jdbirdwell / afl Goto Github PK
american fuzzy lop for network fuzzing (unofficial) -- official afl site is http://lcamtuf.coredump.cx/afl/
sys/sendfile.h is Linux only. Unable to compile on OSX platforms
Hi,
I want to fuzz a network program which:
The program performs steps 1 to 5 three times sequentially.
When I try to fuzz this program using afl-net, it generates following output:
american fuzzy lop 1.95b (listen_socket)
┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│ run time : 0 days, 0 hrs, 0 min, 49 sec │ cycles done : 0 │
│ last new path : none seen yet │ total paths : 1 │
│ last uniq crash : none seen yet │ uniq crashes : 0 │
│ last uniq hang : 0 days, 0 hrs, 0 min, 0 sec │ uniq hangs : 1 │
├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤
│ now processing : 0 (0.00%) │ map density : 13 (0.02%) │
│ paths timed out : 0 (0.00%) │ count coverage : 1.00 bits/tuple │
├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤
│ now trying : havoc │ favored paths : 1 (100.00%) │
│ stage execs : 2144/2500 (85.76%) │ new edges on : 1 (100.00%) │
│ total execs : 2353 │ total crashes : 0 (0 unique) │
│ exec speed : 0.05/sec (zzzz...) │ total hangs : 1 (1 unique) │
├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤
│ bit flips : 0/16, 0/15, 0/13 │ levels : 1 │
│ byte flips : 0/2, 0/1, 0/0 │ pending : 1 │
│ arithmetics : 0/112, 0/0, 0/0 │ pend fav : 1 │
│ known ints : 0/11, 0/28, 0/0 │ own finds : 0 │
│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │
│ havoc : 0/0, 0/0 │ variable : 0 │
│ trim : n/a, 0.00% ├────────────────────────┘
└─────────────────────────────────────────────────────┘ [cpu: 39%]
[-] SYSTEM ERROR : Attempt to bind socket to source address & port failed (TCP case)
Stop location : network_send(), afl-fuzz.c:2188
OS message : Address already in use
I think that afl-fuzz sends a request to the first socket created and, after receiving the request, the program proceeds forward. It creates the second socket and waits for a request, but the fuzzer doesn't send a request. After some time it kills the process and marks it as a "hang". And in the next round, as the socket was not closed, I get the "Address already in use" error.
Is there a way to fuzz this code using afl-net given that it creates and closes three sockets?
Import the 1.96b changes please.
Do you know if Michael will add your changes into AFL? Or is he working on his own? Does he have no interest in network support?
Hi,
I'm trying to compile a Kafka library (librdkafka, the Apache Kafka C/C++ client library) with afl-gcc (network) and the following messages appear:
./src/librdkafka.a(rdkafka.o): TLS transition from R_X86_64_TLSGD to R_X86_64_GOTTPOFF against `rd_kafka_last_error_code' at 0x2737 in section `.text' failed
../src/librdkafka.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [rdkafka_example] Error 1
make[1]: Leaving directory `/pe/lib-pe/librdkafka/examples'
make: *** [examples] Error 2
Have you ever experienced this issue?
Thank you.
I was hoping to try https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop without having to modify the code.
With the following memory setting (512 MB),
/home/user/afl/afl-fuzz -m 512 -i /home/user/testcases -o /home/user/outputs -D 1 -t 200+ -N udp://localhost:53 /home/user/knot-2.1.1/src/knotd -c /home/user/knot.conf
But on inspection with strace, it seems like there isn't enough memory
3398 mmap(NULL, 524288000, PROT_READ, MAP_SHARED, 5, 0) = -1 ENOMEM (Cannot allocate memory)
...
3398 write(2, "2016-04-14T08:35:43 critical: failed to open configuration database '' (not enough memory)\n", 91) = 91
...
3398 exit_group(1) = ?
3398 +++ exited with 1 +++
Running it with more memory (1024 MB) results in:
$ /home/user/afl/afl-fuzz -m 1024 -i /home/user/testcases -o /home/user/outputs -D 1 -t 200+ -N udp://localhost:53 /home/user/knot-2.1.1/src/knotd -c /home/user/knot.conf
afl-fuzz 1.95b by <[email protected]>
[+] You have 1 CPU cores and 2 runnable tasks (utilization: 200%).
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/home/user/testcases'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:dns-query-sample'...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[!] WARNING: Test case results in a hang (skipping)
[-] PROGRAM ABORT : All test cases time out, giving up!
Location : perform_dry_run(), afl-fuzz.c:3240
Any ideas?
Heya Birdwell!
Having a lot of fun with your project. I updated it to the latest 2.50b and am working on tuning a project. I seem to be running into an issue where, I believe, a fuzzing iteration is trying to send a buffer exceeding 64k.
Eventually, all of my fuzzing instances stop with this error: "Message too long." After modifying the code, I was able to validate that it's indeed trying to send too much data for one packet.
My thoughts were to look at implementing a UDP flag and then if it is set, check the buffer to make sure it is not greater than (65535-20(ip header)-8(udp header)-1) 65506.
Thoughts on this approach friend?
EDIT:
Alright, now I'm conflicted. If I truncate I realize we're gonna miss a lot of good test cases. I guess the proper thing to do would be to loop sendto until all of the payload is sent over?
Summary
I am a student currently trying to create a base test case for the network fuzzer with a simple TCP server that merely creates, binds, listens, accepts, receives a string, and closes a socket. However, I'm stuck on two errors I'm receiving when attempting to fuzz the application. While running the application by itself or using strace it functions properly and exits appropriately.
Do you mind helping me with these errors? I feel I don't quite understand how the network fuzzer functionality works.
Error 1
Possible bad values for -t flag and -D flag?
When attempting to run the fuzzer:
afl-fuzz -i testcases/ -o findings/ -t 5000+ -D 1000 -N tcp://127.0.0.1:8080 -- ./netprog/tcpserver 8080
I receive the following error:
[-] SYSTEM ERROR : Attempt to bind socket to source address & port failed (TCP case)
Stop location : network_send(), afl-fuzz.c:2188
OS message : Address already in use
Following a netstat -an | grep 8080 I found this:
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32800 127.0.0.1:8080 TIME_WAIT
Error 2
Test case is simply a file containing the string "test string"
How does the fuzzer send this data to the application?
Is the file parsed and the string data sent in an afl-formed TCP packet?
OR
Is the file itself sent?
When attempting to run the fuzzer:
afl-fuzz -i testcases/ -o findings/ -t 10000+ -D 5000 -N tcp://127.0.0.1:8080 -- ./netprog/tcpserver 8080
I receive the following error:
[-] PROGRAM ABORT : All test cases time out, giving up!
Location : perform_dry_run(), afl-fuzz.c:3240
I'm trying to determine whether I need to tweak the application itself to be compatible with the fuzzer, or whether I don't quite understand how the network fuzzer works.
Thank you for your consideration.
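The UDP "Message too long" post above and the TCP "Address already in use" post share the same client-side plumbing problem, so here is one added example in C (not code from afl-net or its author) of how a network sender can handle both: splitting an oversized test case into datagram-sized sendto() calls instead of failing with EMSGSIZE, and setting SO_REUSEADDR before binding a fixed source port so a lingering TIME_WAIT entry (like the 127.0.0.1:32800 one in the netstat output) does not make bind() fail with EADDRINUSE. Function names are hypothetical; the 65507 limit is 65535 minus the 20-byte IPv4 header and the 8-byte UDP header.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Largest payload that fits one IPv4/UDP datagram: 65535 - 20 (IP hdr) - 8 (UDP hdr). */
#define UDP_MAX_PAYLOAD 65507

/* Number of datagrams needed to carry len bytes without exceeding the per-datagram
 * limit. A zero-length test case still produces one (empty) datagram. */
size_t udp_chunk_count(size_t len) {
    if (len == 0) return 1;
    return (len + UDP_MAX_PAYLOAD - 1) / UDP_MAX_PAYLOAD;
}

/* Send a test case over UDP as one or more datagrams instead of failing with EMSGSIZE.
 * Returns the number of datagrams sent, or -1 on error (errno set). Note that the
 * target then receives several messages, not one oversized buffer. */
int udp_send_chunked(int fd, const uint8_t *buf, size_t len,
                     const struct sockaddr *dst, socklen_t dstlen) {
    size_t off = 0;
    int sent = 0;
    do {
        size_t n = len - off;
        if (n > UDP_MAX_PAYLOAD) n = UDP_MAX_PAYLOAD;
        if (sendto(fd, buf + off, n, 0, dst, dstlen) < 0) return -1;
        off += n;
        sent++;
    } while (off < len);
    return sent;
}

/* Bind a client socket to a fixed source address/port. With SO_REUSEADDR set first,
 * a TIME_WAIT entry left by the previous connection to the target no longer makes
 * bind() fail with EADDRINUSE. Returns 0 on success, -1 on error (errno set). */
int bind_client_source(int fd, const char *ip, uint16_t port) {
    int one = 1;
    struct sockaddr_in src;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) return -1;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &src.sin_addr) != 1) { errno = EINVAL; return -1; }
    return bind(fd, (struct sockaddr *)&src, sizeof src);
}
```

Splitting changes what the target receives, so a fuzzer that does this should record which test cases were split rather than silently truncating them.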
I just need to figure out if what I am looking for is already in AFL or not. It might be a feature request if not...
So, I am trying to fuzz a PDF viewer with a few PDF files as the initial seed for the mutation engine. But my problem is that the PDF viewer is expected to open the PDF file and stay open, waiting for the user to quit. Thus, AFL runs the test cases and hits the timeout for all of them, then decides to stop there.
Would it be possible to have an option telling AFL that we would like to consider killing the application once the timeout is reached as "okay behavior"? I know that hangs won't be possible to detect then, but I am more looking for crashes, so I do not care to have it for this application.
Well, this option might already exist; I might have missed it in the documentation! So, feel free to RTFM me, I probably deserve it! :)