From 6fe38b2138ed993f3af28fc5ab92fda8f7542ef7 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:39:47 +0100 Subject: argv fuzz persistent --- utils/argv_fuzzing/argv_fuzz_demo.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 utils/argv_fuzzing/argv_fuzz_demo.c (limited to 'utils/argv_fuzzing/argv_fuzz_demo.c') diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c new file mode 100644 index 00000000..f4375316 --- /dev/null +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -0,0 +1,16 @@ +#include +#include +#include "argv-fuzz-inl.h" + +int main(int argc, char **argv) { +AFL_INIT_ARGV(); + if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { + abort(); + } + } else { + printf("Bad number of arguments!\n"); + } + + return 0; +} \ No newline at end of file -- cgit 1.4.1 From 3d031f93a6366ee157cfd9a27fbb6d485d328d8e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 16:15:52 +0100 Subject: update --- utils/argv_fuzzing/argv_fuzz_demo.c | 9 ++++++++- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 23 ++++++++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) (limited to 'utils/argv_fuzzing/argv_fuzz_demo.c') diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index f4375316..5fe4d704 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c 
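Review bot: The outer guard `argc > 1` still admits argc == 2, and the inner `strcmp(argv[2], "TEST2")` then reads argv[2]; for a process-supplied argv that slot is the terminating NULL and strcmp dereferences it, so the single argument `XYZ` crashes with a segfault instead of reaching the intended abort() — a spurious second crash class for a demo whose point is one deliberate abort. The guard should read `if (argc > 2 && strcmp(argv[1], "XYZ") == 0) {`. When argv is instead built by AFL_INIT_ARGV() the slot presumably comes from the helper's static array and may read as NULL, but I have not verified what the helper leaves past the last parsed argument. The later hunks of argv_fuzz_demo.c and argv_fuzz_persistent_demo.c in this series carry the same condition forward unchanged.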
@@ -3,7 +3,14 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { -AFL_INIT_ARGV(); + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool + AFL_INIT_ARGV(); + + /* Check the number of command line arguments and + compare the values of the first two arguments to specific strings. + If the number of arguments is not correct or the values do not match, + an error message is printed. If the values do match, the program + calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 1e96ade1..a96cf1fe 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c 
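Review bot: The new block comment claims that "if ... the values do not match, an error message is printed", but the `else` two lines below belongs to the outer `if`, so an input whose first argument is `XYZ` and whose second is anything other than `TEST2` prints nothing and returns 0; only the argc/first-argument check falls through to the message. I would shorten the comment to what the code does, e.g. `/* Abort when argv[1] is "XYZ" and argv[2] is "TEST2"; print a message only when the first check fails. */`. The same wording is repeated in the persistent demo hunk later in this series ("Otherwise, print an error message.") and should be corrected there too. The function body continues past the end of this hunk.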
@@ -1,28 +1,49 @@ +/* +This file contains a simple fuzzer for testing command line argument parsing +using persistent mode. +*/ + #include #include #include "argv-fuzz-inl.h" __AFL_FUZZ_INIT(); +/* The main function is an entry point for a program. + The argc parameter is an integer that indicates the number of arguments + passed to the program. The argv parameter is an array of character pointers, + with each element pointing to a null-terminated string that represents + one of the arguments. + */ int main(int argc, char **argv) { #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + /* __AFL_LOOP() limits the maximum number of iterations before exiting + the loop and allowing the program to terminate. It protects against + accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { int len = __AFL_FUZZ_TESTCASE_LEN; + // Check that the length of the test case is at least 8 bytes if (len < 8) continue; + // Initialize the command line arguments using the testcase buffer AFL_INIT_ARGV_PERSISTENT(buf); + /* Check if the first argument is "XYZ" and the second argument is "TEST2" + If so, call the "abort" function to terminate the program. + Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } } else { printf("Bad number of arguments!\n"); } } - + /* Exiting the loop allows the program to terminate normally. AFL will restart + the process with a clean slate for allocated memory, file descriptors, etc. + */ return 0; } \ No newline at end of file -- cgit 1.4.1 From b189640a927e9ed17347b26f6579b0e41dcdda38 Mon Sep 17 00:00:00 2001 
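Review bot: `AFL_INIT_ARGV_PERSISTENT(buf)` is handed only the buffer, while the `len` read two lines earlier is used for nothing but the `< 8` minimum; the parser behind it (visible in a later hunk on this page as `while (*ptr && rc < MAX_CMDLINE_PAR)`) stops at a NUL byte, so a testcase that contains no NUL is scanned beyond its `len` bytes unless the shared buffer is guaranteed to be zero-terminated, which I have not confirmed. At minimum the comment above the macro should state that precondition, e.g. `// NOTE: the parser relies on a terminating NUL inside buf; len is not passed down`, and ideally the harness would copy `len` bytes into a local buffer bounded by MAX_CMDLINE_LEN and terminate it before parsing. Separately, because the helper's `ret` array is static and reused across __AFL_LOOP iterations, entries past the current testcase's argument count may hold pointers from the previous iteration rather than NULL unless the helper clears them — worth checking, since the `argv[2]` read below depends on it. The comment "Otherwise, print an error message" does not match the `else`, which only covers the outer condition.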
From: Maciej Domanski Date: Tue, 27 Dec 2022 16:54:36 +0100 Subject: cleanup --- .custom-format.py | 15 +++++++------ utils/argv_fuzzing/README.md | 4 ++-- utils/argv_fuzzing/argv-fuzz-inl.h | 31 ++++++++++++++------------ utils/argv_fuzzing/argv_fuzz_demo.c | 13 +++++++---- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 11 ++++++++- 5 files changed, 46 insertions(+), 28 deletions(-) (limited to 'utils/argv_fuzzing/argv_fuzz_demo.c') diff --git a/.custom-format.py b/.custom-format.py index 428d7b0d..00f6280f 100755 --- a/.custom-format.py +++ b/.custom-format.py @@ -26,15 +26,16 @@ import shutil with open(".clang-format") as f: fmt = f.read() -CURRENT_LLVM = os.getenv('LLVM_VERSION', 14) -CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") +#CURRENT_LLVM = os.getenv('LLVM_VERSION', 14) +#CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") -if shutil.which(CLANG_FORMAT_BIN) is None: - CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}" +#if shutil.which(CLANG_FORMAT_BIN) is None: +# CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}" -if shutil.which(CLANG_FORMAT_BIN) is None: - print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.") - exit(1) +#if shutil.which(CLANG_FORMAT_BIN) is None: +# print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.") +# exit(1) +CLANG_FORMAT_BIN = "clang-format" COLUMN_LIMIT = 80 for line in fmt.split("\n"): diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index e9224995..bcf388c7 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,4 +1,4 @@ -# argvfuzz +#argvfuzz AFL++ supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. 
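Review bot: The .custom-format.py hunk comments out the `LLVM_VERSION`/`CLANG_FORMAT_BIN` lookup and the `shutil.which` guard and hard-codes `CLANG_FORMAT_BIN = "clang-format"`, which drops both environment overrides and the explicit "is needed. Aborted." failure; on a machine without an unversioned `clang-format` on PATH the script now fails later, at the first invocation, with a less useful error. This reads like a local-environment tweak that was swept into the "cleanup" commit rather than a deliberate change; if the unversioned binary is wanted as a fallback, keep the existing lookup and add it as the last candidate while retaining the guard: `if shutil.which(CLANG_FORMAT_BIN) is None:` / `    print(f"[!] {CLANG_FORMAT_BIN} is needed. Aborted.")` / `    exit(1)`. Commented-out code should be deleted rather than left in place, since git history already preserves it.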
@@ -13,4 +13,4 @@ A few conditions need to be fulfilled for this mechanism to work correctly: 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the - target binary expects argv to be living on the stack, things may go wrong. \ No newline at end of file + target binary expects argv to be living on the stack, things may go wrong. diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index d3440799..bb8f2813 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -57,18 +57,20 @@ \ } while (0) -#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ - do { \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - } while (0) - -#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ - do { \ - \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - argv[0] = (_p); \ - if (!argc) argc = 1; \ - \ +#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + \ + } while (0) + +#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + argv[0] = (_p); \ + if (!argc) argc = 1; \ + \ } while (0) #define MAX_CMDLINE_LEN 100000 @@ -105,12 +107,13 @@ static char **afl_init_argv(int *argc) { } -static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff) { +static char **afl_init_argv_persistent(int *argc, + unsigned char *persistent_buff) { static char *ret[MAX_CMDLINE_PAR]; unsigned char *ptr = persistent_buff; - int rc = 0; + int rc = 0; while (*ptr && rc < MAX_CMDLINE_PAR) { diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index 5fe4d704..6ab1e2e5 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c 
@@ -3,6 +3,7 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool AFL_INIT_ARGV(); @@ -12,12 +13,16 @@ int main(int argc, char **argv) { an error message is printed. If the values do match, the program calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { - if (strcmp(argv[2], "TEST2") == 0) { - abort(); - } + + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } return 0; -} \ No newline at end of file + +} + diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index a96cf1fe..08a62c62 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -16,6 +16,7 @@ __AFL_FUZZ_INIT(); one of the arguments. */ int main(int argc, char **argv) { + #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif @@ -25,6 +26,7 @@ int main(int argc, char **argv) { the loop and allowing the program to terminate. It protects against accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; // Check that the length of the test case is at least 8 bytes @@ -37,13 +39,20 @@ int main(int argc, char **argv) { If so, call the "abort" function to terminate the program. Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } + } + /* Exiting the loop allows the program to terminate normally. AFL will restart the process with a clean slate for allocated memory, file descriptors, etc. */ return 0; -} \ No newline at end of file + +} -- cgit 1.4.1