5

I have a binary I've been trying to fuzz with AFL; the only thing is that AFL only fuzzes STDIN and file inputs, and this binary takes input through its arguments: pass_read [input1] [input2]. I was wondering if there are any methods/fuzzers that allow fuzzing in this manner?

I do not have the source code, so making a harness is not really applicable.

rooter
  • 99
  • 2
  • 8

3 Answers

3

Michal Zalewski, the creator of AFL, states in this post:

AFL doesn't support argv fuzzing, because TBH, it's just not horribly useful in practice. There is an example in experimental/argv_fuzzing/ showing how to do it in a general case if you really want to.

Link to the mentioned example on GitHub: https://github.com/google/AFL/tree/master/experimental/argv_fuzzing

There are some instructions in the file argv-fuzz-inl.h (haven't tried myself).

user2286693
  • 3,007
  • 2
  • 17
  • 17
  • 1
    Thanks for your answer, I saw this example before and unfortunately it only works if you have the source code available, the binary I am trying to fuzz is black box. – rooter Sep 24 '20 at 12:09
  • @rooter Just out of interest ... did you try the above `xargs` suggestion from @Ext3h? – user2286693 Sep 24 '20 at 15:40
1

I looked at the AFLplusplus repo on GitHub. Inside AFLplusplus/utils/argv_fuzzing/, there is a Makefile. If you run it, you will get a .so file (a shared library) that you can use to do argv fuzzing, even if you only have the binary. Obviously, you must use AFL_PRELOAD. You can read more in the README.

Jeremy Caney
  • 7,102
  • 69
  • 48
  • 77
  • I checked out this solution before, unfortunately it seems you still need to patch the source to call AFL_INIT_ARGV() macro in order for this method to work. – rooter Nov 30 '21 at 20:01
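To make concrete what the two answers above are pointing at (AFL's experimental/argv_fuzzing header and AFL++'s preload shim both do this inside the target process), here is an added example of my own, not code from AFL or AFL++: it reads one fuzzer-generated input from stdin and turns it into an argv vector. The encoding I assume is NUL-separated arguments with a lone 0x02 byte standing in for an empty argument; that convention is my recollection of the AFL header and is an assumption here, not something the answers state. The program prints the reconstructed vector and, if given a path, execs it with that vector, which is handy for checking what a given testcase file would become as a command line.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 32      /* argv0 + at most 30 fuzzed arguments + NULL */
#define MAX_BUF  4096

/* Build argv from a NUL-separated buffer. argv[0] is set to argv0 so the
 * target sees an ordinary command line; every following NUL-terminated
 * token becomes one argument. A token that is exactly one 0x02 byte is
 * turned into the empty string, because an empty argument cannot otherwise
 * be represented with NUL separators (this placeholder convention is my
 * assumption about the AFL format). Parsing stops at the first empty token
 * or when max_args - 1 entries are filled, leaving room for the NULL.
 * buf must contain a NUL at or before buf[len]. Returns the new argc. */
static int argv_from_buf(char *buf, size_t len, const char *argv0,
                         char **argv, int max_args)
{
    int argc = 0;
    size_t pos = 0;

    argv[argc++] = (char *)argv0;
    while (pos < len && argc < max_args - 1) {
        char *tok = buf + pos;
        size_t tlen = strnlen(tok, len - pos);
        if (tlen == 0)
            break;                      /* double NUL ends the argument list */
        if (tlen == 1 && tok[0] == '\x02')
            tok[0] = '\0';              /* placeholder for an empty argument */
        argv[argc++] = tok;
        pos += tlen + 1;
    }
    argv[argc] = NULL;
    return argc;
}

int main(int argc, char **argv)
{
    static char buf[MAX_BUF];
    char *new_argv[MAX_ARGS];
    const char *argv0 = argc > 1 ? argv[1] : "target";

    /* One read is enough for a fuzzer testcase; a real harness would loop. */
    ssize_t n = read(STDIN_FILENO, buf, MAX_BUF - 1);
    if (n < 0) {
        perror("read");
        return 1;
    }
    buf[n] = '\0';                      /* guarantee the terminator the parser relies on */

    int new_argc = argv_from_buf(buf, (size_t)n, argv0, new_argv, MAX_ARGS);
    for (int i = 0; i < new_argc; i++)
        printf("argv[%d] = \"%s\"\n", i, new_argv[i]);

    if (argc > 1) {                     /* optional: run the target with the rebuilt vector */
        execv(argv[1], new_argv);
        perror("execv");
        return 1;
    }
    return 0;
}
```

Usage: `printf 'alpha\0bravo\0' | ./argv_demo ./pass_read`. Note that the exec at the end only helps for inspection: for coverage-guided fuzzing the splitting has to happen in the traced process itself, which is exactly why both answers end up needing either the source (to call the macro) or AFL++'s preload library.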
0

Bash only Solution

As an example, let's generate 10 random strings and store them in a file:

tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 10 | head -n 10 > string-file.txt

Next, let's read 2 lines from string-file.txt at a time and pass them to our application:

# bash 4.1+: let bash pick a free descriptor and store its number in $handle
exec {handle}< string-file.txt

while read -r string1 <&"$handle"; do
        # an odd line count leaves the last string without a partner
        read -r string2 <&"$handle" || break

        pass_read "$string1" "$string2" >> crash_file.txt
done

exec {handle}<&-

We then have any crashes stored within crash_file.txt for further analysis.

This may not be the most elegant solution, but perhaps it gives you an idea of some other possibilities if no tool necessarily fulfills the current requirements.

David Silveiro
  • 1,515
  • 1
  • 15
  • 23
  • Thanks for your answer, I looked at zuff and I don't believe it solves my issue since it also only takes a filename as fuzzing inputs. AFL actually does have a QEMU mode for non-instrumented binaries without the source but my issue is I have no method of fuzzing since it doesn't allow fuzzing argument strings for the binary – rooter Jul 25 '20 at 18:32
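The bash loop in the answer above records only what pass_read prints, so crash_file.txt holds a crash only if the program happens to say so. As an added example (my own code, not the answer's), here is a small C driver that runs the same line pairs but decides "crash" from the child's wait status, so a run killed by SIGSEGV, SIGABRT or similar is logged with its signal number regardless of output. The target name and file names come from the question and the answer; the 256-byte line limit is my assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct run_result {
    int crashed;   /* 1 if the child died from a signal */
    int code;      /* signal number if crashed, else exit status (127 = could not exec) */
};

/* Run argv[0] with the given argument vector in a child process and wait
 * for it. stdout/stderr are inherited, so the caller may still redirect
 * them; the verdict comes from the wait status, not from the output. */
static struct run_result run_target(char *const argv[])
{
    struct run_result r = { 0, -1 };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return r;                        /* fork failed: code stays -1 */
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                      /* exec failed, shell convention */
    }
    if (waitpid(pid, &status, 0) < 0)
        return r;
    if (WIFSIGNALED(status)) {
        r.crashed = 1;
        r.code = WTERMSIG(status);
    } else if (WIFEXITED(status)) {
        r.code = WEXITSTATUS(status);
    }
    return r;
}

/* Strip the trailing newline fgets() leaves on a line. */
static void chomp(char *s)
{
    s[strcspn(s, "\r\n")] = '\0';
}

/* Consume the string file two lines at a time, run target with each pair
 * and append every crashing pair to logfile. Returns the number of crashes,
 * or -1 if a file could not be opened. */
static int fuzz_pairs(const char *target, const char *listfile, const char *logfile)
{
    char a[256], b[256];
    int crashes = 0;
    FILE *in = fopen(listfile, "r");
    if (!in)
        return -1;
    FILE *log = fopen(logfile, "a");
    if (!log) {
        fclose(in);
        return -1;
    }
    while (fgets(a, sizeof a, in) && fgets(b, sizeof b, in)) {
        chomp(a);
        chomp(b);
        char *argv[] = { (char *)target, a, b, NULL };
        struct run_result r = run_target(argv);
        if (r.crashed) {
            crashes++;
            fprintf(log, "signal %d (%s): %s %s\n", r.code, strsignal(r.code), a, b);
        }
    }
    fclose(log);
    fclose(in);
    return crashes;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s ./pass_read string-file.txt crash_file.txt\n", argv[0]);
        return 2;
    }
    int n = fuzz_pairs(argv[1], argv[2], argv[3]);
    if (n < 0) {
        perror("fuzz_pairs");
        return 1;
    }
    printf("%d crashing input pair(s) appended to %s\n", n, argv[3]);
    return 0;
}
```

Build with `cc -o pairs pairs.c` and run as `./pairs ./pass_read string-file.txt crash_file.txt`. Because the result is read from the wait status, the log entry for a crash is the exact argument pair that triggered it, which is what you need to reproduce it under a debugger afterwards.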