├── lib ├── __init__.py └── OsxProbe.py ├── formulas ├── __init__.py ├── lzip.py ├── mediainfo.py ├── gzip.py ├── rtmpdump.py ├── libwebm.py ├── poppler.py ├── udis86.py ├── libogg.py ├── libvpx.py ├── lzo.py ├── wladx.py ├── gnupg.py ├── theora.py ├── bzip2.py ├── tcpdump.py ├── gettext.py ├── ijgjpeg.py ├── jansson.py ├── libexif.py ├── libpng.py ├── imagemagick.py ├── opus.py ├── freetype2.py ├── libarchive.py ├── yasm.py ├── libxml2.py ├── giflib.py ├── xzembedded.py ├── lodepng.py ├── nasm.py ├── patch.py ├── vorbis.py ├── libwebp.py ├── xz.py ├── cppcheck.py ├── libjpegturbo.py ├── elfutils.py ├── flac.py ├── zlib.py ├── tar.py ├── opustools.py ├── libmspack.py ├── libtiff.py ├── speex.py └── pdfium.py ├── testcases ├── others │ ├── text │ │ └── hello.txt │ ├── xml │ │ ├── small_document.xml │ │ └── base2.xml │ ├── rtf │ │ └── small_document.rtf │ ├── elf │ │ └── small_exec.elf │ ├── pcap │ │ └── small_capture.pcap │ └── c │ │ └── boottest.c ├── audio │ ├── wave │ │ └── sound.wav │ ├── opus │ │ └── sound.opus │ ├── flac │ │ └── flac_001.flac │ ├── speex │ │ └── speex_001.spx │ └── vorbis │ │ └── vorbis_001.oga ├── fonts │ └── ttf │ │ └── ttf_001.ttf ├── executables │ └── elf │ │ ├── hello.elf │ │ └── hello.elf-obj ├── archives │ ├── cab │ │ ├── bad_nofiles.cab │ │ ├── reserve_---.cab │ │ ├── reserve_--D.cab │ │ ├── reserve_-F-.cab │ │ ├── reserve_-FD.cab │ │ ├── reserve_H--.cab │ │ ├── reserve_H-D.cab │ │ ├── reserve_HF-.cab │ │ ├── reserve_HFD.cab │ │ ├── bad_nofolders.cab │ │ ├── bad_signature.cab │ │ ├── search_basic.cab │ │ ├── bad_folderindex.cab │ │ ├── multi_basic_pt1.cab │ │ ├── multi_basic_pt2.cab │ │ ├── multi_basic_pt3.cab │ │ ├── multi_basic_pt4.cab │ │ ├── multi_basic_pt5.cab │ │ ├── partial_nodata.cab │ │ ├── partial_nofiles.cab │ │ ├── partial_nofolder.cab │ │ ├── search_tricky1.cab │ │ ├── partial_shortfile1.cab │ │ ├── partial_shortfile2.cab │ │ ├── normal_255c_filename.cab │ │ ├── normal_2files_1folder.cab │ │ ├── partial_shortfolder.cab │ │ 
├── partial_shortheader.cab │ │ ├── partial_str_nofname.cab │ │ ├── partial_str_noninfo.cab │ │ ├── partial_str_nonname.cab │ │ ├── partial_str_nopinfo.cab │ │ ├── partial_str_nopname.cab │ │ ├── partial_shortextheader.cab │ │ ├── partial_str_shortfname.cab │ │ ├── partial_str_shortninfo.cab │ │ ├── partial_str_shortnname.cab │ │ ├── partial_str_shortpinfo.cab │ │ └── partial_str_shortpname.cab │ ├── xz │ │ └── small_archive.xz │ ├── gzip │ │ └── small_archive.gz │ ├── lzo │ │ └── small_achive.lzo │ ├── zip │ │ └── small_archive.zip │ ├── deflate │ │ └── small_archive.deflate │ └── tar │ │ └── small_archive.tar └── images │ ├── bmp │ └── hello_kitty.bmp │ ├── gif │ └── hello_kitty.gif │ ├── ico │ └── hello_kitty.ico │ ├── jp2 │ └── hello_kitty.jp2 │ ├── jpeg │ └── hello_kitty.jpg │ ├── png │ └── hello_kitty.png │ ├── tiff │ └── hello_kitty.tif │ └── webp │ └── hello_kitty_lossless.webp ├── .gitignore ├── TODO.md ├── README.md ├── triage └── fuzz /lib/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /formulas/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /testcases/others/text/hello.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | d 2 | -------------------------------------------------------------------------------- /testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | *.pyc 2 | __pycache__ 3 | .cache 4 | .fuzz-afl 5 | test.* 6 | -------------------------------------------------------------------------------- /testcases/audio/wave/sound.wav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/audio/wave/sound.wav -------------------------------------------------------------------------------- /testcases/audio/opus/sound.opus: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/audio/opus/sound.opus -------------------------------------------------------------------------------- /testcases/fonts/ttf/ttf_001.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/fonts/ttf/ttf_001.ttf -------------------------------------------------------------------------------- /testcases/audio/flac/flac_001.flac: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/audio/flac/flac_001.flac -------------------------------------------------------------------------------- /testcases/audio/speex/speex_001.spx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/audio/speex/speex_001.spx -------------------------------------------------------------------------------- /testcases/executables/elf/hello.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/executables/elf/hello.elf -------------------------------------------------------------------------------- 
/testcases/others/elf/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/others/elf/small_exec.elf -------------------------------------------------------------------------------- /testcases/archives/cab/bad_nofiles.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/bad_nofiles.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_---.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_---.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_--D.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_--D.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_-F-.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_-F-.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_-FD.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_-FD.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_H--.cab: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_H--.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_H-D.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_H-D.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_HF-.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_HF-.cab -------------------------------------------------------------------------------- /testcases/archives/cab/reserve_HFD.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/reserve_HFD.cab -------------------------------------------------------------------------------- /testcases/archives/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/xz/small_archive.xz -------------------------------------------------------------------------------- /testcases/audio/vorbis/vorbis_001.oga: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/audio/vorbis/vorbis_001.oga -------------------------------------------------------------------------------- /testcases/images/bmp/hello_kitty.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/bmp/hello_kitty.bmp -------------------------------------------------------------------------------- 
/testcases/images/gif/hello_kitty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/gif/hello_kitty.gif -------------------------------------------------------------------------------- /testcases/images/ico/hello_kitty.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/ico/hello_kitty.ico -------------------------------------------------------------------------------- /testcases/images/jp2/hello_kitty.jp2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/jp2/hello_kitty.jp2 -------------------------------------------------------------------------------- /testcases/images/jpeg/hello_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/jpeg/hello_kitty.jpg -------------------------------------------------------------------------------- /testcases/images/png/hello_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/png/hello_kitty.png -------------------------------------------------------------------------------- /testcases/images/tiff/hello_kitty.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/tiff/hello_kitty.tif -------------------------------------------------------------------------------- /testcases/archives/cab/bad_nofolders.cab: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/bad_nofolders.cab -------------------------------------------------------------------------------- /testcases/archives/cab/bad_signature.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/bad_signature.cab -------------------------------------------------------------------------------- /testcases/archives/cab/search_basic.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/search_basic.cab -------------------------------------------------------------------------------- /testcases/archives/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/gzip/small_archive.gz -------------------------------------------------------------------------------- /testcases/archives/lzo/small_achive.lzo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/lzo/small_achive.lzo -------------------------------------------------------------------------------- /testcases/archives/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/zip/small_archive.zip -------------------------------------------------------------------------------- /testcases/executables/elf/hello.elf-obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/executables/elf/hello.elf-obj 
-------------------------------------------------------------------------------- /testcases/others/pcap/small_capture.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /testcases/archives/cab/bad_folderindex.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/bad_folderindex.cab -------------------------------------------------------------------------------- /testcases/archives/cab/multi_basic_pt1.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/multi_basic_pt1.cab -------------------------------------------------------------------------------- /testcases/archives/cab/multi_basic_pt2.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/multi_basic_pt2.cab -------------------------------------------------------------------------------- /testcases/archives/cab/multi_basic_pt3.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/multi_basic_pt3.cab -------------------------------------------------------------------------------- /testcases/archives/cab/multi_basic_pt4.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/multi_basic_pt4.cab -------------------------------------------------------------------------------- /testcases/archives/cab/multi_basic_pt5.cab: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/multi_basic_pt5.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_nodata.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_nodata.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_nofiles.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_nofiles.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_nofolder.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_nofolder.cab -------------------------------------------------------------------------------- /testcases/archives/cab/search_tricky1.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/search_tricky1.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_shortfile1.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_shortfile1.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_shortfile2.cab: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_shortfile2.cab -------------------------------------------------------------------------------- /testcases/archives/cab/normal_255c_filename.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/normal_255c_filename.cab -------------------------------------------------------------------------------- /testcases/archives/cab/normal_2files_1folder.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/normal_2files_1folder.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_shortfolder.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_shortfolder.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_shortheader.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_shortheader.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_nofname.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_nofname.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_noninfo.cab: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_noninfo.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_nonname.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_nonname.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_nopinfo.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_nopinfo.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_nopname.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_nopname.cab -------------------------------------------------------------------------------- /testcases/archives/deflate/small_archive.deflate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/deflate/small_archive.deflate -------------------------------------------------------------------------------- /testcases/images/webp/hello_kitty_lossless.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/images/webp/hello_kitty_lossless.webp -------------------------------------------------------------------------------- /testcases/archives/cab/partial_shortextheader.cab: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_shortextheader.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_shortfname.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_shortfname.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_shortninfo.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_shortninfo.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_shortnname.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_shortnname.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_shortpinfo.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_shortpinfo.cab -------------------------------------------------------------------------------- /testcases/archives/cab/partial_str_shortpname.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/martinlindhe/autofuzz/HEAD/testcases/archives/cab/partial_str_shortpname.cab -------------------------------------------------------------------------------- /testcases/others/xml/base2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 
--------------------------------------------------------------------------------
/TODO.md:
--------------------------------------------------------------------------------
SETUP:
pip3 install psutil

TODO
support building with asan


TODO formulas
vlc, wireshark, ffmpeg, libav, sqlite

Compression and archive formats: tar, zip
Non-web images: jp2, jbig, tiff
Audio and video: mp3, aac, h264
Miscellaneous tools & libraries: file, lcms

http://lcamtuf.coredump.cx/afl_demo/
--------------------------------------------------------------------------------
/formulas/lzip.py:
--------------------------------------------------------------------------------
# STATUS xxx

# TODO only release tarballs

class lzip:
    """Fuzz formula for lzip: origin, AFL build steps and fuzz target.

    Every formula in this directory is a plain attribute-only class with the
    same fields; "xxx" marks values the author has not filled in yet.
    """
    # Evaluates to the module's __name__ (e.g. "formulas.lzip"), not the class name.
    name = __name__
    home = "http://www.nongnu.org/lzip/lzip.html"
    # Empty: no SCM checkout is configured (see the TODO above about tarballs).
    scmOrigin = ""
    # File extensions / sample types the target accepts (see testcases/).
    dataTypes = [
        "xxx"
    ]

    # Binary to fuzz, relative to the checkout; placeholder until the formula is fixed.
    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "xxx"
    ]
--------------------------------------------------------------------------------
/formulas/mediainfo.py:
--------------------------------------------------------------------------------
# STATUS borked

class mediainfo:
    """Fuzz formula for MediaInfo (currently marked borked)."""
    name = __name__
    home = "http://mediaarea.net/en/MediaInfo"
    # NOTE(review): plain-http svn checkout is unauthenticated; the build steps
    # run whatever was fetched, so pin a revision and verify it before building.
    scmOrigin = "svn co http://svn.code.sf.net/p/mediainfo/code/ {destination}"
    dataTypes = [
        "xxx"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        ""
    ]

    build = [
        ""
    ]
--------------------------------------------------------------------------------
/formulas/gzip.py:
--------------------------------------------------------------------------------
# STATUS xxxx

class gzip:
    """Fuzz formula for GNU gzip."""
    name = __name__
    home = "http://www.gzip.org/"

    # NOTE(review): http:// git transport is unauthenticated — pin a commit/tag
    # and verify it before running the build steps below.
    # {destination} is presumably substituted by the runner — confirm in lib/.
    scmOrigin = "git clone http://git.savannah.gnu.org/r/gzip.git {destination}"
    dataTypes = [
        "gz"
    ]

    target = "xxxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    # {AFL_CC} presumably expands to AFL's compiler wrapper — confirm in lib/.
    build = [
        "./bootstrap",
        "CC={AFL_CC} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/rtmpdump.py:
--------------------------------------------------------------------------------
# STATUS builds, no target to fuzz

class rtmpdump:
    """Fuzz formula for rtmpdump (builds, but no fuzz target chosen yet)."""
    name = __name__
    home = "https://rtmpdump.mplayerhq.hu/"
    # NOTE(review): git:// transport is unauthenticated — pin a commit/tag and
    # verify it before building.
    scmOrigin = "git clone git://git.ffmpeg.org/rtmpdump {destination}"
    dataTypes = [
        "xxx"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "make SYS=darwin CC={AFL_CC}" ### XXXX SYS=posix on Linux! !!!
    ]
--------------------------------------------------------------------------------
/formulas/libwebm.py:
--------------------------------------------------------------------------------
# STATUS builds

# XXX need sample, and dont know how to test it...

class libwebm:
    """Fuzz formula for libwebm (builds; no sample or target yet)."""
    name = __name__
    home = "http://www.webmproject.org/code/"
    scmOrigin = "git clone https://chromium.googlesource.com/webm/libwebm {destination}"
    dataTypes = [
        "xxx"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make clean"
    ]

    build = [
        "make CXX={AFL_CXX}"
    ]
--------------------------------------------------------------------------------
/formulas/poppler.py:
--------------------------------------------------------------------------------
# STATUS borked


class poppler:
    """Fuzz formula for poppler (PDF); currently marked borked."""
    name = __name__
    home = "http://poppler.freedesktop.org/"
    # NOTE(review): git:// transport is unauthenticated — pin a commit/tag and
    # verify it before building.
    scmOrigin = "git clone git://git.freedesktop.org/git/poppler/poppler {destination}"
    dataTypes = [
        "pdf"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "CC={AFL_CC} CXX={AFL_CXX} ./autogen.sh --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/udis86.py:
--------------------------------------------------------------------------------
# STATUS runs


class udis86:
    """Fuzz formula for udis86: fuzzes the udcli disassembler with ELF samples."""
    name = __name__
    home = "http://udis86.sourceforge.net/"
    scmOrigin = "git clone https://github.com/vmt/udis86.git {destination}"
    dataTypes = [
        "elf"
    ]

    target = "udcli/udcli"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "./autogen.sh",
        "./configure --disable-shared CC={AFL_CC}",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/libogg.py:
--------------------------------------------------------------------------------
# STATUS builds

# XXX need a target binary, the supplied ones is useless

class libogg:
    """Fuzz formula for libogg (builds; target binary still empty)."""
    name = __name__
    home = "http://xiph.org/ogg/"
    scmOrigin = "git clone https://git.xiph.org/mirrors/ogg.git {destination}"
    dataTypes = [
        "ogg"
    ]

    target = ""
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "CC={AFL_CC} ./autogen.sh --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/libvpx.py:
--------------------------------------------------------------------------------
# STATUS builds

# XXX need sample

class libvpx:
    """Fuzz formula for libvpx: target is the vpxdec decoder."""
    name = __name__
    home = "http://www.webmproject.org/code/"
    scmOrigin = "git clone https://chromium.googlesource.com/webm/libvpx {destination}"
    dataTypes = [
        "xxx"
    ]

    target = "vpxdec"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "CC={AFL_CC} CXX={AFL_CXX} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/lzo.py:
--------------------------------------------------------------------------------
# STATUS borked

class lzo:
    """Fuzz formula for LZO (tarball-only upstream; currently borked)."""
    name = __name__
    home = "http://www.oberhumer.com/opensource/lzo/"

    # XXX http://www.oberhumer.com/opensource/lzo/download/lzo-2.08.tar.gz
    # NOTE(review): if tarball support is added, record a checksum and verify
    # it on download — the URL above is plain http.
    scmOrigin = ""
    dataTypes = [
        "lzo"
    ]

    target = "xxxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "./bootstrap",
        "CC={AFL_CC} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/wladx.py:
--------------------------------------------------------------------------------
# STATUS: works

# Jul 2015: xxx


class wladx:
    """Fuzz formula for WLA DX: fuzzes the wla-gb assembler with text input."""
    name = __name__
    home = "https://github.com/vhelin/wla-dx"
    scmOrigin = "git clone https://github.com/vhelin/wla-dx.git {destination}"
    dataTypes = [
        "txt"
    ]

    target = "build/binaries/wla-gb"
    # Only formula that passes an extra argument to the target.
    targetParam = "-o"
    aflFuzzParam = ""

    # Nothing to clean: the build happens in a separate build/ directory.
    clean = [
    ]

    build = [
        "mkdir -p build",
        "cd build && CC={AFL_CC} cmake -DCMAKE_BUILD_TYPE=Debug .. && make"
    ]
--------------------------------------------------------------------------------
/formulas/gnupg.py:
--------------------------------------------------------------------------------
# STATUS xxx

# TODO osx: gettext is not available, build fails

class gnupg:
    """Fuzz formula for GnuPG (build currently fails on OS X)."""
    name = __name__
    home = "https://gnupg.org/"
    # NOTE(review): git:// transport is unauthenticated — pin a commit/tag and
    # verify it before building.
    scmOrigin = "git clone git://git.gnupg.org/gnupg.git {destination}"
    dataTypes = [
        "xxx"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "./autogen.sh",
        "CC={AFL_CC} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/theora.py:
--------------------------------------------------------------------------------
# STATUS builds

# XXX need sample & target binary

class theora:
    """Fuzz formula for libtheora (builds; sample and target still open)."""
    name = __name__
    home = "http://www.theora.org/"
    # NOTE(review): unlike every other formula this origin has no "git clone"
    # prefix — confirm whether the runner prepends it, otherwise the checkout fails.
    scmOrigin = "https://git.xiph.org/mirrors/theora.git {destination}"
    dataTypes = [
        "theora"
    ]

    target = "examples/dump_video" # XXX not sure its a fuzzable target
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "CC={AFL_CC} ./autogen.sh --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/bzip2.py:
--------------------------------------------------------------------------------
# STATUS xxxx, no scm exists ???

class bzip2:
    """Fuzz formula for bzip2 (no SCM upstream; tarball only)."""
    name = __name__
    home = "http://www.bzip.org/"
    scmOrigin = ""
    ## http://www.bzip.org/1.0.6/bzip2-1.0.6.tar.gz md5 = 00b516f4704d4a7cb50a1d97e6e8e15b, sha1 = ???, emailed the bzip2 maintainer asking whether he can supply a SHA-1 and a GPG-signed file
    # NOTE(review): an md5 alone does not authenticate a tarball fetched over
    # plain http; prefer a signature check (or at least a SHA-256) once available.
    dataTypes = [
        "bz2"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "CC={AFL_CC} ./configure",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/tcpdump.py:
--------------------------------------------------------------------------------
# STATUS builds

# NOTE uses system libpcap-dev

# XXXX how to fuzz using pcap file?!?!?!

class tcpdump:
    """Fuzz formula for tcpdump with pcap samples (links the system libpcap)."""
    name = __name__
    home = "http://www.tcpdump.org/"
    scmOrigin = "git clone https://github.com/the-tcpdump-group/tcpdump.git {destination}"
    dataTypes = [
        "pcap"
    ]

    target = "tcpdump"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "CC={AFL_CC} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/gettext.py:
--------------------------------------------------------------------------------
# STATUS xxx

# XXX autogen.sh fails (osx): sed: RE error: illegal byte sequence

class gettext:
    """Fuzz formula for GNU gettext (autogen currently fails on OS X)."""
    name = __name__
    home = "https://www.gnu.org/software/gettext/"
    # NOTE(review): git:// transport is unauthenticated — pin a commit/tag and
    # verify it before building.
    scmOrigin = "git clone git://git.savannah.gnu.org/gettext.git {destination}"
    dataTypes = [
        "xxx"
    ]

    target = "xxx"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "./autogen.sh",
        "CC={AFL_CC} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/ijgjpeg.py:
--------------------------------------------------------------------------------
# STATUS no scm exists, only tarballs, need tarball support + sha1 support, also fix formula!

class ijgjpeg:
    """Fuzz formula for the IJG JPEG library: target is the djpeg decoder."""
    # Only formula with a literal display name instead of the module __name__.
    name = "IJG jpeg"
    home = "http://www.ijg.org/"
    # TODO stable: http://www.ijg.org/files/jpegsrc.v9a.tar.gz
    scmOrigin = ""
    dataTypes = [
        "jpeg"
    ]

    target = "djpeg"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    build = [
        "autoreconf -fiv",
        "CC={AFL_CC} ./configure --disable-shared",
        "make"
    ]
--------------------------------------------------------------------------------
/formulas/jansson.py:
--------------------------------------------------------------------------------
# STATUS builds, need sample


class jansson:
    """Fuzz formula for jansson: target is the json_process test helper."""
    name = __name__
    home = "http://www.digip.org/jansson/"
    scmOrigin = "git clone https://github.com/akheron/jansson {destination}"
    dataTypes = [
        "json"
    ]

    target = "test/bin/json_process"
    targetParam = ""
    aflFuzzParam = ""

    clean = [
        "make distclean"
    ]

    # The test helper is not built by the top-level make, hence the extra step.
    build = [
        "autoreconf -i",
        "./configure --disable-shared CC={AFL_CC}",
        "make",
        "cd test/bin && make json_process",
    ]
--------------------------------------------------------------------------------
/formulas/libexif.py:
--------------------------------------------------------------------------------
# STATUS borked, problems with the cvs checkout


class libexif:
    name = __name__
    home = "http://libexif.sourceforge.net/"
    scmOrigin = "cvs -d :pserver:anonymous:@libexif.cvs.sourceforge.net:/cvsroot/libexif login && cvs -z3 -d :pserver:anonymous:@libexif.cvs.sourceforge.net:/cvsroot/libexif co -d {destination} -P libexif"

    dataTypes = [
        "xxx"
| ] 12 | 13 | target = "xxx" 14 | targetParam = "" 15 | aflFuzzParam = "" 16 | 17 | clean = [ 18 | "make distclean" 19 | ] 20 | 21 | build = [ 22 | "xxx" 23 | ] 24 | -------------------------------------------------------------------------------- /formulas/libpng.py: -------------------------------------------------------------------------------- 1 | # STATUS: builds, but dont build readpng 2 | 3 | class libpng: 4 | name = __name__ 5 | home = "http://www.libpng.org/pub/png/libpng.html" 6 | scmOrigin = "git clone git://git.code.sf.net/p/libpng/code {destination}" 7 | dataTypes = [ 8 | "png" 9 | ] 10 | 11 | target = "readpng" 12 | targetParam = "" 13 | aflFuzzParam = "" 14 | 15 | clean = [ 16 | "make distclean" 17 | ] 18 | 19 | build = [ 20 | "./autogen.sh", 21 | "CC={AFL_CC} ./configure --disable-shared", 22 | "make", 23 | "make contrib/libtests/readpng" # XXX not enough 24 | ] 25 | -------------------------------------------------------------------------------- /formulas/imagemagick.py: -------------------------------------------------------------------------------- 1 | # STATUS builds, but dont build "convert" tool ??? 2 | 3 | class imagemagick: 4 | name = __name__ 5 | home = "http://www.imagemagick.org/" 6 | scmOrigin = "svn co https://subversion.imagemagick.org/subversion/ImageMagick/trunk/ {destination}" 7 | dataTypes = [ 8 | "bmp", "ico" # XXX care of mutliple types 9 | ] 10 | 11 | target = "utilities/magick" 12 | targetParam = "" 13 | aflFuzzParam = "" 14 | 15 | clean = [ 16 | "make distclean" 17 | ] 18 | 19 | build = [ 20 | "CC={AFL_CC} CXX={AFL_CXX} ./configure --disable-shared --enable-delegate-build --with-modules=yes", 21 | "make" 22 | ] 23 | -------------------------------------------------------------------------------- /formulas/opus.py: -------------------------------------------------------------------------------- 1 | # STATUS builds, need good sample? 
2 | 3 | # XXX errorr with sample, Invalid payload length: 1332176723 4 | # NOTE trying opustools instead 5 | 6 | class opus: 7 | name = __name__ 8 | home = "http://opus-codec.org/" 9 | scmOrigin = "git clone git://git.opus-codec.org/opus.git {destination}" 10 | dataTypes = [ 11 | "opus" 12 | ] 13 | 14 | target = "opus_demo" 15 | targetParam = "-d 8000 1 in.opus test.raw-from-opus" 16 | aflFuzzParam = "-f in.opus" 17 | 18 | clean = [ 19 | "make distclean" 20 | ] 21 | 22 | build = [ 23 | "./autogen.sh", 24 | "CC={AFL_CC} ./configure --disable-shared", 25 | "make" 26 | ] 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## autofuzz 2 | 3 | This project aims to help people get started with fuzzing. 4 | 5 | Fuzzing a lib/tool already described in a formula (see "formulas" folder), 6 | is as simple as: 7 | 8 | ./fuzz xz 9 | 10 | This will pull the xz library, from git master, build with afl instrumentation 11 | and start fuzzing using a supplied xz sample (see "testcases" folder). 12 | 13 | It is currently built around american-fuzzy-lop, with the intention of expanding 14 | to include other fuzzers. 
15 | 16 | 17 | This runs on Debian/amd64, and assumes the following is installed 18 | 19 | sudo apt-get install build-essential module-assistant git cvs automake libtool shtool gettext texinfo bison pkg-config 20 | -------------------------------------------------------------------------------- /formulas/freetype2.py: -------------------------------------------------------------------------------- 1 | # STATUS builds 2 | 3 | # TODO fuzzable binaries are in freetype2-demos repository: git clone git://git.sv.nongnu.org/freetype/freetype2-demos.git 4 | # XXX the freetype2-demos need X11 display to run 5 | 6 | class freetype2: 7 | name = __name__ 8 | home = "http://www.freetype.org/" 9 | scmOrigin = "git clone git://git.sv.nongnu.org/freetype/freetype2.git {destination}" 10 | dataTypes = [ 11 | "ttf" 12 | ] 13 | 14 | target = "xxx" 15 | targetParam = "" 16 | aflFuzzParam = "" 17 | 18 | clean = [ 19 | "make distclean" 20 | ] 21 | 22 | build = [ 23 | "./autogen.sh", 24 | "CC={AFL_CC} ./configure --disable-shared", 25 | "make" 26 | ] 27 | -------------------------------------------------------------------------------- /formulas/libarchive.py: -------------------------------------------------------------------------------- 1 | # STATUS broken, minitar dont compile 2 | 3 | class libarchive: 4 | name = __name__ 5 | home = "http://libarchive.org/" 6 | scmOrigin = "git clone https://github.com/libarchive/libarchive {destination}" 7 | dataTypes = [ 8 | "deflate" # XXXX 9 | ] 10 | 11 | target = "examples/minitar/minitar" 12 | targetParam = "" 13 | aflFuzzParam = "" 14 | 15 | clean = [ 16 | "make distclean" 17 | ] 18 | 19 | build = [ 20 | "build/autogen.sh", 21 | "CC={AFL_CC} ./configure --disable-shared", 22 | "make", 23 | "{AFL_CC} -I libarchive -o examples/minitar/minitar examples/minitar/minitar.c .libs/libarchive.a -lz -lbz2" # XXX dont compile 24 | ] 25 | -------------------------------------------------------------------------------- /formulas/yasm.py: 
-------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Dec 2014: 4 | # run time : 24 days, 21 hrs, 21 min, 40 sec cycles done : 0 5 | # last new path : 0 days, 4 hrs, 25 min, 10 sec total paths : 11.5k 6 | # last uniq crash : 1 days, 12 hrs, 31 min, 44 sec uniq crashes : 17 7 | # last uniq hang : 0 days, 11 hrs, 5 min, 20 sec uniq hangs : 95 8 | 9 | class yasm: 10 | name = __name__ 11 | home = "http://yasm.tortall.net/" 12 | scmOrigin = "git clone https://github.com/yasm/yasm.git {destination}" 13 | dataTypes = [ 14 | "txt" 15 | ] 16 | 17 | target = "yasm" 18 | targetParam = "test.asm" 19 | aflFuzzParam = "-f test.asm" 20 | 21 | clean = [ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "CC={AFL_CC} ./autogen.sh", 27 | "make" 28 | ] 29 | -------------------------------------------------------------------------------- /formulas/libxml2.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014: 4 | # run time : 8 days, 0 hrs, 6 min, 28 sec cycles done : 0 5 | # last new path : 0 days, 3 hrs, 28 min, 41 sec total paths : 3426 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : 0 days, 23 hrs, 15 min, 58 sec uniq hangs : 3 8 | 9 | class libxml2: 10 | name = __name__ 11 | home = "http://xmlsoft.org/" 12 | scmOrigin = "git clone git://git.gnome.org/libxml2 {destination}" 13 | dataTypes = [ 14 | "xml" 15 | ] 16 | 17 | target = "testReader" 18 | targetParam = "test.xml" 19 | aflFuzzParam = "-f test.xml" 20 | 21 | clean = [ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "CC={AFL_CC} ./autogen.sh --disable-shared", 27 | "make" 28 | ] 29 | -------------------------------------------------------------------------------- /formulas/giflib.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014: 4 | # run time : 12 days, 10 hrs, 9 min, 51 sec cycles done : 641 5 
| # last new path : 3 days, 17 hrs, 33 min, 40 sec total paths : 220 6 | # last uniq crash : 0 days, 0 hrs, 16 min, 13 sec uniq crashes : 1431 7 | # last uniq hang : none seen yet uniq hangs : 0 8 | 9 | 10 | class giflib: 11 | name = __name__ 12 | home = "http://giflib.sourceforge.net/" 13 | scmOrigin = "git clone git://git.code.sf.net/p/giflib/code {destination}" 14 | dataTypes = [ 15 | "gif" 16 | ] 17 | 18 | target = "util/giftext" 19 | targetParam = "" 20 | aflFuzzParam = "" 21 | 22 | clean = [ 23 | "make distclean" 24 | ] 25 | 26 | build = [ 27 | "CC={AFL_CC} ./autogen.sh --disable-shared", 28 | "make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/xzembedded.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014 - no problems found: 4 | # run time : 8 days, 3 hrs, 52 min, 41 sec cycles done : 3087 5 | # last new path : 5 days, 22 hrs, 29 min, 25 sec total paths : 33 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : none seen yet uniq hangs : 0 8 | 9 | class xzembedded: 10 | name = __name__ 11 | home = "http://tukaani.org/xz/" 12 | scmOrigin = "git clone http://git.tukaani.org/xz-embedded.git {destination}" 13 | dataTypes = [ 14 | "xz" 15 | ] 16 | 17 | target = "userspace/xzminidec" 18 | targetParam = "" 19 | aflFuzzParam = "" 20 | 21 | clean = [ 22 | "cd userspace; make clean" 23 | ] 24 | 25 | build = [ 26 | "cd userspace; make CC={AFL_CC}" 27 | ] 28 | -------------------------------------------------------------------------------- /formulas/lodepng.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014: 4 | # run time : 9 days, 11 hrs, 22 min, 47 sec cycles done : 318 5 | # last new path : 0 days, 3 hrs, 29 min, 26 sec total paths : 370 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : 3 days, 15 hrs, 39 min, 8 sec 
uniq hangs : 1 8 | 9 | 10 | class lodepng: 11 | name = __name__ 12 | home = "http://lodev.org/lodepng/" 13 | scmOrigin = "git clone https://github.com/lvandeve/lodepng {destination}" 14 | dataTypes = [ 15 | "png" 16 | ] 17 | 18 | target = "example_decode" 19 | targetParam = "" 20 | aflFuzzParam = "-f test.png" 21 | 22 | clean = [ 23 | "rm -f example_decode" 24 | ] 25 | 26 | build = [ 27 | "{AFL_CC} -x c lodepng.cpp example_decode.c -o example_decode" 28 | ] 29 | -------------------------------------------------------------------------------- /formulas/nasm.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Dec 2014: 4 | # run time : 12 days, 0 hrs, 2 min, 42 sec cycles done : 0 5 | # last new path : 0 days, 8 hrs, 41 min, 53 sec total paths : 1687 6 | # last uniq crash : 2 days, 6 hrs, 38 min, 47 sec uniq crashes : 168 7 | # last uniq hang : 0 days, 20 hrs, 31 min, 49 sec uniq hangs : 7 8 | 9 | 10 | class nasm: 11 | name = __name__ 12 | home = "http://www.nasm.us/" 13 | scmOrigin = "git clone git://repo.or.cz/nasm.git {destination}" 14 | dataTypes = [ 15 | "elf" 16 | ] 17 | 18 | target = "ndisasm" # XXX also nasm target exists 19 | targetParam = "-" 20 | aflFuzzParam = "" 21 | 22 | clean = [ 23 | "make distclean" 24 | ] 25 | 26 | build = [ 27 | "./autogen.sh", 28 | "CC={AFL_CC} ./configure", 29 | "make" 30 | ] 31 | -------------------------------------------------------------------------------- /formulas/patch.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | 4 | # Dec 2014 5 | # run time : 11 days, 21 hrs, 1 min, 56 sec cycles done : 0 6 | # last new path : 0 days, 6 hrs, 55 min, 29 sec total paths : 1957 7 | # last uniq crash : 4 days, 12 hrs, 4 min, 23 sec uniq crashes : 36 8 | # last uniq hang : 0 days, 16 hrs, 27 min, 48 sec uniq hangs : 110 9 | 10 | 11 | class patch: 12 | name = __name__ 13 | home = 
"https://savannah.gnu.org/projects/patch/" 14 | scmOrigin = "git clone git://git.savannah.gnu.org/patch.git {destination}" 15 | dataTypes = [ 16 | "txt" 17 | ] 18 | 19 | target = "src/patch" 20 | targetParam = "" 21 | aflFuzzParam = "" 22 | 23 | clean = [ 24 | "make distclean" 25 | ] 26 | 27 | build = [ 28 | "./bootstrap", 29 | "CC={AFL_CC} ./configure", 30 | "make" 31 | ] 32 | -------------------------------------------------------------------------------- /formulas/vorbis.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014 - no problems found: 4 | # run time : 8 days, 2 hrs, 19 min, 59 sec cycles done : 155 5 | # last new path : 1 days, 12 hrs, 19 min, 42 sec total paths : 45 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : none seen yet uniq hangs : 0 8 | 9 | class vorbis: 10 | name = __name__ 11 | home = "http://wwwxxxxxx" 12 | scmOrigin = "https://git.xiph.org/mirrors/vorbis.git {destination}" 13 | dataTypes = [ 14 | "vorbis" 15 | ] 16 | 17 | target = "examples/decoder_example" 18 | targetParam = "" 19 | aflFuzzParam = "" 20 | 21 | clean = [ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "CC={AFL_CC} ./autogen.sh --disable-shared", 27 | "make", 28 | "cd examples; make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/libwebp.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014: 4 | # run time : 9 days, 11 hrs, 20 min, 23 sec cycles done : 0 5 | # last new path : 0 days, 0 hrs, 39 min, 51 sec total paths : 3469 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : 9 days, 6 hrs, 2 min, 19 sec uniq hangs : 500+ 8 | 9 | class libwebp: 10 | name = __name__ 11 | home = "https://developers.google.com/speed/webp/" 12 | scmOrigin = "git clone https://chromium.googlesource.com/webm/libwebp {destination}" 13 | dataTypes = 
[ 14 | "webp" 15 | ] 16 | 17 | target = "examples/dwebp" 18 | targetParam = "-- -" 19 | aflFuzzParam = "" 20 | 21 | clean = [ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "./autogen.sh", 27 | "CC={AFL_CC} ./configure --disable-shared", 28 | "make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/xz.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014 - no problems found: 4 | # run time : 9 days, 6 hrs, 54 min, 57 sec cycles done : 2352 5 | # last new path : 8 days, 22 hrs, 51 min, 38 sec total paths : 37 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : 3 days, 15 hrs, 30 min, 54 sec uniq hangs : 2 8 | 9 | 10 | class xz: 11 | name = __name__ 12 | home = "http://tukaani.org/xz/" 13 | scmOrigin = "git clone http://git.tukaani.org/xz.git {destination}" 14 | dataTypes = [ 15 | "xz" 16 | ] 17 | 18 | target = "src/xzdec/xzdec" # TODO theres also lzmadec 19 | targetParam = "" 20 | aflFuzzParam = "" 21 | 22 | clean = [ 23 | "make distclean" 24 | ] 25 | 26 | build = [ 27 | "./autogen.sh", 28 | "CC={AFL_CC} ./configure --disable-shared", 29 | "make" 30 | ] 31 | -------------------------------------------------------------------------------- /formulas/cppcheck.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # NOTE is very slow (7/sec) 4 | 5 | # Nov 2014 - no problems found: 6 | # run time : 8 days, 3 hrs, 55 min, 58 sec cycles done : 0 7 | # last new path : 0 days, 6 hrs, 36 min, 25 sec total paths : 6382 8 | # last uniq crash : none seen yet uniq crashes : 0 9 | # last uniq hang : 1 days, 6 hrs, 5 min, 50 sec uniq hangs : 6 10 | 11 | class cppcheck: 12 | name = __name__ 13 | home = "http://cppcheck.sourceforge.net/" 14 | scmOrigin = "git clone https://github.com/danmar/cppcheck.git {destination}" 15 | dataTypes = [ 16 | "c" # XXX also use cpp input sample 
17 | ] 18 | 19 | target = "cppcheck" 20 | targetParam = "test.c" 21 | aflFuzzParam = "-f test.c" 22 | 23 | clean = [ 24 | "make clean" 25 | ] 26 | 27 | build = [ 28 | "CXX={AFL_CXX} make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/libjpegturbo.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Nov 2014: 4 | # run time : 9 days, 11 hrs, 18 min, 34 sec cycles done : 0 5 | # last new path : 0 days, 6 hrs, 31 min, 29 sec total paths : 2776 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : 9 days, 3 hrs, 44 min, 38 sec uniq hangs : 500+ 8 | 9 | class libjpegturbo: 10 | name = "libjpeg-turbo" 11 | home = "http://libjpeg-turbo.virtualgl.org/" 12 | scmOrigin = "svn checkout svn://svn.code.sf.net/p/libjpeg-turbo/code/trunk {destination}" 13 | dataTypes = [ 14 | "jpeg" 15 | ] 16 | 17 | target = "djpeg" 18 | targetParam = "" 19 | aflFuzzParam = "" 20 | 21 | clean = [ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "autoreconf -fiv", 27 | "CC={AFL_CC} ./configure --disable-shared", 28 | "make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/elfutils.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Dec 2014: 4 | # run time : 11 days, 21 hrs, 17 min, 30 sec cycles done : 0 5 | # last new path : 0 days, 0 hrs, 28 min, 38 sec total paths : 2773 6 | # last uniq crash : 0 days, 0 hrs, 29 min, 37 sec uniq crashes : 515 7 | # last uniq hang : 0 days, 3 hrs, 13 min, 31 sec uniq hangs : 383 8 | 9 | class elfutils: 10 | name = __name__ 11 | home = "https://fedorahosted.org/elfutils/" 12 | scmOrigin = "git clone git://git.fedorahosted.org/git/elfutils.git {destination}" 13 | dataTypes = [ 14 | "elf" 15 | ] 16 | 17 | target = "src/elflint" 18 | targetParam = "test.elf" 19 | aflFuzzParam = "-f test.elf" 20 | 21 | clean = 
[ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "autoreconf -fiv", 27 | "CC={AFL_CC} ./configure --enable-maintainer-mode", 28 | "make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/flac.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # Dec 2014: 4 | # run time : 12 days, 21 hrs, 11 min, 33 sec cycles done : 0 5 | # last new path : 0 days, 4 hrs, 51 min, 27 sec total paths : 1733 6 | # last uniq crash : none seen yet uniq crashes : 0 7 | # last uniq hang : none seen yet uniq hangs : 0 8 | 9 | class flac: 10 | name = __name__ 11 | home = "http://xiph.org/flac/" 12 | scmOrigin = "git clone https://git.xiph.org/flac.git {destination}" 13 | dataTypes = [ 14 | "flac" 15 | ] 16 | 17 | target = "src/flac/flac" 18 | targetParam = "-d -f -" # reads from stdin, writes to stdout 19 | aflFuzzParam = "" 20 | 21 | clean = [ 22 | "make distclean" 23 | ] 24 | 25 | build = [ 26 | "./autogen.sh", 27 | "CC={AFL_CC} CXX={AFL_CXX} ./configure --disable-shared --disable-doxygen-docs", 28 | "make" 29 | ] 30 | -------------------------------------------------------------------------------- /formulas/zlib.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # XXX unsure if its proper, only found 4 paths 4 | 5 | # Nov 2014: 6 | # run time : 9 days, 9 hrs, 59 min, 30 sec cycles done : 61.1k 7 | # last new path : 9 days, 9 hrs, 59 min, 29 sec total paths : 4 8 | # last uniq crash : none seen yet uniq crashes : 0 9 | # last uniq hang : 8 days, 3 hrs, 37 min, 13 sec uniq hangs : 1 10 | 11 | class zlib: 12 | name = __name__ 13 | home = "http://www.zlib.net/" 14 | scmOrigin = "git clone https://github.com/madler/zlib {destination}" 15 | dataTypes = [ 16 | "deflate" 17 | ] 18 | 19 | target = "examples/zpipe" 20 | targetParam = "-d" 21 | aflFuzzParam = "" 22 | 23 | clean = [ 24 | "make distclean" 25 | ] 26 | 27 | 
build = [ 28 | "CC={AFL_CC} ./configure", 29 | "make", 30 | "{AFL_CC} -L. libz.so examples/zpipe.c -o examples/zpipe" 31 | ] 32 | -------------------------------------------------------------------------------- /formulas/tar.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # NOTE: needs --disable-gcc-warnings to build with gcc 4.7.2/Debian 4 | 5 | # Dec 2014: 6 | # run time : 24 days, 20 hrs, 20 min, 22 sec cycles done : 225 7 | # last new path : 0 days, 1 hrs, 34 min, 55 sec total paths : 1141 8 | # last uniq crash : none seen yet uniq crashes : 0 9 | # last uniq hang : 13 days, 17 hrs, 50 min, 14 sec uniq hangs : 4 10 | 11 | class tar: 12 | name = __name__ 13 | home = "https://www.gnu.org/software/tar/" 14 | scmOrigin = "git clone git://git.savannah.gnu.org/tar.git {destination}" 15 | dataTypes = [ 16 | "tar" 17 | ] 18 | 19 | target = "src/tar" 20 | targetParam = "x" 21 | aflFuzzParam = "" 22 | 23 | clean = [ 24 | "make distclean" 25 | ] 26 | 27 | build = [ 28 | "./bootstrap", 29 | "./configure CC={AFL_CC} --disable-gcc-warnings", 30 | "make" 31 | ] 32 | -------------------------------------------------------------------------------- /formulas/opustools.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # NOTE this uses system libopus-dev and libflac-dev 4 | 5 | # Nov 2014: 6 | # run time : 8 days, 22 hrs, 8 min, 23 sec cycles done : 1285 7 | # last new path : 5 days, 12 hrs, 52 min, 40 sec total paths : 44 8 | # last uniq crash : none seen yet uniq crashes : 0 9 | # last uniq hang : 3 days, 15 hrs, 33 min, 0 sec uniq hangs : 2 10 | 11 | class opustools: 12 | name = __name__ 13 | home = "http://opus-codec.org/" 14 | scmOrigin = "git clone git://git.opus-codec.org/opus-tools.git {destination}" 15 | dataTypes = [ 16 | "opus" 17 | ] 18 | 19 | target = "opusdec" 20 | targetParam = "- -" # from stdin, to stdout 21 | aflFuzzParam = "" 22 | 23 | 
clean = [ 24 | "make distclean" 25 | ] 26 | 27 | build = [ 28 | "./autogen.sh", 29 | "CC={AFL_CC} ./configure --disable-shared", 30 | "make" 31 | ] 32 | -------------------------------------------------------------------------------- /formulas/libmspack.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | 4 | # Dec 2014: 5 | # run time : 12 days, 21 hrs, 27 min, 17 sec cycles done : 541 6 | # last new path : 9 days, 16 hrs, 56 min, 8 sec total paths : 118 7 | # last uniq crash : none seen yet uniq crashes : 0 8 | # last uniq hang : 10 days, 9 hrs, 37 min, 34 sec uniq hangs : 10 9 | 10 | class libmspack: 11 | name = __name__ 12 | home = "http://www.cabextract.org.uk/libmspack/" 13 | scmOrigin = "svn checkout svn://svn.code.sf.net/p/libmspack/code/libmspack/trunk/ {destination}" 14 | 15 | dataTypes = [ 16 | "cab" # XXX also handles other formats 17 | ] 18 | 19 | target = "test/expand" 20 | targetParam = "test.cab test.out" 21 | aflFuzzParam = "-f test.cab" 22 | 23 | clean = [ 24 | "make distclean" 25 | ] 26 | 27 | build = [ 28 | "./configure --disable-shared CC={AFL_CC} CXX={AFL_CXX}", 29 | "make" 30 | ] 31 | -------------------------------------------------------------------------------- /formulas/libtiff.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | 4 | # Dec 2014 5 | # run time : 24 days, 21 hrs, 33 min, 17 sec cycles done : 86 6 | # last new path : 0 days, 5 hrs, 59 min, 32 sec total paths : 1250 7 | # last uniq crash : 1 days, 12 hrs, 43 min, 12 sec uniq crashes : 12 8 | # last uniq hang : 13 days, 17 hrs, 59 min, 48 sec uniq hangs : 4 9 | 10 | class libtiff: 11 | name = __name__ 12 | home = "http://www.remotesensing.org/libtiff/" 13 | scmOrigin = "cvs -d :pserver:cvsanon:@cvs.maptools.org:/cvs/maptools/cvsroot login && cvs -z3 -d :pserver:cvsanon:@cvs.maptools.org:/cvs/maptools/cvsroot co -d {destination} -P libtiff" 14 | dataTypes = [ 15 | 
"tiff" 16 | ] 17 | 18 | target = "tools/tiffdump" 19 | targetParam = "test.tif" 20 | aflFuzzParam = "-f test.tif" 21 | 22 | clean = [ 23 | "make distclean" 24 | ] 25 | 26 | build = [ 27 | "./autogen.sh", 28 | "./configure CC={AFL_CC} CXX={AFL_CXX} --disable-shared", 29 | "make" 30 | ] 31 | -------------------------------------------------------------------------------- /formulas/speex.py: -------------------------------------------------------------------------------- 1 | # STATUS runs 2 | 3 | # NOTE: uses system libogg-dev 4 | 5 | # NOTE: on Linux, if errror Cannot open /dev/dsp: No such file or directory: 6 | # sudo modprobe snd-pcm-oss 7 | 8 | # Dec 2014 - runs super slow! 9 | # run time : 7 days, 7 hrs, 52 min, 54 sec cycles done : 0 10 | # last new path : 5 days, 4 hrs, 34 min, 37 sec total paths : 14 11 | # last uniq crash : none seen yet uniq crashes : 0 12 | # last uniq hang : none seen yet uniq hangs : 0 13 | 14 | 15 | class speex: 16 | name = __name__ 17 | home = "http://www.speex.org/" 18 | scmOrigin = "git clone http://git.xiph.org/speex.git {destination}" 19 | dataTypes = [ 20 | "speex" 21 | ] 22 | 23 | target = "src/speexdec" 24 | targetParam = "-" # stdin 25 | aflFuzzParam = "-t 10000" 26 | 27 | clean = [ 28 | "make distclean" 29 | ] 30 | 31 | build = [ 32 | "./autogen.sh", 33 | "CC={AFL_CC} ./configure --disable-shared --enable-binaries", 34 | "make" 35 | ] 36 | -------------------------------------------------------------------------------- /formulas/pdfium.py: -------------------------------------------------------------------------------- 1 | # STATUS borked 2 | 3 | # XXX wont build, seems v8 files are assumed to be in path... 4 | 5 | #Updating projects from gyp files... 
6 | #gyp: /home/ml/dev/autofuzz/.cache/pdfium/v8/tools/gyp/v8.gyp not found (cwd: /home/ml/dev/autofuzz/.cache/pdfium) while loading dependencies of /home/ml/dev/autofuzz/.cache/pdfium/pdfium.gyp while loading dependencies of /home/ml/dev/autofuzz/.cache/pdfium/samples/samples.gyp while loading dependencies of /home/ml/dev/autofuzz/.cache/pdfium/build/all.gyp while trying to load /home/ml/dev/autofuzz/.cache/pdfium/build/all.gyp 7 | #Error running GYP 8 | 9 | # XX more is needed: 10 | #$ git clone https://pdfium.googlesource.com/pdfium.git 11 | #$ cd pdfium/ 12 | #$ svn co http://gyp.googlecode.com/svn/trunk build/gyp 13 | #$ svn co http://v8.googlecode.com/svn/trunk v8 14 | #$ svn co https://src.chromium.org/chrome/trunk/deps/third_party/icu46 v8/third_party/icu 15 | #$ build/gyp_pdfium 16 | #$ make 17 | #$ make BUILDTYPE=Release 18 | 19 | # from : https://code.google.com/p/pdfium/wiki/Build 20 | 21 | 22 | class pdfium: 23 | name = __name__ 24 | home = "https://code.google.com/p/pdfium/" 25 | scmOrigin = "git clone https://pdfium.googlesource.com/pdfium {destination}" 26 | dataTypes = [ 27 | "pdf" 28 | ] 29 | 30 | target = "xxx" 31 | targetParam = "" 32 | aflFuzzParam = "" 33 | 34 | clean = [ 35 | "make clean" 36 | ] 37 | 38 | build = [ 39 | "CC={AFL_CC} CXX={AFL_CXX} build/gyp_pdfium", 40 | "make pdfium_test" 41 | ] 42 | -------------------------------------------------------------------------------- /testcases/archives/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick0000640000076400007640000000027712427053460012465 0ustar lcamtuflcamtufThere was a young man from Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can." 
6 | -------------------------------------------------------------------------------- /testcases/others/c/boottest.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Test application for xz_boot.c 3 | * 4 | * Author: Lasse Collin 5 | * 6 | * This file has been put into the public domain. 7 | * You can do whatever you want with this file. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #define STATIC static 15 | #define INIT 16 | 17 | static void error(/*const*/ char *msg) 18 | { 19 | fprintf(stderr, "%s\n", msg); 20 | } 21 | 22 | /* Disable the CRC64 support even if it was enabled in the Makefile. */ 23 | #undef XZ_USE_CRC64 24 | 25 | #include "../linux/lib/decompress_unxz.c" 26 | 27 | static uint8_t in[1024 * 1024]; 28 | static uint8_t out[1024 * 1024]; 29 | 30 | static int fill(void *buf, unsigned int size) 31 | { 32 | return fread(buf, 1, size, stdin); 33 | } 34 | 35 | static int flush(/*const*/ void *buf, unsigned int size) 36 | { 37 | return fwrite(buf, 1, size, stdout); 38 | } 39 | 40 | static void test_buf_to_buf(void) 41 | { 42 | size_t in_size; 43 | int ret; 44 | in_size = fread(in, 1, sizeof(in), stdin); 45 | ret = decompress(in, in_size, NULL, NULL, out, NULL, &error); 46 | /* fwrite(out, 1, FIXME, stdout); */ 47 | fprintf(stderr, "ret = %d\n", ret); 48 | } 49 | 50 | static void test_buf_to_cb(void) 51 | { 52 | size_t in_size; 53 | int in_used; 54 | int ret; 55 | in_size = fread(in, 1, sizeof(in), stdin); 56 | ret = decompress(in, in_size, NULL, &flush, NULL, &in_used, &error); 57 | fprintf(stderr, "ret = %d; in_used = %d\n", ret, in_used); 58 | } 59 | 60 | static void test_cb_to_cb(void) 61 | { 62 | int ret; 63 | ret = decompress(NULL, 0, &fill, &flush, NULL, NULL, &error); 64 | fprintf(stderr, "ret = %d\n", ret); 65 | } 66 | 67 | /* 68 | * Not used by Linux <= 2.6.37-rc4 and newer probably won't use it either, 69 | * but this kind of use case is still required to be supported by the API. 
70 | */ 71 | static void test_cb_to_buf(void) 72 | { 73 | int in_used; 74 | int ret; 75 | ret = decompress(in, 0, &fill, NULL, out, &in_used, &error); 76 | /* fwrite(out, 1, FIXME, stdout); */ 77 | fprintf(stderr, "ret = %d; in_used = %d\n", ret, in_used); 78 | } 79 | 80 | int main(int argc, char **argv) 81 | { 82 | if (argc != 2) 83 | fprintf(stderr, "Usage: %s [bb|bc|cc|cb]\n", argv[0]); 84 | else if (strcmp(argv[1], "bb") == 0) 85 | test_buf_to_buf(); 86 | else if (strcmp(argv[1], "bc") == 0) 87 | test_buf_to_cb(); 88 | else if (strcmp(argv[1], "cc") == 0) 89 | test_cb_to_cb(); 90 | else if (strcmp(argv[1], "cb") == 0) 91 | test_cb_to_buf(); 92 | else 93 | fprintf(stderr, "Usage: %s [bb|bc|cc|cb]\n", argv[0]); 94 | 95 | return 0; 96 | } 97 | -------------------------------------------------------------------------------- /lib/OsxProbe.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | import sys 4 | import psutil 5 | 6 | from distutils.version import StrictVersion 7 | 8 | 9 | class OsxProbe: 10 | def RunCommand(self, command): 11 | # TODO move to util class 12 | return subprocess.check_output( 13 | command, 14 | shell=True, 15 | stderr=subprocess.STDOUT) 16 | 17 | def GetOsVersionNumber(self): 18 | raw = self.RunCommand("sw_vers -productVersion") 19 | return raw.decode('ascii').strip("\n") 20 | 21 | def GetApplicationVersionNumber(self, appName): 22 | raw = self.RunCommand("plutil -p /Applications/" + appName + ".app/Contents/Info.plist | grep 'CFBundleShortVersionString' | grep -o '\"[[:digit:].]*\"'") 23 | return raw.decode('ascii').strip("\"\n") 24 | 25 | def KillProcessAndChildren(proc_pid): 26 | # TODO move to util class 27 | process = psutil.Process(proc_pid) 28 | for proc in process.get_children(recursive=True): 29 | proc.kill() 30 | process.kill() 31 | return 32 | 33 | def Is64Bit(self): 34 | if os.uname().machine == "x86_64": 35 | return True 36 | return False 37 | 38 | def 
IsSupported(self): 39 | if not self.IsDetected(): 40 | print("ERROR - only OSX is supported") 41 | return False 42 | 43 | if not self.Is64Bit(): 44 | print("ERROR - not 64bit") 45 | return False 46 | 47 | if StrictVersion(self.GetOsVersionNumber()) < StrictVersion("10.9.5"): 48 | print("ERROR - too old osx version") 49 | return False 50 | 51 | if StrictVersion(self.GetApplicationVersionNumber("Xcode")) < StrictVersion("5.1.1"): 52 | print("ERROR - Xcode is too old") 53 | return False 54 | 55 | return True 56 | 57 | def IsDetected(self): 58 | if sys.platform == "darwin": 59 | return True 60 | return False 61 | 62 | def GetOsVersionName(self): 63 | ''' @return eg "Mavericks" ''' 64 | ver = self.GetOsVersionNumber() 65 | 66 | if StrictVersion(ver) >= StrictVersion("10.10.0"): 67 | return "Yosemite" 68 | 69 | if StrictVersion(ver) >= StrictVersion("10.9.0"): 70 | return "Mavericks" 71 | 72 | if StrictVersion(ver) >= StrictVersion("10.8.0"): 73 | return "Mountain Lion" 74 | 75 | if StrictVersion(ver) >= StrictVersion("10.7.0"): 76 | return "Lion" 77 | 78 | if StrictVersion(ver) >= StrictVersion("10.6.0"): 79 | return "Snow Leopard" 80 | 81 | return "Unrecognized" 82 | -------------------------------------------------------------------------------- /triage: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # example: ./triage --dir .fuzz-afl/wladx-0003 --executable .cache/wladx/build/binaries/wla-gb 4 | 5 | # NOTE this is similar to afl-0.45b/experimental/crash_triage/triage_crashes.sh 6 | 7 | # TODO abort if Q or ESC is pressed 8 | 9 | 10 | 11 | 12 | import os 13 | import sys 14 | import argparse 15 | import subprocess 16 | 17 | 18 | def run_command(command): 19 | try: 20 | res = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True) 21 | except subprocess.CalledProcessError as e: 22 | print("command returned error code " + str(e.returncode)) 23 | res = e.output 24 | 25 | return res 26 | 27 
| versionString = "afl-triage 0.1 (c) Martin Lindhe 2014" 28 | 29 | 30 | parser = argparse.ArgumentParser(description='Lookup subdomains of given domain(s)') 31 | parser.add_argument('-V', '--version', action='version', 32 | version=versionString) 33 | parser.add_argument('--dir', required=True, help='output directory from afl run') 34 | 35 | parser.add_argument('--executable', required=True, help='afl-instrumented binary') 36 | parser.add_argument('--stats', help='show stats', action='store_true') 37 | 38 | 39 | args = parser.parse_args() 40 | 41 | print(versionString) 42 | print("") 43 | 44 | showStats = args.stats 45 | 46 | execFile = args.executable 47 | 48 | fileSet = set() 49 | 50 | 51 | crashDir = args.dir + "/crashes" 52 | 53 | if not os.path.isdir(crashDir): 54 | print("ERROR: provided directory is not a afl dir, missing dir " + crashDir) 55 | sys.exit() 56 | 57 | for fileName in os.listdir(crashDir): 58 | if (fileName[0] == "."): 59 | continue 60 | 61 | if (fileName in ("fuzz_bitmap", "fuzzer_stats", "README.txt")): 62 | continue 63 | 64 | fileSet.add(fileName) 65 | 66 | if showStats: 67 | print("### stats") 68 | print("number of files: " + str(len(fileSet))) 69 | sys.exit() 70 | 71 | print("processing files: " + str(len(fileSet))) 72 | 73 | is64Bit = False 74 | execType = run_command("file " + execFile) 75 | if "Mach-O 64-bit executable x86_64" in execType: 76 | is64Bit = True 77 | else: 78 | print("WARNING: unexpected file type (expected a executable), assuming 32-bit: " + execType) 79 | 80 | for f in fileSet: 81 | fullFile = crashDir + "/" + f 82 | #print(fullFile) 83 | 84 | if is64Bit: 85 | disasm = '--ex "disass \$rip, \$rip+16"' 86 | else: 87 | disasm = '--ex "disass $eip, $eip+16"' 88 | 89 | regdump = '--ex "info reg"' 90 | regdump = '' 91 | 92 | ## XXX get params from formula?!!11 93 | execParams = "-o" 94 | cmd = 'gdb --batch -q --ex "run" --ex "back" ' + disasm + ' ' + regdump + ' --ex "quit" --args "' + execFile + '" ' + execParams + ' "' + 
fullFile + '"' 95 | out = run_command(cmd) 96 | print(cmd) 97 | 98 | print("### RAW:") 99 | print(out) 100 | 101 | s1 = "Program received signal" 102 | s2 = "A debugging session is active." 103 | start = out.find(s1) 104 | end = out.find(s2, start) 105 | 106 | # HACK fragile way to get only crash signature & backtrace 107 | stripped = out[start:end] 108 | print("### stripped:") 109 | print(stripped) 110 | 111 | 112 | # TODO only check one file from each subdir, since they have the same "crash signature" (???) 113 | # TODO extract crash signal & hash from path 114 | 115 | 116 | # sig=`basename -- "$crash_dir" | cut -d, -f1 | cut -d: -f2` 117 | # hash=`basename -- "$crash_dir" | cut -d, -f2 | cut -d: -f2` 118 | # count=`ls -- "$crash_dir" | wc -l` 119 | 120 | # echo "+++ HASH $hash, SIGNAL $sig ($count samples) +++" 121 | # echo 122 | 123 | # first=`ls -- "$crash_dir" | head -1` 124 | 125 | # gdb --batch -q --ex "r <$crash_dir/$first" --ex 'back' --ex 'disass $eip, $eip+16' --ex 'info reg' --ex 'quit' "$BIN" 126 | -------------------------------------------------------------------------------- /fuzz: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import os 4 | import sys 5 | import subprocess 6 | 7 | 8 | def get_class(kls): 9 | parts = kls.split('.') 10 | module = ".".join(parts[:-1]) 11 | m = __import__(module) 12 | for comp in parts[1:]: 13 | m = getattr(m, comp) 14 | return m 15 | 16 | 17 | def capture_command(command): 18 | ''' run command and captures output ''' 19 | try: 20 | res = subprocess.check_output( 21 | command, 22 | stderr=subprocess.STDOUT, 23 | shell=True 24 | ) 25 | except subprocess.CalledProcessError as e: 26 | print("command returned error code " + str(e.returncode)) 27 | print(" - output: " + e.output) 28 | res = e.output 29 | 30 | return res 31 | 32 | 33 | def passthru_command(command): 34 | ''' run command and output on screen ''' 35 | subprocess.call(command, shell=True) 36 
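import shlex  # stdlib; used below to quote the paths placed in the afl-fuzz command

# Seed-corpus directory (relative to <rootDir>/testcases) for each value a
# formula may list in dataTypes.  "ogg" is only a container format, so its
# seeds are the vorbis samples.
_SEED_DIRS = {
    "gif": "images/gif",
    "jpeg": "images/jpeg",
    "png": "images/png",
    "webp": "images/webp",
    "tiff": "images/tiff",
    "ttf": "fonts/ttf",
    "deflate": "archives/deflate",
    "xz": "archives/xz",
    "tar": "archives/tar",
    "cab": "archives/cab",
    "speex": "audio/speex",
    "opus": "audio/opus",
    "vorbis": "audio/vorbis",
    "ogg": "audio/vorbis",
    "flac": "audio/flac",
    "elf": "executables/elf",
    "c": "others/c",
    "xml": "others/xml",
    "txt": "others/text",
    "pcap": "others/pcap",
}

rootDir = os.path.dirname(os.path.realpath(__file__))

# Every afl output directory is created under .fuzz-afl next to this script.
aflRootDir = os.path.join(rootDir, ".fuzz-afl")
if not os.path.isdir(aflRootDir):
    os.mkdir(aflRootDir)

if len(sys.argv) < 2:
    print("Syntax: " + sys.argv[0] + " formula ")
    print(" --clang=1    instrument with afl-clang / afl-clang++ (default)")
    print(" --gcc=1      instrument with afl-gcc / afl-g++")
    sys.exit(2)  # usage error: exit non-zero so wrapping scripts notice

formulaName = sys.argv[1]

# Only --gcc=1 is parsed; anything else (including --clang=1) keeps the
# default clang instrumentation.
useClang = not (len(sys.argv) > 2 and sys.argv[2] == "--gcc=1")

try:
    formula = get_class("formulas." + formulaName + "." + formulaName)
except (ImportError, AttributeError):
    # ImportError: no formulas/<name>.py; AttributeError: the module exists
    # but has no class of the same name.  Both mean "no such formula".
    print("ERROR: No such formula " + formulaName)
    sys.exit(1)

print("### " + formulaName)

formulaPath = ".cache/" + formulaName

# TODO remove assumption of git repository, need svn support, etc
gitPath = formulaPath + "/.git"
svnPath = formulaPath + "/.svn"
cvsPath = formulaPath + "/CVS"
if any(os.path.isdir(p) for p in (gitPath, svnPath, cvsPath)):
    # TODO if dir exist, do a "git pull" ? also make sure it is pristine
    print("Checkout found at " + gitPath + " or " + svnPath + " or " + cvsPath + ", TODO do update?")
else:
    # scmOrigin is a shell command template taken from the formula module and
    # run through the shell as-is; formulas are trusted, local code.
    getScm = formula.scmOrigin.replace("{destination}", formulaPath)
    print("### CHECKOUT " + getScm)
    passthru_command(getScm)

# set current working dir to formulaPath: clean/build commands and the
# target path are relative to the checkout
os.chdir(formulaPath)

fuzzTarget = formula.target

# Compiler pair substituted for the {AFL_CC}/{AFL_CXX} placeholders that
# formulas use in their build commands.
if useClang:
    aflCC, aflCXX = "afl-clang", "afl-clang++"
else:
    aflCC, aflCXX = "afl-gcc", "afl-g++"

if not os.path.isfile(fuzzTarget):  # TODO cli switch to force rebuild
    # if target not found, perform clean + build
    for cleanCmd in formula.clean:
        print("CLEAN # " + cleanCmd)
        capture_command(cleanCmd)

    for buildCmd in formula.build:
        buildCmd = buildCmd.replace("{AFL_CC}", aflCC).replace("{AFL_CXX}", aflCXX)
        print("BUILD # " + buildCmd)
        passthru_command(buildCmd)

if not os.path.isfile(fuzzTarget):
    print("ERROR cant find target " + fuzzTarget + ", giving up")
    sys.exit(1)

print("Found " + fuzzTarget + ", ready to fuzz")

# find a nonexisting out dir: <formula>-0001, <formula>-0002, ...
outCounter = 1
while True:
    aflOutDir = os.path.join(aflRootDir, formulaName + "-%04d" % outCounter)
    if not os.path.isdir(aflOutDir):
        break
    outCounter += 1

# XXX only the first dataType is used; TODO prepare test cases from the whole list
dataType = formula.dataTypes[0]
if dataType not in _SEED_DIRS:
    print("ERROR: unknown data type: " + dataType)
    sys.exit(1)
aflInDir = os.path.join(rootDir, "testcases", _SEED_DIRS[dataType])

aflFuzzTarget = os.path.join(rootDir, formulaPath, fuzzTarget)
aflFuzzTargetParam = formula.targetParam + " @@"  # NOTE: afl replaces @@ with input file name
aflFuzzParam = formula.aflFuzzParam  # XXX faillback to empty string if unset (?) or rather, extend formulas from base formula?

# The three paths are single arguments and are quoted so that a rootDir
# containing spaces or shell metacharacters can neither split nor alter the
# command (shlex.quote leaves plain paths unchanged).  The two formula-supplied
# parameter strings may hold several options and are passed through verbatim.
fuzzCmd = (
    "afl-fuzz -i " + shlex.quote(aflInDir)
    + " -o " + shlex.quote(aflOutDir)
    + " " + aflFuzzParam
    + " " + shlex.quote(aflFuzzTarget)
    + " " + aflFuzzTargetParam
)

print("FUZZ # " + fuzzCmd)
passthru_command(fuzzCmd)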