├── QuickStartGuide.txt ├── testcases ├── others │ ├── text │ │ └── hello_world.txt │ ├── js │ │ └── small_script.js │ ├── xml │ │ └── small_document.xml │ ├── rtf │ │ └── small_document.rtf │ ├── sql │ │ └── simple_queries.sql │ ├── elf │ │ └── small_exec.elf │ ├── pcap │ │ └── small_capture.pcap │ └── pdf │ │ └── small.pdf ├── images │ ├── bmp │ │ └── not_kitty.bmp │ ├── gif │ │ └── not_kitty.gif │ ├── ico │ │ └── not_kitty.ico │ ├── jp2 │ │ └── not_kitty.jp2 │ ├── jpeg │ │ └── not_kitty.jpg │ ├── jxr │ │ └── not_kitty.jxr │ ├── png │ │ ├── not_kitty.png │ │ ├── not_kitty_alpha.png │ │ ├── not_kitty_gamma.png │ │ └── not_kitty_icc.png │ ├── tiff │ │ └── not_kitty.tiff │ └── webp │ │ └── not_kitty.webp ├── multimedia │ └── h264 │ │ └── small_movie.mp4 ├── archives │ ├── common │ │ ├── xz │ │ │ └── small_archive.xz │ │ ├── cab │ │ │ └── small_archive.cab │ │ ├── gzip │ │ │ └── small_archive.gz │ │ ├── lzo │ │ │ └── small_archive.lzo │ │ ├── rar │ │ │ └── small_archive.rar │ │ ├── zip │ │ │ └── small_archive.zip │ │ ├── bzip2 │ │ │ └── small_archive.bz2 │ │ ├── compress │ │ │ └── small_archive.Z │ │ ├── cpio │ │ │ └── small_archive.cpio │ │ └── tar │ │ │ └── small_archive.tar │ └── exotic │ │ ├── arj │ │ └── small_archive.arj │ │ ├── lha │ │ └── small_archive.lha │ │ ├── lzip │ │ └── small_archive.lz │ │ ├── rzip │ │ └── small_archive.rz │ │ ├── zoo │ │ └── small_archive.zoo │ │ ├── lrzip │ │ └── small_archive.lrz │ │ └── lzma │ │ └── small_archive.lzma └── README.testcases ├── docs ├── vuln_samples │ ├── bash-cmd-exec.var │ ├── sqlite-null-ptr4.sql │ ├── bash-uninit-mem.var │ ├── sqlite-null-ptr10.sql │ ├── sqlite-null-ptr11.sql │ ├── sqlite-null-ptr3.sql │ ├── sqlite-null-ptr5.sql │ ├── sqlite-null-ptr2.sql │ ├── sqlite-null-ptr7.sql │ ├── sqlite-bad-ptr.sql │ ├── sqlite-null-ptr8.sql │ ├── sqlite-stack-exhaustion.sql │ ├── sqlite-null-ptr1.sql │ ├── sqlite-null-ptr12.sql │ ├── sqlite-null-ptr13.sql │ ├── sqlite-unint-mem.sql │ ├── libxml2-bad-read.xml │ ├── 
sqlite-null-ptr9.sql │ ├── jxrlib-crash.jxr │ ├── jxrlib-crash2.jxr │ ├── jxrlib-crash3.jxr │ ├── jxrlib-crash4.jxr │ ├── msie-dht-leak.jpg │ ├── msie-zlib-dos.png │ ├── sqlite-bad-free.sql │ ├── sqlite-oob-read.sql │ ├── file-fpu-exception.elf │ ├── firefox-bmp-leak.bmp │ ├── firefox-gif-leak.gif │ ├── firefox-gif-leak2.gif │ ├── libjpeg-sos-leak.jpg │ ├── libtiff-bad-write.tif │ ├── libtiff-uninit-mem.tif │ ├── msie-jxr-mem-leak.jxr │ ├── msie-png-mem-leak.png │ ├── msie-tiff-mem-leak.tif │ ├── openssl-null-ptr.der │ ├── openssl-null-ptr2.der │ ├── photoshop-mem-leak.jpg │ ├── sqlite-null-ptr6.sql │ ├── strings-bfd-badptr.elf │ ├── strings-stack-overflow │ ├── tcpdump-arp-crash.pcap │ ├── tcpdump-ppp-crash.pcap │ ├── ffmpeg-h264-bad-read.mp4 │ ├── firefox-chrome-leak.jpg │ ├── libtiff-uninit-mem2.tif │ ├── libtiff-uninit-mem3.tif │ ├── libtiff-uninit-mem4.tif │ ├── strings-bfd-badptr2.elf │ ├── unrtf-arbitrary-read.rtf │ ├── libjpeg-turbo-dht-leak.jpg │ ├── strings-unchecked-ctr.elf │ ├── unzip-t-mem-corruption.zip │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ ├── lesspipe-cpio-bad-write.cpio │ ├── sqlite-bad-ptr2.sql │ ├── sqlite-stack-buf-overflow.sql │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ ├── sqlite-null-ptr15.sql │ ├── sqlite-bad-ptr3.sql │ ├── sqlite-heap-overflow.sql │ ├── sqlite-use-after-free.sql │ ├── sqlite-oob-write.sql │ ├── sqlite-null-ptr14.sql │ ├── sqlite-negative-memset.sql │ └── sqlite-heap-overwrite.sql ├── visualization │ └── afl_gzip.png ├── QuickStartGuide.txt ├── life_pro_tips.txt ├── notes_for_asan.txt ├── INSTALL ├── historical_notes.txt ├── perf_tips.txt ├── parallel_fuzzing.txt ├── sister_projects.txt ├── COPYING └── env_variables.txt ├── dictionaries ├── gif.dict ├── webp.dict ├── jpeg.dict ├── json.dict ├── png.dict ├── tiff.dict ├── xml.dict ├── README.dictionaries ├── js.dict ├── html_tags.dict └── sql.dict ├── .gitignore ├── LICENSE ├── hash.h ├── types.h ├── libUnTracerDyninst.cpp ├── afl-plot ├── readme.md ├── Makefile ├── debug.h 
├── untracer-gcc.c ├── config.h └── alloc-inl.h /QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | docs/QuickStartGuide.txt -------------------------------------------------------------------------------- /testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | d 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } <O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /testcases/images/bmp/not_kitty.bmp: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/bmp/not_kitty.bmp -------------------------------------------------------------------------------- /testcases/images/gif/not_kitty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/gif/not_kitty.gif -------------------------------------------------------------------------------- /testcases/images/ico/not_kitty.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/ico/not_kitty.ico -------------------------------------------------------------------------------- /testcases/images/jp2/not_kitty.jp2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/jp2/not_kitty.jp2 -------------------------------------------------------------------------------- /testcases/images/jpeg/not_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/jpeg/not_kitty.jpg -------------------------------------------------------------------------------- /testcases/images/jxr/not_kitty.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/jxr/not_kitty.jxr -------------------------------------------------------------------------------- /testcases/images/png/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/png/not_kitty.png 
