aboutsummaryrefslogtreecommitdiff
path: root/experimental
diff options
context:
space:
mode:
Diffstat (limited to 'experimental')
-rw-r--r--experimental/argv_fuzzing/Makefile5
-rw-r--r--experimental/argv_fuzzing/argv-fuzz-inl.h28
-rw-r--r--experimental/persistent_demo/persistent_demo.c15
-rw-r--r--experimental/post_library/post_library.so.c11
-rw-r--r--experimental/post_library/post_library_png.so.c5
-rw-r--r--experimental/socket_fuzzing/Makefile35
-rw-r--r--experimental/socket_fuzzing/README.md11
-rw-r--r--experimental/socket_fuzzing/socketfuzz.c90
8 files changed, 178 insertions, 22 deletions
diff --git a/experimental/argv_fuzzing/Makefile b/experimental/argv_fuzzing/Makefile
index a8858a39..25b6f1f6 100644
--- a/experimental/argv_fuzzing/Makefile
+++ b/experimental/argv_fuzzing/Makefile
@@ -23,12 +23,13 @@ LDFLAGS = -shared -ldl
all: argvfuzz32.so argvfuzz64.so
argvfuzz32.so: argvfuzz.c
- $(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
+ -$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
argvfuzz64.so: argvfuzz.c
- $(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+ -$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
install: argvfuzz32.so argvfuzz64.so
+ install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/
diff --git a/experimental/argv_fuzzing/argv-fuzz-inl.h b/experimental/argv_fuzzing/argv-fuzz-inl.h
index 5d411046..6b9be654 100644
--- a/experimental/argv_fuzzing/argv-fuzz-inl.h
+++ b/experimental/argv_fuzzing/argv-fuzz-inl.h
@@ -17,7 +17,7 @@
#include "/path/to/argv-fuzz-inl.h"
- ...to the file containing main(), ideally placing it after all the
+ ...to the file containing main(), ideally placing it after all the
standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of
main().
@@ -36,12 +36,20 @@
#include <unistd.h>
-#define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0)
+#define AFL_INIT_ARGV() \
+ do { \
+ \
+ argv = afl_init_argv(&argc); \
+ \
+ } while (0)
-#define AFL_INIT_SET0(_p) do { \
+#define AFL_INIT_SET0(_p) \
+ do { \
+ \
argv = afl_init_argv(&argc); \
- argv[0] = (_p); \
- if (!argc) argc = 1; \
+ argv[0] = (_p); \
+ if (!argc) argc = 1; \
+ \
} while (0)
#define MAX_CMDLINE_LEN 100000
@@ -53,9 +61,9 @@ static char** afl_init_argv(int* argc) {
static char* ret[MAX_CMDLINE_PAR];
char* ptr = in_buf;
- int rc = 0;
+ int rc = 0;
- if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0);
+ if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {}
while (*ptr) {
@@ -63,7 +71,8 @@ static char** afl_init_argv(int* argc) {
if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
rc++;
- while (*ptr) ptr++;
+ while (*ptr)
+ ptr++;
ptr++;
}
@@ -77,4 +86,5 @@ static char** afl_init_argv(int* argc) {
#undef MAX_CMDLINE_LEN
#undef MAX_CMDLINE_PAR
-#endif /* !_HAVE_ARGV_FUZZ_INL */
+#endif /* !_HAVE_ARGV_FUZZ_INL */
+
diff --git a/experimental/persistent_demo/persistent_demo.c b/experimental/persistent_demo/persistent_demo.c
index a94c8374..d8d59905 100644
--- a/experimental/persistent_demo/persistent_demo.c
+++ b/experimental/persistent_demo/persistent_demo.c
@@ -28,12 +28,11 @@
#include <signal.h>
#include <string.h>
-
/* Main entry point. */
int main(int argc, char** argv) {
- ssize_t len; /* how much input did we read? */
+ ssize_t len; /* how much input did we read? */
char buf[100]; /* Example-only buffer, you'd replace it with other global or
local variables appropriate for your use case. */
@@ -64,21 +63,28 @@ int main(int argc, char** argv) {
We just have some trivial inline code that faults on 'foo!'. */
/* do we have enough data? */
- if (len < 4)
- return 0;
+ if (len < 4) return 0;
if (buf[0] == 'f') {
+
printf("one\n");
if (buf[1] == 'o') {
+
printf("two\n");
if (buf[2] == 'o') {
+
printf("three\n");
if (buf[3] == '!') {
+
printf("four\n");
abort();
+
}
+
}
+
}
+
}
/*** END PLACEHOLDER CODE ***/
@@ -92,3 +98,4 @@ int main(int argc, char** argv) {
return 0;
}
+
diff --git a/experimental/post_library/post_library.so.c b/experimental/post_library/post_library.so.c
index 048eea70..90d45e3f 100644
--- a/experimental/post_library/post_library.so.c
+++ b/experimental/post_library/post_library.so.c
@@ -21,9 +21,9 @@
in the targeted binary (as shown in ../libpng_no_checksum/). One possible
exception is the process of fuzzing binary-only software in QEMU mode.
- 2) The use of postprocessors for anything other than checksums is questionable
- and may cause more harm than good. AFL is normally pretty good about
- dealing with length fields, magic values, etc.
