├── .gitignore
├── bug-severity-AFLplusplus
├── types.h
├── config.h
├── Changelog.md
├── dictionaries
│ ├── mysqld.dict
│ ├── csv.dict
│ ├── zip.dict
│ ├── bz2.dict
│ ├── av1_dc.dict
│ ├── theme-load-fuzz.dict
│ ├── vpx_dec.dict
│ ├── tokener_parse_ex.dict
│ ├── math.dict
│ ├── bmp.dict
│ ├── pcap.dict
│ ├── riff.dict
│ ├── stata.dict
│ ├── perl.dict
│ ├── creole.dict
│ ├── iccprofile.dict
│ ├── gif.dict
│ ├── vhd.dict
│ ├── djvu.dict
│ ├── webp.dict
│ ├── jpeg2000.dict
│ ├── sas.dict
│ ├── rst.dict
│ ├── toml.dict
│ ├── wav.dict
│ ├── jpeg.dict
│ ├── bdf.dict
│ ├── icns.dict
│ ├── type42.dict
│ ├── rss.dict
│ ├── markdown.dict
│ ├── spss.dict
│ ├── atom.dict
│ ├── wkt.dict
│ ├── ogg.dict
│ ├── pbm.dict
│ ├── dds.dict
│ ├── json.dict
│ ├── url.dict
│ ├── fbs.dict
│ ├── protobuf.dict
│ ├── png.dict
│ ├── jsonnet.dict
│ ├── heif.dict
│ ├── hoextdown.dict
│ ├── aff.dict
│ ├── xpath.dict
│ └── tiff.dict
├── qemu_mode
│ ├── QEMUAFL_VERSION
│ ├── unsigaction
│ │ ├── unsigaction.c
│ │ ├── README.md
│ │ └── Makefile
│ ├── README.wine.md
│ ├── libqasan
│ │ ├── README.md
│ │ └── Makefile
│ ├── update_ref.sh
│ └── libcompcov
│ │ └── Makefile
├── testcases
│ ├── others
│ │ ├── text
│ │ │ └── hello_world.txt
│ │ ├── js
│ │ │ └── small_script.js
│ │ ├── xml
│ │ │ └── small_document.xml
│ │ ├── rtf
│ │ │ └── small_document.rtf
│ │ ├── sql
│ │ │ └── simple_queries.sql
│ │ ├── elf
│ │ │ └── small_exec.elf
│ │ ├── pcap
│ │ │ └── small_capture.pcap
│ │ └── pdf
│ │ │ └── small.pdf
│ ├── images
│ │ ├── bmp
│ │ │ └── not_kitty.bmp
│ │ ├── gif
│ │ │ └── not_kitty.gif
│ │ ├── ico
│ │ │ └── not_kitty.ico
│ │ ├── jp2
│ │ │ └── not_kitty.jp2
│ │ ├── jpeg
│ │ │ └── not_kitty.jpg
│ │ ├── jxr
│ │ │ └── not_kitty.jxr
│ │ ├── png
│ │ │ ├── not_kitty.png
│ │ │ ├── not_kitty_icc.png
│ │ │ ├── not_kitty_alpha.png
│ │ │ └── not_kitty_gamma.png
│ │ └── webp
│ │ │ └── not_kitty.webp
│ ├── multimedia
│ │ └── h264
│ │ │ └── small_movie.mp4
│ ├── archives
│ │ ├── common
│ │ │ ├── xz
│ │ │ │ └── small_archive.xz
│ │ │ ├── cab
│ │ │ │ └── small_archive.cab
│ │ │ ├── gzip
│ │ │ │ └── small_archive.gz
│ │ │ ├── lzo
│ │ │ │ └── small_archive.lzo
│ │ │ ├── rar
│ │ │ │ └── small_archive.rar
│ │ │ ├── zip
│ │ │ │ └── small_archive.zip
│ │ │ ├── bzip2
│ │ │ │ └── small_archive.bz2
│ │ │ ├── compress
│ │ │ │ └── small_archive.Z
│ │ │ ├── cpio
│ │ │ │ └── small_archive.cpio
│ │ │ └── ar
│ │ │ │ └── small_archive.a
│ │ └── exotic
│ │ │ ├── arj
│ │ │ └── small_archive.arj
│ │ │ ├── lha
│ │ │ └── small_archive.lha
│ │ │ ├── lzip
│ │ │ └── small_archive.lz
│ │ │ ├── rzip
│ │ │ └── small_archive.rz
│ │ │ ├── zoo
│ │ │ └── small_archive.zoo
│ │ │ ├── lrzip
│ │ │ └── small_archive.lrz
│ │ │ └── lzma
│ │ │ └── small_archive.lzma
│ └── README.md
├── unicorn_mode
│ ├── UNICORNAFL_VERSION
│ ├── samples
│ │ ├── c
│ │ │ ├── sample_inputs
│ │ │ │ ├── sample1.bin
│ │ │ │ ├── sample2.bin
│ │ │ │ ├── sample3.bin
│ │ │ │ ├── sample4.bin
│ │ │ │ └── sample5.bin
│ │ │ ├── .gitignore
│ │ │ ├── simple_target_x86_64
│ │ │ ├── persistent_target_x86_64
│ │ │ ├── sample_all.sh
│ │ │ ├── COMPILE.md
│ │ │ ├── Makefile
│ │ │ └── persistent_target.c
│ │ ├── speedtest
│ │ │ ├── sample_inputs
│ │ │ │ └── a
│ │ │ ├── rust
│ │ │ │ ├── .gitignore
│ │ │ │ ├── Cargo.toml
│ │ │ │ └── Makefile
│ │ │ ├── .gitignore
│ │ │ ├── python
│ │ │ │ └── Makefile
│ │ │ └── Makefile
│ │ ├── persistent
│ │ │ ├── sample_inputs
│ │ │ │ ├── sample2.bin
│ │ │ │ ├── sample3.bin
│ │ │ │ ├── sample1.bin
│ │ │ │ ├── sample4.bin
│ │ │ │ └── sample5.bin
│ │ │ ├── .gitignore
│ │ │ ├── persistent_target
│ │ │ ├── simple_target_x86_64
│ │ │ ├── persistent_target_x86_64
│ │ │ ├── sample_all.sh
│ │ │ ├── COMPILE.md
│ │ │ ├── simple_target_noncrashing.c
│ │ │ └── persistent_target.c
│ │ ├── simple
│ │ │ ├── sample_inputs
│ │ │ │ ├── sample1.bin
│ │ │ │ ├── sample2.bin
│ │ │ │ ├── sample3.bin
│ │ │ │ ├── sample4.bin
│ │ │ │ └── sample5.bin
│ │ │ ├── simple_target.bin
│ │ │ └── simple_target.c
│ │ └── compcov_x64
│ │ │ ├── sample_inputs
│ │ │ └── sample1.bin
│ │ │ ├── compcov_target.bin
│ │ │ ├── compcov_target.elf
│ │ │ ├── COMPILE.md
│ │ │ └── compcov_target.c
│ └── update_uc_ref.sh
├── custom_mutators
│ ├── rust
│ │ ├── example_lain
│ │ │ ├── rust-toolchain
│ │ │ └── Cargo.toml
│ │ ├── Cargo.toml
│ │ ├── custom_mutator-sys
│ │ │ ├── src
│ │ │ │ └── lib.rs
│ │ │ ├── wrapper.h
│ │ │ └── Cargo.toml
│ │ ├── .gitignore
│ │ ├── custom_mutator
│ │ │ └── Cargo.toml
│ │ ├── example
│ │ │ ├── Cargo.toml
│ │ │ └── src
│ │ │ │ └── example_mutator.rs
│ │ └── README.md
│ ├── grammar_mutator
│ │ ├── GRAMMAR_VERSION
│ │ ├── README.md
│ │ └── update_grammar_ref.sh
│ ├── gramatron
│ │ ├── JSONC_VERSION
│ │ ├── preprocess
│ │ │ └── prep_automaton.sh
│ │ └── test.h
│ ├── honggfuzz
│ │ ├── libhfcommon
│ │ │ ├── log.h
│ │ │ ├── common.h
│ │ │ └── util.h
│ │ ├── README.md
│ │ ├── custom_mutator_helpers.h
│ │ ├── Makefile
│ │ └── mangle.h
│ ├── libprotobuf-mutator-example
│ │ ├── test.proto
│ │ ├── lpm_aflpp_custom_mutator_input.h
│ │ ├── README.md
│ │ ├── vuln.c
│ │ └── Android.bp
│ ├── examples
│ │ ├── Makefile
│ │ └── common.py
│ ├── radamsa
│ │ ├── radamsa.h
│ │ ├── README.md
│ │ ├── LICENSE
│ │ └── GNUmakefile
│ ├── symcc
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── test_examples
│ │ │ ├── stdin_test.c
│ │ │ └── file_test.c
│ └── libfuzzer
│ │ ├── README.md
│ │ ├── FuzzerFork.h
│ │ ├── FuzzerMain.cpp
│ │ ├── FuzzerSHA1.h
│ │ ├── FuzzerExtFunctions.h
│ │ ├── libfuzzer.inc
│ │ ├── FuzzerUtilLinux.cpp
│ │ ├── FuzzerRandom.h
│ │ └── FuzzerBuiltins.h
├── frida_mode
│ ├── many-linux
│ │ ├── realpath
│ │ ├── Makefile
│ │ ├── Dockerfile
│ │ ├── GNUmakefile
│ │ └── README.md
│ ├── .gitignore
│ ├── include
│ │ ├── output.h
│ │ ├── lib.h
│ │ ├── util.h
│ │ ├── intercept.h
│ │ ├── asan.h
│ │ ├── prefetch.h
│ │ ├── entry.h
│ │ ├── stalker.h
│ │ ├── frida_cmplog.h
│ │ ├── ranges.h
│ │ ├── ctx.h
│ │ ├── js.h
│ │ └── persistent.h
│ ├── test
│ │ ├── osx-lib
│ │ │ ├── Makefile
│ │ │ ├── lib.c
│ │ │ ├── harness3.c
│ │ │ └── lib2.c
│ │ ├── output
│ │ │ ├── Makefile
│ │ │ └── GNUmakefile
│ │ ├── deferred
│ │ │ └── Makefile
│ │ ├── exe
│ │ │ ├── Makefile
│ │ │ └── GNUmakefile
│ │ ├── jpeg
│ │ │ ├── Makefile
│ │ │ └── get_symbol_addr.py
│ │ ├── proj4
│ │ │ ├── Makefile
│ │ │ └── get_symbol_addr.py
│ │ ├── sqlite
│ │ │ └── Makefile
│ │ ├── entry_point
│ │ │ └── Makefile
│ │ ├── png
│ │ │ ├── Makefile
│ │ │ └── persistent
│ │ │ │ ├── Makefile
│ │ │ │ └── hook
│ │ │ │ ├── Makefile
│ │ │ │ ├── load.js
│ │ │ │ └── cmodule.js
│ │ ├── re2
│ │ │ └── Makefile
│ │ ├── testinstr
│ │ │ └── Makefile
│ │ ├── unstable
│ │ │ └── Makefile
│ │ ├── fasan
│ │ │ └── Makefile
│ │ ├── persistent_ret
│ │ │ └── Makefile
│ │ ├── cmplog
│ │ │ ├── Makefile
│ │ │ └── get_section_addrs.py
│ │ └── js
│ │ │ ├── Makefile
│ │ │ ├── entry.js
│ │ │ ├── patch.js
│ │ │ └── replace.js
│ ├── Makefile
│ ├── src
│ │ ├── ctx
│ │ │ └── ctx_arm32.c
│ │ ├── cmplog
│ │ │ └── cmplog_arm32.c
│ │ ├── asan
│ │ │ ├── asan_arm32.c
│ │ │ └── asan.c
│ │ ├── stats
│ │ │ └── stats_arm32.c
│ │ ├── instrument
│ │ │ └── instrument_arm32.c
│ │ ├── intercept.c
│ │ ├── persistent
│ │ │ └── persistent_arm32.c
│ │ ├── output.c
│ │ └── util.c
│ ├── ts
│ │ ├── tsconfig.json
│ │ ├── package-lock.json
│ │ └── package.json
│ ├── update_frida_version.sh
│ ├── frida.map
│ └── util
│ │ └── get_symbol_addr.sh
├── utils
│ ├── afl_untracer
│ │ ├── TODO
│ │ ├── patches.txt
│ │ ├── Makefile
│ │ └── libtestinstr.c
│ ├── optimin
│ │ ├── EVALMAXSAT_VERSION
│ │ ├── .gitignore
│ │ ├── src
│ │ │ └── CMakeLists.txt
│ │ └── CMakeLists.txt
│ ├── afl_network_proxy
│ │ └── Makefile
│ ├── aflpp_driver
│ │ ├── Makefile
│ │ ├── aflpp_driver_test.c
│ │ ├── aflpp_qemu_driver_hook.c
│ │ └── aflpp_qemu_driver.c
│ ├── autodict_ql
│ │ ├── qlpack.yml
│ │ ├── strcmp-str.ql
│ │ ├── strncmp-str.ql
│ │ ├── memcmp-str.ql
│ │ ├── litool.ql
│ │ ├── build-codeql.sh
│ │ └── strtool.ql
│ ├── qbdi_mode
│ │ ├── assets
│ │ │ └── screen1.png
│ │ └── demo-so.c
│ ├── afl_proxy
│ │ ├── Makefile
│ │ └── README.md
│ ├── qemu_persistent_hook
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── test.c
│ │ └── read_into_rdi.c
│ ├── plot_ui
│ │ ├── Makefile
│ │ └── README.md
│ ├── persistent_mode
│ │ └── Makefile
│ ├── socket_fuzzing
│ │ └── README.md
│ ├── libpng_no_checksum
│ │ └── libpng-nocrc.patch
│ ├── defork
│ │ ├── README.md
│ │ ├── forking_target.c
│ │ └── defork.c
│ ├── argv_fuzzing
│ │ └── README.md
│ └── libdislocator
│ │ └── Makefile
├── docs
│ └── resources
│ │ ├── afl_gzip.png
│ │ ├── screenshot.png
│ │ └── statsd-grafana.png
├── instrumentation
│ ├── Makefile
│ ├── llvm-alternative-coverage.h
│ ├── README.snapshot.md
│ ├── afl-llvm-rt-lto.o.c
│ ├── README.out_of_line.md
│ ├── README.ngram.md
│ └── README.cmplog.md
├── test
│ ├── test-unittests.sh
│ ├── test-all.sh
│ ├── test-custom-mutator.c
│ ├── test-dlopen.c
│ ├── test-multiple-mutators.c
│ ├── test-post.sh
│ ├── test-cmplog.c
│ ├── test-floatingpoint.c
│ ├── test-unsigaction.c
│ └── checkcommit.sh
├── Makefile
├── .gitmodules
├── .github
│ ├── ISSUE_TEMPLATE
│ │ ├── feature_request.md
│ │ └── bug_report.md
│ ├── workflows
│ │ ├── build_aflplusplus_docker.yaml
│ │ ├── codeql-analysis.yml
│ │ ├── rust_custom_mutator.yml
│ │ └── ci.yml
│ └── FUNDING.yml
├── CONTRIBUTING.md
└── .dockerignore
└── CITATION.cff
/.gitignore:
--------------------------------------------------------------------------------
1 | **.vscode/
2 | **__pycache__/
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/types.h:
--------------------------------------------------------------------------------
1 | include/types.h
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/config.h:
--------------------------------------------------------------------------------
1 | include/config.h
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/Changelog.md:
--------------------------------------------------------------------------------
1 | docs/Changelog.md
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/mysqld.dict:
--------------------------------------------------------------------------------
1 | user="root"
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/QEMUAFL_VERSION:
--------------------------------------------------------------------------------
1 | a6758d1cc3
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/text/hello_world.txt:
--------------------------------------------------------------------------------
1 | hello
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/UNICORNAFL_VERSION:
--------------------------------------------------------------------------------
1 | 9064bca9ba
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | abcd
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/sample_inputs/sample2.bin:
--------------------------------------------------------------------------------
1 | �
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/sample_inputs/sample3.bin:
--------------------------------------------------------------------------------
1 | �
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/sample_inputs/sample4.bin:
--------------------------------------------------------------------------------
1 | ��
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/sample_inputs/sample5.bin:
--------------------------------------------------------------------------------
1 | ���
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/sample_inputs/a:
--------------------------------------------------------------------------------
1 | a
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/example_lain/rust-toolchain:
--------------------------------------------------------------------------------
1 | nightly
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/js/small_script.js:
--------------------------------------------------------------------------------
1 | if (1==1) eval('1');
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/xml/small_document.xml:
--------------------------------------------------------------------------------
1 | d
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/sample_inputs/sample2.bin:
--------------------------------------------------------------------------------
1 | �
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/sample_inputs/sample3.bin:
--------------------------------------------------------------------------------
1 | �
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | abcd
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/sample_inputs/sample2.bin:
--------------------------------------------------------------------------------
1 | �
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/sample_inputs/sample3.bin:
--------------------------------------------------------------------------------
1 | �
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/sample_inputs/sample4.bin:
--------------------------------------------------------------------------------
1 | ��
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/sample_inputs/sample5.bin:
--------------------------------------------------------------------------------
1 | ���
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/grammar_mutator/GRAMMAR_VERSION:
--------------------------------------------------------------------------------
1 | eedf07d
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/rtf/small_document.rtf:
--------------------------------------------------------------------------------
1 | {\rtf1\pard Test\par}
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/.gitignore:
--------------------------------------------------------------------------------
1 | harness
2 | harness-debug
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | abcd
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/sample_inputs/sample4.bin:
--------------------------------------------------------------------------------
1 | ��
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/sample_inputs/sample5.bin:
--------------------------------------------------------------------------------
1 | ���
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/many-linux/realpath:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | readlink -f -- "$@"
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/rust/.gitignore:
--------------------------------------------------------------------------------
1 | target
2 | Cargo.lock
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_untracer/TODO:
--------------------------------------------------------------------------------
1 | * add shmem fuzzing
2 | * add snapshot feature?
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/optimin/EVALMAXSAT_VERSION:
--------------------------------------------------------------------------------
1 | 440bf90edf88f6ab940934129e3c5b3b93764295
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/csv.dict:
--------------------------------------------------------------------------------
1 | "\x00"
2 | "\r\n"
3 | ";;"
4 | ",,"
5 | "\t;"
6 | "\n;"
7 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/.gitignore:
--------------------------------------------------------------------------------
1 | harness
2 | harness-debug
3 | out
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_network_proxy/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo please use GNU make, thanks!
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/aflpp_driver/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @gmake all || echo please install GNUmake
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/gramatron/JSONC_VERSION:
--------------------------------------------------------------------------------
1 | af8dd4a307e7b837f9fa2959549548ace4afe08b
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | 00000000000000000000000000000000
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/libhfcommon/log.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_E
2 | #define LOG_E LOG_F
3 | #endif
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/libhfcommon/common.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_E
2 | #define LOG_E LOG_F
3 | #endif
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/libhfcommon/util.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_E
2 | #define LOG_E LOG_F
3 | #endif
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: autodict
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-cpp
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/zip.dict:
--------------------------------------------------------------------------------
1 | header1="\x50\x4B\x03\x04"
2 | header2="\x50\x4B\x05\x06"
3 | header2="\x50\x4B\x07\x08"
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/unsigaction/unsigaction.c:
--------------------------------------------------------------------------------
1 | int sigaction(int signum, void *act, void *oldact) {
2 | return 0;
3 | }
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/bz2.dict:
--------------------------------------------------------------------------------
1 | magic="BZ"
2 | compress_magic="\x31\x41\x59\x26\x53\x59"
3 | eos_magic="\x17\x72\x45\x38\x50\x90"
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/sql/simple_queries.sql:
--------------------------------------------------------------------------------
1 | create table t1(one smallint);
2 | insert into t1 values(1);
3 | select * from t1;
4 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/.gitignore:
--------------------------------------------------------------------------------
1 | output
2 | harness
3 | harness-debug
4 | target
5 | target.o
6 | target.offsets.*
7 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/docs/resources/afl_gzip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/docs/resources/afl_gzip.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/docs/resources/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/docs/resources/screenshot.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/.gitignore:
--------------------------------------------------------------------------------
1 | build/
2 | frida_test.dat
3 | qemu_test.dat
4 | frida_out/**
5 | qemu_out/**
6 | ts/dist/
7 | ts/node_modules/
8 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo "no need to do make in the instrumentation/ directory :) - it is all done in the main one"
3 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/docs/resources/statsd-grafana.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/docs/resources/statsd-grafana.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/av1_dc.dict:
--------------------------------------------------------------------------------
1 | # IVF Signature + version (bytes 0-5)
2 | kw1="DKIF\x00\x00"
3 |
4 | # AV1 codec fourCC (bytes 8-11)
5 | kw2="AV01"
6 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/theme-load-fuzz.dict:
--------------------------------------------------------------------------------
1 | "{"
2 | "}"
3 | "\""
4 | ";"
5 | "="
6 | "formats"
7 | "replaces"
8 | "abstracts"
9 | "timestamp"
10 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/bmp/not_kitty.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/bmp/not_kitty.bmp
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/gif/not_kitty.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/gif/not_kitty.gif
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/ico/not_kitty.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/ico/not_kitty.ico
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/jp2/not_kitty.jp2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/jp2/not_kitty.jp2
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/jpeg/not_kitty.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/jpeg/not_kitty.jpg
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/jxr/not_kitty.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/jxr/not_kitty.jxr
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/png/not_kitty.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/png/not_kitty.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/elf/small_exec.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/others/elf/small_exec.elf
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/qbdi_mode/assets/screen1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/utils/qbdi_mode/assets/screen1.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/png/not_kitty_icc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/png/not_kitty_icc.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/webp/not_kitty.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/webp/not_kitty.webp
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/png/not_kitty_alpha.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/png/not_kitty_alpha.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/images/png/not_kitty_gamma.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/images/png/not_kitty_gamma.png
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/pcap/small_capture.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/others/pcap/small_capture.pcap
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/multimedia/h264/small_movie.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/multimedia/h264/small_movie.mp4
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/simple_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/c/simple_target_x86_64
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/xz/small_archive.xz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/xz/small_archive.xz
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/simple_target.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/simple/simple_target.bin
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libprotobuf-mutator-example/test.proto:
--------------------------------------------------------------------------------
1 | syntax = "proto2";
2 |
3 | message TEST {
4 | required uint32 a = 1;
5 | required string b = 2;
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/cab/small_archive.cab:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/cab/small_archive.cab
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/gzip/small_archive.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/gzip/small_archive.gz
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/lzo/small_archive.lzo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/lzo/small_archive.lzo
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/rar/small_archive.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/rar/small_archive.rar
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/zip/small_archive.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/zip/small_archive.zip
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/arj/small_archive.arj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/arj/small_archive.arj
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/lha/small_archive.lha:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/lha/small_archive.lha
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/lzip/small_archive.lz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/lzip/small_archive.lz
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/rzip/small_archive.rz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/rzip/small_archive.rz
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/zoo/small_archive.zoo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/zoo/small_archive.zoo
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/persistent_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/c/persistent_target_x86_64
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_proxy/Makefile:
--------------------------------------------------------------------------------
1 | all: afl-proxy
2 |
3 | afl-proxy: afl-proxy.c
4 | $(CC) -I../../include -o afl-proxy afl-proxy.c
5 |
6 | clean:
7 | rm -f afl-proxy *~ core
8 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/bzip2/small_archive.bz2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/bzip2/small_archive.bz2
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/compress/small_archive.Z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/compress/small_archive.Z
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/cpio/small_archive.cpio:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/common/cpio/small_archive.cpio
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/lrzip/small_archive.lrz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/lrzip/small_archive.lrz
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/exotic/lzma/small_archive.lzma:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/testcases/archives/exotic/lzma/small_archive.lzma
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/persistent_target:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/persistent_target
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/compcov_target.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/compcov_target.bin
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/compcov_target.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/compcov_target.elf
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/simple_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/simple_target_x86_64
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/persistent_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HexHive/Evocatio/HEAD/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/persistent_target_x86_64
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/qemu_persistent_hook/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | $(CC) -no-pie test.c -o test
3 | $(CC) -fPIC -shared read_into_rdi.c -o read_into_rdi.so
4 |
5 | clean:
6 | rm -rf in out test read_into_rdi.so
7 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include "test.pb.h"
3 |
4 | class MyMutator : public protobuf_mutator::Mutator {
5 | };
6 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/vpx_dec.dict:
--------------------------------------------------------------------------------
1 | # IVF Signature + version (bytes 0-5)
2 | kw1="DKIF\x00\x00"
3 |
4 | # VP9 codec fourCC (bytes 8-11)
5 | kw2="VP90"
6 |
7 | # VP8 codec fourCC (bytes 8-11)
8 | kw3="VP80"
9 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/many-linux/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | clean:
6 | @gmake clean
7 |
8 | shell:
9 | @gmake shell
10 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/Cargo.toml:
--------------------------------------------------------------------------------
1 | [workspace]
2 | members = [
3 | "custom_mutator-sys",
4 | "custom_mutator",
5 | "example",
6 | # Lain needs a nightly toolchain
7 | # "example_lain",
8 | ]
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/tokener_parse_ex.dict:
--------------------------------------------------------------------------------
1 | "{"
2 | "}"
3 | ","
4 | "["
5 | "]"
6 | ","
7 | ":"
8 | "e"
9 | "e+"
10 | "e-"
11 | "E"
12 | "E+"
13 | "E-"
14 | "\""
15 | "null"
16 | "1"
17 | "1.234"
18 | "3e4"
19 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/others/pdf/small.pdf:
--------------------------------------------------------------------------------
1 | %PDF-1.0
2 | 1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj trailer<>
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/custom_mutator-sys/src/lib.rs:
--------------------------------------------------------------------------------
1 | #![allow(non_upper_case_globals)]
2 | #![allow(non_camel_case_types)]
3 | #![allow(non_snake_case)]
4 |
5 | include!(concat!(env!("OUT_DIR"), "/bindings.rs"));
6 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/custom_mutator-sys/wrapper.h:
--------------------------------------------------------------------------------
1 | #include "../../../include/afl-fuzz.h"
2 | #include "../../../include/common.h"
3 | #include "../../../include/config.h"
4 | #include "../../../include/debug.h"
5 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/math.dict:
--------------------------------------------------------------------------------
1 | "{"
2 | "}"
3 | ","
4 | "["
5 | "]"
6 | ","
7 | ":"
8 | "e"
9 | "e+"
10 | "e-"
11 | "E"
12 | "E+"
13 | "E-"
14 | "\""
15 | "\\"
16 | " "
17 | "null"
18 | "1"
19 | "1.234"
20 | "3e4"
21 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/strcmp-str.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
3 | /// function : strcmp
4 |
5 | from FunctionCall fucall, Expr size
6 | where
7 | fucall.getTarget().hasName("strcmp")
8 | select fucall.getArgument(_).getValueText()
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/grammar_mutator/README.md:
--------------------------------------------------------------------------------
1 | # Grammar-Mutator
2 |
3 | This is just a stub directory that will clone the real grammar mutator
4 | directory.
