├── LICENSE
├── README.md
├── afl-2.52b.patch
├── cleanup.sh
├── client
│   ├── afl-2.52b.patch
│   ├── codeql_wget
│   │   ├── queries
│   │   │   ├── dummy.ql
│   │   │   ├── macrolearn.ql
│   │   │   ├── qlpack.yml
│   │   │   └── strings.ql
│   │   ├── wget_const_strings_cmp.dict
│   │   └── wget_const_strings_cmp_httponly.dict
│   ├── dockerfile
│   ├── input
│   ├── setup.sh
│   └── variables
├── dockerfile
├── input
├── server
│   ├── dockerfile
│   ├── setup.sh
│   └── variables
└── variables

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format.
We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# fuzzminator

This is a framework for input-guided fuzzing of network targets using afl and docker.
The idea behind this environment setup is to be able to parallelize
multiple instances of a target server in separate docker containers,
one per CPU core, all sharing a single afl sync directory.

## Network based afl
https://github.com/liangdzou/afl/tree/afl-2.39b

### Port binding problem
In the readme of network afl the chapter "12) Fuzzing network services"
introduces a problem that this environment aims to solve.

> It is not possible to run two processes under a single operating
> system kernel that bind to (listen to) the same port on the same
> address. Thus, either a special wrapper (such as could be implemented
> using LD_PRELOAD) can be used to remap each target's port to a
> different value, or only one target process can be executed per kernel
> (not per core). Parallel fuzzing of network services can be done using
> several independent hosts (a cluster), or by reconfiguring the code
> running on each core to use a different port.

We aim to build a generic approach that does not require code changes
or configuration changes, so the independent-host cluster approach is
what we are going for, using a docker container as the tenant for each
CPU core. This works because every container gets its own network
namespace, so each target instance can bind the same 127.0.0.1 port
without clashing. Starting the containers with `--network host` would
bring the conflict right back.

### Delay time guidelines
Delay before write and timeout delay are two values that need to be
found by experiment. The `timeout_delay` is the time in milliseconds a
single execution of the target may take before afl-fuzz treats that
execution as a timeout (hang).

The `delay_before_write` value is the time it takes for the server to start
and be ready to receive input; afl-fuzz waits that long after connecting
before it writes the test case to the socket.

From the documentation:

> A rule of
> thumb is the timeout_delay value should be slightly longer than three
> times the delay_before_write value, and the delay_before_write value
> should be as small as possible while consistent with an acceptable
> fraction of target process executions that time out (for example,
> around 0.1%).

The afl-fuzz command argument for `timeout_delay` is `-t ms` (afl's usual
per-execution timeout) and the argument for `delay_before_write` is `-D ms`.

### Network setup
Afl-net only supports fuzzing of targets on localhost. Using the
`-N network_specification` option we specify what connection
type and destination to use.
Here is an example of a `network_specification`:
```
afl-fuzz -i /input -o /output -N tcp://127.0.0.1:80 ./target
```

## Process thread parallelization
To deal with the port binding problem we separate the processes from
each other with Linux namespaces, through docker.

https://github.com/liangdzou/afl/blob/afl-2.39b/docs/parallel_fuzzing.txt

*Note!*
We utilize an experimental feature called multi-system parallelization.
The feature we use was introduced in afl-2.39b; this specific combination
of network and parallelization features is only available in this repo:
https://github.com/liangdzou/afl/tree/afl-2.39b

As of March 2020 the 2.39b experimental feature set for deterministic multi-masters
was not yet added to the unofficial repository github.com/jdbirdwell/afl, see:
https://github.com/jdbirdwell/afl/pull/4

> The difference between the -M and -S modes is that the master instance will
> still perform deterministic checks; while the secondary instances will
> proceed straight to random tweaks. If you don't want to do deterministic
> fuzzing at all, it's OK to run all instances with -S. With very slow or complex
> targets, or when running heavily parallelized jobs, this is usually a good plan.

> Note that running multiple -M instances is wasteful, although there is an
> experimental support for parallelizing the deterministic checks. To leverage
> that, you need to create -M instances like so:

```
$ ./afl-fuzz -i testcase_dir -o sync_dir -M masterA:1/3 [...]
$ ./afl-fuzz -i testcase_dir -o sync_dir -M masterB:2/3 [...]
$ ./afl-fuzz -i testcase_dir -o sync_dir -M masterC:3/3 [...]
```

> ...where the first value after ':' is the sequential ID of a particular master
> instance (starting at 1), and the second value is the total number of fuzzers to
> distribute the deterministic fuzzing across. Note that if you boot up fewer
> fuzzers than indicated by the second number passed to -M, you may end up with
> poor coverage.

### Intercommunication
The processes communicate using a sync directory and a shared master job.
Set up a shared volume for docker using tmpfs (so we don't wear out our SSDs with writes).
Keep in mind that tmpfs is volatile: everything under `/output`, crashes
included, is gone after a host reboot or once `cleanup.sh` removes the
volume, and the `size=100m` is shared by every instance's queue. Copy
findings out regularly and grow the volume for long campaigns.

```
$ docker volume create --driver local \
    --opt type=tmpfs \
    --opt device=tmpfs \
    --opt o=size=100m,uid=1000 \
    output
$ docker run -v output:/output --detach fuzzminator:1.0
```
Every instance is pointed at the shared directory with `-o /output`; this is
the sync dir through which the -M and -S instances exchange queue entries.

--------------------------------------------------------------------------------
/afl-2.52b.patch:
--------------------------------------------------------------------------------
--- afl-llvm-pass.so.cc	2017-03-28 09:48:48.000000000 +0200
+++ ../../afl-2.52b/llvm_mode/afl-llvm-pass.so.cc	2017-06-23 00:49:06.000000000 +0200
@@ -22,6 +22,8 @@
 
 */
 
+#define AFL_LLVM_PASS
+
 #include "../config.h"
 #include "../debug.h"
 
@@ -112,11 +114,11 @@
       BasicBlock::iterator IP = BB.getFirstInsertionPt();
       IRBuilder<> IRB(&(*IP));
 
-      if (R(100) >= inst_ratio) continue;
+      if (AFL_R(100) >= inst_ratio) continue;
 
       /* Make up cur_loc */
 
-      unsigned int cur_loc = R(MAP_SIZE);
+      unsigned int cur_loc = AFL_R(MAP_SIZE);
 
       ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
 
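Review bot: AFL_R is used in this hunk (`if (AFL_R(100) >= inst_ratio) continue;` and `unsigned int cur_loc = AFL_R(MAP_SIZE);`) but nothing in this patch defines it; unlike client/afl-2.52b.patch, which carries the types.h hunk introducing `AFL_R(x)` under `#ifdef AFL_LLVM_PASS`, this file only touches afl-llvm-pass.so.cc, so applied on its own it leaves the pass failing to compile on an undeclared AFL_R. Either add the types.h hunk here or drop this copy in favour of the client one. The file headers also disagree on the path (`--- afl-llvm-pass.so.cc` has no llvm_mode/ prefix while the `+++` line has one), so which file `patch -p1` applies this to depends on patch's file-name heuristics rather than on the patch itself.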
@@ -157,9 +159,9 @@
 
   if (!inst_blocks) WARNF("No instrumentation targets found.");
   else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
-           inst_blocks,
-           getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
-           inst_ratio);
+           inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
+           ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
+             "ASAN/MSAN" : "non-hardened"), inst_ratio);
 
 }
 
--------------------------------------------------------------------------------
/cleanup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Tear down the fuzzminator containers and the tmpfs volumes that setup.sh
# created. The volumes are tmpfs, so whatever is still in /output (crashes,
# queue) is gone afterwards: copy findings out first.
source variables

function remove() {
    # Remove containers (every container, running or not, whose name contains $NAME)
    docker rm --force $(docker ps -aq --filter "name=$NAME")
    # Remove the shared volumes
    docker volume rm "$INPUT_VOLUME"
    docker volume rm "$OUTPUT_VOLUME"
}

while true; do
    read -p "Are you sure you want to remove all $NAME docker instances and volumes? " yn
    case $yn in
        [Yy]* ) remove; break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done
--------------------------------------------------------------------------------
/client/afl-2.52b.patch:
--------------------------------------------------------------------------------
diff -rupN ./types.h ../afl-2.52b/types.h
--- ./types.h	2017-03-28 09:48:48.000000000 +0200
+++ ../afl-2.52b/types.h	2017-11-05 03:24:47.000000000 +0100
@@ -68,7 +68,11 @@ typedef int64_t s64;
       ((_ret >> 8) & 0x0000FF00)); \
   })
 
-#define R(x) (random() % (x))
+#ifdef AFL_LLVM_PASS
+# define AFL_R(x) (random() % (x))
+#else
+# define R(x) (random() % (x))
+#endif /* ^AFL_LLVM_PASS */
 
 #define STRINGIFY_INTERNAL(x) #x
 #define STRINGIFY(x) STRINGIFY_INTERNAL(x)
diff -rupN ./llvm_mode/afl-llvm-pass.so.cc ../afl-2.52b/llvm_mode/afl-llvm-pass.so.cc
--- ./llvm_mode/afl-llvm-pass.so.cc	2017-03-28 09:48:48.000000000 +0200
+++ ../afl-2.52b/llvm_mode/afl-llvm-pass.so.cc	2017-06-23 00:49:06.000000000 +0200
@@ -22,6 +22,8 @@
 
 */
 
+#define AFL_LLVM_PASS
+
 #include "../config.h"
 #include "../debug.h"
 
@@ -112,11 +114,11 @@ bool AFLCoverage::runOnModule(Module &M)
       BasicBlock::iterator IP = BB.getFirstInsertionPt();
       IRBuilder<> IRB(&(*IP));
 
-      if (R(100) >= inst_ratio) continue;
+      if (AFL_R(100) >= inst_ratio) continue;
 
       /* Make up cur_loc */
 
-      unsigned int cur_loc = R(MAP_SIZE);
+      unsigned int cur_loc = AFL_R(MAP_SIZE);
 
       ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
 
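Review bot: the context of this hunk, from `BasicBlock::iterator IP = BB.getFirstInsertionPt();` down to the `ConstantInt *CurLoc` line, was taken from afl-2.52b (the file is named after 2.52b and the `+++` timestamps are from 2017), yet client/dockerfile applies it immediately after `git checkout afl-2.39b`; if the 2.39b pass differs here the hunk is rejected and `RUN patch -p1 < afl-2.52b.patch` fails the build with nothing in the log saying why. Regenerate the diff against the liangdzou afl-2.39b tree it is meant for, or at least check it with `patch -p1 --dry-run` on that checkout before committing. The `AFL_R(MAP_SIZE)` rename also only compiles because the types.h hunk in this same file adds `AFL_R` and the `#define AFL_LLVM_PASS` sits above `#include "../config.h"`, which deserves a one-line comment at the define so nobody "cleans it up" into the include block.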
@@ -157,9 +159,9 @@ bool AFLCoverage::runOnModule(Module &M)
 
   if (!inst_blocks) WARNF("No instrumentation targets found.");
   else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
-           inst_blocks,
-           getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
-           inst_ratio);
+           inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
+           ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
+             "ASAN/MSAN" : "non-hardened"), inst_ratio);
 
 }
 
--------------------------------------------------------------------------------
/client/codeql_wget/queries/dummy.ql:
--------------------------------------------------------------------------------
/**
 * Smoke test for the wget CodeQL database: reports `if` statements whose
 * then-branch is an empty block. Only meant to confirm that the database
 * loads and that queries from this pack run at all.
 */
import cpp

from IfStmt ifstmt, Block block
where ifstmt.getThen() = block
  and block.getNumStmt() = 0
select ifstmt.getLocation(), ifstmt, "This 'if' statement is redundant."
--------------------------------------------------------------------------------
/client/codeql_wget/queries/macrolearn.ql:
--------------------------------------------------------------------------------
/**
 * Lists every invocation of wget's BOUNDED_EQUAL_NO_CASE macro together with
 * what it expands to. Used to learn which comparison helpers the constant
 * strings flow into before writing the macro sinks in strings.ql.
 */
import cpp

from MacroInvocation i
where i.getMacroName().matches("BOUNDED_EQUAL_NO_CASE")
select i.toString(), i.getLocation(), i.getAnExpandedElement()
--------------------------------------------------------------------------------
/client/codeql_wget/queries/qlpack.yml:
--------------------------------------------------------------------------------
name: wgetqueries
version: 0.0.0
libraryPathDependencies: codeql-cpp
--------------------------------------------------------------------------------
/client/codeql_wget/queries/strings.ql:
--------------------------------------------------------------------------------
/**
 * Finds string literals that reach a comparison: an argument of a function
 * whose name contains str/cmp/header/parse_content_disposition, or any
 * expression inside an invocation of an equal/cmp/str/starts macro.
 * Those literals are the protocol keywords wget compares its input against,
 * which is exactly what an afl dictionary should contain. The selected
 * values were post-processed into the .dict files next to this directory
 * (the _httponly one is in afl's name="value" format).
 */
import cpp
import semmle.code.cpp.dataflow.DataFlow

// Legacy DataFlow::Configuration class API (the one current when this was
// written, before the module-based DataFlow::ConfigSig).
class StringTaint extends DataFlow::Configuration {
  StringTaint() { this = "StringTaint" }

  // Sources: every string literal in the program.
  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof StringLiteral
  }

  // Sinks: arguments of comparison-like functions, or anything expanded
  // from a comparison-like macro (wget wraps many compares in macros,
  // see macrolearn.ql).
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      sink.asExpr() = fc.getAnArgument() and
      (
        fc.getTarget().getQualifiedName().toLowerCase().matches("%str%") or
        fc.getTarget().getQualifiedName().toLowerCase().matches("%cmp%") or
        fc.getTarget().getQualifiedName().toLowerCase().matches("%header%") or
        fc.getTarget().getQualifiedName().toLowerCase().matches("%parse_content_disposition%")
      )
    )
    or
    exists(MacroInvocation i |
      (
        i.getMacroName().toLowerCase().matches("%equal%") or
        i.getMacroName().toLowerCase().matches("%cmp%") or
        i.getMacroName().toLowerCase().matches("%str%") or
        i.getMacroName().toLowerCase().matches("%starts%")
      ) and
      (
        sink.asExpr() = i.getExpr() or
        sink.asExpr() = i.getExpr().getAChild() or
        sink.asExpr() = i.getAnExpandedElement()
      )
    )
  }
}

from StringLiteral srcStr, Expr strcmp, StringTaint config
where config.hasFlow(DataFlow::exprNode(srcStr), DataFlow::exprNode(strcmp))
select srcStr.toString(), strcmp.getLocation()
--------------------------------------------------------------------------------
/client/codeql_wget/wget_const_strings_cmp.dict:
--------------------------------------------------------------------------------

>


->


-
,
, ...
,
:
:
: <
:/
¡¯
?
?#%;
/
/:
.
..
23 | ../ 24 | ' 25 | "" 26 | [] 27 | @ 28 | @/?#; 29 | *?[] 30 | */* 31 | 32 | 33 | , 34 | 35 | 0 36 | 0123456789 37 | 1 38 | 2 39 | 215 UNIX MultiNet Unix Emulation V5.3(93) 40 | 215 UNIX Type: L8 41 | %2E%2E 42 | 425 43 | 8 44 | ‘ 45 | ’ 46 | Accept 47 | Accept-Encoding 48 | account 49 | action 50 | addhostdir 51 | allow 52 | alnum 53 | alpha 54 | anonymous 55 | application/http;msgtype=request 56 | application/http;msgtype=response 57 | application/octet-stream 58 | application/warc-fields 59 | application/xhtml+xml 60 | application/x-www-form-urlencoded 61 | ascii 62 | ASCII 63 | auth 64 | AUTH 65 | Authorization 66 | ==> AUTH TLS ... 67 | bar 68 | Basic 69 | Basic 70 | -----BEGIN PUBLIC KEY----- 71 | BIG5 72 | binary 73 | bits 74 | blank 75 | bodydata 76 | body-data 77 | bodyfile 78 | body-file 79 | br 80 | .br 81 | byte 82 | bytes 83 | C 84 | Cache-Control 85 | CDX 86 | charset= 87 | chunked 88 | Close 89 | cntrl 90 | col0 91 | compress 92 | config 93 | CONNECT 94 | Connection 95 | content 96 | Content-Disposition 97 | Content-Encoding 98 | Content-Length 99 | Content-Range 100 | content-type 101 | Content-Type 102 | Cookie 103 | Could not perform SSL handshake. 104 | CP949 105 | .css 106 | CWD 107 | %d-%b-%Y %H:%M:%S 108 | default 109 | deflate 110 | Digest 111 | digit 112 | .DIR 113 | .DIR;1 114 | dirstruct 115 | disallow 116 | domain 117 | done. 118 | done. 119 | dot 120 | ¡e 121 | -----END PUBLIC KEY----- 122 | EPRT 123 | ==> EPRT ... 124 | EPSV 125 | ==> EPSV ... 126 | Error in server response. Closing. 127 | /etc/ssl/certs 128 | EUC-JP 129 | EUC-KR 130 | EUC-TW 131 | expires 132 | filename 133 | force 134 | FTPS server rejects new SSL sessions in the data connection. 
135 | GB18030 136 | GB2312 137 | GBK 138 | GET 139 | giga 140 | graph 141 | .gz 142 | gzip 143 | HEAD 144 | %H:%M:%S 145 | Host 146 | href 147 | htm 148 | html 149 | .html 150 | HTTP 151 | http-equiv 152 | http://netpreserve.org/warc/1.0/revisit/identical-payload-digest 153 | https 154 | identity 155 | If-Modified-Since 156 | includeSubDomains 157 | /index.html 158 | index.html 159 | inf 160 | JOHAB 161 | Keep-Alive 162 | Last-Modified 163 | length 164 | ==> LIST ... 165 | .listing 166 | Location 167 | logfile 168 | login 169 | lower 170 | lowercase 171 | LPRT 172 | ==> LPRT ... 173 | LPSV 174 | ==> LPSV ... 175 | M 176 | macdef 177 | machine 178 | MACOS 179 | max-age 180 | md5 181 | MD5 182 | MD5-sess 183 | mega 184 | metadata 185 | metadata://gnu.org/software/wget/warc/MANIFEST.txt 186 | metadata://gnu.org/software/wget/warc/wget_arguments.txt 187 | metadata://gnu.org/software/wget/warc/wget.log 188 | method 189 | name 190 | .netrc 191 | no-cache 192 | noclobber 193 | no-config 194 | nocontrol 195 | nofollow 196 | none 197 | noparent 198 | noscroll 199 | NTLM 200 | NTLM 201 | orig 202 | .orig 203 | OS/400 204 | PASS 205 | --> PASS Turtle Power! 206 | password 207 | *password* 208 | PASV 209 | ==> PASV ... 210 | patch 211 | path 212 | PBSZ 213 | ==> PBSZ 0 ... 214 | port 215 | PORT 216 | ==> PORT ... 217 | POSIX 218 | post 219 | Pragma 220 | print 221 | PROT 222 | Proxy-Authorization 223 | Proxy-Connection 224 | punct 225 | put 226 | PWD 227 | quiet 228 | Range 229 | Referer 230 | refresh 231 | rel 232 | removelisting 233 | request 234 | resource 235 | response 236 | REST 237 | Resuming SSL session in data connection. 238 | RETR 239 | revisit 240 | robots 241 | /robots.txt 242 | secure 243 | Server does not like implicit FTPS connections. 244 | Server does not support AUTH TLS. 245 | Server does not support AUTH TLS. Falling back to FTP. 246 | Server does not want to resume the SSL session. Trying with a new one. 
247 | Set-Cookie 248 | sha1 249 | sha224 250 | sha256 251 | ;sha256// 252 | sha256// 253 | sha384 254 | sha512 255 | shortcut icon 256 | SIZE 257 | space 258 | spider 259 | srcset 260 | SSL session has already been resumed. Continuing. 261 | STDOUT 262 | Strict-Transport-Security 263 | style 264 | stylesheet 265 | SYST 266 | text/css 267 | text/html 268 | text/plain 269 | .tgz 270 | Thu, 01 Jan 1970 00:00:00 GMT 271 | TLS 272 | /tmp 273 | total 274 | Total of 275 | Transfer-Encoding 276 | TRUE 277 | type 278 | type= 279 | TYPE 280 | unix 281 | UNIX 282 | upper 283 | uppercase 284 | url( 285 | USER 286 | user-agent 287 | User-Agent 288 | user.xdg.origin.url 289 | user.xdg.referrer.url 290 | /usr/etc/wgetrc 291 | /usr/share/locale 292 | utf-8 293 | UTF-8 294 | verbose 295 | vms 296 | VMS 297 | WARC/1.0 298 | WARC-Block-Digest 299 | WARC-Concurrent-To 300 | WARC-Date 301 | WARC-Filename 302 | warcinfo 303 | WARC-IP-Address 304 | WARC-Payload-Digest 305 | WARC-Profile 306 | WARC-Record-ID 307 | WARC-Refers-To 308 | WARC-Target-URI 309 | WARC-Truncated 310 | WARC-Type 311 | WARC-Warcinfo-ID 312 | wget 313 | -wget@ 314 | wget-log 315 | windows 316 | WINDOWS2000 317 | WINDOWS_NT 318 | WWW-Authenticate 319 | X-Archive-Orig-last-modified 320 | x-compress 321 | xdigit 322 | x-gzip 323 | XXXXXX 324 | %Y-%m-%d %H:%M:%S 325 | %Y-%m-%dT%H:%M:%SZ 326 | .Z 327 | .zlib 328 | -------------------------------------------------------------------------------- /client/codeql_wget/wget_const_strings_cmp_httponly.dict: -------------------------------------------------------------------------------- 1 | dict10="0" 2 | dict11="Accept" 3 | dict12="Accept-Encoding" 4 | dict13="application/http;msgtype=request" 5 | dict14="application/http;msgtype=response" 6 | dict15="application/xhtml+xml" 7 | dict16="application/x-www-form-urlencoded" 8 | dict17="auth" 9 | dict18="Authorization" 10 | dict19="Basic" 11 | dict20="Basic" 12 | dict21="br" 13 | dict22=".br" 14 | dict23="bytes" 15 | 
dict24="Cache-Control"
dict25="chunked"
dict26="Close"
dict27="compress"
dict28="CONNECT"
dict29="Connection"
dict30="Content-Disposition"
dict31="Content-Encoding"
dict32="Content-Length"
dict33="Content-Range"
dict34="Content-Type"
dict35="Cookie"
dict36=".css"
dict37="deflate"
dict38="Digest"
dict39="filename"
dict40="GET"
dict41=".gz"
dict42="gzip"
dict43="HEAD"
dict44="Host"
dict45=".html"
dict46="HTTP"
dict47="http-equiv"
dict48="http://netpreserve.org/warc/1.0/revisit/identical-payload-digest"
dict49="https"
dict50="identity"
dict51="If-Modified-Since"
dict52="includeSubDomains"
dict53="Keep-Alive"
dict54="Last-Modified"
dict55="Location"
dict56="max-age"
dict57="MD5"
dict58="MD5-sess"
dict59="no-cache"
dict60="NTLM"
dict61="NTLM"
dict62="patch"
dict63="post"
dict64="Pragma"
dict65="Proxy-Authorization"
dict66="Proxy-Connection"
dict67="put"
dict68="Range"
dict69="Referer"
dict70="Set-Cookie"
dict71="Strict-Transport-Security"
dict72="text/css"
dict73="text/html"
dict74=".tgz"
dict75="Thu,"
dict76="01"
dict77="Jan"
dict78="1970"
dict79="00:00:00"
dict80="GMT"
dict81="Transfer-Encoding"
dict82="User-Agent"
dict83="WWW-Authenticate"
dict84="X-Archive-Orig-last-modified"
dict85="x-compress"
dict86="x-gzip"
dict87=".Z"
dict88=".zlib"
--------------------------------------------------------------------------------
/client/dockerfile:
--------------------------------------------------------------------------------
FROM debian:testing

ARG URL

# Standard setup
RUN apt-get update && apt-get -y install \
    wget \
    gcc \
    git \
    make \
    strace \
    tcpdump \
    procps \
    nano \
    build-essential \
    autoconf \
    automake \
    libtool \
    autotools-dev \
    clang-6.0 \
    screen \
    graphviz-dev

# Compiling the LLVM compiler needed for the afl compiler.
# If this dockerfile is running inside an ubuntu 18 image clang needs to be compiled.
# WARNING: Doing this takes up to 60GB disk space (consider running debian or precompile on host)
#RUN git clone https://github.com/llvm/llvm-project.git \
#    && cd llvm-project \
#    && mkdir build \
#    && cd build \
#    && cmake -DLLVM_ENABLE_PROJECTS=clang -G "Unix Makefiles" ../llvm \
#    && make \
#    && make install

# Installing the fuzzer
RUN git clone https://github.com/liangdzou/afl
WORKDIR "/afl"
RUN git checkout afl-2.39b
# This patch fixes an LLVM compiler bug: it backports afl-2.52b's rename of the
# R() macro to AFL_R() inside the LLVM pass, where the name collides with LLVM headers.
COPY afl-2.52b.patch /afl/
RUN patch -p1 < afl-2.52b.patch
RUN make && make -C llvm_mode LLVM_CONFIG=llvm-config-6.0 CC=clang-6.0 CXX=g++
RUN make install

# Target setup
RUN apt-get -y install libgpgme-dev autopoint
WORKDIR "/"
# The top-level directory name is taken from the last path tar prints, and is
# saved in /.env so later layers and the CMD can find the build.
RUN wget $URL \
    && dirname=$(tar -zxvf `basename ${URL}` | tail -n 1 | cut -f 1 -d '/') \
    && echo "DIR=$dirname" >> ./.env \
    && cd $dirname \
    && autoreconf -vif \
    && export CC="/afl/afl-clang-fast" AFL_CC="clang-6.0" \
    && ./configure \
    && make \
    && make install

# Make locally compiled libraries available
RUN echo "LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib" >> ./.env

# Test case setup
COPY ./input /input/
COPY codeql_wget/wget_const_strings_cmp_httponly.dict ./

# Fuzzer user setup (no -r: the first regular uid, 1000, matches the uid=1000
# the tmpfs volumes are created with in setup.sh)
RUN groupadd -r fuzz && useradd --no-log-init -g fuzz fuzz
RUN . ./.env && chown fuzz:fuzz -R $DIR
USER fuzz:fuzz

#ENTRYPOINT bash
# afl-fuzz runs detached inside a screen session; the trailing `read` keeps
# PID 1 alive so the container (started with -it by setup.sh) does not exit.
CMD set -a \
    && . ./.env \
    && screen -dm -S fuzzer \
       afl-fuzz $JOB -i /input/ -x ./wget_const_strings_cmp_httponly.dict -o /output -t 90 -L -N tcp://127.0.0.1:$PORT $TARGET $TARGET_ARGS \
    && read blocking
--------------------------------------------------------------------------------
/client/input:
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
Content-Length: 50
Content-Type: text/html
Connection: Closed


--------------------------------------------------------------------------------
/client/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Host-side setup: tune the kernel for afl, build the image and start one
# container per CPU core. Needs root for cpufreq and core_pattern.
pushd /sys/devices/system/cpu
echo performance | tee cpu*/cpufreq/scaling_governor
popd
# afl-fuzz refuses to start while crashes are piped to an external handler
echo core >/proc/sys/kernel/core_pattern
source variables

# INPUT_VOLUME is created for symmetry with cleanup.sh but never mounted;
# the seeds are baked into the image by COPY ./input in the dockerfile.
docker volume create --driver local \
    --opt type=tmpfs \
    --opt device=tmpfs \
    --opt o=size=100m,uid=1000 \
    $INPUT_VOLUME

docker volume create --driver local \
    --opt type=tmpfs \
    --opt device=tmpfs \
    --opt o=size=100m,uid=1000 \
    $OUTPUT_VOLUME

docker build --build-arg URL=$URL --tag $NAME:$VERSION .
# Env variables come from --env-file ./variables; JOB and ID are per instance.
# The volume is mounted at /$OUTPUT_VOLUME, which must be /output to match
# the -o /output in the dockerfile CMD.
# Secondaries (-S) take cores 2..nproc, then the single master (-M) is instance 1.
for id in `seq 2 $(nproc)`; do
    docker run -it -v $OUTPUT_VOLUME:/$OUTPUT_VOLUME --name $NAME.$id --env-file ./variables --env JOB="-S $id" --env ID=$id --detach $NAME:$VERSION
done
docker run -it -v $OUTPUT_VOLUME:/$OUTPUT_VOLUME --name $NAME.1 --env-file ./variables --env JOB="-M master" --env ID=1 --detach $NAME:$VERSION

# Post installation fix for a bug in rsyslog caused by systemd.
# for id in `seq 1 $(nproc)`; do
#     docker exec -d --user root $NAME.$id /etc/init.d/rsyslog restart
# done
--------------------------------------------------------------------------------
/client/variables:
--------------------------------------------------------------------------------
NAME=client_fuzzer
VERSION=0.1
OUTPUT_VOLUME=output
INPUT_VOLUME=input
TARGET=curl
# Unpinned master tarball: pin a tag or commit so crashes are reproducible
URL=https://github.com/curl/curl/archive/master.tar.gz
PORT=1337
TARGET_ARGS=http://127.0.0.1:1337
LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib
--------------------------------------------------------------------------------
/dockerfile:
--------------------------------------------------------------------------------
FROM debian:stretch-slim

ARG URL=https://github.com/kugg/fuzzample/archive/demo.tar.gz

# Standard setup
RUN apt-get update && apt-get -y install \
    libpcre++-dev \
    libssl-dev \
    zlib1g-dev \
    wget \
    gcc \
    git \
    make \
    strace \
    tcpdump \
    procps \
    nano \
    autoconf \
    automake \
    autotools-dev \
    && git clone https://github.com/liangdzou/afl \
    && cd afl \
    && git checkout afl-2.39b \
    && make \
    && make install

# Target setup
RUN wget ${URL} \
    && dirname=$(tar -zxvf `basename ${URL}` | tail -n 1 | cut -f 1 -d '/') \
    && echo "DIR=$dirname" >> ./env \
    && cd $dirname \
    && autoreconf -vif \
    && ./configure CC="afl-gcc" CXX="afl-g++" \
    && make \
    && make install

# Fuzzer setup
COPY ./input /input/
# Note: -r gives fuzz a system uid (below 1000), while the tmpfs volumes in
# client/setup.sh are created with uid=1000; a container from this image
# could not write to a volume mounted with those options.
RUN groupadd -r fuzz && useradd --no-log-init -r -g fuzz fuzz
RUN .
./env && chown fuzz:fuzz -R $DIR 41 | USER fuzz:fuzz 42 | CMD afl-fuzz $JOB -i /input -o /output -D 10 -t 90 -N tcp://127.0.0.1:9034 server 43 | -------------------------------------------------------------------------------- /input: -------------------------------------------------------------------------------- 1 | a 2 | -------------------------------------------------------------------------------- /server/dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:testing 2 | 3 | ARG URL=https://github.com/kugg/fuzzample/archive/demo.tar.gz 4 | 5 | # Standard setup 6 | RUN apt-get update && apt-get -y install \ 7 | wget \ 8 | gcc \ 9 | git \ 10 | make \ 11 | strace \ 12 | tcpdump \ 13 | procps \ 14 | nano \ 15 | build-essential \ 16 | autoconf \ 17 | automake \ 18 | autotools-dev \ 19 | clang-6.0 \ 20 | graphviz-dev 21 | 22 | # Compiling th LLVM compiler needed for the afl compiler. 23 | # If this dockerfile is running inside a ubuntu 18 image clang needs to be compiled. 24 | #RUN git clone https://github.com/llvm/llvm-project.git \ 25 | # && cd llvm-project \ 26 | # && mkdir build \ 27 | # && cmake -DLLVM_ENABLE_PROJECTS=clang -G "Unix Makefiles" ../llvm \ 28 | # && make 29 | # && make install 30 | 31 | #RUN git clone https://github.com/liangdzou/afl 32 | RUN git clone https://github.com/aflnet/aflnet 33 | WORKDIR "/aflnet" 34 | #RUN git checkout afl-2.39b 35 | # This patch fizes a LLVM comiler bug. 
36 | #COPY afl-2.52b.patch /afl/ 37 | #RUN patch -p1 < afl-2.52b.patch 38 | RUN make && make -C llvm_mode LLVM_CONFIG=llvm-config-6.0 CC=clang-6.0 CXX=g++ 39 | RUN make install 40 | 41 | # Target setup 42 | WORKDIR "/" 43 | RUN wget ${URL} \ 44 | && dirname=$(tar -zxvf `basename ${URL}`| tail -n 1 | cut -f 1 -d '/') \ 45 | && echo "DIR=$dirname" >> ./env \ 46 | && cd $dirname \ 47 | && autoreconf -vif \ 48 | && export CC="/aflnet/afl-clang-fast" AFL_CC="clang-6.0" \ 49 | && ./configure \ 50 | && make \ 51 | && make install 52 | 53 | # Fuzzer setup 54 | COPY ./input /input/ 55 | RUN groupadd -r fuzz && useradd --no-log-init -r -g fuzz fuzz 56 | RUN . ./env && chown fuzz:fuzz -R $DIR 57 | USER fuzz:fuzz 58 | ENTRYPOINT bash 59 | #CMD afl-fuzz $JOB -i /input/ -o /output -D 10 -t 90 -N tcp://127.0.0.1:9034 server 60 | -------------------------------------------------------------------------------- /server/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | pushd /sys/devices/system/cpu 3 | echo performance | tee cpu*/cpufreq/scaling_governor 4 | popd 5 | echo core >/proc/sys/kernel/core_pattern 6 | source variables 7 | 8 | docker volume create --driver local \ 9 | --opt type=tmpfs \ 10 | --opt device=tmpfs \ 11 | --opt o=size=100m,uid=1000 \ 12 | $INPUT_VOLUME 13 | 14 | docker volume create --driver local \ 15 | --opt type=tmpfs \ 16 | --opt device=tmpfs \ 17 | --opt o=size=100m,uid=1000 \ 18 | $OUTPUT_VOLUME 19 | 20 | docker build --tag $NAME:$VERSION . 
21 | 22 | #for id in `seq 2 $(nproc)`; do 23 | # docker run -v $INPUT_VOLUME:/$INPUT_VOLUME -v $OUTPUT_VOLUME:/$OUTPUT_VOLUME --name $NAME.$id --env URL=$url --env JOB="-S $id" --env ID=$id --detach $NAME:$VERSION 24 | #done 25 | docker run -v $INPUT_VOLUME:/$INPUT_VOLUME -v $OUTPUT_VOLUME:/$OUTPUT_VOLUME --name $NAME.1 --env URL=$url --env JOB='-M master' --env ID=$id --detach $NAME:$VERSION 26 | 27 | # Post installation fix for a bug in rsyslog caused by systemd. 28 | # for id in `seq 1 $(nproc)`; do 29 | # docker exec -d --user root $NAME.$id /etc/init.d/rsyslog restart 30 | # done 31 | -------------------------------------------------------------------------------- /server/variables: -------------------------------------------------------------------------------- 1 | NAME=demo 2 | VERSION=0.1 3 | OUTPUT_VOLUME=output 4 | INPUT_VOLUME=input 5 | URL=https://github.com/kugg/fuzzample/archive/demo.tar.gz 6 | -------------------------------------------------------------------------------- /variables: -------------------------------------------------------------------------------- 1 | NAME=demo 2 | VERSION=0.1 3 | OUTPUT_VOLUME=output 4 | INPUT_VOLUME=input 5 | URL=https://github.com/kugg/fuzzample/archive/demo.tar.gz 6 | --------------------------------------------------------------------------------
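The client fuzzer hands afl-fuzz the `wget_const_strings_cmp_httponly.dict` shown above with `-x`. afl-fuzz aborts at startup on a malformed entry or a token over 128 bytes, silently accepts duplicates (the dictionary above lists `"NTLM"` twice, as dict60 and dict61), and past 200 tokens only uses the extras probabilistically, so a quick lint before a multi-day campaign pays off. The following is an added example, not code from the fuzzample repository; it assumes the standard afl-fuzz 2.52b dictionary grammar (`name="token"` or `name@level="token"`, `#` comments, `\\`, `\"` and `\xNN` escapes) and the 2.52b `config.h` limits `MAX_DICT_FILE = 128` and `MAX_DET_EXTRAS = 200`. The sample dictionary it writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the fuzzample repository): lint an afl-fuzz -x dictionary
# such as wget_const_strings_cmp_httponly.dict before starting a campaign.
#
# Assumed grammar (afl-fuzz load_extras_file): one  name="token"  or  name@level="token"
# per line, '#' starts a comment, tokens may use the escapes \\ , \" and \xNN.
# Findings, most severe first:
#   - malformed entry          -> afl-fuzz aborts at startup
#   - token longer than 128 B  -> afl-fuzz aborts (MAX_DICT_FILE in AFL 2.52b config.h)
#   - duplicate token value    -> accepted, but the deterministic "extras" stage runs it twice
#   - more than 200 tokens     -> beyond MAX_DET_EXTRAS they are only used probabilistically
# One finding per output line; exit status 1 if anything was found, 0 if clean.

MAX_TOKEN_LEN=128
MAX_DET_EXTRAS=200

# decoded_len STRING: byte length of a token after undoing \xNN, \\ and \" escapes.
# The single left-to-right substitution keeps  \\x41  (escaped backslash + "x41") at 4 bytes.
decoded_len() {
  printf '%s' "$1" | sed -E 's/\\(x[0-9a-fA-F]{2}|.)/X/g' | wc -c | tr -d ' '
}

check_afl_dict() {
  dict=$1
  found=0
  ntok=0
  lineno=0
  values=$(mktemp)
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line=${line#"${line%%[![:space:]]*}"}        # afl-fuzz skips leading whitespace
    case $line in
      ''|'#'*) continue ;;
    esac
    if ! printf '%s\n' "$line" | grep -Eq '^[^="@[:space:]]+(@[0-9]+)?="(\\.|[^"\\])*"$'; then
      echo "$dict:$lineno: malformed entry: $line"
      found=$((found + 1))
      continue
    fi
    ntok=$((ntok + 1))
    value=${line#*=\"}                           # drop  name="  (first =" on the line)
    value=${value%\"}                            # drop the closing quote
    len=$(decoded_len "$value")
    if [ "$len" -gt "$MAX_TOKEN_LEN" ]; then
      echo "$dict:$lineno: token is $len bytes, limit is $MAX_TOKEN_LEN"
      found=$((found + 1))
    fi
    printf '%s\n' "$value" >> "$values"
  done < "$dict"
  # Same token under different names: harmless for correctness, wasted cycles for the fuzzer.
  sort "$values" | uniq -d | while IFS= read -r dup; do
    echo "$dict: duplicate token \"$dup\""
  done
  found=$((found + $(sort "$values" | uniq -d | wc -l)))
  rm -f "$values"
  if [ "$ntok" -gt "$MAX_DET_EXTRAS" ]; then
    echo "$dict: $ntok tokens, only $MAX_DET_EXTRAS are used deterministically"
    found=$((found + 1))
  fi
  [ "$found" -eq 0 ]
}

# make_sample_dict PATH: constructed sample modelled on the repository's wget dictionary,
# with its doubled "NTLM" entry plus one over-long token and one malformed line.
make_sample_dict() {
  long=$(printf '%0130d' 0 | tr 0 A)
  cat > "$1" <<EOF
# HTTP tokens (constructed sample)
dict29="Connection"
dict32="Content-Length"
dict60="NTLM"
dict61="NTLM"
dict75="Thu, 01 Jan 1970"
quoted="say \\"hi\\""
crlf@2="\\x0d\\x0a"
toolong="$long"
broken=Cookie
EOF
}

sample=$(mktemp)
make_sample_dict "$sample"
check_afl_dict "$sample" || echo "=> fix the dictionary before starting afl-fuzz"
rm -f "$sample"
```

Run it as `check_afl_dict codeql_wget/wget_const_strings_cmp_httponly.dict` from the `client` directory; on the dictionary above it reports the duplicated `"NTLM"` and nothing else. The length check decodes escapes first, because afl-fuzz enforces its 128-byte limit on the decoded token, not on the source line.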
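`client/setup.sh` starts one `-M master` and `-S 2 .. nproc` secondaries that all write into the shared tmpfs volume mounted at `/output`, so the host sees one AFL sync directory with a `fuzzer_stats` file per instance. `afl-whatsup` decides liveness with `kill -0 $fuzzer_pid`, which is meaningless from the host because every container has its own PID namespace; the `last_update` timestamp, which afl-fuzz 2.52b rewrites roughly every 60 seconds, works across that boundary. The following host-side report is an added example, not code from the fuzzample repository; it assumes the standard afl-fuzz 2.52b `fuzzer_stats` keys (`last_update`, `execs_per_sec`, `paths_total`, `unique_crashes`, `unique_hangs`, `stability`), and the stats files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the fuzzample repository): summarise an AFL parallel sync
# directory such as the /output volume shared by the master and secondaries started by
# client/setup.sh. Reads <sync_dir>/<instance>/fuzzer_stats (afl-fuzz 2.52b rewrites it
# about every 60 s) and flags instances that stopped reporting and instances with crashes.
# Assumption: the standard 2.52b stats keys are present; forks may add keys but keep these.

STALE_AFTER=180   # seconds without a stats rewrite before an instance counts as dead

# stat_get FILE KEY: value of KEY in a fuzzer_stats file; keeps colons in the value
# (command_line contains tcp://...), empty if the key is missing.
stat_get() {
  awk -v k="$2" '$1 == k { sub(/^[^:]*: */, ""); print; exit }' "$1"
}

# afl_sync_report SYNC_DIR [NOW]: one line per instance plus a summary line.
afl_sync_report() {
  sync_dir=$1
  now=${2:-$(date +%s)}
  total=0; alive=0; crashes=0
  for stats in "$sync_dir"/*/fuzzer_stats; do
    [ -f "$stats" ] || continue
    name=$(basename "$(dirname "$stats")")
    total=$((total + 1))
    last=$(stat_get "$stats" last_update); last=${last:-0}
    eps=$(stat_get "$stats" execs_per_sec)
    paths=$(stat_get "$stats" paths_total)
    uc=$(stat_get "$stats" unique_crashes); uc=${uc:-0}
    uh=$(stat_get "$stats" unique_hangs)
    stab=$(stat_get "$stats" stability | tr -d '%')
    age=$((now - last))
    if [ "$age" -gt "$STALE_AFTER" ]; then
      state="DEAD (no update for ${age}s)"
    else
      alive=$((alive + 1)); state="alive"
    fi
    crashes=$((crashes + uc))
    printf '%-8s %-28s execs/s=%-8s paths=%-5s crashes=%-3s hangs=%-3s stability=%s%%\n' \
      "$name" "$state" "$eps" "$paths" "$uc" "$uh" "$stab"
  done
  echo "summary: instances=$total alive=$alive unique_crashes=$crashes"
}

# make_sample_sync DIR: constructed stats for a master that saved one crash and a
# secondary that stopped reporting (all values made up for this example).
make_sample_sync() {
  mkdir -p "$1/master" "$1/2"
  cat > "$1/master/fuzzer_stats" <<'EOF'
start_time        : 1700000000
last_update       : 1700003600
fuzzer_pid        : 17
execs_done        : 5400000
execs_per_sec     : 1500.25
paths_total       : 412
paths_imported    : 32
stability         : 99.51%
bitmap_cvg        : 4.12%
unique_crashes    : 1
unique_hangs      : 0
last_crash        : 1700002000
exec_timeout      : 90
afl_version       : 2.52b
command_line      : afl-fuzz -M master -i /input/ -o /output -t 90 -L -N tcp://127.0.0.1:1337 target http://127.0.0.1:1337
EOF
  cat > "$1/2/fuzzer_stats" <<'EOF'
start_time        : 1700000000
last_update       : 1700001000
fuzzer_pid        : 18
execs_per_sec     : 0.00
paths_total       : 120
stability         : 100.00%
unique_crashes    : 0
unique_hangs      : 0
command_line      : afl-fuzz -S 2 -i /input/ -o /output -t 90 -L -N tcp://127.0.0.1:1337 target http://127.0.0.1:1337
EOF
}

sample=$(mktemp -d)
make_sample_sync "$sample"
afl_sync_report "$sample" 1700003700
rm -rf "$sample"
```

On the host, point it at the volume's backing directory: `afl_sync_report "$(docker volume inspect -f '{{.Mountpoint}}' output)"`. Anything reported `DEAD` is a container to `docker logs`; a non-zero `unique_crashes` means `<sync_dir>/<instance>/crashes/` has inputs to triage, which you should copy off the tmpfs volume before the containers are torn down.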