Fuzzing command line arguments [argv]

Question

I have a binary I've been trying to fuzz with AFL, the only thing is AFL only fuzzes STDIN, and File inputs and this binary takes input through its arguments pass_read [input1] [input2]. I was wondering if there are any methods/fuzzers that allow fuzzing in this manner?

I don't not have the source code so making a harness is not really applicable.

Answer 1

Michal Zalewski, the creator of AFL, states in this post:

AFL doesn't support argv fuzzing, because TBH, it's just not horribly useful in practice. There is an example in experimental/argv_fuzzing/ showing how to do it in a general case if you really want to.

Link to the mentioned example on GitHub: https://github.com/google/AFL/tree/master/experimental/argv_fuzzing

There are some instructions in the file argv-fuzz-inl.h (haven't tried myself).

Answer 2

Bash only Solution

As an example, lets generate 10 random strings and store them in a file

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 10 > string-file.txt

Next, lets read 2 lines from string-file and pass it into our application

exec handle< string-file.txt

while read string1 <&handle ; do
        read string2 <&handle

        pass_read $line1 $line2 >> crash_file.txt
done

exec handle<&-

We then have any crashes stored within crash_file.txt for further analysis.

This may not be the most elegant solution, but perhaps you gives you an idea of some other possibilities if no tool necessarily fulfills the current requirements

Answer 3

I looked at the AFLplusplus repo on GitHub. Inside AFLplusplus/utils/argv_fuzzing/, there is a Makefile. If you run it, you will get a .so file (a shared library) that you can use to do argv fuzzing, even if you only have the binary. Obviously, you must use AFL_PRELOAD. You can read more in the README.