source: zzuf/trunk/doc/zzuf.1.in @ 4308

Last change on this file since 4308 was 4308, checked in by Sam Hocevar, 11 years ago

Properly document the -a flag.

File size: 19.0 KB
Line 
1.TH zzuf 1 "2010-01-31" "zzuf @PACKAGE_VERSION@"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-aAcdimnqSvx\fR]
6[\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR]
7[\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
8[\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-j\fR \fIjobs\fR]
9[\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-t\fR \fIseconds\fR]
10[\fB\-T\fR \fIseconds\fR] [\fB\-U\fR \fIseconds\fR] [\fB\-M\fR \fImebibytes\fR]
11[\fB\-b\fR \fIranges\fR] [\fB\-p\fR \fIports\fR] [\fB\-P\fR \fIprotect\fR]
12[\fB\-R\fR \fIrefuse\fR] [\fB\-l\fR \fIlist\fR] [\fB\-I\fR \fIinclude\fR]
13[\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fIARGS\fR]...]
14.br
15\fBzzuf \-h\fR | \fB\-\-help\fR
16.br
17\fBzzuf \-V\fR | \fB\-\-version\fR
18.SH DESCRIPTION
19.PP
20\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
21file and network operations and changing random bits in the program's input.
22\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
23.SH USAGE
24.PP
25\fBzzuf\fR will run an application specified on its command line, one or
26several times, with optional arguments, and will report the application's
27relevant behaviour on the standard error channel, eg:
28.PP
29\fB    zzuf cat /dev/zero\fR
30.PP
31Flags found after the application name are considered arguments for the
32application, not for \fBzzuf\fR. For instance, \fB\-v\fR below is an
33argument for \fBcat\fR:
34.PP
35\fB    zzuf \-B 1000 cat \-v /dev/zero\fR
36.PP
37When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
38if the \fBcat\fR utility had been called:
39.PP
40\fB    zzuf < /dev/zero\fR
41.SH OPTIONS
42.TP
43\fB\-a\fR, \fB\-\-allow\fR=\fIlist\fR
44Only fuzz network input for IPs in \fIlist\fR, a comma-separated list of
45IP addresses. If the list starts with \fB!\fR, the flag meaning is reversed
46and all addresses are fuzzed except the ones in the list.
47
48As of now, this flag only understands INET (IPv4) addresses.
49
50This option requires network fuzzing to be activated using \fB\-n\fR.
51.TP
52\fB\-A\fR, \fB\-\-autoinc\fR
53Increment random seed each time a new file is opened. This is only required
54if one instance of the application is expected to open the same file several
55times and you want to test a different seed each time.
56.TP
57\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
58Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
59
60Range values start at zero and are inclusive. Use dashes between range values
61and commas between ranges. If the right-hand part of a range is ommited, it
62means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
63all bytes after offset 31, use \(oq\fB\-b0,3\-5,31\-\fR\(cq.
64
65This option is useful to preserve file headers or corrupt only a specific
66portion of a file.
67.TP
68\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
69Automatically stop after \fIn\fR bytes have been output.
70
71This either terminates child processes that output more than \fIn\fR bytes
72on the standard output and standard error channels, or stop reading from
73standard input if no program is being fuzzed.
74
75This is useful to detect infinite loops. See also the \fB\-U\fR and \fB\-T\fR
76flags.
77.TP
78\fB\-c\fR, \fB\-\-cmdline\fR
79Only fuzz files whose name is specified in the target application's command
80line. This is mostly a shortcut to avoid specifying twice the argument:
81
82\fB    zzuf \-c cat file.txt\fR
83
84has the same effect as
85
86\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
87
88See the \fB\-I\fR flag for more information on restricting fuzzing to
89specific files.
90.TP
91\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
92Stop forking when at least \fIn\fR children have crashed. The default value
93is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A value
94of 0 tells \fBzzuf\fR to never stop.
95
96Note that \fBzzuf\fR will not kill any remaining children once \fIn\fR is
97reached. To ensure that processes do not last forever, see the \fB\-U\fR
98flag.
99
100A process is considered to have crashed if any signal (such as, but not limited
101to, \fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
102also include processes that exit with a non-zero status.
103
104This option is only relevant if the \fB\-s\fR flag is used with a range
105argument. See also the \fB\-t\fR flag.
106.TP
107\fB\-d\fR, \fB\-\-debug\fR
108Activate the display of debug messages. Can be specified multiple times for
109increased verbosity.
110.TP
111\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
112Do not launch more than one process every \fIdelay\fR seconds. This option
113should be used together with \fB\-j\fR to avoid fork bombs.
