colors.png"
Content-Description: colors.png
Content-Disposition: inline; filename="colors.png"; size=5486;
	creation-date="Sat, 25 Mar 2023 14:24:13 GMT";
	modification-date="Sat, 25 Mar 2023 14:24:13 GMT"
Content-ID: <colors>
Content-Transfer-Encoding: base64

aaa
--_012_TYUPR01MB53810596CF7C52B6E613A8C5A6859TYUPR01MB5381apcp_

Remember to keep the filesize relatively small(around 1kb is ideal). Otherwise the fuzzer might be wasting time on mutating useless data.

Create a new target directory under wtf-main/targets and save this file in the inputs folder.

The target directory should contain these folders:

Now we’re ready to attach a kernel debugger to take a snapshot.

Taking the snapshot

On the guest system, open up an admin command prompt and run:

bcdedit /debug on
bcdedit /dbgsettings net hostip:10.10.10.5 port:50000 key:a.b.c.d

Replace with your host's IP.

Now on your host, run WinDbg

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" /k net:port=50000,key=a.b.c.d -c

This allows us to perform network kernel debugging.
Note: Your target has to be at least Windows 8. Use serial debugging for anything lower.

After a reboot of the guest, WinDbg should be attached.

Before we snapshot, we need to make sure all bytes of any DLL the program loads is paged in and loaded. If the program uses lazy loading, some DLLs might not be fully mapped in the process space, and will lead to pagefaults when fuzzing with wtf.

We’ll use the command line debugger in the guest to do so:

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -pn cmclient.exe

One way to do it is just to touch all bytes of the DLL address space.

You can do it manually:

0:036> lm o
start             end                 module name
00007ff6`6a160000 00007ff6`6ba04000   CMClient   (deferred)
00007ffc`92520000 00007ffc`9c206000   libcef     (deferred)
00007ffc`bc410000 00007ffc`bc431000   nlansp_c   (deferred)
00007ffc`bc5d0000 00007ffc`bc5ec000   credui     (deferred)
00007ffc`bc5f0000 00007ffc`bc615000   dxva2      (deferred)
00007ffc`bc7d0000 00007ffc`bc7e9000   USP10      (deferred)
00007ffc`c4c40000 00007ffc`c4dba000   sapi       (deferred)
00007ffc`c6270000 00007ffc`c6419000   d3d9       (deferred)
00007ffc`c6420000 00007ffc`c654f000   chrome_elf   (deferred)
00007ffc`c9250000 00007ffc`c925e000   atlthunk   (deferred)
00007ffc`cfc30000 00007ffc`cfc64000   WINMM      (deferred)
<...>

0:036> dq 00007ff6`6a160000 00007ff6`6ba04000

or using a script:

from pykd import dbgCommand

for m in dbgCommand("lm o").split("\n")[1:-1]:
    print(f"On {m.split(' ')[4]}")
    try:
        dbgCommand(f"dq {m.split(' ')[0]} {m.split(' ')[1]}")
        
    except:
        pass

0:037> .load "C:\\Users\\User\\Desktop\\pykd.dll"
0:037> !py "C:\\Users\\User\\Desktop\\touchbytes.py"

In the process above, remember to save the base address where our target function lives in. In my case, that’s the base address of CMClient.

Now we can exit the command line debugger:

0:036> qd

To set a usermode breakpoint in kernel debugger, we have to switch to the target process invasively.
WinDbg commands will not be covered here as it’s assumed to be a pre-requisite!

kd> !process 0 0 cmclient.exe
PROCESS ffffd50ba83350c0
    SessionId: 2  Cid: 1978    Peb: 4f2563d000  ParentCid: 1324
    DirBase: 5549b000  ObjectTable: 00000000  HandleCount:   0.
    Image: CMClient.exe

PROCESS ffffd50bab4c60c0
    SessionId: 2  Cid: 18d8    Peb: 4774584000  ParentCid: 1324
FreezeCount 1
    DirBase: 5d7bc000  ObjectTable: ffffe5088c2b4c00  HandleCount: 772.
    Image: CMClient.exe


kd> .process /i ffffd50bab4c60c0
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`26c333e0 cc              int     3
kd> bp /p ffffd50bab4c60c0 7ff6`6a160000+0x5fb190
kd> g

My target code resides at an offset of 0x5fb196 into CMClient.exe(after ReadFile), but I’ll break at 0x5fb190 to capture the arguments to ReadFile.

