-rw-r--r--  README.md                 20
-rw-r--r--  docs/fuzzing_expert.md     7
m---------  qemu_mode/qemuafl          0
m---------  unicorn_mode/unicornafl    0
4 files changed, 22 insertions, 5 deletions
diff --git a/README.md b/README.md index db6a70b5..76ef8448 100644 --- a/README.md +++ b/README.md @@ -66,17 +66,29 @@ A common way to do this would be: make clean all 2. Get a small but valid input file that makes sense to the program. -When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](../dictionaries/README.md), too. +When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described +in [dictionaries/README.md](../dictionaries/README.md), too. 3. If the program reads from stdin, run `afl-fuzz` like so: - ./afl-fuzz -i testcase_dir -o findings_dir -- \ - /path/to/tested/program [...program's cmdline...] +``` + ./afl-fuzz -i seeds_dir -o output_dir -- \ + /path/to/tested/program [...program's cmdline...] +``` - If the program takes input from a file, you can put `@@` in the program's command line; AFL will put an auto-generated file name in there for you. + To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz. + + If the program takes input from a file, you can put `@@` in the program's + command line; AFL will put an auto-generated file name in there for you. 4. Investigate anything shown in red in the fuzzer UI by promptly consulting [docs/status_screen.md](docs/status_screen.md). +5. You will find found crashes and hangs in the subdirectories `crashes/` and + `hangs/` in the `-o output_dir` directory. You can replay the crashes by + feeding them to the target, e.g.: + `cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]` + You can generate cores or use gdb directly to follow up the crashes. + ## Contact Questions? Concerns? Bug reports? diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 7695e21f..ca884159 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md 
@@ -540,6 +540,11 @@ To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/` If you have multiple servers then use the command after a sync, or you have to execute this script per server. +Another tool to inspect the current state and history of a specific instance +is afl-plot, which generates an index.html file and a graphs that show how +the fuzzing instance is performing. +The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot` + #### e) Stopping fuzzing, restarting fuzzing, adding new seeds To stop an afl-fuzz run, simply press Control-C. @@ -620,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns. If you want to know more, the tons of texts in [docs/](./) will have you covered. Note that there are also a lot of tools out there that help fuzzing with AFL++ -(some might be deprecated or unsupported), see [links_tools.md](links_tools.md). \ No newline at end of file +(some might be deprecated or unsupported), see [links_tools.md](links_tools.md). diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl -Subproject 86dead4dcb1aae7181fbf6b5f3706eee9f842e3 +Subproject a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl -Subproject 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f9 +Subproject c0e03d2c6b55a22025324f121746b41b1e756fb |
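Review bot: In the new step 5 of the README hunk, the replay command `cat output_dir/crashes/id:000000,* | /path/to/tested/program [...]` only works for targets that read from stdin, while step 3 in the same hunk also covers targets that take their input through `@@`; for those the crash file has to be passed as the argument instead (e.g. `/path/to/tested/program output_dir/crashes/id:000000,*`), so add that second form. The path also disagrees with the afl-plot example added to docs/fuzzing_expert.md in this same commit, which points at the instance directory `out/default`: if crashes land under `output_dir/default/crashes/` as that example suggests, `output_dir/crashes/` will not exist for a plain `-o output_dir` run, and the two pages should agree. Minor: "You will find found crashes and hangs" should read "You will find crashes and hangs", and the code fence added around the `./afl-fuzz` command sits at column 0 inside list item 3, which ends that list item, so the indented dictionary and `@@` paragraphs that follow no longer belong to it; indent the fence to match them.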
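Review bot: In the afl-plot paragraph, "generates an index.html file and a graphs that show" should be "generates an index.html file and graphs that show", and the syntax sentence has no terminating period. Since the preceding paragraph shows `afl-whatsup -s out/` taking the `-o` directory while the new example `afl-plot out/default /srv/www/htdocs/plot` takes a single instance directory, say explicitly that afl-plot's first argument is one instance directory (the `default` instance, or the `-M`/`-S` name), not the `-o` directory, so readers do not pass `out/` by analogy with afl-whatsup.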
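Review bot: The qemuafl and unicornafl submodule pointers are bumped (86dead4... to a6758d1..., 1c47d1e... to c0e03d2...) in the same commit as the documentation wording changes, and nothing on this page says what the new revisions bring in. A submodule bump changes what qemu_mode and unicorn_mode build from, so it should be a separate commit, or at least be called out in the commit message with the reason for the update, rather than travelling with README edits.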