114.TP
115\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
116Do not fuzz files whose name matches the \fIregex\fR regular expression. This
117option supersedes anything that is specified by the \fB\-I\fR flag. Use this
118for instance if you are unsure of what files your application is going to read
119and do not want it to fuzz files in the \fB/etc\fR directory.
120
121Multiple \fB\-E\fR flags can be specified, in which case files matching any one
122of the regular expressions will be ignored.
123.TP
124\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
125Select how the input is fuzzed. Valid values for \fImode\fR are:
126.RS
127.TP
128\fBxor\fR
129randomly set and unset bits
130.TP
131\fBset\fR
132only set bits
133.TP
134\fBunset\fR
135only unset bits
136.RE
137.IP
138The default value for \fImode\fR is \fBxor\fR.
139.TP
140\fB\-j\fR, \fB\-\-jobs\fR=\fIjobs\fR
141Specify the number of simultaneous children that can be run. By default,
142\fBzzuf\fR only launches one process at a time.
143
144This option is only relevant if the \fB\-s\fR flag is used with a range
145argument. See also the \fB\-D\fR flag.
146.TP
147\fB\-i\fR, \fB\-\-stdin\fR
148Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
149.TP
150\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
151Only fuzz files whose name matches the \fIregex\fR regular expression. Use
152this for instance if your application reads configuration files at startup
153and you only want specific files to be fuzzed.
154
155Multiple \fB\-I\fR flags can be specified, in which case files matching any one
156of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
157.TP
158\fB\-l\fR, \fB\-\-list\fR=\fIlist\fR
159Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor
160will really be fuzzed only if N is in \fIlist\fR.
161
162Values start at 1 and ranges are inclusive. Use dashes between values and
163commas between ranges. If the right-hand part of a range is ommited, it means
164all subsequent file descriptors. For instance, to restrict fuzzing to the
165first opened descriptor and all descriptors starting from the 10th, use
166\(oq\fB\-l1,10\-\fR\(cq.
167
168Note that this option only affects file descriptors that would otherwise be
169fuzzed. Even if 10 write-only descriptors are opened at the beginning of the
170program, only the next descriptor with a read flag will be the first one
171considered by the \fB\-l\fR flag.
172.TP
173\fB\-m\fR, \fB\-\-md5\fR
174Instead of displaying the program's \fIstandard output\fR, just print its MD5
175digest to \fBzzuf\fR's standard output. The standard error channel is left
176untouched.
177.TP
178\fB\-M\fR, \fB\-\-max\-memory\fR=\fImebibytes\fR
179Specify the maximum amount of memory, in mebibytes (1 MiB = 1,048,576 bytes),
180that children are allowed to allocate. This is useful to detect infinite loops
181that eat up a lot of memory.
182
183The value should be set reasonably high so as not to interfer with normal
184program operation. By default, it is set to 1024 MiB in order to avoid
185accidental excessive swapping. To disable the limitation, set the maximum
186memory usage to -1 instead.
187
188\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
189relies on the operating system's ability to enforce such limitations.
190.TP
191\fB\-n\fR, \fB\-\-network\fR
192Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
193
194Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol
195families are not yet supported.
196.TP
197\fB\-p\fR, \fB\-\-ports\fR=\fIranges\fR
198Only fuzz network ports that are in \fIranges\fR. By default \fBzzuf\fR
199fuzzes all ports. The port considered is the listening port if the socket
200is listening and the destination port if the socket is connecting, because
201most of the time the source port cannot be predicted.
202
203Range values start at zero and are inclusive. Use dashes between range values
204and commas between ranges. If the right-hand part of a range is ommited, it
205means end of file. For instance, to restrict fuzzing to the HTTP and HTTPS
206ports and to all unprivileged ports, use \(oq\fB\-p80,443,1024\-\fR\(cq.
207
208This option requires network fuzzing to be activated using \fB\-n\fR.
209.TP
210\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
211Protect a list of characters so that if they appear in input data that would
212normally be fuzzed, they are left unmodified instead.
213
214Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
215The sequences interpreted by \fBzzuf\fR are:
216.RS
217.TP
218\fB\\n\fR
219new line
220.TP
221\fB\\r\fR
222return
223.TP
224\fB\\t\fR
225tabulation
226.TP
227\fB\\\fR\fINNN\fR
228the byte whose octal value is \fINNN\fR
229.TP
230\fB\\x\fR\fINN\fR
231the byte whose hexadecimal value is \fINN\fR
232.TP
233\fB\\\\\fR
234backslash (\(oq\\\(cq)
235.RE
236.IP
237You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
238bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
239
240The statistical outcome of this option should not be overlooked: if characters
241are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
242on the data being fuzzed. For instance, asking to fuzz 1% of input bits
243(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
244result in an actual average fuzzing ratio of 0.9% with truly random data,
2450.3% with random ASCII data and 0.2% with standard English text.
