afl-network-proxy
If you want to run afl-fuzz over the network, then this is what you need :) Note that the impact on fuzzing speed will be huge: expect to lose about 90% of your execution speed compared to fuzzing the target locally.
When to use this
- when you have to fuzz a target that has to run on a system that cannot contain the fuzzing output (e.g. /tmp too small and file system is read-only)
- when the target instantly reboots on crashes
- ... any other reason you would need this
how to get it running
Compiling
Just type make and let the autodetection do everything for you.
Note that compression is supported but currently disabled. In testing, sending the 64kb of map data uncompressed over TCP was faster than compressing it with the fastest algorithm and options down to 112 bytes and sending that. Weird.
on the target
Run afl-network-server with your target, using the -m and -t values you need. The important parameter is -i, which is the TCP port to listen on.
e.g.:
$ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@
on the fuzzing master
Just run afl-fuzz with your normal options; however, the target should be afl-network-client with the IP and PORT of the afl-network-server, and increase the -t value:
$ afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111
Note the '+' suffix on the -t value. afl-network-server enforces the real per-execution timeout, so afl-fuzz should not; the '+' makes afl-fuzz treat the value as an upper bound and skip seeds that time out during calibration instead of aborting. The value itself should be 500-1000 ms higher than the -t given to afl-network-server.
networking
The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to either. Note that the outgoing interface can also be specified with a '%' for afl-network-client, e.g. fe80::1234%eth0.
Also make sure the middle value of /proc/sys/net/ipv4/tcp_rmem, which is the default TCP receive window size, is larger than your MAP_SIZE (130kb is a good value); otherwise a full map cannot be received without waiting for window updates.
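The whole procedure above (afl-network-server on the target, afl-fuzz with afl-network-client on the fuzzing master, the tcp_rmem check) wrapped in a small POSIX shell script, as an added example that is not part of afl-network-proxy. It assumes the AFL++ binaries are on PATH and the default 64kb map (MAP_SIZE=65536); /bin/target, port 1111 and TARGET-IP are placeholders exactly as in the README, while AFL_PROXY_ROLE and the 1000 ms timeout margin are this script's own choices.

```shell
#!/bin/sh
# Added example, not part of afl-network-proxy: wraps the README procedure
# (server on the target, afl-fuzz + afl-network-client on the master) in
# functions that derive the afl-fuzz timeout from the server timeout and
# check the tcp_rmem precondition before anything is launched.
# Assumptions: AFL++ binaries on PATH; MAP_SIZE defaults to the 65536-byte
# map mentioned above; /bin/target, port 1111 and TARGET-IP are placeholders.

MAP_SIZE="${MAP_SIZE:-65536}"
TCP_RMEM="${TCP_RMEM:-/proc/sys/net/ipv4/tcp_rmem}"

# Middle (default) value of tcp_rmem, i.e. the default TCP receive window.
tcp_rmem_default() {
    read -r lo def hi < "${1:-$TCP_RMEM}"
    printf '%s\n' "$def"
}

# Succeed only if the default window is larger than the map, so a full
# map can be received without waiting for window updates.
check_tcp_rmem() {
    map_size="$1"
    def=$(tcp_rmem_default "${2:-$TCP_RMEM}")
    [ "$def" -gt "$map_size" ]
}

# afl-fuzz -t value: server timeout plus 1000 ms, with the '+' suffix so
# afl-fuzz treats it as an upper bound and leaves real timeouts to the server.
client_timeout() {
    printf '%s+\n' "$(( $1 + 1000 ))"
}

# Command line for the target host: listen port, memory limit, timeout, target.
server_cmd() {
    port="$1"; mem="$2"; server_t="$3"; shift 3
    printf '%s\n' "afl-network-server -i $port -m $mem -t $server_t -- $*"
}

# Command line for the fuzzing master, timeout derived from the server's.
client_cmd() {
    in_dir="$1"; out_dir="$2"; server_t="$3"; host="$4"; port="$5"
    printf '%s\n' "afl-fuzz -i $in_dir -o $out_dir -t $(client_timeout "$server_t") -- afl-network-client $host $port"
}

# Launch only when a role is requested, e.g. AFL_PROXY_ROLE=server ./proxy.sh
case "${AFL_PROXY_ROLE:-}" in
    server)
        check_tcp_rmem "$MAP_SIZE" || { echo "tcp_rmem default <= MAP_SIZE=$MAP_SIZE, raise it first" >&2; exit 1; }
        eval "$(server_cmd 1111 25M 1000 /bin/target -f @@)"
        ;;
    master)
        check_tcp_rmem "$MAP_SIZE" || { echo "tcp_rmem default <= MAP_SIZE=$MAP_SIZE, raise it first" >&2; exit 1; }
        eval "$(client_cmd in out 1000 TARGET-IP 1111)"
        ;;
esac
```

Run it with AFL_PROXY_ROLE=server on the target and AFL_PROXY_ROLE=master on the fuzzing host; without a role it only defines the functions. If the check fails, raise the default receive window on that host with e.g. sysctl -w net.ipv4.tcp_rmem="4096 131072 6291456" (the middle value is the one that matters here) before starting either side.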
how to compile and install
make && sudo make install