After we load the eml file into Coremail, kd will break and we can extract the arguments.

kd> g
Breakpoint 0 hit
0033:00007ff6`11b0b190 ff15ca57ba00    call    qword ptr [00007ff6`126b0960]
kd> u
00007ff6`11b0b190 ff15ca57ba00    call    qword ptr [00007ff6`126b0960] <-- ReadFile IAT
00007ff6`11b0b196 85c0            test    eax,eax
00007ff6`11b0b198 7430            je      00007ff6`11b0b1ca
00007ff6`11b0b19a 48635dd7        movsxd  rbx,dword ptr [rbp-29h]
00007ff6`11b0b19e 85db            test    ebx,ebx
00007ff6`11b0b1a0 7e28            jle     00007ff6`11b0b1ca
00007ff6`11b0b1a2 488b4f30        mov     rcx,qword ptr [rdi+30h]
00007ff6`11b0b1a6 80795800        cmp     byte ptr [rcx+58h],0

In particular, we are interested in argument 2 and 4, which is the buffer to store the read, and the pointer to the number of bytes read.

kd> r rdx
rdx=000001c26a702040
kd> r r9
r9=000000a2f14fe860

After saving these addresses somewhere, step over the call and take a dump :p

kd> bc *
kd> .scriptload "C:\Users\chenl\Desktop\hacking\tools\bdump-master\bdump.js"
[bdump] Usage: !bdump "C:\\path\\to\\dump"
[bdump] Usage: !bdump_full "C:\\path\\to\\dump"
[bdump] Usage: !bdump_active_kernel "C:\\path\\to\\dump"
[bdump] This will create a dump directory and fill it with a memory and register files
[bdump] NOTE: you must include the quotes and escape the backslashes!
JavaScript script successfully loaded from 'C:\Users\chenl\Desktop\hacking\tools\bdump-master\bdump.js'
kd> !bdump_full "C:\\Users\\chenl\\Desktop\\hacking\\tools\\wtf-main\\targets\\cmclient\\state"
[bdump] creating dir...
[bdump] saving regs...
[bdump] register fixups...
[bdump] don't know how to get mxcsr_mask or fpop, setting mxcsr_mask to 0xffbf and fpop to zero...
[bdump]
[bdump] don't know how to get avx registers, skipping...
[bdump]
[bdump] tr.base is not cannonical...
[bdump] old tr.base: 0xffffffff83d96000
[bdump] new tr.base: 0xfffff80583d96000
[bdump]
[bdump] rip and gs don't match kernel/user, swapping...
[bdump] rip: 0x7ff611b0b196
[bdump] new gs.base: 0xa2f0d67000
[bdump] new kernel_gs_base: 0xfffff8057b718000
[bdump]
[bdump] non-zero IRQL in usermode, resetting to zero...
[bdump] saving mem, get a coffee or have a smoke, this will probably take around 10-15 minutes...
[bdump] Creating C:\Users\chenl\Desktop\hacking\tools\wtf-main\targets\cmclient\state\mem.dmp - Full kernel dump
[bdump] 0% written.
[bdump] 5% written. 35 sec remaining.
[bdump] 10% written. 26 sec remaining.
[bdump] 15% written. 25 sec remaining.
[bdump] 20% written. 23 sec remaining.
[bdump] 25% written. 21 sec remaining.
[bdump] 30% written. 20 sec remaining.
[bdump] 35% written. 18 sec remaining.
[bdump] 40% written. 17 sec remaining.
[bdump] 45% written. 15 sec remaining.
[bdump] 50% written. 14 sec remaining.
[bdump] 55% written. 13 sec remaining.
[bdump] 60% written. 11 sec remaining.
[bdump] 65% written. 10 sec remaining.
[bdump] 70% written. 8 sec remaining.
[bdump] 75% written. 7 sec remaining.
[bdump] 80% written. 5 sec remaining.
[bdump] 85% written. 4 sec remaining.
[bdump] 90% written. 2 sec remaining.
[bdump] 95% written. 1 sec remaining.
[bdump] Wrote 4.0 GB in 29 sec.
[bdump] The average transfer rate was 141.2 MB/s.
[bdump] Wrote 4584 pages of 0xdeadfeed into this dump file for memory that could not be
[bdump] read successfully by the kernel memory manager.  The kernel memory manager can
[bdump] not read pages that have a held page lock, are on the failed memory page list,
[bdump] or which have been hot removed from the system.
[bdump] Dump successfully written
[bdump] done!
@$bdump_full("C:\\Users\\chenl\\Desktop\\hacking\\tools\\wtf-main\\targets\\cmclient\\state")

