diff options
| author | Dominik Maier <domenukk@gmail.com> | 2020-03-23 18:18:54 +0100 |
|---|---|---|
| committer | Dominik Maier <domenukk@gmail.com> | 2020-03-23 18:18:54 +0100 |
| commit | 77b81e7361f7286cc3e0174b87ae5facb9f1290d (patch) | |
| tree | 1289a776f96b7af6fed7b1c61509368de14aeb46 /examples | |
| parent | 83f925ccc9c871998f9d7a905387fd83f8e3f4af (diff) | |
| download | afl++-77b81e7361f7286cc3e0174b87ae5facb9f1290d.tar.gz | |
custom mutators might work again like this
Diffstat (limited to 'examples')
| -rw-r--r-- | examples/custom_mutators/custom_mutator_helpers.h | 74 | ||||
| -rw-r--r-- | examples/custom_mutators/example.c | 76 |
2 files changed, 100 insertions, 50 deletions
diff --git a/examples/custom_mutators/custom_mutator_helpers.h b/examples/custom_mutators/custom_mutator_helpers.h index 53ecf960..844ccf94 100644 --- a/examples/custom_mutators/custom_mutator_helpers.h +++ b/examples/custom_mutators/custom_mutator_helpers.h @@ -5,7 +5,9 @@ #include "types.h" #include <stdlib.h> -#define LIMIT_RAND(limit) (rand() % (limit)) +#define RAND_BELOW(limit) (rand() % (limit)) + +typedef struct{} afl_t; static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { @@ -13,13 +15,13 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { static s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; static s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; - switch (LIMIT_RAND(12)) { + switch (RAND_BELOW(12)) { case 0: { /* Flip a single bit somewhere. Spooky! */ - s32 bit_idx = ((LIMIT_RAND(end - begin) + begin) << 3) + LIMIT_RAND(8); + s32 bit_idx = ((RAND_BELOW(end - begin) + begin) << 3) + RAND_BELOW(8); out_buf[bit_idx >> 3] ^= 128 >> (bit_idx & 7); @@ -31,8 +33,8 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { /* Set byte to interesting value. */ - u8 val = interesting_8[LIMIT_RAND(sizeof(interesting_8))]; - out_buf[(LIMIT_RAND(end - begin) + begin)] = val; + u8 val = interesting_8[RAND_BELOW(sizeof(interesting_8))]; + out_buf[(RAND_BELOW(end - begin) + begin)] = val; break; @@ -44,19 +46,19 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 2) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 1) break; - switch (LIMIT_RAND(2)) { + switch (RAND_BELOW(2)) { case 0: *(u16 *)(out_buf + byte_idx) = - interesting_16[LIMIT_RAND(sizeof(interesting_16) >> 1)]; + interesting_16[RAND_BELOW(sizeof(interesting_16) >> 1)]; break; case 1: *(u16 *)(out_buf + byte_idx) = - SWAP16(interesting_16[LIMIT_RAND(sizeof(interesting_16) >> 1)]); + SWAP16(interesting_16[RAND_BELOW(sizeof(interesting_16) >> 1)]); break; } @@ -71,19 +73,19 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 4) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 3) break; - switch (LIMIT_RAND(2)) { + switch (RAND_BELOW(2)) { case 0: *(u32 *)(out_buf + byte_idx) = - interesting_32[LIMIT_RAND(sizeof(interesting_32) >> 2)]; + interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]; break; case 1: *(u32 *)(out_buf + byte_idx) = - SWAP32(interesting_32[LIMIT_RAND(sizeof(interesting_32) >> 2)]); + SWAP32(interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]); break; } @@ -98,19 +100,19 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 8) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 7) break; - switch (LIMIT_RAND(2)) { + switch (RAND_BELOW(2)) { case 0: *(u64 *)(out_buf + byte_idx) = - (s64)interesting_32[LIMIT_RAND(sizeof(interesting_32) >> 2)]; + (s64)interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]; break; case 1: *(u64 *)(out_buf + byte_idx) = - SWAP64((s64)interesting_32[LIMIT_RAND(sizeof(interesting_32) >> 2)]); + SWAP64((s64)interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]); break; } @@ -123,7 +125,7 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { /* Randomly subtract from byte. */ - out_buf[(LIMIT_RAND(end - begin) + begin)] -= 1 + LIMIT_RAND(ARITH_MAX); + out_buf[(RAND_BELOW(end - begin) + begin)] -= 1 + RAND_BELOW(ARITH_MAX); break; @@ -133,7 +135,7 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { /* Randomly add to byte. */ - out_buf[(LIMIT_RAND(end - begin) + begin)] += 1 + LIMIT_RAND(ARITH_MAX); + out_buf[(RAND_BELOW(end - begin) + begin)] += 1 + RAND_BELOW(ARITH_MAX); break; @@ -145,17 +147,17 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 2) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 1) break; - if (LIMIT_RAND(2)) { + if (RAND_BELOW(2)) { - *(u16 *)(out_buf + byte_idx) -= 1 + LIMIT_RAND(ARITH_MAX); + *(u16 *)(out_buf + byte_idx) -= 