source: zzuf/trunk/doc/zzuf.1 @ 2322

Last change on this file since 2322 was 2322, checked in by Sam Hocevar, 14 years ago
  • Update copyright and homepage in the manual page.
File size: 18.8 KB
[1507]1.TH zzuf 1 "2006-12-22" "zzuf"
3zzuf \- multiple purpose fuzzer
[1705]5\fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
[1720]7       [\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
[1860]9       [\fB\-t\fR \fIseconds\fR] [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-p\fR \fIports\fR]
[1860]11       [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR] [\fB\-l\fR \fIlist\fR] [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR]
[1793]13       [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
[1539]15\fBzzuf \-h\fR | \fB\-\-help\fR
[1666]17\fBzzuf \-V\fR | \fB\-\-version\fR
[1656]20\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
[1569]21file and network operations and changing random bits in the program's input.
[1656]22\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
[1507]23.SH USAGE
[1656]25\fBzzuf\fR will run an application specified on its command line, one or
[1539]26several times, with optional arguments, and will report the application's
[1669]27relevant behaviour on the standard error channel, eg:
[1559]29\fB    zzuf cat /dev/zero\fR
[1559]31If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
[1557]32marker before them on the command line (otherwise \fBzzuf\fR will try to
33interpret them as arguments for itself), eg:
[1633]35\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
37When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
38if the \fBcat\fR utility had been called:
40\fB    zzuf < /dev/zero\fR
[1507]41.SH OPTIONS
[1663]43\fB\-A\fR, \fB\-\-autoinc\fR
44Increment random seed each time a new file is opened. This is only required
[1672]45if one instance of the application is expected to open the same file several
46times and you want to test a different seed each time.
[1705]48\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
49Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
51Range values start at zero and are inclusive. Use dashes between range values
52and commas between ranges. If the right-hand part of a range is ommited, it
53means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
[1865]54all bytes after offset 31, use \(oq\fB\-r0,3\-5,31\-\fR\(cq.
56This option is useful to preserve file headers or corrupt only a specific
57portion of a file.
[1633]59\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
60Automatically terminate child processes that output more than \fIn\fR bytes
61on the standard output and standard error channels. This is useful to detect
[1803]62infinite loops. See also the \fB\-t\fR and \fB\-T\fR flags.
[1539]64\fB\-c\fR, \fB\-\-cmdline\fR
[1529]65Only fuzz files whose name is specified in the target application's command
[1647]66line. This is mostly a shortcut to avoid specifying twice the argument:
68\fB    zzuf \-c cat file.txt\fR
70has the same effect as
72\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
[1569]74See the \fB\-I\fR flag for more information on restricting fuzzing to
75specific files.
[1573]77\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
78Stop forking when at least \fIn\fR children have crashed. The default value
79is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A process
80is considered to have crashed if any signal (such as, but not limited to,
[1634]81\fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
82also include processes that exit with a non-zero status.
[1673]84This option is only relevant if the \fB\-s\fR flag is used with a range
[1539]87\fB\-d\fR, \fB\-\-debug\fR
[1531]88Activate the display of debug messages.
[1660]90\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
91Do not launch more than one process every \fIdelay\fR seconds. This option
92should be used together with \fB\-F\fR to avoid fork bombs.
[1539]94\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
95Do not fuzz files whose name matches the \fIregex\fR regular expression. This
96option supersedes anything that is specified by the \fB\-I\fR flag. Use this
97for instance if you are unsure of what files your application is going to read
98and do not want it to fuzz files in the \fB/etc\fR directory.
[1539]100Multiple \fB\-E\fR flags can be specified, in which case files matching any one
101of the regular expressions will be ignored.
[1720]103\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
104Select how the input is fuzzed. Valid values for \fImode\fR are:
108randomly set and unset bits
111only set bits
114only unset bits
117The default value for \fImode\fR is \fBxor\fR.
[1607]119\fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
[1573]120Specify the number of simultaneous children that can be run.
[1673]122This option is only relevant if the \fB\-s\fR flag is used with a range
[1660]123argument. See also the \fB\-D\fR flag.
[1539]125\fB\-i\fR, \fB\-\-stdin\fR
126Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
[1539]128\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
129Only fuzz files whose name matches the \fIregex\fR regular expression. Use
130this for instance if your application reads configuration files at startup
131and you only want specific files to be fuzzed.