Here I used https://github.com/yrp604/bdump , which is recommended in the README of wtf.

Writing a fuzzer module

wtf allows us to fuzz arbitrary targets by extending its source code. For every new target we have to write a new fuzzer module that tells the fuzzer how to behave.

They are generally straightforward to write, and we can modify the given examples (https://github.com/0vercl0k/wtf/blob/main/src/wtf/fuzzer_hevd.cc and https://github.com/0vercl0k/wtf/blob/main/src/wtf/fuzzer_tlv_server.cc).

Below is the fuzzer module for cmclient:

#include "backend.h"
#include "targets.h"
#include <fmt/format.h>
#include "crash_detection_umode.h"

#define MAX_LEN 8000

namespace fs = std::filesystem;

namespace Cmclient {

constexpr bool LoggingOn = false;

template <typename... Args_t>
void DebugPrint(const char *Format, const Args_t &...args) {
  if constexpr (LoggingOn) {
    fmt::print("Cmclient: ");
    fmt::print(fmt::runtime(Format), args...);
  }
}

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
  if (BufferSize > MAX_LEN) {
    return false;
  }

  uint32_t BufferSizeCpy = BufferSize;

  const Gva_t BufferPtr = Gva_t(0x1c26a702040);
  const Gva_t BufferSizePtr = Gva_t(0xa2f14fe860);

  if (!g_Backend->VirtWriteDirty(BufferSizePtr, (uint8_t *)&BufferSize,
                                 sizeof(uint32_t))) {
    DebugPrint("Write size failed\n");
    return false;
  }

  if (!g_Backend->VirtWriteDirty(BufferPtr, Buffer,
                                 BufferSizeCpy)) {
    DebugPrint("Write buffer failed\n");
    return false;
  }

  return true;
}

bool Init(const Options_t &Opts, const CpuState_t &) {
  //
  // Stop the test-case once we return back from the call
  //
  const Gva_t AfterCall = Gva_t(0x7ff611510000 + 0x5fb190);
  if (!g_Backend->SetBreakpoint(AfterCall, [](Backend_t *Backend) {
        DebugPrint("Finish processing\n");
        Backend->Stop(Ok_t());
      })) {
    DebugPrint("Failed to SetBreakpoint AfterCall\n");
    return false;
  }

    if (!g_Backend->SetBreakpoint("nt!DbgPrintEx", [](Backend_t *Backend) {
        const uint32_t towrite = Backend->R8();
        const Gva_t ptr_write_addr = Gva_t(Backend->R9());

        const Gva_t FormatPtr = Backend->GetArgGva(2);
        const std::string &Format = g_Backend->VirtReadString(FormatPtr);
        DebugPrint("DbgPrintEx: {}", Format);
        Backend->SimulateReturnFromFunction(0);
      })) {
    DebugPrint("Failed to SetBreakpoint DbgPrintEx\n");
    return false;
  }