-------------------------------------------------------------------------------- /testcases/others/elf/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/others/elf/small_exec.elf -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-oob-read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/sqlite-oob-read.sql -------------------------------------------------------------------------------- /testcases/images/tiff/not_kitty.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/tiff/not_kitty.tiff -------------------------------------------------------------------------------- /testcases/images/webp/not_kitty.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/webp/not_kitty.webp -------------------------------------------------------------------------------- /docs/vuln_samples/file-fpu-exception.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/file-fpu-exception.elf -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-bmp-leak.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/firefox-bmp-leak.bmp -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-gif-leak.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/firefox-gif-leak.gif -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-gif-leak2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/firefox-gif-leak2.gif -------------------------------------------------------------------------------- /docs/vuln_samples/libjpeg-sos-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libjpeg-sos-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-bad-write.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libtiff-bad-write.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libtiff-uninit-mem.tif -------------------------------------------------------------------------------- /docs/vuln_samples/msie-jxr-mem-leak.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/msie-jxr-mem-leak.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/msie-png-mem-leak.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/msie-png-mem-leak.png -------------------------------------------------------------------------------- /docs/vuln_samples/msie-tiff-mem-leak.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/msie-tiff-mem-leak.tif -------------------------------------------------------------------------------- /docs/vuln_samples/openssl-null-ptr.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/openssl-null-ptr.der -------------------------------------------------------------------------------- /docs/vuln_samples/openssl-null-ptr2.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/openssl-null-ptr2.der -------------------------------------------------------------------------------- /docs/vuln_samples/photoshop-mem-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/photoshop-mem-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr6.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/sqlite-null-ptr6.sql -------------------------------------------------------------------------------- /docs/vuln_samples/strings-bfd-badptr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/strings-bfd-badptr.elf 
-------------------------------------------------------------------------------- /docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/strings-stack-overflow -------------------------------------------------------------------------------- /docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/tcpdump-arp-crash.pcap -------------------------------------------------------------------------------- /docs/vuln_samples/tcpdump-ppp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/tcpdump-ppp-crash.pcap -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/images/png/not_kitty_icc.png -------------------------------------------------------------------------------- /testcases/others/pcap/small_capture.pcap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-bad-read.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/ffmpeg-h264-bad-read.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-chrome-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/firefox-chrome-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem2.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libtiff-uninit-mem2.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem3.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libtiff-uninit-mem3.