[1539]133Multiple \fB\-I\fR flags can be specified, in which case files matching any one
134of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
[1860]136\fB\-l\fR, \fB\-\-list\fR=\fIlist\fR
137Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor
138will really be fuzzed only if N is in \fIlist\fR.
140Values start at one and ranges are inclusive. Use dashes between values and
141commas between ranges. If the right-hand part of a range is ommited, it means
142all subsequent file descriptors. For instance, to restrict fuzzing to the
143first opened descriptor and all descriptors starting from the 10th, use
146Note that this option only affects file descriptors that would otherwise be
147fuzzed. Even if 10 write-only descriptors are opened at the beginning of the
148program, only the next descriptor with a read flag will be the first one
[1865]149considered by the \fB\-l\fR flag.
[1640]151\fB\-m\fR, \fB\-\-md5\fR
[1680]152Instead of displaying the program's \fIstandard output\fR, just print its MD5
153digest to \fBzzuf\fR's standard output. The standard error channel is left
[1865]156\fB\-M\fR, \fB\-\-max\-memory\fR=\fImegabytes\fR
[1641]157Specify the maximum amount of memory, in megabytes, that children are allowed
158to allocate. This is useful to detect infinite loops that eat up a lot of
159memory. The value should set reasonably high so as not to interfer with normal
160program operation.
[1656]162\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
[1741]163relies on the operating system's ability to enforce such limitations.
[1562]165\fB\-n\fR, \fB\-\-network\fR
[1560]166Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
168Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol
169families are not yet supported.
[1860]171\fB\-p\fR, \fB\-\-ports\fR=\fIranges\fR
172Only fuzz network ports that are in \fIranges\fR. By default \fBzzuf\fR
173fuzzes all ports. The port considered is the listening port if the socket
174is listening and the destination port if the socket is connecting, because
175most of the time the source port cannot be predicted.
[1860]177Range values start at zero and are inclusive. Use dashes between range values
178and commas between ranges. If the right-hand part of a range is ommited, it
179means end of file. For instance, to restrict fuzzing to the HTTP and HTTPS
[1865]180ports and to all unprivileged ports, use \(oq\fB\-p80,443,1024\-\fR\(cq.
[1860]182This option requires network fuzzing to be activated using \fB\-n\fR.
[1554]184\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
185Protect a list of characters so that if they appear in input data that would
186normally be fuzzed, they are left unmodified instead.
188Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
189The sequences interpreted by \fBzzuf\fR are:
193new line
202the byte whose octal value is \fINNN\fR
205the byte whose hexadecimal value is \fINN\fR
[1559]208backslash (\(oq\\\(cq)
[1607]211You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
[1705]212bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
[1563]214The statistical outcome of this option should not be overlooked: if characters
215are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
216on the data being fuzzed. For instance, asking to fuzz 1% of input bits
[1705]217(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
[1563]218result in an actual average fuzzing ratio of 0.9% with truly random data,
2190.3% with random ASCII data and 0.2% with standard English text.
[1555]221See also the \fB\-R\fR flag.
[1539]223\fB\-q\fR, \fB\-\-quiet\fR
[1531]224Hide the output of the fuzzed application. This is useful if the application
[1532]225is very verbose but only its exit code or signaled status is really useful to
[1539]228\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
[1672]229.PD 0
[1698]231\fB\-r\fR, \fB\-\-ratio\fR=\fImin:max\fR
[1557]233Specify the proportion of bits that will be randomly fuzzed. A value of 0
[1531]234will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
235bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
236the input files undiscernible from random data. The default fuzzing ratio
237is 0.004 (fuzz 0.4% of the files' bits).
[1673]239A range can also be specified. When doing so, \fBzzuf\fR will pick ratio
[1698]240values from the interval. The choice is deterministic and only depends on
241the interval bounds and the current seed.
[1555]243\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
244Refuse a list of characters by not fuzzing bytes that would otherwise be
[1865]245changed to a character that is in \fIlist\fR. This does not prevent characters
246from appearing in the output if the original byte was already in \fIlist\fR.
248See the \fB\-P\fR option for a description of \fIlist\fR.
[1539]250\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
[1531]251.PD 0
[1539]253\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
[1673]255Specify the random seed to use for fuzzing, or a range of random seeds.
[1539]256Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
257the same way, even with a different target application. The purpose of this is
258to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
259causes the target application to crash.
