Loading extra dictionary fails about winafl HOT 4 CLOSED

You might be able to work around this by injecting them into a resumed session.
I don't think it will matter much if this is done early in the fuzzing process.

1. quickly run a session and generate the output directory structure
2. place the raw tokens as separate files in \o\queue.state\auto_extras
3. rename the files with this batch script if necessary:

@echo off
SET COUNT=0
setlocal EnableDelayedExpansion
SET PREFIX=auto
FOR /f "tokens=*" %%G IN ('dir /b *') DO (call :renum "%%G")
GOTO :eof

:renum
 set "formattedValue=000000%count%"
 ren %1 %PREFIX%_!formattedValue:~-6!
 set /a count+=1
 GOTO :eof

4. resume the session by specifying a dash instead of an input dir ( e.g. "-o ./outdir -i - ")

don't forget to back up your results often

from winafl.

Admittedly I didn't do a lot of testing with dictionaries because I didn't use them myself so it's possible there are bugs with this. I'll take a look at this when I can find some spare cycles. Meanwhile, If you can point out the bug in the code it would be highly appreciated.

@mrpeppels or anyone else - Was -x working for you?

from winafl.

There are two bugs.

The first is in the load_extras function in afl-fuzz.c

It uses in_dir instead of dir

Actual:

static void load_extras(u8* dir) {

  WIN32_FIND_DATA fdata;
  HANDLE h;
  u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
  u8* x;
  char *pattern;

  if(in_dir[strlen(in_dir)-1] == '\\') {
    pattern = alloc_printf("%s*", in_dir);
  } else {
    pattern = alloc_printf("%s\\*", in_dir);
  }...

Fixed:

static void load_extras(u8* dir) {

  WIN32_FIND_DATA fdata;
  HANDLE h;
  u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
  u8* x;
  char *pattern;

  if(dir[strlen(dir)-1] == '\\') {
    pattern = alloc_printf("%s*", dir);
  } else {
    pattern = alloc_printf("%s\\*", dir);
  }...

The second bug is the MAX_DICT_FILE which is too litle -> By increasing this constant allows you to read dictionary files greater than 128 Bytes ;-)

from winafl.

Awesome! Thanks for spotting this! I had to change directory listing in several places due to different APIs on Linux and Windows and I must have copy-pasted this from another place and forgot to change the variable name. I just released the updated version with the fix.

MAX_DICT_FILE is the same as in linux AFL and I think it might be deliberate to limit the maximum size of a dictionary token.

from winafl.