5 |
6 | Execute `./build_grammar_mutator.sh` to set everything up.
7 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/bmp.dict:
--------------------------------------------------------------------------------
1 | windows="BM"
2 | os2_bitmap="BA"
3 | os2_icon="CI"
4 | os2_pointer="CP"
5 | os2_struct="IC"
6 | os2_ptr="PT"
7 | windows_color_space="Win "
8 | srgb="sRGB"
9 | link="LINK"
10 | mbed="MBED"
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/strncmp-str.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
3 | /// function : strncmp
4 |
5 | from FunctionCall fucall, Expr size
6 | where
7 | fucall.getTarget().hasName("strncmp")
8 | select fucall.getArgument(_).getValueText()
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/memcmp-str.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
3 | /// function : memcmp trace
4 |
5 | from FunctionCall fucall, Expr size
6 | where
7 | fucall.getTarget().hasName("memcmp")
8 | select fucall.getArgument(_).getValueText()
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/pcap.dict:
--------------------------------------------------------------------------------
1 | # https://www.tcpdump.org/pcap/pcap.html
2 |
3 | # Headers
4 | "\xa1\xb2\xc3\xd4"
5 | "\xd4\xc3\xb2\xa1"
6 | "\xa1\xb2\x3c\x4d"
7 | "\x4d\x3c\xb2\xa1"
8 |
9 |
10 | current_version="\x02\x00\x04\x00"
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/optimin/.gitignore:
--------------------------------------------------------------------------------
1 | CMakeLists.txt.user
2 | CMakeCache.txt
3 | CMakeFiles
4 | CMakeScripts
5 | Testing
6 | Makefile
7 | cmake_install.cmake
8 | install_manifest.txt
9 | compile_commands.json
10 | CTestTestfile.cmake
11 | _deps
12 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/examples/Makefile:
--------------------------------------------------------------------------------
1 | all: libexamplemutator.so
2 |
3 | libexamplemutator.so:
4 | $(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so
5 |
6 | clean:
7 | rm -rf libexamplemutator.so
8 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/output.h:
--------------------------------------------------------------------------------
1 | #ifndef _OUTPUT_H
2 | #define _OUTPUT_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | extern char *output_stdout;
7 | extern char *output_stderr;
8 |
9 | void output_config(void);
10 | void output_init(void);
11 |
12 | #endif
13 |
14 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/unsigaction/README.md:
--------------------------------------------------------------------------------
1 | # unsigaction
2 |
3 | This library disables sigaction handlers when preloaded.
4 |
5 | Mainly needed by Wine mode but can be used as a separate tool.
6 |
7 | A similar solution can be found in [preeny](https://github.com/zardus/preeny).
8 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-unittests.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | . ./test-pre.sh
4 |
5 | $ECHO "$BLUE[*] Execution cmocka Unit-Tests $GREY"
6 | unset AFL_CC
7 | make -C .. unit || CODE=1 INCOMPLETE=1 :
8 | rm -rf unittests/unit_hash unittests/unit_rand
9 |
10 | . ./test-post.sh
11 |
12 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/lib.h:
--------------------------------------------------------------------------------
1 | #ifndef _LIB_H
2 | #define _LIB_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | void lib_config(void);
7 |
8 | void lib_init(void);
9 |
10 | guint64 lib_get_text_base(void);
11 |
12 | guint64 lib_get_text_limit(void);
13 |
14 | #endif
15 |
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/litool.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
3 | class HexOrOctLiteral extends Literal{
4 | HexOrOctLiteral(){
5 | (this instanceof HexLiteral) or (this instanceof OctalLiteral)
6 | }
7 | }
8 |
9 | from HexOrOctLiteral lit
10 | select lit.getValueText()
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/plot_ui/Makefile:
--------------------------------------------------------------------------------
1 | CFLAGS=`pkg-config --cflags gtk+-3.0`
2 | LDFLAGS=`pkg-config --libs gtk+-3.0`
3 |
4 | all: afl-plot-ui
5 |
6 | afl-plot-ui: afl-plot-ui.c
7 | $(CC) $(CFLAGS) -o afl-plot-ui afl-plot-ui.c $(LDFLAGS)
8 |
9 | clean:
10 | rm -f afl-plot-ui
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/riff.dict:
--------------------------------------------------------------------------------
1 | # https://developers.google.com/speed/webp/docs/riff_container
2 |
3 | # FourCC
4 | "ALPH"
5 | "ANIM"
6 | "ANMF"
7 | "EXIF"
8 | "ICCP"
9 | "RIFF"
10 | "VP8 "
11 | "VP8L"
12 | "VP8X"
13 | "WEBP"
14 | "XMP "
15 |
16 | # VP8 signature
17 | "\x9D\x01\x2A"
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/osx-lib/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | clean:
6 | @gmake clean
7 |
8 | frida_persistent:
9 | @gmake frida_persistent
10 |
11 | frida_persistent_hook:
12 | @gmake frida_persistent_hook
13 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/output/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/deferred/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libprotobuf-mutator-example/README.md:
--------------------------------------------------------------------------------
1 | Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input)
2 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/stata.dict:
--------------------------------------------------------------------------------
1 | " "
2 | ")"
3 | "*/"
4 | "/*"
5 | "_column("
6 | "_firstlineoffile("
7 | "_line("
8 | "_lines("
9 | "_lrecl("
10 | "_newline"
11 | "_skip("
12 | "byte"
13 | "dictionary"
14 | "double"
15 | "float"
16 | "infile"
17 | "int"
18 | "long"
19 | "str"
20 | "using"
21 | "{"
22 | "}"
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/util.h:
--------------------------------------------------------------------------------
1 | #ifndef _UTIL_H
2 | #define _UTIL_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | #define UNUSED_PARAMETER(x) (void)(x)
7 | #define IGNORED_RETURN(x) (void)!(x)
8 |
9 | guint64 util_read_address(char *key);
10 |
11 | guint64 util_read_num(char *key);
12 |
13 | #endif
14 |
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/perl.dict:
--------------------------------------------------------------------------------
1 |
2 | #
3 | # AFL dictionary for fuzzing Perl
4 | # --------------------------------
5 | #
6 | # Created by @RandomDhiraj
7 | #
8 |
9 | "<:crlf"
10 | "fwrite()"
11 | "fread()"
12 | ":raw:utf8"
13 | ":raw:eol(LF)"
14 | "Perl_invert()"
15 | ":raw:eol(CRLF)"
16 | "Perl_PerlIO_eof()"
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/intercept.h:
--------------------------------------------------------------------------------
1 | #ifndef _INTERCEPTOR_H
2 | #define _INTERCEPTOR_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | void intercept_hook(void *address, gpointer replacement, gpointer user_data);
7 | void intercept_unhook(void *address);
8 | void intercept_unhook_self(void);
9 |
10 | #endif
11 |
12 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/creole.dict:
--------------------------------------------------------------------------------
1 | # http://www.wikicreole.org/wiki/Creole1.0
2 |
3 | bold="**"
4 | italic="//"
5 | heading="=="
6 | link1="[[a|b]]"
7 | link2="[[a:b]]"
8 | hr="----"
9 | img=" {{a|b}}"
10 | table_heading="|=a |=b |"
11 | raw="{{{a}}}"
12 | escape="~"
13 | placeholder="<<>>"
14 | line_break="\\\\"
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | format:
13 | @gmake format
14 |
15 | hook:
16 | @gmake hook
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/ctx/ctx_arm32.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "ctx.h"
6 |
7 | #if defined(__arm__)
8 |
9 | gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) {
10 |
11 | FATAL("ctx_read_reg unimplemented for this architecture");
12 |
13 | }
14 |
15 | #endif
16 |
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/exe/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | frida:
16 | @gmake frida
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/jpeg/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
15 | debug:
16 | @gmake debug
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/archives/common/ar/small_archive.a:
--------------------------------------------------------------------------------
1 | !
2 | limerick/ 1415337776 500 500 100640 191 `
3 | There was a young man from Japan
4 | Whose limericks never would scan.
5 | When asked why that was,
6 | He replied "It's because
7 | I always try to cram as many words into the last line as I possibly can."
8 |
9 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/radamsa/radamsa.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | void radamsa_init(void);
5 |
6 | size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max,
7 | unsigned int seed);
8 |
9 | size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed);
10 |
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/asan.h:
--------------------------------------------------------------------------------
1 | #ifndef _ASAN_H
2 | #define _ASAN_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | extern gboolean asan_initialized;
7 |
8 | void asan_config(void);
9 | void asan_init(void);
10 | void asan_arch_init(void);
11 | void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
12 |
13 | #endif
14 |
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/proj4/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
15 | debug:
16 | @gmake debug
17 |
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/sqlite/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
15 | debug:
16 | @gmake debug
17 |
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/radamsa/README.md:
--------------------------------------------------------------------------------
1 | # custum mutator: libradamsa
2 |
3 | Pretranslated radamsa library. This code belongs to the radamsa author.
4 |
5 | > Original repository: https://gitlab.com/akihe/radamsa
6 |
7 | > Source commit: 7b2cc2d0
8 |
9 | > The code here is adapted for AFL++ with minor changes respect the original version
10 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/entry_point/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
15 | frida_entry:
16 | @gmake frida
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/symcc/Makefile:
--------------------------------------------------------------------------------
1 |
2 | ifdef DEBUG
3 | CFLAGS += -DDEBUG
4 | endif
5 |
6 | all: symcc-mutator.so
7 |
8 | CFLAGS += -O3 -funroll-loops
9 |
10 | symcc-mutator.so: symcc.c
11 | $(CC) $(CFLAGS) $(CPPFLAGS) -g -I../../include -shared -fPIC -o symcc-mutator.so symcc.c
12 |
13 | clean:
14 | rm -f symcc-mutator.so *.o *~ core
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/iccprofile.dict:
--------------------------------------------------------------------------------
1 | # Dict for ICC profiles parsed by skcms.
2 |
3 | "mft1"
4 | "mft2"
5 | "mAB "
6 | "rXYZ"
7 | "gXYZ"
8 | "bXYZ"
9 | "rTRC"
10 | "gTRC"
11 | "bTRC"
12 | "kTRC"
13 | "A2B0"
14 | "curv"
15 | "para"
16 | "mluc"
17 | "XYZ "
18 | "Lab "
19 | "RGB "
20 | "CMYK"
21 | "GRAY"
22 | "mntr"
23 | "scnr"
24 | "prtr"
25 | "spac"
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/ts/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "compilerOptions": {
3 | "target": "es2020",
4 | "lib": ["es2020"],
5 | "strict": true,
6 | "module": "commonjs",
7 | "esModuleInterop": true,
8 | "declaration": true,
9 | "outDir": "./dist"
10 | },
11 | "include": [
12 | "lib/**/*"
13 | ]
14 | }
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/prefetch.h:
--------------------------------------------------------------------------------
1 | #ifndef _PREFETCH_H
2 | #define _PREFETCH_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | extern gboolean prefetch_enable;
7 | extern gboolean prefetch_backpatch;
8 |
9 | void prefetch_config(void);
10 | void prefetch_init(void);
11 | void prefetch_write(void *addr);
12 | void prefetch_read(void);
13 |
14 | #endif
15 |
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/png/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | frida:
16 | @gmake frida
17 |
18 | debug:
19 | @gmake debug
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_proxy/README.md:
--------------------------------------------------------------------------------
1 | # afl-proxy
2 |
3 | afl-proxy is an example skeleton file which can easily be used to fuzz
4 | and instrument non-standard things.
5 |
6 | You only need to change the while() loop of the main() to send the
7 | data of buf[] with length len to the target and write the coverage
8 | information to __afl_area_ptr[__afl_map_size]
9 |
10 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/many-linux/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM fridadotre/manylinux-x86_64
2 |
3 | COPY realpath /bin/realpath
4 | RUN chmod +x /bin/realpath
5 |
6 | RUN yum -y install xz
7 | RUN yum -y install vim-common
8 |
9 | WORKDIR /AFLplusplus
10 | ENV CFLAGS="\
11 | -DADDR_NO_RANDOMIZE=0x0040000 \
12 | -Wno-implicit-function-declaration \
13 | "
14 | ENV CXX=$CC
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/re2/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | frida:
16 | @gmake frida
17 |
18 | debug:
19 | @gmake debug
20 |
21 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/testinstr/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | frida:
16 | @gmake frida
17 |
18 | debug:
19 | @gmake debug
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/unstable/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | frida:
16 | @gmake frida
17 |
18 | debug:
19 | @gmake debug
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/gif.dict:
--------------------------------------------------------------------------------
1 | #
2 | # AFL dictionary for GIF images
3 | # -----------------------------
4 | #
5 | # Created by Michal Zalewski
6 | #
7 |
8 | header_87a="87a"
9 | header_89a="89a"
10 | header_gif="GIF"
11 |
12 | marker_2c=","
13 | marker_3b=";"
14 |
15 | section_2101="!\x01\x12"
16 | section_21f9="!\xf9\x04"
17 | section_21fe="!\xfe"
18 | section_21ff="!\xff\x11"
19 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/sample_all.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | [ -z "${UNAME}" ] && UNAME=$(uname)
4 |
5 | DIR=`dirname $0`
6 |
7 | if [ "$UNAME" = Darwin ]; then
8 | export DYLD_LIBRARY_PATH=../../unicorn
9 | else
10 | export LD_LIBRARY_PATH=../../unicorn
11 | fi
12 |
13 |
14 |
15 | if [ ! test -e $DIR/harness]; then
16 | echo "[!] harness not found in $DIR"
17 | exit 1
18 | fi
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/python/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: all fuzz
2 |
3 | all: ../target
4 |
5 | afl-fuzz: ../../../../afl-fuzz
6 | ../../../../afl-fuzz:
7 | $(MAKE) -C ../../../../ afl-fuzz
8 |
9 |
10 | ../target:
11 | $(MAKE) -C ..
12 |
13 | fuzz: all afl-fuzz
14 | rm -rf ./ouptput
15 | ../../../../afl-fuzz -s 1 -U -i ../sample_inputs -o ./output -- python3 harness.py @@
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/.gitignore:
--------------------------------------------------------------------------------
1 | # Generated by Cargo
2 | # will have compiled files and executables
3 | /target/
4 |
5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
7 | Cargo.lock
8 |
9 | # These are backup files generated by rustfmt
10 | **/*.rs.bk
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/vhd.dict:
--------------------------------------------------------------------------------
1 | # https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-VHDX/%5bMS-VHDX%5d.pdf
2 |
3 | magic="\x65\x6C\x69\x66\x78\x64\x68\x76"
4 | head="\x64\x61\x65\x68"
5 | regi="\x69\x67\x65\x72"
6 | loge="\x65\x67\x6F\x6C"
7 | zero="\x6F\x72\x65\x7A"
8 | desc="\x63\x73\x65\x64"
9 | data="\x61\x74\x61\x64"
10 | metadata="\x61\x74\x61\x64\x61\x74\x65\x6D"
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_untracer/patches.txt:
--------------------------------------------------------------------------------
1 | libtestinstr.so:0x1000
2 | 0x10
3 | 0x12
4 | 0x20
5 | 0x36
6 | 0x30
7 | 0x40
8 | 0x50
9 | 0x63
10 | 0x6f
11 | 0x78
12 | 0x80
13 | 0xa4
14 | 0xb0
15 | 0xb8
16 | 0x100
17 | 0xc0
18 | 0xc9
19 | 0xd7
20 | 0xe3
21 | 0xe8
22 | 0xf8
23 | 0x105
24 | 0x11a
25 | 0x135
26 | 0x141
27 | 0x143
28 | 0x14e
29 | 0x15a
30 | 0x15c
31 | 0x168
32 | 0x16a
33 | 0x16b
34 | 0x170
35 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/custom_mutator-sys/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "custom_mutator-sys"
3 | version = "0.1.0"
4 | authors = ["Julius Hohnerlein "]
5 | edition = "2018"
6 |
7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
8 |
9 | [dependencies]
10 |
11 | [build-dependencies]
12 | bindgen = "0.56"
13 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/sample_all.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | [ -z "${UNAME}" ] && UNAME=$(uname)
4 |
5 | DIR=`dirname $0`
6 |
7 | if [ "$UNAME" = Darwin ]; then
8 | export DYLD_LIBRARY_PATH=../../unicorn
9 | else
10 | export LD_LIBRARY_PATH=../../unicorn
11 | fi
12 |
13 |
14 |
15 | if [ ! test -e $DIR/harness]; then
16 | echo "[!] harness not found in $DIR"
17 | exit 1
18 | fi
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/ts/package-lock.json:
--------------------------------------------------------------------------------
1 | {
2 | "requires": true,
3 | "lockfileVersion": 1,
4 | "dependencies": {
5 | "tsc": {
6 | "version": "2.0.3",
7 | "resolved": "https://registry.npmjs.org/tsc/-/tsc-2.0.3.tgz",
8 | "integrity": "sha512-SN+9zBUtrpUcOpaUO7GjkEHgWtf22c7FKbKCA4e858eEM7Qz86rRDpgOU2lBIDf0fLCsEg65ms899UMUIB2+Ow==",
9 | "dev": true
10 | }
11 | }
12 | }
13 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/fasan/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida-noasan:
13 | @gmake frida-noasan
14 |
15 | frida:
16 | @gmake frida
17 |
18 | debug:
19 | @gmake debug
20 |
21 | run:
22 | @gmake run
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/osx-lib/lib.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 |
6 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
7 |
8 | if (Size < 5) return;
9 |
10 | if (Data[0] == 'F')
11 | if (Data[1] == 'A')
12 | if (Data[2] == '$')
13 | if (Data[3] == '$')
14 | if (Data[4] == '$') abort();
15 |
16 |
17 | }
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-all.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | . ./test-pre.sh
4 |
5 | . ./test-basic.sh
6 |
7 | . ./test-llvm.sh
8 |
9 | . ./test-llvm-lto.sh
10 |
11 | . ./test-gcc-plugin.sh
12 |
13 | . ./test-libextensions.sh
14 |
15 | . ./test-qemu-mode.sh
16 |
17 | . ./test-frida-mode.sh
18 |
19 | . ./test-unicorn-mode.sh
20 |
21 | . ./test-custom-mutators.sh
22 |
23 | . ./test-unittests.sh
24 |
25 | . ./test-post.sh
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/Makefile:
--------------------------------------------------------------------------------
1 | CFLAGS += -Wall -Werror -Wextra -Wpedantic -Og -g -fPIE
2 |
3 | .PHONY: all clean
4 |
5 | all: target target.offsets.main
6 |
7 | clean:
8 | rm -rf *.o target target.offsets.*
9 |
10 | target.o: target.c
11 | ${CC} ${CFLAGS} -c target.c -o $@
12 |
13 | target: target.o
14 | ${CC} ${CFLAGS} target.o -o $@
15 |
16 | target.offsets.main: target
17 | ./get_offsets.py
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/rust/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "unicornafl_harness"
3 | version = "0.1.0"
4 | authors = ["Dominik Maier "]
5 | edition = "2018"
6 |
7 | [profile.release]
8 | lto = true
9 | opt-level = 3
10 | panic = "abort"
11 |
12 | [dependencies]
13 | unicornafl = { path = "../../../unicornafl/bindings/rust/", version="1.0.0" }
14 | capstone="0.6.0"
15 | libc="0.2.66"
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libprotobuf-mutator-example/vuln.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | int main(int argc, char *argv[])
8 | {
9 | char str[100]={};
10 | read(0, str, 100);
11 | int *ptr = NULL;
12 | if( str[0] == '\x02' || str[0] == '\xe8') {
13 | *ptr = 123;
14 | }
15 | return 0;
16 | }
17 |
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/persistent_ret/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida:
13 | @gmake frida
14 |
15 | frida_ret:
16 | @gmake frida_ret
17 |
18 | debug:
19 | @gmake debug
20 |
21 | run:
22 | @gmake run
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/djvu.dict:
--------------------------------------------------------------------------------
1 | "ANTa"
2 | "ANTz"
3 | "BG2k"
4 | "BG44"
5 | "BGjp"
6 | "BM44"
7 | "CELX"
8 | "DIRM"
9 | "DJVI"
10 | "DJVM"
11 | "DJVU"
12 | "Djbz"
13 | "FAKE"
14 | "FG2k"
15 | "FG44"
16 | "FGbz"
17 | "FGjp"
18 | "FORM"
19 | "INCL"
20 | "INFO"
21 | "LINK"
22 | "METa"
23 | "METz"
24 | "NAVM"
25 | "NDIR"
26 | "PM44"
27 | "SINF"
28 | "Sjbz"
29 | "Smmr"
30 | "TH44"
31 | "THUM"
32 | "TXTa"
33 | "TXTz"
34 | "WMRM"
35 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/entry.h:
--------------------------------------------------------------------------------
1 | #ifndef _ENTRY_H
2 | #define _ENTRY_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | extern guint64 entry_point;
7 | extern gboolean entry_compiled;
8 | extern gboolean entry_run;
9 |
10 | void entry_config(void);
11 |
12 | void entry_init(void);
13 |
14 | void entry_start(void);
15 |
16 | void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output);
17 |
18 | #endif
19 |
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_untracer/Makefile:
--------------------------------------------------------------------------------
1 | ifdef DEBUG
2 | OPT=-O0
3 | else
4 | OPT=-O3
5 | endif
6 |
7 | all: afl-untracer libtestinstr.so
8 |
9 | afl-untracer: afl-untracer.c
10 | $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl
11 |
12 | libtestinstr.so: libtestinstr.c
13 | $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c
14 |
15 | clean:
16 | rm -f afl-untracer libtestinstr.so *~ core
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/stalker.h:
--------------------------------------------------------------------------------
1 | #ifndef _STALKER_H
2 | #define _STALKER_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | extern guint stalker_ic_entries;
7 |
8 | void stalker_config(void);
9 | void stalker_init(void);
10 | GumStalker *stalker_get(void);
11 | void stalker_start(void);
12 | void stalker_trust(void);
13 |
14 | GumStalkerObserver *stalker_get_observer(void);
15 |
16 | #endif
17 |
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/frida_cmplog.h:
--------------------------------------------------------------------------------
1 | #ifndef _CMPLOG_H
2 | #define _CMPLOG_H
3 |
4 | extern struct cmp_map *__afl_cmp_map;
5 |
6 | void cmplog_config(void);
7 | void cmplog_init(void);
8 |
9 | /* Functions to be implemented by the different architectures */
10 | void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
11 |
12 | gboolean cmplog_is_readable(guint64 addr, size_t size);
13 |
14 | #endif
15 |
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/qemu_persistent_hook/README.md:
--------------------------------------------------------------------------------
1 | # QEMU persistent hook example
2 |
3 | Compile the test binary and the library:
4 |
5 | ```
6 | make
7 | ```
8 |
9 | Fuzz with:
10 |
11 | ```
12 | export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test | grep "T target_func" | awk '{print $1}')
13 | export AFL_QEMU_PERSISTENT_HOOK=./read_into_rdi.so
14 |
15 | mkdir in
16 | echo 0000 > in/in
17 |
18 | ../../afl-fuzz -Q -i in -o out -- ./test
19 | ```
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/persistent_mode/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | ../../afl-clang-fast -o persistent_demo persistent_demo.c
3 | ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c
4 | AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c
5 |
6 | document:
7 | AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c
8 |
9 | clean:
10 | rm -f persistent_demo persistent_demo_new test-instr
11 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/webp.dict:
--------------------------------------------------------------------------------
1 | #
2 | # AFL dictionary for WebP images
3 | # ------------------------------
4 | #
5 | # Created by Michal Zalewski
6 | #
7 |
8 | header_RIFF="RIFF"
9 | header_WEBP="WEBP"
10 |
11 | section_ALPH="ALPH"
12 | section_ANIM="ANIM"
13 | section_ANMF="ANMF"
14 | section_EXIF="EXIF"
15 | section_FRGM="FRGM"
16 | section_ICCP="ICCP"
17 | section_VP8="VP8 "
18 | section_VP8L="VP8L"
19 | section_VP8X="VP8X"
20 | section_XMP="XMP "
21 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/jpeg2000.dict:
--------------------------------------------------------------------------------
1 | type="jP "
2 | ftyp="ftyp"
3 | subtype1="jp2 "
4 | subtype2="jp20"
5 | subtype3="jpm "
6 | subtype4="jpx "
7 | subtype5="jp2h"
8 | subtype6="jpxb"
9 | subtype7="mjp2"
10 | subtype8="mj2s"
11 | subtype9="jp2c"
12 | subtype10="jpch"
13 | subtype11="jplh"
14 | codestream="\xFF\x4F\xFF\x51"
15 | signature="\x0d\x0a\x87\x0a"
16 | tag1="hdr"
17 | tag2="colr"
18 | tag3="url"
19 | tag4="req"
20 | tag5="res"
21 | tag6="page"
22 | tag7="obj"
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/cmplog/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | frida:
16 | @gmake frida
17 |
18 |
19 | frida-nocmplog:
20 | @gmake frida-nocmplog
21 |
22 | format:
23 | @gmake format
24 |
25 | debug:
26 | @gmake debug
27 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/png/persistent/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | qemu:
13 | @gmake qemu
14 |
15 | qemu_entry:
16 | @gmake qemu_entry
17 |
18 | frida:
19 | @gmake frida
20 |
21 | frida_entry:
22 | @gmake frida_entry
23 |
24 | debug:
25 | @gmake debug
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/optimin/src/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | add_executable(optimin OptiMin.cpp)
2 |
3 | foreach(LIB MaLib EvalMaxSAT glucose)
4 | target_include_directories(optimin PRIVATE
5 | "${CMAKE_SOURCE_DIR}/EvalMaxSAT/lib/${LIB}/src")
6 | target_link_libraries(optimin ${LIB})
7 | endforeach(LIB)
8 |
9 | llvm_map_components_to_libnames(LLVM_LIBS support)
10 | target_link_libraries(optimin ${LLVM_LIBS})
11 |
12 | install(TARGETS optimin RUNTIME DESTINATION bin)
13 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/sas.dict:
--------------------------------------------------------------------------------
1 | " "
2 | "#"
3 | "$"
4 | "$CHAR"
5 | "%LET"
6 | "("
7 | ")"
8 | "*/"
9 | "/*"
10 | ";"
11 | "@"
12 | "ATTRIB"
13 | "CLEAR"
14 | "CONTENTS"
15 | "DATA"
16 | "DATE"
17 | "FILENAME"
18 | "FOOTNOTE"
19 | "FORMAT"
20 | "IF"
21 | "INFILE"
22 | "INPUT"
23 | "INVALUE"
24 | "LABEL"
25 | "LENGTH"
26 | "LIBNAME"
27 | "LIST"
28 | "MISSING"
29 | "OPTIONS"
30 | "OTHER"
31 | "PRINT"
32 | "PROC"
33 | "RUN"
34 | "VALUE"
35 | "_ALL_"
36 | "dlm"
37 | "firstobs"
38 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/custom_mutator/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "custom_mutator"
3 | version = "0.1.0"
4 | authors = ["Julius Hohnerlein "]
5 | edition = "2018"
6 |
7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
8 |
9 | [features]
10 | afl_internals = ["custom_mutator-sys"]
11 |
12 | [dependencies]
13 | custom_mutator-sys = { path = "../custom_mutator-sys", optional=true }
14 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/cmplog/cmplog_arm32.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "frida_cmplog.h"
6 | #include "util.h"
7 |
8 | #if defined(__arm__)
9 | void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
10 |
11 | UNUSED_PARAMETER(instr);
12 | UNUSED_PARAMETER(iterator);
13 | if (__afl_cmp_map == NULL) { return; }
14 | FATAL("CMPLOG mode not supported on this architecture");
15 |
16 | }
17 |
18 | #endif
19 |
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/socket_fuzzing/README.md:
--------------------------------------------------------------------------------
1 | # socketfuzz
2 |
3 | when you want to fuzz a network service and you can not/do not want to modify
4 | the source (or just have a binary), then this LD_PRELOAD library will allow
5 | for sending input to stdin which the target binary will think is coming from
6 | a network socket.