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem4.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libtiff-uninit-mem4.tif -------------------------------------------------------------------------------- /docs/vuln_samples/strings-bfd-badptr2.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/strings-bfd-badptr2.elf -------------------------------------------------------------------------------- /docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/libjpeg-turbo-dht-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/strings-unchecked-ctr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/strings-unchecked-ctr.elf -------------------------------------------------------------------------------- /docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/unzip-t-mem-corruption.zip -------------------------------------------------------------------------------- /testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/lesspipe-cpio-bad-write.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/lesspipe-cpio-bad-write.cpio -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | -------------------------------------------------------------------------------- /testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /testcases/archives/common/rar/small_archive.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/lzip/small_archive.lz -------------------------------------------------------------------------------- /testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FoRTE-Research/UnTracer-AFL/HEAD/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 -------------------------------------------------------------------------------- /testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj trailer<> -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='0 0000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-heap-overflow.sql: 
-------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | 
header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | 
section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 6 | # 7 | # Inspired by a dictionary by Jakub Wilk 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | -------------------------------------------------------------------------------- /testcases/README.testcases: -------------------------------------------------------------------------------- 1 | ======================= 2 | AFL starting test cases 3 | ======================= 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 8 | standalone files that can be used to seed afl-fuzz when testing parsers for a 9 | variety of common data formats. 10 | 11 | There is probably not much to be said about these files, except that they were 12 | optimized for size and stripped of any non-essential fluff. Some directories 13 | contain several examples that exercise various features of the underlying format. 
14 | For example, there is a PNG file with and without a color profile. 15 | 16 | Additional test cases are always welcome. 17 | 18 | In addition to well-chosen starting files, many fuzzing jobs benefit from a 19 | small and concise dictionary. See ../dictionaries/README.dictionaries for more. 20 | -------------------------------------------------------------------------------- /dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | #*.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. 
Windows DLLs) 26 | *.dll 27 | *.so 28 | #*.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # OS generated files 46 | .DS_Store 47 | .DS_Store 48 | .DS_Store? 49 | ._* 50 | .Spotlight-V100 51 | .Trashes 52 | ehthumbs.db 53 | Thumbs.db 54 | 55 | # AFL-specific binaries 56 | afl-as 57 | afl-clang 58 | afl-clang++ 59 | afl-gcc 60 | afl-g++ 61 | untracer-as 62 | untracer-clang 63 | untracer-clang++ 64 | untracer-gcc 65 | untracer-g++ 66 | as 67 | afl-analyze 68 | afl-showmap 69 | libUnTracerDyninst.so 70 | untracer-afl 71 | UnTracerDyninst 72 | 73 | # Misc folders 74 | .idea/ 75 | cmake-build-debug/CMakeFiles/ 76 | 77 | # Kernel Module Compile Results 78 | *.mod* 79 | *.cmd 80 | .tmp_versions/ 81 | .old/ 82 | modules.order 83 | Module.symvers 84 | Mkfile.old 85 | dkms.conf -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Much of UnTracer-AFL is adapted from Michal Zalewski's AFL, Paradyn's Dyninst, 4 | and Cisco Talos' / Marc Heuse's AFL-Dyninst. 5 | 6 | Copyright (c) 2019 Virginia Polytechnic Institute and State University 7 | 8 | Permission is hereby granted, free of charge, to any person obtaining a copy 9 | of this software and associated documentation files (the "Software"), to deal 10 | in the Software without restriction, including without limitation the rights 11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 | copies of the Software, and to permit persons to whom the Software is 13 | furnished to do so, subject to the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included in all 16 | copies or substantial portions of the Software. 
