A kAFL based hypervisor fuzzer which fully supports nested VMs

Overview

hAFL2

hAFL2 is a kAFL-based hypervisor fuzzer.
It is the first open-source fuzzer which is able to target hypervisors natively (including Hyper-V), as it's support nested virtualization, code coverage and detailed crash monitoring.

hAFL2 Hyper-V Fuzzing Architecture


  1. The technical details of the project are described within the TechnicalDetails.md file.
  2. The setup instructions are described within the tutorial.md file.

Disclaimer

  1. I only had 3 weeks in order to implement this project from 0 as I worked at the same time on the hAFL1 project & Black Hat USA 2021 talk, therefore, I worked in a PoC mode (a.k.a. quick and dirty.) If I had the time, I'd definetly add more features and re-write some of the code, but I decided to release it anyway as it worked end-to-end, and I wanted to provide the infosec community a native hypervisor fuzzer because I didn't find a public one. I believe that it can help other researchers to learn the field of hypervisors internals and start their own hypervisor fuzzer.

  2. I personally used it in order to target the Hyper-V networking VSP (VMSwitch), which means that I retreived code coverage out of the root partition VM (L2), and sent fuzzing inputs directly to the child partition VM (L2) where my harness was executed.
    This behavior can be easily modified (e.g. retreiving code coverage out of the hypervisor itself on L1, etc.) and I explained exactly what needs to be done in order to make it work within the TechnicalDetails.md file.

VMSwitch Harness Gaps

Due to a lack of time, I have provided a partial harness for Hyper-V's VMSwitch which provide one the ability to send RNDIS packets from the guest partition to the root partition.

It's imporant to mention that there is a major gap in the harness - it won't provide you an accurate code coverage and I'll try to explain why.

The harness is responsible for the following:

  • Signal (ACQUIRE) hAFL2 to start collecting code coverage from the root partition.
  • Send the fuzzing payload to VMSwitch within the root partition.
  • Wait for a VMBus completion packet.
  • Signal (RELEASE) hAFL2 to stop collecting code coverage.

The problem is that VMSwitch processes packets in an asynchronous manner which means that it will call the interesting parsing code (which we'd like to have within our code coverage) AFTER it already sent a completion packet to the child partition's harness, therefore, the code coverage will be partial.

@OphirHarpaz and I solved a similar problem within hAFL1 by disabling PatchGuard and modifying some VMSwitch logic.
I believe this can be solved in a similar manner, maybe by patching VMSwitch and modifying the call to VmbChannelPacketComplete to occur after VMSwitch has finished the processing part.

Check out the Harness driver of hAFL1 in order to understand how we patched VMSwitch.

Re-Compile and Reload KVM

If you already installed the hAFL2 Linux kernel (with modified KVM) and you wish to modify some of KVM's code without re-compile the whole kernel, you may use ./compile-kvm.sh 5.12.7 in order to do so.
The script will also reload the new compiled version of KVM and KVM-intel.

Credits

  • Ophir Harpaz for working together on the hAFL1 project which inspired me to implement the hAFL2 project.
  • Saar Amar for answering a lot of nVMX-related questions during the implementation of this project, which helped me completing this project on time.
  • SafeBreach Labs which provided me the time to learn and implement this project.
  • The kAFL team (Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel and Thorsten Holz) for providing a fuzzing infrastructure which I heavily modified in order to target hypervisors.
  • The Nyx fuzzer team (Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wör­ner, and Thorsten Holz) for telling their own story of implementing a hypervisor fuzzer.

Owner
SafeBreach Labs
SafeBreach Labs
SafeBreach Labs
Chapter 1 of the AWS Cookbook

Chapter 1 - Security Set and export your default region: export AWS_REGION=us-east-1 Set your AWS ACCOUNT ID:: AWS_ACCOUNT_ID=$(aws sts get-caller-ide

AWS Cookbook 30 Nov 27, 2022
A tool to crack a wifi password with a help of wordlist

A tool to crack a wifi password with a help of wordlist. This may take long to crack a wifi depending upon number of passwords your wordlist contains. Also it is slower as compared to social media ac

Saad 144 Dec 29, 2022
Python Toolkit containing different Cyber Attacks Tools

Helikopter Python Toolkit containing different Cyber Attacks Tools. Tools in Helikopter Toolkit 1. FattyNigger (PYTHON WORM) 2. Taxes (PYTHON PASS EXT

Saqlain Naqvi 22 Dec 04, 2022
Compilation of resources and insights that helped me on my journey to data scientist

Compilation of resources and insights that helped me on my journey to data scientist

Conor Dewey 1.5k Jan 02, 2023
Password List Creator Simple !

Password List Creator Simple !

MR.D3F417 4 Jan 27, 2022
Script Crack Facebook Elite 🚶‍♂

elite Script Crack Facebook Elite 🚶‍♂ Install Script $ pkg update && pkg upgrade $ termux-setup-storage $ pkg install git $ pkg install python $ pip

Yumasaa 1 Jan 02, 2022
CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

EntySec 118 Dec 24, 2022
Mert Güvençli 142 Jan 05, 2023
Crowbar - A windows post exploitation tool

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

29 Nov 20, 2022
Website OSINT untuk mencari informasi dari email dan nomor telepon. Dibuat dengan React dan Flask.

Inspektur Cari informasi mengenai email dan nomor telepon dengan mudah. Inspektur adalah aplikasi OSINT yang berguna untuk mencari informasi berdasark

Bagas Wastu 36 Dec 04, 2022
This respository contains the source code of the printjack and phonejack attacks.

Printjack-Phonejack This repository contains the source code of the printjack and phonejack attacks. The Printjack directory contains the script to ca

pietrobiondi 2 Feb 12, 2022
Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

Anontemitayo 9 Dec 30, 2022
A python based tool that executes various CVEs to gain root privileges as root on various MAC OS platforms.

MacPer A python based tool that executes various CVEs to gain root privileges as root on various MAC OS platforms. Not all of the exploits directly sp

20 Nov 30, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022
IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Re-Scripts IA32-VMX-Helper (IDA-Script) IA32-MSR-Decoder (IDA-Script) IA32 VMX Helper It's an IDA script (Updated IA32 MSR Decoder) which helps you to

Behrooz Abbassi 16 Oct 08, 2022
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 08, 2023
Burp Suite extension for encoding/decoding EVM calldata

unblocker Burp Suite extension for encoding/decoding EVM calldata 0x00_prerequisites Burp Suite Java 8+ Python 2.7 0x01_installation clone this reposi

Halborn 16 Aug 30, 2022
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022
Metasploit Multi Purpose Exploiting Toolkit For Termux

MSF-EXPLOIT MSF-ANDRO is a Metasploit Multi Purpose Exploiting Toolkit For Termux . Only a Basic Script , Still in Development . FEATURES : Install Me

Mr.X 22 Dec 29, 2022
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

Baris Dincer 1 Dec 22, 2021