7 |
8 | This is desock_dup.c from the amazing preeny project
9 | https://github.com/zardus/preeny
10 |
11 | It is packaged in AFL++ to have it at hand if needed
12 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/llvm-alternative-coverage.h:
--------------------------------------------------------------------------------
1 | #ifndef AFL_NGRAM_CONFIG_H
2 | #define AFL_NGRAM_CONFIG_H
3 |
4 | #include "types.h"
5 |
6 | #if (MAP_SIZE_POW2 <= 16)
7 | typedef u16 PREV_LOC_T;
8 | #elif (MAP_SIZE_POW2 <= 32)
9 | typedef u32 PREV_LOC_T;
10 | #else
11 | typedef u64 PREV_LOC_T;
12 | #endif
13 |
14 | /* Maximum ngram size */
15 | #define NGRAM_SIZE_MAX 16U
16 |
17 | /* Maximum K for top-K context sensitivity */
18 | #define CTX_MAX_K 32U
19 |
20 | #endif
21 |
22 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-custom-mutator.c:
--------------------------------------------------------------------------------
1 | /**
2 | * Reference:
3 | * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c
4 | */
5 |
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | int main(int argc, char *argv[]) {
13 |
14 | char str[100];
15 | read(0, str, 100);
16 | if (str[6] == 'A') { abort(); }
17 | return 0;
18 |
19 | }
20 |
21 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/example/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "example_mutator"
3 | version = "0.1.0"
4 | authors = ["Julius Hohnerlein "]
5 | edition = "2018"
6 |
7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
8 |
9 | [dependencies]
10 | custom_mutator = { path = "../custom_mutator" }
11 |
12 | [[example]]
13 | name = "example_mutator"
14 | path = "./src/example_mutator.rs"
15 | crate-type = ["cdylib"]
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/rst.dict:
--------------------------------------------------------------------------------
1 | # https://docutils.readthedocs.io/en/sphinx-docs/ref/rst/restructuredtext.html
2 |
3 | bold="**"
4 | list1="1. "
5 | list2="(1) "
6 | list3="1) "
7 | list4="I. "
8 | list5="i. "
9 | list6="* "
10 | list7="- "
11 | list8="+ "
12 | end_of_paragraph="::"
13 | title="====="
14 | image=".. image:: "
15 | image_attr=" :a: 1"
16 | doctest=">>>"
17 | table1="+--+""
18 | table2="+==+""
19 | footnote_and_citation=".. [a] "
20 | hyperlink=".. _a: http://a "
21 | macro=".. |b| a"
22 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/example_lain/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "example_lain"
3 | version = "0.1.0"
4 | authors = ["Julius Hohnerlein "]
5 | edition = "2018"
6 |
7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
8 |
9 | [dependencies]
10 | custom_mutator = { path = "../custom_mutator" }
11 | lain="0.5"
12 |
13 | [[example]]
14 | name = "example_lain"
15 | path = "./src/lain_mutator.rs"
16 | crate-type = ["cdylib"]
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/toml.dict:
--------------------------------------------------------------------------------
1 | # https://github.com/toml-lang/toml
2 |
3 | key_value="a.b=\"c\""
4 | unicode="\\u1234"
5 | unicode_long="\\u12345678"
6 | true="true"
7 | false="false"
8 | multiline_literal="'''"
9 | multiline="\"\"\""
10 | integer="+1_2_3_4"
11 | negative_integer="-1"
12 | hex="0xde_ad"
13 | oct="0o6"
14 | bin="0b1"
15 | float="-6_3.6e-05"
16 | nan="nan"
17 | inf="inf"
18 | time="1979-05-27T07:32:00Z"
19 | array="[1,2]"
20 | table="[a]"
21 | inline_table="a={1=2,3=4}"
22 | array_table="[[a]]"
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/ranges.h:
--------------------------------------------------------------------------------
1 | #ifndef _RANGES_H
2 | #define _RANGES_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | extern gboolean ranges_debug_maps;
7 | extern gboolean ranges_inst_libs;
8 | extern gboolean ranges_inst_jit;
9 |
10 | void ranges_config(void);
11 | void ranges_init(void);
12 |
13 | gboolean range_is_excluded(GumAddress address);
14 |
15 | void ranges_exclude();
16 |
17 | void ranges_add_include(GumMemoryRange *range);
18 | void ranges_add_exclude(GumMemoryRange *range);
19 |
20 | #endif
21 |
22 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/js/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | frida_js_entry:
13 | @gmake frida_js_entry
14 |
15 | frida_js_replace:
16 | @gmake frida_js_replace
17 |
18 | frida_js_patch:
19 | @gmake frida_js_patch
20 |
21 | frida_js_stalker:
22 | @gmake frida_js_stalker
23 |
24 | debug:
25 | @gmake debug
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-dlopen.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | int main(int argc, char **argv) {
7 |
8 | if (!getenv("TEST_DLOPEN_TARGET")) return 1;
9 | void *lib = dlopen(getenv("TEST_DLOPEN_TARGET"), RTLD_LAZY);
10 | if (!lib) {
11 |
12 | perror(dlerror());
13 | return 2;
14 |
15 | }
16 |
17 | int (*func)(int, char **) = dlsym(lib, "main_exported");
18 | if (!func) return 3;
19 |
20 | return func(argc, argv);
21 |
22 | }
23 |
24 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/README.md:
--------------------------------------------------------------------------------
1 | # custum mutator: honggfuzz mangle
2 |
3 | this is the honggfuzz mutator in mangle.c as a custom mutator
4 | module for AFL++. It is the original mangle.c, mangle.h and honggfuzz.h
5 | with a lot of mocking around it :-)
6 |
7 | just type `make` to build
8 |
9 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz-mutator.so afl-fuzz ...```
10 |
11 | > Original repository: https://github.com/google/honggfuzz
12 | > Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5
13 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/libpng_no_checksum/libpng-nocrc.patch:
--------------------------------------------------------------------------------
1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200
2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200
3 | @@ -268,7 +268,11 @@
4 | if (need_crc != 0)
5 | {
6 | crc = png_get_uint_32(crc_bytes);
7 | - return ((int)(crc != png_ptr->crc));
8 | +
9 | + if (crc != png_ptr->crc)
10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc);
11 | +
12 | + return ((int)(1 != 1));
13 | }
14 |
15 | else
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-multiple-mutators.c:
--------------------------------------------------------------------------------
1 | /**
2 | * Test-Case for multiple custom mutators in C
3 | * Reference:
4 | * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c
5 | */
6 |
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | int main(int argc, char **argv) {
13 |
14 | int a = 0;
15 | char s[100];
16 | read(0, s, 100);
17 |
18 | if (s[7] == 'B') { abort(); }
19 |
20 | return 0;
21 |
22 | }
23 |
24 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/many-linux/GNUmakefile:
--------------------------------------------------------------------------------
1 | PWD:=$(shell pwd)/
2 | ROOT:=$(PWD)../../
3 | BUILD_DIR:=$(PWD)build/
4 |
5 | .PHONY: all clean shell
6 |
7 | all:
8 | docker build --tag many-afl-frida .
9 | docker run --rm \
10 | -v $(ROOT):/AFLplusplus \
11 | many-afl-frida \
12 | make -C /AFLplusplus/frida_mode clean all
13 |
14 | $(BUILD_DIR):
15 | mkdir -p $@
16 |
17 | clean:
18 | docker images --filter 'dangling=true' -q --no-trunc | xargs -L1 docker rmi --force
19 |
20 | shell:
21 | docker run -ti --rm many-afl-frida /bin/bash
22 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-post.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | AFL_TEST_DEPTH=$((AFL_TEST_DEPTH-1))
3 |
4 | if [ $AFL_TEST_DEPTH = 0 ]; then
5 | # All runs done :)
6 |
7 | $ECHO "$GREY[*] $AFL_TEST_COUNT test cases completed.$RESET"
8 | test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed"
9 | test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed"
10 | test "$CODE" = "0" && $ECHO "$GREEN[+] all tests were successful :-)$RESET"
11 | test "$CODE" = "0" || $ECHO "$RED[!] failure in tests :-($RESET"
12 | exit $CODE
13 |
14 | fi
15 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/defork/README.md:
--------------------------------------------------------------------------------
1 | # defork
2 |
3 | when the target forks, this breaks all normal fuzzing runs.
4 | Sometimes, though, it is enough to just run the child process.
5 | If this is the case, then this LD_PRELOAD library will always return 0 on fork,
6 | the target will belive it is running as the child, post-fork.
7 |
8 | This is defork.c from the amazing preeny project
9 | https://github.com/zardus/preeny
10 |
11 | It is altered for AFL++ to work with its fork-server: the initial fork will go through, the second fork will be blocked.
12 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/wav.dict:
--------------------------------------------------------------------------------
1 | header="RIFF"
2 | header_id="WAVE"
3 |
4 | fmt_chunk="fmt "
5 | fact_chunk="fact"
6 | data_chunk="data"
7 | cue_chunk="cue "
8 | playlist_chunk="plst"
9 | list_chunk="list"
10 | label_chunk="labl"
11 | note_chunk="note"
12 | labeled_text_chunk="ltxt"
13 | sampler_chunk="smpl"
14 | instrument_chunk="inst"
15 |
16 | # IFF extension: https://web.archive.org/web/20080114200405/http://www.borg.com/~jglatt/tech/aboutiff.htm
17 | "FORM"
18 | "LIST"
19 | "CAT "
20 | "ILBM"
21 | "AIFF"
22 | "ANIM"
23 | "CMAP"
24 | "MIDI"
25 | "MThd"
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/png/persistent/hook/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | 32:
6 | @echo trying to use GNU make...
7 | @gmake 32 || echo please install GNUmake
8 |
9 | clean:
10 | @gmake clean
11 |
12 | format:
13 | @gmake format
14 |
15 | qemu:
16 | @gmake qemu
17 |
18 | qemu_entry:
19 | @gmake qemu_entry
20 |
21 | frida:
22 | @gmake frida
23 |
24 | frida_entry:
25 | @gmake frida_entry
26 |
27 | frida_js:
28 | @gmake frida_js
29 |
30 | debug:
31 | @gmake debug
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/jpeg.dict:
--------------------------------------------------------------------------------
1 | #
2 | # AFL dictionary for JPEG images
3 | # ------------------------------
4 | #
5 | # Created by Michal Zalewski
6 | #
7 |
8 | header_jfif="JFIF\x00"
9 | header_jfxx="JFXX\x00"
10 |
11 | section_ffc0="\xff\xc0"
12 | section_ffc2="\xff\xc2"
13 | section_ffc4="\xff\xc4"
14 | section_ffd0="\xff\xd0"
15 | section_ffd8="\xff\xd8"
16 | section_ffd9="\xff\xd9"
17 | section_ffda="\xff\xda"
18 | section_ffdb="\xff\xdb"
19 | section_ffdd="\xff\xdd"
20 | section_ffe0="\xff\xe0"
21 | section_ffe1="\xff\xe1"
22 | section_fffe="\xff\xfe"
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/bdf.dict:
--------------------------------------------------------------------------------
1 | # https://en.wikipedia.org/wiki/Glyph_Bitmap_Distribution_Format
2 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5005.BDF_Spec.pdf
3 |
4 | "STARTFONT"
5 | "COMMENT"
6 | "CONTENTVERSION"
7 | "FONT"
8 | "SIZE"
9 | "FONTBOUNDINGBOX"
10 | "METRICSSET"
11 | "SWIDTH"
12 | "DWIDTH"
13 | "SWIDTH1"
14 | "DWIDTH1"
15 | "VVECTOR"
16 | "STARTPROPERTIES"
17 | "ENDPROPERTIES"
18 | "CHARS"
19 | "STARTCHAR"
20 | "ENCODING"
21 | "BBX"
22 | "BITMAP"
23 | "ENDCHAR"
24 | "ENDFONT"
25 |
26 | # misc
27 | "255"
28 | "-1"
29 | "0"
30 | "2.1"
31 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/aflpp_driver/aflpp_driver_test.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
6 |
7 | if (Size < 5) return;
8 |
9 | if (Data[0] == 'F')
10 | if (Data[1] == 'A')
11 | if (Data[2] == '$')
12 | if (Data[3] == '$')
13 | if (Data[4] == '$') abort();
14 |
15 | }
16 |
17 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
18 |
19 | if (Size) crashme(Data, Size);
20 |
21 | return 0;
22 |
23 | }
24 |
25 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/icns.dict:
--------------------------------------------------------------------------------
1 | # https://en.wikipedia.org/wiki/Apple_Icon_Image_format
2 |
3 | "ICN#"
4 | "ICON"
5 | "TOC "
6 | "h8mk"
7 | "ic04"
8 | "ic05"
9 | "ic07"
10 | "ic08"
11 | "ic09"
12 | "ic10"
13 | "ic11"
14 | "ic12"
15 | "ic13"
16 | "ic14"
17 | "ich#"
18 | "ich4"
19 | "ich8"
20 | "icl4"
21 | "icl8"
22 | "icm#"
23 | "icm4"
24 | "icm8"
25 | "icnV"
26 | "icns"
27 | "icp4"
28 | "icp5"
29 | "icp6"
30 | "ics#"
31 | "ics4"
32 | "ics8"
33 | "icsB"
34 | "icsb"
35 | "ih32"
36 | "il32"
37 | "info"
38 | "is32"
39 | "it32"
40 | "l8mk"
41 | "name"
42 | "s8mk"
43 | "t8mk"
44 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/ctx.h:
--------------------------------------------------------------------------------
1 | #ifndef _CTX_H
2 | #define _CTX_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | #if defined(__x86_64__)
7 | gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg);
8 | #elif defined(__i386__)
9 | gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg);
10 | #elif defined(__aarch64__)
11 | gsize ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg);
12 | size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand);
13 | #elif defined(__arm__)
14 | gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg);
15 | #endif
16 |
17 | #endif
18 |
19 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/README.md:
--------------------------------------------------------------------------------
1 | # Rust Custom Mutators
2 |
3 | Bindings to create custom mutators in Rust.
4 |
5 | These bindings are documented with rustdoc. To view the documentation run
6 | ```cargo doc -p custom_mutator --open```.
7 |
8 | A minimal example can be found in `example`. Build it using `cargo build --example example_mutator`.
9 |
10 | An example using [lain](https://github.com/microsoft/lain) for structured fuzzing can be found in `example_lain`.
11 | Since lain requires a nightly rust toolchain, you need to set one up before you can play with it.
12 |
--------------------------------------------------------------------------------
/CITATION.cff:
--------------------------------------------------------------------------------
1 | cff-version: 1.2.0
2 | message: "If you use this software, please cite it as below."
3 | authors:
4 | - given-names: "ZhiYuan"
5 | family-names: "Jiang"
6 | - given-names: "Shuitao"
7 | family-names: "Gan"
8 | - given-names: "Lucio"
9 | family-names: "Romerio"
10 | title: "Evocatio"
11 | version: 1.0.0
12 | type: software
13 | date-released: 2022-11-18
14 | url: "https://github.com/HexHive/Evocatio"
15 | keywords:
16 | - security
17 | - exploit
18 | - fuzzing
19 | - program-analysis
20 | - sanitizer
21 | - severity
22 | - patch-testing
23 | - bug-capability
24 | license: Apache-2.0
25 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/type42.dict:
--------------------------------------------------------------------------------
1 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5012.Type42_Spec.pdf
2 | # This format is a super-set of postscript, so don't forget to use ps.dict as well
3 |
4 | magic="%!PS-TrueTypeFont"
5 | "%%VMUsage:"
6 | "/FontType"
7 | "/FontMatrix"
8 | "/FontName"
9 | "/FontInfo"
10 | "/Encoding"
11 | "/FontBBox"
12 | "/UniqueID"
13 | "/XUID"
14 | "/PaintType"
15 | "/StrokeWidth"
16 | "/Metrics"
17 | "/Metrics2"
18 | "/CDevProc"
19 | "/CharStrings"
20 | "/sfnts"
21 | "/CIDMap"
22 | "/GDBytes"
23 | "/GlyphDirectory"
24 | "/MetricsCount"
25 | "/WMode"
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/asan/asan_arm32.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "asan.h"
6 | #include "util.h"
7 |
8 | #if defined(__arm__)
9 | void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
10 |
11 | UNUSED_PARAMETER(instr);
12 | UNUSED_PARAMETER(iterator);
13 | if (asan_initialized) {
14 |
15 | FATAL("ASAN mode not supported on this architecture");
16 |
17 | }
18 |
19 | }
20 |
21 | void asan_arch_init(void) {
22 |
23 | FATAL("ASAN mode not supported on this architecture");
24 |
25 | }
26 |
27 | #endif
28 |
29 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/rss.dict:
--------------------------------------------------------------------------------
1 | # https://en.wikipedia.org/wiki/RSS
2 |
3 | ""
4 | ""
5 | ""
6 | ""
7 | ""
8 | ""
9 | ""
10 | ""
11 | ""
12 | ""
13 | ""
14 | ""
15 | ""
16 | ""
17 | "- "
18 | ""
19 | ""
20 | ""
21 | ""
22 | ""
23 | ""
24 | ""
25 | ""
26 | ""
27 | ""
28 | ""
29 | "<ttl>"
30 | "<url>"
31 | "<webMaster>"
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/many-linux/README.md:
--------------------------------------------------------------------------------
1 | # many-linux
2 |
3 | This folder contains a Docker image to allow the building of
4 | `afl-frida-trace.so` using the `many-linux` docker image. This docker image is
5 | based on CentOS Linux 5. By building `afl-frida-trace.so` for such an old
6 | version of Linux, given the strong backward compatibility of Linux, this should
7 | work on the majority of Linux environments. This may be useful for targetting
8 | Linux distributions other than your development environment. `many-local` builds
9 | `AFLplusplus` from the local working copy in the `many-linux` environment.
10 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/markdown.dict:
--------------------------------------------------------------------------------
1 | strike="~~"
2 | list="2."
3 | link="[a]("
4 | link_without_ref="[a]["
5 | image="![b]("
6 | bold="**"
7 | separator="---"
8 | title="# "
9 | fence="```"
10 | link_bottom="[a]:"
11 | link_inline="<http://"
12 | link_bottom_title="[1]: http://a.com"
13 | checklist="- [x"
14 | toc="[TOC]"
15 | highlight_rst=":::python"
16 |
17 |
18 | # GFM - https://github.github.com/gfm/
19 | "| ---"
20 | leaf1="***"
21 | leaf2="___"
22 | code_hl="```html"
23 | task="- [ ]"
24 |
25 |
26 | # Extended syntax: https://www.markdownguide.org/extended-syntax/
27 | footnote="[^a]"
28 | title_id="#a {#b}"
29 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/spss.dict:
--------------------------------------------------------------------------------
1 | "("
2 | "(NOMINAL)"
3 | "(ORDINAL)"
4 | "(SCALE)"
5 | ")"
6 | "."
7 | "/"
8 | "/VARIABLES"
9 | "="
10 | " "
11 | "A"
12 | "ADATE"
13 | "COMMENT"
14 | "DATA"
15 | "DATASET"
16 | "DATE"
17 | "DELIMITERS"
18 | "DICTIONARY"
19 | "DISPLAY"
20 | "END"
21 | "EXECUTE"
22 | "F"
23 | "FILE"
24 | "FIRSTCASE"
25 | "FIXED"
26 | "FORMATS"
27 | "HANDLE"
28 | "IF"
29 | "INPUT"
30 | "LABEL"
31 | "LABELS"
32 | "LEVEL"
33 | "LIST"
34 | "NAME"
35 | "OUTFILE"
36 | "PROGRAM"
37 | "RECODE"
38 | "RECORD"
39 | "SAVE"
40 | "SELECT"
41 | "SET"
42 | "SYSMIS"
43 | "TABLE"
44 | "VALUE"
45 | "VARIABLE"
46 | "WINDOW"
47 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/build-codeql.sh:
--------------------------------------------------------------------------------
1 | cd ~
2 | if [ -d "codeql-home" ]; then
3 | echo "Exist !"
4 | exit 1
5 | fi
6 | mkdir codeql-home
7 | cd codeql-home
8 | git clone https://github.com/github/codeql.git codeql-repo
9 | git clone https://github.com/github/codeql-go.git
10 | wget https://github.com/github/codeql-cli-binaries/releases/download/v2.4.6/codeql-linux64.zip
11 | unzip codeql-linux64.zip
12 | mv codeql codeql-cli
13 | export "PATH=~/codeql-home/codeql-cli/:$PATH"
14 | echo "export PATH=~/codeql-home/codeql-cli/:$PATH" >> ~/.bashrc
15 | codeql resolve languages
16 | codeql resolve qlpacks
17 | codeql
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/qemu_persistent_hook/test.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 |
3 | int target_func(unsigned char *buf, int size) {
4 |
5 | printf("buffer:%p, size:%d\n", buf, size);
6 | switch (buf[0]) {
7 |
8 | case 1:
9 | if (buf[1] == '\x44') { puts("a"); }
10 | break;
11 | case 0xff:
12 | if (buf[2] == '\xff') {
13 |
14 | if (buf[1] == '\x44') { puts("b"); }
15 |
16 | }
17 |
18 | break;
19 | default:
20 | break;
21 |
22 | }
23 |
24 | return 1;
25 |
26 | }
27 |
28 | char data[1024];
29 |
30 | int main() {
31 |
32 | target_func(data, 1024);
33 |
34 | }
35 |
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/asan/asan.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "asan.h"
6 |
7 | static gboolean asan_enabled = FALSE;
8 | gboolean asan_initialized = FALSE;
9 |
10 | void asan_config(void) {
11 |
12 | if (getenv("AFL_USE_FASAN") != NULL) {
13 |
14 | OKF("Frida ASAN mode enabled");
15 | asan_enabled = TRUE;
16 |
17 | } else {
18 |
19 | OKF("Frida ASAN mode disabled");
20 |
21 | }
22 |
23 | }
24 |
25 | void asan_init(void) {
26 |
27 | if (asan_enabled) {
28 |
29 | asan_arch_init();
30 | asan_initialized = TRUE;
31 |
32 | }
33 |
34 | }
35 |
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | @echo trying to use GNU make...
3 | @gmake all || echo please install GNUmake
4 |
5 | source-only:
6 | @gmake source-only
7 |
8 | binary-only:
9 | @gmake binary-only
10 |
11 | distrib:
12 | @gmake distrib
13 |
14 | man:
15 | @gmake man
16 |
17 | install:
18 | @gmake install
19 |
20 | document:
21 | @gmake document
22 |
23 | deepclean:
24 | @gmake deepclean
25 |
26 | code-format:
27 | @gmake code-format
28 |
29 | help:
30 | @gmake help
31 |
32 | tests:
33 | @gmake tests
34 |
35 | unit:
36 | @gmake unit
37 |
38 | unit_clean:
39 | @gmake unit_clean
40 |
41 | clean:
42 | @gmake clean
43 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/atom.dict:
--------------------------------------------------------------------------------
1 | # https://validator.w3.org/feed/docs/atom.html
2 | # https://tools.ietf.org/html/rfc4287
3 |
4 | "<?xml version='1.0' encoding='utf-8'?>"
5 | "<feed xmlns='http://www.w3.org/2005/Atom'>"
6 |
7 | "<alternate>"
8 | "<author>"
9 | "<category>"
10 | "<content>"
11 | "<contributor>"
12 | "<email>"
13 | "<entry>"
14 | "<feed>"
15 | "<first>"
16 | "<generator>"
17 | "<icon>"
18 | "<id>"
19 | "<last>"
20 | "<link>"
21 | "<logo>"
22 | "<modified/>
23 | "<name>"
24 | "<next>"
25 | "<previous>"
26 | "<published>"
27 | "<rights>"
28 | "<source>"
29 | "<subtitle>"
30 | "<summary>"
31 | "<title>"
32 | "<updated>"
33 | "<uri>"
34 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/speedtest/rust/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: all fuzz
2 |
3 | all: ../target ./target/release/unicornafl_harness
4 |
5 | afl-fuzz: ../../../../afl-fuzz
6 | ../../../../afl-fuzz:
7 | $(MAKE) -C ../../../../ afl-fuzz
8 |
9 | clean:
10 | cargo clean
11 |
12 | ./target/release/unicornafl_harness: ./src/main.rs
13 | cargo build --release
14 |
15 | ./target/debug/unicornafl_harness: ./src/main.rs
16 | cargo build
17 |
18 | ../target:
19 | $(MAKE) -C ..
