Kind of a side note, but I really hate how many relatively important discussions happen on Discord these days instead of forums... They aren't indexed/searcchable by search engines or archived by archive services, so they're just gone forever.
Yeah, you raised an important point. But how do we correct such trend ? I mean how do we keep discussions in forums instead of discord servers? Really, great things are being discussed over there in different discord servers but end up being only for the members participating in the servers
@@huzaifamuhammad8044 I don't know if there's any way to fix it. It's kinda like IRC was back in the day. People want limited, non-public communities.... Also, several companies moved their support forums to Discord which is even worse... Then every time you're looking for a solution to a technical problem, you can't find it and have to join some discord, then ask a question which has probably been asked/answered a bunch of times already. Maybe Discord should be pressured to index/archive conversations and make them searchable? Maybe as an option for server owners? I don't know
@@SandWire Not a bad idea for individual servers/channels. I remember I wrote a little bot to do essentially the same thing on IRC back in the day. That was back in like... 1998-1999 maybe, and those conversations are still online!
This was a good overview, but the second approach shows why it's always super important to make the small changes needed in example programs to use afl-clang-fast. You could have done a months worth of your current approach in a day with the speedup. It's going to be very difficult to ever find something at 100 execs/sec.
The second approach was fuzzing one function directly, the first one was fuzzing the full binary. So you cannot really compare the two, very different scopes :)
@@LiveOverflow I understand that, but your response indicates that you are missing the relevant point. You can do the same thing as in the second one by modifying dwebp. I guarantee similar speed. The scope of dwebp isn't much more than a few function calls. It was fast due to persistent mode, not because it was smaller.
Very good video. When you try to subscribe to the hextree updates and do not mark the "I accept and read the privacy policy" there is no feedback for not checking the checkbox. Only in the developer tools I was able to see my mistake.
Curious how oss fuzz is doing stuff at their scale and budget. Finding target functions for individual fuzzing like the Huffman table function, while at the same time having input that maps cleanly back into the source input file
That's interesting. I guess you'd have to read the webp spec to see how the image data translates into building those tables, then go from there. It might require so many combinations of data that doing it naively would end up as a hard as finding a hash collision or brute force decrypting. On another note, and it's a long shot, does anyone know a utility that can load a thread binary image so that it can be 'debugged'. It's something I do not want to run freely, and it is obfuscated so needs to run only as far as the obfuscation is removed, then dumped, and then terminated. I was thinking the bare minimum that loads the thread but throws an error before it runs for a debugger to catch. That way it would never run without the debugger ready to catch it. Extremely simple, but I cannot program 'C, C++, C#, and etc,' and can only do a small amount of Python so far. The thread needs whatever windows has ready for it on the stack in normal operation (0x18 bytes worth it looks like from the disassembly) - there is no input from the original hosting program.
so would you say that the PoC file that cause the crash actually is a valid format ? no malformed sizes no malformed data but the processing of the data tables will cause a representation that will cause later a corruption in the decoder of libweb ?
i wonder if this could full reproduce with AFLgo ? as AFLgo can take 2 diff of checkouts and direct fuzz ... i wonder if this would have reproduce this complex bug .. i know its "defacto" and not actually finding the issue... still interesting ..
In the end, fuzzing is supporting tool, but cannot test things for developers "magically". So at this point, there needs to have some knowledge and experience on how (and what) to fuzz, just like pentesting
Thankyou For the video, I believe you are using a MacBook, what precautions you are taking to not burn out the SSD, are you mapping temp folder to memory drive? Just curious
@22:50 are you quite sane? Avoiding code duplication improves readability and maintainability. Why would you copy the same code into 5 different functions, just to make fuzzing easier?
I had been watching your content for almost 10 years now. I really love it, but I have to be honest every time I watch any of your videos I feel really dumb because unlike most youtuber your craft is just way too high level. I really like what you can do with this tool and is something I would like to learn how to use since im the cybersecurity field. would you mind dumb things down a lit?Like making a tutorial on this tool, like how to properly set it up, then picking a random program to test it on?