17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | -------------------------------------------------------------------------------- /dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 
| -------------------------------------------------------------------------------- /dictionaries/xml.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="" 61 | tag_doctype="" 68 | tag_open_close="" 69 | tag_open_exclamation="" 72 | tag_xml_q="" 73 | -------------------------------------------------------------------------------- /dictionaries/README.dictionaries: 
-------------------------------------------------------------------------------- 1 | ================ 2 | AFL dictionaries 3 | ================ 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | This subdirectory contains a set of dictionaries that can be used in 8 | conjunction with the -x option to allow the fuzzer to effortlessly explore the 9 | grammar of some of the more verbose data formats or languages. The basic 10 | principle behind the operation of fuzzer dictionaries is outlined in section 9 11 | of the "main" README for the project. 12 | 13 | Custom dictionaries can be added at will. They should consist of a 14 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try 15 | to cobble together in various ways. Snippets between 2 and 16 bytes are usually 16 | the sweet spot. 17 | 18 | Custom dictionaries can be created in two ways: 19 | 20 | - By creating a new directory and placing each token in a separate file, in 21 | which case, there is no need to escape or otherwise format the data. 22 | 23 | - By creating a flat text file where tokens are listed one per line in the 24 | format of name="value". The alphanumeric name is ignored and can be omitted, 25 | although it is a convenient way to document the meaning of a particular 26 | token. The value must appear in quotes, with hex escaping (\xNN) applied to 27 | all non-printable, high-bit, or otherwise problematic characters (\\ and \" 28 | shorthands are recognized, too). 29 | 30 | The fuzzer auto-selects the appropriate mode depending on whether the -x 31 | parameter is a file or a directory. 32 | 33 | In the file mode, every name field can be optionally followed by @N, where N is a dictionary level number, e.g.: 34 | 35 | keyword_foo@1 = "foo" 36 | 37 | Such entries will be loaded only if the requested dictionary level is equal to or 38 | higher than this number.
The default level is zero; a higher value can be set 39 | by appending @N to the dictionary file name, like so: 40 | 41 | -x path/to/dictionary.dct@2 42 | 43 | Good examples of dictionaries can be found in xml.dict and png.dict. 44 | -------------------------------------------------------------------------------- /testcases/archives/common/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick 0000640 0000764 0000764 00000000277 12427053460 012465 0 ustar lcamtuf lcamtuf There was a young man from Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can." 6 | -------------------------------------------------------------------------------- /docs/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | ===================== 2 | AFL quick start guide 3 | ===================== 4 | 5 | You should read docs/README. It's pretty short. If you really can't, here's 6 | how to hit the ground running: 7 | 8 | 1) Compile AFL with 'make'. If the build fails, see docs/INSTALL for tips. 9 | 10 | 2) Find or write a reasonably fast and simple program that takes data from 11 | a file or stdin, processes it in a test-worthy way, then exits cleanly. 12 | If testing a network service, modify it to run in the foreground and read 13 | from stdin. When fuzzing a format that uses checksums, comment out the 14 | checksum verification code, too. 15 | 16 | The program must crash properly when a fault is encountered. Watch out for 17 | custom SIGSEGV or SIGABRT handlers and background processes. For tips on 18 | detecting non-crashing flaws, see section 11 in docs/README. 19 | 20 | 3) Compile the program / library to be fuzzed using afl-gcc.
A common way to 21 | do this would be: 22 | 23 | CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared 24 | make clean all 25 | 26 | If the program build fails, ping the AFL maintainer. 27 | 28 | 4) Get a small but valid input file that makes sense to the program. When 29 | fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in 30 | dictionaries/README.dictionaries, too. 31 | 32 | 5) If the program reads from stdin, run 'afl-fuzz' like so: 33 | 34 | ./afl-fuzz -i testcase_dir -o findings_dir -- \ 35 | /path/to/tested/program [...program's cmdline...] 36 | 37 | If the program takes input from a file, you can put @@ in the program's 38 | command line; AFL will put an auto-generated file name in there for you. 39 | 40 | 6) Investigate anything shown in red in the fuzzer UI by promptly consulting 41 | docs/status_screen.txt. 42 | 43 | That's it. Sit back, relax, and - time permitting - try to skim through the 44 | following files: 45 | 46 | - docs/README - A general introduction to AFL, 47 | - docs/perf_tips.txt - Simple tips on how to fuzz more quickly, 48 | - docs/status_screen.txt - An explanation of the tidbits shown in the UI, 49 | - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores. 50 | -------------------------------------------------------------------------------- /hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - hashing function 3 | ------------------------------------- 4 | 5 | The hash32() function is a variant of MurmurHash3, a good 6 | non-cryptosafe hashing function developed by Austin Appleby. 7 | 8 | For simplicity, this variant does *NOT* accept buffer lengths 9 | that are not divisible by 8 bytes. The 32-bit version is otherwise 10 | similar to the original; the 64-bit one is a custom hack with 11 | mostly-unproven properties. 12 | 13 | Austin's original code is public domain.