20 |
21 | fuzz: all afl-fuzz
22 | rm -rf ./output
23 | SKIP_BIN_CHECK=1 ../../../../afl-fuzz -s 1 -i ../sample_inputs -o ./output -- ./target/release/unicornafl_harness @@
24 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/optimin/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | cmake_minimum_required(VERSION 3.10)
2 |
3 | project(optimin
4 | LANGUAGES CXX
5 | DESCRIPTION "MaxSAT-based fuzzing corpus minimizer"
6 | )
7 |
8 | set(CMAKE_CXX_STANDARD 17)
9 | set(CMAKE_CXX_STANDARD_REQUIRED ON)
10 | set(CMAKE_CXX_EXTENSIONS OFF)
11 |
12 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Wextra")
13 |
14 | # Add LLVM
15 | find_package(LLVM REQUIRED CONFIG)
16 | message(STATUS "Found LLVM ${LLVM_PACKAGE_VERSION}")
17 |
18 | include_directories(${LLVM_INCLUDE_DIRS})
19 | add_definitions(${LLVM_DEFINITIONS} -DNDEBUG)
20 |
21 | add_subdirectory(EvalMaxSAT)
22 | add_subdirectory(src)
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/wkt.dict:
--------------------------------------------------------------------------------
1 | # https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry
2 |
3 | "AFFINEPLACEMENT"
4 | "BREPSOLID"
5 | "CIRCLE"
6 | "CIRCULARSTRING"
7 | "CLOTHOID"
8 | "COMPOUNDCURVE"
9 | "CURVE"
10 | "CURVEPOLYGON"
11 | "ELLIPTICALCURVE"
12 | "EMPTY"
13 | "GEODESICSTRING"
14 | "GEOMETRY"
15 | "GEOMETRYCOLLECTION"
16 | "LINESTRING"
17 | "MULTICURVE"
18 | "MULTILINESTRING"
19 | "MULTIPOINT"
20 | "MULTIPOLYGON"
21 | "MULTISURFACE"
22 | "NURBSCURVE"
23 | "POINT"
24 | "PATCHES"
25 | "POLYGON"
26 | "POLYHEDRALSURFACE"
27 | "SPIRALCURVE"
28 | "SRID"
29 | "SURFACE"
30 | "TIN"
31 | "TRIANGLE"
32 | "ZM"
33 |
34 | # misc
35 | "(1,2)"
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/stats/stats_arm32.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "stats.h"
6 | #include "util.h"
7 |
8 | #if defined(__arm__)
9 |
10 | void starts_arch_init(void) {
11 |
12 | FATAL("Stats not supported on this architecture");
13 |
14 | }
15 |
16 | void stats_write_arch(stats_data_t *data) {
17 |
18 | FATAL("Stats not supported on this architecture");
19 |
20 | }
21 |
22 | void stats_collect_arch(const cs_insn *instr, gboolean begin) {
23 |
24 | UNUSED_PARAMETER(instr);
25 | UNUSED_PARAMETER(begin);
26 | FATAL("Stats not supported on this architecture");
27 |
28 | }
29 |
30 | #endif
31 |
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/ogg.dict:
--------------------------------------------------------------------------------
1 | # https://xiph.org/vorbis/doc/Vorbis_I_spec.html
2 |
3 | header="OggS"
4 |
5 | # Codecs
6 | "BBCD\x00"
7 | "\x7fFLAC"
8 | "\x80theora"
9 | "\x01vorbis"
10 | "CELT "
11 | "CMML\x00\x00\x00\x00"
12 | "\x8bJNG\x0d\x0a\x1a\x0a"
13 | "\x80kate\x00\x00\x00"
14 | "OggMIDI\x00"
15 | "\x8aMNG\x0d\x0a\x1a\x0a"
16 | "PCM "
17 | "\x89PNG\x0d\x0a\x1a\x0a"
18 | "Speex "
19 | "YUV4MPEG"
20 |
21 | # Metadata
22 | "TITLE="
23 | "VERSION="
24 | "ALBUM="
25 | "TRACKNUMBER="
26 | "ARTIST="
27 | "PERFORMER="
28 | "COPYRIGHT="
29 | "LICENSE="
30 | "ORGANIZATION="
31 | "DESCRIPTION="
32 | "GENRE="
33 | "DATE="
34 | "LOCATION="
35 | "CONTACT="
36 | "ISRC="
37 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/custom_mutator_helpers.h:
--------------------------------------------------------------------------------
1 | #ifndef CUSTOM_MUTATOR_HELPERS
2 | #define CUSTOM_MUTATOR_HELPERS
3 |
4 | #include "config.h"
5 | #include "types.h"
6 | #include "afl-fuzz.h"
7 | #include <stdlib.h>
8 |
9 | #define INITIAL_GROWTH_SIZE (64)
10 |
11 | /* Use in a struct: creates a name_buf and a name_size variable. */
12 | #define BUF_VAR(type, name) \
13 | type * name##_buf; \
14 | size_t name##_size;
15 | /* this filles in `&structptr->something_buf, &structptr->something_size`. */
16 | #define BUF_PARAMS(struct, name) \
17 | (void **)&struct->name##_buf, &struct->name##_size
18 |
19 | #undef INITIAL_GROWTH_SIZE
20 |
21 | #endif
22 |
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-cmplog.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <string.h>
3 | #include <stdarg.h>
4 | #include <stdlib.h>
5 | #include <stdint.h>
6 | #include <unistd.h>
7 | int main(int argc, char *argv[]) {
8 |
9 | char buf[1024];
10 | ssize_t i;
11 | if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0;
12 | buf[i] = 0;
13 | if (buf[0] != 'A') return 0;
14 | if (buf[1] != 'B') return 0;
15 | if (buf[2] != 'C') return 0;
16 | if (buf[3] != 'D') return 0;
17 | if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0;
18 | if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0)
19 | abort();
20 | return 0;
21 |
22 | }
23 |
24 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/pbm.dict:
--------------------------------------------------------------------------------
1 | # https://en.wikipedia.org/wiki/Netpbm_format
2 | header1="P1"
3 | header2="P2"
4 | header3="P3"
5 | header4="P4"
6 | header5="P5"
7 | header6="P6"
8 | zero="0"
9 | one="1"
10 | comment="#"
11 | max="255"
12 | overflow="256"
13 |
14 | # PAM - https://en.wikipedia.org/wiki/Netpbm#PAM_graphics_format
15 | header7="P7"
16 | width="WIDTH"
17 | height="HEIGHT"
18 | depth="DEPTH"
19 | maxval="MAXVAL"
20 | enhdr="ENDHDR"
21 | tupltype="TUPLTYPE"
22 | tupltype1="RGB_ALPHA"
23 | tupltype2="RGB"
24 | typltype3="BLACKANDWHITE"
25 | typltype4="BLACKANDWHITE_ALPHA"
26 | typltype5="GRAYSCALE"
27 | typltype6="GRAYSCALE_ALPHA"
28 | maxval_num="65535"
29 | maxval_overlfow="65536"
30 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "unicorn_mode/unicornafl"]
2 | path = unicorn_mode/unicornafl
3 | url = https://github.com/AFLplusplus/unicornafl
4 | [submodule "custom_mutators/grammar_mutator"]
5 | path = custom_mutators/grammar_mutator/grammar_mutator
6 | url = https://github.com/AFLplusplus/Grammar-Mutator
7 | [submodule "qemu_mode/qemuafl"]
8 | path = qemu_mode/qemuafl
9 | url = https://github.com/AFLplusplus/qemuafl
10 | [submodule "custom_mutators/gramatron/json-c"]
11 | path = custom_mutators/gramatron/json-c
12 | url = https://github.com/json-c/json-c
13 | [submodule "utils/optimin/EvalMaxSAT"]
14 | path = utils/optimin/EvalMaxSAT
15 | url = https://github.com/FlorentAvellaneda/EvalMaxSAT
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/js/entry.js:
--------------------------------------------------------------------------------
1 | Afl.print('******************');
2 | Afl.print('* AFL FRIDA MODE *');
3 | Afl.print('******************');
4 | Afl.print('');
5 |
6 | Afl.print(`PID: ${Process.id}`);
7 |
8 | new ModuleMap().values().forEach(m => {
9 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
10 | });
11 |
12 | const name = Process.enumerateModules()[0].name;
13 | Afl.print(`Name: ${name}`);
14 |
15 | if (name === 'test') {
16 |
17 | Afl.print('Searching...\n');
18 | const entry_point = DebugSymbol.fromName('run');
19 | Afl.print(`entry_point: ${entry_point}`);
20 |
21 | Afl.setEntryPoint(entry_point.address);
22 |
23 | }
24 |
25 | Afl.done();
26 | Afl.print("done");
27 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/symcc/README.md:
--------------------------------------------------------------------------------
1 | # custum mutator: symcc
2 |
3 | This uses the excellent symcc to find new paths into the target.
4 |
5 | To use this custom mutator follow the steps in the symcc repository
6 | [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/)
7 | on how to build symcc and how to instrument a target binary (the same target
8 | that you are fuzzing).
9 |
10 | The target program compiled with symcc has to be pointed to with the
11 | `SYMCC_TARGET` environment variable.
12 |
13 | just type `make` to build this custom mutator.
14 |
15 | ```SYMCC_TARGET=/prg/to/symcc/compiled/target AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symcc/symcc-mutator.so afl-fuzz ...```
16 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/Makefile:
--------------------------------------------------------------------------------
1 |
2 | CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic
3 |
4 | all: honggfuzz-mutator.so
5 |
6 | honggfuzz-mutator.so: honggfuzz.c input.h mangle.c ../../src/afl-performance.c
7 | $(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz-mutator.so honggfuzz.c mangle.c ../../src/afl-performance.c
8 |
9 | update:
10 | @# seriously? --unlink is a dud option? sigh ...
11 | rm -f mangle.c mangle.h honggfuzz.h
12 | wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c
13 | wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h
14 | wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h
15 |
16 | clean:
17 | rm -f *.o *~ *.so core
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/symcc/test_examples/stdin_test.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdint.h>
3 | #include <stdlib.h>
4 | #include <unistd.h>
5 |
6 | int main(int argc, char **argv) {
7 |
8 | char input_buffer[16];
9 | uint32_t comparisonValue;
10 | size_t bytesRead;
11 | bytesRead = read(STDIN_FILENO, input_buffer, sizeof(input_buffer));
12 | if (bytesRead < 0) exit(-1);
13 | comparisonValue = *(uint32_t *)input_buffer;
14 | comparisonValue = comparisonValue ^ 0xff112233;
15 | if (comparisonValue == 0x66554493) {
16 |
17 | printf("First value\n");
18 |
19 | } else {
20 |
21 | if (comparisonValue == 0x84444415) printf("Second value\n");
22 |
23 | }
24 |
25 | return 0;
26 |
27 | }
28 |
29 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/update_frida_version.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | test -n "$1" && { echo This script has no options. It updates the referenced Frida version in GNUmakefile to the most current one. ; exit 1 ; }
3 |
4 | OLD=$(egrep '^GUM_DEVKIT_VERSION=' GNUmakefile 2>/dev/null|awk -F= '{print$2}')
5 | NEW=$(curl https://github.com/frida/frida/releases/ 2>/dev/null|egrep 'frida-gum-devkit-[0-9.]*-linux-x86_64'|head -n 1|sed 's/.*frida-gum-devkit-//'|sed 's/-linux.*//')
6 |
7 | echo Current set version: $OLD
8 | echo Newest available version: $NEW
9 |
10 | test -z "$OLD" -o -z "$NEW" -o "$OLD" = "$NEW" && { echo Nothing to be done. ; exit 0 ; }
11 |
12 | sed -i "s/=$OLD/=$NEW/" GNUmakefile || exit 1
13 | echo Successfully updated GNUmakefile
14 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/workflows/build_aflplusplus_docker.yaml:
--------------------------------------------------------------------------------
1 | name: Publish Docker Images
2 |
3 | on:
4 | push:
5 | branches: [ stable ]
6 | # paths:
7 | # - Dockerfile
8 |
9 | jobs:
10 | push_to_registry:
11 | name: Push Docker images to Dockerhub
12 | runs-on: ubuntu-latest
13 | steps:
14 | - uses: actions/checkout@master
15 | - name: Login to Dockerhub
16 | uses: docker/login-action@v1
17 | with:
18 | username: ${{ secrets.DOCKER_USERNAME }}
19 | password: ${{ secrets.DOCKER_TOKEN }}
20 | - name: Publish aflpp to Registry
21 | uses: docker/build-push-action@v2
22 | with:
23 | context: .
24 | push: true
25 | tags: aflplusplus/aflplusplus:latest
26 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 |
3 | # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
4 | github: AFLplusplus
5 | patreon: # Replace with a single Patreon username
6 | open_collective: AFLplusplusEU
7 | ko_fi: # Replace with a single Ko-fi username
8 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
9 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
10 | liberapay: # Replace with a single Liberapay username
11 | issuehunt: # Replace with a single IssueHunt username
12 | otechie: # Replace with a single Otechie username
13 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
14 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/dds.dict:
--------------------------------------------------------------------------------
1 | # See http://www.mindcontrol.org/~hplus/graphics/dds-info/
2 |
3 | magic="\x20\x53\x44\x44"
4 |
5 | # Headers
6 | "\x00\x00\x00\x01"
7 | "\x00\x00\x00\x02"
8 | "\x00\x00\x00\x04"
9 | "\x00\x00\x00\x08"
10 | "\x00\x00\x10\x00"
11 | "\x00\x02\x00\x00"
12 | "\x00\x08\x00\x00"
13 | "\x00\x80\x00\x00"
14 | "\x00\x00\x00\x01"
15 | "\x00\x00\x00\x04"
16 | "\x00\x00\x00\x20"
17 | "\x00\x00\x00\x40"
18 | "\x00\x00\x00\x08"
19 | "\x00\x00\x10\x00"
20 | "\x00\x40\x00\x00"
21 | "\x00\x00\x02\x00"
22 | "\x00\x00\x04\x00"
23 | "\x00\x00\x08\x00"
24 | "\x00\x00\x10\x00"
25 | "\x00\x00\x20\x00"
26 | "\x00\x00\x40\x00"
27 | "\x00\x00\x80\x00"
28 | "\x00\x20\x00\x00"
29 |
30 | #formats
31 | "1TXD"
32 | "2TXD"
33 | "3TXD"
34 | "4TXD"
35 | "5TXD"
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/plot_ui/README.md:
--------------------------------------------------------------------------------
1 | # afl-plot-ui
2 |
3 | `afl-plot-ui` is a helper utility for rendering the GNUplot graphs in a GTK window. This allows to real time resizing, scrolling, and cursor positioning features while viewing the graph. This utility also provides options to hide graphs using check buttons.
4 |
5 | Currently, this utility is not built by default.
6 | You can manually build and install `afl-plot-ui` as follows
7 |
8 | ```shell
9 | sudo apt install libgtk-3-0 libgtk-3-dev pkg-config
10 | make
11 | cd ../../
12 | sudo make install
13 | ```
14 |
15 | *NOTE:* This utility is not meant to be used standalone. Never run this utility directly. Always run [`afl-plot`](../../afl-plot), which will, in turn, invoke this utility (when run using `-g` or `--graphical` flag).
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/workflows/codeql-analysis.yml:
--------------------------------------------------------------------------------
1 | name: "CodeQL"
2 |
3 | on:
4 | push:
5 | branches: [ stable, dev ]
6 | pull_request:
7 | branches: [ stable, dev ]
8 |
9 | jobs:
10 | analyze:
11 | name: Analyze
12 | runs-on: ubuntu-latest
13 |
14 | strategy:
15 | fail-fast: false
16 | matrix:
17 | language: [ 'cpp' ]
18 |
19 | steps:
20 | - name: Checkout repository
21 | uses: actions/checkout@v2
22 |
23 | - name: Initialize CodeQL
24 | uses: github/codeql-action/init@v1
25 | with:
26 | languages: ${{ matrix.language }}
27 |
28 | - name: Autobuild
29 | uses: github/codeql-action/autobuild@v1
30 |
31 | - name: Perform CodeQL Analysis
32 | uses: github/codeql-action/analyze@v1
33 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/COMPILE.md:
--------------------------------------------------------------------------------
1 | # Compiling compcov_target.c
2 |
3 | compcov_target.c was compiled without optimization, position-independent,
4 | and without standard libraries using the following command line:
5 |
6 | ```
7 | gcc -o compcov_target.elf compcov_target.c -fPIC -O0 -nostdlib
8 | ```
9 |
10 | The .text section from the resulting ELF binary was then extracted to create
11 | the raw binary blob that is loaded and emulated by compcov_test_harness.py:
12 |
13 | ```
14 | objcopy -O binary --only-section=.text compcov_target.elf compcov_target.bin
15 | ```
16 |
17 | Note that the output of this is padded with nulls for 16-byte alignment. This is
18 | important when emulating it, as NOPs will be added after the return of main()
19 | as necessary.
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/json.dict:
--------------------------------------------------------------------------------
1 | #
2 | # AFL dictionary for JSON
3 | # -----------------------
4 | #
5 | # Just the very basics.
6 | #
7 | # Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
8 | #
9 |
10 | "0"
11 | ",0"
12 | ":0"
13 | "0:"
14 | "-1.2e+3"
15 |
16 | "true"
17 | "false"
18 | "null"
19 |
20 | "\"\""
21 | ",\"\""
22 | ":\"\""
23 | "\"\":"
24 |
25 | "{}"
26 | ",{}"
27 | ":{}"
28 | "{\"\":0}"
29 | "{{}}"
30 |
31 | "[]"
32 | ",[]"
33 | ":[]"
34 | "[0]"
35 | "[[]]"
36 |
37 | "''"
38 | "\\"
39 | "\\b"
40 | "\\f"
41 | "\\n"
42 | "\\r"
43 | "\\t"
44 | "\\u0000"
45 | "\\x00"
46 | "\\0"
47 | "\\uD800\\uDC00"
48 | "\\uDBFF\\uDFFF"
49 |
50 | "\"\":0"
51 | "//"
52 | "/**/"
53 |
54 | "$ref"
55 | "type"
56 | "coordinates"
57 | "@context"
58 | "@id"
59 |
60 | ","
61 | ":"
62 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/js.h:
--------------------------------------------------------------------------------
1 | #ifndef _JS_H
2 | #define _JS_H
3 |
4 | #include "frida-gumjs.h"
5 |
6 | typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn,
7 | gboolean begin, gboolean excluded,
8 | GumStalkerOutput *output);
9 |
10 | extern unsigned char api_js[];
11 | extern unsigned int api_js_len;
12 |
13 | extern gboolean js_done;
14 | extern js_api_stalker_callback_t js_user_callback;
15 |
16 | /* Frida Mode */
17 |
18 | void js_config(void);
19 |
20 | void js_start(void);
21 |
22 | gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
23 | gboolean excluded, GumStalkerOutput *output);
24 |
25 | #endif
26 |
27 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/symcc/test_examples/file_test.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdint.h>
3 | #include <stdlib.h>
4 | #include <unistd.h>
5 | #include <fcntl.h>
6 |
7 | int main(int argc, char **argv) {
8 |
9 | if (argc < 2) {
10 |
11 | printf("Need a file argument\n");
12 | return 1;
13 |
14 | }
15 |
16 | int fd = open(argv[1], O_RDONLY);
17 | if (fd < 0) {
18 |
19 | printf("Couldn't open file\n");
20 | return 1;
21 |
22 | }
23 |
24 | uint32_t value = 0;
25 |
26 | read(fd, &value, sizeof(value));
27 | close(fd);
28 |
29 | value = value ^ 0xffffffff;
30 | if (value == 0x11223344) printf("Value one\n");
31 | if (value == 0x44332211) printf("Value two\n");
32 | if (value != 0x0) printf("Not zero\n");
33 | return 0;
34 |
35 | }
36 |
37 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/COMPILE.md:
--------------------------------------------------------------------------------
1 | # C Sample
2 |
3 | This shows a simple harness for unicornafl in C
4 |
5 | ## Compiling sample.c
6 |
7 | The target can be built using the `make` command.
8 | Just make sure you have built unicorn support first:
9 | ```bash
10 | cd /path/to/afl/unicorn_mode
11 | ./build_unicorn_support.sh
12 | ```
13 |
14 | ## Compiling simple_target.c
15 |
16 | You shouldn't need to compile simple_target.c since a X86_64 binary version is
17 | pre-built and shipped in this sample folder. This file documents how the binary
18 | was built in case you want to rebuild it or recompile it for any reason.
19 |
20 | The pre-built binary (persistent_target_x86_64) was built using -g -O0 in gcc.
21 |
22 | We then load the binary and execute the main function directly.
23 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libprotobuf-mutator-example/Android.bp:
--------------------------------------------------------------------------------
1 | cc_library_shared {
2 | name: "libprotobuf-mutator-example-afl",
3 | vendor_available: true,
4 | host_supported: true,
5 |
6 | cflags: [
7 | "-g",
8 | "-O0",
9 | "-fPIC",
10 | "-Wall",
11 | "-Wno-unused-parameter",
12 | ],
13 |
14 | srcs: [
15 | "lpm_aflpp_custom_mutator_input.cc",
16 | "test.proto",
17 | ],
18 |
19 | shared_libs: [
20 | "libprotobuf-cpp-full",
21 | "libprotobuf-mutator",
22 | ],
23 | }
24 |
25 | cc_binary {
26 | name: "libprotobuf-mutator-vuln",
27 | vendor_available: true,
28 | host_supported: true,
29 |
30 | srcs: [
31 | "vuln.c",
32 | ],
33 |
34 | cflags: [
35 | "-Wno-unused-result",
36 | "-Wno-unused-parameter",
37 | ],
38 | }
39 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/autodict_ql/strtool.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.DataFlow
3 | class StringLiteralNode extends DataFlow::Node {
4 | StringLiteralNode() { this.asExpr() instanceof StringLiteral }
5 | }
6 | class CmpArgNode extends DataFlow::Node {
7 | CmpArgNode() {
8 | exists(FunctionCall fc |
9 | fc.getTarget().getName().regexpMatch(".*(str|mem|strn|b)*(cmp|str)*") and
10 | fc.getArgument(0) = this.asExpr()
11 | )
12 | or
13 | exists(FunctionCall fc |
14 | fc.getTarget().getName().regexpMatch(".*(str|mem|strn|b)*(cmp|str)*") and
15 | fc.getArgument(1) = this.asExpr()
16 | )
17 | }
18 | }
19 |
20 | from StringLiteralNode src, CmpArgNode arg
21 | where
22 | DataFlow::localFlow(src, arg)
23 |
24 | select src.asExpr().(StringLiteral).toString()
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/qbdi_mode/demo-so.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 |
3 | // gcc -shared -o libdemo.so demo-so.c -w
4 | int target_func(char *buf, int size) {
5 |
6 | printf("buffer:%p, size:%p\n", buf, size);
7 | switch (buf[0]) {
8 |
9 | case 1:
10 | puts("222");
11 | if (buf[1] == '\x44') {
12 |
13 | puts("null ptr deference");
14 | *(char *)(0) = 1;
15 |
16 | }
17 |
18 | break;
19 | case 0xff:
20 | if (buf[2] == '\xff') {
21 |
22 | if (buf[1] == '\x44') {
23 |
24 | puts("crash....");
25 | *(char *)(0xdeadbeef) = 1;
26 |
27 | }
28 |
29 | }
30 |
31 | break;
32 | default:
33 | puts("default action");
34 | break;
35 |
36 | }
37 |
38 | return 1;
39 |
40 | }
41 |
42 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/url.dict:
--------------------------------------------------------------------------------
1 | # https://en.wikipedia.org/wiki/Uniform_Resource_Identifier
2 |
3 | # scheme
4 | "aim"
5 | "callto"
6 | "cvs"
7 | "data"
8 | "facetime"
9 | "feed"
10 | "file"
11 | "ftp"
12 | "git"
13 | "gopher"
14 | "gtalk"
15 | "h323"
16 | "hdl"
17 | "http"
18 | "https"
19 | "imap"
20 | "irc"
21 | "irc6"
22 | "ircs"
23 | "itms"
24 | "javascript"
25 | "magnet"
26 | "mailto"
27 | "mms"
28 | "msnim"
29 | "news"
30 | "nntp"
31 | "prospero"
32 | "rsync"
33 | "rtsp"
34 | "rtspu"
35 | "sftp"
36 | "shttp"
37 | "sip"
38 | "sips"
39 | "skype"
40 | "smb"
41 | "snews"
42 | "ssh"
43 | "svn"
44 | "svn"
45 | "svn+ssh"
46 | "telnet"
47 | "tel"
48 | "wais"
49 | "ymsg"
50 |
51 | # encoded characters
52 | "%2f"
53 | "%40"
54 | "%26"
55 |
56 | # misc
57 | "://"
58 | "//"
59 | "\\"
60 | "../"
61 | ";type=a"
62 | "xn--"
63 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/README.snapshot.md:
--------------------------------------------------------------------------------
1 | # AFL++ snapshot feature
2 |
3 | **NOTE:** the snapshot lkm is currently not supported and needs a maintainer :-)
4 |
5 | Snapshotting is a feature that makes a snapshot from a process and then
6 | restores its state, which is faster then forking it again.
7 |
8 | All targets compiled with llvm_mode are automatically enabled for the
9 | snapshot feature.
10 |
11 | To use the snapshot feature for fuzzing compile and load this kernel
12 | module: [https://github.com/AFLplusplus/AFL-Snapshot-LKM](https://github.com/AFLplusplus/AFL-Snapshot-LKM)
13 |
14 | Note that is has little value for persistent (__AFL_LOOP) fuzzing.