It's always nice to see a pocke level that's more conventional, because they do them so well, as much as their experimental stuff is impressive, I was never a massive fan of it.
Question for the greater cyber sec community. How applicable is binary fuzzing to your work? This is something that I really want to get into but seems like it is far from applicable in my work so far.
I do security audits of mostly web application. Once in a while you get clients with cgi .c or other embedded tools and server stuff. So it's not common. But I want to be able to also do good work in those cases ;)
I had situations where memory corruption cause a major problem which we supposed should not happen. After investigating with tombstone logs and fuzzying we found that there was a race conditions caused by a defective driver
1:45AM HUFO here: Fuzzing is dumb, the moral should not be duplicate your code to make it more secure and the way they found the vuln was reading the code and understanding an attacker's input can go to the function where an assumption on it would be incorrect.
Please Help!!!! Are new Mac's with new M series apple chips good for binary exploitation, android and windows pentesting? Because i heard that you have to a wrok arounds to run like kali linux, also some essential tools not designed to work on these new architecture M chips.
it's good if you want to do mac (arm) exploitation. obviously not so great when you want to learn linux (x86) exploitation. in this case I also did the fuzzing setup on mac, but the actual fuzzing I did on a linux x86 server.
@@LiveOverflow Can you share more insights on this? It seems you had used docker container on your Mac M1 machine or did you use a cloud linux server and launched your container there? I think there are not many good resources for aspiring vulnerability researchers out there on what is a good setup for binary research for Linux binaries if your base is Macbook M chips. Also, another question - do you think using a cloud service like AWS with a high performance EC2 Instance would speed up the fuzzing process given that it has more cores / RAM available than running on your local linux computer?
Here's a challenge - Create a distributed fuzzing client. One person fuzzing for 100 days? Naa. 100 people fuzzing for 1 day? Way easier. 10,000 people fuzzing for awhile? Should find SOMETHING :p
I don't get it. Why are so many security-aware people using discord? Its such an awfully bad choice in the scope of communicating with integrity, confidentiality and availability. Someone please enlighten me.
after doing deep investigation on the code and what you have fuzzed , your choice of fuzzing that API is useless . this doesn't have any understanding between your crash and to the original data that is from the file , the data transformation is what you have fuzzed and to get the needed data to put in a file require to find what is the de-transformation that is needed in order to put it back into a file.
its just a process of doing random stuff on the application to see ash or do some weird things it was not intended to with aim of analysing what causes the crash so tha you can weaponize that and attack the applications that is how i understand it hopefully it helps
Kind of a side note, but I really hate how many relatively important discussions happen on Discord these days instead of forums... They aren't indexed/searcchable by search engines or archived by archive services, so they're just gone forever.
fully agree :(
Yeah, you raised an important point. But how do we correct such trend ? I mean how do we keep discussions in forums instead of discord servers?
Really, great things are being discussed over there in different discord servers but end up being only for the members participating in the servers
@@huzaifamuhammad8044 I don't know if there's any way to fix it. It's kinda like IRC was back in the day. People want limited, non-public communities.... Also, several companies moved their support forums to Discord which is even worse... Then every time you're looking for a solution to a technical problem, you can't find it and have to join some discord, then ask a question which has probably been asked/answered a bunch of times already.
Maybe Discord should be pressured to index/archive conversations and make them searchable? Maybe as an option for server owners? I don't know
Discord bot reposting every message from channel to forum?
@@SandWire Not a bad idea for individual servers/channels. I remember I wrote a little bot to do essentially the same thing on IRC back in the day. That was back in like... 1998-1999 maybe, and those conversations are still online!
This was a good overview, but the second approach shows why it's always super important to make the small changes needed in example programs to use afl-clang-fast. You could have done a months worth of your current approach in a day with the speedup. It's going to be very difficult to ever find something at 100 execs/sec.
The second approach was fuzzing one function directly, the first one was fuzzing the full binary. So you cannot really compare the two, very different scopes :)
@@LiveOverflow I understand that, but your response indicates that you are missing the relevant point. You can do the same thing as in the second one by modifying dwebp. I guarantee similar speed. The scope of dwebp isn't much more than a few function calls. It was fast due to persistent mode, not because it was smaller.
love to see that you are still wearing the ccc entrance band 😄 was nice meeting you there!
thank you for your crystal clear explanation
Very good video.