  //
  // Simulate WriteFile
  //
  if (!g_Backend->SetBreakpoint("Kernel32!WriteFile", [](Backend_t *Backend) {
        const uint64_t towrite = Backend->R8();
        const Gva_t ptr_write_addr = Gva_t(Backend->R9());
        if (!Backend->VirtWriteDirty(ptr_write_addr, (uint8_t *)&towrite,
                                 sizeof(uint32_t))) {
            DebugPrint("Write lpNumberOfBytesWritten failed\n");
        }
        Backend->SimulateReturnFromFunction(1);
      })) {
    DebugPrint("Failed to SetBreakpoint WriteFile\n");
    return false;
  }

  //
  // Catch umode exceptions
  //
  if (!SetupUsermodeCrashDetectionHooks()) {
    fmt::print("Failed to SetupUsermodeCrashDetectionHooks\n");
    return false;
  }

  return true;
}

//
// Register the target.
//

Target_t Cmclient("cmclient", Init, InsertTestcase);

} // namespace Cmclient

We instruct the fuzzer to only accept testcases of maximum length 8000, and write the testcase and size to the addresses we captured previously using WinDbg.

We also tell the fuzzer to revert after hitting the breakpoint(second ReadFile), and fake calls to WriteFile.

At this point, we can compile wtf and begin fuzzing.

Fuzz away!

server.bat:

"C:\Users\chenl\Desktop\hacking\tools\wtf-main\src\build\wtf.exe" master --max_len=8000 --runs=100000000000000 --name cmclient --target .

client_run.bat:

"C:\Users\chenl\Desktop\hacking\tools\wtf-main\src\build\wtf.exe" run --name cmclient --state state --backend=bochscpu --limit 10000000 --input inputs\wlc.eml --trace-type=rip

client_fuzz.bat:

"C:\Users\chenl\Desktop\hacking\tools\wtf-main\src\build\wtf.exe" fuzz --name cmclient --backend=bochscpu --limit 10000000

wtf supports parallel fuzzing by starting a server, which accepts TCP connections from one or more clients. The clients will perform the actual fuzzing, and send the results to the server for synchronisation.

We first spin up a server by running server.bat, then run client_run.bat to perform a dry run.

Along with symbolizer(https://github.com/0vercl0k/symbolizer), we can verify PC traces of the run to make sure it didn’t crash somewhere unintended. This works much better if we had actual pdb symbols.

Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Trace file C:\Users\chenl\Desktop\hacking\tools\wtf-main\targets\cmclient\wlc.eml.trace
Running inputs\wlc.eml
--------------------------------------------------
Run stats:
Instructions executed: 634.5k (9.3k unique)
          Dirty pages: 380.0kb
      Memory accesses: 1.9mb
       Edges executed: 0.0 (0.0 unique)
#1 cov: 9256 exec/s: 1.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 0 uptime: 1.0s

<...>
CMClient+0x5fb178
CMClient+0x5fb17a
CMClient+0x5fb17e
CMClient+0x5fb183
CMClient+0x5fb187
CMClient+0x5fb18d
CMClient+0x5fb190

The traces look good, and we hit the breakpoint as expected.

Now we can run the actual client_fuzz.bat.

Immediately after running, the fuzzer finds new testcases to store, which is usually a great sign.

Now we can scale it up and wait for time to work its magic.
I’m planning to run 13 nodes for a week, which takes up about 65% of CPU so I can still play fifa :p

Conclusion

Snapshot fuzzing is a really creative invention, and it’s a great improvement to oldschool fuzzing in terms of stability and ease of use. Apart from wtf, other public snapshot fuzzers include nyx-fuzz, which is more heavyweight and requires a dedicated VM to run. However, it does support full system emulation like some of the private toolings used in big companies, which is super neat.

In this article I used wtf with bochscpu as an emulator, which is the slowest(but most accurate) of all 3. Running 13 nodes gives me around 390 execs per second. An exercise for the reader will be to run their fuzzer on a KVM backend, which is said to give 100x speed improvements for the same specs. That’s insane! But to achieve that you’ll probably have to rent a baremetal server for a couple of weeks, which can be costly.

Finally, it’s important to note that fuzzing is an iterative process. This is just the beginning, and we have to go through more rounds of checking coverage, editing the module, getting new corpuses or even finding new target functions in order to comprehensively assess the target.

I’ll update above if a bug does occur after a week of fuzzing.

..