15 |
16 | ## Notes
17 |
18 | Snapshot does not work with multithreaded targets yet. Still in WIP, it is now usable only for single threaded applications.
19 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/afl-llvm-rt-lto.o.c:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop++ - LLVM instrumentation bootstrap
3 | -----------------------------------------------------
4 |
5 | Licensed under the Apache License, Version 2.0 (the "License");
6 | you may not use this file except in compliance with the License.
7 | You may obtain a copy of the License at:
8 |
9 | http://www.apache.org/licenses/LICENSE-2.0
10 |
11 | */
12 |
13 | #include <stdio.h>
14 | #include <stdlib.h>
15 |
16 | // to prevent the function from being removed
17 | unsigned char __afl_lto_mode = 0;
18 |
19 | /* Proper initialization routine. */
20 |
21 | __attribute__((constructor(0))) void __afl_auto_init_globals(void) {
22 |
23 | if (getenv("AFL_DEBUG")) fprintf(stderr, "[__afl_auto_init_globals]\n");
24 | __afl_lto_mode = 1;
25 |
26 | }
27 |
28 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-floatingpoint.c:
--------------------------------------------------------------------------------
1 | #include <stdlib.h>
2 | #include <unistd.h>
3 | #include <limits.h>
4 | #include <stdint.h>
5 |
6 | __AFL_FUZZ_INIT();
7 |
8 | int main(void) {
9 |
10 | ssize_t bytes_read;
11 |
12 | __AFL_INIT();
13 | float *magic = (float *)__AFL_FUZZ_TESTCASE_BUF;
14 |
15 | while (__AFL_LOOP(INT_MAX)) {
16 |
17 | int len = __AFL_FUZZ_TESTCASE_LEN;
18 | if (len < sizeof(float)) return 1;
19 |
20 | /* 15 + 1/2 = 15.5 */
21 | /* 15 + 1/2 + 1/8 = 15.625 */
22 | /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */
23 | /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */
24 | if ((*magic >= 15.0 + 0.5 + 0.125 + 0.03125) &&
25 | (*magic <= 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125))
26 | abort();
27 |
28 | }
29 |
30 | return 0;
31 |
32 | }
33 |
34 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/README.out_of_line.md:
--------------------------------------------------------------------------------
1 | ## Using AFL++ without inlined instrumentation
2 |
3 | This file describes how you can disable inlining of instrumentation.
4 |
5 |
6 | By default, the GCC plugin will duplicate the effects of calling
7 | `__afl_trace` (see `afl-gcc-rt.o.c`) in instrumented code, instead of
8 | issuing function calls.
9 |
10 | The calls are presumed to be slower, more so because the rt file
11 | itself is not optimized by the compiler.
12 |
13 | Setting `AFL_GCC_OUT_OF_LINE=1` in the environment while compiling code
14 | with the plugin will disable this inlining, issuing calls to the
15 | unoptimized runtime instead.
16 |
17 | You probably don't want to do this, but it might be useful in certain
18 | AFL debugging scenarios, and it might work as a fallback in case
19 | something goes wrong with the inlined instrumentation.
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/instrument/instrument_arm32.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "instrument.h"
6 | #include "util.h"
7 |
8 | #if defined(__arm__)
9 |
10 | gboolean instrument_is_coverage_optimize_supported(void) {
11 |
12 | return false;
13 |
14 | }
15 |
16 | void instrument_coverage_optimize(const cs_insn * instr,
17 | GumStalkerOutput *output) {
18 |
19 | UNUSED_PARAMETER(instr);
20 | UNUSED_PARAMETER(output);
21 | FATAL("Optimized coverage not supported on this architecture");
22 |
23 | }
24 |
25 | void instrument_flush(GumStalkerOutput *output) {
26 |
27 | gum_arm_writer_flush(output->writer.arm);
28 |
29 | }
30 |
31 | gpointer instrument_cur(GumStalkerOutput *output) {
32 |
33 | return gum_arm_writer_cur(output->writer.arm);
34 |
35 | }
36 |
37 | #endif
38 |
39 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/argv_fuzzing/README.md:
--------------------------------------------------------------------------------
1 | # argvfuzz
2 |
3 | AFL supports fuzzing file inputs or stdin. When source is available,
4 | `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin.
5 |
6 | `argvfuzz` tries to provide the same functionality for binaries. When loaded
7 | using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace
8 | argv using the same logic of `argv-fuzz-inl.h`.
9 |
10 | A few conditions need to be fulfilled for this mechanism to work correctly:
11 |
12 | 1. As it relies on hooking the loader, it cannot work on static binaries.
13 | 2. If the target binary does not use the default libc's `_start` implementation
14 | (crt1.o), the hook may not run.
15 | 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the
16 | target binary expects argv to be living on the stack, things may go wrong.
17 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # How to submit a Pull Request to AFLplusplus
2 |
3 | All contributions (pull requests) must be made against our `dev` branch.
4 |
5 | Each modified source file, before merging, must be formatted.
6 |
7 | ```
8 | make code-format
9 | ```
10 |
11 | This should be fine if you modified one of the files already present in the
12 | project, or added a file in a directory we already format, otherwise run:
13 |
14 | ```
15 | ./.custom-format.py -i file-that-you-have-created.c
16 | ```
17 |
18 | Regarding the coding style, please follow the AFL style.
19 | No camel case at all and use AFL's macros wherever possible
20 | (e.g. WARNF, FATAL, MAP_SIZE, ...).
21 |
22 | Remember that AFLplusplus has to build and run on many platforms, so
23 | generalize your Makefiles/GNUmakefile (or your patches to our pre-existing
24 | Makefiles) to be as generic as possible.
25 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/fbs.dict:
--------------------------------------------------------------------------------
1 | # spec: https://google.github.io/flatbuffers/flatbuffers_grammar.html
2 |
3 | attribute="attribute"
4 | bool="bool"
5 | byte="byte"
6 | double="double"
7 | enum="enum"
8 | false="false"
9 | file_extension="file_extension"
10 | float32="float32"
11 | float64="float64"
12 | float="float"
13 | include="include"
14 | inf="inf"
15 | infinity="infinity"
16 | int16="int16"
17 | int32="int32"
18 | int64="int64"
19 | int8="int8"
20 | int="int"
21 | long="long"
22 | namespace="namespace"
23 | nan="nan"
24 | root_type="root_type"
25 | root_type="root_type"
26 | rpc_service="rpc_service"
27 | short="short"
28 | string="string"
29 | struct="struct"
30 | table="table"
31 | true="true"
32 | ubyte="ubyte"
33 | uint16="uint16"
34 | uint32="uint32"
35 | uint64="uint64"
36 | uint="uint"
37 | ulong="ulong"
38 | union="union"
39 | ushort="ushort"
40 |
41 | separator=":"
42 | eol=";"
43 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/workflows/rust_custom_mutator.yml:
--------------------------------------------------------------------------------
1 | name: Rust Custom Mutators
2 |
3 | on:
4 | push:
5 | branches: [ stable, dev ]
6 | pull_request:
7 | branches: [ stable, dev ]
8 |
9 | jobs:
10 | test:
11 | name: Test Rust Custom Mutator Support
12 | runs-on: '${{ matrix.os }}'
13 | defaults:
14 | run:
15 | working-directory: custom_mutators/rust
16 | strategy:
17 | matrix:
18 | os: [ubuntu-20.04]
19 | steps:
20 | - uses: actions/checkout@v2
21 | - name: Install Rust Toolchain
22 | uses: actions-rs/toolchain@v1
23 | with:
24 | toolchain: stable
25 | - name: Check Code Compiles
26 | run: cargo check
27 | - name: Run General Tests
28 | run: cargo test
29 | - name: Run Tests for afl_internals feature flag
30 | run: cd custom_mutator && cargo test --features=afl_internals
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/testcases/README.md:
--------------------------------------------------------------------------------
1 | # AFL starting test cases
2 |
3 | (See [../README.md](../README.md) for the general instruction manual.)
4 |
5 | The archives/, images/, multimedia/, and others/ subdirectories contain small,
6 | standalone files that can be used to seed afl-fuzz when testing parsers for a
7 | variety of common data formats.
8 |
9 | There is probably not much to be said about these files, except that they were
10 | optimized for size and stripped of any non-essential fluff. Some directories
11 | contain several examples that exercise various features of the underlying format.
12 | For example, there is a PNG file with and without a color profile.
13 |
14 | Additional test cases are always welcome.
15 |
16 | In addition to well-chosen starting files, many fuzzing jobs benefit from a
17 | small and concise dictionary. See [../dictionaries/README.md](../dictionaries/README.md) for more.
18 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/README.md:
--------------------------------------------------------------------------------
1 | # custum mutator: libfuzzer LLVMFuzzerMutate()
2 |
3 | This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12.
4 |
5 | just type `make` to build
6 |
7 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/libfuzzer/libfuzzer-mutator.so afl-fuzz ...```
8 |
9 | Note that this is currently a simple implementation and it is missing two features:
10 | * Splicing ("Crossover")
11 | * Dictionary support
12 |
13 | To update the source, all that is needed is that FuzzerDriver.cpp has to receive
14 | ```
15 | #include "libfuzzer.inc"
16 | ```
17 | before the closing namespace bracket.
18 |
19 | It is also libfuzzer.inc where the configuration of the libfuzzer mutations
20 | are done.
21 |
22 | > Original repository: https://github.com/llvm/llvm-project
23 | > Path: compiler-rt/lib/fuzzer/*.{h|cpp}
24 | > Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb
25 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/protobuf.dict:
--------------------------------------------------------------------------------
1 | # Keywords taken from https://developers.google.com/protocol-buffers/docs/reference/proto2-spec
2 |
3 | bool="bool"
4 | bytes="bytes"
5 | double="double"
6 | enum="enum"
7 | extend="extend"
8 | extension="extension"
9 | false="false"
10 | fixed32="fixed32"
11 | fixed64="fixed64"
12 | float="float"
13 | group="group"
14 | import="import"
15 | inner="inner"
16 | int32="int32"
17 | int64="int64"
18 | map="map<"
19 | message="message"
20 | option="option"
21 | optional="optional"
22 | package="package"
23 | public="public"
24 | repeated="repeated"
25 | required="required"
26 | reserved="reserved"
27 | returns="returns"
28 | rpc="rpc"
29 | service="service"
30 | sfixed32="sfixed32"
31 | sfixed64="sfixed64"
32 | sint32="sint32"
33 | sint64="sint64"
34 | stream="stream"
35 | string="string"
36 | syntax="syntax"
37 | true="true"
38 | uint32="uint32"
39 | uint64="uint64"
40 | weak="weak"
41 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/ts/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "@worksbutnottested/aflplusplus-frida",
3 | "version": "1.0.1",
4 | "description": "AFLplusplus Frida Mode",
5 | "main": "./dist/afl.js",
6 | "types": "./dist/afl.d.ts",
7 | "files": [
8 | "/dist/"
9 | ],
10 | "repository": {
11 | "type": "git",
12 | "url": "git@github.com:worksbutnottested/AFLplusplus.git"
13 | },
14 | "publishConfig": {
15 | "cache": "~/.npm",
16 | "registry": "https://npm.pkg.github.com/@worksbutnottested"
17 | },
18 | "scripts": {
19 | "prepare": "npm run build",
20 | "build": "tsc",
21 | "lint": "tslint -p tslint.json"
22 | },
23 | "devDependencies": {
24 | "@types/node": "^14.14.2",
25 | "typescript": "^4.0.3",
26 | "typescript-tslint-plugin": "^0.5.5",
27 | "tslint": "^6.1.3"
28 | },
29 | "dependencies": {
30 | "@types/frida-gum": "^16.2.0"
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerFork.h:
--------------------------------------------------------------------------------
1 | //===- FuzzerFork.h - run fuzzing in sub-processes --------------*- C++ -* ===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 |
9 | #ifndef LLVM_FUZZER_FORK_H
10 | #define LLVM_FUZZER_FORK_H
11 |
12 | #include "FuzzerDefs.h"
13 | #include "FuzzerOptions.h"
14 | #include "FuzzerRandom.h"
15 |
16 | #include <string>
17 |
18 | namespace fuzzer {
19 | void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
20 | const Vector<std::string> &Args,
21 | const Vector<std::string> &CorpusDirs, int NumJobs);
22 | } // namespace fuzzer
23 |
24 | #endif // LLVM_FUZZER_FORK_H
25 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/test-unsigaction.c:
--------------------------------------------------------------------------------
1 | #include <signal.h> /* sigemptyset(), sigaction(), kill(), SIGUSR1 */
2 | #include <stdlib.h> /* exit() */
3 | #include <unistd.h> /* getpid() */
4 | #include <errno.h> /* errno */
5 | #include <stdio.h> /* fprintf() */
6 |
7 | static void mysig_handler(int sig) {
8 |
9 | exit(2);
10 |
11 | }
12 |
13 | int main() {
14 |
15 | /* setup sig handler */
16 | struct sigaction sa;
17 | sa.sa_handler = mysig_handler;
18 | sigemptyset(&sa.sa_mask);
19 | sa.sa_flags = 0;
20 | if (sigaction(SIGCHLD, &sa, NULL)) {
21 |
22 | fprintf(stderr, "could not set signal handler %d, aborted\n", errno);
23 | exit(1);
24 |
25 | }
26 |
27 | kill(getpid(), SIGCHLD);
28 | return 0;
29 |
30 | }
31 |
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/png.dict:
--------------------------------------------------------------------------------
1 | #
2 | # AFL dictionary for PNG images
3 | # -----------------------------
4 | #
5 | # Just the basic, standard-originating sections; does not include vendor
6 | # extensions.
7 | #
8 | # Created by Michal Zalewski
9 | #
10 |
11 | header_png="\x89PNG\x0d\x0a\x1a\x0a"
12 |
13 | section_IDAT="IDAT"
14 | section_IEND="IEND"
15 | section_IHDR="IHDR"
16 | section_PLTE="PLTE"
17 | section_bKGD="bKGD"
18 | section_cHRM="cHRM"
19 | section_fRAc="fRAc"
20 | section_gAMA="gAMA"
21 | section_gIFg="gIFg"
22 | section_gIFt="gIFt"
23 | section_gIFx="gIFx"
24 | section_hIST="hIST"
25 | section_iCCP="iCCP"
26 | section_iTXt="iTXt"
27 | section_oFFs="oFFs"
28 | section_pCAL="pCAL"
29 | section_pHYs="pHYs"
30 | section_sBIT="sBIT"
31 | section_sCAL="sCAL"
32 | section_sPLT="sPLT"
33 | section_sRGB="sRGB"
34 | section_sTER="sTER"
35 | section_tEXt="tEXt"
36 | section_tIME="tIME"
37 | section_tRNS="tRNS"
38 | section_zTXt="zTXt"
39 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/compcov_x64/compcov_target.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Sample target file to test afl-unicorn fuzzing capabilities.
3 | * This is a very trivial example that will crash pretty easily
4 | * in several different exciting ways.
5 | *
6 | * Input is assumed to come from a buffer located at DATA_ADDRESS
7 | * (0x00300000), so make sure that your Unicorn emulation of this
8 | * puts user data there.
9 | *
10 | * Written by Andrea Fioraldi
11 | */
12 |
13 | // Magic address where mutated data will be placed
14 | #define DATA_ADDRESS 0x00300000
15 |
16 | int main(void) {
17 | unsigned int *data_buf = (unsigned int *) DATA_ADDRESS;
18 |
19 | if (((unsigned short*)data_buf)[0] == 0x0100) {
20 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
21 | } else if (data_buf[1] == data_buf[2] + 0xfffe) {
22 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
23 | }
24 |
25 | return 0;
26 | }
27 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerMain.cpp:
--------------------------------------------------------------------------------
1 | //===- FuzzerMain.cpp - main() function and flags -------------------------===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 | // main() and flags.
9 | //===----------------------------------------------------------------------===//
10 |
11 | #include "FuzzerDefs.h"
12 | #include "FuzzerPlatform.h"
13 |
14 | extern "C" {
15 |
16 | // This function should be defined by the user.
17 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
18 |
19 | } // extern "C"
20 |
21 | ATTRIBUTE_INTERFACE int main(int argc, char **argv) {
22 |
23 | return fuzzer::FuzzerDriver(&argc, &argv, LLVMFuzzerTestOneInput);
24 |
25 | }
26 |
27 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/jsonnet.dict:
--------------------------------------------------------------------------------
1 | # https://jsonnet.org/ref/spec.html
2 |
3 | # Keywords
4 | "assert"
5 | "else"
6 | "error"
7 | "false"
8 | "for"
9 | "function"
10 | "if"
11 | "import"
12 | "importstr"
13 | "in"
14 | "local"
15 | "null"
16 | "self"
17 | "super"
18 | "tailstrict"
19 | "then"
20 | "true"
21 | "super"
22 | "local"
23 |
24 | # operators
25 | "|||"
26 | "@\""
27 | "@'"
28 | "!="
29 | "=="
30 | "[::]"
31 | "+:::"
32 |
33 | # functions
34 | "std.acos("
35 | "std.asin("
36 | "std.atan("
37 | "std.ceil("
38 | "std.char("
39 | "std.codepoint("
40 | "std.cos("
41 | "std.equals("
42 | "std.exp("
43 | "std.exponent("
44 | "std.floor("
45 | "std.join("
46 | "std.length("
47 | "std.log("
48 | "std.makeArray("
49 | "std.mantissa("
50 | "std.mod"
51 | "std.modulo("
52 | "std.objectFiledsEx("
53 | "std.objectsHasEx("
54 | "std.pow("
55 | "std.primitiveEquals("
56 | "std.sin("
57 | "std.slice("
58 | "std.sqrt("
59 | "std.tan("
60 | "std.type("
61 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/png/persistent/hook/load.js:
--------------------------------------------------------------------------------
1 | Afl.print('******************');
2 | Afl.print('* AFL FRIDA MODE *');
3 | Afl.print('******************');
4 | Afl.print('');
5 |
6 | Afl.print(`PID: ${Process.id}`);
7 |
8 | const name = Process.enumerateModules()[0].name;
9 | Afl.print(`Name: ${name}`);
10 |
11 | new ModuleMap().values().forEach(m => {
12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 |
15 | const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
16 | Afl.print(`persistent_addr: ${persistent_addr}`);
17 | Afl.setEntryPoint(persistent_addr);
18 | Afl.setPersistentAddress(persistent_addr);
19 |
20 | const path = Afl.module.path;
21 | const dir = path.substring(0, path.lastIndexOf("/"));
22 | const mod = Module.load(`${dir}/frida_mode/build/frida_hook.so`);
23 | const hook = mod.getExportByName('afl_persistent_hook');
24 | Afl.setPersistentHook(hook);
25 |
26 | Afl.print("done");
27 | Afl.done();
28 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/heif.dict:
--------------------------------------------------------------------------------
1 | # https://standards.iso.org/ittf/PubliclyAvailableStandards/c066067_ISO_IEC_23008-12_2017.zip
2 |
3 | "altr"
4 | "auxC"
5 | "auxc"
6 | "auxi"
7 | "auxv"
8 | "avcC"
9 | "avci"
10 | "avcs"
11 | "ccst"
12 | "cdsc"
13 | "clap"
14 | "colr"
15 | "dimg"
16 | "dinf"
17 | "dref"
18 | "elst"
19 | "equi"
20 | "free"
21 | "frma"
22 | "ftyp"
23 | "grid"
24 | "grp1"
25 | "hdlr"
26 | "heic"
27 | "heim"
28 | "heis"
29 | "heix"
30 | "hevc"
31 | "hevx"
32 | "hvc1"
33 | "hvc2"
34 | "hvcC"
35 | "idat"
36 | "iden"
37 | "iinf"
38 | "iloc"
39 | "imir"
40 | "infe"
41 | "iovl"
42 | "ipro"
43 | "iprp"
44 | "iref"
45 | "irot"
46 | "ispe"
47 | "jpeg"
48 | "jpgC"
49 | "jpgs"
50 | "lhv1"
51 | "lhvC"
52 | "lsel"
53 | "mdat"
54 | "meta"
55 | "mif1"
56 | "mime"
57 | "mjpg"
58 | "msf1"
59 | "oinf"
60 | "pasp"
61 | "pict"
62 | "pitm"
63 | "pixi"
64 | "refs"
65 | "rloc"
66 | "schi"
67 | "schm"
68 | "sgpd"
69 | "sinf"
70 | "skip"
71 | "stsz"
72 | "subs"
73 | "thmb"
74 | "tkhd"
75 | "tols"
76 | "trak"
77 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/aflpp_driver/aflpp_qemu_driver_hook.c:
--------------------------------------------------------------------------------
1 | #include "../../qemu_mode/qemuafl/qemuafl/api.h"
2 |
3 | #include <stdint.h>
4 | #include <string.h>
5 |
6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base))
7 | #define h2g(x) ((uint64_t)(x)-guest_base)
8 |
9 | void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
10 | uint8_t *input_buf, uint32_t input_buf_len) {
11 |
12 | // In this example the register RDI is pointing to the memory location
13 | // of the target buffer, and the length of the input is in RSI.
14 | // This can be seen with a debugger, e.g. gdb (and "disass main")
15 |
16 | memcpy(g2h(regs->rdi), input_buf, input_buf_len);
17 | regs->rsi = input_buf_len;
18 |
19 | }
20 |
21 | #undef g2h
22 | #undef h2g
23 |
24 | int afl_persistent_hook_init(void) {
25 |
26 | // 1 for shared memory input (faster), 0 for normal input (you have to use
27 | // read(), input_buf will be NULL)
28 | return 1;
29 |
30 | }
31 |
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/unsigaction/Makefile:
--------------------------------------------------------------------------------
1 | #
2 | # american fuzzy lop++ - unsigaction
3 | # --------------------------------
4 | #
5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com>
6 | #
7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved.
8 | #
9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | # http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 | .POSIX:
16 |
17 | _UNIQ=_QINU_
18 |
19 | TARGETCANDIDATES=unsigaction.so
20 | _TARGETS=$(_UNIQ)$(AFL_NO_X86)$(_UNIQ)
21 | __TARGETS=$(_TARGETS:$(_UNIQ)1$(_UNIQ)=)
22 | TARGETS=$(__TARGETS:$(_UNIQ)$(_UNIQ)=$(TARGETCANDIDATES))
23 |
24 | all: $(TARGETS)
25 |
26 | unsigaction.so: unsigaction.c
27 | @if $(CC) -fPIC -shared unsigaction.c -o unsigaction.so 2>/dev/null ; then echo "unsigaction build success"; else echo "unsigaction build failure (that's fine)"; fi
28 |
29 | clean:
30 | rm -f unsigaction.so
31 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/COMPILE.md:
--------------------------------------------------------------------------------
1 | # C Sample
2 |
3 | This shows a simple persistent harness for unicornafl in C.
4 | In contrast to the normal c harness, this harness manually resets the unicorn state on each new input.
5 | Thanks to this, we can rerun the testcase in unicorn multiple times, without the need to fork again.
6 |
7 | ## Compiling sample.c
8 |
9 | The target can be built using the `make` command.
10 | Just make sure you have built unicorn support first:
11 | ```bash
12 | cd /path/to/afl/unicorn_mode
13 | ./build_unicorn_support.sh
14 | ```
15 |
16 | ## Compiling persistent_target.c
17 |
18 | You don't need to compile persistent_target.c since a X86_64 binary version is
19 | pre-built and shipped in this sample folder. This file documents how the binary
20 | was built in case you want to rebuild it or recompile it for any reason.
21 |
22 | The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in gcc.
23 |
24 | We then load the binary and we execute the main function directly.
25 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 | **IMPORTANT**
11 | 1. You have verified that the issue to be present in the current `dev` branch
12 | 2. Please supply the command line options and relevant environment variables, e.g. a copy-paste of the contents of `out/default/fuzzer_setup`
13 |
14 | Thank you for making AFL++ better!
15 |
16 | **Describe the bug**
17 | A clear and concise description of what the bug is.
18 |
19 | **To Reproduce**
20 | Steps to reproduce the behavior:
21 | 1. ...
22 | 2. ...
23 |
24 | **Expected behavior**
25 | A clear and concise description of what you expected to happen.
26 |
27 | **Screen output/Screenshots**
28 | If applicable, add copy-paste of the screen output or screenshot that shows the issue. Please ensure the output is in **English** and not in Chinese, Russian, German, etc.
29 |
30 | **Additional context**
31 | Add any other context about the problem here.
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/js/patch.js:
--------------------------------------------------------------------------------
1 | Afl.print('******************');
2 | Afl.print('* AFL FRIDA MODE *');
3 | Afl.print('******************');
4 | Afl.print('');
5 |
6 | const main = DebugSymbol.fromName('main').address;
7 | Afl.print(`main: ${main}`);
8 | Afl.setEntryPoint(main);
9 | Afl.setPersistentAddress(main);
10 | Afl.setPersistentCount(10000000);
11 |
12 | const crc32_check = DebugSymbol.fromName('crc32_check').address;
13 | const crc32_replacement = new NativeCallback(
14 | (buf, len) => {
15 | Afl.print(`len: ${len}`);
16 | if (len < 4) {
17 | return 0;
18 | }
19 |
20 | return 1;
21 | },
22 | 'int',
23 | ['pointer', 'int']);
24 | Interceptor.replace(crc32_check, crc32_replacement);
25 |
26 | const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address
27 | const boring_replacement = new NativeCallback(
28 | (c) => { },
29 | 'void',
30 | ['char']);
31 | Interceptor.replace(some_boring_bug, boring_replacement);
32 |
33 | Afl.done();
34 | Afl.print("done");
35 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/examples/common.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # encoding: utf-8
3 | """
4 | Module containing functions shared between multiple AFL modules
5 |
6 | @author: Christian Holler (:decoder)
7 |
8 | @license:
9 |
10 | This Source Code Form is subject to the terms of the Mozilla Public
11 | License, v. 2.0. If a copy of the MPL was not distributed with this
12 | file, You can obtain one at http://mozilla.org/MPL/2.0/.
