Diffstat (limited to 'examples')
-rw-r--r-- | examples/README.md | 8 | ||||
-rw-r--r-- | examples/custom_mutators/Makefile | 7 | ||||
-rw-r--r-- | examples/custom_mutators/example.c | 33 | ||||
-rw-r--r-- | examples/custom_mutators/example.py | 19 |
4 files changed, 37 insertions, 30 deletions
diff --git a/examples/README.md b/examples/README.md index 37fae1a0..6c09caeb 100644 --- a/examples/README.md +++ b/examples/README.md @@ -3,8 +3,6 @@ Here's a quick overview of the stuff you can find in this directory: - custom_mutstors - An example custom mutator - - - python_mutators - Python mutators examples - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed (e.g., to test setuid programs). @@ -15,8 +13,8 @@ Here's a quick overview of the stuff you can find in this directory: - bash_shellshock - a simple hack used to find a bunch of post-Shellshock bugs in bash. - - canvas_harness - a test harness used to find browser bugs with a - corpus generated using simple image parsing + - canvas_harness - a test harness used to find browser bugs with a + corpus generated using simple image parsing binaries & afl-fuzz. - clang_asm_normalize - a script that makes it easy to instrument @@ -34,7 +32,7 @@ Here's a quick overview of the stuff you can find in this directory: mode to speed up certain fuzzing jobs. - post_library - an example of how to build postprocessors for AFL. - + - socket_fuzzing - a LD_PRELOAD library 'redirects' a socket to stdin for fuzzing access with afl++ diff --git a/examples/custom_mutators/Makefile b/examples/custom_mutators/Makefile index a83e87fe..463cefb1 100644 --- a/examples/custom_mutators/Makefile +++ b/examples/custom_mutators/Makefile @@ -1,2 +1,7 @@ -all: +all: libexamplemutator.so + +libexamplemutator.so: $(CC) $(CFLAGS) -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so + +clean: + rm -rf libexamplemutator.so diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index a9764f5b..c8200b26 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c 
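Review bot: The new `libexamplemutator.so:` target in the Makefile hunk has no prerequisites, so once the library exists `make` treats it as up to date and later edits to example.c are never rebuilt; the rule should read `libexamplemutator.so: example.c`. `all` and `clean` are phony targets and should be declared as such, `.PHONY: all clean`, so a stray file with either name cannot shadow them. `rm -rf` on a single regular file is stronger than needed; `rm -f libexamplemutator.so` suffices. The diff lines of this section are collapsed onto one line, so the rule structure above is read from the hunk header counts.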
@@ -142,32 +142,25 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
 size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
                            uint8_t **out_buf) {
 
-  if (data->pre_save_size < buf_size + 5) {
+  uint8_t *pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5);
+  if (!pre_save_buf) {
 
-    data->pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5);
-    if (!data->pre_save_buf) {
-
-      perror("custom mutator realloc failed.");
-      *out_buf = NULL;
-      return 0;
-
-    }
-
-    data->pre_save_size = buf_size + 5;
+    perror("custom mutator realloc failed.");
+    *out_buf = NULL;
+    return 0;
 
   }
 
-  *out_buf = data->pre_save_buf;
+  memcpy(pre_save_buf + 5, buf, buf_size);
+  pre_save_buf[0] = 'A';
+  pre_save_buf[1] = 'F';
+  pre_save_buf[2] = 'L';
+  pre_save_buf[3] = '+';
+  pre_save_buf[4] = '+';
 
-  memcpy(*out_buf + 5, buf, buf_size);
-  size_t out_buf_size = buf_size + 5;
-  *out_buf[0] = 'A';
-  *out_buf[1] = 'F';
-  *out_buf[2] = 'L';
-  *out_buf[3] = '+';
-  *out_buf[4] = '+';
+  *out_buf = pre_save_buf;
 
-  return out_buf_size;
+  return buf_size + 5;
 
 }
 
diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py
index 6bacfa05..9e95eed6 100644
--- a/examples/custom_mutators/example.py
+++ b/examples/custom_mutators/example.py
@@ -17,6 +17,13 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.
 import random
 
+COMMANDS = [
+    b"GET",
+    b"PUT",
+    b"DEL",
+]
+
+
 def init(seed):
     '''
     Called once when AFLFuzz starts up. Used to seed our RNG.
@@ -27,6 +34,10 @@ def init(seed):
     random.seed(seed)
 
+def deinit():
+    pass
+
+
 def fuzz(buf, add_buf, max_size):
     '''
     Called per fuzzing iteration.
@@ -44,8 +55,9 @@ def fuzz(buf, add_buf, max_size):
     @rtype: bytearray
     @return: A new bytearray containing the mutated data
     '''
-    ret = bytearray(buf)
-    # Do something interesting with ret
+    ret = bytearray(100)
+
+    ret[:3] = random.choice(COMMANDS)
 
     return ret
 
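Review bot: The 5-byte prefix length is hard-coded three times in the new afl_custom_pre_save body (the maybe_grow request, the memcpy offset and the return value) and nothing says what those bytes are; a single named constant, `#define PRE_SAVE_HDR_LEN 5`, used in all three places would keep them from drifting apart, and a header comment stating that the function prepends "AFL++" to buf before it is written out and returns the new length, or 0 with *out_buf set to NULL when the buffer cannot be grown, would document the contract callers rely on. `perror("custom mutator realloc failed.")` is only informative if maybe_grow leaves errno set by the failed realloc; if it does not, the message prints a stale errno, so either confirm that or switch to a plain `fputs("custom mutator realloc failed.\n", stderr);`. The memcpy is also reached with buf_size == 0, which is undefined if buf is NULL in that case; a guard such as `if (buf_size) memcpy(pre_save_buf + 5, buf, buf_size);` avoids relying on the caller. The whole function lies inside the hunk.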
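Review bot: `ret = bytearray(100)` in the fuzz hunk ignores both `buf` and `max_size`, so the example now returns a fixed 100-byte buffer whatever bound the caller passes; if max_size is the upper limit on the returned size, as its name suggests, the example breaks that contract whenever it is below 100. A one-line clamp, `ret = bytearray(min(100, max_size))`, keeps it within bounds, and since `ret[:3] = random.choice(COMMANDS)` grows the array by slice assignment when it is shorter than 3 bytes, either guard that or state in the docstring that max_size is assumed to be at least 100; the docstring describing the parameters starts above the hunk. The added `deinit` is the only hook in the file without a docstring; a one-liner such as `'''Called once when AFLFuzz shuts down; nothing to release here.'''` matches the style of init above it.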
@@ -164,11 +176,10 @@ def fuzz(buf, add_buf, max_size): # ''' # Called after adding a new test case to the queue # -# @type filename_new_queue: str +# @type filename_new_queue: str # @param filename_new_queue: File name of the new queue entry # # @type filename_orig_queue: str # @param filename_orig_queue: File name of the original queue entry # ''' # pass - |