14 | 15 | Other code written and maintained by Michal Zalewski 16 | 17 | Copyright 2016 Google Inc. All rights reserved. 18 | 19 | Licensed under the Apache License, Version 2.0 (the "License"); 20 | you may not use this file except in compliance with the License. 21 | You may obtain a copy of the License at: 22 | 23 | http://www.apache.org/licenses/LICENSE-2.0 24 | 25 | */ 26 | 27 | #ifndef _HAVE_HASH_H 28 | #define _HAVE_HASH_H 29 | 30 | #include "types.h" 31 | 32 | #ifdef __x86_64__ 33 | 34 | /* Rotate-left on a 64-bit value; _r must be in 1..63 (a rotate by 0 or 64 shifts by the full width, which is undefined). */ #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) 35 | 36 | /* 64-bit path. Hashes `len` bytes of `key` in 8-byte words, mixed with `seed`. Only len / 8 whole words are consumed: any trailing len % 8 bytes are silently ignored, and the 64-bit state is truncated to u32 on return. Not a cryptographic hash; do not use it to protect untrusted data. */ static inline u32 hash32(const void* key, u32 len, u32 seed) { 37 | 38 | /* NOTE(review): the cast drops const and reads the buffer as u64, so `key` is assumed to be 8-byte aligned. */ const u64* data = (u64*)key; 39 | u64 h1 = seed ^ len; 40 | 41 | /* Byte count -> number of whole 8-byte words. */ len >>= 3; 42 | 43 | while (len--) { 44 | 45 | u64 k1 = *data++; 46 | 47 | k1 *= 0x87c37b91114253d5ULL; 48 | k1 = ROL64(k1, 31); 49 | k1 *= 0x4cf5ad432745937fULL; 50 | 51 | h1 ^= k1; 52 | h1 = ROL64(h1, 27); 53 | h1 = h1 * 5 + 0x52dce729; 54 | 55 | } 56 | 57 | /* Finalization mix. */ h1 ^= h1 >> 33; 58 | h1 *= 0xff51afd7ed558ccdULL; 59 | h1 ^= h1 >> 33; 60 | h1 *= 0xc4ceb9fe1a85ec53ULL; 61 | h1 ^= h1 >> 33; 62 | 63 | /* Implicit u64 -> u32 truncation. */ return h1; 64 | 65 | } 66 | 67 | #else 68 | 69 | /* Rotate-left on a 32-bit value; _r must be in 1..31. */ #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) 70 | 71 | /* 32-bit path (MurmurHash3 x86_32 style). Consumes len / 4 whole 4-byte words; any trailing len % 4 bytes are silently ignored. */ static inline u32 hash32(const void* key, u32 len, u32 seed) { 72 | 73 | /* NOTE(review): cast drops const and assumes `key` is 4-byte aligned. */ const u32* data = (u32*)key; 74 | u32 h1 = seed ^ len; 75 | 76 | /* Byte count -> number of whole 4-byte words. */ len >>= 2; 77 | 78 | while (len--) { 79 | 80 | u32 k1 = *data++; 81 | 82 | k1 *= 0xcc9e2d51; 83 | k1 = ROL32(k1, 15); 84 | k1 *= 0x1b873593; 85 | 86 | h1 ^= k1; 87 | h1 = ROL32(h1, 13); 88 | h1 = h1 * 5 + 0xe6546b64; 89 | 90 | } 91 | 92 | /* Finalization mix. */ h1 ^= h1 >> 16; 93 | h1 *= 0x85ebca6b; 94 | h1 ^= h1 >> 13; 95 | h1 *= 0xc2b2ae35; 96 | h1 ^= h1 >> 16; 97 | 98 | return h1; 99 | 100 | } 101 | 102 | #endif /* ^__x86_64__ */ 103 | 104 | #endif /* !_HAVE_HASH_H */ 105 | -------------------------------------------------------------------------------- /types.h:
-------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - type definitions and minor macros 3 | ------------------------------------------------------ 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2013, 2014, 2015 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | */ 16 | 17 | #ifndef _HAVE_TYPES_H 18 | #define _HAVE_TYPES_H 19 | 20 | #include 21 | #include 22 | 23 | /* Fixed-width unsigned aliases used throughout AFL. */ typedef uint8_t u8; 24 | typedef uint16_t u16; 25 | typedef uint32_t u32; 26 | 27 | /* 28 | 29 | Ugh. There is an unintended compiler / glibc #include glitch caused by 30 | combining the u64 type and %llu in format strings, necessitating a workaround. 31 | 32 | In essence, the compiler is always looking for 'unsigned long long' for %llu. 33 | On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to 34 | 'unsigned long long' in stdint.h, so everything checks out. 35 | 36 | But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'. 