blob: c33096be22b960ecce1d3545b2696894a759e07e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
# afl-network-proxy
If you want to run afl-fuzz over the network than this is what you need :)
Note that the impact on fuzzing speed will be huge, expect a loss of 90%.
## When to use this
1. when you have to fuzz a target that has to run on a system that cannot
contain the fuzzing output (e.g. /tmp too small and file system is read-only)
2. when the target instantly reboots on crashes
3. ... any other reason you would need this
## how to get it running
### on the target
Run `afl-network-server` with your target with the -m and -t values you need.
Important is the -i parameter which is the TCP port to liste on.
e.g.:
```
$ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@
```
### on the fuzzing master
Just run afl-fuzz with your normal options, however the target should be
`afl-network-client` with the IP and PORT of the `afl-network-server` and
increase the -t value:
```
$ afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111
```
Note the '+' on the -t parameter value. the afl-network-server will take
care of proper timeouts hence afl-fuzz should not. The '+' increases the timout
and the value itself should be 500-1000 higher than the one on
afl-network-server.
### networking
The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to
either. Note that also the outgoing interface can be specified with a '%' for
`afl-network-client`, e.g. `fe80::1234%eth0`.
## how to compile and install
`make && sudo make install`
## Future
It would be much faster and more effective if `afl-network-server` does not
send the map data back (64kb or more) but the checksum that `afl-fuzz` would
generate. This change however would make it incompatible with existing
afl spinoffs.
But in the future this will be implemented and supported as a compile option.
|