1 + RAND_BELOW(ARITH_MAX); } else { - u16 num = 1 + LIMIT_RAND(ARITH_MAX); + u16 num = 1 + RAND_BELOW(ARITH_MAX); *(u16 *)(out_buf + byte_idx) = SWAP16(SWAP16(*(u16 *)(out_buf + byte_idx)) - num); @@ -172,17 +174,17 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 2) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 1) break; - if (LIMIT_RAND(2)) { + if (RAND_BELOW(2)) { - *(u16 *)(out_buf + byte_idx) += 1 + LIMIT_RAND(ARITH_MAX); + *(u16 *)(out_buf + byte_idx) += 1 + RAND_BELOW(ARITH_MAX); } else { - u16 num = 1 + LIMIT_RAND(ARITH_MAX); + u16 num = 1 + RAND_BELOW(ARITH_MAX); *(u16 *)(out_buf + byte_idx) = SWAP16(SWAP16(*(u16 *)(out_buf + byte_idx)) + num); @@ -199,17 +201,17 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 4) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 3) break; - if (LIMIT_RAND(2)) { + if (RAND_BELOW(2)) { - *(u32 *)(out_buf + byte_idx) -= 1 + LIMIT_RAND(ARITH_MAX); + *(u32 *)(out_buf + byte_idx) -= 1 + RAND_BELOW(ARITH_MAX); } else { - u32 num = 1 + LIMIT_RAND(ARITH_MAX); + u32 num = 1 + RAND_BELOW(ARITH_MAX); *(u32 *)(out_buf + byte_idx) = SWAP32(SWAP32(*(u32 *)(out_buf + byte_idx)) - num); @@ -226,17 +228,17 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { if (end - begin < 4) break; - s32 byte_idx = (LIMIT_RAND(end - begin) + begin); + s32 byte_idx = (RAND_BELOW(end - begin) + begin); if (byte_idx >= end - 3) break; - if (LIMIT_RAND(2)) { + if (RAND_BELOW(2)) { - *(u32 *)(out_buf + byte_idx) += 1 + LIMIT_RAND(ARITH_MAX); + *(u32 *)(out_buf + byte_idx) += 1 + RAND_BELOW(ARITH_MAX); } else { - u32 num = 1 + LIMIT_RAND(ARITH_MAX); + u32 num = 1 + RAND_BELOW(ARITH_MAX); *(u32 *)(out_buf + byte_idx) = SWAP32(SWAP32(*(u32 *)(out_buf + byte_idx)) + num); @@ -253,7 +255,7 @@ static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) { why not. We use XOR with 1-255 to eliminate the possibility of a no-op. */ - out_buf[(LIMIT_RAND(end - begin) + begin)] ^= 1 + LIMIT_RAND(255); + out_buf[(RAND_BELOW(end - begin) + begin)] ^= 1 + RAND_BELOW(255); break; diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index 2787e218..560a5919 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -3,6 +3,7 @@ Written by Khaled Yakdan <yakdan@code-intelligence.de> Andrea Fioraldi <andreafioraldi@gmail.com> Shengtuo Hu <h1994st@gmail.com> + Dominik Maier <mail@dmnk.co> */ // You need to use -I /path/to/AFLplusplus/include @@ -12,6 +13,8 @@ #include <stdlib.h> #include <string.h> +#define DATA_SIZE (100) + static const char *commands[] = { "GET", @@ -20,12 +23,36 @@ static const char *commands[] = { }; -static size_t data_size = 100; -void afl_custom_init(unsigned int seed) { +typedef struct my_mutator { + + afl_t *afl; + // any additional data here! + +} my_mutator_t; + +/** + * Initialize this custom mutator + * + * @param[in] afl a pointer to the internal state object. Can be ignored for now. + * @param[in] seed A seed for this mutator - the same seed should always mutate in the same way. + * @return Pointer to the data object this custom mutator instance should use. + * There may be multiple instances of this mutator in one afl-fuzz run! + * Returns NULL on error. + */ +my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) { srand(seed); // needed also by surgical_havoc_mutate() + my_mutator_t *data = calloc(1, sizeof(my_mutator_t)); + if (!data) { + perror("afl_custom_init alloc"); + return NULL; + } + data->afl = afl; + + return data; + } /** @@ -33,6 +60,7 @@ void afl_custom_init(unsigned int seed) { * * (Optional for now. Required in the future) * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param[in] buf Pointer to input data to be mutated * @param[in] buf_size Size of input data * @param[in] add_buf Buffer containing the additional test case @@ -41,13 +69,14 @@ void afl_custom_init(unsigned int seed) { * produce data larger than max_size. * @return Size of the mutated output. */ -size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf, +size_t afl_custom_fuzz(my_mutator_t *data, uint8_t **buf, size_t buf_size, + uint8_t *add_buf, size_t add_buf_size, // add_buf can be NULL size_t max_size) { // Make sure that the packet size does not exceed the maximum size expected by // the fuzzer - size_t mutated_size = data_size <= max_size ? data_size : max_size; + size_t mutated_size = DATA_SIZE <= max_size ? DATA_SIZE : max_size; if (mutated_size > buf_size) *buf = realloc(*buf, mutated_size); @@ -59,10 +88,10 @@ size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf, // Mutate