AFLplusplus: “Fork server handshake failed” Error when fuzzing an arm binary without source code

Anybody here?
I have been working on using afl-qemu mode to fuzz IoT binaries. But I got a “Fork server handshake failed” problem when I started to run the binary.

The information of the binary is here:

./bin/busybox: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

After setting QEMU_LD_PREFIX, I tried the suggested command ‘afl-showmap -o fuzz_out.txt -Q -m none ./bin/busybox’ and it turned out to be fine.

afl-showmap++3.01a by Michal Zalewski
[*] Executing './bin/busybox'...
-- Program output begins --
BusyBox v1.22.1 (2016-10-11 15:13:12 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, acpid, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid, blockdev, bootchartd,
        brctl, bzip2, cal, cat, catv, chgrp, chmod, chown, chroot, cksum, clear, cmp, conspy, cp, cttyhack, cut, date, dc, dd,
        delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsdomainname, dos2unix, du, echo, egrep, env, expand, expr, false,
        fdisk, fgconsole, fgrep, find, flock, fold, free, fsck, fstrim, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep,
        groups, gunzip, gzip, halt, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd,
        init, insmod, install, ionice, iostat, ipcrm, ipcs, kill, killall, killall5, klogd, linuxrc, ln, logger, login, logname,
        logread, losetup, ls, lsmod, lsof, lspci, lsusb, md5sum, mdev, mkdir, mkfifo, mknod, mktemp, modinfo, modprobe, more, mount,
        mountpoint, mpstat, mv, nameif, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od, passwd, patch, pgrep,
        pidof, ping, ping6, pivot_root, pkill, pmap, poweroff, printenv, printf, ps, pstree, pwd, pwdx, rdate, rdev, readlink,
        readprofile, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod, route, run-parts, rx, script, scriptreplay, sed, seq,
        setserial, setsid, sh, sha1sum, sha256sum, sha3sum, sha512sum, sleep, smemcap, sort, split, start-stop-daemon, stat,
        strings, stty, su, sulogin, sum, switch_root, sync, sysctl, syslogd, tail, tar, taskset, tee, telnet, telnetd, test, tftp,
        time, timeout, top, touch, tr, traceroute, traceroute6, true, tty, tunctl, tune2fs, udhcpc, udhcpc6, umount, uname,
        unexpand, uniq, unix2dos, unzip, uptime, users, usleep, uudecode, uuencode, vconfig, vi, volname, wall, watch, watchdog, wc,
        wget, which, who, whoami, whois, xargs, yes, zcat, zcip

-- Program output ends --
[+] Captured 98 tuples (highest value 8, total values 280) in 'fuzz_out.txt'.

But when I tried the command ‘sudo afl-fuzz -m none -i fuzz_in/ -o fuzz_out/ -Q ./bin/busybox @@’, it reported the error shown below.

root@ubuntu:squashfs-root# sudo afl-fuzz -m none -i fuzz_in/ -o fuzz_out/ -Q ./bin/busybox @@
afl-fuzz++3.01a based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 4 CPU cores and 3 runnable tasks (utilization: 75%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'fuzz_in/'...
[+] Loaded a total of 1 seeds.
[*] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:testcase'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a handshake with the injected code.
If the target was compiled with afl-clang-lto and AFL_LLVM_MAP_ADDR then recompiling without this parameter.
Otherwise there is a horrible bug in the fuzzer.
Poke <afl-users@googlegroups.com> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:954

Could anybody tell me where the problem is? It says there might be a horrible bug in the fuzzer; is that true? Thanks so much!!

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (10 by maintainers)

Most upvoted comments

Thanks so much! I finally found the problem: I shouldn’t make the output folder, fuzz_out, by myself, as it is created automatically by the afl-fuzz command. I am sure it is an easy mistake for beginners.
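The post above runs afl-showmap as a sanity check and then hits the handshake failure in afl-fuzz, and the resolving comment traces it to a pre-created output directory. The script below is an added example, not code from the issue or from AFL++: a preflight helper that verifies the things that commonly break QEMU-mode fuzzing of a foreign-architecture binary before afl-fuzz is launched. The function names, the argument order, and the check that refuses an existing output directory are this script's own assumptions; the loader path /lib/ld-uClibc.so.0 and the afl-fuzz command line are taken from the post.

```shell
#!/bin/sh
# Preflight checks before launching afl-fuzz -Q on a foreign-architecture
# firmware binary. Added example for this issue, not part of AFL++; the check
# names and the argument order are assumptions of this script.

# QEMU_LD_PREFIX must point at a sysroot that contains the dynamic loader named
# in the binary's PT_INTERP (for the busybox in the post: /lib/ld-uClibc.so.0).
check_ld_prefix() {
  prefix="$1"
  interp="$2"
  [ -n "$prefix" ] || { echo "QEMU_LD_PREFIX is not set" >&2; return 1; }
  [ -e "$prefix$interp" ] || { echo "loader not found: $prefix$interp" >&2; return 1; }
  return 0
}

# The input directory must exist and hold at least one seed file.
check_input_dir() {
  in_dir="$1"
  [ -d "$in_dir" ] || { echo "input dir missing: $in_dir" >&2; return 1; }
  n=$(find "$in_dir" -maxdepth 1 -type f | wc -l)
  [ "$n" -gt 0 ] || { echo "no seed files in $in_dir" >&2; return 1; }
  return 0
}

# The resolving comment in this thread reports that pre-creating -o caused the
# failure, so refuse an existing output directory and let afl-fuzz create it.
check_output_dir() {
  out_dir="$1"
  [ ! -e "$out_dir" ] || { echo "output dir already exists: $out_dir" >&2; return 1; }
  return 0
}

# Read the ELF header bytes directly: magic (offsets 0-3), EI_CLASS (offset 4)
# == 1 for 32-bit, e_machine (offsets 18-19) == 0x0028 little-endian for ARM.
# This avoids depending on file(1) being installed on the fuzzing host.
check_arm32_elf() {
  bin="$1"
  [ -f "$bin" ] || { echo "binary not found: $bin" >&2; return 1; }
  magic=$(dd if="$bin" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $bin" >&2; return 1; }
  class=$(dd if="$bin" bs=1 skip=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  machine=$(dd if="$bin" bs=1 skip=18 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  if [ "$class" != "01" ] || [ "$machine" != "2800" ]; then
    echo "not a 32-bit little-endian ARM ELF: $bin (class=$class machine=$machine)" >&2
    return 1
  fi
  return 0
}

# Run every check and, on success, print the afl-fuzz invocation from the post.
# Arguments: binary, PT_INTERP path, input dir, output dir.
preflight() {
  check_arm32_elf "$1" || return 1
  check_ld_prefix "${QEMU_LD_PREFIX:-}" "$2" || return 1
  check_input_dir "$3" || return 1
  check_output_dir "$4" || return 1
  echo "afl-fuzz -m none -i $3 -o $4 -Q $1 @@"
  return 0
}

# Usage (assumed layout):
#   QEMU_LD_PREFIX=/path/to/squashfs-root ./preflight.sh ./bin/busybox /lib/ld-uClibc.so.0 fuzz_in fuzz_out
if [ "$#" -eq 4 ]; then
  preflight "$@"
fi
```

Run it from the extracted firmware root with QEMU_LD_PREFIX exported; it prints the afl-fuzz command only when every check passes, and otherwise names the first thing that would make the fork server handshake fail before afl-fuzz ever starts.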