When you try to subscribe to the hextree updates and do not mark the "I accept and read the privacy policy" there is no feedback for not checking the checkbox. Only in the developer tools I was able to see my mistake.
Dein Content und dein Kanal sind genial! Wie immer absolut krasses Video!
I love your fuzzing videos!
A Crowdstrike desaster deep dive would be a nice comeback video. Just saying 😜
at minute 21:04 there is a mistake in the graphics. it should be 520>500 and not 520>410, which was the input value from before
Where is Mr Live Of?
Has a letter agency taken him out as he was just about to reveal their under cover operation?
Bruh, are you alive? Waiting for your video on something for about a month now.
amazing. deep respect from South korea, man
You mean China?
love you man
Is this what they call unit fuzzing?
excellent video and well explained as always🙏👏👏👏
Only i know how much i have waited for this video to be released
Vanhauser-thc is the author of hydra tool?
Yes the one and only
He the author of AFL++ too, basically
Curious how oss fuzz is doing stuff at their scale and budget. Finding target functions for individual fuzzing like the Huffman table function, while at the same time having input that maps cleanly back into the source input file
This was great!
At 21:04 there probably should be 500 instead of 410.
But thanks for the great video.
Can you share the discord server that you found about AFL fuzzing?
Rocks as always
That's interesting. I guess you'd have to read the webp spec to see how the image data translates into building those tables, then go from there. It might require so many combinations of data that doing it naively would end up as a hard as finding a hash collision or brute force decrypting.
On another note, and it's a long shot, does anyone know a utility that can load a thread binary image so that it can be 'debugged'. It's something I do not want to run freely, and it is obfuscated so needs to run only as far as the obfuscation is removed, then dumped, and then terminated. I was thinking the bare minimum that loads the thread but throws an error before it runs for a debugger to catch. That way it would never run without the debugger ready to catch it. Extremely simple, but I cannot program 'C, C++, C#, and etc,' and can only do a small amount of Python so far. The thread needs whatever windows has ready for it on the stack in normal operation (0x18 bytes worth it looks like from the disassembly) - there is no input from the original hosting program.
so would you say that the PoC file that cause the crash actually is a valid format ? no malformed sizes no malformed data but the processing of the data tables will cause a representation that will cause later a corruption in the decoder of libweb ?
How does AFL++ compare to libfuzzer from the llvm project? Could be a nice video.
Hans, where are you? We miss you. Come back.
a really good video, i am also making content with ctf broo. Thank you for your knowledge
i wonder if this could full reproduce with AFLgo ? as AFLgo can take 2 diff of checkouts and direct fuzz ... i wonder if this would have reproduce this complex bug .. i know its "defacto" and not actually finding the issue... still interesting ..
In the end, fuzzing is supporting tool, but cannot test things for developers "magically".
So at this point, there needs to have some knowledge and experience on how (and what) to fuzz, just like pentesting
Overflow?
Thankyou For the video, I believe you are using a MacBook, what precautions you are taking to not burn out the SSD, are you mapping temp folder to memory drive? Just curious
guess I missed you at the CCC
afl++ is way harder than we think 😑😓
@22:50 are you quite sane? Avoiding code duplication improves readability and maintainability. Why would you copy the same code into 5 different functions, just to make fuzzing easier?
You don’t have to copy the complete logic. Just create a wrapper function for each color's huffman table.
next video whennnnnn!!!!!!!!!!!!!!!
@@20cmusic Did he say that explicitly?
I wish you did more minecraft stuff. that was fun and kinda why i subbed to you xD ... i mean either way your videos are great !
What happens if you use qsym/hybrid fuzzing techniques? I read the paper (well, most part) about it and it claims *speed*
I had been watching your content for almost 10 years now. I really love it, but I have to be honest every time I watch any of your videos I feel really dumb because unlike most youtuber your craft is just way too high level. I really like what you can do with this tool and is something I would like to learn how to use since im the cybersecurity field. would you mind dumb things down a lit?Like making a tutorial on this tool, like how to properly set it up, then picking a random program to test it on?
