I’ve been a fan of lcamtuf for years and recently came across an awesome project of his named “american fuzzy lop”. The basic idea is that it mutates input files for the target application while monitoring the execution paths taken – or, more importantly, any crashes detected. Rather than just bruteforcing and hoping for results, it ends up navigating different logic paths in the app (e.g. once it has produced a valid image header, the mutations start reaching the code behind that check).
You’re supposed to use “instrumented” binaries, but it seems that might not be necessary if you’re willing to sacrifice performance: https://github.com/mothran/aflpin (useful when you don’t have the source code of the application you’re fuzzing).
Perhaps the easiest way to get started is with the docker image: https://github.com/ozzyjohnson/docker-afl (instructions on the page) – I kept getting an error about terminal size, which I resolved by running “bash” in docker, rather than the “afl” binary, and then running it manually:
sudo docker run -v ~/afl/afl-data:/data -it --rm ozzyjohnson/afl bash
afl-fuzz -i in_dir -o out_dir /opt/libjpeg-turbo/bin/djpeg
As per the documentation, to “instrument” a binary you need to compile the source code with AFL’s compiler wrappers (afl-gcc / afl-g++) in place of the normal compiler, eg:
CXX=/usr/local/bin/afl-g++ CC=/usr/local/bin/afl-gcc ./configure --disable-shared
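Pulling the steps above (seed corpus, instrumented build, fuzz run, crash triage) into one script, as an added example that is not part of the original post or of the AFL project. It assumes afl-gcc/afl-fuzz are on PATH (as they are inside the ozzyjohnson/afl container), uses the /opt/libjpeg-turbo/bin/djpeg path from the post, and the AFL_DEMO_RUN variable is a hypothetical switch of my own so the helper functions can be sourced without starting a fuzzing run:

```shell
#!/usr/bin/env bash
# Added example (not from the original post): helpers for a basic AFL session.
set -eu

# Write a minimal seed corpus. AFL works best from small valid inputs: a JPEG
# SOI marker plus a tiny APP0/JFIF header (a constructed seed, not a decodable
# image) gets the fuzzer past the "not a JPEG" check so its mutations reach the
# real decoder logic. Prints the number of seed files written.
make_seed_corpus() {
  dir="$1"
  mkdir -p "$dir"
  printf '\377\330\377\340\000\020JFIF\000\001\001\000\000\001\000\001\000\000' \
    > "$dir/seed1.jpg"
  ls "$dir" | wc -l | tr -d ' '
}

# Check whether a binary carries AFL instrumentation. afl-gcc's runtime embeds
# the shared-memory environment variable name "__AFL_SHM_ID", and afl-fuzz
# itself looks for that string before it will run a target. Returns 0 if found.
is_afl_instrumented() {
  grep -q '__AFL_SHM_ID' "$1"
}

# Build an autotools project with AFL's compiler wrappers (the post's configure line).
build_instrumented() {
  ( cd "$1" && CXX=/usr/local/bin/afl-g++ CC=/usr/local/bin/afl-gcc \
      ./configure --disable-shared && make )
}

# Start afl-fuzz. "@@" is replaced by the path of the current test case; without
# it afl-fuzz feeds the input on stdin, which is what the post's djpeg invocation relies on.
run_fuzz() {
  afl-fuzz -i "$1" -o "$2" -- "$3" @@
}

# Triage: count the crashing inputs afl-fuzz saved. Every file named id:* in
# out_dir/crashes is an input that killed the target; replay each one under a
# debugger or an ASan build to classify it. Prints the count (0 if none).
crash_count() {
  n=0
  for f in "$1"/crashes/id:*; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Optional end-to-end run (needs AFL installed): AFL_DEMO_RUN=1 ./afl-session.sh
if [ "${AFL_DEMO_RUN:-0}" = "1" ]; then
  make_seed_corpus in_dir >/dev/null
  run_fuzz in_dir out_dir /opt/libjpeg-turbo/bin/djpeg
  echo "crashes so far: $(crash_count out_dir)"
fi
```

If afl-fuzz refuses to start on Linux, the two most common first-run complaints are the terminal size error mentioned above and a core_pattern that pipes core dumps to an external utility; afl-fuzz checks /proc/sys/kernel/core_pattern and asks you to reset it before it will run.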
I have yet to find anything interesting, but it is a geeky kind of fun to play with 🙂
Quite a few bugs have already been found by afl: http://lcamtuf.coredump.cx/afl/#bugs