
3. The software

Fernando Arnaboldi edited this page Apr 9, 2018 · 4 revisions

This page describes how to define the pieces of software to be fuzzed in the file software.ini.

The file is organised in three columns:

  1. The first column defines the software category between brackets. Let's suppose that you want to fuzz command shells, so we can name the software category shells:

         [shells]

  2. The second column has four predefined possibilities:

    2.1. Type: how the information is going to be read by the program. If you don't specify anything, the default is CLI, which means that the input to be fuzzed is passed on the command line. Another possibility is File, which means that the contents to be fuzzed will be written into a file first; whenever you're fuzzing files, you may also want to specify the suffix of that file (see 2.3 below). Finally, the last possibility for the input is Stdin, as you would use it when piping information to another program.

    2.2. OS: it can be darwin, linux2, freebsd11 or win32.

    2.3. Suffix: the suffix used for files when the input type is set to File. We can easily fuzz command shells without files and suffixes, but to illustrate the point let's use them:

     Type = ["File"]
     OS = ["darwin", "linux2", "freebsd11"]
     Suffix = [".sh"]

    2.4. Filename: if the software to be fuzzed reads information from a certain static filename, you can define it in here. Don't forget to run the fuzzer with only 1 thread when using this.

  3. The third column defines the pieces of software to be fuzzed. If you want to fuzz mp3 files using mpg321 and mpg123, you can do it like this:

         Bash = ["bash", "-c", "-fuzzdata=echo $(([[test]]))"]
         Ksh = ["ksh",  "-c", "-fuzzdata=echo $(([[test]]))"]

    First we set the name of the software to be fuzzed (bash, dash, or ksh). Then we define, in an array, the command and options to be executed. There is a special option named -fuzzdata= that tells the fuzzer that the next piece of information is where the fuzzed test case will be placed. The [[test]] token will be replaced by a temporary file name containing a weird mp3 to fuzz the software in this example.

Putting all the pieces together

This is how you could define the software category shells to be fuzzed using the CLI:

# Sample fuzzing of shells
[shells]
    OS = ["darwin", "linux2", "freebsd11"]
        Bash = ["bash", "-c", "-fuzzdata=echo $(([[test]]))"]
        Ksh  = ["ksh",  "-c", "-fuzzdata=echo $(([[test]]))"]
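As an added example (not XDiFF's own parser), here is a small Python reader for the software.ini layout described above. It separates the four predefined settings from the software entries and resolves the -fuzzdata= marker and the [[test]] token for the CLI and File input types; the sample text is constructed here from the shells category above, and the Stdin and Filename cases are left out.

```python
import ast
import os
import tempfile

# Constructed sample in the layout this page describes (not the project's own file).
SAMPLE_INI = """\
# Sample fuzzing of shells
[shells]
    Type = ["File"]
    OS = ["darwin", "linux2", "freebsd11"]
    Suffix = [".sh"]
        Bash = ["bash", "-c", "-fuzzdata=echo $(([[test]]))"]
        Ksh  = ["ksh",  "-c", "-fuzzdata=echo $(([[test]]))"]
"""

SETTINGS = ("Type", "OS", "Suffix", "Filename")   # the four predefined keys
MARKER, TOKEN = "-fuzzdata=", "[[test]]"

def parse_software_ini(text):
    """Return {category: {"settings": {...}, "software": {name: argv}}}."""
    categories, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = categories.setdefault(line[1:-1], {"settings": {}, "software": {}})
            continue
        if current is None or "=" not in line:
            raise ValueError("line outside a [category] or missing '=': %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        value = ast.literal_eval(value)          # every value is a Python-style list
        if not isinstance(value, list):
            raise ValueError("%s must be a list, got %r" % (key, value))
        (current["settings"] if key in SETTINGS else current["software"])[key] = value
    return categories

def build_command(argv, settings, test_case, workdir=None):
    """Resolve -fuzzdata=: Type CLI (default) substitutes the test case into
    [[test]] inline; Type File writes it to a file named with Suffix and substitutes the path."""
    if settings.get("Type", ["CLI"])[0] == "File":
        fd, payload = tempfile.mkstemp(suffix=settings.get("Suffix", [""])[0], dir=workdir)
        with os.fdopen(fd, "w") as fh:
            fh.write(test_case)
    else:
        payload = test_case
    if not any(a.startswith(MARKER) for a in argv):
        raise ValueError("no %s argument in %r" % (MARKER, argv))
    return [a[len(MARKER):].replace(TOKEN, payload) if a.startswith(MARKER) else a
            for a in argv]
```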

What's next?

You want to run the fuzzer