246
247See also the \fB\-R\fR flag.
248.TP
249\fB\-q\fR, \fB\-\-quiet\fR
250Hide the output of the fuzzed application. This is useful if the application
251is very verbose but only its exit code or signaled status is really useful to
252you.
253.TP
254\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
255.PD 0
256.TP
257\fB\-r\fR, \fB\-\-ratio\fR=\fImin:max\fR
258.PD
259Specify the proportion of bits that will be randomly fuzzed. A value of 0
260will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
261bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
262the input files undiscernible from random data. The default fuzzing ratio
263is 0.004 (fuzz 0.4% of the files' bits).
264
265A range can also be specified. When doing so, \fBzzuf\fR will pick ratio
266values from the interval. The choice is deterministic and only depends on
267the interval bounds and the current seed.
268.TP
269\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
270Refuse a list of characters by not fuzzing bytes that would otherwise be
271changed to a character that is in \fIlist\fR. This does not prevent characters
272from appearing in the output if the original byte was already in \fIlist\fR.
273
274See the \fB\-P\fR option for a description of \fIlist\fR.
275.TP
276\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
277.PD 0
278.TP
279\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
280.PD
281Specify the random seed to use for fuzzing, or a range of random seeds.
282Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
283the same way, even with a different target application. The purpose of this is
284to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
285causes the target application to crash.
286
287If a range is specified, \fBzzuf\fR will run the application several times,
288each time with a different seed, and report the behaviour of each run. If the
289\(oq:\(cq character is used but the second part of the range is omitted,
290\fBzzuf\fR will increment the seed value indefinitely.
291.TP
292\fB\-S\fR, \fB\-\-signal\fR
293Prevent children from installing signal handlers for signals that usually
294cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
295\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
296platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
297\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
298simply crash. If you do not want core dumps, you should set appropriate limits
299with the \fBlimit coredumpsize\fR command. See your shell's documentation on
300how to set such limits.
301.TP
302\fB\-t\fR, \fB\-\-max\-time\fR=\fIn\fR
303Stop forking after \fIn\fR seconds. By default, \fBzzuf\fR runs until the
304end of the seed range is reached.
305
306Note that \fBzzuf\fR will not kill any remaining children once \fIn\fR is
307reached. To ensure that processes do not last forever, see the \fB\-U\fR
308flag.
309
310This option is only relevant if the \fB\-s\fR flag is used with a range
311argument. See also the \fB\-C\fR flag.
312.TP
313\fB\-T\fR, \fB\-\-max\-cputime\fR=\fIn\fR
314Automatically terminate child processes that use more than \fIn\fR seconds
315of CPU time.
316
317\fBzzuf\fR uses the \fBsetrlimit\fR() call to set CPU usage limitations and
318relies on the operating system's ability to enforce such limitations. If the
319system sends \fBSIGXCPU\fR signals and the application catches that signal,
320it will receive a \fBSIGKILL\fR signal after 5 seconds.
321
322This is more accurate than \fB\-U\fR because the behaviour should be
323independent from the system load, but it does not detect processes stuck into
324infinite \fBselect\fR() calls because they use very little CPU time. See also
325the \fB\-B\fR and \fB\-U\fR flags.
326.TP
327\fB\-U\fR, \fB\-\-max\-usertime\fR=\fIn\fR
328Automatically terminate child processes that run for more than \fIn\fR
329seconds. This is useful to detect infinite loops or processes stuck in other
330situations. See also the \fB\-B\fR and \fB\-T\fR flags.
331.TP
332\fB\-v\fR, \fB\-\-verbose\fR
333Print information during the run, such as the current seed, what processes
334get run, their exit status, etc.
335.TP
336\fB\-x\fR, \fB\-\-check\-exit\fR
337Report processes that exit with a non-zero status. By default only processes
338that crash due to a signal are reported.
339.TP
340\fB\-h\fR, \fB\-\-help\fR
341Display a short help message and exit.
342.TP
343\fB\-V\fR, \fB\-\-version\fR
344Output version information and exit.
345.SH DIAGNOSTICS
346.PP
347Exit status is zero if no child process crashed. If one or several children
348crashed, \fBzzuf\fR exits with status 1.
