├── .gitignore ├── Android.bp ├── Android.mk ├── CONTRIBUTING.md ├── Changelog.md ├── Dockerfile ├── GNUmakefile ├── LICENSE ├── Makefile ├── QuickStartGuide.md ├── README.md ├── README_aflpp.md ├── TODO.md ├── afl-cmin ├── afl-cmin.bash ├── afl-plot ├── afl-system-config ├── afl-whatsup ├── afl-wine-trace ├── config.h ├── custom_mutators ├── README.md ├── honggfuzz │ ├── Makefile │ ├── README.md │ ├── common.h │ ├── custom_mutator_helpers.h │ ├── honggfuzz.c │ ├── honggfuzz.h │ ├── input.h │ ├── libhfcommon │ ├── log.h │ ├── mangle.c │ ├── mangle.h │ └── util.h └── radamsa │ ├── GNUmakefile │ ├── LICENSE │ ├── README.md │ ├── custom_mutator_helpers.h │ ├── libradamsa-test.c │ ├── libradamsa.c │ ├── radamsa-mutator.c │ └── radamsa.h ├── dictionaries ├── README.md ├── aff.dict ├── ass.dict ├── atom.dict ├── av1_dc.dict ├── bash.dict ├── bdf.dict ├── bmp.dict ├── bz2.dict ├── creole.dict ├── css.dict ├── csv.dict ├── dds.dict ├── djvu.dict ├── docommand.dict ├── exif.dict ├── fbs.dict ├── ftp.dict ├── gif.dict ├── graphviz.dict ├── heif.dict ├── hoextdown.dict ├── html_tags.dict ├── http.dict ├── icc.dict ├── iccprofile.dict ├── icns.dict ├── initfile.dict ├── jbig2.dict ├── jpeg.dict ├── jpeg2000.dict ├── js.dict ├── json.dict ├── jsonnet.dict ├── markdown.dict ├── math.dict ├── mathml.dict ├── mp4.dict ├── mysqld.dict ├── ogg.dict ├── openexr.dict ├── otf.dict ├── pbm.dict ├── pcap.dict ├── pdf.dict ├── perl.dict ├── png.dict ├── proj4.dict ├── protobuf.dict ├── ps.dict ├── psd.dict ├── regexp.dict ├── riff.dict ├── rss.dict ├── rst.dict ├── rtf.dict ├── sas.dict ├── spss.dict ├── sql.dict ├── stata.dict ├── svg.dict ├── tex.dict ├── theme-load-fuzz.dict ├── tiff.dict ├── tokener_parse_ex.dict ├── toml.dict ├── type42.dict ├── url.dict ├── utf8.dict ├── vcf.dict ├── vhd.dict ├── vpx_dec.dict ├── wav.dict ├── webm.dict ├── webp.dict ├── wkt.dict ├── x86.dict ├── xml.dict ├── xml_UTF_16.dict ├── xml_UTF_16BE.dict ├── xml_UTF_16LE.dict ├── xpath.dict ├── xslt.dict ├── 
yaml.dict ├── yara.dict └── zip.dict ├── docs ├── COPYING ├── Changelog.md ├── FAQ.md ├── INSTALL.md ├── PATCHES.md ├── QuickStartGuide.md ├── README.MOpt.md ├── README.md ├── binaryonly_fuzzing.md ├── custom_mutators.md ├── env_variables.md ├── historical_notes.md ├── ideas.md ├── life_pro_tips.md ├── notes_for_asan.md ├── parallel_fuzzing.md ├── perf_tips.md ├── power_schedules.md ├── screenshot.png ├── sister_projects.md ├── status_screen.md ├── technical_details.md ├── visualization │ └── afl_gzip.png └── vuln_samples │ ├── bash-cmd-exec.var │ ├── bash-uninit-mem.var │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ ├── ffmpeg-h264-bad-read.mp4 │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ ├── file-fpu-exception.elf │ ├── firefox-bmp-leak.bmp │ ├── firefox-chrome-leak.jpg │ ├── firefox-gif-leak.gif │ ├── firefox-gif-leak2.gif │ ├── jxrlib-crash.jxr │ ├── jxrlib-crash2.jxr │ ├── jxrlib-crash3.jxr │ ├── jxrlib-crash4.jxr │ ├── lesspipe-cpio-bad-write.cpio │ ├── libjpeg-sos-leak.jpg │ ├── libjpeg-turbo-dht-leak.jpg │ ├── libtiff-bad-write.tif │ ├── libtiff-uninit-mem.tif │ ├── libtiff-uninit-mem2.tif │ ├── libtiff-uninit-mem3.tif │ ├── libtiff-uninit-mem4.tif │ ├── libxml2-bad-read.xml │ ├── msie-dht-leak.jpg │ ├── msie-jxr-mem-leak.jxr │ ├── msie-png-mem-leak.png │ ├── msie-tiff-mem-leak.tif │ ├── msie-zlib-dos.png │ ├── openssl-null-ptr.der │ ├── openssl-null-ptr2.der │ ├── photoshop-mem-leak.jpg │ ├── sqlite-bad-free.sql │ ├── sqlite-bad-ptr.sql │ ├── sqlite-bad-ptr2.sql │ ├── sqlite-bad-ptr3.sql │ ├── sqlite-heap-overflow.sql │ ├── sqlite-heap-overwrite.sql │ ├── sqlite-negative-memset.sql │ ├── sqlite-null-ptr1.sql │ ├── sqlite-null-ptr10.sql │ ├── sqlite-null-ptr11.sql │ ├── sqlite-null-ptr12.sql │ ├── sqlite-null-ptr13.sql │ ├── sqlite-null-ptr14.sql │ ├── sqlite-null-ptr15.sql │ ├── sqlite-null-ptr2.sql │ ├── sqlite-null-ptr3.sql │ ├── sqlite-null-ptr4.sql │ ├── sqlite-null-ptr5.sql │ ├── sqlite-null-ptr6.sql │ ├── sqlite-null-ptr7.sql │ ├── sqlite-null-ptr8.sql │ ├── 
sqlite-null-ptr9.sql │ ├── sqlite-oob-read.sql │ ├── sqlite-oob-write.sql │ ├── sqlite-stack-buf-overflow.sql │ ├── sqlite-stack-exhaustion.sql │ ├── sqlite-unint-mem.sql │ ├── sqlite-use-after-free.sql │ ├── strings-bfd-badptr.elf │ ├── strings-bfd-badptr2.elf │ ├── strings-stack-overflow │ ├── strings-unchecked-ctr.elf │ ├── tcpdump-arp-crash.pcap │ ├── tcpdump-ppp-crash.pcap │ ├── unrtf-arbitrary-read.rtf │ └── unzip-t-mem-corruption.zip ├── dynamic_list.txt ├── examples ├── README.md ├── afl_frida │ ├── GNUmakefile │ ├── Makefile │ ├── README.md │ ├── afl-frida.c │ ├── afl-frida.h │ └── libtestinstr.c ├── afl_network_proxy │ ├── GNUmakefile │ ├── Makefile │ ├── README.md │ ├── afl-network-client.c │ └── afl-network-server.c ├── afl_proxy │ ├── Makefile │ ├── README.md │ └── afl-proxy.c ├── afl_untracer │ ├── Makefile │ ├── README.md │ ├── TODO │ ├── afl-untracer.c │ ├── ghidra_get_patchpoints.java │ ├── ida_get_patchpoints.py │ ├── libtestinstr.c │ └── patches.txt ├── aflpp_driver │ ├── GNUmakefile │ ├── Makefile │ ├── aflpp_driver.c │ ├── aflpp_driver_test.c │ ├── aflpp_qemu_driver.c │ └── aflpp_qemu_driver_hook.c ├── argv_fuzzing │ ├── Makefile │ ├── README.md │ ├── argv-fuzz-inl.h │ └── argvfuzz.c ├── asan_cgroups │ └── limit_memory.sh ├── bash_shellshock │ └── shellshock-fuzz.diff ├── canvas_harness │ └── canvas_harness.html ├── crash_triage │ └── triage_crashes.sh ├── custom_mutators │ ├── Makefile │ ├── README.md │ ├── XmlMutatorMin.py │ ├── common.py │ ├── custom_mutator_helpers.h │ ├── example.c │ ├── example.py │ ├── post_library_gif.so.c │ ├── post_library_png.so.c │ ├── simple-chunk-replace.py │ ├── simple_example.c │ └── wrapper_afl_min.py ├── defork │ ├── Makefile │ ├── README.md │ ├── defork.c │ └── forking_target.c ├── distributed_fuzzing │ └── sync_script.sh ├── libpng_no_checksum │ └── libpng-nocrc.patch ├── persistent_demo │ ├── Makefile │ ├── persistent_demo.c │ ├── persistent_demo_new.c │ └── test-instr.c ├── qemu_persistent_hook │ ├── 
README.md │ ├── read_into_rdi.c │ └── test.c └── socket_fuzzing │ ├── Makefile │ ├── README.md │ └── socketfuzz.c ├── gcc_plugin ├── GNUmakefile ├── Makefile ├── README.instrument_list.md ├── README.md ├── afl-gcc-fast.c ├── afl-gcc-pass.so.cc └── afl-gcc-rt.o.c ├── include ├── afl-as.h ├── afl-fuzz.h ├── afl-prealloc.h ├── alloc-inl.h ├── android-ashmem.h ├── cmplog.h ├── common.h ├── config.h ├── debug.h ├── envs.h ├── forkserver.h ├── hash.h ├── hier.h ├── kbtree.h ├── list.h ├── sharedmem.h ├── snapshot-inl.h ├── types.h └── xxhash.h ├── libdislocator ├── Makefile ├── README.md └── libdislocator.so.c ├── libtokencap ├── Makefile ├── README.md └── libtokencap.so.c ├── llvm_mode ├── GNUmakefile ├── LLVMInsTrim.so.cc ├── Makefile ├── MarkNodes.cc ├── MarkNodes.h ├── README.cmplog.md ├── README.ctx.md ├── README.instrim.md ├── README.instrument_list.md ├── README.laf-intel.md ├── README.lto.md ├── README.md ├── README.neverzero.md ├── README.ngram.md ├── README.persistent_mode.md ├── README.snapshot.md ├── SanitizerCoverageLTO.so.cc ├── afl-clang-fast.c ├── afl-ld-lto.c ├── afl-llvm-common.cc ├── afl-llvm-common.h ├── afl-llvm-lto-instrumentation.so.cc ├── afl-llvm-lto-instrumentlist.so.cc ├── afl-llvm-pass.so.cc ├── afl-llvm-rt-lto.o.c ├── afl-llvm-rt.o.c ├── cmplog-instructions-pass.cc ├── cmplog-routines-pass.cc ├── compare-transform-pass.so.cc ├── llvm-ngram-coverage.h ├── split-compares-pass.so.cc └── split-switches-pass.so.cc ├── qbdi_mode ├── README.md ├── assets │ └── screen1.png ├── build.sh ├── demo-so.c └── template.cpp ├── qemu_mode ├── README.md ├── README.persistent.md ├── build_qemu_support.sh ├── libcompcov │ ├── Makefile │ ├── README.md │ ├── compcovtest.cc │ ├── libcompcov.so.c │ └── pmparser.h ├── patches │ ├── __init__.py.diff │ ├── afl-qemu-common.h │ ├── afl-qemu-cpu-inl.h │ ├── afl-qemu-cpu-translate-inl.h │ ├── afl-qemu-floats.h │ ├── afl-qemu-tcg-inl.h │ ├── afl-qemu-tcg-runtime-inl.h │ ├── afl-qemu-translate-inl.h │ ├── 
arm-translate-a64.diff │ ├── arm-translate.diff │ ├── bsd-elfload.diff │ ├── configure.diff │ ├── cpu-exec.diff │ ├── elfload.diff │ ├── i386-fpu_helper.diff │ ├── i386-ops_sse.diff │ ├── i386-translate.diff │ ├── make_strncpy_safe.diff │ ├── mips-fpu.diff │ ├── mmap_fixes.diff │ ├── softfloat.diff │ ├── syscall.diff │ ├── tcg-runtime-head.diff │ ├── tcg-runtime.diff │ ├── tcg.diff │ ├── translate-all.diff │ └── translator.diff └── unsigaction │ ├── Makefile │ ├── README.md │ └── unsigaction.c ├── src ├── README.md ├── afl-analyze.c ├── afl-as.c ├── afl-common.c ├── afl-forkserver.c ├── afl-fuzz-bitmap.c ├── afl-fuzz-cmplog.c ├── afl-fuzz-extras.c ├── afl-fuzz-hier.c ├── afl-fuzz-init.c ├── afl-fuzz-mutators.c ├── afl-fuzz-one.c ├── afl-fuzz-python.c ├── afl-fuzz-queue.c ├── afl-fuzz-redqueen.c ├── afl-fuzz-run.c ├── afl-fuzz-state.c ├── afl-fuzz-stats.c ├── afl-fuzz.c ├── afl-gcc.c ├── afl-gotcpu.c ├── afl-performance.c ├── afl-sharedmem.c ├── afl-showmap.c └── afl-tmin.c ├── test-instr.c ├── test ├── checkcommit.sh ├── test-all.sh ├── test-basic.sh ├── test-cmplog.c ├── test-compcov.c ├── test-custom-mutator.c ├── test-custom-mutators.sh ├── test-floatingpoint.c ├── test-fp_cases.c ├── test-gcc-plugin.sh ├── test-libextensions.sh ├── test-llvm-lto.sh ├── test-llvm.sh ├── test-multiple-mutators.c ├── test-performance.sh ├── test-post.sh ├── test-pre.sh ├── test-qemu-mode.sh ├── test-unicorn-mode.sh ├── test-unittests.sh ├── test-unsigaction.c ├── travis │ ├── bionic │ │ └── Dockerfile │ ├── focal │ │ └── Dockerfile │ ├── trusty │ │ └── Dockerfile │ └── xenial │ │ └── Dockerfile └── unittests │ ├── unit_hash.c │ ├── unit_list.c │ ├── unit_maybe_alloc.c │ ├── unit_preallocable.c │ └── unit_rand.c ├── testcases ├── README.md ├── archives │ ├── common │ │ ├── ar │ │ │ └── small_archive.a │ │ ├── bzip2 │ │ │ └── small_archive.bz2 │ │ ├── cab │ │ │ └── small_archive.cab │ │ ├── compress │ │ │ └── small_archive.Z │ │ ├── cpio │ │ │ └── small_archive.cpio │ │ ├── gzip │ │ 
│ └── small_archive.gz │ │ ├── lzo │ │ │ └── small_archive.lzo │ │ ├── rar │ │ │ └── small_archive.rar │ │ ├── tar │ │ │ └── small_archive.tar │ │ ├── xz │ │ │ └── small_archive.xz │ │ └── zip │ │ │ └── small_archive.zip │ └── exotic │ │ ├── arj │ │ └── small_archive.arj │ │ ├── lha │ │ └── small_archive.lha │ │ ├── lrzip │ │ └── small_archive.lrz │ │ ├── lzip │ │ └── small_archive.lz │ │ ├── lzma │ │ └── small_archive.lzma │ │ ├── rzip │ │ └── small_archive.rz │ │ └── zoo │ │ └── small_archive.zoo ├── images │ ├── bmp │ │ └── not_kitty.bmp │ ├── gif │ │ └── not_kitty.gif │ ├── ico │ │ └── not_kitty.ico │ ├── jp2 │ │ └── not_kitty.jp2 │ ├── jpeg │ │ └── not_kitty.jpg │ ├── jxr │ │ └── not_kitty.jxr │ ├── png │ │ ├── not_kitty.png │ │ ├── not_kitty_alpha.png │ │ ├── not_kitty_gamma.png │ │ └── not_kitty_icc.png │ ├── tiff │ │ └── not_kitty.tiff │ └── webp │ │ └── not_kitty.webp ├── multimedia │ └── h264 │ │ └── small_movie.mp4 └── others │ ├── elf │ └── small_exec.elf │ ├── js │ └── small_script.js │ ├── pcap │ └── small_capture.pcap │ ├── pdf │ └── small.pdf │ ├── rtf │ └── small_document.rtf │ ├── sql │ └── simple_queries.sql │ ├── text │ └── hello_world.txt │ └── xml │ └── small_document.xml ├── types.h └── unicorn_mode ├── README.md ├── UNICORNAFL_VERSION ├── build_unicorn_support.sh ├── helper_scripts ├── template_test_harness.py ├── unicorn_dumper_gdb.py ├── unicorn_dumper_ida.py ├── unicorn_dumper_lldb.py ├── unicorn_dumper_pwndbg.py └── unicorn_loader.py ├── samples ├── c │ ├── .gitignore │ ├── COMPILE.md │ ├── Makefile │ ├── harness.c │ ├── persistent_target.c │ ├── persistent_target_x86_64 │ ├── sample_all.sh │ ├── sample_inputs │ │ ├── sample1.bin │ │ ├── sample2.bin │ │ ├── sample3.bin │ │ ├── sample4.bin │ │ └── sample5.bin │ └── simple_target_x86_64 ├── compcov_x64 │ ├── COMPILE.md │ ├── compcov_target.bin │ ├── compcov_target.c │ ├── compcov_target.elf │ ├── compcov_test_harness.py │ └── sample_inputs │ │ └── sample1.bin ├── persistent │ ├── 
.gitignore │ ├── COMPILE.md │ ├── Makefile │ ├── harness.c │ ├── persistent_target │ ├── persistent_target.c │ ├── persistent_target_x86_64 │ ├── sample_all.sh │ ├── sample_inputs │ │ ├── sample1.bin │ │ ├── sample2.bin │ │ ├── sample3.bin │ │ ├── sample4.bin │ │ └── sample5.bin │ ├── simple_target_noncrashing.c │ └── simple_target_x86_64 └── simple │ ├── COMPILE.md │ ├── sample_inputs │ ├── sample1.bin │ ├── sample2.bin │ ├── sample3.bin │ ├── sample4.bin │ └── sample5.bin │ ├── simple_target.bin │ ├── simple_target.c │ ├── simple_test_harness.py │ └── simple_test_harness_alt.py └── update_uc_ref.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .test 2 | .test2 3 | .sync_tmp 4 | .vscode 5 | *.o 6 | *.so 7 | *.swp 8 | *.pyc 9 | *.dSYM 10 | as 11 | ld 12 | in 13 | out 14 | core* 15 | compile_commands.json 16 | afl-analyze 17 | afl-as 18 | afl-clang 19 | afl-clang++ 20 | afl-clang-fast 21 | afl-clang-fast++ 22 | afl-clang-lto 23 | afl-clang-lto++ 24 | afl-fuzz 25 | afl-g++ 26 | afl-gcc 27 | afl-gcc-fast 28 | afl-g++-fast 29 | afl-gotcpu 30 | afl-ld 31 | afl-ld-lto 32 | afl-qemu-trace 33 | afl-showmap 34 | afl-tmin 35 | afl-analyze.8 36 | afl-as.8 37 | afl-clang-fast++.8 38 | afl-clang-fast.8 39 | afl-clang-lto.8 40 | afl-clang-lto++.8 41 | afl-cmin.8 42 | afl-cmin.bash.8 43 | afl-fuzz.8 44 | afl-gcc.8 45 | afl-g++.8 46 | afl-gcc-fast.8 47 | afl-g++-fast.8 48 | afl-gotcpu.8 49 | afl-plot.8 50 | afl-showmap.8 51 | afl-system-config.8 52 | afl-tmin.8 53 | afl-whatsup.8 54 | qemu_mode/libcompcov/compcovtest 55 | unicorn_mode/samples/*/\.test-* 56 | unicorn_mode/samples/*/output/ 57 | unicorn_mode/unicornafl 58 | test/unittests/unit_maybe_alloc 59 | test/unittests/unit_preallocable 60 | test/unittests/unit_list 61 | test/unittests/unit_rand 62 | test/unittests/unit_hash 63 | examples/afl_network_proxy/afl-network-server 64 | examples/afl_network_proxy/afl-network-client 65 | examples/afl_frida/afl-frida 66 | 
examples/afl_frida/libtestinstr.so 67 | examples/afl_frida/frida-gum-example.c 68 | examples/afl_frida/frida-gum.h 69 | -------------------------------------------------------------------------------- /Android.mk: -------------------------------------------------------------------------------- 1 | Makefile -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to submit a Pull Request to AFLplusplus 2 | 3 | All contributions (pull requests) must be made against our `dev` branch. 4 | 5 | Each modified source file, before merging, must be formatted. 6 | 7 | ``` 8 | make code-format 9 | ``` 10 | 11 | This should be fine if you modified one of the files already present in the 12 | project, or added a file in a directory we already format, otherwise run: 13 | 14 | ``` 15 | ./.custom-format.py -i file-that-you-have-created.c 16 | ``` 17 | 18 | Regarding the coding style, please follow the AFL style. 19 | No camel case at all and use the AFL's macros wherever possible 20 | (e.g. WARNF, FATAL, MAP_SIZE, ...). 21 | 22 | Remember that AFLplusplus has to build and run on many platforms, so 23 | generalize your Makefiles/GNUmakefile (or your patches to our pre-existing 24 | Makefiles) to be as much generic as possible. 25 | -------------------------------------------------------------------------------- /Changelog.md: -------------------------------------------------------------------------------- 1 | docs/Changelog.md -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 
3 | @gmake all || echo please install GNUmake 4 | 5 | source-only: 6 | @gmake source-only 7 | 8 | binary-only: 9 | @gmake binary-only 10 | 11 | distrib: 12 | @gmake distrib 13 | 14 | man: 15 | @gmake man 16 | 17 | install: 18 | @gmake install 19 | 20 | document: 21 | @gmake document 22 | 23 | deepclean: 24 | @gmake deepclean 25 | 26 | code-format: 27 | @gmake code-format 28 | 29 | help: 30 | @gmake help 31 | 32 | tests: 33 | @gmake tests 34 | 35 | unit: 36 | @gmake unit 37 | 38 | unit_clean: 39 | @gmake unit_clean 40 | 41 | clean: 42 | @gmake clean 43 | -------------------------------------------------------------------------------- /QuickStartGuide.md: -------------------------------------------------------------------------------- 1 | docs/QuickStartGuide.md -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This fork is developed on top of AFLplusplus 2.68c (QEMU mode); thanks to its amazing maintainers and community. 2 | 3 | ## Build and Run 4 | 5 | 1. Build afl++ and its QEMU mode by following the upstream instructions (see README_aflpp.md). 6 | 7 | 2. The command line is the same as afl++ (remember to add "-Q" to launch QEMU mode). In addition: 8 | 9 | * To enable the multi-level coverage metric, set the environment variable "AFL_USE_MULTI_LEVEL_COV=1" 10 | * To enable the hierarchical scheduler, set the environment variable "AFL_USE_HIER_SCHEDULE=1" 11 | * We highly recommend adding "-d" to skip the deterministic mutation stage 12 | * We use the EXPLORE power schedule ("-p explore") 13 | 14 | -------------------------------------------------------------------------------- /TODO.md: -------------------------------------------------------------------------------- 1 | # TODO list for AFL++ 2 | 3 | ## Roadmap 2.68+ 4 | 5 | - AFL_MAP_SIZE for qemu_mode and unicorn_mode 6 | - CPU affinity for many cores?
There seems to be an issue > 96 cores 7 | - afl-plot to support multiple plot_data 8 | - afl_custom_fuzz_splice_optin() 9 | - intel-pt tracer 10 | 11 | ## Further down the road 12 | 13 | afl-fuzz: 14 | - setting min_len/max_len/start_offset/end_offset limits for mutation output 15 | - add __sanitizer_cov_trace_cmp* support via shmem 16 | 17 | llvm_mode: 18 | - add __sanitizer_cov_trace_cmp* support 19 | 20 | gcc_plugin: 21 | - (wait for submission then decide) 22 | 23 | qemu_mode: 24 | - non colliding instrumentation 25 | - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, 26 | AFL_COMPCOV_LEVEL?) 27 | - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as we have 28 | persistent mode 29 | - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM 30 | - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses 31 | 32 | ## Ideas 33 | 34 | - LTO/sancov: write current edge to prev_loc and use that information when 35 | using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow 36 | up edge numbers that both following cmp paths have been found and then 37 | disable working on this edge id -> cmplog_intelligence branch 38 | 39 | - new tancov: use some lightweight taint analysis to see which parts of a 40 | new queue entry is accessed and only fuzz these bytes - or better, only 41 | fuzz those bytes that are newly in coverage compared to the queue entry 42 | the new one is based on -> taint branch, not useful :-( 43 | -------------------------------------------------------------------------------- /config.h: -------------------------------------------------------------------------------- 1 | include/config.h -------------------------------------------------------------------------------- /custom_mutators/README.md: -------------------------------------------------------------------------------- 1 | # Custom Mutators 2 | 3 | Custom mutators enhance and alter the mutation strategies of afl++. 
4 | For further information and documentation on how to write your own, read [the docs](../docs/custom_mutators.md). 5 | 6 | ## The afl++ Grammar Mutator 7 | 8 | If you use git to clone afl++, then the following will incorporate our 9 | excellent grammar custom mutator: 10 | ``` 11 | git submodule init 12 | git submodule update 13 | ``` 14 | 15 | otherwise just checkout the repository here with either 16 | `git clone https://github.com/AFLplusplus/Grammar-Mutator` or 17 | `svn co https://github.com/AFLplusplus/Grammar-Mutator`. 18 | 19 | Read the [Grammar-Mutator/README.md](Grammar-Mutator/README.md) on how to use 20 | it. 21 | 22 | ## Production-Ready Custom Mutators 23 | 24 | This directory holds ready to use custom mutators. 25 | Just type "make" in the individual subdirectories. 26 | 27 | Use with e.g. 28 | 29 | `AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/radamsa/radamsa-mutator.so afl-fuzz ....` 30 | 31 | and add `AFL_CUSTOM_MUTATOR_ONLY=1` if you only want to use the custom mutator. 32 | 33 | Multiple custom mutators can be used by separating their paths with `:` in the environment variable. 
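34 | 35 | ## 3rd Party Custom Mutators 36 | 37 | ### Superion Mutators 38 | 39 | Adrian Tiron ported the Superion grammar fuzzer to afl++, it is WIP and 40 | requires cmake (among other things): 41 | [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) 42 | 43 | ### libprotobuf Mutators 44 | 45 | There are two WIP protobuf projects, that require work to be working though: 46 | 47 | transforms protobuf raw: 48 | https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator 49 | 50 | has a transform function you need to fill for your protobuf format, however 51 | needs to be ported to the updated afl++ custom mutator API (not much work): 52 | https://github.com/thebabush/afl-libprotobuf-mutator 53 |
-------------------------------------------------------------------------------- /custom_mutators/honggfuzz/Makefile: --------------------------------------------------------------------------------

# Pin the honggfuzz revision that `make update` fetches.  Pulling an unpinned
# `master` at update time drops unreviewed upstream code straight into the
# fuzzer process; keep this in sync with "Source commit" in README.md whenever
# it is bumped.  To try a newer upstream deliberately:
#   make update HONGGFUZZ_REF=master
HONGGFUZZ_REF ?= d0fbcb0373c32436b8fb922e6937da93b17291f5
HONGGFUZZ_RAW  = https://github.com/google/honggfuzz/raw/$(HONGGFUZZ_REF)

CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic

all: honggfuzz.so

# The headers are listed too so an `update` that changes only mangle.h or
# honggfuzz.h still triggers a rebuild.
honggfuzz.so: honggfuzz.c input.h mangle.c mangle.h honggfuzz.h ../../src/afl-performance.c
	$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz.so honggfuzz.c mangle.c ../../src/afl-performance.c

# Re-fetch the vendored honggfuzz sources at the pinned revision (see above).
update:
	@# seriously? --unlink is a dud option? sigh ...
	rm -f mangle.c mangle.h honggfuzz.h
	wget --unlink $(HONGGFUZZ_RAW)/mangle.c
	wget --unlink $(HONGGFUZZ_RAW)/mangle.h
	wget --unlink $(HONGGFUZZ_RAW)/honggfuzz.h

clean:
	rm -f *.o *~ *.so core

-------------------------------------------------------------------------------- /custom_mutators/honggfuzz/README.md: -------------------------------------------------------------------------------- 1 | # custom mutator: honggfuzz mangle 2 | 3 | this is the very good honggfuzz mutator in mangle.c as a custom mutator 4 | module for afl++. It is the original mangle.c, mangle.h and honggfuzz.h 5 | with a lot of mocking around it :-) 6 | 7 | just type `make` to build 8 | 9 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz.so afl-fuzz ...``` 10 | 11 | > Original repository: https://github.com/google/honggfuzz 12 | > Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5 13 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/common.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/custom_mutators/honggfuzz/common.h -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/custom_mutator_helpers.h: -------------------------------------------------------------------------------- 1 | #ifndef CUSTOM_MUTATOR_HELPERS 2 | #define CUSTOM_MUTATOR_HELPERS 3 | 4 | #include "config.h" 5 | #include "types.h" 6 | #include "afl-fuzz.h" 7 | #include 8 | 9 | #define INITIAL_GROWTH_SIZE (64) 10 | 11 | /* Use in a struct: creates a name_buf and a name_size variable. 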
*/ 12 | #define BUF_VAR(type, name) \ 13 | type * name##_buf; \ 14 | size_t name##_size; 15 | /* this filles in `&structptr->something_buf, &structptr->something_size`. */ 16 | #define BUF_PARAMS(struct, name) \ 17 | (void **)&struct->name##_buf, &struct->name##_size 18 | 19 | #undef INITIAL_GROWTH_SIZE 20 | 21 | #endif 22 | 23 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/libhfcommon: -------------------------------------------------------------------------------- 1 | . -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/log.h: -------------------------------------------------------------------------------- 1 | common.h -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/mangle.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * honggfuzz - buffer mangling routines 4 | * ----------------------------------------- 5 | * 6 | * Author: Robert Swiecki 7 | * 8 | * Copyright 2010-2018 by Google Inc. All Rights Reserved. 9 | * 10 | * Licensed under the Apache License, Version 2.0 (the "License"); you may 11 | * not use this file except in compliance with the License. You may obtain 12 | * a copy of the License at 13 | * 14 | * http://www.apache.org/licenses/LICENSE-2.0 15 | * 16 | * Unless required by applicable law or agreed to in writing, software 17 | * distributed under the License is distributed on an "AS IS" BASIS, 18 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 19 | * implied. See the License for the specific language governing 20 | * permissions and limitations under the License. 
21 | * 22 | */ 23 | 24 | #ifndef _HF_MANGLE_H_ 25 | #define _HF_MANGLE_H_ 26 | 27 | #include "honggfuzz.h" 28 | 29 | extern void mangle_mangleContent(run_t* run, int speed_factor); 30 | 31 | #endif 32 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/util.h: -------------------------------------------------------------------------------- 1 | common.h -------------------------------------------------------------------------------- /custom_mutators/radamsa/GNUmakefile: -------------------------------------------------------------------------------- 1 | CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) 2 | 3 | all: radamsa-mutator.so 4 | 5 | # These can be overriden: 6 | CFLAGS ?= $(CFLAGS_FLTO) 7 | 8 | # These are required: (otherwise radamsa gets very very slooooow) 9 | CFLAGS += -O3 -funroll-loops 10 | 11 | #libradamsa.so: libradamsa.a 12 | # $(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so 13 | 14 | libradamsa.a: libradamsa.c radamsa.h 15 | @echo " ***************************************************************" 16 | @echo " * Compiling libradamsa, wait some minutes (~3 on modern CPUs) *" 17 | @echo " ***************************************************************" 18 | $(CC) -fPIC $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c 19 | 20 | radamsa-mutator.so: radamsa-mutator.c libradamsa.a 21 | $(CC) $(CFLAGS) $(CPPFLAGS) -g -I. 
-I../../include -shared -fPIC -c radamsa-mutator.c 22 | $(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC -o radamsa-mutator.so radamsa-mutator.o libradamsa.a 23 | 24 | test: libradamsa.a libradamsa-test.c 25 | $(CC) $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a 26 | ./libradamsa-test libradamsa-test.c | grep "library test passed" 27 | rm /tmp/libradamsa-*.fuzz 28 | 29 | clean: 30 | rm -f radamsa-mutator.so libradamsa.a libradamsa-test *.o *~ core 31 | -------------------------------------------------------------------------------- /custom_mutators/radamsa/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2013 Aki Helin 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 
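20 | -------------------------------------------------------------------------------- /custom_mutators/radamsa/README.md: -------------------------------------------------------------------------------- 1 | # custom mutator: libradamsa 2 | 3 | Pretranslated radamsa library. This code belongs to the radamsa author. 4 | 5 | > Original repository: https://gitlab.com/akihe/radamsa 6 | 7 | > Source commit: 7b2cc2d0 8 | 9 | > The code here is adapted for AFL++ with minor changes with respect to the original version 10 |
-------------------------------------------------------------------------------- /custom_mutators/radamsa/libradamsa-test.c: --------------------------------------------------------------------------------

/* Small driver that exercises libradamsa outside of afl-fuzz: mutate one
   sample file 100 times and drop each result in /tmp.  Run via the
   GNUmakefile `test` target, which greps for "library test passed". */

#define _GNU_SOURCE /* O_NOFOLLOW */

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include "radamsa.h"

/* Upper bound for one mutated output; radamsa() is told never to exceed it. */
#define BUFSIZE 1024 * 1024

/* Print a diagnostic and abort the test with a non-zero exit status. */
void fail(char *why) {

  printf("fail: %s\n", why);
  exit(1);

}

/* Size of `filename` in bytes.  A failed stat() is fatal: previously the
   return value was ignored and an uninitialised st.st_size sized the
   malloc()/read() in main(). */
size_t filesize(char *filename) {

  struct stat st;
  if (stat(filename, &st) != 0) { fail("cannot stat input file"); }
  return (size_t)st.st_size;

}

/* Write one mutated buffer to /tmp/libradamsa-<num>.fuzz.

   The names are fixed and live in a world-writable directory, so a
   pre-planted symlink could redirect the write (classic /tmp race).  We
   unlink whatever is there and create with O_EXCL|O_NOFOLLOW: if anything
   reappears in the window the open fails loudly instead of following it.
   The GNUmakefile `test` target removes these files afterwards. */
void write_output(char *data, size_t len, int num) {

  char    path[64];
  int     fd;
  ssize_t wrote;

  if (snprintf(path, sizeof(path), "/tmp/libradamsa-%d.fuzz", num) >=
      (int)sizeof(path)) {

    fail("output path too long");

  }

  (void)unlink(path); /* ENOENT is the normal case */
  fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
  printf("Opened %s -> %d\n", path, fd);
  if (fd < 0) { fail("failed to open output file"); }
  wrote = write(fd, data, len);
  printf("wrote %zd of %zu bytes\n", wrote, len);
  /* write() returns ssize_t; compare in the signed domain so -1 is caught. */
  if (wrote < 0 || (size_t)wrote != len) {

    fail("failed to write all of output at once");

  }

  close(fd);
  printf("Wrote %zu bytes to %s\n", len, path);

}

/* Usage: libradamsa-test <sample-file>
   Reads the whole sample, runs radamsa() over it with seeds 1..100 and
   writes every result via write_output(). */
int main(int nargs, char **argv) {

  char * spath;
  int    fd;
  size_t len;
  char * input;
  char * output;
  int    seed = 0;

  if (nargs < 2 || !argv[1]) { fail("usage: libradamsa-test <sample-file>"); }
  spath = argv[1];

  fd = open(spath, O_RDONLY, 0);
  if (fd < 0) { fail("cannot open input file"); }
  len = filesize(spath);
  input = malloc(len);
  output = malloc(BUFSIZE);
  if (!input || !output) { fail("failed to allocate buffers\n"); }
  radamsa_init();
  /* read() returns ssize_t; -1 converts to SIZE_MAX and also trips this. */
  if (len != (size_t)read(fd, input, len)) {

    fail("failed to read the entire sample at once");

  }

  close(fd);

  while (seed++ < 100) {

    size_t n;
    n = radamsa((uint8_t *)input, len, (uint8_t *)output, BUFSIZE, seed);
    write_output(output, n, seed);
    printf("Fuzzed %zu -> %zu bytes\n", len, n);

  }

  printf("library test passed\n");
  free(output);
  free(input);
  return 0;

}

-------------------------------------------------------------------------------- /custom_mutators/radamsa/radamsa-mutator.c: --------------------------------------------------------------------------------

// afl++ custom mutator wrapping libradamsa: each afl_custom_fuzz() call feeds
// the input to radamsa() with a fresh seed and hands back the result.
// needs -I /path/to/AFLplusplus/include
//#include "custom_mutator_helpers.h"

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "radamsa.h"
#include "custom_mutator_helpers.h"

typedef struct my_mutator {

  afl_t *afl;

  u8 *mutator_buf; /* MAX_FILE bytes; every radamsa() output lands here */

  unsigned int seed; /* advanced once per afl_custom_fuzz() call */

} my_mutator_t;

/* Allocate the mutator state and initialise libradamsa.
   Returns NULL on failure after releasing anything already allocated
   (the original leaked `data` when the buffer allocation failed). */
my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {

  srand(seed); /* kept for parity with the other example mutators; radamsa
                  takes its seed explicitly in afl_custom_fuzz() */
  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
  if (!data) {

    perror("afl_custom_init alloc");
    return NULL;

  }

  if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) {

    perror("mutator_buf alloc");
    free(data);
    return NULL;

  }

  data->afl = afl;
  data->seed = seed;

  radamsa_init();

  return data;

}

/* Produce one mutated test case from `buf` into the mutator's own buffer.

   @param data      state from afl_custom_init
   @param buf       input test case
   @param buf_size  length of buf
   @param out_buf   receives a pointer to the mutated data (mutator_buf)
   @param add_buf   second test case for splicing; unused by radamsa
   @param max_size  upper bound requested by the fuzzer for the output
   @return          number of bytes written to *out_buf

   mutator_buf is MAX_FILE bytes, so max_size is clamped to that before it
   reaches radamsa(): afl-fuzz normally passes MAX_FILE, but any larger value
   would otherwise let radamsa() write past the heap allocation. */
size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
                       u8 **out_buf, uint8_t *add_buf, size_t add_buf_size,
                       size_t max_size) {

  (void)add_buf;
  (void)add_buf_size;

  if (max_size > MAX_FILE) { max_size = MAX_FILE; }

  *out_buf = data->mutator_buf;
  return radamsa(buf, buf_size, data->mutator_buf, max_size, data->seed++);

}

/**
 * Deinitialize everything
 *
 * @param data The data ptr from afl_custom_init (NULL is tolerated)
 */
void afl_custom_deinit(my_mutator_t *data) {

  if (!data) { return; }
  free(data->mutator_buf);
  free(data);

}

-------------------------------------------------------------------------------- /custom_mutators/radamsa/radamsa.h: --------------------------------------------------------------------------------

#include <stddef.h>
#include <stdint.h>

void radamsa_init(void);

/* Mutate `len` bytes at `ptr` into `target`, writing at most `max` bytes;
   returns the number of bytes produced. */
size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max,
               unsigned int seed);

size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed);

-------------------------------------------------------------------------------- /dictionaries/aff.dict: -------------------------------------------------------------------------------- 1 | # https://www.systutorials.com/docs/linux/man/4-hunspell/ 2 | 3 | # Affix keywords 4 | "AF" 5 | "AM" 6 | "BREAK" 7 | "CHECKCOMPOUNDCASE" 8 | "CHECKCOMPOUNDDUP" 9 | "CHECKCOMPOUNDPATTERN" 10 | "CHECKCOMPOUNDREP" 11 | "CHECKCOMPOUNDTRIPLE" 12 | "COMPLEXPREFIXES" 13 | "COMPOUNDBEGIN" 14 | "COMPOUNDFLAG" 15 | "COMPOUNDFORBIDFLAG" 16 | "COMPOUNDLAST" 17 | "COMPOUNDMIDDLE" 18 | "COMPOUNDMIN" 19 | "COMPOUNDPERMITFLAG" 20 | "COMPOUNDROOT" 21 | "COMPOUNDRULE" 22 | "COMPOUNDSYLLABLE" 23 | "COMPOUNDWORDMAX" 24 | "FLAG" 25 | "FORBIDWARN" 26 | "FORCEUCASE" 27 | "IGNORE" 28 | "KEY" 29 | "LANG" 30 | "MAP" 31 | "MAXCODSUGS" 32 | "MAXDIFF" 33 | "MAXNGRAMSUGS" 34 | "NOSPLITSUGS" 35 | "NOSUGGEST" 36 | "ONLYINCOMPOUND" 37 | "ONLYMAXDIFF" 38 | "PFX" 39 | "PHONE" 40 | "REP" 41 | "SET" 42 | "SFX" 43 | "SIMPLIFIEDTRIPLE" 44 | "SUGWITHDOTS" 45 | "SYLLABLENUM" 46 | "TRY" 47 | "WARN" 48 | "CIRCUMFIX" 49 | "FORBIDDENWORD" 50 | "FULLSTRIP" 51 | "KEEPCASE" 52 | "ICONV" 53 | "OCONV" 54 | "LEMMA_PRESENT" 55 | "NEEDAFFIX" 56 | "PSEUDOROOT" 57 | "SUBSTANDARD" 58 | "WORDCHARS" 59 | "CHECKSHARPS" 60 | 61 | # Optional data fields 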
62 | "ph:" 63 | "st:" 64 | "al:" 65 | "po:" 66 | "ds:" 67 | "is:" 68 | "ts:" 69 | "sp:" 70 | "pa:" 71 | "dp:" 72 | "ip:" 73 | "tp:" 74 | -------------------------------------------------------------------------------- /dictionaries/ass.dict: -------------------------------------------------------------------------------- 1 | "0x" 2 | "\\1a" 3 | "\\2a" 4 | "\\2c" 5 | "\\3a" 6 | "\\3c" 7 | "\\4a" 8 | "\\4c" 9 | "\\a" 10 | "\\alpha" 11 | "\\an" 12 | "Arial" 13 | "\\b" 14 | "Banner;" 15 | "\\be" 16 | "\\blur" 17 | "\\bord" 18 | "\\c" 19 | "CFF" 20 | "CID Type 1" 21 | "\\clip" 22 | "clip" 23 | "Courier" 24 | "Courier New" 25 | "Default" 26 | "Dialogue:" 27 | "[Events]" 28 | "\\fade" 29 | "\\fax" 30 | "\\fay" 31 | "\\fe" 32 | "\\fn" 33 | "fontname:" 34 | "[Fonts]" 35 | "Format:" 36 | "\\frx" 37 | "\\fry" 38 | "\\frz" 39 | "\\fs" 40 | "\\fsc" 41 | "\\fscx" 42 | "\\fscy" 43 | "\\fsp" 44 | "&h" 45 | "Helvetica" 46 | "\\i" 47 | "\\iclip" 48 | "iclip" 49 | "\\k" 50 | "Kerning:" 51 | "Kerning" 52 | "\\kf" 53 | "\\ko" 54 | "Language:" 55 | "monospace" 56 | "\\move" 57 | "move" 58 | "none" 59 | "\\org" 60 | "org" 61 | "OverrideStyle" 62 | "\\p" 63 | "p" 64 | "\\pbo" 65 | "pbo" 66 | "pc.240m" 67 | "pc.601" 68 | "pc.709" 69 | "pc.fcc" 70 | "PlayResX:" 71 | "PlayResX" 72 | "PlayResY:" 73 | "PlayResY" 74 | "\\pos" 75 | "pos" 76 | "\\q" 77 | "\\r" 78 | "\\s" 79 | "sans-serif" 80 | "ScaledBorderAndShadow:" 81 | "ScaledBorderAndShadow" 82 | "[Script Info]" 83 | "Scroll down;" 84 | "Scroll up;" 85 | "serif" 86 | "\\shad" 87 | "Style:" 88 | "\\t" 89 | "Text" 90 | "Timer:" 91 | "Timer" 92 | "Times" 93 | "Times New Roman" 94 | "tv.240m" 95 | "tv.601" 96 | "tv.709" 97 | "tv.fcc" 98 | "Type 1" 99 | "Type 42" 100 | "\\u" 101 | "UTF-8" 102 | "[V4 Styles]" 103 | "[V4+ Styles]" 104 | "WrapStyle:" 105 | "WrapStyle" 106 | "\\xbord" 107 | "\\xshad" 108 | "\\ybord" 109 | "YCbCr Matrix:" 110 | "YCbCr Matrix" 111 | "yes" 112 | "\\yshad" 113 | 
-------------------------------------------------------------------------------- /dictionaries/atom.dict: -------------------------------------------------------------------------------- 1 | # https://validator.w3.org/feed/docs/atom.html 2 | # https://tools.ietf.org/html/rfc4287 3 | 4 | "" 5 | "" 6 | 7 | "" 8 | "" 9 | "" 10 | "" 11 | "" 12 | "" 13 | "" 14 | "" 15 | "" 16 | "" 17 | "" 18 | "" 19 | "" 20 | "" 21 | "" 22 | " 23 | "" 24 | "" 25 | "" 26 | "" 27 | "" 28 | "" 29 | "" 30 | "" 31 | "" 32 | "<updated>" 33 | "<uri>" 34 | -------------------------------------------------------------------------------- /dictionaries/av1_dc.dict: -------------------------------------------------------------------------------- 1 | # IVF Signature + version (bytes 0-5) 2 | kw1="DKIF\x00\x00" 3 | 4 | # AV1 codec fourCC (bytes 8-11) 5 | kw2="AV01" 6 | -------------------------------------------------------------------------------- /dictionaries/bdf.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Glyph_Bitmap_Distribution_Format 2 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5005.BDF_Spec.pdf 3 | 4 | "STARTFONT" 5 | "COMMENT" 6 | "CONTENTVERSION" 7 | "FONT" 8 | "SIZE" 9 | "FONTBOUNDINGBOX" 10 | "METRICSSET" 11 | "SWIDTH" 12 | "DWIDTH" 13 | "SWIDTH1" 14 | "DWIDTH1" 15 | "VVECTOR" 16 | "STARTPROPERTIES" 17 | "ENDPROPERTIES" 18 | "CHARS" 19 | "STARTCHAR" 20 | "ENCODING" 21 | "BBX" 22 | "BITMAP" 23 | "ENDCHAR" 24 | "ENDFONT" 25 | 26 | # misc 27 | "255" 28 | "-1" 29 | "0" 30 | "2.1" 31 | -------------------------------------------------------------------------------- /dictionaries/bmp.dict: -------------------------------------------------------------------------------- 1 | windows="BM" 2 | os2_bitmap="BA" 3 | os2_icon="CI" 4 | os2_pointer="CP" 5 | os2_struct="IC" 6 | os2_ptr="PT" 7 | windows_color_space="Win " 8 | srgb="sRGB" 9 | link="LINK" 10 | mbed="MBED" 11 | 
-------------------------------------------------------------------------------- /dictionaries/bz2.dict: -------------------------------------------------------------------------------- 1 | magic="BZ" 2 | compress_magic="\x31\x41\x59\x26\x53\x59" 3 | eos_magic="\x17\x72\x45\x38\x50\x90" 4 | -------------------------------------------------------------------------------- /dictionaries/creole.dict: -------------------------------------------------------------------------------- 1 | # http://www.wikicreole.org/wiki/Creole1.0 2 | 3 | bold="**" 4 | italic="//" 5 | heading="==" 6 | link1="[[a|b]]" 7 | link2="[[a:b]]" 8 | hr="----" 9 | img=" {{a|b}}" 10 | table_heading="|=a |=b |" 11 | raw="{{{a}}}" 12 | escape="~" 13 | placeholder="<<<x>>>" 14 | line_break="\\\\" 15 | -------------------------------------------------------------------------------- /dictionaries/csv.dict: -------------------------------------------------------------------------------- 1 | "\x00" 2 | "\r\n" 3 | ";;" 4 | ",," 5 | "\t;" 6 | "\n;" 7 | -------------------------------------------------------------------------------- /dictionaries/dds.dict: -------------------------------------------------------------------------------- 1 | # See http://www.mindcontrol.org/~hplus/graphics/dds-info/ 2 | 3 | magic="\x20\x53\x44\x44" 4 | 5 | # Headers 6 | "\x00\x00\x00\x01" 7 | "\x00\x00\x00\x02" 8 | "\x00\x00\x00\x04" 9 | "\x00\x00\x00\x08" 10 | "\x00\x00\x10\x00" 11 | "\x00\x02\x00\x00" 12 | "\x00\x08\x00\x00" 13 | "\x00\x80\x00\x00" 14 | "\x00\x00\x00\x01" 15 | "\x00\x00\x00\x04" 16 | "\x00\x00\x00\x20" 17 | "\x00\x00\x00\x40" 18 | "\x00\x00\x00\x08" 19 | "\x00\x00\x10\x00" 20 | "\x00\x40\x00\x00" 21 | "\x00\x00\x02\x00" 22 | "\x00\x00\x04\x00" 23 | "\x00\x00\x08\x00" 24 | "\x00\x00\x10\x00" 25 | "\x00\x00\x20\x00" 26 | "\x00\x00\x40\x00" 27 | "\x00\x00\x80\x00" 28 | "\x00\x20\x00\x00" 29 | 30 | #formats 31 | "1TXD" 32 | "2TXD" 33 | "3TXD" 34 | "4TXD" 35 | "5TXD" 36 | 
-------------------------------------------------------------------------------- /dictionaries/djvu.dict: -------------------------------------------------------------------------------- 1 | "ANTa" 2 | "ANTz" 3 | "BG2k" 4 | "BG44" 5 | "BGjp" 6 | "BM44" 7 | "CELX" 8 | "DIRM" 9 | "DJVI" 10 | "DJVM" 11 | "DJVU" 12 | "Djbz" 13 | "FAKE" 14 | "FG2k" 15 | "FG44" 16 | "FGbz" 17 | "FGjp" 18 | "FORM" 19 | "INCL" 20 | "INFO" 21 | "LINK" 22 | "METa" 23 | "METz" 24 | "NAVM" 25 | "NDIR" 26 | "PM44" 27 | "SINF" 28 | "Sjbz" 29 | "Smmr" 30 | "TH44" 31 | "THUM" 32 | "TXTa" 33 | "TXTz" 34 | "WMRM" 35 | -------------------------------------------------------------------------------- /dictionaries/fbs.dict: -------------------------------------------------------------------------------- 1 | # spec: https://google.github.io/flatbuffers/flatbuffers_grammar.html 2 | 3 | attribute="attribute" 4 | bool="bool" 5 | byte="byte" 6 | double="double" 7 | enum="enum" 8 | false="false" 9 | file_extension="file_extension" 10 | float32="float32" 11 | float64="float64" 12 | float="float" 13 | include="include" 14 | inf="inf" 15 | infinity="infinity" 16 | int16="int16" 17 | int32="int32" 18 | int64="int64" 19 | int8="int8" 20 | int="int" 21 | long="long" 22 | namespace="namespace" 23 | nan="nan" 24 | root_type="root_type" 25 | root_type="root_type" 26 | rpc_service="rpc_service" 27 | short="short" 28 | string="string" 29 | struct="struct" 30 | table="table" 31 | true="true" 32 | ubyte="ubyte" 33 | uint16="uint16" 34 | uint32="uint32" 35 | uint64="uint64" 36 | uint="uint" 37 | ulong="ulong" 38 | union="union" 39 | ushort="ushort" 40 | 41 | separator=":" 42 | eol=";" 43 | -------------------------------------------------------------------------------- /dictionaries/ftp.dict: -------------------------------------------------------------------------------- 1 | # from https://github.com/antonio-morales/Fuzzing/Dictionaries/FTP/Example.dict.txt 2 | #Parameters 3 | #tls = {0,1,2,3} 4 | 5 | #Input1 6 | "user" 
7 | "pass" 8 | "syst" 9 | "acct" 10 | "feat" 11 | "noop" 12 | "help" 13 | "stat" 14 | "stru" 15 | "adat" 16 | "site" 17 | 18 | #Input2 19 | "mkd" 20 | "cwd" 21 | "pwd" 22 | "cdup" 23 | 24 | #Input3 25 | "port" 26 | "list" 27 | "mlst" 28 | "nlst" 29 | "mlsd" 30 | 31 | #Input4 32 | "rmd" 33 | 34 | #Input5 35 | "stor" 36 | 37 | #Input6 38 | "retr" 39 | 40 | #Input7 41 | "dele" 42 | 43 | #Input8 44 | "pasv" 45 | 46 | #Input9 47 | "epsv" 48 | 49 | #Input10 50 | "type" 51 | "size" 52 | 53 | #Input11 54 | "mode" 55 | 56 | #Input12 57 | "rnfr" 58 | "rnto" 59 | 60 | #Input13 61 | "appe" 62 | 63 | #Input14 64 | "allo" 65 | "quit" 66 | 67 | #Input15 68 | "connect" 69 | 70 | #Input16 71 | "esta" 72 | "estp" 73 | 74 | #Input17 75 | "mdtm" 76 | "opts" 77 | "eprt" 78 | 79 | #Input18 80 | "mfmt" 81 | "pret" 82 | "stou" 83 | "rest" 84 | 85 | 86 | #------------------------------------- 87 | "\x00" 88 | "\x0d\x0a" 89 | "\x0d" 90 | "\x0a" 91 | "-" 92 | "-a " 93 | "-C " 94 | "-d " 95 | "-F " 96 | "-l " 97 | "-r " 98 | "-R " 99 | "-S " 100 | "-t" 101 | " " 102 | "fuzzing" 103 | "test" 104 | "teste" 105 | ".txt" 106 | "test.txt" 107 | " UTC" 108 | "C" 109 | "E" 110 | "P" 111 | "S" 112 | "abor" 113 | 114 | #ifdef WITH_TLS 115 | "pbsz" 116 | "auth" 117 | "prot" 118 | "ccc" 119 | 120 | #ifdef DEBUG 121 | "xdbg" 122 | 123 | # ifdef WITH_DIRALIASES 124 | "alias" 125 | -------------------------------------------------------------------------------- /dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- 
/dictionaries/heif.dict: -------------------------------------------------------------------------------- 1 | # https://standards.iso.org/ittf/PubliclyAvailableStandards/c066067_ISO_IEC_23008-12_2017.zip 2 | 3 | "altr" 4 | "auxC" 5 | "auxc" 6 | "auxi" 7 | "auxv" 8 | "avcC" 9 | "avci" 10 | "avcs" 11 | "ccst" 12 | "cdsc" 13 | "clap" 14 | "colr" 15 | "dimg" 16 | "dinf" 17 | "dref" 18 | "elst" 19 | "equi" 20 | "free" 21 | "frma" 22 | "ftyp" 23 | "grid" 24 | "grp1" 25 | "hdlr" 26 | "heic" 27 | "heim" 28 | "heis" 29 | "heix" 30 | "hevc" 31 | "hevx" 32 | "hvc1" 33 | "hvc2" 34 | "hvcC" 35 | "idat" 36 | "iden" 37 | "iinf" 38 | "iloc" 39 | "imir" 40 | "infe" 41 | "iovl" 42 | "ipro" 43 | "iprp" 44 | "iref" 45 | "irot" 46 | "ispe" 47 | "jpeg" 48 | "jpgC" 49 | "jpgs" 50 | "lhv1" 51 | "lhvC" 52 | "lsel" 53 | "mdat" 54 | "meta" 55 | "mif1" 56 | "mime" 57 | "mjpg" 58 | "msf1" 59 | "oinf" 60 | "pasp" 61 | "pict" 62 | "pitm" 63 | "pixi" 64 | "refs" 65 | "rloc" 66 | "schi" 67 | "schm" 68 | "sgpd" 69 | "sinf" 70 | "skip" 71 | "stsz" 72 | "subs" 73 | "thmb" 74 | "tkhd" 75 | "tols" 76 | "trak" 77 | -------------------------------------------------------------------------------- /dictionaries/hoextdown.dict: -------------------------------------------------------------------------------- 1 | asterisk="*" 2 | attr_generic=" a=\"1\"" 3 | attr_href=" href=\"1\"" 4 | attr_xml_lang=" xml:lang=\"1\"" 5 | attr_xmlns=" xmlns=\"1\"" 6 | backslash="\\" 7 | backtick="`" 8 | colon=":" 9 | dashes="---" 10 | double_quote="\"" 11 | entity_builtin="<" 12 | entity_decimal="" 13 | entity_external="&a;" 14 | entity_hex="" 15 | equals="===" 16 | exclamation="!" 
17 | greater_than=">" 18 | hash="#" 19 | hyphen="-" 20 | indent=" " 21 | left_bracket="[" 22 | left_paren="(" 23 | less_than="<" 24 | plus="+" 25 | right_bracket="]" 26 | right_paren=")" 27 | single_quote="'" 28 | string_any="ANY" 29 | string_brackets="[]" 30 | string_cdata="CDATA" 31 | string_dashes="--" 32 | string_empty_dblquotes="\"\"" 33 | string_empty_quotes="''" 34 | string_idrefs="IDREFS" 35 | string_parentheses="()" 36 | string_pcdata="#PCDATA" 37 | tag_cdata="<![CDATA[" 38 | tag_close="</a>" 39 | tag_doctype="<!DOCTYPE" 40 | tag_element="<!ELEMENT" 41 | tag_entity="<!ENTITY" 42 | tag_notation="<!NOTATION" 43 | tag_open="<a>" 44 | tag_open_close="<a />" 45 | tag_open_exclamation="<!" 46 | tag_open_q="<?" 47 | tag_sq2_close="]]>" 48 | tag_xml_q="<?xml?>" 49 | underscore="_" 50 | -------------------------------------------------------------------------------- /dictionaries/iccprofile.dict: -------------------------------------------------------------------------------- 1 | # Dict for ICC profiles parsed by skcms. 
2 | 3 | "mft1" 4 | "mft2" 5 | "mAB " 6 | "rXYZ" 7 | "gXYZ" 8 | "bXYZ" 9 | "rTRC" 10 | "gTRC" 11 | "bTRC" 12 | "kTRC" 13 | "A2B0" 14 | "curv" 15 | "para" 16 | "mluc" 17 | "XYZ " 18 | "Lab " 19 | "RGB " 20 | "CMYK" 21 | "GRAY" 22 | "mntr" 23 | "scnr" 24 | "prtr" 25 | "spac" 26 | -------------------------------------------------------------------------------- /dictionaries/icns.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Apple_Icon_Image_format 2 | 3 | "ICN#" 4 | "ICON" 5 | "TOC " 6 | "h8mk" 7 | "ic04" 8 | "ic05" 9 | "ic07" 10 | "ic08" 11 | "ic09" 12 | "ic10" 13 | "ic11" 14 | "ic12" 15 | "ic13" 16 | "ic14" 17 | "ich#" 18 | "ich4" 19 | "ich8" 20 | "icl4" 21 | "icl8" 22 | "icm#" 23 | "icm4" 24 | "icm8" 25 | "icnV" 26 | "icns" 27 | "icp4" 28 | "icp5" 29 | "icp6" 30 | "ics#" 31 | "ics4" 32 | "ics8" 33 | "icsB" 34 | "icsb" 35 | "ih32" 36 | "il32" 37 | "info" 38 | "is32" 39 | "it32" 40 | "l8mk" 41 | "name" 42 | "s8mk" 43 | "t8mk" 44 | -------------------------------------------------------------------------------- /dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /dictionaries/jpeg2000.dict: -------------------------------------------------------------------------------- 1 | type="jP " 2 | ftyp="ftyp" 3 | subtype1="jp2 " 4 | 
subtype2="jp20" 5 | subtype3="jpm " 6 | subtype4="jpx " 7 | subtype5="jp2h" 8 | subtype6="jpxb" 9 | subtype7="mjp2" 10 | subtype8="mj2s" 11 | subtype9="jp2c" 12 | subtype10="jpch" 13 | subtype11="jplh" 14 | codestream="\xFF\x4F\xFF\x51" 15 | signature="\x0d\x0a\x87\x0a" 16 | tag1="hdr" 17 | tag2="colr" 18 | tag3="url" 19 | tag4="req" 20 | tag5="res" 21 | tag6="page" 22 | tag7="obj" 23 | -------------------------------------------------------------------------------- /dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 6 | # 7 | # Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net> 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | 54 | "$ref" 55 | "type" 56 | "coordinates" 57 | "@context" 58 | "@id" 59 | 60 | "," 61 | ":" 62 | -------------------------------------------------------------------------------- /dictionaries/jsonnet.dict: -------------------------------------------------------------------------------- 1 | # https://jsonnet.org/ref/spec.html 2 | 3 | # Keywords 4 | "assert" 5 | "else" 6 | "error" 7 | "false" 8 | "for" 9 | "function" 10 | "if" 11 | "import" 12 | "importstr" 13 | "in" 14 | "local" 15 | "null" 16 | "self" 17 | "super" 18 | "tailstrict" 19 | "then" 20 | "true" 21 | "super" 22 | "local" 23 | 24 | # operators 25 | "|||" 26 | "@\"" 27 | "@'" 28 | "!=" 29 | "==" 30 | "[::]" 31 | "+:::" 32 | 33 | # functions 34 | "std.acos(" 35 | "std.asin(" 36 | 
"std.atan(" 37 | "std.ceil(" 38 | "std.char(" 39 | "std.codepoint(" 40 | "std.cos(" 41 | "std.equals(" 42 | "std.exp(" 43 | "std.exponent(" 44 | "std.floor(" 45 | "std.join(" 46 | "std.length(" 47 | "std.log(" 48 | "std.makeArray(" 49 | "std.mantissa(" 50 | "std.mod" 51 | "std.modulo(" 52 | "std.objectFiledsEx(" 53 | "std.objectsHasEx(" 54 | "std.pow(" 55 | "std.primitiveEquals(" 56 | "std.sin(" 57 | "std.slice(" 58 | "std.sqrt(" 59 | "std.tan(" 60 | "std.type(" 61 | -------------------------------------------------------------------------------- /dictionaries/markdown.dict: -------------------------------------------------------------------------------- 1 | strike="~~" 2 | list="2." 3 | link="[a](" 4 | link_without_ref="[a][" 5 | image="![b](" 6 | bold="**" 7 | separator="---" 8 | title="# " 9 | fence="```" 10 | link_bottom="[a]:" 11 | link_inline="<http://" 12 | link_bottom_title="[1]: http://a.com" 13 | checklist="- [x" 14 | toc="[TOC]" 15 | highlight_rst=":::python" 16 | 17 | 18 | # GFM - https://github.github.com/gfm/ 19 | "| ---" 20 | leaf1="***" 21 | leaf2="___" 22 | code_hl="```html" 23 | task="- [ ]" 24 | 25 | 26 | # Extended syntax: https://www.markdownguide.org/extended-syntax/ 27 | footnote="[^a]" 28 | title_id="#a {#b}" 29 | -------------------------------------------------------------------------------- /dictionaries/math.dict: -------------------------------------------------------------------------------- 1 | "{" 2 | "}" 3 | "," 4 | "[" 5 | "]" 6 | "," 7 | ":" 8 | "e" 9 | "e+" 10 | "e-" 11 | "E" 12 | "E+" 13 | "E-" 14 | "\"" 15 | "\\" 16 | " " 17 | "null" 18 | "1" 19 | "1.234" 20 | "3e4" 21 | -------------------------------------------------------------------------------- /dictionaries/mysqld.dict: -------------------------------------------------------------------------------- 1 | user="root" 2 | -------------------------------------------------------------------------------- /dictionaries/ogg.dict: 
-------------------------------------------------------------------------------- 1 | # https://xiph.org/vorbis/doc/Vorbis_I_spec.html 2 | 3 | header="OggS" 4 | 5 | # Codecs 6 | "BBCD\x00" 7 | "\x7fFLAC" 8 | "\x80theora" 9 | "\x01vorbis" 10 | "CELT " 11 | "CMML\x00\x00\x00\x00" 12 | "\x8bJNG\x0d\x0a\x1a\x0a" 13 | "\x80kate\x00\x00\x00" 14 | "OggMIDI\x00" 15 | "\x8aMNG\x0d\x0a\x1a\x0a" 16 | "PCM " 17 | "\x89PNG\x0d\x0a\x1a\x0a" 18 | "Speex " 19 | "YUV4MPEG" 20 | 21 | # Metadata 22 | "TITLE=" 23 | "VERSION=" 24 | "ALBUM=" 25 | "TRACKNUMBER=" 26 | "ARTIST=" 27 | "PERFORMER=" 28 | "COPYRIGHT=" 29 | "LICENSE=" 30 | "ORGANIZATION=" 31 | "DESCRIPTION=" 32 | "GENRE=" 33 | "DATE=" 34 | "LOCATION=" 35 | "CONTACT=" 36 | "ISRC=" 37 | -------------------------------------------------------------------------------- /dictionaries/openexr.dict: -------------------------------------------------------------------------------- 1 | # specs: 2 | # - https://www.openexr.com/documentation/openexrfilelayout.pdf 3 | # - https://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/OpenEXR.html 4 | 5 | lay="_lay" 6 | ver="_ver" 7 | adoptNeutral="AdoptNeutral" 8 | altitude="altitude" 9 | aperture="aperture" 10 | box2f="box2f" 11 | box2i="box2i" 12 | capdate="capDate" 13 | channels="channels" 14 | chlist="chlist" 15 | chromaticities="chromaticities" 16 | comments="comments" 17 | compression="compression" 18 | dataWindow="dataWindow" 19 | displayWindow="displayWindow" 20 | double="double" 21 | envmap="envmap" 22 | expTime="expTime" 23 | focus="focus" 24 | framesPerSecond="framesPerSecond" 25 | float="float" 26 | header="\x76\x2F\x31\x01" 27 | int="int" 28 | isoSpeed="isoSpeed" 29 | keycode="keyCode" 30 | latitude="latitude" 31 | lineOrder="lineOrder" 32 | longitude="longitude" 33 | lookModTransform="lookModTransform" 34 | m33f="m33f" 35 | m44f="m44f" 36 | owner="owner" 37 | pixelAspectRatio="pixelAspectRatio" 38 | preview="preview" 39 | renderingTransform="renderingTransform" 40 | rational="rational" 
41 | screenWindowCenter="screenWindowCenter" 42 | screenWindowWidth="screenWindowWidth" 43 | string="string" 44 | stringvector="stringvector" 45 | tiles="tiles" 46 | tiledesc="tileDesc" 47 | timecode="timeCode" 48 | utcOffset="itcOffset" 49 | whiteLuminance="whiteLuminance" 50 | worldToCamera="worldToCamera" 51 | worldToNDC="worldToNDC" 52 | v2f="v2f" 53 | v2i="v2i" 54 | v3f="v3f" 55 | v3i="v3i" 56 | wrapmodes="wrapmodes" 57 | xDensity="xDensity" 58 | -------------------------------------------------------------------------------- /dictionaries/pbm.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Netpbm_format 2 | header1="P1" 3 | header2="P2" 4 | header3="P3" 5 | header4="P4" 6 | header5="P5" 7 | header6="P6" 8 | zero="0" 9 | one="1" 10 | comment="#" 11 | max="255" 12 | overflow="256" 13 | 14 | # PAM - https://en.wikipedia.org/wiki/Netpbm#PAM_graphics_format 15 | header7="P7" 16 | width="WIDTH" 17 | height="HEIGHT" 18 | depth="DEPTH" 19 | maxval="MAXVAL" 20 | enhdr="ENDHDR" 21 | tupltype="TUPLTYPE" 22 | tupltype1="RGB_ALPHA" 23 | tupltype2="RGB" 24 | typltype3="BLACKANDWHITE" 25 | typltype4="BLACKANDWHITE_ALPHA" 26 | typltype5="GRAYSCALE" 27 | typltype6="GRAYSCALE_ALPHA" 28 | maxval_num="65535" 29 | maxval_overlfow="65536" 30 | -------------------------------------------------------------------------------- /dictionaries/pcap.dict: -------------------------------------------------------------------------------- 1 | # https://www.tcpdump.org/pcap/pcap.html 2 | 3 | # Headers 4 | "\xa1\xb2\xc3\xd4" 5 | "\xd4\xc3\xb2\xa1" 6 | "\xa1\xb2\x3c\x4d" 7 | "\x4d\x3c\xb2\xa1" 8 | 9 | 10 | current_version="\x02\x00\x04\x00" 11 | -------------------------------------------------------------------------------- /dictionaries/perl.dict: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # AFL dictionary for fuzzing Perl 4 | # -------------------------------- 5 | # 6 
| # Created by @RandomDhiraj 7 | # 8 | 9 | "<:crlf" 10 | "fwrite()" 11 | "fread()" 12 | ":raw:utf8" 13 | ":raw:eol(LF)" 14 | "Perl_invert()" 15 | ":raw:eol(CRLF)" 16 | "Perl_PerlIO_eof()" 17 | -------------------------------------------------------------------------------- /dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /dictionaries/protobuf.dict: -------------------------------------------------------------------------------- 1 | # Keywords taken from https://developers.google.com/protocol-buffers/docs/reference/proto2-spec 2 | 3 | bool="bool" 4 | bytes="bytes" 5 | double="double" 6 | enum="enum" 7 | extend="extend" 8 | extension="extension" 9 | false="false" 10 | fixed32="fixed32" 11 | fixed64="fixed64" 12 | float="float" 13 | group="group" 14 | import="import" 15 | inner="inner" 16 | int32="int32" 17 | int64="int64" 18 | map="map<" 19 | message="message" 20 | option="option" 21 | optional="optional" 22 | 
package="package" 23 | public="public" 24 | repeated="repeated" 25 | required="required" 26 | reserved="reserved" 27 | returns="returns" 28 | rpc="rpc" 29 | service="service" 30 | sfixed32="sfixed32" 31 | sfixed64="sfixed64" 32 | sint32="sint32" 33 | sint64="sint64" 34 | stream="stream" 35 | string="string" 36 | syntax="syntax" 37 | true="true" 38 | uint32="uint32" 39 | uint64="uint64" 40 | weak="weak" 41 | -------------------------------------------------------------------------------- /dictionaries/riff.dict: -------------------------------------------------------------------------------- 1 | # https://developers.google.com/speed/webp/docs/riff_container 2 | 3 | # FourCC 4 | "ALPH" 5 | "ANIM" 6 | "ANMF" 7 | "EXIF" 8 | "ICCP" 9 | "RIFF" 10 | "VP8 " 11 | "VP8L" 12 | "VP8X" 13 | "WEBP" 14 | "XMP " 15 | 16 | # VP8 signature 17 | "\x9D\x01\x2A" 18 | -------------------------------------------------------------------------------- /dictionaries/rss.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/RSS 2 | 3 | "<?xml version='1.0' encoding='UTF-8' ?>" 4 | "<rss version='2.0'>" 5 | "<author>" 6 | "<category>" 7 | "<channel>" 8 | "<cloud>" 9 | "<comments>" 10 | "<copyright>" 11 | "<description>" 12 | "<docs>" 13 | "<enclosure>" 14 | "<generator>" 15 | "<guid>" 16 | "<image>" 17 | "<item>" 18 | "<language>" 19 | "<lastBuildDate>" 20 | "<link>" 21 | "<managingEditor>" 22 | "<pubDate>" 23 | "<rating>" 24 | "<skipDays>" 25 | "<skipHours>" 26 | "<source>" 27 | "<textInput>" 28 | "<title>" 29 | "<ttl>" 30 | "<url>" 31 | "<webMaster>" 32 | -------------------------------------------------------------------------------- /dictionaries/rst.dict: -------------------------------------------------------------------------------- 1 | # https://docutils.readthedocs.io/en/sphinx-docs/ref/rst/restructuredtext.html 2 | 3 | bold="**" 4 | list1="1. " 5 | list2="(1) " 6 | list3="1) " 7 | list4="I. " 8 | list5="i. 
" 9 | list6="* " 10 | list7="- " 11 | list8="+ " 12 | end_of_paragraph="::" 13 | title="=====" 14 | image=".. image:: " 15 | image_attr=" :a: 1" 16 | doctest=">>>" 17 | table1="+--+"" 18 | table2="+==+"" 19 | footnote_and_citation=".. [a] " 20 | hyperlink=".. _a: http://a " 21 | macro=".. |b| a" 22 | -------------------------------------------------------------------------------- /dictionaries/sas.dict: -------------------------------------------------------------------------------- 1 | " " 2 | "#" 3 | "$" 4 | "$CHAR" 5 | "%LET" 6 | "(" 7 | ")" 8 | "*/" 9 | "/*" 10 | ";" 11 | "@" 12 | "ATTRIB" 13 | "CLEAR" 14 | "CONTENTS" 15 | "DATA" 16 | "DATE" 17 | "FILENAME" 18 | "FOOTNOTE" 19 | "FORMAT" 20 | "IF" 21 | "INFILE" 22 | "INPUT" 23 | "INVALUE" 24 | "LABEL" 25 | "LENGTH" 26 | "LIBNAME" 27 | "LIST" 28 | "MISSING" 29 | "OPTIONS" 30 | "OTHER" 31 | "PRINT" 32 | "PROC" 33 | "RUN" 34 | "VALUE" 35 | "_ALL_" 36 | "dlm" 37 | "firstobs" 38 | -------------------------------------------------------------------------------- /dictionaries/spss.dict: -------------------------------------------------------------------------------- 1 | "(" 2 | "(NOMINAL)" 3 | "(ORDINAL)" 4 | "(SCALE)" 5 | ")" 6 | "." 
7 | "/" 8 | "/VARIABLES" 9 | "=" 10 | " " 11 | "A" 12 | "ADATE" 13 | "COMMENT" 14 | "DATA" 15 | "DATASET" 16 | "DATE" 17 | "DELIMITERS" 18 | "DICTIONARY" 19 | "DISPLAY" 20 | "END" 21 | "EXECUTE" 22 | "F" 23 | "FILE" 24 | "FIRSTCASE" 25 | "FIXED" 26 | "FORMATS" 27 | "HANDLE" 28 | "IF" 29 | "INPUT" 30 | "LABEL" 31 | "LABELS" 32 | "LEVEL" 33 | "LIST" 34 | "NAME" 35 | "OUTFILE" 36 | "PROGRAM" 37 | "RECODE" 38 | "RECORD" 39 | "SAVE" 40 | "SELECT" 41 | "SET" 42 | "SYSMIS" 43 | "TABLE" 44 | "VALUE" 45 | "VARIABLE" 46 | "WINDOW" 47 | -------------------------------------------------------------------------------- /dictionaries/stata.dict: -------------------------------------------------------------------------------- 1 | " " 2 | ")" 3 | "*/" 4 | "/*" 5 | "_column(" 6 | "_firstlineoffile(" 7 | "_line(" 8 | "_lines(" 9 | "_lrecl(" 10 | "_newline" 11 | "_skip(" 12 | "byte" 13 | "dictionary" 14 | "double" 15 | "float" 16 | "infile" 17 | "int" 18 | "long" 19 | "str" 20 | "using" 21 | "{" 22 | "}" 23 | -------------------------------------------------------------------------------- /dictionaries/tex.dict: -------------------------------------------------------------------------------- 1 | # main keywords 2 | 3 | "@article{" 4 | "@conference{" 5 | "@misc{" 6 | "\\@." 
7 | "\\Huge" 8 | "\\LARGE" 9 | "\\LaTeX\\" 10 | "\\Large" 11 | "\\author{" 12 | "\\begin{" 13 | "\\caption" 14 | "\\centering" 15 | "\\chapter{" 16 | "\\citeA{" 17 | "\\citeNP" 18 | "\\citeN{" 19 | "\\citeyear{" 20 | "\\cite{" 21 | "\\cline{" 22 | "\\date{" 23 | "\\documentclass{" 24 | "\\emph{" 25 | "\\end{" 26 | "\\footnotesize" 27 | "\\footnote{" 28 | "\\frac{" 29 | "\\hline" 30 | "\\hspace{" 31 | "\\huge" 32 | "\\includegraphics" 33 | "\\item{" 34 | "\\kill" 35 | "\\label{" 36 | "\\large" 37 | "\\ldots" 38 | "\\leq" 39 | "\\linespread" 40 | "\\maketitle{}" 41 | "\\multicolumn{" 42 | "\\newcommand{" 43 | "\\noindent" 44 | "\\normalfont{" 45 | "\\normalsize" 46 | "\\pagebreak" 47 | "\\pageref{" 48 | "\\pagestyle{" 49 | "\\part{" 50 | "\\prod_{" 51 | "\\raggedleft" 52 | "\\raggedright" 53 | "\\ref{" 54 | "\\rule{" 55 | "\\scriptsize" 56 | "\\section{" 57 | "\\setcounter{" 58 | "\\shortciteA{" 59 | "\\shortciteNP" 60 | "\\shortciteN{" 61 | "\\shortcite{" 62 | "\\small" 63 | "\\sqrt{" 64 | "\\subsection{" 65 | "\\sum_{" 66 | "\\tableofcontents" 67 | "\\textbackslash" 68 | "\\textbar" 69 | "\\textbf{" 70 | "\\textgreater" 71 | "\\textit{" 72 | "\\textless" 73 | "\\textmd{" 74 | "\\textnormal{" 75 | "\\textrm{" 76 | "\\textsc{" 77 | "\\textsf{" 78 | "\\textsl{" 79 | "\\texttt{" 80 | "\\textup{" 81 | "\\tiny" 82 | "\\title{" 83 | "\\today" 84 | "\\underline{" 85 | "\\usepackage" 86 | "\\vspace{" 87 | 88 | 89 | # misc 90 | 91 | "abbrv" 92 | "addres" 93 | "article" 94 | "book" 95 | "center" 96 | "description" 97 | "document" 98 | "draft" 99 | "em" 100 | "enumerate" 101 | "equation" 102 | "figure" 103 | "flushleft" 104 | "flushright" 105 | "hyperref" 106 | "itemize" 107 | "landscape" 108 | "letter" 109 | "letterpaper" 110 | "plain" 111 | "publisher" 112 | "quotation" 113 | "quote" 114 | "report" 115 | "slides" 116 | "tabular*" 117 | "twocolumn" 118 | "twoside" 119 | "unsrt" 120 | "verbatim*" 121 | "verse" 122 | "year" 123 | 
-------------------------------------------------------------------------------- /dictionaries/theme-load-fuzz.dict: -------------------------------------------------------------------------------- 1 | "{" 2 | "}" 3 | "\"" 4 | ";" 5 | "=" 6 | "formats" 7 | "replaces" 8 | "abstracts" 9 | "timestamp" 10 | -------------------------------------------------------------------------------- /dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /dictionaries/tokener_parse_ex.dict: -------------------------------------------------------------------------------- 
1 | "{" 2 | "}" 3 | "," 4 | "[" 5 | "]" 6 | "," 7 | ":" 8 | "e" 9 | "e+" 10 | "e-" 11 | "E" 12 | "E+" 13 | "E-" 14 | "\"" 15 | "null" 16 | "1" 17 | "1.234" 18 | "3e4" 19 | -------------------------------------------------------------------------------- /dictionaries/toml.dict: -------------------------------------------------------------------------------- 1 | # https://github.com/toml-lang/toml 2 | 3 | key_value="a.b=\"c\"" 4 | unicode="\\u1234" 5 | unicode_long="\\u12345678" 6 | true="true" 7 | false="false" 8 | multiline_literal="'''" 9 | multiline="\"\"\"" 10 | integer="+1_2_3_4" 11 | negative_integer="-1" 12 | hex="0xde_ad" 13 | oct="0o6" 14 | bin="0b1" 15 | float="-6_3.6e-05" 16 | nan="nan" 17 | inf="inf" 18 | time="1979-05-27T07:32:00Z" 19 | array="[1,2]" 20 | table="[a]" 21 | inline_table="a={1=2,3=4}" 22 | array_table="[[a]]" 23 | -------------------------------------------------------------------------------- /dictionaries/type42.dict: -------------------------------------------------------------------------------- 1 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5012.Type42_Spec.pdf 2 | # This format is a super-set of postscript, so don't forget to use ps.dict as well 3 | 4 | magic="%!PS-TrueTypeFont" 5 | "%%VMUsage:" 6 | "/FontType" 7 | "/FontMatrix" 8 | "/FontName" 9 | "/FontInfo" 10 | "/Encoding" 11 | "/FontBBox" 12 | "/UniqueID" 13 | "/XUID" 14 | "/PaintType" 15 | "/StrokeWidth" 16 | "/Metrics" 17 | "/Metrics2" 18 | "/CDevProc" 19 | "/CharStrings" 20 | "/sfnts" 21 | "/CIDMap" 22 | "/GDBytes" 23 | "/GlyphDirectory" 24 | "/MetricsCount" 25 | "/WMode" 26 | -------------------------------------------------------------------------------- /dictionaries/url.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Uniform_Resource_Identifier 2 | 3 | # scheme 4 | "aim" 5 | "callto" 6 | "cvs" 7 | "data" 8 | "facetime" 9 | "feed" 10 | "file" 11 | "ftp" 12 | "git" 13 | "gopher" 14 
| "gtalk" 15 | "h323" 16 | "hdl" 17 | "http" 18 | "https" 19 | "imap" 20 | "irc" 21 | "irc6" 22 | "ircs" 23 | "itms" 24 | "javascript" 25 | "magnet" 26 | "mailto" 27 | "mms" 28 | "msnim" 29 | "news" 30 | "nntp" 31 | "prospero" 32 | "rsync" 33 | "rtsp" 34 | "rtspu" 35 | "sftp" 36 | "shttp" 37 | "sip" 38 | "sips" 39 | "skype" 40 | "smb" 41 | "snews" 42 | "ssh" 43 | "svn" 44 | "svn" 45 | "svn+ssh" 46 | "telnet" 47 | "tel" 48 | "wais" 49 | "ymsg" 50 | 51 | # encoded characters 52 | "%2f" 53 | "%40" 54 | "%26" 55 | 56 | # misc 57 | "://" 58 | "//" 59 | "\\" 60 | "../" 61 | ";type=a" 62 | "xn--" 63 | -------------------------------------------------------------------------------- /dictionaries/utf8.dict: -------------------------------------------------------------------------------- 1 | # https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt 2 | 3 | 4 | # Defines byte order and endianness 5 | byte_order="\xFE\xFF" 6 | 7 | # Reorder the display of text for RTL reading 8 | right_to_left="\x20\x2E" 9 | 10 | # Mongolian Vowel Separator: invisible and has the whitespace property 11 | invisible_separator="\x18\x03" 12 | 13 | # Invisible zero-width character. 14 | word_join="\x20\x60" 15 | 16 | # Reserved code point 17 | reserved="\xfe\xfe" 18 | 19 | # Invalid code point 20 | invalid1="\xff\xff" 21 | invalid2="\x01\xff\xff" 22 | invalid3="\xfdd0" 23 | 24 | # unassigned code point 25 | unassigned="\x0f\xed" 26 | 27 | # illegal low half-surrogate 28 | illegal_low="\xde\xad" 29 | 30 | # illegal high half-surrogate 31 | illegal_high="\xda\xad" 32 | 33 | # private use area code point used by Apple for its logo 34 | apple="\xf8\xff" 35 | 36 | # hostname normalization 37 | fullwidth_solidus="\xff\x0f" 38 | 39 | # numerical mapping and a value 40 | bold_eight="\x01\xd7\xd6" 41 | 42 | # U+00DF normalizes to "ss" during IDNA2003's mapping phase, 43 | # different from its IDNA2008 mapping. 
See http://www.unicode.org/reports/tr46/ 44 | weird="\x00\xdf" 45 | 46 | # U+FDFD expands by 11x (UTF-8) and 18x (UTF-16) under NFKC/NFKC 47 | expansion="\xfd\xfd" 48 | 49 | # U+0390 expands by 3x (UTF-8) under NFD 50 | expansion2="\x03\x90" 51 | 52 | # U+1F82 expands by 4x (UTF-16) under NFD 53 | expansion3= "\x1F\x82" 54 | 55 | # U+FB2C expands by 3x (UTF-16) under NFC 56 | expansion4="\xFB\x2C" 57 | 58 | # Lowercase expansion: https://twitter.com/jifa/status/625776454479970304 59 | low_exp1="\x02\x3a" 60 | low_exp2="\x02\x3e" 61 | low_exp3="\x00\xdf" 62 | low_exp4="\x1e\x9e" 63 | 64 | # Null byte 65 | null="\x00\x00" 66 | "\xfc\x80\x80\x80\x80\x80" 67 | "fc\x80\x80\x80\x80\xaf" 68 | 69 | # Confusing new lines 70 | "\x00\x1b" 71 | "\x00\x85" 72 | "\x20\x28" 73 | "\x20\x29" 74 | -------------------------------------------------------------------------------- /dictionaries/vhd.dict: -------------------------------------------------------------------------------- 1 | # https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-VHDX/%5bMS-VHDX%5d.pdf 2 | 3 | magic="\x65\x6C\x69\x66\x78\x64\x68\x76" 4 | head="\x64\x61\x65\x68" 5 | regi="\x69\x67\x65\x72" 6 | loge="\x65\x67\x6F\x6C" 7 | zero="\x6F\x72\x65\x7A" 8 | desc="\x63\x73\x65\x64" 9 | data="\x61\x74\x61\x64" 10 | metadata="\x61\x74\x61\x64\x61\x74\x65\x6D" 11 | -------------------------------------------------------------------------------- /dictionaries/vpx_dec.dict: -------------------------------------------------------------------------------- 1 | # IVF Signature + version (bytes 0-5) 2 | kw1="DKIF\x00\x00" 3 | 4 | # VP9 codec fourCC (bytes 8-11) 5 | kw2="VP90" 6 | 7 | # VP8 codec fourCC (bytes 8-11) 8 | kw3="VP80" 9 | -------------------------------------------------------------------------------- /dictionaries/wav.dict: -------------------------------------------------------------------------------- 1 | header="RIFF" 2 | header_id="WAVE" 3 | 4 | fmt_chunk="fmt " 5 | fact_chunk="fact" 6 | 
data_chunk="data" 7 | cue_chunk="cue " 8 | playlist_chunk="plst" 9 | list_chunk="list" 10 | label_chunk="labl" 11 | note_chunk="note" 12 | labeled_text_chunk="ltxt" 13 | sampler_chunk="smpl" 14 | instrument_chunk="inst" 15 | 16 | # IFF extension: https://web.archive.org/web/20080114200405/http://www.borg.com/~jglatt/tech/aboutiff.htm 17 | "FORM" 18 | "LIST" 19 | "CAT " 20 | "ILBM" 21 | "AIFF" 22 | "ANIM" 23 | "CMAP" 24 | "MIDI" 25 | "MThd" 26 | -------------------------------------------------------------------------------- /dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /dictionaries/wkt.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry 2 | 3 | "AFFINEPLACEMENT" 4 | "BREPSOLID" 5 | "CIRCLE" 6 | "CIRCULARSTRING" 7 | "CLOTHOID" 8 | "COMPOUNDCURVE" 9 | "CURVE" 10 | "CURVEPOLYGON" 11 | "ELLIPTICALCURVE" 12 | "EMPTY" 13 | "GEODESICSTRING" 14 | "GEOMETRY" 15 | "GEOMETRYCOLLECTION" 16 | "LINESTRING" 17 | "MULTICURVE" 18 | "MULTILINESTRING" 19 | "MULTIPOINT" 20 | "MULTIPOLYGON" 21 | "MULTISURFACE" 22 | "NURBSCURVE" 23 | "POINT" 24 | "PATCHES" 25 | "POLYGON" 26 | "POLYHEDRALSURFACE" 27 | "SPIRALCURVE" 28 | "SRID" 29 | "SURFACE" 30 | "TIN" 31 | "TRIANGLE" 32 | "ZM" 33 | 34 | # misc 35 | "(1,2)" 36 | -------------------------------------------------------------------------------- 
/dictionaries/xml.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="<!ATTLIST" 59 | tag_cdata="<![CDATA[" 60 | tag_close="</a>" 61 | tag_doctype="<!DOCTYPE" 62 | tag_element="<!ELEMENT" 63 | tag_entity="<!ENTITY" 64 | tag_ignore="<![IGNORE[" 65 | tag_include="<![INCLUDE[" 66 | tag_notation="<!NOTATION" 67 | tag_open="<a>" 68 | tag_open_close="<a />" 69 | tag_open_exclamation="<!" 70 | tag_open_q="<?" 
71 | tag_sq2_close="]]>" 72 | tag_xml_q="<?xml?>" 73 | -------------------------------------------------------------------------------- /dictionaries/xpath.dict: -------------------------------------------------------------------------------- 1 | # https://developer.mozilla.org/en-US/docs/Web/XPath 2 | # https://devhints.io/xpath 3 | 4 | # selectors 5 | "//" 6 | "./" 7 | "::" 8 | "[*]" 9 | 10 | 11 | # functions - https://developer.mozilla.org/en-US/docs/Web/XPath/Functions 12 | "boolean(" 13 | "ceiling(" 14 | "choose(" 15 | "concat(" 16 | "contains(" 17 | "count(" 18 | "current()" 19 | "document(" 20 | "element-available(" 21 | "ends-with(" 22 | "false()" 23 | "floor(" 24 | "format-number(" 25 | "function-available(" 26 | "generate-id(" 27 | "id(" 28 | "key(" 29 | "lang(" 30 | "last()" 31 | "local-name(" 32 | "name(" 33 | "namespace-uri(" 34 | "normalize-space(" 35 | "not(" 36 | "number(" 37 | "or" 38 | "position(" 39 | "round(" 40 | "starts-with(" 41 | "string(" 42 | "string-length(" 43 | "substring(" 44 | "substring-after(" 45 | "substring-before(" 46 | "sum(" 47 | "system-property(" 48 | "text()" 49 | "translate(" 50 | "true()" 51 | "unparsed-entity-url(" 52 | 53 | # axes - https://developer.mozilla.org/en-US/docs/Web/XPath/Axes 54 | "ancestor" 55 | "ancestor-or-self" 56 | "attribute" 57 | "child" 58 | "descendant" 59 | "descendant-or-self" 60 | "following" 61 | "following-sibling" 62 | "namespace" 63 | "parent" 64 | "preceding" 65 | "preceding-sibling" 66 | "self" 67 | -------------------------------------------------------------------------------- /dictionaries/yaml.dict: -------------------------------------------------------------------------------- 1 | # sources: 2 | # - https://en.wikipedia.org/wiki/YAML 3 | # - https://yaml.org/spec/1.1/ 4 | # - https://yaml.org/type/ 5 | 6 | directive_yaml="%YAML 1.2" 7 | directive_tag="%TAG !yaml! tag:yaml.org,2002:" 8 | directive_tag2="%TAG !m! 
!my-" 9 | true="true" 10 | caps_true="TRUE" 11 | caps_false="FALSE" 12 | literal_true="YES" 13 | literal_false="NO" 14 | false="false" 15 | start="---" 16 | comment="#" 17 | list="- " 18 | key="k: " 19 | walrus="=:" 20 | question_key="?k: " 21 | number="\"0e5\"" 22 | expand="!!" 23 | list="[a,b]" 24 | dict="{k: v, x: y}" 25 | value=": v" 26 | exponent="e+03" 27 | neg_inf="-.inf" 28 | nan=".NaN" 29 | end="..." 30 | quoted_key="'k'" 31 | newline="k: |" 32 | newline2="k: >" 33 | anchor="&a" 34 | reference="*a" 35 | type_binary="!!binary" 36 | type_bool="!!bool" 37 | type_float="!!float" 38 | type_int="!!int" 39 | type_map="!!map" 40 | type_merge="!!merge" 41 | type_null="!!null" 42 | type_omap="!!omap" 43 | type_pairs="!!pairs" 44 | type_seq="!!seq" 45 | type_set="!!set" 46 | type_str="!!str" 47 | type_timestamp="!!timestamp" 48 | type_value="!!value" 49 | type_yaml="!!yaml" 50 | type_python="!!python" 51 | merge = "<<" 52 | number_separation="_" 53 | decimal_number="+30_123" 54 | octal_number="0123" 55 | hex_number="0x_12_23" 56 | bin_number="0b1001_1001" 57 | sexa_number="123:34:75" 58 | complex_mapping="? " 59 | litteral_style=" |" 60 | folded_style=" >" 61 | timestamp="2001-12-14t21:59:43.10-05:00" 62 | escaped_unicode="\\u2029" 63 | "[" 64 | "]" 65 | "{" 66 | "}" 67 | "-" 68 | "," 69 | "&" 70 | "<<" 71 | ":" 72 | "|" 73 | "!!" 
74 | ">" 75 | "\"" 76 | "'" 77 | integer="123" 78 | float="12.5" 79 | mantissa="1.3e+9" 80 | -------------------------------------------------------------------------------- /dictionaries/zip.dict: -------------------------------------------------------------------------------- 1 | header1="\x50\x4B\x03\x04" 2 | header2="\x50\x4B\x05\x06" 3 | header2="\x50\x4B\x07\x08" 4 | -------------------------------------------------------------------------------- /docs/PATCHES.md: -------------------------------------------------------------------------------- 1 | # Applied Patches 2 | 3 | The following patches from https://github.com/vanhauser-thc/afl-patches 4 | have been installed or not installed: 5 | 6 | 7 | ## INSTALLED 8 | ``` 9 | afl-llvm-fix.diff by kcwu(at)csie(dot)org 10 | afl-sort-all_uniq-fix.diff by legarrec(dot)vincent(at)gmail(dot)com 11 | laf-intel.diff by heiko(dot)eissfeldt(at)hexco(dot)de 12 | afl-llvm-optimize.diff by mh(at)mh-sec(dot)de 13 | afl-fuzz-tmpdir.diff by mh(at)mh-sec(dot)de 14 | afl-fuzz-79x24.diff by heiko(dot)eissfeldt(at)hexco(dot)de 15 | afl-fuzz-fileextensionopt.diff tbd 16 | afl-as-AFL_INST_RATIO.diff by legarrec(dot)vincent(at)gmail(dot)com 17 | afl-qemu-ppc64.diff by william(dot)barsse(at)airbus(dot)com 18 | afl-qemu-optimize-entrypoint.diff by mh(at)mh-sec(dot)de 19 | afl-qemu-speed.diff by abiondo on github 20 | afl-qemu-optimize-map.diff by mh(at)mh-sec(dot)de 21 | ``` 22 | 23 | + llvm_mode ngram prev_loc coverage (github.com/adrianherrera/afl-ngram-pass) 24 | + Custom mutator (native library) (by kyakdan) 25 | + unicorn_mode (modernized and updated by domenukk) 26 | + instrim (https://github.com/csienslab/instrim) was integrated 27 | + MOpt (github.com/puppet-meteor/MOpt-AFL) was imported 28 | + AFLfast additions (github.com/mboehme/aflfast) were incorporated. 
29 | + Qemu 3.1 upgrade with enhancement patches (github.com/andreafioraldi/afl) 30 | + Python mutator modules support (github.com/choller/afl) 31 | + Instrument file list in LLVM mode (github.com/choller/afl) 32 | + forkserver patch for afl-tmin (github.com/nccgroup/TriforceAFL) 33 | 34 | 35 | ## NOT INSTALLED 36 | 37 | ``` 38 | afl-fuzz-context_sensitive.diff - changes too much of the behaviour 39 | afl-tmpfs.diff - same as afl-fuzz-tmpdir.diff but more complex 40 | afl-cmin-reduce-dataset.diff - unsure of the impact 41 | afl-llvm-fix2.diff - not needed with the other patches 42 | ``` 43 | 44 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | ../README.md -------------------------------------------------------------------------------- /docs/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/screenshot.png -------------------------------------------------------------------------------- /docs/visualization/afl_gzip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/visualization/afl_gzip.png -------------------------------------------------------------------------------- /docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- /docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } <<a; } -------------------------------------------------------------------------------- 
/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-bad-read.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/ffmpeg-h264-bad-read.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/file-fpu-exception.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/file-fpu-exception.elf -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-bmp-leak.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/firefox-bmp-leak.bmp -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-chrome-leak.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/firefox-chrome-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-gif-leak.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/firefox-gif-leak.gif -------------------------------------------------------------------------------- /docs/vuln_samples/firefox-gif-leak2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/firefox-gif-leak2.gif -------------------------------------------------------------------------------- /docs/vuln_samples/jxrlib-crash.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/jxrlib-crash.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/jxrlib-crash2.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/jxrlib-crash2.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/jxrlib-crash3.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/jxrlib-crash3.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/jxrlib-crash4.jxr: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/jxrlib-crash4.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/lesspipe-cpio-bad-write.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/lesspipe-cpio-bad-write.cpio -------------------------------------------------------------------------------- /docs/vuln_samples/libjpeg-sos-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libjpeg-sos-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/libjpeg-turbo-dht-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-bad-write.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libtiff-bad-write.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libtiff-uninit-mem.tif 
-------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem2.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libtiff-uninit-mem2.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem3.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libtiff-uninit-mem3.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libtiff-uninit-mem4.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/libtiff-uninit-mem4.tif -------------------------------------------------------------------------------- /docs/vuln_samples/libxml2-bad-read.xml: -------------------------------------------------------------------------------- 1 | <!DOCTYPEd[<!ENTITY 2 | S ""><!ENTITY % 3 | N "<!ELEMENT<![INCLUDE0"<!ENTITYL%N; -------------------------------------------------------------------------------- /docs/vuln_samples/msie-dht-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/msie-dht-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/msie-jxr-mem-leak.jxr: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/msie-jxr-mem-leak.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/msie-png-mem-leak.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/msie-png-mem-leak.png -------------------------------------------------------------------------------- /docs/vuln_samples/msie-tiff-mem-leak.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/msie-tiff-mem-leak.tif -------------------------------------------------------------------------------- /docs/vuln_samples/msie-zlib-dos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/msie-zlib-dos.png -------------------------------------------------------------------------------- /docs/vuln_samples/openssl-null-ptr.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/openssl-null-ptr.der -------------------------------------------------------------------------------- /docs/vuln_samples/openssl-null-ptr2.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/openssl-null-ptr2.der -------------------------------------------------------------------------------- 
/docs/vuln_samples/photoshop-mem-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/photoshop-mem-leak.jpg -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-free.sql: -------------------------------------------------------------------------------- 1 | create table t0(o CHar(0)CHECK(0&O>O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr.sql: -------------------------------------------------------------------------------- 1 | SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE""""""""; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='0�0000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-heap-overflow.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | 
-------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr1.sql: -------------------------------------------------------------------------------- 1 | create table t0(t);insert into t0 2 | select strftime(); 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr10.sql: -------------------------------------------------------------------------------- 1 | SELECT fts3_tokenizer(@0()); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr11.sql: -------------------------------------------------------------------------------- 1 | select''like''like''like#0; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr12.sql: -------------------------------------------------------------------------------- 1 | PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr13.sql: -------------------------------------------------------------------------------- 1 | WITH x 
AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr2.sql: -------------------------------------------------------------------------------- 1 | DETACH(select group_concat(q)); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr3.sql: -------------------------------------------------------------------------------- 1 | select(select strftime()); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr5.sql: -------------------------------------------------------------------------------- 1 | select e.*,0 from(s,(L))e; 2 | -------------------------------------------------------------------------------- 
/docs/vuln_samples/sqlite-null-ptr6.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/sqlite-null-ptr6.sql -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr7.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t USING fts4(tokenize=); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr8.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr9.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-oob-read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/sqlite-oob-read.sql -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- 
/docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-stack-exhaustion.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(content=t0); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-unint-mem.sql: -------------------------------------------------------------------------------- 1 | REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/strings-bfd-badptr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/strings-bfd-badptr.elf -------------------------------------------------------------------------------- /docs/vuln_samples/strings-bfd-badptr2.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/strings-bfd-badptr2.elf 
-------------------------------------------------------------------------------- /docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/strings-stack-overflow -------------------------------------------------------------------------------- /docs/vuln_samples/strings-unchecked-ctr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/strings-unchecked-ctr.elf -------------------------------------------------------------------------------- /docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/tcpdump-arp-crash.pcap -------------------------------------------------------------------------------- /docs/vuln_samples/tcpdump-ppp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/tcpdump-ppp-crash.pcap -------------------------------------------------------------------------------- /docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/docs/vuln_samples/unzip-t-mem-corruption.zip -------------------------------------------------------------------------------- /dynamic_list.txt: -------------------------------------------------------------------------------- 1 | { 2 | "__afl_area_ptr"; 3 | "__afl_manual_init"; 4 | "__afl_persistent_loop"; 5 | "__afl_auto_init"; 6 | "__afl_area_initial"; 7 | "__afl_prev_loc"; 8 | "__sanitizer_cov_trace_pc_guard"; 9 | "__sanitizer_cov_trace_pc_guard_init"; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/afl_frida/GNUmakefile: -------------------------------------------------------------------------------- 1 | ifdef DEBUG 2 | OPT=-O0 -D_DEBUG=\"1\" 3 | else 4 | OPT=-O3 -funroll-loops 5 | endif 6 | 7 | all: afl-frida libtestinstr.so 8 | 9 | libfrida-gum.a: 10 | @echo Download and extract frida-gum-devkit-VERSION-PLATFORM.tar.xz for your platform from https://github.com/frida/frida/releases/latest 11 | @exit 1 12 | 13 | afl-frida: afl-frida.c libfrida-gum.a 14 | $(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread 15 | 16 | libtestinstr.so: libtestinstr.c 17 | $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c 18 | 19 | clean: 20 | rm -f afl-frida *~ core *.o libtestinstr.so 21 | 22 | deepclean: clean 23 | rm -f libfrida-gum.a frida-gum* 24 | -------------------------------------------------------------------------------- /examples/afl_frida/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo please use GNU make, thanks! 
3 | -------------------------------------------------------------------------------- /examples/afl_frida/README.md: -------------------------------------------------------------------------------- 1 | # afl-frida - faster fuzzing of binary-only libraries 2 | 3 | ## Introduction 4 | 5 | afl-frida is an example skeleton file which can easily be used to fuzz 6 | a closed-source library. 7 | 8 | It requires less memory and is x5-10 faster than qemu_mode but does not 9 | provide interesting features like compcov or cmplog. 10 | 11 | ## How-to 12 | 13 | ### Modify afl-frida.c 14 | 15 | Read and modify afl-frida.c, then `make`. 16 | To adapt afl-frida.c to your needs, read the header of the file and then 17 | search for and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. 18 | 19 | ### Fuzzing 20 | 21 | Example (after modifying afl-frida.c to your needs and compiling it): 22 | ``` 23 | LD_LIBRARY_PATH=/path/to/the/target/library afl-fuzz -i in -o out -- ./afl-frida 24 | ``` 25 | (or even remotely via afl-network-proxy). 26 | 27 | # Speed and stability 28 | 29 | The speed is very good, about x12 of fork() qemu_mode. 30 | However, the stability is low. The reason is currently unknown. 
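31 | 32 | # Background 33 | 34 | This code is copied for a larger part from https://github.com/meme/hotwax 35 | -------------------------------------------------------------------------------- /examples/afl_frida/afl-frida.h: --------------------------------------------------------------------------------
/* Include guard. It was previously placed in the middle of the header (after
   the Gum declarations); moving it to the top is the conventional position and
   avoids any toolchain that only honours it as the first directive. */
#pragma once

extern int is_persistent;

G_BEGIN_DECLS

#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type())

G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM,
                     FAKE_EVENT_SINK, GObject)

/* GObject-based event sink holding only an event mask; the implementation
   lives in afl-frida.c (not visible here). */
struct _GumFakeEventSink {

  GObject      parent;
  GumEventType mask;

};

GumEventSink *gum_fake_event_sink_new(void);
void          gum_fake_event_sink_reset(GumFakeEventSink *self);

G_END_DECLS

/* A code range: a module base address plus a code_start/code_end pair.
   NOTE(review): presumably the window instr_basic_block() restricts
   instrumentation to - confirm against afl-frida.c. */
typedef struct {

  GumAddress base_address;
  guint64    code_start, code_end;

} range_t;

void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output,
                       gpointer user_data);

void afl_setup(void);
void afl_start_forkserver(void);
int  __afl_persistent_loop(unsigned int max_cnt);

/* Coverage callback invoked per basic block with the block's address.
   Hashes current_pc into a MAP_SIZE-sized index, skips it when it is at or
   above afl_instr_rms (presumably the instrumentation-ratio threshold), and
   bumps the AFL edge counter for (current, previous) in afl_area_ptr.
   Declared `static inline` once: the original `inline static inline` carried a
   duplicate `inline` specifier, which compilers reject or warn about. */
static inline void afl_maybe_log(guint64 current_pc) {

  extern unsigned int afl_instr_rms;
  extern uint8_t *    afl_area_ptr;

  /* Per-thread previous location, as in AFL's classic edge encoding. */
  static __thread guint64 previous_pc;

  /* Mix the PC bits, then mask down to a map index. */
  current_pc = (current_pc >> 4) ^ (current_pc << 8);
  current_pc &= MAP_SIZE - 1;

  if (current_pc >= afl_instr_rms) return;

  /* Both operands are < MAP_SIZE after the mask and the >> 1 below, so the
     XOR stays inside the map. */
  afl_area_ptr[current_pc ^ previous_pc]++;
  previous_pc = current_pc >> 1;

}

-------------------------------------------------------------------------------- /examples/afl_frida/libtestinstr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - a trivial program to test the build 3 | -------------------------------------------------------- 4 | Originally written by Michal Zalewski 5 | Copyright 2014 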
Google Inc. All rights reserved. 6 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at: 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | #include <unistd.h> 16 | #include <string.h> 17 | #include <sys/types.h> 18 | #include <sys/stat.h> 19 | #include <fcntl.h> 20 | 21 | void testinstr(char *buf, int len) { 22 | 23 | if (len < 1) return; 24 | buf[len] = 0; 25 | 26 | // we support three input cases 27 | if (buf[0] == '0') 28 | printf("Looks like a zero to me!\n"); 29 | else if (buf[0] == '1') 30 | printf("Pretty sure that is a one!\n"); 31 | else 32 | printf("Neither one or zero? How quaint!\n"); 33 | 34 | } 35 | 36 | -------------------------------------------------------------------------------- /examples/afl_network_proxy/GNUmakefile: -------------------------------------------------------------------------------- 1 | PREFIX ?= /usr/local 2 | BIN_PATH = $(PREFIX)/bin 3 | DOC_PATH = $(PREFIX)/share/doc/afl 4 | 5 | PROGRAMS = afl-network-client afl-network-server 6 | 7 | HASH=\# 8 | 9 | CFLAGS += -Wno-pointer-sign 10 | 11 | ifdef STATIC 12 | CFLAGS += -static 13 | endif 14 | 15 | ifeq "$(shell echo '$(HASH)include <libdeflate.h>@int main() { struct libdeflate_compressor *d = libdeflate_alloc_compressor(1); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 -ldeflate 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" 16 | CFLAGS += -DUSE_DEFLATE=1 17 | LDFLAGS += -ldeflate 18 | $(info libdeflate-dev was detected, using compression) 19 | else 20 | $(warn did not find libdeflate-dev, cannot use compression) 21 | endif 22 | 23 | all: $(PROGRAMS) 24 | 25 | help: 26 | @echo make options: 27 | @echo STATIC - build as static binaries 28 | @echo COMPRESS_TESTCASES - compress test cases 29 | 30 | 
afl-network-client: afl-network-client.c 31 | $(CC) $(CFLAGS) -I../../include -o afl-network-client afl-network-client.c $(LDFLAGS) 32 | 33 | afl-network-server: afl-network-server.c 34 | $(CC) $(CFLAGS) -I../../include -o afl-network-server afl-network-server.c ../../src/afl-forkserver.c ../../src/afl-sharedmem.c ../../src/afl-common.c -DBIN_PATH=\"$(BIN_PATH)\" $(LDFLAGS) 35 | 36 | clean: 37 | rm -f $(PROGRAMS) *~ core 38 | 39 | install: all 40 | install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(DOC_PATH) 41 | install -m 755 $(PROGRAMS) $${DESTDIR}$(BIN_PATH) 42 | install -T -m 644 README.md $${DESTDIR}$(DOC_PATH)/README.network_proxy.md 43 | 44 | -------------------------------------------------------------------------------- /examples/afl_network_proxy/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo please use GNU make, thanks! 3 | -------------------------------------------------------------------------------- /examples/afl_proxy/Makefile: -------------------------------------------------------------------------------- 1 | all: afl-proxy 2 | 3 | afl-proxy: afl-proxy.c 4 | $(CC) -I../../include -o afl-proxy afl-proxy.c 5 | 6 | clean: 7 | rm -f afl-proxy *~ core 8 | -------------------------------------------------------------------------------- /examples/afl_proxy/README.md: -------------------------------------------------------------------------------- 1 | # afl-proxy 2 | 3 | afl-proxy is an example skeleton file which can easily be used to fuzz 4 | and instrument non-standard things. 
5 | 6 | You only need to change the while() loop of the main() to send the 7 | data of buf[] with length len to the target and write the coverage 8 | information to __afl_area_ptr[__afl_map_size] 9 | 10 | -------------------------------------------------------------------------------- /examples/afl_untracer/Makefile: -------------------------------------------------------------------------------- 1 | ifdef DEBUG 2 | OPT=-O0 3 | else 4 | OPT=-O3 5 | endif 6 | 7 | all: afl-untracer libtestinstr.so 8 | 9 | afl-untracer: afl-untracer.c 10 | $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl 11 | 12 | libtestinstr.so: libtestinstr.c 13 | $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c 14 | 15 | clean: 16 | rm -f afl-untracer libtestinstr.so *~ core 17 | -------------------------------------------------------------------------------- /examples/afl_untracer/TODO: -------------------------------------------------------------------------------- 1 | * add shmem fuzzing 2 | * add snapshot feature? 
3 | -------------------------------------------------------------------------------- /examples/afl_untracer/ida_get_patchpoints.py: -------------------------------------------------------------------------------- 1 | # 2 | # IDAPython script for IDA Pro 3 | # Slightly modified from https://github.com/googleprojectzero/p0tools/blob/master/TrapFuzz/findPatchPoints.py 4 | # 5 | 6 | import idautils 7 | import idaapi 8 | import ida_nalt 9 | import idc 10 | 11 | # See https://www.hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml 12 | 13 | from os.path import expanduser 14 | home = expanduser("~") 15 | 16 | patchpoints = set() 17 | 18 | max_offset = 0 19 | for seg_ea in idautils.Segments(): 20 | name = idc.get_segm_name(seg_ea) 21 | #print("Segment: " + name) 22 | if name != "__text" and name != ".text": 23 | continue 24 | 25 | start = idc.get_segm_start(seg_ea) 26 | end = idc.get_segm_end(seg_ea) 27 | first = 0 28 | subtract_addr = 0 29 | #print("Start: " + hex(start) + " End: " + hex(end)) 30 | for func_ea in idautils.Functions(start, end): 31 | f = idaapi.get_func(func_ea) 32 | if not f: 33 | continue 34 | for block in idaapi.FlowChart(f): 35 | if start <= block.start_ea < end: 36 | if first == 0: 37 | if block.start_ea >= 0x1000: 38 | subtract_addr = 0x1000 39 | first = 1 40 | 41 | max_offset = max(max_offset, block.start_ea) 42 | patchpoints.add(block.start_ea - subtract_addr) 43 | #else: 44 | # print("Warning: broken CFG?") 45 | 46 | # Round up max_offset to page size 47 | size = max_offset 48 | rem = size % 0x1000 49 | if rem != 0: 50 | size += 0x1000 - rem 51 | 52 | print("Writing to " + home + "/Desktop/patches.txt") 53 | 54 | with open(home + "/Desktop/patches.txt", "w") as f: 55 | f.write(ida_nalt.get_root_filename() + ':' + hex(size) + '\n') 56 | f.write('\n'.join(map(hex, sorted(patchpoints)))) 57 | f.write('\n') 58 | 59 | print("Done, found {} patchpoints".format(len(patchpoints))) 60 | 61 | # For headless script running remove 
the comment from the next line 62 | #ida_pro.qexit() 63 | -------------------------------------------------------------------------------- /examples/afl_untracer/libtestinstr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - a trivial program to test the build 3 | -------------------------------------------------------- 4 | Originally written by Michal Zalewski 5 | Copyright 2014 Google Inc. All rights reserved. 6 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at: 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | #include <unistd.h> 16 | #include <string.h> 17 | #include <sys/types.h> 18 | #include <sys/stat.h> 19 | #include <fcntl.h> 20 | 21 | void testinstr(char *buf, int len) { 22 | 23 | if (len < 1) return; 24 | buf[len] = 0; 25 | 26 | // we support three input cases 27 | if (buf[0] == '0') 28 | printf("Looks like a zero to me!\n"); 29 | else if (buf[0] == '1') 30 | printf("Pretty sure that is a one!\n"); 31 | else 32 | printf("Neither one or zero? 
How quaint!\n"); 33 | 34 | } 35 | 36 | -------------------------------------------------------------------------------- /examples/afl_untracer/patches.txt: -------------------------------------------------------------------------------- 1 | libtestinstr.so:0x1000 2 | 0x10 3 | 0x12 4 | 0x20 5 | 0x36 6 | 0x30 7 | 0x40 8 | 0x50 9 | 0x63 10 | 0x6f 11 | 0x78 12 | 0x80 13 | 0xa4 14 | 0xb0 15 | 0xb8 16 | 0x100 17 | 0xc0 18 | 0xc9 19 | 0xd7 20 | 0xe3 21 | 0xe8 22 | 0xf8 23 | 0x105 24 | 0x11a 25 | 0x135 26 | 0x141 27 | 0x143 28 | 0x14e 29 | 0x15a 30 | 0x15c 31 | 0x168 32 | 0x16a 33 | 0x16b 34 | 0x170 35 | -------------------------------------------------------------------------------- /examples/aflpp_driver/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake all || echo please install GNUmake 3 | -------------------------------------------------------------------------------- /examples/aflpp_driver/aflpp_driver_test.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <stdint.h> 4 | 5 | #include "hash.h" 6 | 7 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { 8 | 9 | if (Size < 5) return; 10 | 11 | if (Data[0] == 'F') 12 | if (Data[1] == 'A') 13 | if (Data[2] == '$') 14 | if (Data[3] == '$') 15 | if (Data[4] == '$') abort(); 16 | 17 | } 18 | 19 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 20 | 21 | if (Size) 22 | fprintf(stderr, "FUNC crc: %016llx len: %lu\n", 23 | hash64((u8 *)Data, (unsigned int)Size, 24 | (unsigned long long int)0xa5b35705), 25 | Size); 26 | 27 | crashme(Data, Size); 28 | 29 | return 0; 30 | 31 | } 32 | 33 | -------------------------------------------------------------------------------- /examples/aflpp_driver/aflpp_qemu_driver.c: -------------------------------------------------------------------------------- 1 | #include <stdint.h> 2 | #include <stdlib.h> 3 | 
#include <unistd.h> 4 | 5 | // libFuzzer interface is thin, so we don't include any libFuzzer headers. 6 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); 7 | __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); 8 | 9 | static const size_t kMaxAflInputSize = 1 * 1024 * 1024; 10 | static uint8_t AflInputBuf[kMaxAflInputSize]; 11 | 12 | void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) { 13 | 14 | size_t l = read(0, AflInputBuf, kMaxAflInputSize); 15 | LLVMFuzzerTestOneInput(AflInputBuf, l); 16 | 17 | } 18 | 19 | int main(int argc, char **argv) { 20 | 21 | if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); 22 | // Do any other expensive one-time initialization here. 23 | 24 | if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) { 25 | 26 | afl_qemu_driver_stdin_input(); 27 | 28 | } else { 29 | 30 | uint8_t dummy_input[1024000] = {0}; 31 | LLVMFuzzerTestOneInput(dummy_input, 1); 32 | 33 | } 34 | 35 | return 0; 36 | 37 | } 38 | 39 | -------------------------------------------------------------------------------- /examples/aflpp_driver/aflpp_qemu_driver_hook.c: -------------------------------------------------------------------------------- 1 | #include <stdint.h> 2 | #include <string.h> 3 | 4 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) 5 | 6 | #define REGS_RDI 7 7 | #define REGS_RSI 6 8 | 9 | void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, 10 | uint8_t *input_buf, uint32_t input_len) { 11 | 12 | memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); 13 | regs[REGS_RSI] = input_len; 14 | 15 | } 16 | 17 | int afl_persistent_hook_init(void) { 18 | 19 | return 1; 20 | 21 | } 22 | 23 | -------------------------------------------------------------------------------- /examples/argv_fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # argvfuzz 2 | 3 | afl supports fuzzing file inputs or stdin. 
When source is available, 4 | `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. 5 | 6 | `argvfuzz` tries to provide the same functionality for binaries. When loaded 7 | using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace 8 | argv using the same logic of `argv-fuzz-inl.h`. 9 | 10 | A few conditions need to be fulfilled for this mechanism to work correctly: 11 | 12 | 1. As it relies on hooking the loader, it cannot work on static binaries. 13 | 2. If the target binary does not use the default libc's `_start` implementation 14 | (crt1.o), the hook may not run. 15 | 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the 16 | target binary expects argv to be living on the stack, things may go wrong. 17 | -------------------------------------------------------------------------------- /examples/argv_fuzzing/argvfuzz.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - LD_PRELOAD for fuzzing argv in binaries 3 | ------------------------------------------------------------ 4 | 5 | Copyright 2019-2020 Kjell Braden <afflux@pentabarf.de> 6 | 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 
9 | You may obtain a copy of the License at: 10 | 11 | http://www.apache.org/licenses/LICENSE-2.0 12 | 13 | */ 14 | 15 | #define _GNU_SOURCE /* for RTLD_NEXT */ 16 | #include <dlfcn.h> 17 | #include <stdlib.h> 18 | #include <stdio.h> 19 | #include <unistd.h> 20 | #include "argv-fuzz-inl.h" 21 | 22 | int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv, 23 | void (*init)(void), void (*fini)(void), 24 | void (*rtld_fini)(void), void *stack_end) { 25 | 26 | int (*orig)(int (*main)(int, char **, char **), int argc, char **argv, 27 | void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), 28 | void *stack_end); 29 | int sub_argc; 30 | char **sub_argv; 31 | 32 | (void)argc; 33 | (void)argv; 34 | 35 | orig = dlsym(RTLD_NEXT, __func__); 36 | 37 | if (!orig) { 38 | 39 | fprintf(stderr, "hook did not find original %s: %s\n", __func__, dlerror()); 40 | exit(EXIT_FAILURE); 41 | 42 | } 43 | 44 | sub_argv = afl_init_argv(&sub_argc); 45 | 46 | return orig(main, sub_argc, sub_argv, init, fini, rtld_fini, stack_end); 47 | 48 | } 49 | 50 | -------------------------------------------------------------------------------- /examples/custom_mutators/Makefile: -------------------------------------------------------------------------------- 1 | all: libexamplemutator.so 2 | 3 | libexamplemutator.so: 4 | $(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so 5 | 6 | clean: 7 | rm -rf libexamplemutator.so 8 | -------------------------------------------------------------------------------- /examples/custom_mutators/README.md: -------------------------------------------------------------------------------- 1 | # Examples for the custom mutator 2 | 3 | These are example and helper files for the custom mutator feature. 
4 | See [docs/custom_mutators.md](../docs/custom_mutators.md) for more information 5 | 6 | Note that if you compile with python3.7 you must use python3 scripts, and if 7 | you compile with python2.7, python2 scripts! 8 | 9 | simple_example.c - the simplest example: generates a randomly sized buffer 10 | filled with 'A' 11 | 12 | example.c - this is a simple example written in C and should be compiled to a 13 | shared library. Use make to compile it and produce libexamplemutator.so 14 | 15 | example.py - this is the template you can use; the functions are there but they 16 | are empty 17 | 18 | post_library_gif.so.c - fix a fuzz input to ensure it is valid for GIF 19 | 20 | post_library_png.so.c - fix a fuzz input to ensure it is valid for PNG 21 | 22 | simple-chunk-replace.py - this is a simple example where chunks are replaced 23 | 24 | common.py - this can be used for common functions and helpers. 25 | The examples do not use this, though. But you can :) 26 | 27 | wrapper_afl_min.py - mutation of XML documents, loads XmlMutatorMin.py 28 | 29 | XmlMutatorMin.py - module for XML mutation 30 | 31 | custom_mutator_helpers.h is a header that defines some helper routines, 32 | like surgical_havoc_mutate(), that allow you to perform a randomly chosen 33 | mutation from a subset of the havoc mutations. 34 | If you use it, you have to specify -I /path/to/AFLplusplus/include when 35 | compiling. 36 | -------------------------------------------------------------------------------- /examples/custom_mutators/common.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | ''' 4 | Module containing functions shared between multiple AFL modules 5 | 6 | @author: Christian Holler (:decoder) 7 | 8 | @license: 9 | 10 | This Source Code Form is subject to the terms of the Mozilla Public 11 | License, v. 2.0. 
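If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

@contact: choller@mozilla.com
'''

from __future__ import print_function
import random
import os
import re


def randel(l):
    '''
    Return a uniformly random element of the sequence l, or None if l is empty.
    '''
    if not l:
        return None
    return l[random.randint(0, len(l) - 1)]


def randel_pop(l):
    '''
    Remove and return a uniformly random element of the list l, or None if l
    is empty. Mutates l in place.
    '''
    if not l:
        return None
    return l.pop(random.randint(0, len(l) - 1))


def write_exc_example(data, exc):
    '''
    Persist the input that triggered the exception exc to a file named after
    the exception. The name is repr(exc) with every non-alphanumeric character
    replaced by '_', so it can never contain a path separator. An existing
    file of that name is left untouched: only the first example per distinct
    exception is kept.
    '''
    exc_name = re.sub(r'[^a-zA-Z0-9]', '_', repr(exc))

    if not os.path.exists(exc_name):
        with open(exc_name, 'w') as f:
            f.write(data)
-------------------------------------------------------------------------------- /examples/custom_mutators/simple-chunk-replace.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
'''
Simple Chunk Cross-Over Replacement Module for AFLFuzz

@author: Christian Holler (:decoder)

@license:

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

@contact: choller@mozilla.com
'''

import random


def init(seed):
    '''
    Called once when AFLFuzz starts up. Used to seed our RNG.

    @type seed: int
    @param seed: A 32-bit random value
    '''
    # Seed our RNG
    random.seed(seed)


def fuzz(buf, add_buf, max_size):
    '''
    Called per fuzzing iteration.

    @type buf: bytearray
    @param buf: The buffer that should be mutated.

    @type add_buf: bytearray
    @param add_buf: A second buffer that can be used as mutation source.
                    May be empty, in which case a copy of buf is returned.

    @type max_size: int
    @param max_size: Maximum size of the mutated output. The mutation must not
                     produce data larger than max_size.

    @rtype: bytearray
    @return: A new bytearray containing the mutated data
    '''
    # Make a copy of our input buffer for returning
    ret = bytearray(buf)

    # Nothing to splice in. The original fell through to
    # random.randint(1, 0) here and raised ValueError.
    if not add_buf:
        del ret[max_size:]
        return ret

    # Take a random fragment length between 1 and 32 (or less if add_buf is shorter)
    fragment_len = random.randint(1, min(len(add_buf), 32))

    # Determine a random source index where to take the data chunk from
    rand_src_idx = random.randint(0, len(add_buf) - fragment_len)

    # Determine a random destination index where to put the data chunk
    rand_dst_idx = random.randint(0, len(buf))

    # Make the chunk replacement
    ret[rand_dst_idx:rand_dst_idx + fragment_len] = add_buf[rand_src_idx:rand_src_idx + fragment_len]

    # Honour the max_size contract: the slice assignment above can grow ret
    # beyond len(buf) when the destination runs off the end of the buffer.
    del ret[max_size:]

    # Return data
    return ret
-------------------------------------------------------------------------------- /examples/custom_mutators/simple_example.c: --------------------------------------------------------------------------------
// This simple example just creates random buffer <= 100 filled with 'A'
// needs -I /path/to/AFLplusplus/include
#include "custom_mutator_helpers.h"

#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// Fill byte for the generated buffer ('A'). The original line read
// `#define 0x41` with no macro name, which does not preprocess.
#ifndef _FIXED_CHAR
#define _FIXED_CHAR 0x41
#endif

typedef struct my_mutator {

  afl_t *afl;

  // Reused buffers:
  BUF_VAR(u8, fuzz);

} my_mutator_t;

/* Called once by afl-fuzz: seeds rand() and allocates the mutator state.
   Returns NULL (after perror) when the allocation fails. */
my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {

  srand(seed);
  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
  if (!data) {

    perror("afl_custom_init alloc");
    return NULL;

  }

  data->afl = afl;

  return data;

}

size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
                       u8 **out_buf, uint8_t *add_buf,
                       size_t add_buf_size,  // add_buf can be NULL
                       size_t 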
max_size) { 44 | 45 | int size = (rand() % 100) + 1; 46 | if (size > max_size) size = max_size; 47 | u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), size); 48 | if (!mutated_out) { 49 | 50 | *out_buf = NULL; 51 | perror("custom mutator allocation (maybe_grow)"); 52 | return 0; /* afl-fuzz will very likely error out after this. */ 53 | 54 | } 55 | 56 | memset(mutated_out, _FIXED_CHAR, size); 57 | 58 | *out_buf = mutated_out; 59 | return size; 60 | 61 | } 62 | 63 | /** 64 | * Deinitialize everything 65 | * 66 | * @param data The data ptr from afl_custom_init 67 | */ 68 | void afl_custom_deinit(my_mutator_t *data) { 69 | 70 | free(data->fuzz_buf); 71 | free(data); 72 | 73 | } 74 | 75 | -------------------------------------------------------------------------------- /examples/defork/README.md: -------------------------------------------------------------------------------- 1 | # defork 2 | 3 | when the target forks, this breaks all normal fuzzing runs. 4 | Sometimes, though, it is enough to just run the child process. 5 | If this is the case, then this LD_PRELOAD library will always return 0 on fork, 6 | the target will belive it is running as the child, post-fork. 7 | 8 | This is defork.c from the amazing preeny project 9 | https://github.com/zardus/preeny 10 | 11 | It is altered for afl++ to work with its fork-server: the initial fork will go through, the second fork will be blocked. 12 | -------------------------------------------------------------------------------- /examples/defork/defork.c: -------------------------------------------------------------------------------- 1 | #define __GNU_SOURCE 2 | #include <dlfcn.h> 3 | #include <unistd.h> 4 | #include <stdio.h> 5 | #include <stdbool.h> 6 | 7 | #include "../../include/config.h" 8 | 9 | /* we want to fork once (for the afl++ forkserver), 10 | then immediately return as child on subsequent forks. 
*/ 11 | static bool forked = 0; 12 | 13 | pid_t (*original_fork)(void); 14 | 15 | /* In case we are not running in afl, we use a dummy original_fork */ 16 | static pid_t nop(void) { 17 | 18 | return 0; 19 | 20 | } 21 | 22 | __attribute__((constructor)) void preeny_fork_orig() { 23 | 24 | if (getenv(SHM_ENV_VAR)) { 25 | 26 | printf("defork: running in AFL++. Allowing forkserver.\n"); 27 | original_fork = dlsym(RTLD_NEXT, "socket"); 28 | 29 | } else { 30 | 31 | printf("defork: no AFL++ detected. Disabling fork from the start.\n"); 32 | original_fork = &nop; 33 | 34 | } 35 | 36 | } 37 | 38 | pid_t fork(void) { 39 | 40 | /* If we forked before, or if we're in the child (pid==0), 41 | we don't want to fork anymore, else, we are still in the forkserver. 42 | The forkserver parent needs to fork infinite times, each child should never 43 | fork again. This can be written without branches and I hate myself for it. 44 | */ 45 | pid_t ret = !forked && original_fork(); 46 | forked = !ret; 47 | return ret; 48 | 49 | } 50 | 51 | -------------------------------------------------------------------------------- /examples/defork/forking_target.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <unistd.h> 3 | #include <stdint.h> 4 | #include <sys/types.h> 5 | 6 | /* This is an example target for defork.c - fuzz using 7 | ``` 8 | mkdir in; echo a > ./in/a 9 | AFL_PRELOAD=./defork64.so ../../afl-fuzz -i in -o out -- ./forking_target @@ 10 | ``` 11 | */ 12 | 13 | int main(int argc, char **argv) { 14 | 15 | if (argc < 2) { 16 | 17 | printf("Example tool to test defork.\nUsage ./forking_target <input>\n"); 18 | return -1; 19 | 20 | } 21 | 22 | pid_t pid = fork(); 23 | if (pid == 0) { 24 | 25 | printf("We're in the child.\n"); 26 | FILE *f = fopen(argv[1], "r"); 27 | char buf[4096]; 28 | fread(buf, 1, 4096, f); 29 | uint32_t offset = buf[100] + (buf[101] << 8); 30 | char test_val = buf[offset]; 31 | return test_val < 100; 
32 | 33 | } else if (pid < 0) { 34 | 35 | perror("fork"); 36 | return -1; 37 | 38 | } else { 39 | 40 | printf("We are in the parent - defork didn't work! :( (pid=%d)\n", 41 | (int)pid); 42 | 43 | } 44 | 45 | return 0; 46 | 47 | } 48 | 49 | -------------------------------------------------------------------------------- /examples/libpng_no_checksum/libpng-nocrc.patch: -------------------------------------------------------------------------------- 1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200 2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200 3 | 
@@ -268,7 +268,11 @@ 4 | if (need_crc != 0) 5 | { 6 | crc = png_get_uint_32(crc_bytes); 7 | - return ((int)(crc != png_ptr->crc)); 8 | + 9 | + if (crc != png_ptr->crc) 10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc); 11 | + 12 | + return ((int)(1 != 1)); 13 | } 14 | 15 | else 16 | -------------------------------------------------------------------------------- /examples/persistent_demo/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | afl-clang-fast -o persistent_demo persistent_demo.c 3 | afl-clang-fast -o persistent_demo_new persistent_demo_new.c 4 | AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c 5 | 6 | document: 7 | AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c 8 | 9 | clean: 10 | rm -f persistent_demo persistent_demo_new test-instr 11 | -------------------------------------------------------------------------------- /examples/persistent_demo/test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - a trivial program to test the build 3 | -------------------------------------------------------- 4 | Originally written by Michal Zalewski 5 | Copyright 2014 Google Inc. All rights reserved. 6 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 
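Review bot: `return ((int)(1 != 1));` is an obfuscated `return 0;` and should be written as such, with a comment making the intent explicit, e.g. `return 0; /* fuzzing build: CRC mismatches are reported above but never rejected */`. Since this removes the only integrity check on chunk data, the patched library is suitable only for the fuzzing target and must never be linked into a shipped binary; a one-line warning to that effect belongs at the top of the patch. The `fprintf` to stderr fires on every mismatching chunk, which is useful when reproducing a crash but presumably adds noise and cost during fuzzing — consider guarding it behind an environment variable. The enclosing function begins outside the hunk.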
9 | You may obtain a copy of the License at: 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | #include <unistd.h> 16 | #include <string.h> 17 | #include <sys/types.h> 18 | #include <sys/stat.h> 19 | #include <fcntl.h> 20 | 21 | __AFL_FUZZ_INIT(); 22 | 23 | int main(int argc, char **argv) { 24 | 25 | __AFL_INIT(); 26 | unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; 27 | 28 | while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability 29 | 30 | unsigned int len = __AFL_FUZZ_TESTCASE_LEN; 31 | 32 | #ifdef _AFL_DOCUMENT_MUTATIONS 33 | static unsigned int counter = 0; 34 | char fn[32]; 35 | sprintf(fn, "%09u:test-instr", counter); 36 | int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); 37 | if (fd_doc >= 0) { 38 | 39 | if (write(fd_doc, buf, len) != __afl_fuzz_len) { 40 | 41 | fprintf(stderr, "write of mutation file failed: %s\n", fn); 42 | unlink(fn); 43 | 44 | } 45 | 46 | close(fd_doc); 47 | 48 | } 49 | 50 | counter++; 51 | #endif 52 | 53 | // fprintf(stderr, "len: %u\n", len); 54 | 55 | if (!len) continue; 56 | 57 | if (buf[0] == '0') 58 | printf("Looks like a zero to me!\n"); 59 | else if (buf[0] == '1') 60 | printf("Pretty sure that is a one!\n"); 61 | else 62 | printf("Neither one or zero? 
How quaint!\n"); 63 | 64 | } 65 | 66 | return 0; 67 | 68 | } 69 | 70 | -------------------------------------------------------------------------------- /examples/qemu_persistent_hook/README.md: -------------------------------------------------------------------------------- 1 | # QEMU persistent hook example 2 | 3 | Compile the test binary and the library: 4 | 5 | ``` 6 | gcc -no-pie test.c -o test 7 | gcc -fPIC -shared read_into_rdi.c -o read_into_rdi.so 8 | ``` 9 | 10 | Fuzz with: 11 | 12 | ``` 13 | export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test | grep "T target_func" | awk '{print $1}') 14 | export AFL_QEMU_PERSISTENT_HOOK=./read_into_rdi.so 15 | 16 | mkdir in 17 | echo 0000 > in/in 18 | 19 | ../../afl-fuzz -Q -i in -o out -- ./test 20 | ``` 21 | -------------------------------------------------------------------------------- /examples/qemu_persistent_hook/read_into_rdi.c: -------------------------------------------------------------------------------- 1 | #include <stdint.h> 2 | #include <stdio.h> 3 | #include <unistd.h> 4 | #include <string.h> 5 | 6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) 7 | #define h2g(x) ((uint64_t)(x)-guest_base) 8 | 9 | enum { 10 | 11 | R_EAX = 0, 12 | R_ECX = 1, 13 | R_EDX = 2, 14 | R_EBX = 3, 15 | R_ESP = 4, 16 | R_EBP = 5, 17 | R_ESI = 6, 18 | R_EDI = 7, 19 | R_R8 = 8, 20 | R_R9 = 9, 21 | R_R10 = 10, 22 | R_R11 = 11, 23 | R_R12 = 12, 24 | R_R13 = 13, 25 | R_R14 = 14, 26 | R_R15 = 15, 27 | 28 | R_AL = 0, 29 | R_CL = 1, 30 | R_DL = 2, 31 | R_BL = 3, 32 | R_AH = 4, 33 | R_CH = 5, 34 | R_DH = 6, 35 | R_BH = 7, 36 | 37 | }; 38 | 39 | void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, 40 | uint8_t *input_buf, uint32_t input_len) { 41 | 42 | // In this example the register RDI is pointing to the memory location 43 | // of the target buffer, and the length of the input is in RSI. 44 | // This can be seen with a debugger, e.g. 
gdb (and "disass main") 45 | 46 | printf("placing input into %p\n", regs[R_EDI]); 47 | 48 | if (input_len > 1024) input_len = 1024; 49 | memcpy(g2h(regs[R_EDI]), input_buf, input_len); 50 | regs[R_ESI] = input_len; 51 | 52 | } 53 | 54 | int afl_persistent_hook_init(void) { 55 | 56 | // 1 for shared memory input (faster), 0 for normal input (you have to use 57 | // read(), input_buf will be NULL) 58 | return 1; 59 | 60 | } 61 | 62 | -------------------------------------------------------------------------------- /examples/qemu_persistent_hook/test.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int target_func(unsigned char *buf, int size) { 4 | 5 | printf("buffer:%p, size:%p\n", buf, size); 6 | switch (buf[0]) { 7 | 8 | case 1: 9 | if (buf[1] == '\x44') { puts("a"); } 10 | break; 11 | case 0xff: 12 | if (buf[2] == '\xff') { 13 | 14 | if (buf[1] == '\x44') { puts("b"); } 15 | 16 | } 17 | 18 | break; 19 | default: 20 | break; 21 | 22 | } 23 | 24 | return 1; 25 | 26 | } 27 | 28 | char data[1024]; 29 | 30 | int main() { 31 | 32 | target_func(data, 1024); 33 | 34 | } 35 | 36 | -------------------------------------------------------------------------------- /examples/socket_fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # socketfuzz 2 | 3 | when you want to fuzz a network service and you can not/do not want to modify 4 | the source (or just have a binary), then this LD_PRELOAD library will allow 5 | for sending input to stdin which the target binary will think is coming from 6 | a network socket. 
7 | 8 | This is desock_dup.c from the amazing preeny project 9 | https://github.com/zardus/preeny 10 | 11 | It is packaged in afl++ to have it at hand if needed 12 | -------------------------------------------------------------------------------- /include/cmplog.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - cmplog header 3 | ------------------------------------ 4 | 5 | Originally written by Michal Zalewski 6 | 7 | Forkserver design by Jann Horn <jannhorn@googlemail.com> 8 | 9 | Now maintained by Marc Heuse <mh@mh-sec.de>, 10 | Heiko Eißfeldt <heiko.eissfeldt@hexco.de>, 11 | Andrea Fioraldi <andreafioraldi@gmail.com>, 12 | Dominik Maier <mail@dmnk.co> 13 | 14 | Copyright 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | Shared code to handle the shared memory. This is used by the fuzzer 24 | as well the other components like afl-tmin, afl-showmap, etc... 
25 | 26 | */ 27 | 28 | #ifndef _AFL_CMPLOG_H 29 | #define _AFL_CMPLOG_H 30 | 31 | #include "config.h" 32 | #include "forkserver.h" 33 | 34 | #define CMP_MAP_W 65536 35 | #define CMP_MAP_H 256 36 | #define CMP_MAP_RTN_H (CMP_MAP_H / 4) 37 | 38 | #define SHAPE_BYTES(x) (x + 1) 39 | 40 | #define CMP_TYPE_INS 0 41 | #define CMP_TYPE_RTN 1 42 | 43 | struct cmp_header { 44 | 45 | unsigned hits : 20; 46 | 47 | unsigned cnt : 20; 48 | unsigned id : 16; 49 | 50 | unsigned shape : 5; // from 0 to 31 51 | unsigned type : 1; 52 | 53 | } __attribute__((packed)); 54 | 55 | struct cmp_operands { 56 | 57 | u64 v0; 58 | u64 v1; 59 | 60 | }; 61 | 62 | struct cmpfn_operands { 63 | 64 | u8 v0[32]; 65 | u8 v1[32]; 66 | 67 | }; 68 | 69 | typedef struct cmp_operands cmp_map_list[CMP_MAP_H]; 70 | 71 | struct cmp_map { 72 | 73 | struct cmp_header headers[CMP_MAP_W]; 74 | struct cmp_operands log[CMP_MAP_W][CMP_MAP_H]; 75 | 76 | }; 77 | 78 | /* Execs the child */ 79 | 80 | void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv); 81 | 82 | #endif 83 | 84 | -------------------------------------------------------------------------------- /include/hier.h: -------------------------------------------------------------------------------- 1 | 2 | #include "types.h" 3 | #include "config.h" 4 | #include "common.h" 5 | 6 | 7 | typedef struct hier_node{ 8 | 9 | u32 id; 10 | x_cov_t cov_level; 11 | 12 | double base_score; // rareness of the features covered by the node 13 | double fuzz_score; // fuzzzing reward, related to rareness of features covered by test cases/seeds that are generated from the node 14 | 15 | u64 n_fuzz; // times of be selected 16 | 17 | u64 n_seeds; // number of seeds 18 | 19 | u8 *exec_trace, *fuzz_trace; 20 | 21 | struct hier_node *parent; 22 | 23 | void *children; 24 | 25 | struct queue_entry* the_seed; //bottom-level node containing the real seed 26 | 27 | u64 times_wo_finds; 28 | 29 | } hier_node_t; 30 | 31 | 32 | 33 | typedef struct hier_key{ 34 | u8* bits; 35 | u32 size; 
36 | hier_node_t* node; 37 | } hier_key_t; 38 | 39 | 40 | 41 | typedef struct hier_tree{ 42 | u32 n_nodes[COV_INFI], 43 | n_fuzzed_nodes[COV_INFI]; 44 | 45 | hier_node_t *root, 46 | *leaf_cur; 47 | 48 | u8 has_new_node; 49 | 50 | u32 n_bits[COV_INFI], 51 | n_fuzzed_bits[COV_INFI]; // bitmap log 52 | } hier_tree_t; 53 | 54 | 55 | 56 | typedef struct hier_sched{ 57 | 58 | u16* step_exec_map; // feature frequence for the current fuzzing round 59 | u64* exec_map; // global feature frequece for all fuzzing rounds 60 | 61 | u32 map_size; 62 | u8 n_cov_level; 63 | double c_param; 64 | 65 | u32 current_entry; 66 | u64 current_queue_cycle; 67 | u64 current_wo_finds; 68 | 69 | hier_tree_t* tree; 70 | 71 | u64 t[3]; 72 | 73 | u8 need_update; 74 | 75 | } hier_sched_t; 76 | 77 | 78 | hier_sched_t* new_hier_sched(uint32_t); 79 | 80 | void delete_hier_sched(hier_sched_t* ); 81 | 82 | 83 | // cluster a new seed for the multi-level coverage 84 | void do_clustering(hier_sched_t* , struct queue_entry*, u8* ); 85 | 86 | void update_feature_freq(hier_sched_t*, u8*); 87 | 88 | void update_wo_finds(hier_sched_t*, bool); 89 | 90 | 91 | // seed scheduling 92 | struct queue_entry* choose_next_seed(hier_sched_t* ); 93 | -------------------------------------------------------------------------------- /include/sharedmem.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - shared memory related header 3 | --------------------------------------------------- 4 | 5 | Originally written by Michal Zalewski 6 | 7 | Forkserver design by Jann Horn <jannhorn@googlemail.com> 8 | 9 | Now maintained by Marc Heuse <mh@mh-sec.de>, 10 | Heiko Eißfeldt <heiko.eissfeldt@hexco.de>, 11 | Andrea Fioraldi <andreafioraldi@gmail.com>, 12 | Dominik Maier <mail@dmnk.co> 13 | 14 | Copyright 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 
16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | Shared code to handle the shared memory. This is used by the fuzzer 24 | as well the other components like afl-tmin, afl-showmap, etc... 25 | 26 | */ 27 | 28 | #ifndef __AFL_SHAREDMEM_H 29 | #define __AFL_SHAREDMEM_H 30 | 31 | #include "types.h" 32 | 33 | typedef struct sharedmem { 34 | 35 | // extern unsigned char *trace_bits; 36 | 37 | #ifdef USEMMAP 38 | /* ================ Proteas ================ */ 39 | int g_shm_fd; 40 | char g_shm_file_path[L_tmpnam]; 41 | int cmplog_g_shm_fd; 42 | char cmplog_g_shm_file_path[L_tmpnam]; 43 | /* ========================================= */ 44 | #else 45 | s32 shm_id; /* ID of the SHM region */ 46 | s32 cmplog_shm_id; 47 | #endif 48 | 49 | u8 *map; /* shared memory region */ 50 | 51 | size_t map_size; /* actual allocated size */ 52 | 53 | int cmplog_mode; 54 | struct cmp_map *cmp_map; 55 | 56 | } sharedmem_t; 57 | 58 | u8 * afl_shm_init(sharedmem_t *, size_t, unsigned char non_instrumented_mode); 59 | void afl_shm_deinit(sharedmem_t *); 60 | 61 | #endif 62 | 63 | -------------------------------------------------------------------------------- /libdislocator/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libdislocator 3 | # ---------------------------------- 4 | # 5 | # Originally written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 
11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 22 | CFLAGS += -I ../include/ -Wall -g -Wno-pointer-sign 23 | 24 | CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE) 25 | CFLAGS += $(CFLAGS_ADD) 26 | 27 | all: libdislocator.so 28 | 29 | VPATH = .. 30 | libdislocator.so: libdislocator.so.c ../config.h 31 | $(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC libdislocator.so.c -o ../$@ $(LDFLAGS) 32 | 33 | .NOTPARALLEL: clean 34 | 35 | clean: 36 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 37 | rm -f ../libdislocator.so 38 | 39 | install: all 40 | install -m 755 -d $${DESTDIR}$(HELPER_PATH) 41 | install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH) 42 | install -m 644 -T README.md $${DESTDIR}$(HELPER_PATH)/README.dislocator.md 43 | 44 | -------------------------------------------------------------------------------- /llvm_mode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake all || echo please install GNUmake 3 | -------------------------------------------------------------------------------- /llvm_mode/MarkNodes.h: -------------------------------------------------------------------------------- 1 | #ifndef __MARK_NODES__ 2 | #define __MARK_NODES__ 3 | 4 | #include "llvm/IR/BasicBlock.h" 5 | #include "llvm/IR/Function.h" 6 | #include <vector> 7 | 8 | std::pair<std::vector<llvm::BasicBlock *>, std::vector<llvm::BasicBlock *>> 9 | markNodes(llvm::Function *F); 10 | 11 | #endif 12 | 13 | -------------------------------------------------------------------------------- /llvm_mode/README.cmplog.md: -------------------------------------------------------------------------------- 1 | # CmpLog instrumentation 2 | 3 | The CmpLog instrumentation enables 
the logging of comparison operands in a
19 | 20 | It is highly recommended to increase the MAP_SIZE_POW2 definition in 21 | config.h to at least 18 and maybe up to 20 for this as otherwise too 22 | many map collisions occur. 23 | -------------------------------------------------------------------------------- /llvm_mode/README.instrim.md: -------------------------------------------------------------------------------- 1 | # InsTrim 2 | 3 | InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing 4 | 5 | ## Introduction 6 | 7 | InsTrim uses CFG and markers to instrument just what is necessary in the 8 | binary in llvm_mode. It is about 10-15% faster without disadvantages. 9 | It requires at least llvm version 3.8.0. 10 | 11 | ## Usage 12 | 13 | Set the environment variable `AFL_LLVM_INSTRUMENT=CFG` or `AFL_LLVM_INSTRIM=1` 14 | during compilation of the target. 15 | 16 | There is also an advanced mode which instruments loops in a way so that 17 | afl-fuzz can see which loop path has been selected but not being able to 18 | see how often the loop has been rerun. 19 | This again is a tradeoff for speed for less path information. 20 | To enable this mode set `AFL_LLVM_INSTRIM_LOOPHEAD=1`. 21 | 22 | ## Background 23 | 24 | The paper: [InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing] 25 | (https://www.ndss-symposium.org/wp-content/uploads/2018/07/bar2018_14_Hsu_paper.pdf) 26 | -------------------------------------------------------------------------------- /llvm_mode/README.laf-intel.md: -------------------------------------------------------------------------------- 1 | # laf-intel instrumentation 2 | 3 | ## Usage 4 | 5 | By default these passes will not run when you compile programs using 6 | afl-clang-fast. Hence, you can use AFL as usual. 7 | To enable the passes you must set environment variables before you 8 | compile the target project. 9 | 10 | The following options exist: 11 | 12 | `export AFL_LLVM_LAF_SPLIT_SWITCHES=1` 13 | 14 | Enables the split-switches pass. 
15 | 16 | `export AFL_LLVM_LAF_TRANSFORM_COMPARES=1` 17 | 18 | Enables the transform-compares pass (strcmp, memcmp, strncmp, 19 | strcasecmp, strncasecmp). 20 | 21 | `export AFL_LLVM_LAF_SPLIT_COMPARES=1` 22 | 23 | Enables the split-compares pass. 24 | By default it will 25 | 1. simplify operators >= (and <=) into chains of > (<) and == comparisons 26 | 2. change signed integer comparisons to a chain of sign-only comparison 27 | and unsigned comparisons 28 | 3. split all unsigned integer comparisons with bit widths of 29 | 64, 32 or 16 bits to chains of 8 bits comparisons. 30 | 31 | You can change the behaviour of the last step by setting 32 | `export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where 33 | bit_width may be 64, 32 or 16. 34 | 35 | A new experimental feature is splitting floating point comparisons into a 36 | series of sign, exponent and mantissa comparisons followed by splitting each 37 | of them into 8 bit comparisons when necessary. 38 | It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting. 39 | Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES` 40 | 41 | You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled :-) 42 | 43 | -------------------------------------------------------------------------------- /llvm_mode/README.neverzero.md: -------------------------------------------------------------------------------- 1 | # NeverZero counters for LLVM instrumentation 2 | 3 | ## Usage 4 | 5 | In larger, complex or reiterative programs the counters that collect the edge 6 | coverage can easily fill up and wrap around. 7 | This is not that much of an issue - unless by chance it wraps just to a value 8 | of zero when the program execution ends. 9 | In this case afl-fuzz is not able to see that the edge has been accessed and 10 | will ignore it. 11 | 12 | NeverZero prevents this behaviour. If a counter wraps, it jumps over the value 13 | 0 directly to a 1. 
This improves path discovery (by a very little amount) 14 | at a very little cost (one instruction per edge). 15 | 16 | (The alternative of saturated counters has been tested also and proved to be 17 | inferior in terms of path discovery.) 18 | 19 | This is implemented in afl-gcc, however for llvm_mode this is optional if 20 | the llvm version is below 9 - as there is a perfomance bug that is only fixed 21 | in version 9 and onwards. 22 | 23 | If you want to enable this for llvm versions below 9 then set 24 | 25 | ``` 26 | export AFL_LLVM_NOT_ZERO=1 27 | ``` 28 | 29 | In case you are on llvm 9 or greater and you do not want this behaviour then 30 | you can set: 31 | ``` 32 | AFL_LLVM_SKIP_NEVERZERO=1 33 | ``` 34 | If the target does not have extensive loops or functions that are called 35 | a lot then this can give a small performance boost. 36 | -------------------------------------------------------------------------------- /llvm_mode/README.ngram.md: -------------------------------------------------------------------------------- 1 | # AFL N-Gram Branch Coverage 2 | 3 | ## Source 4 | 5 | This is an LLVM-based implementation of the n-gram branch coverage proposed in 6 | the paper ["Be Sensitive and Collaborative: Analzying Impact of Coverage Metrics 7 | in Greybox Fuzzing"](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf), 8 | by Jinghan Wang, et. al. 9 | 10 | Note that the original implementation (available 11 | [here](https://github.com/bitsecurerlab/afl-sensitive)) 12 | is built on top of AFL's QEMU mode. 13 | This is essentially a port that uses LLVM vectorized instructions to achieve 14 | the same results when compiling source code. 15 | 16 | In math the branch coverage is performed as follows: 17 | `map[current_location ^ prev_location[0] >> 1 ^ prev_location[1] >> 1 ^ ... 
up to n-1] += 1`
17 | -------------------------------------------------------------------------------- /llvm_mode/afl-llvm-common.h: -------------------------------------------------------------------------------- 1 | #ifndef __AFLLLVMCOMMON_H 2 | #define __AFLLLVMCOMMON_H 3 | 4 | #include <stdio.h> 5 | #include <stdlib.h> 6 | #include <unistd.h> 7 | 8 | #include <list> 9 | #include <string> 10 | #include <fstream> 11 | #include <sys/time.h> 12 | 13 | #include "llvm/Config/llvm-config.h" 14 | #if LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR < 5 15 | typedef long double max_align_t; 16 | #endif 17 | 18 | #include "llvm/IR/IRBuilder.h" 19 | #include "llvm/IR/LegacyPassManager.h" 20 | #include "llvm/IR/BasicBlock.h" 21 | #include "llvm/IR/Module.h" 22 | #include "llvm/Support/Debug.h" 23 | #include "llvm/Support/MathExtras.h" 24 | #include "llvm/Transforms/IPO/PassManagerBuilder.h" 25 | 26 | #if LLVM_VERSION_MAJOR > 3 || \ 27 | (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) 28 | #include "llvm/IR/DebugInfo.h" 29 | #include "llvm/IR/CFG.h" 30 | #else 31 | #include "llvm/DebugInfo.h" 32 | #include "llvm/Support/CFG.h" 33 | #endif 34 | 35 | char * getBBName(const llvm::BasicBlock *BB); 36 | bool isIgnoreFunction(const llvm::Function *F); 37 | void initInstrumentList(); 38 | bool isInInstrumentList(llvm::Function *F); 39 | unsigned long long int calculateCollisions(uint32_t edges); 40 | void scanForDangerousFunctions(llvm::Module *M); 41 | 42 | #ifndef IS_EXTERN 43 | #define IS_EXTERN 44 | #endif 45 | 46 | IS_EXTERN int debug; 47 | IS_EXTERN int be_quiet; 48 | 49 | #undef IS_EXTERN 50 | 51 | #endif 52 | 53 | -------------------------------------------------------------------------------- /llvm_mode/afl-llvm-rt-lto.o.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - LLVM instrumentation bootstrap 3 | ----------------------------------------------------- 4 | 5 | Licensed under the Apache License, Version 2.0 (the 
"License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at: 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | 16 | // to prevent the function from being removed 17 | unsigned char __afl_lto_mode = 0; 18 | 19 | /* Proper initialization routine. */ 20 | 21 | __attribute__((constructor(0))) void __afl_auto_init_globals(void) { 22 | 23 | if (getenv("AFL_DEBUG")) fprintf(stderr, "[__afl_auto_init_globals]\n"); 24 | __afl_lto_mode = 1; 25 | 26 | } 27 | 28 | -------------------------------------------------------------------------------- /llvm_mode/llvm-ngram-coverage.h: -------------------------------------------------------------------------------- 1 | #ifndef AFL_NGRAM_CONFIG_H 2 | #define AFL_NGRAM_CONFIG_H 3 | 4 | #include "../config.h" 5 | 6 | #if (MAP_SIZE_POW2 <= 16) 7 | typedef u16 PREV_LOC_T; 8 | #elif (MAP_SIZE_POW2 <= 32) 9 | typedef u32 PREV_LOC_T; 10 | #else 11 | typedef u64 PREV_LOC_T; 12 | #endif 13 | 14 | /* Maximum ngram size */ 15 | #define NGRAM_SIZE_MAX 16U 16 | 17 | #endif 18 | 19 | -------------------------------------------------------------------------------- /qbdi_mode/assets/screen1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/qbdi_mode/assets/screen1.png -------------------------------------------------------------------------------- /qbdi_mode/build.sh: -------------------------------------------------------------------------------- 1 | 2 | if [ -z ${STANDALONE_TOOLCHAIN_PATH} ]; then 3 | echo "please set the android-standalone-toolchain path in STANDALONE_TOOLCHAIN_PATH environmental variable" 4 | echo "for example: " 5 | echo " export STANDALONE_TOOLCHAIN_PATH=/home/android-standalone-toolchain-21/" 6 | exit 7 | fi 8 | 9 | if [ -z ${QBDI_SDK_PATH} ]; then 10 | 
echo "please set the qbdi sdk path in QBDI_SDK_PATH environmental variable" 11 | echo "for example: " 12 | echo " export QBDI_SDK_PATH=/home/QBDI-Android/" 13 | exit 14 | fi 15 | 16 | 17 | 18 | if [ "$1" = "x86" ]; then 19 | echo "build x86 qbdi" 20 | compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/" 21 | if [ -z ${CC} ]; then 22 | export CC=i686-linux-android-gcc 23 | fi 24 | if [ -z ${CXX} ]; then 25 | export CXX=i686-linux-android-g++ 26 | fi 27 | elif [ "$1" = "x86_64" ]; then 28 | echo "build x86_64 qbdi" 29 | compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/" 30 | if [ -z ${CC} ]; then 31 | export CC=x86_64-linux-android-gcc 32 | fi 33 | if [ -z ${CXX} ]; then 34 | export CXX=x86_64-linux-android-g++ 35 | fi 36 | else 37 | echo "usage: ./build.sh arch[x86, x86_64]" 38 | exit 39 | fi 40 | 41 | 42 | CFLAGS="-I${QBDI_SDK_PATH}/usr/local/include/ -L${QBDI_SDK_PATH}/usr/local/lib/" 43 | 44 | echo "[+] Building the QBDI template" 45 | # build the qbdi template 46 | ${compiler_prefix}${CXX} -o loader template.cpp -lQBDI -ldl -w -g ${CFLAGS} 47 | 48 | echo "[+] Building the demo library" 49 | # build the demo share library 50 | ${compiler_prefix}${CC} -shared -o libdemo.so demo-so.c -w -g 51 | 52 | echo "[+] Building afl-fuzz for Android" 53 | # build afl-fuzz 54 | cd .. 55 | ${compiler_prefix}${CC} -DANDROID_DISABLE_FANCY=1 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-*.c src/afl-fuzz.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz -ldl -w 56 | 57 | echo "[+] All done. Enjoy!" 
58 | -------------------------------------------------------------------------------- /qbdi_mode/demo-so.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | // gcc -shared -o libdemo.so demo-so.c -w 4 | int target_func(char *buf, int size) { 5 | 6 | printf("buffer:%p, size:%p\n", buf, size); 7 | switch (buf[0]) { 8 | 9 | case 1: 10 | puts("222"); 11 | if (buf[1] == '\x44') { 12 | 13 | puts("null ptr deference"); 14 | *(char *)(0) = 1; 15 | 16 | } 17 | 18 | break; 19 | case 0xff: 20 | if (buf[2] == '\xff') { 21 | 22 | if (buf[1] == '\x44') { 23 | 24 | puts("crash...."); 25 | *(char *)(0xdeadbeef) = 1; 26 | 27 | } 28 | 29 | } 30 | 31 | break; 32 | default: 33 | puts("default action"); 34 | break; 35 | 36 | } 37 | 38 | return 1; 39 | 40 | } 41 | 42 | -------------------------------------------------------------------------------- /qemu_mode/libcompcov/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libcompcov 3 | # -------------------------------- 4 | # 5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com> 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 
11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | DOC_PATH ?= $(PREFIX)/share/doc/afl 19 | MAN_PATH ?= $(PREFIX)/share/man/man8 20 | 21 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 22 | 23 | CFLAGS ?= -O3 -funroll-loops 24 | CFLAGS += -I ../../include/ 25 | CFLAGS += -Wall -Wno-unused-result -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 26 | LDFLAGS += -ldl 27 | 28 | all: libcompcov.so 29 | 30 | libcompcov.so: libcompcov.so.c ../../config.h 31 | $(CC) $(CFLAGS) -shared -fPIC $< -o ../../$@ $(LDFLAGS) 32 | 33 | .NOTPARALLEL: clean 34 | 35 | clean: 36 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 37 | rm -f ../../libcompcov.so compcovtest 38 | 39 | compcovtest: compcovtest.cc 40 | $(CXX) -std=c++11 $< -o $@ 41 | 42 | install: all 43 | install -m 755 ../../libcompcov.so $${DESTDIR}$(HELPER_PATH) 44 | install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.compcov.md 45 | 46 | -------------------------------------------------------------------------------- /qemu_mode/libcompcov/README.md: -------------------------------------------------------------------------------- 1 | # strcmp() / memcmp() CompareCoverage library for afl++ QEMU 2 | 3 | Written by Andrea Fioraldi <andreafioraldi@gmail.com> 4 | 5 | This Linux-only companion library allows you to instrument `strcmp()`, `memcmp()`, 6 | and related functions to log the CompareCoverage of these libcalls. 7 | 8 | Use this with caution. While this can speedup a lot the bypass of hard 9 | branch conditions it can also waste a lot of time and take up unnecessary space 10 | in the shared memory when logging the coverage related to functions that 11 | doesn't process input-related data. 12 | 13 | To use the library, you *need* to make sure that your fuzzing target is linked 14 | dynamically and make use of strcmp(), memcmp(), and related functions. 
15 | For optimized binaries this is an issue: those functions are often inlined, 16 | and this module is not able to log the coverage in that case. 17 | 18 | If you have the source code of the fuzzing target you should not use this 19 | library and QEMU, but instead build it with afl-clang-fast and the laf-intel options. 20 | 21 | To use this library make sure to preload it with AFL_PRELOAD. 22 | 23 | ``` 24 | export AFL_PRELOAD=/path/to/libcompcov.so 25 | export AFL_COMPCOV_LEVEL=1 26 | 27 | afl-fuzz -Q -i input -o output <your options> -- <target args> 28 | ``` 29 | 30 | The AFL_COMPCOV_LEVEL variable tells QEMU and libcompcov how to log comparisons. 31 | Level 1 logs only comparisons with immediates / read-only memory, and level 2 32 | logs all comparisons. 33 | 34 | The library makes use of https://github.com/ouadev/proc_maps_parser and so it is 35 | Linux-specific. However, this is not a strict dependency: other UNIX operating 36 | systems can be supported simply by replacing the code related to the 37 | /proc/self/maps parsing. 38 | -------------------------------------------------------------------------------- /qemu_mode/libcompcov/compcovtest.cc: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////////////// 2 | // 3 | // Author: Mateusz Jurczyk (mjurczyk@google.com) 4 | // 5 | // Copyright 2019-2020 Google LLC 6 | // 7 | // Licensed under the Apache License, Version 2.0 (the "License"); 8 | // you may not use this file except in compliance with the License. 9 | // You may obtain a copy of the License at 10 | // 11 | // https://www.apache.org/licenses/LICENSE-2.0 12 | // 13 | // Unless required by applicable law or agreed to in writing, software 14 | // distributed under the License is distributed on an "AS IS" BASIS, 15 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
16 | // See the License for the specific language governing permissions and 17 | // limitations under the License. 18 | // 19 | 20 | // solution: echo -ne 'The quick brown fox jumps over the lazy 21 | // dog\xbe\xba\xfe\xca\xbe\xba\xfe\xca\xde\xc0\xad\xde\xef\xbe' | ./compcovtest 22 | 23 | #include <cstdint> 24 | #include <cstdio> 25 | #include <cstdlib> 26 | #include <cstring> 27 | 28 | int main() { 29 | 30 | char buffer[44] = {/* zero padding */}; 31 | fread(buffer, 1, sizeof(buffer) - 1, stdin); 32 | 33 | if (memcmp(&buffer[0], "The quick brown fox ", 20) != 0 || 34 | strncmp(&buffer[20], "jumps over ", 11) != 0 || 35 | strcmp(&buffer[31], "the lazy dog") != 0) { 36 | 37 | return 1; 38 | 39 | } 40 | 41 | uint64_t x = 0; 42 | fread(&x, sizeof(x), 1, stdin); 43 | if (x != 0xCAFEBABECAFEBABE) { return 2; } 44 | 45 | uint32_t y = 0; 46 | fread(&y, sizeof(y), 1, stdin); 47 | if (y != 0xDEADC0DE) { return 3; } 48 | 49 | uint16_t z = 0; 50 | fread(&z, sizeof(z), 1, stdin); 51 | 52 | switch (z) { 53 | 54 | case 0xBEEF: 55 | break; 56 | 57 | default: 58 | return 4; 59 | 60 | } 61 | 62 | printf("Puzzle solved, congrats!\n"); 63 | abort(); 64 | return 0; 65 | 66 | } 67 | 68 | -------------------------------------------------------------------------------- /qemu_mode/patches/__init__.py.diff: -------------------------------------------------------------------------------- 1 | --- a/scripts/tracetool/__init__.py 2020-03-28 13:42:21.937700726 +0100 2 | +++ b/scripts/tracetool/__init__.py 2020-03-28 13:41:50.991034257 +0100 3 | 
@@ -447,12 +447,12 @@ 4 | import tracetool 5 | 6 | format = str(format) 7 | - if len(format) is 0: 8 | + if len(format) == 0: 9 | raise TracetoolError("format not set") 10 | if not tracetool.format.exists(format): 11 | raise TracetoolError("unknown format: %s" % format) 12 | 13 | - if len(backends) is 0: 14 | + if len(backends) == 0: 15 | raise TracetoolError("no backends specified") 16 | for backend in backends: 17 | if not tracetool.backend.exists(backend): 18 | -------------------------------------------------------------------------------- /qemu_mode/patches/afl-qemu-tcg-inl.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - high-performance binary-only instrumentation 3 | ------------------------------------------------------------------- 4 | 5 | Originally written by Andrew Griffiths <agriffiths@google.com> and 6 | Michal Zalewski 7 | 8 | TCG instrumentation and block chaining support by Andrea Biondo 9 | <andrea.biondo965@gmail.com> 10 | 11 | QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero 12 | counters by Andrea Fioraldi <andreafioraldi@gmail.com> 13 | 14 | Copyright 2015, 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | This code is a shim patched into the separately-distributed source 24 | code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality 25 | to implement AFL-style instrumentation and to take care of the remaining 26 | parts of the AFL fork server logic. 
27 | 28 | The resulting QEMU binary is essentially a standalone instrumentation 29 | tool; for an example of how to leverage it for other purposes, you can 30 | have a look at afl-showmap.c. 31 | 32 | */ 33 | void afl_gen_tcg_plain_call(void *func); 34 | 35 | void afl_gen_tcg_plain_call(void *func) { 36 | 37 | TCGOp *op = tcg_emit_op(INDEX_op_call); 38 | 39 | TCGOP_CALLO(op) = 0; 40 | 41 | op->args[0] = (uintptr_t)func; 42 | op->args[1] = 0; 43 | TCGOP_CALLI(op) = 0; 44 | 45 | } 46 | 47 | -------------------------------------------------------------------------------- /qemu_mode/patches/configure.diff: -------------------------------------------------------------------------------- 1 | --- a/configure 2019-08-02 18:04:50.000000000 +0200 2 | +++ b/configure 2020-02-28 06:31:30.424895061 +0100 3 | @@ -1479,6 +1479,8 @@ 4 | ;; 5 | --enable-capstone=system) capstone="system" 6 | ;; 7 | + --enable-capstone=internal) capstone="internal" 8 | + ;; 9 | --with-git=*) git="$optarg" 10 | ;; 11 | --enable-git-update) git_update=yes 12 | @@ -4604,6 +4606,21 @@ 13 | fi 14 | 15 | ########################################## 16 | +cat > $TMPC << EOF 17 | +#include <dlfcn.h> 18 | +#include <stdlib.h> 19 | +int main(int argc, char **argv) { return dlopen("libc.so", RTLD_NOW) != NULL; } 20 | +EOF 21 | +if compile_prog "" "" ; then 22 | + : 23 | +elif compile_prog "" "-ldl" ; then 24 | + LIBS="-ldl $LIBS" 25 | + libs_qga="-ldl $libs_qga" 26 | +else 27 | + error_exit "libdl check failed" 28 | +fi 29 | + 30 | +########################################## 31 | # spice probe 32 | if test "$spice" != "no" ; then 33 | cat > $TMPC << EOF 34 | -------------------------------------------------------------------------------- /qemu_mode/patches/cpu-exec.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c 2 | index 870027d4..0bc87dfc 100644 3 | --- a/accel/tcg/cpu-exec.c 4 | +++ b/accel/tcg/cpu-exec.c 5 | 
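Review bot: The new libdl probe in the `@@ -4604,6 +4606,21 @@` hunk carries no header comment, unlike the `# spice probe` block that immediately follows it, so a reader meets a bare `cat > $TMPC` without being told what is being tested. Its purpose is to find out whether `dlopen()` links without `-ldl` and to add the flag to `LIBS` and `libs_qga` only when needed; I would put `# libdl probe (dlopen may live in libc or require -ldl)` right under the `####` separator to match the surrounding style. As far as I can tell the probe is only compiled and linked by `compile_prog`, never executed, so its return value (`dlopen(...) != NULL`, i.e. non-zero on success) is irrelevant; saying so in that comment stops somebody from "fixing" it later.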
@@ -36,6 +36,8 @@ 6 | #include "sysemu/cpus.h" 7 | #include "sysemu/replay.h" 8 | 9 | +#include "../patches/afl-qemu-cpu-inl.h" 10 | + 11 | /* -icount align implementation. */ 12 | 13 | typedef struct SyncClocks { 14 | @@ -397,11 +399,13 @@ static inline TranslationBlock *tb_find(CPUState *cpu, 15 | TranslationBlock *tb; 16 | target_ulong cs_base, pc; 17 | uint32_t flags; 18 | + bool was_translated = false, was_chained = false; 19 | 20 | tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask); 21 | if (tb == NULL) { 22 | mmap_lock(); 23 | tb = tb_gen_code(cpu, pc, cs_base, flags, cf_mask); 24 | + was_translated = true; 25 | mmap_unlock(); 26 | /* We add the TB in the virtual pc hash table for the fast lookup */ 27 | atomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb); 28 | @@ -418,6 +422,10 @@ static inline TranslationBlock *tb_find(CPUState *cpu, 29 | /* See if we can patch the calling TB. */ 30 | if (last_tb) { 31 | tb_add_jump(last_tb, tb_exit, tb); 32 | + was_chained = true; 33 | + } 34 | + if (was_translated || was_chained) { 35 | + afl_request_tsl(pc, cs_base, flags, cf_mask, was_chained ? last_tb : NULL, tb_exit); 36 | } 37 | return tb; 38 | } 39 | -------------------------------------------------------------------------------- /qemu_mode/patches/make_strncpy_safe.diff: -------------------------------------------------------------------------------- 1 | --- a/util/qemu-sockets.c 2020-03-28 13:55:09.511029429 +0100 2 | +++ b/util/qemu-sockets.c 2020-03-28 14:01:12.147693937 +0100 3 | @@ -877,7 +877,7 @@ 4 | 5 | memset(&un, 0, sizeof(un)); 6 | un.sun_family = AF_UNIX; 7 | - strncpy(un.sun_path, path, sizeof(un.sun_path)); 8 | + strncpy(un.sun_path, path, sizeof(un.sun_path) - 1); 9 | 10 | if (bind(sock, (struct sockaddr*) &un, sizeof(un)) < 0) { 11 | error_setg_errno(errp, errno, "Failed to bind socket to %s", path); 12 | 
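Review bot: `strncpy(un.sun_path, path, sizeof(un.sun_path) - 1)` now always leaves a terminating NUL, since the `memset` two lines above zeroes the struct, but a `path` longer than `sun_path` is still truncated silently and the socket is then bound under a different name than the caller asked for. I would reject over-long paths before the copy, e.g. `if (strlen(path) >= sizeof(un.sun_path)) { error_setg(errp, "UNIX socket path '%s' is too long", path); ... }` followed by the function's existing error return; the enclosing function starts and ends outside the hunk, so I cannot see its cleanup label. The same point applies to the `@@ -922,7 +922,7 @@` hunk in the same file, where `saddr->path` is copied before `connect()`.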
@@ -922,7 +922,7 @@ 13 | 14 | memset(&un, 0, sizeof(un)); 15 | un.sun_family = AF_UNIX; 16 | - strncpy(un.sun_path, saddr->path, sizeof(un.sun_path)); 17 | + strncpy(un.sun_path, saddr->path, sizeof(un.sun_path) - 1); 18 | 19 | /* connect to peer */ 20 | do { 21 | --- a/block/sheepdog.c 2020-03-28 14:01:57.164360270 +0100 22 | +++ b/block/sheepdog.c 2020-03-28 14:02:52.781026597 +0100 23 | @@ -1236,7 +1236,7 @@ 24 | * don't want the send_req to read uninitialized data. 25 | */ 26 | strncpy(buf, filename, SD_MAX_VDI_LEN); 27 | - strncpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN); 28 | + strncpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN - 1); 29 | 30 | memset(&hdr, 0, sizeof(hdr)); 31 | if (lock) { 32 | -------------------------------------------------------------------------------- /qemu_mode/patches/mips-fpu.diff: -------------------------------------------------------------------------------- 1 | --- a/linux-user/elfload.c 2020-07-13 20:10:37.776374566 -0700 2 | +++ b/linux-user/elfload.c 2020-07-13 20:11:51.794957015 -0700 3 | @@ -2667,6 +2667,11 @@ 4 | char *elf_interpreter = NULL; 5 | char *scratch; 6 | 7 | + memset(&interp_info, 0, sizeof(interp_info)); 8 | +#ifdef TARGET_MIPS 9 | + interp_info.fp_abi = MIPS_ABI_FP_UNKNOWN; 10 | +#endif 11 | + 12 | info->start_mmap = (abi_ulong)ELF_START_MMAP; 13 | 14 | load_elf_image(bprm->filename, bprm->fd, info, 15 | 16 | -------------------------------------------------------------------------------- /qemu_mode/patches/softfloat.diff: -------------------------------------------------------------------------------- 1 | diff --git a/fpu/softfloat.c b/fpu/softfloat.c 2 | index e1eef954..2f8d0d62 100644 3 | --- a/fpu/softfloat.c 4 | +++ b/fpu/softfloat.c 5 | 
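Review bot: In the `block/sheepdog.c` hunk, shortening only the `tag` copy to `SD_MAX_VDI_TAG_LEN - 1` leaves the final byte of that field untouched by `strncpy`, while the `filename` copy on the unchanged line above still fills its full `SD_MAX_VDI_LEN`. The comment just above the hunk says these copies exist so `send_req` does not read uninitialized data; unless `buf` is zeroed before this point (not visible here), the byte at `buf[SD_MAX_VDI_LEN + SD_MAX_VDI_TAG_LEN - 1]` is now exactly that. Writing it explicitly, `buf[SD_MAX_VDI_LEN + SD_MAX_VDI_TAG_LEN - 1] = '\0';` after the copy, keeps both the termination and the initialization guarantee. The enclosing function begins outside the hunk.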
@@ -7205,3 +7205,5 @@ float128 float128_scalbn(float128 a, int n, float_status *status) 6 | , status); 7 | 8 | } 9 | + 10 | +#include "../../patches/afl-qemu-floats.h" 11 | -------------------------------------------------------------------------------- /qemu_mode/patches/tcg-runtime-head.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h 2 | index 1bd39d1..8dd45ee 100644 3 | --- a/accel/tcg/tcg-runtime.h 4 | +++ b/accel/tcg/tcg-runtime.h 5 | 
@@ -260,3 +260,21 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 6 | DEF_HELPER_FLAGS_4(gvec_leu16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 7 | DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 8 | DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 9 | + 10 | +DEF_HELPER_FLAGS_1(afl_entry_routine, TCG_CALL_NO_RWG, void, env) 11 | +DEF_HELPER_FLAGS_1(afl_maybe_log, TCG_CALL_NO_RWG, void, tl) 12 | +DEF_HELPER_FLAGS_3(afl_compcov_16, TCG_CALL_NO_RWG, void, tl, tl, tl) 13 | +DEF_HELPER_FLAGS_3(afl_compcov_32, TCG_CALL_NO_RWG, void, tl, tl, tl) 14 | +DEF_HELPER_FLAGS_3(afl_compcov_64, TCG_CALL_NO_RWG, void, tl, tl, tl) 15 | +DEF_HELPER_FLAGS_3(afl_cmplog_8, TCG_CALL_NO_RWG, void, tl, tl, tl) 16 | +DEF_HELPER_FLAGS_3(afl_cmplog_16, TCG_CALL_NO_RWG, void, tl, tl, tl) 17 | +DEF_HELPER_FLAGS_3(afl_cmplog_32, TCG_CALL_NO_RWG, void, tl, tl, tl) 18 | +DEF_HELPER_FLAGS_3(afl_cmplog_64, TCG_CALL_NO_RWG, void, tl, tl, tl) 19 | +DEF_HELPER_FLAGS_1(afl_cmplog_rtn, TCG_CALL_NO_RWG, void, env) 20 | + 21 | +DEF_HELPER_FLAGS_1(afl_fncov, TCG_CALL_NO_RWG, void, tl) 22 | +DEF_HELPER_FLAGS_3(afl_cmpcov_8, TCG_CALL_NO_RWG, void, tl, tl, tl) 23 | +DEF_HELPER_FLAGS_3(afl_cmpcov_16, TCG_CALL_NO_RWG, void, tl, tl, tl) 24 | +DEF_HELPER_FLAGS_3(afl_cmpcov_32, TCG_CALL_NO_RWG, void, tl, tl, tl) 25 | +DEF_HELPER_FLAGS_3(afl_cmpcov_64, TCG_CALL_NO_RWG, void, tl, tl, tl) 26 | +// DEF_HELPER_FLAGS_2(afl_memcov, TCG_CALL_NO_RWG, void, tl, tl) 27 | -------------------------------------------------------------------------------- /qemu_mode/patches/tcg-runtime.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c 2 | index d0d44844..009ef15a 100644 3 | --- a/accel/tcg/tcg-runtime.c 4 | +++ b/accel/tcg/tcg-runtime.c 5 | 
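Review bot: The new helper block declares two families with identical signatures, `afl_compcov_{16,32,64}` and `afl_cmpcov_{8,16,32,64}`, with nothing saying how they differ, and it ends with a commented-out `// DEF_HELPER_FLAGS_2(afl_memcov, ...)` line. A short comment over each group — e.g. `/* CompareCoverage helpers (AFL_COMPCOV_LEVEL) */` above the `afl_compcov_*` lines, `/* CmpLog helpers */` above the `afl_cmplog_*` lines, and one naming what the `afl_fncov`/`afl_cmpcov_*` group is for — would let a reader tell them apart without opening the runtime file. The dead `afl_memcov` line should either go or become a TODO stating what is missing.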
@@ -167,3 +167,5 @@ void HELPER(exit_atomic)(CPUArchState *env) 6 | { 7 | cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC()); 8 | } 9 | + 10 | +#include "../../../patches/afl-qemu-tcg-runtime-inl.h" 11 | -------------------------------------------------------------------------------- /qemu_mode/patches/tcg.diff: -------------------------------------------------------------------------------- 1 | diff --git a/tcg/tcg.c b/tcg/tcg.c 2 | index e85133ef..54b9b390 100644 3 | --- a/tcg/tcg.c 4 | +++ b/tcg/tcg.c 5 | @@ -1612,6 +1612,9 @@ bool tcg_op_supported(TCGOpcode op) 6 | } 7 | } 8 | 9 | + 10 | +#include "../../patches/afl-qemu-tcg-inl.h" 11 | + 12 | /* Note: we convert the 64 bit args to 32 bit and do some alignment 13 | and endian swap. Maybe it would be better to do the alignment 14 | and endian swap in tcg_reg_alloc_call(). */ 15 | -------------------------------------------------------------------------------- /qemu_mode/patches/translate-all.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c 2 | index 639f0b27..21a45494 100644 3 | --- a/accel/tcg/translate-all.c 4 | +++ b/accel/tcg/translate-all.c 5 | @@ -59,6 +59,8 @@ 6 | #include "exec/log.h" 7 | #include "sysemu/cpus.h" 8 | 9 | +#include "../patches/afl-qemu-translate-inl.h" 10 | + 11 | /* #define DEBUG_TB_INVALIDATE */ 12 | /* #define DEBUG_TB_FLUSH */ 13 | /* make various TB consistency checks */ 14 | @@ -1721,6 +1723,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, 15 | tcg_func_start(tcg_ctx); 16 | 17 | tcg_ctx->cpu = ENV_GET_CPU(env); 18 | + afl_gen_trace(pc); 19 | gen_intermediate_code(cpu, tb); 20 | tcg_ctx->cpu = NULL; 21 | 22 | -------------------------------------------------------------------------------- /qemu_mode/patches/translator.diff: -------------------------------------------------------------------------------- 1 | 
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c 2 | index afd0a49e..773ea712 100644 3 | --- a/accel/tcg/translator.c 4 | +++ b/accel/tcg/translator.c 5 | @@ -18,6 +18,8 @@ 6 | #include "exec/log.h" 7 | #include "exec/translator.h" 8 | 9 | +#include "../../../patches/afl-qemu-common.h" 10 | + 11 | /* Pairs with tcg_clear_temp_count. 12 | To be called by #TranslatorOps.{translate_insn,tb_stop} if 13 | (1) the target is sufficiently clean to support reporting, 14 | 
@@ -92,6 +94,11 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db, 15 | break; 16 | } 17 | } 18 | + 19 | + if (db->pc_next == afl_entry_point) { 20 | + afl_setup(); 21 | + gen_helper_afl_entry_routine(cpu_env); 22 | + } 23 | 24 | /* Disassemble one instruction. The translate_insn hook should 25 | update db->pc_next and db->is_jmp to indicate what should be 26 | -------------------------------------------------------------------------------- /qemu_mode/unsigaction/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - unsigaction 3 | # -------------------------------- 4 | # 5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com> 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | .POSIX: 16 | 17 | _UNIQ=_QINU_ 18 | 19 | TARGETCANDIDATES=unsigaction32.so unsigaction64.so 20 | _TARGETS=$(_UNIQ)$(AFL_NO_X86)$(_UNIQ) 21 | __TARGETS=$(_TARGETS:$(_UNIQ)1$(_UNIQ)=) 22 | TARGETS=$(__TARGETS:$(_UNIQ)$(_UNIQ)=$(TARGETCANDIDATES)) 23 | 24 | all: $(TARGETS) 25 | @if [ "$(AFL_NO_X86)" != "" ]; then echo "[!] 
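Review bot: The `afl_setup()` call sits inside `translator_loop`, so it runs whenever the block at `afl_entry_point` is translated rather than once per process; if that block is ever re-translated (for instance after the translation cache is flushed) `afl_setup()` runs again. If `afl_setup()` is not idempotent that is a defect; if it is, the hunk should say so, e.g. `/* translation-time hook: may run again if the entry block is re-translated, afl_setup() must be idempotent */`. The comparison is also evaluated for every instruction translated, since it is placed in the per-instruction loop just before the "Disassemble one instruction" step rather than at `tb_start`; that is probably negligible but deserves a word in the same comment. `translator_loop` starts and ends outside the hunk.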
Note: skipping compilation of unsigaction (AFL_NO_X86 set)."; fi 26 | 27 | unsigaction32.so: 28 | @if $(CC) -m32 -fPIC -shared unsigaction.c -o unsigaction32.so 2>/dev/null ; then echo "unsigaction32 build success"; else echo "unsigaction32 build failure (that's fine)"; fi 29 | 30 | unsigaction64.so: 31 | @if $(CC) -m64 -fPIC -shared unsigaction.c -o unsigaction64.so 2>/dev/null ; then echo "unsigaction64 build success"; else echo "unsigaction64 build failure (that's fine)"; fi 32 | 33 | clean: 34 | rm -f unsigaction32.so unsigaction64.so 35 | -------------------------------------------------------------------------------- /qemu_mode/unsigaction/README.md: -------------------------------------------------------------------------------- 1 | # unsigaction 2 | 3 | This library disables sigaction handlers when preloaded. 4 | 5 | Mainly needed by Wine mode but can be used as a separate tool. 6 | 7 | A similar solution can be found in [preeny](https://github.com/zardus/preeny). 8 | -------------------------------------------------------------------------------- /qemu_mode/unsigaction/unsigaction.c: -------------------------------------------------------------------------------- 1 | int sigaction(int signum, void *act, void *oldact) { 2 | return 0; 3 | } 4 | -------------------------------------------------------------------------------- /src/README.md: -------------------------------------------------------------------------------- 1 | # Source Folder 2 | 3 | Quick explanation about the files here: 4 | 5 | - `afl-analyze.c` - afl-analyze binary tool 6 | - `afl-as.c` - afl-as binary tool 7 | - `afl-gotcpu.c` - afl-gotcpu binary tool 8 | - `afl-showmap.c` - afl-showmap binary tool 9 | - `afl-tmin.c` - afl-tmin binary tool 10 | - `afl-fuzz.c` - afl-fuzz binary tool (just main() and usage()) 11 | - `afl-fuzz-bitmap.c` - afl-fuzz bitmap handling 12 | - `afl-fuzz-extras.c` - afl-fuzz the *extra* function calls 13 | - `afl-fuzz-state.c` - afl-fuzz state and globals 14 | - 
`afl-fuzz-init.c` - afl-fuzz initialization 15 | - `afl-fuzz-misc.c` - afl-fuzz misc functions 16 | - `afl-fuzz-one.c` - afl-fuzz fuzzer_one big loop; this is where the mutation happens 17 | - `afl-fuzz-python.c` - afl-fuzz the python mutator extension 18 | - `afl-fuzz-queue.c` - afl-fuzz handling the queue 19 | - `afl-fuzz-run.c` - afl-fuzz running the target 20 | - `afl-fuzz-stats.c` - afl-fuzz writing the statistics file 21 | - `afl-gcc.c` - afl-gcc binary tool (deprecated) 22 | - `afl-common.c` - common functions, used by afl-analyze, afl-fuzz, afl-showmap and afl-tmin 23 | - `afl-forkserver.c` - forkserver implementation, used by afl-fuzz and afl-tmin 24 | - `afl-sharedmem.c` - sharedmem implementation, used by afl-fuzz and afl-tmin 25 | -------------------------------------------------------------------------------- /test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - a trivial program to test the build 3 | -------------------------------------------------------- 4 | Originally written by Michal Zalewski 5 | Copyright 2014 Google Inc. All rights reserved. 6 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 
9 | You may obtain a copy of the License at: 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | #include <unistd.h> 16 | #include <string.h> 17 | #include <sys/types.h> 18 | #include <sys/stat.h> 19 | #include <fcntl.h> 20 | 21 | int main(int argc, char **argv) { 22 | 23 | int fd = 0; 24 | char buff[8]; 25 | char *buf = buff; 26 | 27 | // we support command line parameter and stdin 28 | if (argc == 2) { 29 | 30 | buf = argv[1]; 31 | printf("Input %s - ", buf); 32 | 33 | } else { 34 | 35 | if (argc >= 3 && strcmp(argv[1], "-f") == 0) 36 | if ((fd = open(argv[2], O_RDONLY)) < 0) { 37 | 38 | fprintf(stderr, "Error: unable to open %s\n", argv[2]); 39 | exit(-1); 40 | 41 | } 42 | 43 | if (read(fd, buf, sizeof(buf)) < 1) { 44 | 45 | printf("Hum?\n"); 46 | return 1; 47 | 48 | } 49 | 50 | } 51 | 52 | // we support three input cases (plus a 4th if stdin is used but there is no 53 | // input) 54 | if (buf[0] == '0') 55 | printf("Looks like a zero to me!\n"); 56 | else if (buf[0] == '1') 57 | printf("Pretty sure that is a one!\n"); 58 | else 59 | printf("Neither one or zero? 
How quaint!\n"); 60 | 61 | return 0; 62 | 63 | } 64 | 65 | -------------------------------------------------------------------------------- /test/checkcommit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | CMDLINE="/prg/tests/normal/tiff-4.0.4/tools/thumbnail @@ /dev/null" 3 | INDIR="/prg/tests/normal/tiff-4.0.4/in-small" 4 | 5 | test -z "$1" -o -n "$4" && { 6 | echo "Syntax: $0 commit-id <indir> \"<cmdline>\"" 7 | echo 8 | echo "Switches to the defined commit ID, compiles with profiling and runs" 9 | echo "afl-fuzz on a defind target and input directory, saving timing," 10 | echo "fuzzer_stats and profiling output to \"<commit-id>.out\"" 11 | echo "Honors CFLAGS and LDFLAGS" 12 | echo 13 | echo "Defaults:" 14 | echo " indir: \"$INDIR\"" 15 | echo " cmdline: \"$CMDLINE\"" 16 | exit 1 17 | } 18 | 19 | C=$1 20 | test -n "$2" && INDIR=$2 21 | test -n "$3" && CMDLINE=$3 22 | 23 | git checkout "$C" || { echo "CHECKOUT FAIL $C" > $C.out ; exit 1 ; } 24 | export AFL_BENCH_JUST_ONE=1 25 | test -z "$CFLAGS" && CFLAGS="-O3 -funroll-loops" 26 | export CFLAGS="$CFLAGS -pg" 27 | export LDFLAGS="$LDFLAGS -pg" 28 | make >/dev/null 2>&1 || echo ERROR: BUILD FAILURE 29 | test -x ./afl-fuzz || { echo "BUILD FAIL $C" > $C.out ; make clean ; exit 1 ; } 30 | 31 | START=`date +%s` 32 | echo $START > $C.out 33 | time nice -n -20 ./afl-fuzz -i "$INDIR" -s 123 -o out-profile -- $CMDLINE 2>> $C.out 34 | STOP=`date +%s` 35 | echo $STOP >> $C.out 36 | echo RUNTIME: `expr $STOP - $START` >> $C.out 37 | cat out-profile/fuzzer_stats >> $C.out 38 | gprof ./afl-fuzz gmon.out >> $C.out 39 | 40 | make clean >/dev/null 2>&1 41 | rm -rf out-profile gmon.out 42 | -------------------------------------------------------------------------------- /test/test-all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | . ./test-pre.sh 4 | 5 | . ./test-basic.sh 6 | 7 | . ./test-llvm.sh 8 | 9 | . 
./test-llvm-lto.sh 10 | 11 | . ./test-gcc-plugin.sh 12 | 13 | . ./test-libextensions.sh 14 | 15 | . ./test-qemu-mode.sh 16 | 17 | . ./test-unicorn-mode.sh 18 | 19 | . ./test-custom-mutators.sh 20 | 21 | . ./test-unittests.sh 22 | 23 | . ./test-post.sh 24 | -------------------------------------------------------------------------------- /test/test-cmplog.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | #include <stdarg.h> 4 | #include <stdlib.h> 5 | #include <stdint.h> 6 | #include <unistd.h> 7 | int main(int argc, char *argv[]) { 8 | 9 | char buf[1024]; 10 | ssize_t i; 11 | if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0; 12 | buf[i] = 0; 13 | if (buf[0] != 'A') return 0; 14 | if (buf[1] != 'B') return 0; 15 | if (buf[2] != 'C') return 0; 16 | if (buf[3] != 'D') return 0; 17 | if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; 18 | if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) 19 | abort(); 20 | return 0; 21 | 22 | } 23 | 24 | -------------------------------------------------------------------------------- /test/test-compcov.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <unistd.h> 4 | #include <string.h> 5 | 6 | char global_cmpval[] = "GLOBALVARIABLE"; 7 | 8 | int main(int argc, char **argv) { 9 | 10 | char *input = argv[1], *buf, buffer[20]; 11 | char cmpval[] = "LOCALVARIABLE"; 12 | char shortval[4] = "abc"; 13 | 14 | if (argc < 2) { 15 | 16 | ssize_t ret = read(0, buffer, sizeof(buffer) - 1); 17 | buffer[ret] = 0; 18 | input = buffer; 19 | 20 | } 21 | 22 | if (strcmp(input, "LIBTOKENCAP") == 0) 23 | printf("your string was LIBTOKENCAP\n"); 24 | else if (strcmp(input, "BUGMENOT") == 0) 25 | printf("your string was BUGMENOT\n"); 26 | else if (strncmp(input, "BANANA", 3) == 0) 27 | printf("your string started with BAN\n"); 28 | 
else if (strcmp(input, "APRI\0COT") == 0) 29 | printf("your string was APRI\n"); 30 | else if (strcasecmp(input, "Kiwi") == 0) 31 | printf("your string was Kiwi\n"); 32 | else if (strncasecmp(input, "avocado", 9) == 0) 33 | printf("your string was avocado\n"); 34 | else if (strncasecmp(input, "Grapes", argc > 2 ? atoi(argv[2]) : 3) == 0) 35 | printf("your string was a prefix of Grapes\n"); 36 | else if (strcmp(input, "BUFFEROVERFLOW") == 0) { 37 | 38 | buf = (char *)malloc(16); 39 | strcpy(buf, "TEST"); 40 | strcat(buf, input); 41 | printf("This will only crash with libdislocator: %s\n", buf); 42 | 43 | } else if (*(unsigned int *)input == 0xabadcafe) 44 | 45 | printf("GG you eat cmp tokens for breakfast!\n"); 46 | else if (memcmp(cmpval, input, 8) == 0) 47 | printf("local var memcmp works!\n"); 48 | else if (memcmp(shortval, input, 4) == 0) 49 | printf("short local var memcmp works!\n"); 50 | else if (memcmp(global_cmpval, input, sizeof(global_cmpval)) == 0) 51 | printf("global var memcmp works!\n"); 52 | else if (strncasecmp("-h", input, 2) == 0) 53 | printf("this is not the help you are looking for\n"); 54 | else 55 | printf("I do not know your string\n"); 56 | 57 | return 0; 58 | 59 | } 60 | 61 | -------------------------------------------------------------------------------- /test/test-custom-mutator.c: -------------------------------------------------------------------------------- 1 | /** 2 | * Reference: 3 | * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c 4 | */ 5 | 6 | #include <stdio.h> 7 | #include <string.h> 8 | #include <math.h> 9 | #include <stdlib.h> 10 | #include <unistd.h> 11 | 12 | int main(int argc, char *argv[]) { 13 | 14 | char str[100]; 15 | read(0, str, 100); 16 | if (str[6] == 'A') { abort(); } 17 | return 0; 18 | 19 | } 20 | 21 | -------------------------------------------------------------------------------- /test/test-floatingpoint.c: 
-------------------------------------------------------------------------------- 1 | #include <stdlib.h> 2 | #include <unistd.h> 3 | #include <limits.h> 4 | #include <stdint.h> 5 | 6 | __AFL_FUZZ_INIT(); 7 | 8 | int main(void) { 9 | 10 | ssize_t bytes_read; 11 | 12 | __AFL_INIT(); 13 | float *magic = (float *)__AFL_FUZZ_TESTCASE_BUF; 14 | 15 | while (__AFL_LOOP(INT_MAX)) { 16 | 17 | int len = __AFL_FUZZ_TESTCASE_LEN; 18 | if (len < sizeof(float)) return 1; 19 | 20 | /* 15 + 1/2 = 15.5 */ 21 | /* 15 + 1/2 + 1/8 = 15.625 */ 22 | /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ 23 | /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ 24 | if ((*magic >= 15.0 + 0.5 + 0.125 + 0.03125) && 25 | (*magic <= 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) 26 | abort(); 27 | 28 | } 29 | 30 | return 0; 31 | 32 | } 33 | 34 | -------------------------------------------------------------------------------- /test/test-libextensions.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | . ./test-pre.sh 4 | 5 | test -z "$AFL_CC" && unset AFL_CC 6 | 7 | $ECHO "$BLUE[*] Testing: shared library extensions" 8 | cc $CFLAGS -o test-compcov test-compcov.c > /dev/null 2>&1 9 | test -e ../libtokencap.so && { 10 | AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 11 | grep -q BUGMENOT token.out > /dev/null 2>&1 && { 12 | $ECHO "$GREEN[+] libtokencap did successfully capture tokens" 13 | } || { 14 | $ECHO "$RED[!] 
libtokencap did not capture tokens" 15 | CODE=1 16 | } 17 | rm -f token.out 18 | } || { 19 | $ECHO "$YELLOW[-] libtokencap is not compiled, cannot test" 20 | INCOMPLETE=1 21 | } 22 | test -e ../libdislocator.so && { 23 | { 24 | ulimit -c 1 25 | # DYLD_INSERT_LIBRARIES and DYLD_FORCE_FLAT_NAMESPACE is used on Darwin/MacOSX 26 | LD_PRELOAD=../libdislocator.so DYLD_INSERT_LIBRARIES=../libdislocator.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov BUFFEROVERFLOW > test.out 2>/dev/null 27 | } > /dev/null 2>&1 28 | grep -q BUFFEROVERFLOW test.out > /dev/null 2>&1 && { 29 | $ECHO "$RED[!] libdislocator did not detect the memory corruption" 30 | CODE=1 31 | } || { 32 | $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" 33 | } 34 | rm -f test.out core test-compcov.core core.test-compcov 35 | } || { 36 | $ECHO "$YELLOW[-] libdislocator is not compiled, cannot test" 37 | INCOMPLETE=1 38 | } 39 | rm -f test-compcov 40 | 41 | test -z "$AFL_CC" && { 42 | if type gcc >/dev/null; then 43 | export AFL_CC=gcc 44 | else 45 | if type clang >/dev/null; then 46 | export AFL_CC=clang 47 | fi 48 | fi 49 | } 50 | 51 | . 
./test-post.sh 52 | -------------------------------------------------------------------------------- /test/test-multiple-mutators.c: -------------------------------------------------------------------------------- 1 | /** 2 | * Test-Case for multiple custom mutators in C 3 | * Reference: 4 | * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c 5 | */ 6 | 7 | #include <stdio.h> 8 | #include <stdlib.h> 9 | #include <string.h> 10 | #include <unistd.h> 11 | 12 | int main(int argc, char **argv) { 13 | 14 | int a = 0; 15 | char s[100]; 16 | read(0, s, 100); 17 | 18 | if (s[7] == 'B') { abort(); } 19 | 20 | return 0; 21 | 22 | } 23 | 24 | -------------------------------------------------------------------------------- /test/test-post.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | AFL_TEST_DEPTH=$((AFL_TEST_DEPTH-1)) 3 | 4 | if [ $AFL_TEST_DEPTH = 0 ]; then 5 | # All runs done :) 6 | 7 | $ECHO "$GREY[*] $AFL_TEST_COUNT test cases completed.$RESET" 8 | test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed" 9 | test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed" 10 | test "$CODE" = "0" && $ECHO "$GREEN[+] all tests were successful :-)$RESET" 11 | test "$CODE" = "0" || $ECHO "$RED[!] failure in tests :-($RESET" 12 | exit $CODE 13 | 14 | fi 15 | -------------------------------------------------------------------------------- /test/test-unittests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | . ./test-pre.sh 4 | 5 | $ECHO "$BLUE[*] Execution cmocka Unit-Tests $GREY" 6 | unset AFL_CC 7 | make -C .. unit || CODE=1 INCOMPLETE=1 : 8 | 9 | . 
./test-post.sh 10 | -------------------------------------------------------------------------------- /test/test-unsigaction.c: -------------------------------------------------------------------------------- 1 | #include <signal.h> /* sigemptyset(), sigaction(), kill(), SIGUSR1 */ 2 | #include <stdlib.h> /* exit() */ 3 | #include <unistd.h> /* getpid() */ 4 | #include <errno.h> /* errno */ 5 | #include <stdio.h> /* fprintf() */ 6 | 7 | static void mysig_handler(int sig) { 8 | 9 | exit(2); 10 | 11 | } 12 | 13 | int main() { 14 | 15 | /* setup sig handler */ 16 | struct sigaction sa; 17 | sa.sa_handler = mysig_handler; 18 | sigemptyset(&sa.sa_mask); 19 | sa.sa_flags = 0; 20 | if (sigaction(SIGCHLD, &sa, NULL)) { 21 | 22 | fprintf(stderr, "could not set signal handler %d, aborted\n", errno); 23 | exit(1); 24 | 25 | } 26 | 27 | kill(getpid(), SIGCHLD); 28 | return 0; 29 | 30 | } 31 | 32 | -------------------------------------------------------------------------------- /test/travis/bionic/Dockerfile: -------------------------------------------------------------------------------- 1 | # This is the Dockerfile for testing problems in Travis build 2 | # configuration #1. 
3 | # This does not need to be rebuilt every time; most of the time it just needs to 4 | # be built once and then started when debugging issues, in which case execute: 5 | # cd /AFLplusplus/ 6 | # git pull 7 | # make distrib 8 | # 9 | FROM ubuntu:bionic 10 | LABEL "about"="travis image 1" 11 | RUN apt-get update && apt-get -y install \ 12 | automake \ 13 | bison \ 14 | build-essential \ 15 | clang \ 16 | flex \ 17 | git \ 18 | python3.7 python3.7-dev \ 19 | python3-setuptools \ 20 | libtool libtool-bin \ 21 | libglib2.0-dev \ 22 | python-setuptools \ 23 | wget \ 24 | ca-certificates \ 25 | libpixman-1-dev \ 26 | gcc-7 gcc-7-plugin-dev libc++-7-dev \ 27 | findutils \ 28 | libcmocka-dev \ 29 | joe nano vim locate \ 30 | && rm -rf /var/lib/apt/lists/* 31 | 32 | ENV AFL_NO_UI=1 33 | ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 34 | ENV LLVM_CONFIG=llvm-config-6.0 35 | 36 | RUN cd / && \ 37 | git clone https://github.com/AFLplusplus/AFLplusplus && \ 38 | cd AFLplusplus && \ 39 | git checkout dev && \ 40 | cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ 41 | cd ../unicorn_mode && git submodule init && git submodule update || true && \ 42 | cd /AFLplusplus && ASAN_BUILD=1 make source-only || true 43 | 44 | WORKDIR /AFLplusplus 45 | CMD ["/bin/bash"] 46 | -------------------------------------------------------------------------------- /test/travis/focal/Dockerfile: -------------------------------------------------------------------------------- 1 | # This is the Dockerfile for testing problems in Travis build 2 | # configuration #1. 
3 | # This does not need to be rebuilt every time; most of the time it just needs to 4 | # be built once and then started when debugging issues, in which case execute: 5 | # cd /AFLplusplus/ 6 | # git pull 7 | # make distrib 8 | # 9 | FROM ubuntu:focal 10 | LABEL "about"="travis image 4" 11 | ARG DEBIAN_FRONTEND=noninteractive 12 | RUN apt-get update && apt-get -y install \ 13 | automake \ 14 | bison \ 15 | build-essential \ 16 | clang \ 17 | flex \ 18 | git \ 19 | python3 python3-dev \ 20 | python3-setuptools \ 21 | libtool libtool-bin \ 22 | libglib2.0-dev \ 23 | python-setuptools \ 24 | wget \ 25 | ca-certificates \ 26 | libpixman-1-dev \ 27 | gcc-9 gcc-9-plugin-dev libc++-9-dev \ 28 | findutils \ 29 | libcmocka-dev \ 30 | joe nano vim locate \ 31 | && rm -rf /var/lib/apt/lists/* 32 | 33 | ENV AFL_NO_UI=1 34 | ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 35 | 36 | RUN cd / && \ 37 | git clone https://github.com/AFLplusplus/AFLplusplus && \ 38 | cd AFLplusplus && \ 39 | git checkout dev && \ 40 | cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ 41 | cd ../unicorn_mode && git submodule init && git submodule update || true && \ 42 | cd /AFLplusplus && ASAN_BUILD=1 make source-only || true 43 | 44 | WORKDIR /AFLplusplus 45 | CMD ["/bin/bash"] 46 | -------------------------------------------------------------------------------- /test/travis/trusty/Dockerfile: -------------------------------------------------------------------------------- 1 | # This is the Dockerfile for testing problems in Travis builds 2 | # configuration #3. 
3 | # This does not need to be rebuilt every time; most of the time it just needs to 4 | # be built once and then started when debugging issues, in which case execute: 5 | # cd /AFLplusplus/ 6 | # git pull 7 | # make distrib 8 | # 9 | FROM ubuntu:trusty 10 | LABEL "about"="travis image 3" 11 | RUN apt-get update && apt-get -y install \ 12 | automake \ 13 | bison \ 14 | build-essential \ 15 | clang \ 16 | flex \ 17 | git \ 18 | python2.7 python2.7-dev \ 19 | python3-setuptools \ 20 | libtool \ 21 | libglib2.0-dev \ 22 | python-setuptools \ 23 | wget \ 24 | ca-certificates \ 25 | libpixman-1-dev \ 26 | gcc-4.8 gcc-4.8-plugin-dev \ 27 | libc++-dev \ 28 | findutils \ 29 | libcmocka-dev \ 30 | joe nano vim locate \ 31 | && rm -rf /var/lib/apt/lists/* 32 | 33 | ENV TERM linux 34 | ENV DEBIAN_FRONTEND noninteractive 35 | ENV LLVM_CONFIG=llvm-config-3.4 36 | ENV AFL_NO_UI=1 37 | ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 38 | 39 | RUN cd / && \ 40 | git clone https://github.com/AFLplusplus/AFLplusplus && \ 41 | cd AFLplusplus && \ 42 | git checkout dev && \ 43 | cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ 44 | cd ../unicorn_mode && git submodule init && git submodule update || true && \ 45 | cd /AFLplusplus && ASAN_BUILD=1 make source-only || true 46 | 47 | WORKDIR /AFLplusplus 48 | CMD ["/bin/bash"] 49 | 50 | -------------------------------------------------------------------------------- /test/travis/xenial/Dockerfile: -------------------------------------------------------------------------------- 1 | # This is the Dockerfile for testing problems in Travis builds 2 | # configuration #2. 
3 | # This does not need to be rebuilt every time; most of the time it just needs to 4 | # be built once and then started when debugging issues, in which case execute: 5 | # cd /AFLplusplus/ 6 | # git pull 7 | # make distrib 8 | # 9 | FROM ubuntu:xenial 10 | LABEL "about"="travis image 2" 11 | RUN apt-get update && apt-get -y install \ 12 | automake \ 13 | bison \ 14 | build-essential \ 15 | clang-6.0 \ 16 | flex \ 17 | git \ 18 | python3 python3-dev \ 19 | python3-setuptools \ 20 | libtool libtool-bin \ 21 | libglib2.0-dev \ 22 | python-setuptools \ 23 | wget \ 24 | ca-certificates \ 25 | libpixman-1-dev \ 26 | gcc-5 gcc-5-plugin-dev \ 27 | libc++-dev \ 28 | findutils \ 29 | libcmocka-dev \ 30 | joe nano vim locate \ 31 | && rm -rf /var/lib/apt/lists/* 32 | 33 | ENV LLVM_CONFIG=llvm-config-6.0 34 | ENV AFL_NO_UI=1 35 | ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 36 | 37 | RUN cd / && \ 38 | git clone https://github.com/AFLplusplus/AFLplusplus && \ 39 | cd AFLplusplus && \ 40 | git checkout dev && \ 41 | cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ 42 | cd ../unicorn_mode && git submodule init && git submodule update || true && \ 43 | cd /AFLplusplus && ASAN_BUILD=1 make source-only || true 44 | 45 | WORKDIR /AFLplusplus 46 | CMD ["/bin/bash"] 47 | -------------------------------------------------------------------------------- /testcases/README.md: -------------------------------------------------------------------------------- 1 | # AFL starting test cases 2 | 3 | (See [../README.md](../README.md) for the general instruction manual.) 4 | 5 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 6 | standalone files that can be used to seed afl-fuzz when testing parsers for a 7 | variety of common data formats. 8 | 9 | There is probably not much to be said about these files, except that they were 10 | optimized for size and stripped of any non-essential fluff. 
Some directories 11 | contain several examples that exercise various features of the underlying format. 12 | For example, there is a PNG file with and without a color profile. 13 | 14 | Additional test cases are always welcome. 15 | 16 | In addition to well-chosen starting files, many fuzzing jobs benefit from a 17 | small and concise dictionary. See [../dictionaries/README.md](../dictionaries/README.md) for more. 18 | -------------------------------------------------------------------------------- /testcases/archives/common/ar/small_archive.a: -------------------------------------------------------------------------------- 1 | !<arch> 2 | limerick/ 1415337776 500 500 100640 191 ` 3 | There was a young man from Japan 4 | Whose limericks never would scan. 5 | When asked why that was, 6 | He replied "It's because 7 | I always try to cram as many words into the last line as I possibly can." 8 | 9 | -------------------------------------------------------------------------------- /testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /testcases/archives/common/rar/small_archive.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /testcases/archives/common/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick��������������������������������������������������������������������������������������������0000640�0000764�0000764�00000000277�12427053460�012465� 
0����������������������������������������������������������������������������������������������������ustar �lcamtuf�������������������������lcamtuf����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������There was a young man from Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can." 6 | ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� -------------------------------------------------------------------------------- 
/testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/lzip/small_archive.lz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /testcases/images/bmp/not_kitty.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/bmp/not_kitty.bmp -------------------------------------------------------------------------------- /testcases/images/gif/not_kitty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/gif/not_kitty.gif 
-------------------------------------------------------------------------------- /testcases/images/ico/not_kitty.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/ico/not_kitty.ico -------------------------------------------------------------------------------- /testcases/images/jp2/not_kitty.jp2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/jp2/not_kitty.jp2 -------------------------------------------------------------------------------- /testcases/images/jpeg/not_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/jpeg/not_kitty.jpg -------------------------------------------------------------------------------- /testcases/images/jxr/not_kitty.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/jxr/not_kitty.jxr -------------------------------------------------------------------------------- /testcases/images/png/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/png/not_kitty.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/png/not_kitty_icc.png -------------------------------------------------------------------------------- /testcases/images/tiff/not_kitty.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/tiff/not_kitty.tiff -------------------------------------------------------------------------------- /testcases/images/webp/not_kitty.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/images/webp/not_kitty.webp -------------------------------------------------------------------------------- /testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- 
/testcases/others/elf/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/others/elf/small_exec.elf -------------------------------------------------------------------------------- /testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /testcases/others/pcap/small_capture.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj 2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj 3 0 obj<</Type/Page/MediaBox[0 0 3 3]>>endobj trailer<</Size 4/Root 1 0 R>> -------------------------------------------------------------------------------- /testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /testcases/others/sql/simple_queries.sql: -------------------------------------------------------------------------------- 1 | create table t1(one smallint); 2 | insert into t1 values(1); 3 | select * from t1; 4 | -------------------------------------------------------------------------------- /testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | 
-------------------------------------------------------------------------------- /testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | <a b="c">d</a> 2 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | include/types.h -------------------------------------------------------------------------------- /unicorn_mode/UNICORNAFL_VERSION: -------------------------------------------------------------------------------- 1 | c6d66471 2 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/.gitignore: -------------------------------------------------------------------------------- 1 | harness 2 | harness-debug 3 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/COMPILE.md: -------------------------------------------------------------------------------- 1 | # C Sample 2 | 3 | This shows a simple harness for unicornafl in C. 4 | 5 | ## Compiling sample.c 6 | 7 | The target can be built using the `make` command. 8 | Just make sure you have built unicorn support first: 9 | ```bash 10 | cd /path/to/afl/unicorn_mode 11 | ./build_unicorn_support.sh 12 | ``` 13 | 14 | ## Compiling simple_target.c 15 | 16 | You shouldn't need to compile simple_target.c since an x86_64 binary version is 17 | pre-built and shipped in this sample folder. This file documents how the binary 18 | was built in case you want to rebuild it or recompile it for any reason. 19 | 20 | The pre-built binary (simple_target_x86_64.bin) was built using -g -O0 in gcc. 21 | 22 | We then load the binary and execute the main function directly. 
23 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/Makefile: -------------------------------------------------------------------------------- 1 | # UnicornAFL Usage 2 | # Original Unicorn Example Makefile by Nguyen Anh Quynh <aquynh@gmail.com>, 2015 3 | # Adapted for AFL++ by domenukk <domenukk@gmail.com>, 2020 4 | .POSIX: 5 | UNAME_S =$(shell uname -s)# GNU make 6 | UNAME_S:sh=uname -s # BSD make 7 | _UNIQ=_QINU_ 8 | 9 | LIBDIR = ../../unicornafl 10 | BIN_EXT = 11 | AR_EXT = a 12 | 13 | # Verbose output? 14 | V ?= 0 15 | 16 | CFLAGS += -Wall -Werror -I../../unicornafl/include 17 | 18 | LDFLAGS += -L$(LIBDIR) -lpthread -lm 19 | 20 | _LRT = $(_UNIQ)$(UNAME_S:Linux=) 21 | __LRT = $(_LRT:$(_UNIQ)=-lrt) 22 | LRT = $(__LRT:$(_UNIQ)=) 23 | 24 | LDFLAGS += $(LRT) 25 | 26 | _CC = $(_UNIQ)$(CROSS) 27 | __CC = $(_CC:$(_UNIQ)=$(CC)) 28 | MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc) 29 | 30 | .PHONY: all clean 31 | 32 | all: harness 33 | 34 | clean: 35 | rm -rf *.o harness harness-debug 36 | 37 | harness.o: harness.c ../../unicornafl/include/unicorn/*.h 38 | ${MYCC} ${CFLAGS} -O3 -c harness.c 39 | 40 | harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h 41 | ${MYCC} ${CFLAGS} -g -c harness.c -o $@ 42 | 43 | harness: harness.o 44 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ 45 | 46 | debug: harness-debug.o 47 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug 48 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/persistent_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 
5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss <njvoss99@gmail.com> 11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de> 12 | */ 13 | #include <stdint.h> 14 | #include <string.h> 15 | 16 | 17 | int main(int argc, char** argv) { 18 | if (argc < 2) return -1; 19 | 20 | char *data_buf = argv[1]; 21 | uint64_t data_len = strlen(data_buf); 22 | if (data_len < 20) return -2; 23 | 24 | for (; data_len --> 0 ;) { 25 | if (data_len >= 18) continue; 26 | if (data_len > 2 && data_len < 18) { 27 | ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1]; 28 | } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) { 29 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 30 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 31 | } 32 | } 33 | if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 34 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 35 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 36 | } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/persistent_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/c/persistent_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | [ -z "${UNAME}" ] && UNAME=$(uname) 4 | 5 | DIR=`dirname $0` 6 | 7 | if [ "$UNAME" = Darwin ]; then 8 | export DYLD_LIBRARY_PATH=../../unicorn 9 | else 10 | export 
LD_LIBRARY_PATH=../../unicorn 11 | fi 12 | 13 | 14 | 15 | if [ ! test -e $DIR/harness]; then 16 | echo "[!] harness not found in $DIR" 17 | exit 1 18 | fi -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | � -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/c/simple_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/c/simple_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/COMPILE.md: -------------------------------------------------------------------------------- 1 | # Compiling compcov_target.c 2 | 3 | compcov_target.c was compiled without optimization, position-independent, 4 | and without standard libraries using the following command line: 
5 | 6 | ``` 7 | gcc -o compcov_target.elf compcov_target.c -fPIC -O0 -nostdlib 8 | ``` 9 | 10 | The .text section from the resulting ELF binary was then extracted to create 11 | the raw binary blob that is loaded and emulated by compcov_test_harness.py: 12 | 13 | ``` 14 | objcopy -O binary --only-section=.text compcov_target.elf compcov_target.bin 15 | ``` 16 | 17 | Note that the output of this is padded with nulls for 16-byte alignment. This is 18 | important when emulating it, as NOPs will be added after the return of main() 19 | as necessary. 20 | -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/compcov_target.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/compcov_x64/compcov_target.bin -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/compcov_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 
9 | * 10 | * Written by Andrea Fioraldi 11 | */ 12 | 13 | // Magic address where mutated data will be placed 14 | #define DATA_ADDRESS 0x00300000 15 | 16 | int main(void) { 17 | unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; 18 | 19 | if (((unsigned short*)data_buf)[0] == 0x0100) { 20 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 21 | } else if (data_buf[1] == data_buf[2] + 0xfffe) { 22 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 23 | } 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/compcov_target.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/compcov_x64/compcov_target.elf -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | 00000000000000000000000000000000 -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/.gitignore: -------------------------------------------------------------------------------- 1 | harness 2 | harness-debug 3 | out 4 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/COMPILE.md: -------------------------------------------------------------------------------- 1 | # C Sample 2 | 3 | This shows a simple persistent harness for unicornafl in C. 4 | In contrast to the normal c harness, this harness manually resets the unicorn state on each new input. 5 | Thanks to this, we can rerun the testcase in unicorn multiple times, without the need to fork again. 6 | 7 | ## Compiling sample.c 8 | 9 | The target can be built using the `make` command. 
10 | Just make sure you have built unicorn support first: 11 | ```bash 12 | cd /path/to/afl/unicorn_mode 13 | ./build_unicorn_support.sh 14 | ``` 15 | 16 | ## Compiling persistent_target.c 17 | 18 | You don't need to compile persistent_target.c since a X86_64 binary version is 19 | pre-built and shipped in this sample folder. This file documents how the binary 20 | was built in case you want to rebuild it or recompile it for any reason. 21 | 22 | The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in gcc. 23 | 24 | We then load the binary and we execute the main function directly. 25 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/Makefile: -------------------------------------------------------------------------------- 1 | # UnicornAFL Usage 2 | # Original Unicorn Example Makefile by Nguyen Anh Quynh <aquynh@gmail.com>, 2015 3 | # Adapted for AFL++ by domenukk <domenukk@gmail.com>, 2020 4 | .POSIX: 5 | UNAME_S =$(shell uname -s)# GNU make 6 | UNAME_S:sh=uname -s # BSD make 7 | _UNIQ=_QINU_ 8 | 9 | LIBDIR = ../../unicornafl 10 | BIN_EXT = 11 | AR_EXT = a 12 | 13 | # Verbose output? 
14 | V ?= 0 15 | 16 | CFLAGS += -Wall -Werror -I../../unicornafl/include 17 | 18 | LDFLAGS += -L$(LIBDIR) -lpthread -lm 19 | 20 | _LRT = $(_UNIQ)$(UNAME_S) 21 | __LRT = $(_LRT:$(_UNIQ)Linux=-lrt) 22 | LRT = $(__LRT:$(_UNIQ)$(UNAME_S)=) 23 | 24 | LDFLAGS += $(LRT) 25 | 26 | _CC = $(_UNIQ)$(CROSS) 27 | __CC = $(_CC:$(_UNIQ)=$(CC)) 28 | MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc) 29 | 30 | .PHONY: all clean 31 | 32 | all: harness 33 | 34 | clean: 35 | rm -rf *.o harness harness-debug 36 | 37 | harness.o: harness.c ../../unicornafl/include/unicorn/*.h 38 | ${MYCC} ${CFLAGS} -O3 -c harness.c 39 | 40 | harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h 41 | ${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@ 42 | 43 | harness: harness.o 44 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ 45 | 46 | debug: harness-debug.o 47 | ${MYCC} -L${LIBDIR} harness-debug.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug 48 | 49 | fuzz: harness 50 | ../../../afl-fuzz -m none -i sample_inputs -o out -- ./harness @@ 51 | 52 | debugmake: 53 | @echo UNAME_S=$(UNAME_S), _LRT=$(_LRT), __LRT=$(__LRT), LRT=$(LRT) 54 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/persistent_target: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/persistent/persistent_target -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/persistent_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 
5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss <njvoss99@gmail.com> 11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de> 12 | */ 13 | #include <stdint.h> 14 | #include <string.h> 15 | 16 | 17 | int main(int argc, char** argv) { 18 | if (argc < 2) return -1; 19 | 20 | char *data_buf = argv[1]; 21 | uint64_t data_len = strlen(data_buf); 22 | if (data_len < 20) return -2; 23 | 24 | for (; data_len --> 0 ;) { 25 | if (data_len >= 18) continue; 26 | if (data_len > 2 && data_len < 18) { 27 | ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1]; 28 | } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) { 29 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 30 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 31 | } 32 | } 33 | if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 34 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 35 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 36 | } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/persistent_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/persistent/persistent_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | [ -z "${UNAME}" ] && UNAME=$(uname) 4 | 5 | DIR=`dirname $0` 6 | 7 | if [ "$UNAME" = Darwin ]; then 8 | export DYLD_LIBRARY_PATH=../../unicorn 9 
| else 10 | export LD_LIBRARY_PATH=../../unicorn 11 | fi 12 | 13 | 14 | 15 | if [ ! test -e $DIR/harness]; then 16 | echo "[!] harness not found in $DIR" 17 | exit 1 18 | fi -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | � -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/simple_target_noncrashing.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 
9 | * 10 | * Written by Nathan Voss <njvoss99@gmail.com> 11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de> 12 | */ 13 | 14 | 15 | int main(int argc, char** argv) { 16 | if(argc < 2){ 17 | return -1; 18 | } 19 | 20 | char *data_buf = argv[1]; 21 | 22 | if len(data_buf < 20) { 23 | if (data_buf[20] != 0) { 24 | printf("Not crashing"); 25 | } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 26 | printf("Also not crashing with databuf[0] == %c", data_buf[0]) 27 | } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { 28 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 29 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 30 | } 31 | 32 | return 0; 33 | } 34 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/simple_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/persistent/simple_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/COMPILE.md: -------------------------------------------------------------------------------- 1 | # Compiling simple_target.c 2 | 3 | You shouldn't need to compile simple_target.c since a MIPS binary version is 4 | pre-built and shipped with afl-unicorn. This file documents how the binary 5 | was built in case you want to rebuild it or recompile it for any reason. 6 | 7 | The pre-built binary (simple_target.bin) was built by cross-compiling 8 | simple_target.c for MIPS using the mips-linux-gnu-gcc package on an Ubuntu 9 | 16.04 LTS system. 
This cross compiler (and associated binutils) was installed 10 | from apt-get packages: 11 | 12 | ``` 13 | sudo apt-get install gcc-mips-linux-gnu 14 | ``` 15 | 16 | simple_target.c was compiled without optimization, position-independent, 17 | and without standard libraries using the following command line: 18 | 19 | ``` 20 | mips-linux-gnu-gcc -o simple_target.elf simple_target.c -fPIC -O0 -nostdlib 21 | ``` 22 | 23 | The .text section from the resulting ELF binary was then extracted to create 24 | the raw binary blob that is loaded and emulated by simple_test_harness.py: 25 | 26 | ``` 27 | mips-linux-gnu-objcopy -O binary --only-section=.text simple_target.elf simple_target.bin 28 | ``` 29 | 30 | In summary, to recreate simple_target.bin execute the following: 31 | 32 | ``` 33 | mips-linux-gnu-gcc -o simple_target.elf simple_target.c -fPIC -O0 -nostdlib \ 34 | && mips-linux-gnu-objcopy -O binary --only-section=.text simple_target.elf simple_target.bin \ 35 | && rm simple_target.elf 36 | ``` 37 | 38 | Note that the output of this is padded with nulls for 16-byte alignment. This is 39 | important when emulating it, as NOPs will be added after the return of main() 40 | as necessary. 
41 | -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | � -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/simple_target.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitsecurerlab/aflplusplus-hier/5ee7a2a8ac67742c3d79eeba3dfbb3ff8beea399/unicorn_mode/samples/simple/simple_target.bin -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/simple_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 
5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss <njvoss99@gmail.com> 11 | */ 12 | 13 | // Magic address where mutated data will be placed 14 | #define DATA_ADDRESS 0x00300000 15 | 16 | int main(void) { 17 | unsigned char *data_buf = (unsigned char *) DATA_ADDRESS; 18 | 19 | if (data_buf[20] != 0) { 20 | // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' 21 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 22 | } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 23 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 24 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 25 | } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { 26 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 27 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 28 | } 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /unicorn_mode/update_uc_ref.sh: -------------------------------------------------------------------------------- 1 | #/bin/sh 2 | 3 | ################################################## 4 | # AFL++ internal tool to update unicornafl ref. 5 | # Usage: ./update_uc_ref.sh <new commit hash> 6 | # If no commit hash was provided, it'll take HEAD. 7 | ################################################## 8 | 9 | UC_VERSION_FILE='./UNICORNAFL_VERSION' 10 | 11 | NEW_VERSION="$1" 12 | 13 | if [ "$NEW_VERSION" = "-h" ]; then 14 | echo "Internal script to update bound unicornafl version." 15 | echo 16 | echo "Usage: ./update_uc_ref.sh <new commit hash>" 17 | echo "If no commit hash is provided, will use HEAD." 18 | echo "-h to show this help screen." 
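exit 1
fi

# Everything below mutates the checkout; fail fast on any git error so that a
# half-updated submodule is never recorded in the version file.
git submodule init && git submodule update || exit 1
cd ./unicornafl || exit 1
git fetch origin dev 1>/dev/null || exit 1
# Discard any local modifications in the submodule before switching branches.
git stash 1>/dev/null 2>/dev/null
git stash drop 1>/dev/null 2>/dev/null
git checkout dev || exit 1

if [ -z "$NEW_VERSION" ]; then
  # No version provided, take HEAD.
  NEW_VERSION=$(git rev-parse --short HEAD)
fi

if [ -z "$NEW_VERSION" ]; then
  echo "Error getting version."
  exit 1
fi

# Pin the submodule to the requested commit; checkout fails for an unknown ref.
git checkout "$NEW_VERSION" || exit 1

# Without this check a failed cd would write the version file inside the
# submodule directory instead of next to it.
cd .. || exit 1

# Overwrite the pinned version (-f keeps this quiet if the file is absent).
rm -f "$UC_VERSION_FILE"
echo "$NEW_VERSION" > "$UC_VERSION_FILE"

echo "Done. New unicornafl version is $NEW_VERSION."
--------------------------------------------------------------------------------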