path: root/examples/bash_shellshock/shellshock-fuzz.diff
Diffstat (limited to 'examples/bash_shellshock/shellshock-fuzz.diff')
-rw-r--r--examples/bash_shellshock/shellshock-fuzz.diff59
1 files changed, 0 insertions, 59 deletions
diff --git a/examples/bash_shellshock/shellshock-fuzz.diff b/examples/bash_shellshock/shellshock-fuzz.diff
deleted file mode 100644
index 3fa05bf8..00000000
--- a/examples/bash_shellshock/shellshock-fuzz.diff
+++ /dev/null
@@ -1,59 +0,0 @@
-This patch shows a very simple way to find post-Shellshock bugs in bash, as
-discussed here:
-
-  http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
-
-In essence, it shows a way to fuzz environmental variables. Instructions:
-
-1) Download bash 4.3, apply this patch, compile with:
-
-   CC=/path/to/afl-gcc ./configure
-   make clean all
-
-   Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
-   Florian's Shellshock patch (bash43-028), this is no longer passed down
-   to the parser.
-
-2) Create and cd to an empty directory, put the compiled bash binary in
-   there, and run these commands:
-
-   mkdir in_dir
-   echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt
-
-3) Run the fuzzer with:
-
-   /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :
-
-   The -d parameter is advisable only if the tested shell is fairly slow
-   or if you are in a hurry; will cover more ground faster, but
-   less systematically.
-
-4) Watch for crashes in out_dir/crashes/. Also watch for any new files
-   created in cwd if you're interested in non-crash RCEs (files will be
-   created whenever the shell executes "foo>bar" or something like
-   that). You can correlate their creation date with new entries in
-   out_dir/queue/.
-
-   You can also modify the bash binary to directly check for more subtle
-   fault conditions, or use the synthesized entries in out_dir/queue/
-   as a seed for other, possibly slower or more involved testing regimes.
-
-   Expect several hours to get decent coverage.
-
---- bash-4.3/shell.c.orig	2014-01-14 14:04:32.000000000 +0100
-+++ bash-4.3/shell.c	2015-04-30 05:56:46.000000000 +0200
-@@ -371,6 +371,14 @@
-   env = environ;
- #endif /* __OPENNT */
- 
-+  {
-+
-+    static char val[1024 * 16];
-+    read(0, val, sizeof(val) - 1);
-+    setenv("TEST_VARIABLE", val, 1);
-+
-+  }
-+
-   USE_VAR(argc);
-   USE_VAR(argv);
-   USE_VAR(env);
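Review bot: this hunk removes the only in-tree description of the TEST_VARIABLE harness (the numbered instructions at -16 to -56 and the shell.c snippet at -58 to -74), but neither the hunk nor the diffstat says whether the harness was retired or relocated; add a short pointer (a README line under examples/bash_shellshock/ or a note in the commit message) to where the instructions now live, so readers arriving from the linked lcamtuf post can still find them. If the snippet survives elsewhere, it is worth carrying over a comment that `read(0, val, sizeof(val) - 1);` discards the byte count and relies on the static `val[1024 * 16]` being zero-initialized for NUL termination, since the harness is presented as something users paste into shell.c themselves.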