37 | Now, it only happens in circumstances where the type happens to have the 38 | expected bit width, *but* the compiler does not know that... and complains 39 | about 'unsigned long' being unsafe to pass to %llu. 40 | 41 | */ 42 | 43 | #ifdef __x86_64__ 44 | typedef unsigned long long u64; 45 | #else 46 | typedef uint64_t u64; 47 | #endif /* ^__x86_64__ */ 48 | 49 | /* Fixed-width signed aliases. */ typedef int8_t s8; 50 | typedef int16_t s16; 51 | typedef int32_t s32; 52 | typedef int64_t s64; 53 | 54 | /* NOTE: MIN/MAX expand each argument twice, so do not pass expressions with side effects (e.g. i++ or a function call). */ #ifndef MIN 55 | # define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) 56 | # define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) 57 | #endif /* !MIN */ 58 | 59 | /* Byte-order swaps as GNU statement expressions; _x is evaluated exactly once. */ #define SWAP16(_x) ({ \ 60 | u16 _ret = (_x); \ 61 | (u16)((_ret << 8) | (_ret >> 8)); \ 62 | }) 63 | 64 | #define SWAP32(_x) ({ \ 65 | u32 _ret = (_x); \ 66 | (u32)((_ret << 24) | (_ret >> 24) | \ 67 | ((_ret << 8) & 0x00FF0000) | \ 68 | ((_ret >> 8) & 0x0000FF00)); \ 69 | }) 70 | 71 | /* Random integer in [0, x) from libc random(): good enough for mutation scheduling, but neither uniform for arbitrary x nor unpredictable. */ #ifdef AFL_LLVM_PASS 72 | # define AFL_R(x) (random() % (x)) 73 | #else 74 | # define R(x) (random() % (x)) 75 | #endif /* ^AFL_LLVM_PASS */ 76 | 77 | /* Two-level stringification so that macro arguments are expanded first. */ #define STRINGIFY_INTERNAL(x) #x 78 | #define STRINGIFY(x) STRINGIFY_INTERNAL(x) 79 | 80 | /* Compiler-only barrier: prevents reordering of memory accesses by the compiler but emits no CPU fence instruction. */ #define MEM_BARRIER() \ 81 | asm volatile("" ::: "memory") 82 | 83 | /* Branch-prediction hints (GCC/Clang builtins). */ #define likely(_x) __builtin_expect(!!(_x), 1) 84 | #define unlikely(_x) __builtin_expect(!!(_x), 0) 85 | 86 | #endif /* ! _HAVE_TYPES_H */ 87 | -------------------------------------------------------------------------------- /dictionaries/js.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JavaScript 3 | # ----------------------------- 4 | # 5 | # Contains basic reserved keywords and syntax building blocks.
6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | keyword_arguments="arguments" 11 | keyword_break="break" 12 | keyword_case="case" 13 | keyword_catch="catch" 14 | keyword_const="const" 15 | keyword_continue="continue" 16 | keyword_debugger="debugger" 17 | keyword_decodeURI="decodeURI" 18 | keyword_default="default" 19 | keyword_delete="delete" 20 | keyword_do="do" 21 | keyword_else="else" 22 | keyword_escape="escape" 23 | keyword_eval="eval" 24 | keyword_export="export" 25 | keyword_finally="finally" 26 | keyword_for="for (a=0;a<2;a++)" 27 | keyword_function="function" 28 | keyword_if="if" 29 | keyword_in="in" 30 | keyword_instanceof="instanceof" 31 | keyword_isNaN="isNaN" 32 | keyword_let="let" 33 | keyword_new="new" 34 | keyword_parseInt="parseInt" 35 | keyword_return="return" 36 | keyword_switch="switch" 37 | keyword_this="this" 38 | keyword_throw="throw" 39 | keyword_try="try" 40 | keyword_typeof="typeof" 41 | keyword_var="var" 42 | keyword_void="void" 43 | keyword_while="while" 44 | keyword_with="with" 45 | 46 | misc_1=" 1" 47 | misc_a="a" 48 | misc_array=" [1]" 49 | misc_assign=" a=1" 50 | misc_code_block=" {1}" 51 | misc_colon_num=" 1:" 52 | misc_colon_string=" 'a':" 53 | misc_comma=" ," 54 | misc_comment_block=" /* */" 55 | misc_comment_line=" //" 56 | misc_cond=" 1?2:3" 57 | misc_dec=" --" 58 | misc_div=" /" 59 | misc_equals=" =" 60 | misc_fn=" a()" 61 | misc_identical=" ===" 62 | misc_inc=" ++" 63 | misc_minus=" -" 64 | misc_modulo=" %" 65 | misc_parentheses=" ()" 66 | misc_parentheses_1=" (1)" 67 | misc_parentheses_1x4=" (1,1,1,1)" 68 | misc_parentheses_a=" (a)" 69 | misc_period="." 
