Struggling to give inputs to AFL


[S]

Jul 30, 2015, 8:10:04 AM7/30/15
to afl-users
Hi,

I've been reading some documents regarding AFL for the last few days. I'm trying to find the bug using AFL in this example code: http://paste.ubuntu.com/11964398/

I've created a few random files manually in the "input" folder and also created one automatically using

$dd if=/dev/urandom of=a.log bs=1M count=2

and started AFL

$afl-fuzz -i afl_in -o afl_out ./a.out -a @@

I've attached the output screenshot to the mail. I'm trying to find out why I'm not able to locate the bug using AFL with this vulnerable code. Please give me some pointers so that I can go further with AFL fuzzing.


Thanks in advance.


Jakub Wilk

Jul 30, 2015, 9:05:05 AM7/30/15
to afl-...@googlegroups.com
* [S] <sandee...@gmail.com>, 2015-07-30, 05:10:
>I've read some documents regarding AFL from last few days. I'm trying
>to find the bug using AFL in this example code:
>http://paste.ubuntu.com/11964398/

The code in question does:

strcpy(buff, argv[1]);

But AFL doesn't fuzz command-line arguments out of the box. Instead, it
puts test input to a file, and then either redirects stdin or passes the
filename on the command line.

>I've created few manual random files in "input" folder

You don't need more than one input file in this case. Please read "Choosing
initial test cases" in README.

>and also created automatic using
>
>$dd if=/dev/urandom of=a.log bs=1M count=2

You don't need input file THAT big. In fact, afl-fuzz refuses to process
input files bigger than 1MB.

>and started AFL
>
>$afl-fuzz -i afl_in -o afl_out ./a.out -a @@

What's -a?

--
Jakub Wilk

[S]

Jul 30, 2015, 9:12:41 AM7/30/15
to afl-users, jw...@jwilk.net
Hi Jakub,

>The code in question does:

>strcpy(buff, argv[1]);

>But AFL doesn't fuzz command-line arguments out of the box. Instead, it
>puts test input to a file, and then either redirects stdin or passes the
>filename on the command line.

Yep, I got it.

>You don't need more than input file in this case. Please read "Choosing
>initial test cases" in README.

I'm reading it again, thank you for the pointers.


>You don't need input file THAT big. In fact, afl-fuzz refuses to process
>input files bigger than 1MB.

I thought AFL would work on input files which are less than or equal to 1MB.


>$afl-fuzz -i afl_in -o afl_out ./a.out -a @@

I followed the execution command from the following blog.

http://www.evilsocket.net/2015/04/30/fuzzing-with-afl-fuzz-a-practical-example-afl-vs-binutils/

Do you have any example inputs to test any particular lib or source?

Michal Zalewski

Jul 30, 2015, 12:10:12 PM7/30/15
to afl-users
>>strcpy(buff, argv[1]);
>
>>But AFL doesn't fuzz command-line arguments out of the box. Instead, it
>>puts test input to a file, and then either redirects stdin or passes the
>>filename on the command line.
>
> Yep I got it.

Yup, this is your most significant problem. AFL doesn't support argv
fuzzing, because TBH, it's just not horribly useful in practice. There
is an example in experimental/argv_fuzzing/ showing how to do it in a
general case if you really want to.

>>You don't need input file THAT big. In fact, afl-fuzz refuses to process
>>input files bigger than 1MB.
>
> I thought AFL will work on the input files which less than equal to 1MB

As explained in the docs, you want to start with small, meaningful
test cases; 1 MB of garbage isn't a good starting file (and in any
case, if you get the invocation right, it'd crash the target program
right away and be rejected by afl-fuzz for that reason alone).

>>$afl-fuzz -i afl_in -o afl_out ./a.out -a @@
> I followed execution command from the following blog.

Everything after the path to the target binary (./a.out) is passed to
your target binary as an argument. So you're calling it with:

argv[0] = "./a.out";
argv[1] = "-a";
argv[2] = "<file name, which is not what you want, but a separate
problem - see above>";

Since your program looks only at argv[1], and that value is fixed and
always set to "-a", nothing happens.

/mz
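The pattern Michal describes, reading the test case from the file that afl-fuzz substitutes for @@ instead of fuzzing argv, as an added C harness example that is not from the thread or the pasted program. process_input is a hypothetical stand-in for the code under test, and its buffer size and the MAX_INPUT cap are made up.

```c
/* Added example: AFL-friendly harness for a program that did strcpy(buff, argv[1]).
 * afl-fuzz replaces @@ with a file path, so the harness reads that file and
 * hands the bytes to the code under test instead of fuzzing argv. */
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 1024        /* hypothetical cap; afl-fuzz itself rejects >1 MB files */

/* Hypothetical stand-in for the pasted program's body.  The original did an
 * unbounded strcpy into a fixed buffer; here the length is checked first, so an
 * input that would have overflowed is reported (-1) instead of corrupting the stack. */
int process_input(const char *data, size_t len)
{
    char buff[64];                       /* made-up size */
    if (len >= sizeof(buff))
        return -1;                       /* would not fit: the bug AFL was meant to find */
    memcpy(buff, data, len);
    buff[len] = '\0';
    return (int)len;
}

/* Read at most cap bytes from path into buf; returns bytes read, or -1 if the
 * file cannot be opened. */
long read_input_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}

/* Invoke as: afl-fuzz -i afl_in -o afl_out ./harness @@
 * so that argv[1] is the test-case path and nothing else precedes it. */
int main(int argc, char **argv)
{
    static char data[MAX_INPUT];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    long n = read_input_file(argv[1], data, sizeof(data));
    if (n < 0) {
        perror(argv[1]);
        return 1;
    }
    /* A rejected input exits non-zero; with the original strcpy it would crash. */
    return process_input(data, (size_t)n) < 0 ? 1 : 0;
}
```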