It's always nice to see a pocke level that's more conventional, because they do them so well, as much as their experimental stuff is impressive, I was never a massive fan of it.
Cool stuff
Question for the greater cyber sec community. How applicable is binary fuzzing to your work? This is something that I really want to get into but seems like it is far from applicable in my work so far.
I do security audits of mostly web application. Once in a while you get clients with cgi .c or other embedded tools and server stuff. So it's not common. But I want to be able to also do good work in those cases ;)
There is plenty of way to fuzz binary target. You can statically instrument them, or fuzz them without instrumentation with tool such as Radamsa
I had situations where memory corruption cause a major problem which we supposed should not happen.
After investigating with tombstone logs and fuzzying we found that there was a race conditions caused by a defective driver
unaliveoverflow
Nice video
1:45AM HUFO here: Fuzzing is dumb, the moral should not be duplicate your code to make it more secure and the way they found the vuln was reading the code and understanding an attacker's input can go to the function where an assumption on it would be incorrect.
tmux would have been a better option than screen.
Make it’s own live TH-cam channel to your fuzzer 😂
Also what discord channel is that one?
great video. still wearing your congress wristband i see :)
Please Help!!!!
Are new Mac's with new M series apple chips good for binary exploitation, android and windows pentesting? Because i heard that you have to a wrok arounds to run like kali linux, also some essential tools not designed to work on these new architecture M chips.
it's good if you want to do mac (arm) exploitation. obviously not so great when you want to learn linux (x86) exploitation. in this case I also did the fuzzing setup on mac, but the actual fuzzing I did on a linux x86 server.
@@LiveOverflow Can you share more insights on this? It seems you had used docker container on your Mac M1 machine or did you use a cloud linux server and launched your container there?
I think there are not many good resources for aspiring vulnerability researchers out there on what is a good setup for binary research for Linux binaries if your base is Macbook M chips.
Also, another question - do you think using a cloud service like AWS with a high performance EC2 Instance would speed up the fuzzing process given that it has more cores / RAM available than running on your local linux computer?
Push!
funny to see you’re using your minecraft server to also do these. stuff lol
epic
Here's a challenge - Create a distributed fuzzing client.
One person fuzzing for 100 days? Naa.
100 people fuzzing for 1 day? Way easier.
10,000 people fuzzing for awhile? Should find SOMETHING :p
My theory of how they found it: formal methods.
like what ? share more details ?
@@shaisarfaty Formalise the logic of the program interactive theorem provers like Isabelle or Coq.
I WANT A POC OF .webp Image to run “whoami” !!! 😂😂
You Can Be Turkey Pro.
I don't get it. Why are so many security-aware people using discord? Its such an awfully bad choice in the scope of communicating with integrity, confidentiality and availability. Someone please enlighten me.
It’s where most people are. And if you want to have a community, which is open anyway, what does it matter? ;)
Noice
after doing deep investigation on the code and what you have fuzzed , your choice of fuzzing that API is useless . this doesn't have any understanding between your crash and to the original data that is from the file , the data transformation is what you have fuzzed and to get the needed data to put in a file require to find what is the de-transformation that is needed in order to put it back into a file.
I'm two and a half minutes in and I still don't know what fuzzing is
its just a process of doing random stuff on the application to see ash or do some weird things it was not intended to with aim of analysing what causes the crash so tha you can weaponize that and attack the applications that is how i understand it hopefully it helps
Think of it as just brute forcing unexpected inputs and detecting unexpected behavior.
Thats why he referred to another video explaining the basics.
cute
It's cool to live in the world where one can watch 25 minutes video in 0 seconds
Nah thon just got struck by a bolt of lightning and thus was able to take in 25min worth of info in 0.001mins@@ERazzor
Please make a video PUBG lite 0.27.0 32bit vtable hooking please
I heard this guy got thrown in jail for saying something against the rules in Germany
nowadays with chatgpt youtube bloggers becoming useles kek
Please make a video PUBG lite 0.27.0 32bit vtable hooking please