Friday, 10 February 2017

Running AFL on Bash for Windows

Recently I wrote about using Virtual Machine Manager in Bash on Windows (or Windows Subsystem for Linux aka "WSL"), and since then I have been playing around with getting other utilities I use in a native Linux environment.

One utility is American Fuzzy Lop (AFL), a fuzzing tool for finding vulnerabilities within Linux ELF binaries. It has since been ported to fuzz Windows PE binaries natively, but since we're able to run ELF binaries within WSL, why not fuzz them too?

If you're running Bash on Windows and have tried to compile AFL before, you probably have run into this problem:

shmget() failed

This error results from WSL having limitations on shared memory--specifically the lack of /dev/shm. By default, AFL will outright refuse to compile because these system functions simply do not exist.

One of the most recent builds of Bash on Windows adds the shared-memory functions that AFL requires in order to compile, along with support for the following shared-memory syscalls, which are widely used by a number of Linux tools including PostgreSQL:

  • shmctl
  • shmget
  • shmdt
  • shmat

The catch here is that the mainline Windows 10 version of WSL has yet to be updated with this change, so you must be in the Windows Insider program in order to get these functions. Once you've enrolled and have updated, you can confirm the version of WSL by checking the kernel version reported by uname.

If you're up to date you should see this version:

Linux mycomputer 4.4.0-43-Microsoft #1-Microsoft Wed Dec 31 14:42:53 PST 2014 x86_64 x86_64 x86_64 GNU/Linux

If you're not up to date then it'll show the following:

Linux mycomputer 3.4.0+ #1 PREEMPT Thu Aug 1 17:06:05 CST 2013 x86_64 x86_64 x86_64 GNU/Linux

Assuming you're successful you should be able to follow the instructions provided by AFL and begin fuzzing.
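Beyond checking uname, a more direct way to confirm that the kernel side is really there is to exercise the same four calls afl-fuzz makes when it sets up its coverage bitmap (shmget, shmat, shmdt, shmctl) in a tiny stand-alone program. This is an added example written for this post, not code from AFL itself; the 64 KB segment size mirrors AFL's default MAP_SIZE, and on a WSL build without the syscalls you should see the same "shmget() failed" message that AFL prints.

```c
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define MAP_SIZE (1 << 16)  /* 64 KB, the size of AFL's default coverage bitmap */

/* Run through the SysV shared-memory calls in the order afl-fuzz uses them:
   create a private segment, attach it, touch every byte, detach, remove it.
   Returns 0 on success, or a small positive code naming the call that failed. */
int shm_self_test(void) {
    int shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);
    if (shm_id < 0) { perror("shmget() failed"); return 1; }

    unsigned char *trace_bits = shmat(shm_id, NULL, 0);
    if (trace_bits == (void *)-1) {
        perror("shmat() failed");
        shmctl(shm_id, IPC_RMID, NULL);
        return 2;
    }

    /* Write a pattern and read it back so we know the mapping is real memory,
       not just a successful-looking return value. */
    memset(trace_bits, 0xA5, MAP_SIZE);
    int ok = (trace_bits[0] == 0xA5 && trace_bits[MAP_SIZE - 1] == 0xA5);

    if (shmdt(trace_bits) != 0) {
        perror("shmdt() failed");
        shmctl(shm_id, IPC_RMID, NULL);
        return 3;
    }
    /* IPC_RMID marks the segment for deletion; AFL does the same on exit. */
    if (shmctl(shm_id, IPC_RMID, NULL) != 0) { perror("shmctl() failed"); return 4; }

    return ok ? 0 : 5;
}

int main(void) {
    int rc = shm_self_test();
    if (rc == 0)
        puts("SysV shared memory works here; afl-fuzz should get past its shm setup.");
    else
        puts("SysV shared memory is not usable in this WSL build; update via the Insider program.");
    return rc;
}
```

Compile with `gcc -o shmtest shmtest.c` and run it; a non-zero exit status tells you which call is missing before you spend time on AFL's own build.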

I'm still testing it out but at least we now know that it should compile and run fine on the surface. You will notice that the way the screen is drawn looks a bit wonky while it is running.

One thing I feel the need to add is if you're using an SSD, AFL is definitely a great way to reduce the lifespan of your drive. Instead, I recommend creating a RAM disk within Windows and then accessing it normally. I have tested ImDrive and it works just fine within WSL.