A kAFL based hypervisor fuzzer which fully supports nested VMs

Overview

hAFL2

hAFL2 is a kAFL-based hypervisor fuzzer.
It is the first open-source fuzzer which is able to target hypervisors natively (including Hyper-V), as it's support nested virtualization, code coverage and detailed crash monitoring.

hAFL2 Hyper-V Fuzzing Architecture


  1. The technical details of the project are described within the TechnicalDetails.md file.
  2. The setup instructions are described within the tutorial.md file.

Disclaimer

  1. I only had 3 weeks in order to implement this project from 0 as I worked at the same time on the hAFL1 project & Black Hat USA 2021 talk, therefore, I worked in a PoC mode (a.k.a. quick and dirty.) If I had the time, I'd definetly add more features and re-write some of the code, but I decided to release it anyway as it worked end-to-end, and I wanted to provide the infosec community a native hypervisor fuzzer because I didn't find a public one. I believe that it can help other researchers to learn the field of hypervisors internals and start their own hypervisor fuzzer.

  2. I personally used it in order to target the Hyper-V networking VSP (VMSwitch), which means that I retreived code coverage out of the root partition VM (L2), and sent fuzzing inputs directly to the child partition VM (L2) where my harness was executed.
    This behavior can be easily modified (e.g. retreiving code coverage out of the hypervisor itself on L1, etc.) and I explained exactly what needs to be done in order to make it work within the TechnicalDetails.md file.

VMSwitch Harness Gaps

Due to a lack of time, I have provided a partial harness for Hyper-V's VMSwitch which provide one the ability to send RNDIS packets from the guest partition to the root partition.

It's imporant to mention that there is a major gap in the harness - it won't provide you an accurate code coverage and I'll try to explain why.

The harness is responsible for the following:

  • Signal (ACQUIRE) hAFL2 to start collecting code coverage from the root partition.
  • Send the fuzzing payload to VMSwitch within the root partition.
  • Wait for a VMBus completion packet.
  • Signal (RELEASE) hAFL2 to stop collecting code coverage.

The problem is that VMSwitch processes packets in an asynchronous manner which means that it will call the interesting parsing code (which we'd like to have within our code coverage) AFTER it already sent a completion packet to the child partition's harness, therefore, the code coverage will be partial.

@OphirHarpaz and I solved a similar problem within hAFL1 by disabling PatchGuard and modifying some VMSwitch logic.
I believe this can be solved in a similar manner, maybe by patching VMSwitch and modifying the call to VmbChannelPacketComplete to occur after VMSwitch has finished the processing part.

Check out the Harness driver of hAFL1 in order to understand how we patched VMSwitch.

Re-Compile and Reload KVM

If you already installed the hAFL2 Linux kernel (with modified KVM) and you wish to modify some of KVM's code without re-compile the whole kernel, you may use ./compile-kvm.sh 5.12.7 in order to do so.
The script will also reload the new compiled version of KVM and KVM-intel.

Credits

  • Ophir Harpaz for working together on the hAFL1 project which inspired me to implement the hAFL2 project.
  • Saar Amar for answering a lot of nVMX-related questions during the implementation of this project, which helped me completing this project on time.
  • SafeBreach Labs which provided me the time to learn and implement this project.
  • The kAFL team (Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel and Thorsten Holz) for providing a fuzzing infrastructure which I heavily modified in order to target hypervisors.
  • The Nyx fuzzer team (Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wör­ner, and Thorsten Holz) for telling their own story of implementing a hypervisor fuzzer.

Owner
SafeBreach Labs
SafeBreach Labs
SafeBreach Labs
Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

GoodHound ______ ____ __ __ / ____/___ ____ ____/ / / / /___ __ ______ ____/ / / / __/ __ \/ __ \/ __

idna 352 Jan 02, 2023
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
Automatically download all 10,000 CryptoPunk NFTs.

CryptoPunk Stealer The sole purpose of this script is to download the entire CryptoPunk NFT collection. How does it work? Basically, the website where

Dan 7 Oct 22, 2022
Open-source jailbreaking tool for many iOS devices

Open-source jailbreaking tool for many iOS devices *Read disclaimer before using this software. checkm8 permanent unpatchable bootrom exploit for hund

6.7k Jan 05, 2023
Data Recovery from your broken Android phone

Broken Phone Recovery a guide how to backup data from your locked android phone if you broke your screen (and more) you can skip some steps depending

v1nc 25 Sep 23, 2022
Signatures and IoCs from public Volexity blog posts.

threat-intel This repository contains IoCs related to Volexity public threat intelligence blog posts. They are organised by year, and within each year

Volexity 130 Dec 29, 2022
Malware for Discord, designed to steal passwords, tokens, and inject discord folders for long-term use.

Vital What is Vital? Vital is malware primarily used to collect and extract information from the Discord desktop client. While it has other features (

HellSec 59 Dec 01, 2022
PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

A medium security python password manager that encrypt passwords using Advanced Encryption Standard (AES) PassLock is a password manager and password

Akshay Vs 44 Nov 18, 2022
Grafana-0Day-Vuln-POC

Grafana V8.0+版本存在未授权任意文件读取 0Day漏洞 - POC 1 漏洞信息 1.1 基本信息 漏洞厂商:Grafana 厂商官网:https://grafana.com/ 1.2 漏洞描述 Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Gr

mik1th0n 3 Dec 13, 2021
GRR Rapid Response: remote live forensics for incident response

GRR Rapid Response is an incident response framework focused on remote live forensics. Build Type Status Tests End-to-end Tests Windows Templates Linu

Google 4.3k Jan 05, 2023
Now patched 0day for force reseting an accounts password

Animal Jam 0day No-Auth Force Password Reset via API Now patched 0day for force reseting an accounts password Used until patched to cause anarchy. Pro

IRIS 10 Nov 17, 2022
An intranet tool for easily intranet pentesting

IntarKnife v1.0 a tool can be used in intarnet for easily pentesting moudle hash spray U can use this tool to spray hash on a webshell IntraKnife.exe

4 Nov 24, 2021
Small python script to look for common vulnerabilities on SMTP server.

BrokenSMTP BrokenSMTP is a python3 BugBounty/Pentesting tool to look for common vulnerabilities on SMTP server. Supported Vulnerability : Spoofing - T

39 Dec 16, 2022
Mr.Holmes is a information gathering tool (OSINT)

🔍 Mr.Holmes Mr.Holmes is a information gathering tool (OSINT). Is main purpose is to gain information about domains,username and phone numbers with t

534 Jan 08, 2023
Scanning for CVE-2021-44228

Filesystem log4j_scanner for windows and Unix. Scanning for CVE-2021-44228, CVE-2021-45046, CVE-2019-17571 Requires a minimum of Python 2.7. Can be ex

Brett England 4 Jan 09, 2022
The Decompressoin tool for Vxworks MINIFS

MINIFS-Decompression The Decompression tool for Vxworks MINIFS filesystem. USAGE python minifs_decompression.py [target_firmware] The example of Mercu

8 Jan 03, 2023
Password database With special stuff

This is a Password database I made for myself, as I want to keep all my passwords in the same place. but still protected, shall anyone get access to the file. And so I made this simple password datab

9 Oct 30, 2022
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

Isuru Umayanga 7 Aug 06, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
Python Library For Ethical Hacker

Python Library For Ethical Hacker

11 Nov 03, 2022