+ 2) The use of postprocessors for anything other than checksums is
+ questionable and may cause more harm than good. AFL is normally pretty good
+ about dealing with length fields, magic values, etc.
3) Postprocessors that do anything non-trivial must be extremely robust to
gracefully handle malformed data and other error conditions - otherwise,
@@ -77,10 +77,10 @@
/* The actual postprocessor routine called by afl-fuzz: */
const unsigned char* afl_postprocess(const unsigned char* in_buf,
- unsigned int* len) {
+ unsigned int* len) {
static unsigned char* saved_buf;
- unsigned char* new_buf;
+ unsigned char* new_buf;
/* Skip execution altogether for buffers shorter than 6 bytes (just to
show how it's done). We can trust *len to be sane. */
@@ -117,3 +117,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
return new_buf;
}
+
diff --git a/experimental/post_library/post_library_png.so.c b/experimental/post_library/post_library_png.so.c
index 6ba95c1a..093c6022 100644
--- a/experimental/post_library/post_library_png.so.c
+++ b/experimental/post_library/post_library_png.so.c
@@ -36,13 +36,13 @@
#define UP4K(_i) ((((_i) >> 12) + 1) << 12)
const unsigned char* afl_postprocess(const unsigned char* in_buf,
- unsigned int* len) {
+ unsigned int* len) {
static unsigned char* saved_buf;
static unsigned int saved_len;
unsigned char* new_buf = (unsigned char*)in_buf;
- unsigned int pos = 8;
+ unsigned int pos = 8;
/* Don't do anything if there's not enough room for the PNG header
(8 bytes). */
@@ -111,3 +111,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
return new_buf;
}
+
diff --git a/experimental/socket_fuzzing/Makefile b/experimental/socket_fuzzing/Makefile
new file mode 100644
index 00000000..b4ed9456
--- /dev/null
+++ b/experimental/socket_fuzzing/Makefile
@@ -0,0 +1,35 @@
+#
+# american fuzzy lop++ - socket_fuzz
+# ----------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX ?= /usr/local
+BIN_PATH = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared -ldl
+
+all: socketfuzz32.so socketfuzz64.so
+
+socketfuzz32.so: socketfuzz.c
+ -$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
+
+socketfuzz64.so: socketfuzz.c
+ -$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+
+install: socketfuzz32.so socketfuzz64.so
+ install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+ if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+ install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+
+clean:
+ rm -f socketfuzz32.so socketfuzz64.so
diff --git a/experimental/socket_fuzzing/README.md b/experimental/socket_fuzzing/README.md
new file mode 100644
index 00000000..79f28bea
--- /dev/null
+++ b/experimental/socket_fuzzing/README.md
@@ -0,0 +1,11 @@
+# socketfuzz
+
+when you want to fuzz a network service and you can not/do not want to modify
+the source (or just have a binary), then this LD_PRELOAD library will allow
+for sending input to stdin which the target binary will think is coming from
+a network socket.
+
+This is desock_dup.c from the amazing preeny project
+https://github.com/zardus/preeny
+
+It is packaged in afl++ to have it at hand if needed
diff --git a/experimental/socket_fuzzing/socketfuzz.c b/experimental/socket_fuzzing/socketfuzz.c
new file mode 100644
index 00000000..bd6b68ff
--- /dev/null
+++ b/experimental/socket_fuzzing/socketfuzz.c
@@ -0,0 +1,90 @@
+/*
+ * This is desock_dup.c from the amazing preeny project
+ * https://github.com/zardus/preeny
+ *
+ * It is packaged in afl++ to have it at hand if needed
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h> //
+#include <sys/socket.h> //
+#include <sys/stat.h> //
+#include <fcntl.h> //
+#include <netinet/in.h>
+#include <pthread.h>
+#include <signal.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <stdio.h>
+#include <poll.h>
+//#include "logging.h" // switche from preeny_info() to fprintf(stderr, "Info: "
+
+//
+// originals
+//
+int (*original_close)(int);
+int (*original_dup2)(int, int);
+__attribute__((constructor)) void preeny_desock_dup_orig() {
+
+ original_close = dlsym(RTLD_NEXT, "close");
+ original_dup2 = dlsym(RTLD_NEXT, "dup2");
+
+}
+
+int close(int sockfd) {
+
+ if (sockfd <= 2) {
+
+ fprintf(stderr, "Info: Disabling close on %d\n", sockfd);
+ return 0;
+
+ } else {
+
+ return original_close(sockfd);
+
+ }
+
+}
+
+int dup2(int old, int new) {
+
+ if (new <= 2) {
+
+ fprintf(stderr, "Info: Disabling dup from %d to %d\n", old, new);
+ return 0;
+
+ } else {
+
+ return original_dup2(old, new);
+
+ }
+
+}
+
+int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
+
+ fprintf(stderr, "Info: Emulating accept on %d\n", sockfd);
+ return 0;
+
+}
+
+int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+
+ fprintf(stderr, "Info: Emulating bind on port %d\n",
+ ntohs(((struct sockaddr_in *)addr)->sin_port));
+ return 0;
+
+}
+
+int listen(int sockfd, int backlog) {
+
+ return 0;
+
+}
+
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-24 11:53:22 +0000