
Comments (2)

ivanfratric commented on July 24, 2024

Hi,

I've never tried to fuzz anything that receives input over network with WinAFL but it might be doable with a few tweaks.

First of all, familiarize yourself with how WinAFL works, see "How does my target run under WinAFL" in README.

I think the tricky part in this case is getting a new input (generated by WinAFL) in your parsing function for every iteration.

One way to do it would be to create a custom binary that reads a file and feeds it to your parsing function (note: this all needs to be inside the same process). If you can do this you can fuzz it with WinAFL out of the box.

Another approach, in case your target program can handle multiple connections without restarting the process, could work like this:

  1. WinAFL generates input
  2. Your python script reads it, opens a connection to the target and sends the file content
  3. WinAFL runs the parsing function and reports the coverage

In order for this to work you'd need to modify the WinAFL code and remove all the code used to run the target function in a loop (because if your parsing function runs in a loop your target will never accept new connections). Specifically see pre_fuzz_handler and post_fuzz_handler in winafl.c

Another tricky part here would be figuring out when your target is done with one iteration so you can open a new connection. But perhaps your target has some mechanism to keep track of that (e.g. a previous connection got closed)

I'm sure there are other things I'm forgetting but hopefully this is sufficient to get you started.


mxmssh commented on July 24, 2024

I also want to do fuzz testing of a network application. The first option you mentioned above will not work in my case.
The second approach looks reasonable to me but I don't understand several things:

  1. "WinAFL generates input" (ok)
  2. "Your python script reads it ..." Could we just implement this step in WinAFL using raw sockets?
  3. "WinAFL runs the parsing function and reports the coverage. In order for this to work you'd need to modify the WinAFL code and remove all the code used to run the target function in a loop (because if your parsing function runs in a loop your target will never accept new connections)..." In my case (and I guess in many other cases) an application handles network data in the following way:
     1. Function A listens for the incoming network packets (UDP protocol, `recvfrom` function is used).
     2. Function A receives a network packet.
     3. Function A calls function B (parser) and passes the network packet as an argument to function B.
     4. Function B parses the network packet.
     5. Function B returns to function A.
     6. Function A listens for the next incoming packet.

I want to do fuzzing of function B and I can run it in a loop. In my case, network input and file input can be considered the same thing (instead of fopen/CreateFile we have recv/recvfrom). Thus, WinAFL probably can work the same way it works now for file-based fuzzing. Am I right or am I missing something important?

Probably I am wrong at some point. Of course it requires a lot of modifications to WinAFL, which is ok with me.

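The following harness is an added example, not code from this issue thread or from the WinAFL project. It shows the shape of ivanfratric's first option and of the "function A / function B" split mxmssh describes: the real program's function A fills a buffer from `recvfrom()` and calls the parser (function B); the harness fills the same buffer from a file that WinAFL generated and calls the parser directly, in the same process. The packet format, the function names `parse_packet` and `fuzz_packet_file`, and the return codes are all assumptions made for the example. What is taken from the WinAFL README is the contract for the target function: it opens the input file, parses it, closes the file and returns normally, so that WinAFL can call it repeatedly with new inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PACKET 512

/* Constructed toy datagram format (an assumption for this example, not the
 * issue author's protocol): byte 0 = message type, byte 1 = payload length,
 * bytes 2.. = payload. Type 1 is an "echo request" carrying a short name,
 * type 2 is a keepalive with no payload. */

/* "Function B": the parser we want under coverage. In the real program
 * "function A" calls this with the buffer filled by recvfrom(); the harness
 * below calls it with the buffer filled from a file instead. */
int parse_packet(const uint8_t *pkt, size_t len)
{
    if (len < 2)
        return -1;                       /* header incomplete */
    uint8_t type = pkt[0];
    size_t payload_len = pkt[1];
    if (payload_len > len - 2)
        return -2;                       /* declared length exceeds what was received */

    if (type == 1) {
        char name[64];
        if (payload_len >= sizeof name)
            return -3;                   /* would not fit together with the terminator */
        memcpy(name, pkt + 2, payload_len);
        name[payload_len] = '\0';
        return name[0] != '\0' ? 0 : -4; /* empty name is a protocol error */
    }
    if (type == 2)
        return 0;                        /* keepalive: nothing to parse */
    return -5;                           /* unknown type */
}

/* WinAFL target function: read one input file and hand it to parse_packet()
 * in the same process. Point -target_method (or -target_offset) at this
 * function; WinAFL then re-runs it for every generated input, so it must
 * open, read and close the file itself each time and keep no state. */
int fuzz_packet_file(const char *path)
{
    uint8_t buf[MAX_PACKET];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -100;                     /* input missing: report, do not crash */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return parse_packet(buf, n);
}

/* Write one constructed datagram to disk and run it through the harness,
 * mirroring what WinAFL does with each mutated input. Used for self-test. */
int roundtrip_sample(const char *path)
{
    static const uint8_t sample[] = { 1, 5, 'h', 'e', 'l', 'l', 'o' };
    FILE *f = fopen(path, "wb");
    if (!f)
        return -101;
    fwrite(sample, 1, sizeof sample, f);
    fclose(f);
    int rc = fuzz_packet_file(path);
    remove(path);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input file>\n", argv[0]);
        return 1;
    }
    printf("parse_packet returned %d\n", fuzz_packet_file(argv[1]));
    return 0;
}
```

The point of the `-2` check is the one a harness of this kind tends to expose: the parser must trust the byte count actually received (`n` from `fread`, `recvfrom`'s return value in the real program), never the length field inside the packet. Any state the real function A sets up before calling function B (session tables, allocated buffers) has to be created once before the target function and left untouched by it, otherwise the per-iteration loop leaks or corrupts it.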
