var fuzz = require("./frida-fuzzer/fuzz");
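fuzz.target_module = "libxml2.so.2";
/* Load libdislocator (AFL++'s debugging allocator) and redirect the target
module's PLT imports of the allocator family to it, so heap misuse inside the
parser faults immediately instead of being silently tolerated.
Only the target module's imports are hooked. DO NOT hook the symbols in libc
themselves: Frida's own runtime would then allocate through the dislocator and
freeze your machine (probably there are memory leaks in the runtime). */
var subs = ["malloc", "calloc", "realloc", "free", "memalign", "posix_memalign"];
var disloc = Module.load("/home/andrea/AFLplusplus/libdislocator.so");
// Fail at load time if the target is not mapped. An enumerate-and-filter loop
// would hook nothing and the campaign would run without any heap checking,
// which is a silent loss of bug-detection rather than an obvious error.
var targetMod = Process.findModuleByName(fuzz.target_module);
if (targetMod === null)
  throw new Error("target module not loaded: " + fuzz.target_module);
var hooked = 0;
targetMod.enumerateImports().forEach(function (imp) {
  if (imp.type !== "function" || subs.indexOf(imp.name) === -1) return;
  // NOTE(review): `imp.address` is the import's address as reported by Frida;
  // confirm on the Frida version in use that this is the target's own entry
  // (GOT slot) and not the resolved libc callee, otherwise every module's
  // allocations would be redirected, contradicting the intent above.
  Interceptor.replace(imp.address, disloc.getExportByName(imp.name));
  hooked++;
});
// Same reasoning as above: zero replaced imports means the dislocator is not
// in effect for this module at all.
if (hooked === 0)
  throw new Error("no allocator imports hooked in " + fuzz.target_module);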
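// Resolve the function under test. An unresolved symbol yields a NULL address,
// which would only surface as a crash on the first fuzz iteration; reject it
// here instead so the harness fails at load time with a clear message.
var xmlReadMemory_addr = DebugSymbol.fromName("xmlReadMemory").address;
if (xmlReadMemory_addr.isNull())
  throw new Error("cannot resolve xmlReadMemory");
// xmlReadMemory(buffer, size, URL, encoding, options) -> xmlDocPtr (or NULL).
// `traps: 'all'` lets frida-fuzzer's Stalker follow this call for coverage.
var xmlReadMemory = new NativeFunction(xmlReadMemory_addr, "pointer",
  ["pointer", "int", "pointer", "pointer", "int"], { traps: "all" });
// don't trace xmlFreeDoc: it is cleanup only, so no traps and no coverage.
var xmlFreeDoc_addr = DebugSymbol.fromName("xmlFreeDoc").address;
if (xmlFreeDoc_addr.isNull())
  throw new Error("cannot resolve xmlFreeDoc");
var xmlFreeDoc = new NativeFunction(xmlFreeDoc_addr, "void", ["pointer"]);
// Input buffer reused for every testcase, sized to the fuzzer's maximum input.
var payload_mem = Memory.alloc(fuzz.config.MAX_FILE);
// Dummy document URL handed to the parser on every call.
var name = Memory.allocUtf8String("noname.xml");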
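/* frida-fuzzer entry point, invoked once per generated testcase.
   payload: raw input bytes (Uint8Array). They are copied into payload_mem and
   handed to xmlReadMemory with the dummy URL, a NULL encoding and options 0;
   the document, when one was produced, is freed so each iteration leaves the
   (dislocator-managed) heap balanced. */
fuzz.fuzzer_test_one_input = function (/* Uint8Array */ payload) {
  // payload_mem holds exactly MAX_FILE bytes. A larger input would overflow the
  // agent's own buffer and corrupt the heap we are trying to observe, so refuse
  // it loudly instead of truncating (truncation would skew what gets fuzzed).
  if (payload.length > fuzz.config.MAX_FILE)
    throw new Error("testcase larger than MAX_FILE: " + payload.length);
  Memory.writeByteArray(payload_mem, payload, payload.length);
  var doc = xmlReadMemory(payload_mem, payload.length, name, ptr(0), 0);
  // NULL means the parser rejected the input; nothing to free then.
  if (!doc.isNull())
    xmlFreeDoc(doc);
};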
// Printed once so the operator can see the agent finished hooking the target.
console.log(" >> Agent loaded!");