AFLTriage – Tool To Triage Crashing Input Files Using A Debugger
AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
- Supports binary targets with or without symbols/debugging information
- Source code and variables will be annotated in reports for context
Currently AFLTriage only supports GDB and has only been tested on Linux C/C++ targets. Note that AFLTriage does not classify crashes by potential exploitability. Accurate exploitability classification is very target and scenario specific and is best left to specialized tools and expert analysts.
Usage
Usage of AFLTriage is quite straightforward. You need your inputs to triage, an output directory for reports, and the binary and its arguments to triage.
```
[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 - Python 3.6.9 (default, Jan 26 2021, 15:33:00))
[+] Image triage cmdline: "./target_binary --option-one @@"
[+] Reports will be output to directory "reports"
[+] Triaging AFL directory fuzzing_directory/ (41 files)
[+] Triaging 41 testcases
[+] Using 24 threads to triage
[+] Triaging [41/41 00:00:02] [####################]
CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]
```
Similar to AFL, the @@ is replaced with the path of the file to be triaged. AFLTriage will take care of the rest.
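As an added example (not code from the AFLTriage project), a POSIX shell helper that gathers every crashes/ directory of an AFL sync directory into one -i list and emits the afltriage command with the target delimited by --, which is how the "-i cannot be the last argument" caveat above is handled in practice. The function names, the first_5_frames bucket choice and the AFL id:* crash file naming it relies on are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the AFLTriage project: build an afltriage
# command line over every crashes/ directory in an AFL sync directory
# (the layout afl-fuzz -M/-S instances write). Names are assumptions.
set -eu

# Print one "<fuzzer>/crashes" directory per line, skipping instances that
# have not produced a crash yet (AFL names crash files id:NNNNNN,...).
collect_crash_dirs() {
    sync_dir=$1
    for d in "$sync_dir"/*/crashes; do
        [ -d "$d" ] || continue
        if ls "$d"/id:* >/dev/null 2>&1; then
            printf '%s\n' "$d"
        fi
    done
}

# Print the afltriage invocation without running it. -i consumes every
# following value, so the target command is separated with "--" and @@
# marks where AFLTriage substitutes each testcase path.
build_triage_cmd() {
    sync_dir=$1; out_dir=$2; shift 2   # remaining args: target and its args
    dirs=$(collect_crash_dirs "$sync_dir")
    [ -n "$dirs" ] || { echo "no crashes found under $sync_dir" >&2; return 1; }
    printf 'afltriage -i'
    printf '%s\n' "$dirs" | while IFS= read -r d; do printf ' %s' "$d"; done
    printf ' -o %s --report-formats text,json' "$out_dir"
    printf ' --bucket-strategy first_5_frames --child-output --'
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}
```

Pipe the printed command into sh once it looks right, or swap the final printf for an exec.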
Building and Running
You will need a working Rust build environment. Once you have cargo and rust installed, building and running is simple:
```
cd afltriage-rs/
cargo run --help
<compilation>
    Finished dev [unoptimized + debuginfo] target(s) in 0.33s
     Running `target/debug/afltriage --help`
<AFLTriage usage>
...
```
Extended Usage
```
afltriage 1.0.0
Quickly triage and summarize crashing testcases

OPTIONS:
    -i <input>...
            A list of paths to a testcase, directory of testcases, AFL directory, and/or
            directory of AFL directories to be triaged. Note that this arg takes multiple
            inputs in a row (e.g. -i input1 input2...) so it cannot be the last argument
            passed to AFLTriage -- this is reserved for the command.
    -o <output>
            The output directory for triage report files. Use '-' to print entire reports
            to console.
    -t, --timeout <timeout>
            The timeout in milliseconds for each testcase to triage. [default: 60000]
    -j, --jobs <jobs>
            How many threads to use during triage.
        --report-formats <report_formats>...
            The triage report output formats. Multiple values allowed: e.g. text,json.
            [default: text] [possible values: text, json, rawjson]
        --bucket-strategy <bucket_strategy>
            The crash deduplication strategy to use. [default: afltriage]
            [possible values: none, afltriage, first_frame, first_frame_raw,
            first_5_frames, function_names, first_function_name]
        --child-output
            Include child output in triage reports.
        --child-output-lines <child_output_lines>
            How many lines of program output from the target to include in reports.
            Use 0 to mean unlimited lines (not recommended). [default: 25]
        --stdin
            Provide testcase input to the target via stdin instead of a file.
        --profile-only
            Perform environment checks, describe the inputs to be triaged, and profile
            the target binary.
        --skip-profile
            Skip target profiling before input processing.
        --debug
            Enable low-level debugging output of triage operations.
    -h, --help
            Prints help information
    -V, --version
            Prints version information

ARGS:
    <command>...
            The binary executable and args to execute. Use '@@' as a placeholder for the
            path to the input file or --stdin. Optionally use -- to delimit the start of
            the command.
```