13 |
14 | @contact: choller@mozilla.com
15 | """
16 |
17 | from __future__ import print_function
18 | import random
19 | import os
20 | import re
21 |
22 |
23 | def randel(l):
24 | if not l:
25 | return None
26 | return l[random.randint(0, len(l) - 1)]
27 |
28 |
29 | def randel_pop(l):
30 | if not l:
31 | return None
32 | return l.pop(random.randint(0, len(l) - 1))
33 |
34 |
35 | def write_exc_example(data, exc):
36 | exc_name = re.sub(r"[^a-zA-Z0-9]", "_", repr(exc))
37 |
38 | if not os.path.exists(exc_name):
39 | with open(exc_name, "w") as f:
40 | f.write(data)
41 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/honggfuzz/mangle.h:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * honggfuzz - buffer mangling routines
4 | * -----------------------------------------
5 | *
6 | * Author: Robert Swiecki <swiecki@google.com>
7 | *
8 | * Copyright 2010-2018 by Google Inc. All Rights Reserved.
9 | *
10 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 | * not use this file except in compliance with the License. You may obtain
12 | * a copy of the License at
13 | *
14 | * http://www.apache.org/licenses/LICENSE-2.0
15 | *
16 | * Unless required by applicable law or agreed to in writing, software
17 | * distributed under the License is distributed on an "AS IS" BASIS,
18 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
19 | * implied. See the License for the specific language governing
20 | * permissions and limitations under the License.
21 | *
22 | */
23 |
24 | #ifndef _HF_MANGLE_H_
25 | #define _HF_MANGLE_H_
26 |
27 | #include "honggfuzz.h"
28 |
29 | extern void mangle_mangleContent(run_t* run, int speed_factor);
30 |
31 | #endif
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/intercept.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "intercept.h"
6 |
7 | void intercept_hook(void *address, gpointer replacement, gpointer user_data) {
8 |
9 | GumInterceptor *interceptor = gum_interceptor_obtain();
10 | gum_interceptor_begin_transaction(interceptor);
11 | GumReplaceReturn ret =
12 | gum_interceptor_replace(interceptor, address, replacement, user_data);
13 | if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); }
14 | gum_interceptor_end_transaction(interceptor);
15 |
16 | }
17 |
18 | void intercept_unhook(void *address) {
19 |
20 | GumInterceptor *interceptor = gum_interceptor_obtain();
21 |
22 | gum_interceptor_begin_transaction(interceptor);
23 | gum_interceptor_revert(interceptor, address);
24 | gum_interceptor_end_transaction(interceptor);
25 | gum_interceptor_flush(interceptor);
26 |
27 | }
28 |
29 | void intercept_unhook_self(void) {
30 |
31 | GumInvocationContext *ctx = gum_interceptor_get_current_invocation();
32 | intercept_unhook(ctx->function);
33 |
34 | }
35 |
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/qemu_persistent_hook/read_into_rdi.c:
--------------------------------------------------------------------------------
1 | #include "../../qemu_mode/qemuafl/qemuafl/api.h"
2 |
3 | #include <stdio.h>
4 | #include <string.h>
5 |
6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base))
7 | #define h2g(x) ((uint64_t)(x)-guest_base)
8 |
9 | void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
10 | uint8_t *input_buf, uint32_t input_buf_len) {
11 |
12 | // In this example the register RDI is pointing to the memory location
13 | // of the target buffer, and the length of the input is in RSI.
14 | // This can be seen with a debugger, e.g. gdb (and "disass main")
15 |
16 | printf("Placing input into 0x%lx\n", regs->rdi);
17 |
18 | if (input_buf_len > 1024) input_buf_len = 1024;
19 | memcpy(g2h(regs->rdi), input_buf, input_buf_len);
20 | regs->rsi = input_buf_len;
21 |
22 | }
23 |
24 | #undef g2h
25 | #undef h2g
26 |
27 | int afl_persistent_hook_init(void) {
28 |
29 | // 1 for shared memory input (faster), 0 for normal input (you have to use
30 | // read(), input_buf will be NULL)
31 | return 1;
32 |
33 | }
34 |
35 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/frida.map:
--------------------------------------------------------------------------------
1 | {
2 | global:
3 | __afl_fuzz_len;
4 | __afl_fuzz_ptr;
5 | __afl_sharedmem_fuzzing;
6 | afl_frida_start;
7 | js_api_add_exclude_range;
8 | js_api_add_include_range;
9 | js_api_done;
10 | js_api_error;
11 | js_api_set_debug_maps;
12 | js_api_set_entrypoint;
13 | js_api_set_instrument_coverage_file;
14 | js_api_set_instrument_debug_file;
15 | js_api_set_instrument_jit;
16 | js_api_set_instrument_libraries;
17 | js_api_set_instrument_no_optimize;
18 | js_api_set_instrument_seed;
19 | js_api_set_instrument_trace;
20 | js_api_set_instrument_trace_unique;
21 | js_api_set_persistent_address;
22 | js_api_set_persistent_count;
23 | js_api_set_persistent_debug;
24 | js_api_set_persistent_hook;
25 | js_api_set_persistent_return;
26 | js_api_set_prefetch_backpatch_disable;
27 | js_api_set_prefetch_disable;
28 | js_api_set_stalker_callback;
29 | js_api_set_stats_file;
30 | js_api_set_stats_interval;
31 | js_api_set_stderr;
32 | js_api_set_stdout;
33 |
34 | local:
35 | *;
36 | };
37 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/osx-lib/harness3.c:
--------------------------------------------------------------------------------
1 | #include <string.h>
2 | #include <assert.h>
3 | #include <stdio.h>
4 | #include <stdlib.h>
5 | #include <dlfcn.h>
6 |
7 |
8 | extern void crashme(const uint8_t *Data, size_t Size);
9 |
10 | int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
11 | crashme(data, size);
12 | return 0;
13 | }
14 |
15 | void run (int argc, const char * argv[])
16 | {
17 | for (int i = 1; i < argc; i++) {
18 | fprintf(stderr, "Running: %s\n", argv[i]);
19 | FILE *f = fopen(argv[i], "r");
20 | assert(f);
21 | fseek(f, 0, SEEK_END);
22 | size_t len = ftell(f);
23 | fseek(f, 0, SEEK_SET);
24 | unsigned char *buf = (unsigned char*)malloc(len);
25 | size_t n_read = fread(buf, 1, len, f);
26 | fclose(f);
27 | assert(n_read == len);
28 | LLVMFuzzerTestOneInput(buf, len);
29 | free(buf);
30 | fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
31 | }
32 | }
33 |
34 | int main(int argc, const char * argv[])
35 | {
36 |
37 | run(argc, argv);
38 |
39 | return 0;
40 | }
41 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/defork/forking_target.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <unistd.h>
3 | #include <stdint.h>
4 | #include <sys/types.h>
5 |
6 | /* This is an example target for defork.c - fuzz using
7 | ```
8 | mkdir in; echo a > ./in/a
9 | AFL_PRELOAD=./defork64.so ../../afl-fuzz -i in -o out -- ./forking_target @@
10 | ```
11 | */
12 |
13 | int main(int argc, char **argv) {
14 |
15 | if (argc < 2) {
16 |
17 | printf("Example tool to test defork.\nUsage ./forking_target <input>\n");
18 | return -1;
19 |
20 | }
21 |
22 | pid_t pid = fork();
23 | if (pid == 0) {
24 |
25 | printf("We're in the child.\n");
26 | FILE *f = fopen(argv[1], "r");
27 | char buf[4096];
28 | fread(buf, 1, 4096, f);
29 | fclose(f);
30 | uint32_t offset = buf[100] + (buf[101] << 8);
31 | char test_val = buf[offset];
32 | return test_val < 100;
33 |
34 | } else if (pid < 0) {
35 |
36 | perror("fork");
37 | return -1;
38 |
39 | } else {
40 |
41 | printf("We are in the parent - defork didn't work! :( (pid=%d)\n",
42 | (int)pid);
43 |
44 | }
45 |
46 | return 0;
47 |
48 | }
49 |
50 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/afl_untracer/libtestinstr.c:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop++ - a trivial program to test the build
3 | --------------------------------------------------------
4 | Originally written by Michal Zalewski
5 | Copyright 2014 Google Inc. All rights reserved.
6 | Copyright 2019-2020 AFLplusplus Project. All rights reserved.
7 | Licensed under the Apache License, Version 2.0 (the "License");
8 | you may not use this file except in compliance with the License.
9 | You may obtain a copy of the License at:
10 | http://www.apache.org/licenses/LICENSE-2.0
11 | */
12 |
13 | #include <stdio.h>
14 | #include <stdlib.h>
15 | #include <unistd.h>
16 | #include <string.h>
17 | #include <sys/types.h>
18 | #include <sys/stat.h>
19 | #include <fcntl.h>
20 |
21 | void testinstr(char *buf, int len) {
22 |
23 | if (len < 1) return;
24 | buf[len] = 0;
25 |
26 | // we support three input cases
27 | if (buf[0] == '0')
28 | printf("Looks like a zero to me!\n");
29 | else if (buf[0] == '1')
30 | printf("Pretty sure that is a one!\n");
31 | else
32 | printf("Neither one or zero? How quaint!\n");
33 |
34 | }
35 |
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerSHA1.h:
--------------------------------------------------------------------------------
1 | //===- FuzzerSHA1.h - Internal header for the SHA1 utils --------*- C++ -* ===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 | // SHA1 utils.
9 | //===----------------------------------------------------------------------===//
10 |
11 | #ifndef LLVM_FUZZER_SHA1_H
12 | #define LLVM_FUZZER_SHA1_H
13 |
14 | #include "FuzzerDefs.h"
15 | #include <cstddef>
16 | #include <stdint.h>
17 |
18 | namespace fuzzer {
19 |
20 | // Private copy of SHA1 implementation.
21 | static const int kSHA1NumBytes = 20;
22 |
23 | // Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'.
24 | void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out);
25 |
26 | std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]);
27 |
28 | std::string Hash(const Unit &U);
29 |
30 | } // namespace fuzzer
31 |
32 | #endif // LLVM_FUZZER_SHA1_H
33 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/gramatron/preprocess/prep_automaton.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # This script creates a FSA describing the input grammar *.g4
4 |
5 | if [ ! "$#" -lt 4 ]; then
6 | echo "Usage: ./prep_pda.sh <grammar_file> <start> [stack_limit]"
7 | exit 1
8 | fi
9 |
10 | GRAMMAR_FILE=$1
11 | GRAMMAR_DIR="$(dirname $GRAMMAR_FILE)"
12 | START="$2"
13 | STACK_LIMIT="$3"
14 |
15 | # Get filename
16 | FILE=$(basename -- "$GRAMMAR_FILE")
17 | echo "File:$FILE"
18 | FILENAME="${FILE%.*}"
19 | echo "Name:$FILENAME"
20 |
21 |
22 | # Create the GNF form of the grammar
23 | CMD="python gnf_converter.py --gf $GRAMMAR_FILE --out ${FILENAME}.json --start $START"
24 | $CMD
25 |
26 | # Generate grammar automaton
27 | # Check if user provided a stack limit
28 | if [ -z "${STACK_LIMIT}" ]; then
29 | CMD="python3 construct_automata.py --gf ${FILENAME}.json"
30 | else
31 | CMD="python construct_automata.py --gf ${FILENAME}.json --limit ${STACK_LIMIT}"
32 | fi
33 | echo $CMD
34 | $CMD
35 |
36 | # Move PDA to the source dir of the grammar
37 | echo "Copying ${FILENAME}_automata.json to $GRAMMAR_DIR"
38 | mv "${FILENAME}_automata.json" $GRAMMAR_DIR/
39 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/radamsa/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2013 Aki Helin
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy
4 | of this software and associated documentation files (the "Software"), to deal
5 | in the Software without restriction, including without limitation the rights
6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
7 | copies of the Software, and to permit persons to whom the Software is
8 | furnished to do so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in
11 | all copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
19 | THE SOFTWARE.
20 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/README.wine.md:
--------------------------------------------------------------------------------
1 | # How to troubleshoot AFL++'s wine mode
2 |
3 | ## 1) Debugging
4 | To turn on wine debugging use the `WINEDEBUG` environment variable,
5 | e.g. `WINEDEBUG=+timestamp,+tid,+loaddll`.
6 |
7 | ## 2) LoadLibraryA workaround
8 | The forked process fails to load libraries loaded via `LoadLibrary`
9 | if the load happens after the entry point (error code: 87). To resolve
10 | this issue, one needs to load any external libraries before the fork happens.
11 |
12 | An early DLL load can be achieved by adding the DLL name into the `Import Directory`
13 | in the PE file. Such an entry can be added manually in any PE editor.
14 |
15 | Alternativly, one can generate a `.lib` file from the DLL exports and link
16 | them together with the harness to create an entry in the `Import Directory`.
17 | Use `dumpbin /exports <filename>.dll` to extract the exports and paste the
18 | exported function names into a `.def` file. Use `lib /def:<deffile> /OUT:<libfile>`
19 | to generate a `.lib` and add the library to the linker options. Once the usage of
20 | an export is detected (`__declspec(dllimport)`), the
21 | linker adds the early DLL load.
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/hoextdown.dict:
--------------------------------------------------------------------------------
1 | asterisk="*"
2 | attr_generic=" a=\"1\""
3 | attr_href=" href=\"1\""
4 | attr_xml_lang=" xml:lang=\"1\""
5 | attr_xmlns=" xmlns=\"1\""
6 | backslash="\\"
7 | backtick="`"
8 | colon=":"
9 | dashes="---"
10 | double_quote="\""
11 | entity_builtin="<"
12 | entity_decimal="�"
13 | entity_external="&a;"
14 | entity_hex="�"
15 | equals="==="
16 | exclamation="!"
17 | greater_than=">"
18 | hash="#"
19 | hyphen="-"
20 | indent=" "
21 | left_bracket="["
22 | left_paren="("
23 | less_than="<"
24 | plus="+"
25 | right_bracket="]"
26 | right_paren=")"
27 | single_quote="'"
28 | string_any="ANY"
29 | string_brackets="[]"
30 | string_cdata="CDATA"
31 | string_dashes="--"
32 | string_empty_dblquotes="\"\""
33 | string_empty_quotes="''"
34 | string_idrefs="IDREFS"
35 | string_parentheses="()"
36 | string_pcdata="#PCDATA"
37 | tag_cdata="<![CDATA["
38 | tag_close="</a>"
39 | tag_doctype="<!DOCTYPE"
40 | tag_element="<!ELEMENT"
41 | tag_entity="<!ENTITY"
42 | tag_notation="<!NOTATION"
43 | tag_open="<a>"
44 | tag_open_close="<a />"
45 | tag_open_exclamation="<!"
46 | tag_open_q="<?"
47 | tag_sq2_close="]]>"
48 | tag_xml_q="<?xml?>"
49 | underscore="_"
50 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/png/persistent/hook/cmodule.js:
--------------------------------------------------------------------------------
1 | Afl.print('******************');
2 | Afl.print('* AFL FRIDA MODE *');
3 | Afl.print('******************');
4 | Afl.print('');
5 |
6 | Afl.print(`PID: ${Process.id}`);
7 |
8 | const name = Process.enumerateModules()[0].name;
9 | Afl.print(`Name: ${name}`);
10 |
11 | new ModuleMap().values().forEach(m => {
12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 |
15 | const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
16 | Afl.print(`persistent_addr: ${persistent_addr}`);
17 | Afl.setEntryPoint(persistent_addr);
18 | Afl.setPersistentAddress(persistent_addr);
19 |
20 | const cm = new CModule(`
21 |
22 | #include <string.h>
23 | #include <gum/gumdefs.h>
24 |
25 | void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
26 | uint32_t input_buf_len) {
27 |
28 | memcpy((void *)regs->rdi, input_buf, input_buf_len);
29 | regs->rsi = input_buf_len;
30 |
31 | }
32 | `,
33 | {
34 | memcpy: Module.getExportByName(null, 'memcpy')
35 | });
36 | Afl.setPersistentHook(cm.afl_persistent_hook);
37 |
38 | Afl.print("done");
39 | Afl.done();
40 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/output/GNUmakefile:
--------------------------------------------------------------------------------
1 | PWD:=$(shell pwd)/
2 | ROOT:=$(PWD)../../../
3 | BUILD_DIR:=$(PWD)build/
4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
5 | TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
6 |
7 | TESTINSTBIN:=$(BUILD_DIR)testinstr
8 | TESTINSTSRC:=$(PWD)testinstr.c
9 |
10 | QEMU_OUT:=$(BUILD_DIR)qemu-out
11 | FRIDA_OUT:=$(BUILD_DIR)frida-out
12 |
13 | .PHONY: all 32 clean qemu frida
14 |
15 | all: $(TESTINSTBIN)
16 | make -C $(ROOT)frida_mode/
17 |
18 | 32:
19 | CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
20 |
21 | $(BUILD_DIR):
22 | mkdir -p $@
23 |
24 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
25 | mkdir -p $@
26 |
27 | $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
28 | echo -n "000" > $@
29 |
30 | $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
31 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
32 |
33 | clean:
34 | rm -rf $(BUILD_DIR)
35 |
36 | frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
37 | AFL_FRIDA_OUTPUT_STDOUT=frida_stdout.txt \
38 | AFL_FRIDA_OUTPUT_STDERR=frida_stderr.txt \
39 | AFL_FRIDA_STATS_FILE=frida_stats.txt \
40 | AFL_FRIDA_STATS_INTERVAL=1 \
41 | $(ROOT)afl-fuzz \
42 | -D \
43 | -O \
44 | -i $(TESTINSTR_DATA_DIR) \
45 | -o $(FRIDA_OUT) \
46 | -- \
47 | $(TESTINSTBIN) @@
48 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
1 | name: CI
2 |
3 | on:
4 | push:
5 | branches: [ stable, dev ]
6 | pull_request:
7 | branches: [ stable, dev ]
8 |
9 | jobs:
10 | build:
11 | runs-on: '${{ matrix.os }}'
12 | strategy:
13 | matrix:
14 | os: [ubuntu-20.04, ubuntu-18.04]
15 | steps:
16 | - uses: actions/checkout@v2
17 | - name: debug
18 | run: apt-cache search plugin-dev | grep gcc- ; echo ; apt-cache search clang-format- | grep clang-format-
19 | - name: update
20 | run: sudo apt-get update && sudo apt-get upgrade -y
21 | - name: install packages
22 | run: sudo apt-get install -y -m -f --install-suggests build-essential git libtool libtool-bin automake bison libglib2.0-0 clang llvm-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build
23 | - name: compiler installed
24 | run: gcc -v ; echo ; clang -v
25 | - name: install gcc plugin
26 | run: sudo apt-get install -y -m -f --install-suggests $(readlink /usr/bin/gcc)-plugin-dev
27 | - name: build afl++
28 | run: make distrib ASAN_BUILD=1
29 | - name: run tests
30 | run: sudo -E ./afl-system-config ; export AFL_SKIP_CPUFREQ=1 ; make tests
31 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/aff.dict:
--------------------------------------------------------------------------------
1 | # https://www.systutorials.com/docs/linux/man/4-hunspell/
2 |
3 | # Affix keywords
4 | "AF"
5 | "AM"
6 | "BREAK"
7 | "CHECKCOMPOUNDCASE"
8 | "CHECKCOMPOUNDDUP"
9 | "CHECKCOMPOUNDPATTERN"
10 | "CHECKCOMPOUNDREP"
11 | "CHECKCOMPOUNDTRIPLE"
12 | "COMPLEXPREFIXES"
13 | "COMPOUNDBEGIN"
14 | "COMPOUNDFLAG"
15 | "COMPOUNDFORBIDFLAG"
16 | "COMPOUNDLAST"
17 | "COMPOUNDMIDDLE"
18 | "COMPOUNDMIN"
19 | "COMPOUNDPERMITFLAG"
20 | "COMPOUNDROOT"
21 | "COMPOUNDRULE"
22 | "COMPOUNDSYLLABLE"
23 | "COMPOUNDWORDMAX"
24 | "FLAG"
25 | "FORBIDWARN"
26 | "FORCEUCASE"
27 | "IGNORE"
28 | "KEY"
29 | "LANG"
30 | "MAP"
31 | "MAXCODSUGS"
32 | "MAXDIFF"
33 | "MAXNGRAMSUGS"
34 | "NOSPLITSUGS"
35 | "NOSUGGEST"
36 | "ONLYINCOMPOUND"
37 | "ONLYMAXDIFF"
38 | "PFX"
39 | "PHONE"
40 | "REP"
41 | "SET"
42 | "SFX"
43 | "SIMPLIFIEDTRIPLE"
44 | "SUGWITHDOTS"
45 | "SYLLABLENUM"
46 | "TRY"
47 | "WARN"
48 | "CIRCUMFIX"
49 | "FORBIDDENWORD"
50 | "FULLSTRIP"
51 | "KEEPCASE"
52 | "ICONV"
53 | "OCONV"
54 | "LEMMA_PRESENT"
55 | "NEEDAFFIX"
56 | "PSEUDOROOT"
57 | "SUBSTANDARD"
58 | "WORDCHARS"
59 | "CHECKSHARPS"
60 |
61 | # Optional data fields
62 | "ph:"
63 | "st:"
64 | "al:"
65 | "po:"
66 | "ds:"
67 | "is:"
68 | "ts:"
69 | "sp:"
70 | "pa:"
71 | "dp:"
72 | "ip:"
73 | "tp:"
74 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/util/get_symbol_addr.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Copyright 2020 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | # set -x
16 | target="$1"
17 | symbol="$2"
18 | base="$3"
19 |
20 | test -z "$target" -o -z "$symbol" -o '!' -e "$target" && exit 0
21 |
22 | test $(uname -s) = "Darwin" && symbol=_"$symbol"
23 |
24 | file "$target" | grep -q executable && {
25 | nm "$target" | grep -i "T $symbol" | awk '{print"0x"$1}'
26 | exit 0
27 | }
28 |
29 | hex_base=$(echo "$3" | awk '{sub("^0x","");print $0}' | tr a-f A-F )
30 | nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F | \
31 | xargs echo "ibase=16;obase=10;$hex_base + " | bc | tr A-F a-f | awk '{print "0x"$0}'
32 | exit 0
33 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerExtFunctions.h:
--------------------------------------------------------------------------------
1 | //===- FuzzerExtFunctions.h - Interface to external functions ---*- C++ -* ===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 | // Defines an interface to (possibly optional) functions.
9 | //===----------------------------------------------------------------------===//
10 |
11 | #ifndef LLVM_FUZZER_EXT_FUNCTIONS_H
12 | #define LLVM_FUZZER_EXT_FUNCTIONS_H
13 |
14 | #include <stddef.h>
15 | #include <stdint.h>
16 |
17 | namespace fuzzer {
18 |
19 | struct ExternalFunctions {
20 | // Initialize function pointers. Functions that are not available will be set
21 | // to nullptr. Do not call this constructor before ``main()`` has been
22 | // entered.
23 | ExternalFunctions();
24 |
25 | #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
26 | RETURN_TYPE(*NAME) FUNC_SIG = nullptr
27 |
28 | #include "FuzzerExtFunctions.def"
29 |
30 | #undef EXT_FUNC
31 | };
32 | } // namespace fuzzer
33 |
34 | #endif
35 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/xpath.dict:
--------------------------------------------------------------------------------
1 | # https://developer.mozilla.org/en-US/docs/Web/XPath
2 | # https://devhints.io/xpath
3 |
4 | # selectors
5 | "//"
6 | "./"
7 | "::"
8 | "[*]"
9 |
10 |
11 | # functions - https://developer.mozilla.org/en-US/docs/Web/XPath/Functions
12 | "boolean("
13 | "ceiling("
14 | "choose("
15 | "concat("
16 | "contains("
17 | "count("
18 | "current()"
19 | "document("
20 | "element-available("
21 | "ends-with("
22 | "false()"
23 | "floor("
24 | "format-number("
25 | "function-available("
26 | "generate-id("
27 | "id("
28 | "key("
29 | "lang("
30 | "last()"
31 | "local-name("
32 | "name("
33 | "namespace-uri("
34 | "normalize-space("
35 | "not("
36 | "number("
37 | "or"
38 | "position("
39 | "round("
40 | "starts-with("
41 | "string("
42 | "string-length("
43 | "substring("
44 | "substring-after("
45 | "substring-before("
46 | "sum("
47 | "system-property("
48 | "text()"
49 | "translate("
50 | "true()"
51 | "unparsed-entity-url("
52 |
53 | # axes - https://developer.mozilla.org/en-US/docs/Web/XPath/Axes
54 | "ancestor"
55 | "ancestor-or-self"
56 | "attribute"
57 | "child"
58 | "descendant"
59 | "descendant-or-self"
60 | "following"
61 | "following-sibling"
62 | "namespace"
63 | "parent"
64 | "preceding"
65 | "preceding-sibling"
66 | "self"
67 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/aflpp_driver/aflpp_qemu_driver.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdint.h>
3 | #include <stdlib.h>
4 | #include <unistd.h>
5 |
6 | // libFuzzer interface is thin, so we don't include any libFuzzer headers.
7 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
8 | __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
9 |
10 | #define kMaxAflInputSize (1 * 1024 * 1024)
11 | static uint8_t AflInputBuf[kMaxAflInputSize];
12 |
13 | void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) {
14 |
15 | size_t l = read(0, AflInputBuf, kMaxAflInputSize);
16 | LLVMFuzzerTestOneInput(AflInputBuf, l);
17 |
18 | }
19 |
20 | int main(int argc, char **argv) {
21 |
22 | if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
23 | // Do any other expensive one-time initialization here.
