afl-network-proxy
If you want to run afl-fuzz over the network than this is what you need :) Note that the impact on fuzzing speed will be huge, expect a loss of 90%.
When to use this
- when you have to fuzz a target that has to run on a system that cannot contain the fuzzing output (e.g. /tmp too small and file system is read-only)
- when the target instantly reboots on crashes
- ... any other reason you would need this
how to get it running
on the target
Run afl-network-server with your target with the -m and -t values you need.
Important is the -i parameter which is the TCP port to liste on.
e.g.:
$ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@
on the fuzzing master
Just run afl-fuzz with your normal options, however the target should be
afl-network-client with the IP and PORT of the afl-network-server and
increase the -t value:
$ afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111
Note the '+' on the -t parameter value. the afl-network-server will take care of proper timeouts hence afl-fuzz should not. The '+' increases the timout and the value itself should be 500-1000 higher than the one on afl-network-server.
networking
The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to
either. Note that also the outgoing interface can be specified with a '%' for
afl-network-client, e.g. fe80::1234%eth0.
how to compile and install
make && sudo make install
Future
It would be much faster and more effective if afl-network-server does not
send the map data back (64kb or more) but the checksum that afl-fuzz would
generate. This change however would make it incompatible with existing
afl spinoffs.
But in the future this will be implemented and supported as a compile option.