Fuzzing command line arguments [argv]

I have a binary I've been trying to fuzz with AFL; the only thing is that AFL only fuzzes stdin and file inputs, and this binary takes its input through its arguments: pass_read [input1] [input2]. I was wondering if there are any methods/fuzzers that allow fuzzing in this manner?

I don't have the source code, so making a harness is not really applicable.

Alvinaalvine asked 25/7, 2020 at 16:42
What type of inputs does it accept as args? – Stepaniestepbrother
So you are looking for a tool like xargs? Or just patching AFL yourself? – Prop
@DSilveiro it accepts just two strings – Alvinaalvine
@Prop I'm looking for a method to fuzz the positional arguments of this binary. I was hopefully looking for another tool, but if patching AFL is the only way to accomplish this I may have to. – Alvinaalvine

Michal Zalewski, the creator of AFL, states in this post:

AFL doesn't support argv fuzzing, because TBH, it's just not horribly useful in practice. There is an example in experimental/argv_fuzzing/ showing how to do it in a general case if you really want to.

Link to the mentioned example on GitHub: https://github.com/google/AFL/tree/master/experimental/argv_fuzzing

There are some instructions in the file argv-fuzz-inl.h (haven't tried myself).

Oquinn answered 23/9, 2020 at 11:40
Thanks for your answer. I saw this example before and unfortunately it only works if you have the source code available; the binary I am trying to fuzz is black box. – Alvinaalvine
@Alvinaalvine Just out of interest ... did you try the above xargs suggestion from @Ext3h? – Oquinn

Bash-only solution

As an example, let's generate 10 random strings and store them in a file:

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 10 > string-file.txt

Next, let's read two lines at a time from string-file.txt and pass them to our application:

# open string-file.txt on file descriptor 3 (a bare name such as "handle" is not a valid fd)
exec 3< string-file.txt

while read -r string1 <&3 ; do
        read -r string2 <&3 || break        # stop if the file has an odd trailing line

        # run the target; an exit status of 128+N means it died from signal N (e.g. 139 = SIGSEGV)
        pass_read "$string1" "$string2" >> crash_file.txt 2>&1
        echo "args: [$string1] [$string2] exit status: $?" >> crash_file.txt
done

exec 3<&-

We then have any crashes stored within crash_file.txt for further analysis.

This may not be the most elegant solution, but perhaps it gives you an idea of some other possibilities if no tool fulfills the current requirements.

Stepaniestepbrother answered 25/7, 2020 at 17:6
Thanks for your answer. I looked at zzuf and I don't believe it solves my issue, since it also only takes a filename as fuzzing input. AFL actually does have a QEMU mode for non-instrumented binaries without the source, but my issue is I have no method of fuzzing since it doesn't allow fuzzing argument strings for the binary. – Alvinaalvine
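The loop in the answer above can be turned into a small fuzzing driver. What follows is an added example, not code from that answer or from AFL: it generates random argument pairs, looks at the target's exit status rather than its stdout (a status of 128+N means the process died from signal N), and saves the arguments of every run that died by signal as a reproducer. It assumes the target is invoked as pass_read [input1] [input2], as in the question; the pass_read stand-in built by make_fake_target is constructed here only so the script runs without the real binary.

```shell
#!/bin/sh
# Added example: plain-shell argv fuzzer for a black-box binary taking two
# positional arguments. Not part of the original answer or of AFL.

# Constructed stand-in for pass_read: exits 0 normally, but sends SIGSEGV
# (signal 11) to itself when the second argument contains a '!' character.
make_fake_target() {
    dir=$(mktemp -d)
    cat > "$dir/pass_read" <<'EOF'
#!/bin/sh
case "$2" in
    *!*) kill -11 $$ ;;   # pretend this input triggers a segfault
esac
exit 0
EOF
    chmod +x "$dir/pass_read"
    echo "$dir/pass_read"
}

# Random printable string of length $1. The alphabet deliberately includes
# punctuation so bytes a real argument parser may mishandle are reachable.
rand_arg() {
    LC_ALL=C tr -dc 'a-zA-Z0-9!@#%/.-' < /dev/urandom | head -c "$1"
}

# Run the target with two arguments and print its exit status.
# The shell reports a child killed by signal N as 128+N, so 139 = SIGSEGV.
# Core dumps are disabled inside the subshell: they slow every crash down and
# the saved reproducer can be re-run under a debugger later. The subshell's
# stderr is silenced so the shell's own "Segmentation fault" notice is hidden.
run_case() {
    status=0
    ( ulimit -c 0; "$1" "$2" "$3" >/dev/null 2>&1 ) 2>/dev/null || status=$?
    echo "$status"
}

# Turn an exit status into a short verdict: ok, error:<code> or crash:sig<N>.
classify() {
    if [ "$1" -ge 128 ]; then
        echo "crash:sig$(( $1 - 128 ))"
    elif [ "$1" -ne 0 ]; then
        echo "error:$1"
    else
        echo ok
    fi
}

# Fuzz loop: $1 = target, $2 = iterations, $3 = directory for reproducers.
# Writes one file per crash (one argument per line) and prints the crash count.
fuzz_argv() {
    target=$1; iters=$2; outdir=$3
    mkdir -p "$outdir"
    crashes=0; i=0
    while [ "$i" -lt "$iters" ]; do
        a1=$(rand_arg 8); a2=$(rand_arg 8)
        status=$(run_case "$target" "$a1" "$a2")
        if [ "$status" -ge 128 ]; then
            crashes=$((crashes + 1))
            printf '%s\n%s\n' "$a1" "$a2" > "$outdir/crash-$crashes-$(classify "$status").args"
        fi
        i=$((i + 1))
    done
    echo "$crashes"
}

# Usage: fuzz the constructed stand-in for 200 cases and report what was found.
target=$(make_fake_target)
outdir=$(mktemp -d)
found=$(fuzz_argv "$target" 200 "$outdir")
echo "crashes found: $found (reproducers in $outdir)"
```

Against the real binary, replace the make_fake_target call with the path to pass_read. Only signal deaths are kept; an ordinary non-zero exit (an input the program rejects) is not a crash, which is why classify separates error:<code> from crash:sig<N>.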

I looked at the AFLplusplus repo on GitHub. Inside AFLplusplus/utils/argv_fuzzing/, there is a Makefile. If you run it, you will get a .so file (a shared library) that you can use to do argv fuzzing, even if you only have the binary. Obviously, you must use AFL_PRELOAD. You can read more in the README.

Moffit answered 29/11, 2021 at 11:43
I checked out this solution before; unfortunately it seems you still need to patch the source to call the AFL_INIT_ARGV() macro in order for this method to work. – Alvinaalvine
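Both the argv-fuzz-inl.h example from Zalewski's answer and the AFL++ argvfuzz shared library from the answer above consume the same input format, described in the header comment of argv-fuzz-inl.h: each argument followed by a NUL byte, the list terminated by one more NUL, and an empty argument encoded as a lone 0x02 byte (the AFL++ README for that directory describes argvfuzz.so as hooking __libc_start_main through the preload and rebuilding argv with that same logic). The helpers below are an added example, not code from either answer or from AFL/AFL++: encode_argv writes a seed or reproducer file in that format, and replay_argv feeds such a file (for instance a crash saved by afl-fuzz) back into the target outside the fuzzer. The afl-fuzz command line and the argvfuzz64.so and crash-file names in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build and replay AFL argv-format inputs. Not part of the
# original answers or of the AFL/AFL++ projects.

# Write the arguments to stdout in AFL argv format:
#   arg1 NUL arg2 NUL ... NUL      (an extra NUL ends the list)
# An empty argument is written as a lone 0x02 byte, as argv-fuzz-inl.h expects.
encode_argv() {
    for a in "$@"; do
        if [ -z "$a" ]; then
            printf '\002\000'          # empty-argument marker
        else
            printf '%s\000' "$a"
        fi
    done
    printf '\000'                      # second consecutive NUL ends the list
}

# Run a command with the argv stored in an AFL-format file.
# $1 = file, remaining arguments = the command to run (e.g. ./pass_read).
# The trailing list terminator is dropped so xargs does not pass an empty
# extra argument; a lone 0x02 is passed through literally rather than as "".
replay_argv() {
    seed=$1; shift
    n=$(wc -c < "$seed")
    head -c "$((n - 1))" "$seed" | xargs -0 "$@"
}

# Count the NUL bytes in a file (one per argument plus the terminator).
count_nuls() {
    tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# Usage: build a small seed corpus, then replay one seed by hand.
seeds=$(mktemp -d)
encode_argv "hello" "world"                > "$seeds/two-args"
encode_argv "admin" ""                     > "$seeds/empty-second-arg"
encode_argv "$(printf '%0100d' 0)" "x"     > "$seeds/long-first-arg"
# Illustrative afl-fuzz invocation for a binary-only target (assumed, not
# taken from the AFL++ documentation verbatim):
#   AFL_PRELOAD=/path/to/argvfuzz64.so afl-fuzz -Q -i "$seeds" -o out -- ./pass_read
# Replaying a crash afl-fuzz saved would then look like (path illustrative):
#   replay_argv out/default/crashes/id:000000,sig:11,... ./pass_read
replay_argv "$seeds/two-args" printf '[%s]'
echo
```

Keeping the seed corpus in this format also makes it easy to hand-craft the cases a two-argument program is most likely to mishandle (empty strings, very long strings, strings with shell-like metacharacters) before the fuzzer starts mutating them.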

© 2022 - 2024 — McMap. All rights reserved.