24 |
25 | if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) {
26 |
27 | afl_qemu_driver_stdin_input();
28 |
29 | } else {
30 |
31 | fprintf(stderr,
32 | "Using shared-memory testcases. To read via stdin, set "
33 | "AFL_QEMU_DRIVER_NO_HOOK=1.\n");
34 | uint8_t dummy_input[1024000] = {0};
35 | LLVMFuzzerTestOneInput(dummy_input, 1);
36 |
37 | }
38 |
39 | return 0;
40 |
41 | }
42 |
43 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/exe/GNUmakefile:
--------------------------------------------------------------------------------
1 | PWD:=$(shell pwd)/
2 | ROOT:=$(PWD)../../../
3 | BUILD_DIR:=$(PWD)build/
4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
5 | TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
6 |
7 | TESTINSTBIN:=$(BUILD_DIR)testinstr
8 | TESTINSTSRC:=$(PWD)testinstr.c
9 |
10 | QEMU_OUT:=$(BUILD_DIR)qemu-out
11 | FRIDA_OUT:=$(BUILD_DIR)frida-out
12 |
13 | .PHONY: all 32 clean qemu frida
14 |
15 | all: $(TESTINSTBIN)
16 | make -C $(ROOT)frida_mode/
17 |
18 | 32:
19 | CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
20 |
21 | $(BUILD_DIR):
22 | mkdir -p $@
23 |
24 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
25 | mkdir -p $@
26 |
27 | $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
28 | echo -n "000" > $@
29 |
30 | $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
31 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -no-pie
32 |
33 | clean:
34 | rm -rf $(BUILD_DIR)
35 |
36 |
37 | qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
38 | $(ROOT)afl-fuzz \
39 | -D \
40 | -Q \
41 | -i $(TESTINSTR_DATA_DIR) \
42 | -o $(QEMU_OUT) \
43 | -- \
44 | $(TESTINSTBIN) @@
45 |
46 | frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
47 | $(ROOT)afl-fuzz \
48 | -D \
49 | -O \
50 | -i $(TESTINSTR_DATA_DIR) \
51 | -o $(FRIDA_OUT) \
52 | -- \
53 | $(TESTINSTBIN) @@
54 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/include/persistent.h:
--------------------------------------------------------------------------------
1 |
2 | #ifndef _PERSISTENT_H
3 | #define _PERSISTENT_H
4 |
5 | #include "frida-gumjs.h"
6 | #include "config.h"
7 |
8 | typedef struct arch_api_regs api_regs;
9 |
10 | typedef void (*afl_persistent_hook_fn)(api_regs *regs, uint64_t guest_base,
11 | uint8_t *input_buf,
12 | uint32_t input_buf_len);
13 |
14 | extern int __afl_persistent_loop(unsigned int max_cnt);
15 |
16 | extern unsigned int * __afl_fuzz_len;
17 | extern unsigned char *__afl_fuzz_ptr;
18 |
19 | extern guint64 persistent_start;
20 | extern guint64 persistent_count;
21 | extern guint64 persistent_ret;
22 | extern gboolean persistent_debug;
23 | extern afl_persistent_hook_fn persistent_hook;
24 |
25 | void persistent_config(void);
26 |
27 | void persistent_init(void);
28 |
29 | /* Functions to be implemented by the different architectures */
30 | gboolean persistent_is_supported(void);
31 |
32 | void persistent_prologue(GumStalkerOutput *output);
33 | void persistent_prologue_arch(GumStalkerOutput *output);
34 |
35 | void persistent_epilogue(GumStalkerOutput *output);
36 | void persistent_epilogue_arch(GumStalkerOutput *output);
37 |
38 | #endif
39 |
40 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/dictionaries/tiff.dict:
--------------------------------------------------------------------------------
1 | #
2 | # AFL dictionary for TIFF images
3 | # ------------------------------
4 | #
5 | # Just the basic, standard-originating sections; does not include vendor
6 | # extensions.
7 | #
8 | # Created by Michal Zalewski
9 | #
10 |
11 | header_ii="II*\x00"
12 | header_mm="MM\x00*"
13 |
14 | section_100="\x00\x01"
15 | section_101="\x01\x01"
16 | section_102="\x02\x01"
17 | section_103="\x03\x01"
18 | section_106="\x06\x01"
19 | section_107="\x07\x01"
20 | section_10D="\x0d\x01"
21 | section_10E="\x0e\x01"
22 | section_10F="\x0f\x01"
23 | section_110="\x10\x01"
24 | section_111="\x11\x01"
25 | section_112="\x12\x01"
26 | section_115="\x15\x01"
27 | section_116="\x16\x01"
28 | section_117="\x17\x01"
29 | section_11A="\x1a\x01"
30 | section_11B="\x1b\x01"
31 | section_11C="\x1c\x01"
32 | section_11D="\x1d\x01"
33 | section_11E="\x1e\x01"
34 | section_11F="\x1f\x01"
35 | section_122="\"\x01"
36 | section_123="#\x01"
37 | section_124="$\x01"
38 | section_125="%\x01"
39 | section_128="(\x01"
40 | section_129=")\x01"
41 | section_12D="-\x01"
42 | section_131="1\x01"
43 | section_132="2\x01"
44 | section_13B=";\x01"
45 | section_13C="<\x01"
46 | section_13D="=\x01"
47 | section_13E=">\x01"
48 | section_13F="?\x01"
49 | section_140="@\x01"
50 | section_FE="\xfe\x00"
51 | section_FF="\xff\x00"
52 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/libfuzzer.inc:
--------------------------------------------------------------------------------
1 |
2 |
3 | extern "C" ATTRIBUTE_INTERFACE void
4 | LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) {
5 | Random Rand(Seed);
6 | FuzzingOptions Options;
7 | Options.Verbosity = 3;
8 | Options.MaxLen = 1024000;
9 | Options.LenControl = true;
10 | Options.DoCrossOver = false;
11 | Options.MutateDepth = 6;
12 | Options.UseCounters = false;
13 | Options.UseMemmem = false;
14 | Options.UseCmp = false;
15 | Options.UseValueProfile = false;
16 | Options.Shrink = false;
17 | Options.ReduceInputs = false;
18 | Options.PreferSmall = false;
19 | Options.ReloadIntervalSec = 0;
20 | Options.OnlyASCII = false;
21 | Options.DetectLeaks = false;
22 | Options.PurgeAllocatorIntervalSec = 0;
23 | Options.TraceMalloc = false;
24 | Options.RssLimitMb = 100;
25 | Options.MallocLimitMb = 100;
26 | Options.MaxNumberOfRuns = 0;
27 | Options.ReportSlowUnits = false;
28 | Options.Entropic = false;
29 |
30 | struct EntropicOptions Entropic;
31 | Entropic.Enabled = Options.Entropic;
32 | EF = new ExternalFunctions();
33 | auto *MD = new MutationDispatcher(Rand, Options);
34 | auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
35 | auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
36 | }
37 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/README.ngram.md:
--------------------------------------------------------------------------------
1 | # AFL N-Gram Branch Coverage
2 |
3 | ## Source
4 |
5 | This is an LLVM-based implementation of the n-gram branch coverage proposed in
6 | the paper ["Be Sensitive and Collaborative: Analzying Impact of Coverage Metrics
7 | in Greybox Fuzzing"](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf),
8 | by Jinghan Wang, et. al.
9 |
10 | Note that the original implementation (available
11 | [here](https://github.com/bitsecurerlab/afl-sensitive))
12 | is built on top of AFL's QEMU mode.
13 | This is essentially a port that uses LLVM vectorized instructions (available from
14 | llvm versions 4.0.1 and higher) to achieve the same results when compiling source code.
15 |
16 | In math the branch coverage is performed as follows:
17 | `map[current_location ^ prev_location[0] >> 1 ^ prev_location[1] >> 1 ^ ... up to n-1`] += 1`
18 |
19 | ## Usage
20 |
21 | The size of `n` (i.e., the number of branches to remember) is an option
22 | that is specified either in the `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or the
23 | `AFL_LLVM_NGRAM_SIZE` environment variable.
24 | Good values are 2, 4 or 8, valid are 2-16.
25 |
26 | It is highly recommended to increase the MAP_SIZE_POW2 definition in
27 | config.h to at least 18 and maybe up to 20 for this as otherwise too
28 | many map collisions occur.
29 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/rust/example/src/example_mutator.rs:
--------------------------------------------------------------------------------
1 | #![cfg(unix)]
2 | #![allow(unused_variables)]
3 |
4 | use custom_mutator::{export_mutator, CustomMutator};
5 |
6 | struct ExampleMutator;
7 |
8 | impl CustomMutator for ExampleMutator {
9 | type Error = ();
10 |
11 | fn init(seed: u32) -> Result<Self, Self::Error> {
12 | Ok(Self)
13 | }
14 |
15 | fn fuzz<'b, 's: 'b>(
16 | &'s mut self,
17 | buffer: &'b mut [u8],
18 | add_buff: Option<&[u8]>,
19 | max_size: usize,
20 | ) -> Result<Option<&'b [u8]>, Self::Error> {
21 | buffer.reverse();
22 | Ok(Some(buffer))
23 | }
24 | }
25 |
26 | struct OwnBufferExampleMutator {
27 | own_buffer: Vec<u8>,
28 | }
29 |
30 | impl CustomMutator for OwnBufferExampleMutator {
31 | type Error = ();
32 |
33 | fn init(seed: u32) -> Result<Self, Self::Error> {
34 | Ok(Self {
35 | own_buffer: Vec::new(),
36 | })
37 | }
38 |
39 | fn fuzz<'b, 's: 'b>(
40 | &'s mut self,
41 | buffer: &'b mut [u8],
42 | add_buff: Option<&[u8]>,
43 | max_size: usize,
44 | ) -> Result<Option<&'b [u8]>, ()> {
45 | self.own_buffer.reverse();
46 | Ok(Some(self.own_buffer.as_slice()))
47 | }
48 | }
49 |
50 | export_mutator!(ExampleMutator);
51 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/jpeg/get_symbol_addr.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | import argparse
3 | from elftools.elf.elffile import ELFFile
4 |
5 | def process_file(file, symbol, base):
6 | with open(file, 'rb') as f:
7 | elf = ELFFile(f)
8 | symtab = elf.get_section_by_name('.symtab')
9 | mains = symtab.get_symbol_by_name(symbol)
10 | if len(mains) != 1:
11 | print ("Failed to find main")
12 | return 1
13 |
14 | main_addr = mains[0]['st_value']
15 | main = base + main_addr
16 | print ("0x%016x" % main)
17 | return 0
18 |
19 | def hex_value(x):
20 | return int(x, 16)
21 |
22 | def main():
23 | parser = argparse.ArgumentParser(description='Process some integers.')
24 | parser.add_argument('-f', '--file', dest='file', type=str,
25 | help='elf file name', required=True)
26 | parser.add_argument('-s', '--symbol', dest='symbol', type=str,
27 | help='symbol name', required=True)
28 | parser.add_argument('-b', '--base', dest='base', type=hex_value,
29 | help='elf base address', required=True)
30 |
31 | args = parser.parse_args()
32 | return process_file (args.file, args.symbol, args.base)
33 |
34 | if __name__ == "__main__":
35 | ret = main()
36 | exit(ret)
37 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/proj4/get_symbol_addr.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | import argparse
3 | from elftools.elf.elffile import ELFFile
4 |
5 | def process_file(file, symbol, base):
6 | with open(file, 'rb') as f:
7 | elf = ELFFile(f)
8 | symtab = elf.get_section_by_name('.symtab')
9 | mains = symtab.get_symbol_by_name(symbol)
10 | if len(mains) != 1:
11 | print ("Failed to find main")
12 | return 1
13 |
14 | main_addr = mains[0]['st_value']
15 | main = base + main_addr
16 | print ("0x%016x" % main)
17 | return 0
18 |
19 | def hex_value(x):
20 | return int(x, 16)
21 |
22 | def main():
23 | parser = argparse.ArgumentParser(description='Process some integers.')
24 | parser.add_argument('-f', '--file', dest='file', type=str,
25 | help='elf file name', required=True)
26 | parser.add_argument('-s', '--symbol', dest='symbol', type=str,
27 | help='symbol name', required=True)
28 | parser.add_argument('-b', '--base', dest='base', type=hex_value,
29 | help='elf base address', required=True)
30 |
31 | args = parser.parse_args()
32 | return process_file (args.file, args.symbol, args.base)
33 |
34 | if __name__ == "__main__":
35 | ret = main()
36 | exit(ret)
37 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/gramatron/test.h:
--------------------------------------------------------------------------------
1 | #include <stdint.h>
2 | #include <stdlib.h>
3 | #include <string.h>
4 | #include <stdio.h>
5 | #include <json-c/json.h>
6 | #include <unistd.h>
7 | #include "hashmap.h"
8 | #include "uthash.h"
9 | #include "utarray.h"
10 |
11 | #define INIT_SIZE 100 // Initial size of the dynamic array holding the input
12 |
13 | typedef struct terminal {
14 |
15 | int state;
16 | int trigger_idx;
17 | size_t symbol_len;
18 | char * symbol;
19 |
20 | } terminal;
21 |
22 | typedef struct trigger {
23 |
24 | char * id;
25 | int dest;
26 | char * term;
27 | size_t term_len;
28 |
29 | } trigger;
30 |
31 | typedef struct state {
32 |
33 | int state_name; // Integer State name
34 | int trigger_len; // Number of triggers associated with this state
35 | trigger *ptr; // Pointer to beginning of the list of triggers
36 |
37 | } state;
38 |
39 | typedef struct {
40 |
41 | size_t used;
42 | size_t size;
43 | size_t inputlen;
44 | terminal *start;
45 |
46 | } Array;
47 |
48 | int init_state;
49 | int curr_state;
50 | int final_state;
51 |
52 | state *create_pda(char *);
53 | Array *gen_input(state *, Array *);
54 | void print_repr(Array *, char *);
55 | void initArray(Array *, size_t);
56 | void insertArray(Array *, int, char *, size_t, int);
57 |
58 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/Makefile:
--------------------------------------------------------------------------------
1 | # UnicornAFL Usage
2 | # Original Unicorn Example Makefile by Nguyen Anh Quynh <aquynh@gmail.com>, 2015
3 | # Adapted for AFL++ by domenukk <domenukk@gmail.com>, 2020
4 | .POSIX:
5 | UNAME_S =$(shell uname -s)# GNU make
6 | UNAME_S:sh=uname -s # BSD make
7 | _UNIQ=_QINU_
8 |
9 | LIBDIR = ../../unicornafl
10 | BIN_EXT =
11 | AR_EXT = a
12 |
13 | # Verbose output?
14 | V ?= 0
15 |
16 | CFLAGS += -Wall -Werror -I../../unicornafl/include
17 |
18 | LDFLAGS += -L$(LIBDIR) -lpthread -lm
19 |
20 | _LRT = $(_UNIQ)$(UNAME_S:Linux=)
21 | __LRT = $(_LRT:$(_UNIQ)=-lrt)
22 | LRT = $(__LRT:$(_UNIQ)=)
23 |
24 | LDFLAGS += $(LRT)
25 |
26 | _CC = $(_UNIQ)$(CROSS)
27 | __CC = $(_CC:$(_UNIQ)=$(CC))
28 | MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc)
29 |
30 | .PHONY: all clean
31 |
32 | all: harness
33 |
34 | clean:
35 | rm -rf *.o harness harness-debug
36 |
37 | harness.o: harness.c ../../unicornafl/include/unicorn/*.h
38 | ${MYCC} ${CFLAGS} -O3 -c harness.c
39 |
40 | harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
41 | ${MYCC} ${CFLAGS} -g -c harness.c -o $@
42 |
43 | harness: harness.o
44 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@
45 |
46 | debug: harness-debug.o
47 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug
48 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/.dockerignore:
--------------------------------------------------------------------------------
1 | .test
2 | .test2
3 | .sync_tmp
4 | *.o
5 | *.so
6 | *.pyc
7 | *.dSYM
8 | as
9 | ld
10 | in
11 | out
12 | core*
13 | afl-analyze
14 | afl-as
15 | afl-clang
16 | afl-clang\+\+
17 | afl-clang-fast
18 | afl-clang-fast\+\+
19 | afl-clang-lto
20 | afl-clang-lto\+\+
21 | afl-fuzz
22 | afl-g\+\+
23 | afl-gcc
24 | afl-gcc-fast
25 | afl-g\+\+-fast
26 | afl-gotcpu
27 | afl-ld
28 | afl-ld-lto
29 | afl-qemu-trace
30 | afl-showmap
31 | afl-tmin
32 | afl-analyze.8
33 | afl-as.8
34 | afl-clang-fast\+\+.8
35 | afl-clang-fast.8
36 | afl-clang-lto.8
37 | afl-clang-lto\+\+.8
38 | afl-cmin.8
39 | afl-cmin.bash.8
40 | afl-fuzz.8
41 | afl-gcc.8
42 | afl-gcc-fast.8
43 | afl-g\+\+-fast.8
44 | afl-gotcpu.8
45 | afl-plot.8
46 | afl-showmap.8
47 | afl-system-config.8
48 | afl-tmin.8
49 | afl-whatsup.8
50 | qemu_mode/libcompcov/compcovtest
51 | qemu_mode/qemu-*
52 | unicorn_mode/samples/*/\.test-*
53 | unicorn_mode/samples/*/output
54 | unicorn_mode/unicornafl
55 | test/unittests/unit_maybe_alloc
56 | test/unittests/unit_preallocable
57 | test/unittests/unit_list
58 | test/unittests/unit_rand
59 | test/unittests/unit_hash
60 | examples/afl_network_proxy/afl-network-server
61 | examples/afl_network_proxy/afl-network-client
62 | examples/afl_frida/afl-frida
63 | examples/afl_frida/libtestinstr.so
64 | examples/afl_frida/frida-gum-example.c
65 | examples/afl_frida/frida-gum.h
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/radamsa/GNUmakefile:
--------------------------------------------------------------------------------
1 | CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
2 |
3 | all: radamsa-mutator.so
4 |
5 | # These can be overriden:
6 | CFLAGS ?= $(CFLAGS_FLTO)
7 |
8 | # These are required: (otherwise radamsa gets very very slooooow)
9 | CFLAGS += -O3 -funroll-loops
10 |
11 | #libradamsa.so: libradamsa.a
12 | # $(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so
13 |
14 | libradamsa.a: libradamsa.c radamsa.h
15 | @echo " ***************************************************************"
16 | @echo " * Compiling libradamsa, wait some minutes (~3 on modern CPUs) *"
17 | @echo " ***************************************************************"
18 | $(CC) -fPIC $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c
19 |
20 | radamsa-mutator.so: radamsa-mutator.c libradamsa.a
21 | $(CC) $(CFLAGS) $(CPPFLAGS) -g -I. -I../../include -shared -fPIC -c radamsa-mutator.c
22 | $(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC -o radamsa-mutator.so radamsa-mutator.o libradamsa.a
23 |
24 | test: libradamsa.a libradamsa-test.c
25 | $(CC) $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a
26 | ./libradamsa-test libradamsa-test.c | grep "library test passed"
27 | rm /tmp/libradamsa-*.fuzz
28 |
29 | clean:
30 | rm -f radamsa-mutator.so libradamsa.a libradamsa-test *.o *~ core
31 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/persistent/persistent_arm32.c:
--------------------------------------------------------------------------------
1 | #include "frida-gumjs.h"
2 |
3 | #include "debug.h"
4 |
5 | #include "persistent.h"
6 | #include "util.h"
7 |
8 | #if defined(__arm__)
9 |
10 | struct arm_regs {
11 |
12 | uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10;
13 |
14 | union {
15 |
16 | uint32_t r11;
17 | uint32_t fp;
18 |
19 | };
20 |
21 | union {
22 |
23 | uint32_t r12;
24 | uint32_t ip;
25 |
26 | };
27 |
28 | union {
29 |
30 | uint32_t r13;
31 | uint32_t sp;
32 |
33 | };
34 |
35 | union {
36 |
37 | uint32_t r14;
38 | uint32_t lr;
39 |
40 | };
41 |
42 | union {
43 |
44 | uint32_t r15;
45 | uint32_t pc;
46 |
47 | };
48 |
49 | uint32_t cpsr;
50 |
51 | uint8_t vfp_zregs[32][16];
52 | uint32_t vfp_xregs[16];
53 |
54 | };
55 |
56 | typedef struct arm_regs arch_api_regs;
57 |
58 | gboolean persistent_is_supported(void) {
59 |
60 | return false;
61 |
62 | }
63 |
64 | void persistent_prologue_arch(GumStalkerOutput *output) {
65 |
66 | UNUSED_PARAMETER(output);
67 | FATAL("Persistent mode not supported on this architecture");
68 |
69 | }
70 |
71 | void persistent_epilogue_arch(GumStalkerOutput *output) {
72 |
73 | UNUSED_PARAMETER(output);
74 | FATAL("Persistent mode not supported on this architecture");
75 |
76 | }
77 |
78 | #endif
79 |
80 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/osx-lib/lib2.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdlib.h>
3 | #include <stdint.h>
4 | #include <string.h>
5 |
6 |
7 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
8 |
9 | if (Size < 1) return;
10 |
11 | char *buf = malloc(10);
12 |
13 | if (buf == NULL) return;
14 |
15 | switch (Data[0]) {
16 |
17 | /* Underflow */
18 | case 'U':
19 | printf("Underflow\n");
20 | buf[-1] = '\0';
21 | free(buf);
22 | break;
23 | /* Overflow */
24 | case 'O':
25 | printf("Overflow\n");
26 | buf[10] = '\0';
27 | free(buf);
28 | break;
29 | /* Double free */
30 | case 'D':
31 | printf("Double free\n");
32 | free(buf);
33 | free(buf);
34 | break;
35 | /* Use after free */
36 | case 'A':
37 | printf("Use after free\n");
38 | free(buf);
39 | buf[0] = '\0';
40 | break;
41 | /* Test Limits (OK) */
42 | case 'T':
43 | printf("Test-Limits - No Error\n");
44 | buf[0] = 'A';
45 | buf[9] = 'I';
46 | free(buf);
47 | break;
48 | case 'M':
49 | printf("Memset too many\n");
50 | memset(buf, '\0', 11);
51 | free(buf);
52 | break;
53 | default:
54 | printf("Nop - No Error\n");
55 | break;
56 |
57 | }
58 |
59 |
60 | }
61 |
62 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/simple/simple_target.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Sample target file to test afl-unicorn fuzzing capabilities.
3 | * This is a very trivial example that will crash pretty easily
4 | * in several different exciting ways.
5 | *
6 | * Input is assumed to come from a buffer located at DATA_ADDRESS
7 | * (0x00300000), so make sure that your Unicorn emulation of this
8 | * puts user data there.
9 | *
10 | * Written by Nathan Voss <njvoss99@gmail.com>
11 | */
12 |
13 | // Magic address where mutated data will be placed
14 | #define DATA_ADDRESS 0x00300000
15 |
16 | int main(void) {
17 | unsigned char *data_buf = (unsigned char *) DATA_ADDRESS;
18 |
19 | if (data_buf[20] != 0) {
20 | // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04'
21 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
22 | } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
23 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2]
24 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
25 | } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) {
26 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero
27 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
28 | }
29 |
30 | return 0;
31 | }
32 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/js/replace.js:
--------------------------------------------------------------------------------
1 | Afl.print('******************');
2 | Afl.print('* AFL FRIDA MODE *');
3 | Afl.print('******************');
4 | Afl.print('');
5 |
6 | Afl.print(`PID: ${Process.id}`);
7 |
8 | const name = Process.enumerateModules()[0].name;
9 | Afl.print(`Name: ${name}`);
10 |
11 | new ModuleMap().values().forEach(m => {
12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 |
15 | const slow = DebugSymbol.fromName('slow').address;
16 | Afl.print(`slow: ${slow}`);
17 |
18 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
19 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);
20 |
21 | const cm = new CModule(`
22 |
23 | extern unsigned char * __afl_fuzz_ptr;
24 | extern unsigned int * __afl_fuzz_len;
25 | extern void LLVMFuzzerTestOneInput(char *buf, int len);
26 |
27 | void slow(void) {
28 |
29 | LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
30 | }
31 | `,
32 | {
33 | LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
34 | __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
35 | __afl_fuzz_len: Afl.getAflFuzzLen()
36 | });
37 |
38 | Afl.setEntryPoint(cm.slow);
39 | Afl.setPersistentAddress(cm.slow);
40 | Afl.setInMemoryFuzzing();
41 | Interceptor.replace(slow, cm.slow);
42 | Afl.print("done");
43 | Afl.done();
44 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerUtilLinux.cpp:
--------------------------------------------------------------------------------
1 | //===- FuzzerUtilLinux.cpp - Misc utils for Linux. ------------------------===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 | // Misc utils for Linux.
9 | //===----------------------------------------------------------------------===//
10 | #include "FuzzerPlatform.h"
11 | #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \
12 | LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN
13 | #include "FuzzerCommand.h"
14 |
15 | #include <stdlib.h>
16 | #include <sys/types.h>
17 | #include <sys/wait.h>
18 | #include <unistd.h>
19 |
20 | namespace fuzzer {
21 |
22 | int ExecuteCommand(const Command &Cmd) {
23 |
24 | std::string CmdLine = Cmd.toString();
25 | int exit_code = system(CmdLine.c_str());
26 | if (WIFEXITED(exit_code)) return WEXITSTATUS(exit_code);
27 | return exit_code;
28 |
29 | }
30 |
31 | void DiscardOutput(int Fd) {
32 |
33 | FILE *Temp = fopen("/dev/null", "w");
34 | if (!Temp) return;
35 | dup2(fileno(Temp), Fd);
36 | fclose(Temp);
37 |
38 | }
39 |
40 | } // namespace fuzzer
41 |
42 | #endif
43 |
44 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/output.c:
--------------------------------------------------------------------------------
1 | #include <errno.h>
2 | #include <fcntl.h>
3 | #include <unistd.h>
4 |
5 | #include "frida-gumjs.h"
6 |
7 | #include "debug.h"
8 |
9 | #include "output.h"
10 |
11 | char *output_stdout = NULL;
12 | char *output_stderr = NULL;
13 |
14 | static void output_redirect(int fd, char *filename) {
15 |
16 | char *path = NULL;
17 |
18 | if (filename == NULL) { return; }
19 |
20 | path = g_canonicalize_filename(filename, g_get_current_dir());
21 |
22 | OKF("Redirect %d -> '%s'", fd, path);
23 |
24 | int output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
25 | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
26 |
27 | g_free(path);
28 |
29 | if (output_fd < 0) { FATAL("Failed to open fd(%d) error %d", fd, errno); }
30 |
31 | if (dup2(output_fd, fd) < 0) {
32 |
33 | FATAL("Failed to set fd(%d) error %d", fd, errno);
34 |
35 | }
36 |
37 | close(output_fd);
38 |
39 | }
40 |
41 | void output_config(void) {
42 |
43 | output_stdout = getenv("AFL_FRIDA_OUTPUT_STDOUT");
44 | output_stderr = getenv("AFL_FRIDA_OUTPUT_STDERR");
45 |
46 | }
47 |
48 | void output_init(void) {
49 |
50 | OKF("Output - StdOut: %s", output_stdout);
51 | OKF("Output - StdErr: %s", output_stderr);
52 |
53 | output_redirect(STDOUT_FILENO, output_stdout);
54 | output_redirect(STDERR_FILENO, output_stderr);
55 |
56 | }
57 |
58 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/instrumentation/README.cmplog.md:
--------------------------------------------------------------------------------
1 | # CmpLog instrumentation
2 |
3 | The CmpLog instrumentation enables logging of comparison operands in a
4 | shared memory.
