Maciej Domanski
2022-12-28 09:41:22 +01:00
parent 51e0707d4d
commit f28f6adbce
2 changed files with 14 additions and 9 deletions

View File

@ -11,7 +11,7 @@
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
.PHONY: all install clean .PHONY: all install clean demo
PREFIX ?= /usr/local PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin BIN_PATH = $(PREFIX)/bin
@ -58,5 +58,7 @@ clean:
rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo
demo: demo:
../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c CC = afl-clang-fast
../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c CFLAGS = -fsanitize=address
-@$(CC) $(CFLAGS) -o argv_fuzz_demo argv_fuzz_demo.c
-@$(CC) $(CFLAGS) -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c
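Review bot: the `CC = afl-clang-fast` and `CFLAGS = -fsanitize=address` assignments sit between the `demo:` target line and its recipe, and that does not work either way: as unindented lines they are variable assignments that terminate the recipe, so the two `-@$(CC) $(CFLAGS) -o ...` lines that follow are no longer attached to `demo` (GNU make stops with "recipe commences before first target"); as tab-indented lines they are passed to the shell as commands and fail. Move both assignments above the rules, and prefer `?=` so a caller's `CC`/`CFLAGS` is not silently overridden (a file-scope `CC = afl-clang-fast` would also change how `all` builds argvfuzz32.so/argvfuzz64.so if that target uses `$(CC)`). Also drop the `-@` prefix: `-` ignores a failed compile and `@` hides the command, so a missing `afl-clang-fast` on PATH (the old recipe used `../../afl-clang-fast` from the source tree, the new one needs an installed copy) leaves `make demo` reporting success with no binaries produced.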

View File

@ -1,14 +1,16 @@
# argv_fuzzing feature # argv_fuzzing feature
AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for fuzzing of arguments passed to a program from the command line interface, rather than from standard input. AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for the fuzzing of arguments
passed to a program from the command line interface rather than from standard input.
## With source code ## With source code
When source is available, a macro from the `argv-fuzz-inl.h` header file can be used to change the program's behavior to build argv from STDIN. When the source code is available, a specific macro from the `argv-fuzz-inl.h` header file can be used to change
the program's behavior to build argv from STDIN.
### Without persistent mode ### Without persistent mode
Conditions needed to use the argv_fuzzing feature: Conditions needed to use the argv_fuzzing feature:
1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`) 1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`)
2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`) 2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`)
3. Use the one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: 3. Use one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input:
- `AFL_INIT_ARGV();` or - `AFL_INIT_ARGV();` or
- `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed) - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed)
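Review bot: item 3 still does not say how the stdin buffer is turned into separate argv entries (what delimits one argument from the next and how the list ends), yet that is exactly what a seed corpus for argv fuzzing has to encode; add one sentence with the delimiter and a minimal seed example next to "build argv from STDIN". Minor: "to preserve `argv[0]`" reads as if the original argv[0] survives, but `AFL_INIT_SET0("prog_name")` sets argv[0] to the string you pass; "to set `argv[0]` to a fixed program name" describes it more accurately.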
@ -18,7 +20,8 @@ see: [argv_fuzz_demo.c](argv_fuzz_demo.c)
Conditions needed to use the argv_fuzzing feature with persistent mode: Conditions needed to use the argv_fuzzing feature with persistent mode:
1. Ensure your target can handle persistent mode fuzzing 1. Ensure your target can handle persistent mode fuzzing
2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md) 2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md)
3. Use the one of the following macro near the beginning of the main function and after the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): 3. Use one of the following macros near the beginning of the main function and after
the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`):
- `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to - `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to
- `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)` - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)`
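Review bot: the first bullet in item 3 is still cut off at "if you want to", so the reader is never told what `AFL_INIT_ARGV_PERSISTENT(buf)` does versus `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)`; finish the sentence along the lines of the non-persistent pair ("`AFL_INIT_ARGV();` or ... `AFL_INIT_SET0(...)`") and add "or" so the two bullets read as alternatives. It would also help to say whether `buf` must be the `__AFL_FUZZ_TESTCASE_BUF` pointer itself or may be any buffer holding the test case, since the text only says the macro goes after that initialization.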
@ -34,5 +37,5 @@ A few conditions need to be fulfilled for this mechanism to work correctly:
1. As it relies on hooking the loader, it cannot work on static binaries 1. As it relies on hooking the loader, it cannot work on static binaries
2. If the target binary does not use the default libc's `_start` implementation 2. If the target binary does not use the default libc's `_start` implementation
(crt1.o), the hook may not run. (crt1.o), the hook may not run.
3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`.
target binary expects argv to be living on the stack, things may go wrong. Things may go wrong if the target binary expects argv to live on the stack.
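Review bot: "Things may go wrong" in item 3 is as vague after the reflow as before; name the concrete failure: because argv now points into `.data` of `argvfuzz.so`, code that derives other addresses from argv's stack position (for instance locating envp or the auxiliary vector by walking past `argv[argc]`) will read the wrong memory. Item 2's "the hook may not run" deserves the same treatment: tell the reader what to check (that the binary's entry path goes through the default crt1.o `_start`) rather than leaving it as a possibility.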