70 | misc_plus=" +" 71 | misc_plus_assign=" +=" 72 | misc_regex=" /a/g" 73 | misc_rol=" <<<" 74 | misc_semicolon=" ;" 75 | misc_serialized_object=" {'a': 1}" 76 | misc_string=" 'a'" 77 | misc_unicode=" '\\u0001'" 78 | 79 | object_Array=" Array" 80 | object_Boolean=" Boolean" 81 | object_Date=" Date" 82 | object_Function=" Function" 83 | object_Infinity=" Infinity" 84 | object_Int8Array=" Int8Array" 85 | object_Math=" Math" 86 | object_NaN=" NaN" 87 | object_Number=" Number" 88 | object_Object=" Object" 89 | object_RegExp=" RegExp" 90 | object_String=" String" 91 | object_Symbol=" Symbol" 92 | object_false=" false" 93 | object_null=" null" 94 | object_true=" true" 95 | 96 | prop_charAt=".charAt" 97 | prop_concat=".concat" 98 | prop_constructor=".constructor" 99 | prop_destructor=".destructor" 100 | prop_length=".length" 101 | prop_match=".match" 102 | prop_proto=".__proto__" 103 | prop_prototype=".prototype" 104 | prop_slice=".slice" 105 | prop_toCode=".toCode" 106 | prop_toString=".toString" 107 | prop_valueOf=".valueOf" 108 | -------------------------------------------------------------------------------- /libUnTracerDyninst.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define FORKSRV_FD 198 15 | 16 | using namespace std; 17 | static long savedDi; 18 | register long rdi asm("di"); // the warning is fine - we need the warning because of a bug in dyninst 19 | 20 | /* AFL bitmap tracing vars. */ 21 | static char * trace_bits; 22 | static long shm_id; 23 | #define SHM_ENV_VAR "__AFL_SHM_ID" 24 | 25 | /* This is for the dummy tracer - i.e., it exits when hitting . */ 26 | void mainExit() { 27 | exit(0); 28 | } 29 | 30 | /* Forkserver variant with tracer file descriptors + hashmap initialization + SHM. 
*/ 31 | /* Entry point called from the instrumented target. Attaches the AFL shared-memory bitmap named by SHM_ENV_VAR, performs the 4-byte handshake on FORKSRV_FD + 1, then loops: read a 4-byte command on FORKSRV_FD, fork a worker, report its pid, wait for it, and report its status. The child worker closes both descriptors and returns so that the target continues running; the parent never returns except on the early error paths below. A 2-byte command is the shutdown signal. */ void forkServer() { 32 | /* NOTE(review): temp_data is never initialized before it is written to the parent in the handshake below; its contents are not inspected in this function, but a zero-initializer would make that explicit and avoid sending stack garbage. */ int temp_data; 33 | pid_t fork_pid; 34 | 35 | /* Set up the SHM bitmap. */ 36 | char *shm_env_var = getenv(SHM_ENV_VAR); 37 | if (!shm_env_var) { 38 | perror("Error getenv() SHM\n"); 39 | return; 40 | } 41 | /* NOTE(review): atoi() reports no error, so an empty or malformed SHM_ENV_VAR silently becomes id 0; a strtol() with end-pointer/errno check would reject it before shmat(). */ shm_id = atoi(shm_env_var); 42 | trace_bits = (char *) shmat(shm_id, NULL, 0); 43 | if (trace_bits == (char *) - 1) { 44 | perror("Error shmat()"); 45 | return; 46 | } 47 | 48 | /* Tell the parent that we're alive. If the parent doesn't want 49 | to talk, assume that we're not running in forkserver mode. */ 50 | if (write(FORKSRV_FD + 1, &temp_data, 4) != 4) { 51 | perror("ERROR: fork server not running"); 52 | return; 53 | } 54 | 55 | /* All right, let's await orders... */ 56 | while (1) { 57 | 58 | /* Parent - Verify status message length. A 2-byte message is the shutdown signal; any other short or failed read is fatal. */ 59 | int stMsgLen = read(FORKSRV_FD, &temp_data, 4); 60 | if (stMsgLen != 4) { 61 | /* we use a status message length 2 to terminate the fork server. */ 62 | if(stMsgLen == 2) 63 | exit(EXIT_SUCCESS); 64 | perror("Error reading fork server"); 65 | exit(EXIT_FAILURE); 66 | } 67 | 68 | /* Parent - Fork off worker process that actually runs the benchmark. */ 69 | fork_pid = fork(); 70 | if (fork_pid < 0) { 71 | perror("Fork server fork() failed"); 72 | exit(EXIT_FAILURE); 73 | } 74 | 75 | /* Child worker - Close descriptors and return (runs the benchmark). */ 76 | if (fork_pid == 0) { 77 | close(FORKSRV_FD); 78 | close(FORKSRV_FD + 1); 79 | return; 80 | } 81 | 82 | /* Parent - Inform controller that we started a new run. The 4-byte write assumes sizeof(pid_t) == 4. */ 83 | if (write(FORKSRV_FD + 1, &fork_pid, 4) != 4) { 84 | perror("Fork server write(pid) failed"); 85 | exit(EXIT_FAILURE); 86 | } 87 | /* Parent - Sleep until child/worker finishes. NOTE(review): the options value 2 is a magic number (WUNTRACED on Linux); the named constant would make the intent clear. */ 88 | if (waitpid(fork_pid, &temp_data, 2) < 0) { 89 | perror("Fork server waitpid() failed"); 90 | exit(EXIT_FAILURE); 91 | } 92 | 93 | /* Parent - Inform controller that run finished.
*/ 94 | if (write(FORKSRV_FD + 1, &temp_data, 4) != 4) { 95 | perror("Fork server write(temp_data) failed"); 96 | exit(EXIT_FAILURE); 97 | } 98 | /* Jump back to beginning of this loop and repeat. */ 99 | } 100 | } 101 | 102 | /* Basic block callback with trace to file. Appends curBlkAddr as a line to a trace file; curBlkID is accepted but unused. NOTE(review): the FILE* is a function-local static opened once with the tracePath of the first call, so later calls with a different path are silently ignored; the fopen() result is never checked for NULL (fprintf on NULL crashes) and the stream is never flushed or closed. */ 103 | void traceFile(char * curBlkAddr, char *tracePath, unsigned int curBlkID) 104 | { 105 | static FILE *traceFile = fopen(tracePath, "w"); 106 | fprintf(traceFile, "%s\n", curBlkAddr); 107 | } 108 | 109 | /* Basic block callback with trace to file + hashmap + SHM. Marks basic block curBlkID as seen in the shared bitmap (first hit only). NOTE(review): curBlkID indexes trace_bits with no bound check; shmat() returns no segment length, so an ID at or past the end of the attached map is an out-of-bounds write into shared memory. The caller must guarantee curBlkID is below the map size. */ 110 | void traceSHM(unsigned int curBlkID) 111 | { 112 | if (trace_bits && trace_bits[curBlkID] == 0) 113 | trace_bits[curBlkID]++; 114 | } 115 | 116 | /* Copies the di register variable into savedDi. The commented-out asm appears to be an earlier stack-based approach — presumably kept for reference; confirm before removing. */ void saveRdi() { 117 | savedDi = rdi; 118 | /* 119 | asm("pop %rax"); // take care of rip 120 | asm("push %rdi"); 121 | asm("push %rax"); 122 | */ 123 | } 124 | 125 | /* Restores the di register variable from savedDi (counterpart of saveRdi). */ void restoreRdi() { 126 | rdi = savedDi; 127 | /* 128 | asm("pop %rax"); // take care of rip 129 | asm("pop %rdi"); 130 | asm("push %rax"); 131 | */ 132 | } 133 | -------------------------------------------------------------------------------- /dictionaries/html_tags.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for HTML parsers (tags only) 3 | # ------------------------------------------- 4 | # 5 | # A basic collection of HTML tags likely to matter to HTML parsers. Does *not* 6 | # include any attributes or attribute values. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | tag_a="" 12 | tag_abbr="" 13 | tag_acronym="" 14 | tag_address="" 15 | tag_annotation_xml="" 16 | tag_applet="" 17 | tag_area="" 18 | tag_article="" 19 | tag_aside="