5 |
6 | These values can be used by various mutators built on top of it.
7 | At the moment we support the RedQueen mutator (input-2-state instructions only),
8 | for details see [the RedQueen paper](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf).
9 |
10 | ## Build
11 |
12 | To use CmpLog, you have to build two versions of the instrumented target
13 | program.
14 |
15 | The first version is built using the regular AFL++ instrumentation.
16 |
17 | The second one, the CmpLog binary, is built with setting AFL_LLVM_CMPLOG during the compilation.
18 |
19 | For example:
20 |
21 | ```
22 | ./configure --cc=~/path/to/afl-clang-fast
23 | make
24 | cp ./program ./program.afl
25 | make clean
26 | export AFL_LLVM_CMPLOG=1
27 | ./configure --cc=~/path/to/afl-clang-fast
28 | make
29 | cp ./program ./program.cmplog
30 | unset AFL_LLVM_CMPLOG
31 | ```
32 |
33 | ## Use
34 |
35 | AFL++ has the new `-c` option that needs to be used to specify the CmpLog binary (the second
36 | build).
37 |
38 | For example:
39 |
40 | ```
41 | afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@
42 | ```
43 |
44 | Be sure to use `-m none` because CmpLog can map a lot of pages.
45 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/update_uc_ref.sh:
--------------------------------------------------------------------------------
1 | #/bin/sh
2 |
3 | ##################################################
4 | # AFL++ internal tool to update unicornafl ref.
5 | # Usage: ./update_uc_ref.sh <new commit hash>
6 | # If no commit hash was provided, it'll take HEAD.
7 | ##################################################
8 |
9 | UC_VERSION_FILE='./UNICORNAFL_VERSION'
10 |
11 | NEW_VERSION="$1"
12 |
13 | if [ "$NEW_VERSION" = "-h" ]; then
14 | echo "Internal script to update bound unicornafl version."
15 | echo
16 | echo "Usage: ./update_uc_ref.sh <new commit hash>"
17 | echo "If no commit hash is provided, will use HEAD."
18 | echo "-h to show this help screen."
19 | exit 1
20 | fi
21 |
22 | git submodule init && git submodule update unicornafl || exit 1
23 | cd ./unicornafl || exit 1
24 | git fetch origin dev 1>/dev/null || exit 1
25 | git stash 1>/dev/null 2>/dev/null
26 | git stash drop 1>/dev/null 2>/dev/null
27 | git checkout dev
28 |
29 | if [ -z "$NEW_VERSION" ]; then
30 | # No version provided, take HEAD.
31 | NEW_VERSION=$(git rev-parse --short HEAD)
32 | fi
33 |
34 | if [ -z "$NEW_VERSION" ]; then
35 | echo "Error getting version."
36 | exit 1
37 | fi
38 |
39 | git checkout "$NEW_VERSION" || exit 1
40 |
41 | cd ..
42 |
43 | rm "$UC_VERSION_FILE"
44 | echo "$NEW_VERSION" > "$UC_VERSION_FILE"
45 |
46 | echo "Done. New unicornafl version is $NEW_VERSION."
47 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/libqasan/README.md:
--------------------------------------------------------------------------------
1 | # QEMU AddressSanitizer Runtime
2 |
3 | This library is the injected runtime used by QEMU AddressSanitizer (QASan).
4 |
5 | The original repository is [here](https://github.com/andreafioraldi/qasan).
6 |
7 | The version embedded in qemuafl is an updated version of just the usermode part
8 | and this runtime is injected via LD_PRELOAD (so works just for dynamically
9 | linked binaries).
10 |
11 | The usage is super simple, just set the env var `AFL_USE_QASAN=1` when fuzzing
12 | in qemu mode (-Q). afl-fuzz will automatically set AFL_PRELOAD to load this
13 | library and enable the QASan instrumentation in afl-qemu-trace.
14 |
15 | For debugging purposes, we still suggest to run the original QASan as the
16 | stacktrace support for ARM (just a debug feature, it does not affect the bug
17 | finding capabilities during fuzzing) is WIP.
18 |
19 | ### When should I use QASan?
20 |
21 | If your target binary is PIC x86_64, you should also give a try to
22 | [retrowrite](https://github.com/HexHive/retrowrite) for static rewriting.
23 |
24 | If it fails, or if your binary is for another architecture, or you want to use
25 | persistent and snapshot mode, AFL++ QASan mode is what you want/have to use.
26 |
27 | Note that the overhead of libdislocator when combined with QEMU mode is much
28 | lower but it can catch less bugs. This is a short blanket, take your choice.
29 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/update_ref.sh:
--------------------------------------------------------------------------------
1 | #/bin/sh
2 |
3 | ##################################################
4 | # AFL++ internal tool to update qemuafl ref.
5 | # Usage: ./update_ref.sh <new commit hash>
6 | # If no commit hash was provided, it'll take HEAD.
7 | ##################################################
8 |
9 | UC_VERSION_FILE='./QEMUAFL_VERSION'
10 |
11 | NEW_VERSION="$1"
12 |
13 | if [ "$NEW_VERSION" = "-h" ]; then
14 | echo "Internal script to update bound qemuafl version."
15 | echo
16 | echo "Usage: ./update_ref.sh <new commit hash>"
17 | echo "If no commit hash is provided, will use HEAD."
18 | echo "-h to show this help screen."
19 | exit 1
20 | fi
21 |
22 | git submodule init && git submodule update || exit 1
23 | cd ./qemuafl || exit 1
24 | git fetch origin master 1>/dev/null || exit 1
25 | git stash 1>/dev/null 2>/dev/null
26 | git stash drop 1>/dev/null 2>/dev/null
27 | git checkout master
28 | git pull origin master 1>/dev/null || exit 1
29 |
30 | if [ -z "$NEW_VERSION" ]; then
31 | # No version provided, take HEAD.
32 | NEW_VERSION=$(git rev-parse --short HEAD)
33 | fi
34 |
35 | if [ -z "$NEW_VERSION" ]; then
36 | echo "Error getting version."
37 | exit 1
38 | fi
39 |
40 | git checkout "$NEW_VERSION" || exit 1
41 |
42 | cd ..
43 |
44 | rm "$UC_VERSION_FILE"
45 | echo "$NEW_VERSION" > "$UC_VERSION_FILE"
46 |
47 | echo "Done. New qemuafl version is $NEW_VERSION."
48 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/defork/defork.c:
--------------------------------------------------------------------------------
1 | #define _GNU_SOURCE
2 | #include <dlfcn.h>
3 | #include <unistd.h>
4 | #include <stdio.h>
5 | #include <stdbool.h>
6 |
7 | #include "../../include/config.h"
8 | #include "../../include/types.h"
9 |
10 | /* we want to fork once (for the afl++ forkserver),
11 | then immediately return as child on subsequent forks. */
12 | static bool forked = 0;
13 |
14 | pid_t (*original_fork)(void);
15 |
16 | /* In case we are not running in afl, we use a dummy original_fork */
17 | static pid_t nop(void) {
18 |
19 | return 0;
20 |
21 | }
22 |
23 | __attribute__((constructor)) void preeny_fork_orig() {
24 |
25 | if (getenv(SHM_ENV_VAR)) {
26 |
27 | printf("defork: running in AFL++. Allowing forkserver.\n");
28 | original_fork = dlsym(RTLD_NEXT, "socket");
29 |
30 | } else {
31 |
32 | printf("defork: no AFL++ detected. Disabling fork from the start.\n");
33 | original_fork = &nop;
34 |
35 | }
36 |
37 | }
38 |
39 | pid_t fork(void) {
40 |
41 | /* If we forked before, or if we're in the child (pid==0),
42 | we don't want to fork anymore, else, we are still in the forkserver.
43 | The forkserver parent needs to fork infinite times, each child should never
44 | fork again. This can be written without branches and I hate myself for it.
45 | */
46 | pid_t ret = !forked && original_fork();
47 | forked = !ret;
48 | return ret;
49 |
50 | }
51 |
52 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/libqasan/Makefile:
--------------------------------------------------------------------------------
1 | #
2 | # american fuzzy lop++ - libqasan
3 | # -------------------------------
4 | #
5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com>
6 | #
7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved.
8 | #
9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | # http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 |
16 | PREFIX ?= /usr/local
17 | HELPER_PATH = $(PREFIX)/lib/afl
18 | DOC_PATH ?= $(PREFIX)/share/doc/afl
19 | MAN_PATH ?= $(PREFIX)/share/man/man8
20 |
21 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
22 |
23 | CFLAGS += -I ../qemuafl/qemuafl/
24 | CFLAGS += -Wno-int-to-void-pointer-cast -ggdb
25 | LDFLAGS += -ldl -pthread
26 |
27 | SRC := libqasan.c hooks.c malloc.c string.c uninstrument.c patch.c dlmalloc.c
28 | HDR := libqasan.h
29 |
30 | all: libqasan.so
31 |
32 | libqasan.so: $(HDR) $(SRC)
33 | $(CC) $(CFLAGS) -fPIC -shared $(SRC) -o ../../$@ $(LDFLAGS)
34 |
35 | .NOTPARALLEL: clean
36 |
37 | clean:
38 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
39 | rm -f ../../libqasan.so
40 |
41 | install: all
42 | install -m 755 ../../libqasan.so $${DESTDIR}$(HELPER_PATH)
43 | install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.qasan.md
44 |
45 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/simple_target_noncrashing.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Sample target file to test afl-unicorn fuzzing capabilities.
3 | * This is a very trivial example that will crash pretty easily
4 | * in several different exciting ways.
5 | *
6 | * Input is assumed to come from a buffer located at DATA_ADDRESS
7 | * (0x00300000), so make sure that your Unicorn emulation of this
8 | * puts user data there.
9 | *
10 | * Written by Nathan Voss <njvoss99@gmail.com>
11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de>
12 | */
13 | #include <string.h>
14 |
15 | int main(int argc, char** argv) {
16 | if(argc < 2){
17 | return -1;
18 | }
19 |
20 | char *data_buf = argv[1];
21 |
22 | if (strlen(data_buf) >= 21 && data_buf[20] != 0) {
23 | printf("Not crashing");
24 | } else if (strlen(data_buf) > 1
25 | && data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
26 | printf("Also not crashing with databuf[0] == %c", data_buf[0])
27 | }
28 | #if 0
29 | // not possible with argv (zero terminated strings) (hexcoder-)
30 | // do not try to access data_buf[10] and beyond
31 | else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) {
32 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero
33 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
34 | }
35 | #endif
36 | return 0;
37 | }
38 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/utils/libdislocator/Makefile:
--------------------------------------------------------------------------------
1 | #
2 | # american fuzzy lop++ - libdislocator
3 | # ----------------------------------
4 | #
5 | # Originally written by Michal Zalewski
6 | #
7 | # Copyright 2016 Google Inc. All rights reserved.
8 | #
9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | # http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 |
16 | PREFIX ?= /usr/local
17 | HELPER_PATH = $(PREFIX)/lib/afl
18 |
19 | VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2)
20 |
21 | CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2
22 | override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
23 |
24 | CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE)
25 | CFLAGS += $(CFLAGS_ADD)
26 |
27 | all: libdislocator.so
28 |
29 | libdislocator.so: libdislocator.so.c ../../config.h
30 | $(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC libdislocator.so.c -o $@ $(LDFLAGS)
31 | cp -fv libdislocator.so ../../
32 |
33 | .NOTPARALLEL: clean
34 |
35 | clean:
36 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
37 | rm -f ../../libdislocator.so
38 |
39 | install: all
40 | install -m 755 -d $${DESTDIR}$(HELPER_PATH)
41 | install -m 755 ../../libdislocator.so $${DESTDIR}$(HELPER_PATH)
42 | install -m 644 -T README.md $${DESTDIR}$(HELPER_PATH)/README.dislocator.md
43 |
44 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/test/cmplog/get_section_addrs.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import argparse
3 | from elftools.elf.elffile import ELFFile
4 |
5 |
6 | def process_file(file, section, base):
7 | with open(file, "rb") as f:
8 | for sect in ELFFile(f).iter_sections():
9 | if sect.name == section:
10 | start = base + sect.header["sh_offset"]
11 | end = start + sect.header["sh_size"]
12 | print("0x%016x-0x%016x" % (start, end))
13 | return
14 |
15 | print("Section '%s' not found in '%s'" % (section, file))
16 |
17 |
18 | def hex_value(x):
19 | return int(x, 16)
20 |
21 |
22 | def main():
23 | parser = argparse.ArgumentParser(description="Process some integers.")
24 | parser.add_argument(
25 | "-f", "--file", dest="file", type=str, help="elf file name", required=True
26 | )
27 | parser.add_argument(
28 | "-s",
29 | "--section",
30 | dest="section",
31 | type=str,
32 | help="elf section name",
33 | required=True,
34 | )
35 | parser.add_argument(
36 | "-b",
37 | "--base",
38 | dest="base",
39 | type=hex_value,
40 | help="elf base address",
41 | required=True,
42 | )
43 |
44 | args = parser.parse_args()
45 | process_file(args.file, args.section, args.base)
46 |
47 |
48 | if __name__ == "__main__":
49 | main()
50 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerRandom.h:
--------------------------------------------------------------------------------
1 | //===- FuzzerRandom.h - Internal header for the Fuzzer ----------*- C++ -* ===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 | // fuzzer::Random
9 | //===----------------------------------------------------------------------===//
10 |
11 | #ifndef LLVM_FUZZER_RANDOM_H
12 | #define LLVM_FUZZER_RANDOM_H
13 |
14 | #include <random>
15 |
16 | namespace fuzzer {
17 | class Random : public std::minstd_rand {
18 | public:
19 | explicit Random(unsigned int seed) : std::minstd_rand(seed) {}
20 | result_type operator()() { return this->std::minstd_rand::operator()(); }
21 | size_t Rand() { return this->operator()(); }
22 | size_t RandBool() { return Rand() % 2; }
23 | size_t SkewTowardsLast(size_t n) {
24 | size_t T = this->operator()(n * n);
25 | size_t Res = sqrt(T);
26 | return Res;
27 | }
28 | size_t operator()(size_t n) { return n ? Rand() % n : 0; }
29 | intptr_t operator()(intptr_t From, intptr_t To) {
30 | assert(From < To);
31 | intptr_t RangeSize = To - From + 1;
32 | return operator()(RangeSize) + From;
33 | }
34 | };
35 |
36 | } // namespace fuzzer
37 |
38 | #endif // LLVM_FUZZER_RANDOM_H
39 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/libfuzzer/FuzzerBuiltins.h:
--------------------------------------------------------------------------------
1 | //===- FuzzerBuiltins.h - Internal header for builtins ----------*- C++ -* ===//
2 | //
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 | // See https://llvm.org/LICENSE.txt for license information.
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 | //
7 | //===----------------------------------------------------------------------===//
8 | // Wrapper functions and macros around builtin functions.
9 | //===----------------------------------------------------------------------===//
10 |
11 | #ifndef LLVM_FUZZER_BUILTINS_H
12 | #define LLVM_FUZZER_BUILTINS_H
13 |
14 | #include "FuzzerPlatform.h"
15 |
16 | #if !LIBFUZZER_MSVC
17 | #include <cstdint>
18 |
19 | #define GET_CALLER_PC() __builtin_return_address(0)
20 |
21 | namespace fuzzer {
22 |
23 | inline uint8_t Bswap(uint8_t x) { return x; }
24 | inline uint16_t Bswap(uint16_t x) { return __builtin_bswap16(x); }
25 | inline uint32_t Bswap(uint32_t x) { return __builtin_bswap32(x); }
26 | inline uint64_t Bswap(uint64_t x) { return __builtin_bswap64(x); }
27 |
28 | inline uint32_t Clzll(unsigned long long X) { return __builtin_clzll(X); }
29 | inline uint32_t Clz(unsigned long long X) { return __builtin_clz(X); }
30 | inline int Popcountll(unsigned long long X) { return __builtin_popcountll(X); }
31 |
32 | } // namespace fuzzer
33 |
34 | #endif // !LIBFUZZER_MSVC
35 | #endif // LLVM_FUZZER_BUILTINS_H
36 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/qemu_mode/libcompcov/Makefile:
--------------------------------------------------------------------------------
1 | #
2 | # american fuzzy lop++ - libcompcov
3 | # --------------------------------
4 | #
5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com>
6 | #
7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved.
8 | #
9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | # http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 |
16 | PREFIX ?= /usr/local
17 | HELPER_PATH = $(PREFIX)/lib/afl
18 | DOC_PATH ?= $(PREFIX)/share/doc/afl
19 | MAN_PATH ?= $(PREFIX)/share/man/man8
20 |
21 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
22 |
23 | CFLAGS ?= -O3 -funroll-loops
24 | CFLAGS += -I ../../include/
25 | CFLAGS += -Wall -Wno-unused-result -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
26 | LDFLAGS += -ldl
27 |
28 | all: libcompcov.so
29 |
30 | libcompcov.so: libcompcov.so.c ../../config.h
31 | $(CC) $(CFLAGS) -shared -fPIC $< -o ../../$@ $(LDFLAGS)
32 |
33 | .NOTPARALLEL: clean
34 |
35 | clean:
36 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
37 | rm -f ../../libcompcov.so compcovtest
38 |
39 | compcovtest: compcovtest.cc
40 | $(CXX) -std=c++11 $< -o $@
41 |
42 | install: all
43 | install -m 755 ../../libcompcov.so $${DESTDIR}$(HELPER_PATH)
44 | install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.compcov.md
45 |
46 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/custom_mutators/grammar_mutator/update_grammar_ref.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | ##################################################
4 | # AFL++ tool to update a git ref.
5 | # Usage: ./<script>.sh <new commit hash>
6 | # If no commit hash was provided, it'll take HEAD.
7 | ##################################################
8 |
9 | TOOL="grammar mutator"
10 | VERSION_FILE='./GRAMMAR_VERSION'
11 | REPO_FOLDER='./grammar_mutator'
12 | THIS_SCRIPT=`basename $0`
13 | BRANCH="stable"
14 |
15 | NEW_VERSION="$1"
16 |
17 | if [ "$NEW_VERSION" = "-h" ]; then
18 | echo "Internal script to update bound $TOOL version."
19 | echo
20 | echo "Usage: $THIS_SCRIPT <new commit hash>"
21 | echo "If no commit hash is provided, will use HEAD."
22 | echo "-h to show this help screen."
23 | exit 1
24 | fi
25 |
26 | git submodule init && git submodule update ./grammar_mutator || exit 1
27 | cd "$REPO_FOLDER" || exit 1
28 | git fetch origin $BRANCH 1>/dev/null || exit 1
29 | git stash 1>/dev/null 2>/dev/null
30 | git stash drop 1>/dev/null 2>/dev/null
31 | git checkout $BRANCH
32 |
33 | if [ -z "$NEW_VERSION" ]; then
34 | # No version provided, take HEAD.
35 | NEW_VERSION=$(git rev-parse --short HEAD)
36 | fi
37 |
38 | if [ -z "$NEW_VERSION" ]; then
39 | echo "Error getting version."
40 | exit 1
41 | fi
42 |
43 | git checkout "$NEW_VERSION" || exit 1
44 |
45 | cd ..
46 |
47 | rm "$VERSION_FILE"
48 | echo "$NEW_VERSION" > "$VERSION_FILE"
49 |
50 | echo "Done. New $TOOL version is $NEW_VERSION."
51 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/test/checkcommit.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | CMDLINE="/prg/tests/normal/tiff-4.0.4/tools/thumbnail @@ /dev/null"
3 | INDIR="/prg/tests/normal/tiff-4.0.4/in-small"
4 |
5 | test -z "$1" -o -n "$4" && {
6 | echo "Syntax: $0 commit-id <indir> \"<cmdline>\""
7 | echo
8 | echo "Switches to the defined commit ID, compiles with profiling and runs"
9 | echo "afl-fuzz on a defind target and input directory, saving timing,"
10 | echo "fuzzer_stats and profiling output to \"<commit-id>.out\""
11 | echo "Honors CFLAGS and LDFLAGS"
12 | echo
13 | echo "Defaults:"
14 | echo " indir: \"$INDIR\""
15 | echo " cmdline: \"$CMDLINE\""
16 | exit 1
17 | }
18 |
19 | C=$1
20 | test -n "$2" && INDIR=$2
21 | test -n "$3" && CMDLINE=$3
22 |
23 | git checkout "$C" || { echo "CHECKOUT FAIL $C" > $C.out ; exit 1 ; }
24 | export AFL_BENCH_JUST_ONE=1
25 | test -z "$CFLAGS" && CFLAGS="-O3 -funroll-loops"
26 | export CFLAGS="$CFLAGS -pg"
27 | export LDFLAGS="$LDFLAGS -pg"
28 | make >/dev/null 2>&1 || echo ERROR: BUILD FAILURE
29 | test -x ./afl-fuzz || { echo "BUILD FAIL $C" > $C.out ; make clean ; exit 1 ; }
30 |
31 | START=`date +%s`
32 | echo $START > $C.out
33 | time nice -n -20 ./afl-fuzz -i "$INDIR" -s 123 -o out-profile -- $CMDLINE 2>> $C.out
34 | STOP=`date +%s`
35 | echo $STOP >> $C.out
36 | echo RUNTIME: `expr $STOP - $START` >> $C.out
37 | cat out-profile/default/fuzzer_stats >> $C.out
38 | gprof ./afl-fuzz gmon.out >> $C.out
39 |
40 | make clean >/dev/null 2>&1
41 | rm -rf out-profile gmon.out
42 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/frida_mode/src/util.c:
--------------------------------------------------------------------------------
1 | #include "util.h"
2 |
3 | #include "debug.h"
4 |
5 | guint64 util_read_address(char *key) {
6 |
7 | char *value_str = getenv(key);
8 |
9 | if (value_str == NULL) { return 0; }
10 |
11 | if (!g_str_has_prefix(value_str, "0x")) {
12 |
13 | FATAL("Invalid address should have 0x prefix: %s=%s\n", key, value_str);
14 |
15 | }
16 |
17 | char *value_str2 = &value_str[2];
18 |
19 | for (char *c = value_str2; *c != '\0'; c++) {
20 |
21 | if (!g_ascii_isxdigit(*c)) {
22 |
23 | FATAL("Invalid address not formed of hex digits: %s=%s ('%c')\n", key,
24 | value_str, *c);
25 |
26 | }
27 |
28 | }
29 |
30 | guint64 value = g_ascii_strtoull(value_str2, NULL, 16);
31 | if (value == 0) {
32 |
33 | FATAL("Invalid address failed hex conversion: %s=%s\n", key, value_str2);
34 |
35 | }
36 |
37 | return value;
38 |
39 | }
40 |
41 | guint64 util_read_num(char *key) {
42 |
43 | char *value_str = getenv(key);
44 |
45 | if (value_str == NULL) { return 0; }
46 |
47 | for (char *c = value_str; *c != '\0'; c++) {
48 |
49 | if (!g_ascii_isdigit(*c)) {
50 |
51 | FATAL("Invalid address not formed of decimal digits: %s=%s\n", key,
52 | value_str);
53 |
54 | }
55 |
56 | }
57 |
58 | guint64 value = g_ascii_strtoull(value_str, NULL, 10);
59 | if (value == 0) {
60 |
61 | FATAL("Invalid address failed numeric conversion: %s=%s\n", key, value_str);
62 |
63 | }
64 |
65 | return value;
66 |
67 | }
68 |
69 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/c/persistent_target.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Sample target file to test afl-unicorn fuzzing capabilities.
3 | * This is a very trivial example that will crash pretty easily
4 | * in several different exciting ways.
5 | *
6 | * Input is assumed to come from a buffer located at DATA_ADDRESS
7 | * (0x00300000), so make sure that your Unicorn emulation of this
8 | * puts user data there.
9 | *
10 | * Written by Nathan Voss <njvoss99@gmail.com>
11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de>
12 | */
13 | #include <stdint.h>
14 | #include <string.h>
15 |
16 |
17 | int main(int argc, char** argv) {
18 | if (argc < 2) return -1;
19 |
20 | char *data_buf = argv[1];
21 | uint64_t data_len = strlen(data_buf);
22 | if (data_len < 20) return -2;
23 |
24 | for (; data_len --> 0 ;) {
25 | if (data_len >= 18) continue;
26 | if (data_len > 2 && data_len < 18) {
27 | ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1];
28 | } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) {
29 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero
30 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
31 | }
32 | }
33 | if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
34 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2]
35 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
36 | }
37 |
38 | return 0;
39 | }
40 |
--------------------------------------------------------------------------------
/bug-severity-AFLplusplus/unicorn_mode/samples/persistent/persistent_target.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Sample target file to test afl-unicorn fuzzing capabilities.
3 | * This is a very trivial example that will crash pretty easily
4 | * in several different exciting ways.
5 | *
6 | * Input is assumed to come from a buffer located at DATA_ADDRESS
7 | * (0x00300000), so make sure that your Unicorn emulation of this
8 | * puts user data there.
9 | *
10 | * Written by Nathan Voss <njvoss99@gmail.com>
11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de>
12 | */
13 | #include <stdint.h>
14 | #include <string.h>
15 |
16 |
17 | int main(int argc, char** argv) {
18 | if (argc < 2) return -1;
19 |
20 | char *data_buf = argv[1];
21 | uint64_t data_len = strlen(data_buf);
22 | if (data_len < 20) return -2;
23 |
24 | for (; data_len --> 0 ;) {
25 | if (data_len >= 18) continue;
26 | if (data_len > 2 && data_len < 18) {
27 | ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1];
28 | } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) {
29 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero
30 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
31 | }
32 | }
33 | if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
34 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2]
35 | unsigned char invalid_read = *(unsigned char *) 0x00000000;
36 | }
37 |
38 | return 0;
39 | }
40 |
--------------------------------------------------------------------------------