[1673]261If a range is specified, \fBzzuf\fR will run the application several times,
[1539]262each time with a different seed, and report the behaviour of each run.
[1539]264\fB\-S\fR, \fB\-\-signal\fR
[1532]265Prevent children from installing signal handlers for signals that usually
[1539]266cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
267\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
268platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
269\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
270simply crash. If you do not want core dumps, you should set appropriate limits
271with the \fBlimit coredumpsize\fR command. See your shell's documentation on
272how to set such limits.
[1800]274\fB\-t\fR, \fB\-\-max\-time\fR=\fIn\fR
[1539]275Automatically terminate child processes that run for more than \fIn\fR
[1531]276seconds. This is useful to detect infinite loops or processes stuck in other
[1803]277situations. See also the \fB\-B\fR and \fB\-T\fR flags.
[1803]279\fB\-T\fR, \fB\-\-max\-cpu\fR=\fIn\fR
280Automatically terminate child processes that use more than \fIn\fR seconds
281of CPU time.
283\fBzzuf\fR uses the \fBsetrlimit\fR() call to set CPU usage limitations and
284relies on the operating system's ability to enforce such limitations. If the
285system sends \fBSIGXCPU\fR signals and the application catches that signal,
286it will receive a \fBSIGKILL\fR signal after 5 seconds.
288This is more accurate than \fB\-t\fR because the behaviour should be
289independent from the system load, but it does not detect processes stuck into
290infinite \fBselect\fR() calls because they use very little CPU time. See also
291the \fB\-B\fR and \fB\-t\fR flags.
[1667]293\fB\-v\fR, \fB\-\-verbose\fR
294Print information during the run, such as the current seed, what processes
295get run, their exit status, etc.
[1634]297\fB\-x\fR, \fB\-\-check\-exit\fR
298Report processes that exit with a non-zero status. By default only processes
299that crash due to a signal are reported.
[1554]301\fB\-h\fR, \fB\-\-help\fR
302Display a short help message and exit.
[1666]304\fB\-V\fR, \fB\-\-version\fR
[1507]305Output version information and exit.
308Exit status is zero if no child process crashed. If one or several children
309crashed, \fBzzuf\fR exits with status 1.
[1507]310.SH EXAMPLES
312Fuzz the input of the \fBcat\fR program using default settings:
[1559]314\fB    zzuf cat /etc/motd\fR
316Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
[1705]318\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
[1569]320Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
[1555]321and prevent non-ASCII characters from appearing in the output:
[1607]323\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
[1539]325Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
326original input and excluding \fB.xml\fR files from fuzzing (because
327\fBconvert\fR will also open its own XML configuration files and we do not
328want \fBzzuf\fR to fuzz them):
[1607]330\fB    zzuf \-E \(aq\\.xml$\(aq convert \-\- foo.jpeg \-format tga /dev/null\fR
[1682]332Fuzz the input of VLC, using file \fBmovie.avi\fR as the original input
[1539]333and restricting fuzzing to filenames that appear on the command line
[1607]334(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
[1682]335can be read by VLC to reproduce the same behaviour without using
[1705]338\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
[1705]340\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
[1607]342\fB    vlc fuzzy\-movie.avi\fR
[1705]344Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
345with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
346by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
347standard output messages (\fB\-q\fR), launching up to five simultaneous child
348processes (\fB\-F5\fR) but waiting at least half a second between launches
349(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
350read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
[1705]353\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-F5 \-D0.5 \-T60 \-S \\\fR
[1607]355\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
[1682]357Create an HTML-like file that loads 200 times the same \fBhello.jpg\fR image
358and open it in Firefox\(tm in auto-increment mode (\fB\-A\fR):
[1865]360\fB    seq \-f \(aq<img src="hello.jpg#%g">\(aq 1 200 > hello.html\fR
[1865]362      (or: \fBjot \-w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
[1865]364\fB    zzuf \-A \-I \(aqhello[.]jpg\(aq \-r0.001 firefox hello.html\fR
366Run a simple HTTP redirector on the local host using \fBsocat\fR and
367corrupt each network connection (\fB\-n\fR) in a different way (\fB\-A\fR)
368after one megabyte of data was received on it (\fB\-b1000000\-\fR):
370\fB     zzuf \-n \-A \-b1000000\- \\\fR
[1865]371\fB       socat TCP4\-LISTEN:8080,reuseaddr,fork TCP4:\fR
373Browse the intarweb (\fB\-n\fR) using Firefox\(tm without fuzzing local files
374(\fB\-E.\fR) or non-HTTP connections (\fB\-p80,8010,8080\fR), preserving
375the beginning of the data sent with each HTTP response (\fB\-b4000\-\fR)
376and using another seed on each connection (\fB\-A\fR):
378\fB    zzuf \-r 0.0001 \-n \-E. \-p80,8010,8080 \-b4000\- \-A firefox\fR
[1641]381Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
382\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
[1557]383processes, it will fail in the presence of any mechanism that disables
384preloading. For instance setuid root binaries will not be fuzzed when run
[1569]385as an unprivileged user.