the payload of the packet int i; for (i = 0; i < 8; ++i) { - + // Randomly perform one of the (no len modification) havoc mutations surgical_havoc_mutate(mutated_out, 3, mutated_size); - + } return mutated_size; @@ -76,6 +105,7 @@ size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf, * (Optional) If this functionality is not needed, simply don't define this * function. * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param[in] buf Buffer containing the test case to be executed * @param[in] buf_size Size of the test case * @param[out] out_buf Pointer to the buffer containing the test case after @@ -83,7 +113,7 @@ size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf, * will release the memory after saving the test case. * @return Size of the output buffer after processing */ -size_t afl_custom_pre_save(uint8_t *buf, size_t buf_size, uint8_t **out_buf) { +size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf) { size_t out_buf_size; @@ -118,11 +148,12 @@ static int cur_step; * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param buf Buffer containing the test case * @param buf_size Size of the test case * @return The amount of possible iteration steps to trim the input */ -int afl_custom_init_trim(uint8_t *buf, size_t buf_size) { +int afl_custom_init_trim(my_mutator_t *data, uint8_t *buf, size_t buf_size) { // We simply trim once trimmming_steps = 1; @@ -146,12 +177,13 @@ int afl_custom_init_trim(uint8_t *buf, size_t buf_size) { * * (Optional) * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param[out] out_buf Pointer to the buffer containing the trimmed test case. * External library should allocate memory for out_buf. AFL++ will release * the memory after saving the test case. * @param[out] out_buf_size Pointer to the size of the trimmed test case */ -void afl_custom_trim(uint8_t **out_buf, size_t *out_buf_size) { +void afl_custom_trim(my_mutator_t *data, uint8_t **out_buf, size_t *out_buf_size) { *out_buf_size = trim_buf_size - 1; @@ -169,11 +201,12 @@ void afl_custom_trim(uint8_t **out_buf, size_t *out_buf_size) { * * (Optional) * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param success Indicates if the last trim operation was successful. * @return The next trim iteration index (from 0 to the maximum amount of * steps returned in init_trim) */ -int afl_custom_post_trim(int success) { +int afl_custom_post_trim(my_mutator_t *data, int success) { if (success) { @@ -192,6 +225,7 @@ int afl_custom_post_trim(int success) { * * (Optional) * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param[inout] buf Pointer to the input data to be mutated and the mutated * output * @param[in] buf_size Size of input data @@ -199,7 +233,7 @@ int afl_custom_post_trim(int success) { * not produce data larger than max_size. * @return Size of the mutated output. */ -size_t afl_custom_havoc_mutation(uint8_t **buf, size_t buf_size, +size_t afl_custom_havoc_mutation(my_mutator_t *data, uint8_t **buf, size_t buf_size, size_t max_size) { if (buf_size == 0) { @@ -223,9 +257,10 @@ size_t afl_custom_havoc_mutation(uint8_t **buf, size_t buf_size, * * (Optional) * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @return The probability (0-100). */ -uint8_t afl_custom_havoc_mutation_probability(void) { +uint8_t afl_custom_havoc_mutation_probability(my_mutator_t *data) { return 5; // 5 % @@ -236,11 +271,12 @@ uint8_t afl_custom_havoc_mutation_probability(void) { * * (Optional) * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param filename File name of the test case in the queue entry * @return Return True(1) if the fuzzer will fuzz the queue entry, and * False(0) otherwise. */ -uint8_t afl_custom_queue_get(const uint8_t *filename) { +uint8_t afl_custom_queue_get(my_mutator_t *data, const uint8_t *filename) { return 1; @@ -252,13 +288,25 @@ uint8_t afl_custom_queue_get(const uint8_t *filename) { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param filename_new_queue File name of the new queue entry * @param filename_orig_queue File name of the original queue entry */ -void afl_custom_queue_new_entry(const uint8_t *filename_new_queue, +void afl_custom_queue_new_entry(my_mutator_t *data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue) { /* Additional analysis on the original or new test case */ } +/** + * Deinitialize everything + * + * @param data The data ptr from afl_custom_init + */ +void afl_custom_deinit(my_mutator_t *data) { + + free(data); + +} + |