349.SH EXAMPLES
350.PP
351Fuzz the input of the \fBcat\fR program using default settings:
352.PP
353\fB    zzuf cat /etc/motd\fR
354.PP
355Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
356.PP
357\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
358.PP
359Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
360and prevent non-ASCII characters from appearing in the output:
361.PP
362\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
363.PP
364Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
365original input and excluding \fB.xml\fR files from fuzzing (because
366\fBconvert\fR will also open its own XML configuration files and we do not
367want \fBzzuf\fR to fuzz them):
368.PP
369\fB    zzuf \-E \(aq\\.xml$\(aq convert foo.jpeg \-format tga /dev/null\fR
370.PP
371Fuzz the input of VLC, using file \fBmovie.avi\fR as the original input
372and restricting fuzzing to filenames that appear on the command line
373(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
374can be read by VLC to reproduce the same behaviour without using
375\fBzzuf\fR:
376.PP
377\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
378.br
379\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
380.br
381\fB    vlc fuzzy\-movie.avi\fR
382.PP
383Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
384with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
385by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
386standard output messages (\fB\-q\fR), launching up to five simultaneous child
387processes (\fB\-j5\fR) but waiting at least half a second between launches
388(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
389read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
390(\fB\-S\fR):
391.PP
392\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-j5 \-D0.5 \-T60 \-S \\\fR
393.br
394\fB      mplayer \-benchmark \-vo null \-fps 1000 movie.avi\fR
395.PP
396A more advanced VLC fuzzing example, stopping only at the first crash:
397.PP
398\fB    zzuf \-j4 \-vqc \-r0.000001:0.01 \-s0: vlc \-v \-I dummy movie.avi \\\fR
399.br
400\fB       \-\-sout \(aq#transcode{acodec=s16l,vcodec=I420}:dummy\(aq vlc:quit
401.PP
402Create an HTML-like file that loads 200 times the same \fBhello.jpg\fR image
403and open it in Firefox\(tm in auto-increment mode (\fB\-A\fR):
404.PP
405\fB    seq \-f \(aq<img src="hello.jpg#%g">\(aq 1 200 > hello.html\fR
406.br
407      (or: \fBjot \-w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
408.br
409\fB    zzuf \-A \-I \(aqhello[.]jpg\(aq \-r0.001 firefox hello.html\fR
410.PP
411Run a simple HTTP redirector on the local host using \fBsocat\fR and
412corrupt each network connection (\fB\-n\fR) in a different way (\fB\-A\fR)
413after one megabyte of data was received on it (\fB\-b1000000\-\fR):
414.PP
415\fB     zzuf \-n \-A \-b1000000\- \\\fR
416\fB       socat TCP4\-LISTEN:8080,reuseaddr,fork TCP4:192.168.1.42:80\fR
417.PP
418Browse the intarweb (\fB\-n\fR) using Firefox\(tm without fuzzing local files
419(\fB\-E.\fR) or non-HTTP connections (\fB\-p80,8010,8080\fR), preserving
420the beginning of the data sent with each HTTP response (\fB\-b4000\-\fR)
421and using another seed on each connection (\fB\-A\fR):
422.PP
423\fB    zzuf \-r 0.0001 \-n \-E. \-p80,8010,8080 \-b4000\- \-A firefox\fR
424.SH RESTRICTIONS
425.PP
426Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
427\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
428processes, it will fail in the presence of any mechanism that disables
429preloading. For instance setuid root binaries will not be fuzzed when run
430as an unprivileged user.
431.PP
432For the same reasons, \fBzzuf\fR will also not work with statically linked
433binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
434where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
435.PP
436Though best efforts are made, identical behaviour for different versions of
437\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
438different operating systems and with different target programs is only
439guaranteed when the same version of \fBzzuf\fR is being used.
440.SH BUGS
441.PP
442\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
443.PP
444It is not yet possible to insert or drop bytes from the input, to fuzz
445according to the file format, to swap bytes, etc. More advanced fuzzing
446methods are planned.
447.PP
448As of now, \fBzzuf\fR does not really support multithreaded applications. The
449behaviour with multithreaded applications where more than one thread does file
450descriptor operations is undefined.
451.SH HISTORY
452.PP
453\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
454multimedia stream corrupter used to find bugs in the VLC media player.
455.SH SEE ALSO
456.PP
457\fBlibzzuf(3)\fR, \fBzzcat(1)\fR
458.SH AUTHOR
459.PP
460Copyright \(co 2002\-2010 Sam Hocevar <sam@hocevar.net>.
461.PP
462\fBzzuf\fR and this manual page are free software. They come without any
463warranty, to the extent permitted by applicable law. You can redistribute
464them and/or modify them under the terms of the Do What The Fuck You Want
465To Public License, Version 2, as published by Sam Hocevar. See
466\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
467.PP
468\fBzzuf\fR's webpage can be found at \fBhttp://caca.zoy.org/wiki/zzuf\fR.
469An overview of the architecture and inner works is at
470\fBhttp://caca.zoy.org/wiki/zzuf/internals\fR.
Note: See TracBrowser for help on using the repository browser.