[1597]387For the same reasons, \fBzzuf\fR will also not work with statically linked
388binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
389where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
[1569]391Though best efforts are made, identical behaviour for different versions of
392\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
393different operating systems and with different target programs is only
394guaranteed when the same version of \fBzzuf\fR is being used.
[1656]397\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
[1557]399It is not yet possible to insert or drop bytes from the input, to fuzz
[1569]400according to the file format, to swap bytes, etc. More advanced fuzzing
401methods are planned.
403As of now, \fBzzuf\fR does not really support multithreaded applications. The
[1557]404behaviour with multithreaded applications where more than one thread does file
[1569]405descriptor operations is undefined.
[1641]407In order to intercept file and network operations, signal handlers and memory
408allocations, \fBzzuf\fR diverts and reimplements the following functions,
409which can be private libc symbols, too:
[1579]411Unix file descriptor handling:
[2320]412\fBopen\fR(), \fBdup\fR(), \fBdup2\fR(), \fBlseek\fR(), \fBread\fR(),
413\fBreadv\fR(), \fBpread\fR(), \fBaccept\fR(), \fBsocket\fR(), \fBrecv\fR(),
414\fBrecvfrom\fR(), \fBrecvmsg\fR(), \fBaio_read\fR(), \fBaio_return\fR(),
417Standard IO streams:
[1619]418\fBfopen\fR(), \fBfreopen\fR(), \fBfseek\fR(), \fBfseeko\fR(), \fBrewind\fR(),
419\fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(), \fBfgets\fR(), \fBungetc\fR(),
[1641]422Memory management:
423\fBmmap\fR(), \fBmunmap\fR(), \fBmalloc\fR(), \fBcalloc\fR(), \fBvalloc\fR(),
[1645]424\fBfree\fR(), \fBmemalign\fR(), \fBposix_memalign\fR()
427\fBopen64\fR(), \fBlseek64\fR(), \fBmmap64\fR(), \fB_IO_getc\fR(),
428\fBgetline\fR(), \fBgetdelim\fR(), \fB__getdelim\fR()
[1616]431\fBfgetln\fR(), \fB__srefill\fR()
[1631]433Mac OS X-specific:
[1570]436Signal handling:
437\fBsignal\fR(), \fBsigaction\fR()
[1575]439If an application manipulates file descriptors (reading data, seeking around)
440using functions that are not in that list, \fBzzuf\fR will not fuzz its
441input consistently and the results should not be trusted. You can use a tool
442such as \fBltrace(1)\fR on Linux to know the missing functions.
[1620]444On BSD systems, such as FreeBSD or Mac OS X, \fB__srefill\fR() is enough to
445monitor all standard IO streams functions. On other systems, such as Linux,
446each function is reimplemented on a case by case basis. One important
447unimplemented function is \fBfscanf\fR(), because of its complexity. Missing
448functions will be added upon user request.
[1563]449.SH HISTORY
[1656]451\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
[1682]452multimedia stream corrupter used to find bugs in the VLC media player.
[1507]453.SH AUTHOR
[2322]455Copyright \(co 2002, 2007\-2008 Sam Hocevar <>.
[1656]457\fBzzuf\fR and this manual page are free software. They come without any
[1539]458warranty, to the extent permitted by applicable law. You can redistribute
459them and/or modify them under the terms of the Do What The Fuck You Want
460To Public License, Version 2, as published by Sam Hocevar. See
461\fB\fR for more details.
[2322]463\fBzzuf\fR's webpage can be found at \fB\fR.
Note: See TracBrowser for help on using the repository browser.