source: zzuf/trunk/doc/zzuf.1 @ 1554

Last change on this file since 1554 was 1554, checked in by Sam Hocevar, 14 years ago
  • Implement -P / --protect.
File size: 8.4 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdiqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
6.br
7              [\fB\-F\fR \fIchildren\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
8.br
9              [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] \fICOMMAND\fR [\fIARGS\fR]...
10.br
11\fBzzuf \-h\fR | \fB\-\-help\fR
12.br
13\fBzzuf \-v\fR | \fB\-\-version\fR
14.SH DESCRIPTION
15.PP
16\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting
17file operations and changing random bits in the program's input. \fBZzuf\fR's
18behaviour is deterministic, making it easy to reproduce bugs.
19.SH USAGE
20.PP
21\fBZzuf\fR will run an application specified on its command line, one or
22several times, with optional arguments, and will report the application's
23behaviour on the standard output.
24.PP
25If you want to specify arguments for your application, put a \fB\-\-\fR
26marker before them on the command line, or \fBzzuf\fR will try to interpret
27them as arguments for itself.
28.SH OPTIONS
29.TP
30\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
31Automatically terminate child processes that output more than \fIn\fR bytes
32on the standard output and standard error channels. This is useful to detect
33infinite loops. See also the \fB\-T\fR flag.
34.TP
35\fB\-c\fR, \fB\-\-cmdline\fR
36Only fuzz files whose name is specified in the target application's command
37line. This is mostly a shortcut to avoid specifiying twice the argument:
38\fBzzuf \-c cat file.txt\fR has the same effect as \fBzzuf \-I
39\(dq^file\\.txt$\(dq cat file.txt\fR. See the \fB\-I\fR flag for more
40information.
41.TP
42\fB\-d\fR, \fB\-\-debug\fR
43Activate the display of debug messages.
44.TP
45\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
46Do not fuzz files whose name matches the \fIregex\fR regular expression. This
47option supersedes anything that is specified by the \fB\-I\fR flag. Use this
48for instance if you are unsure of what files your application is going to read
49and do not want it to fuzz files in the \fB/etc\fR directory.
50
51Multiple \fB\-E\fR flags can be specified, in which case files matching any one
52of the regular expressions will be ignored.
53.TP
54\fB\-F\fR, \fB\-\-fork\fR=\fIchildren\fR
55Specify the number of simultaneous children that can be run. This option is
56only useful if the \fB\-s\fR flag is used with an interval argument.
57.TP
58\fB\-i\fR, \fB\-\-stdin\fR
59Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
60.TP
61\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
62Only fuzz files whose name matches the \fIregex\fR regular expression. Use
63this for instance if your application reads configuration files at startup
64and you only want specific files to be fuzzed.
65
66Multiple \fB\-I\fR flags can be specified, in which case files matching any one
67of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
68.TP
69\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
70Protect a list of characters so that if they appear in input data that would
71normally be fuzzed, they are left unmodified instead.
72
73Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
74The sequences interpreted by \fBzzuf\fR are:
75.RS
76.TP
77\fB\\n\fR
78new line
79.TP
80\fB\\r\fR
81return
82.TP
83\fB\\t\fR
84tabulation
85.TP
86\fB\\0\fR
87the null character
88.TP
89\fB\\x\fR\fINN\fR
90the byte whose hexadecimal value is \fINN\fR
91.TP
92\fB\\\\\fR
93backslash ('\\')
94.RE
95.IP
96You can use '\fB-\fR' to specify ranges. For instance, to protect all bytes
97from '\fB\\x01\fR' to ' ', use \fB\-P \(dq\\x01- \(dq\fR.
98.TP
99\fB\-q\fR, \fB\-\-quiet\fR
100Hide the output of the fuzzed application. This is useful if the application
101is very verbose but only its exit code or signaled status is really useful to
102you.
103.TP
104\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
105Specify the amount of bits that will be randomly fuzzed. A value of 0
106will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
107bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
108the input files undiscernible from random data. The default fuzzing ratio
109is 0.004 (fuzz 0.4% of the files' bits).
110.TP
111\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
112.PD 0
113.TP
114\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
115.PD
116Specify the random seed to use for fuzzing, or an interval of random seeds.
117Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
118the same way, even with a different target application. The purpose of this is
119to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
120causes the target application to crash.
121
122If an interval is specified, \fBzzuf\fR will run the application several times,
123each time with a different seed, and report the behaviour of each run.
124.TP
125\fB\-S\fR, \fB\-\-signal\fR
126Prevent children from installing signal handlers for signals that usually
127cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
128\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
129platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
130\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
131simply crash. If you do not want core dumps, you should set appropriate limits
132with the \fBlimit coredumpsize\fR command. See your shell's documentation on
133how to set such limits.
134.TP
135\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
136Automatically terminate child processes that run for more than \fIn\fR
137seconds. This is useful to detect infinite loops or processes stuck in other
138situations. See also the \fB\-B\fR flag.
139.TP
140\fB\-h\fR, \fB\-\-help\fR
141Display a short help message and exit.
142.TP
143\fB\-v\fR, \fB\-\-version\fR
144Output version information and exit.
145.SH EXAMPLES
146.PP
147Fuzz the input of the \fBcat\fR program using default settings:
148.PP
149.RS
150.nf
151\fB# zzuf cat /etc/motd\fR
152.fi
153.RE
154.PP
155Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
156.PP
157.RS
158.nf
159\fB# zzuf -s 94324 -r 0.01 cat /etc/motd\fR
160.fi
161.RE
162.PP
163Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
164original input and excluding \fB.xml\fR files from fuzzing (because
165\fBconvert\fR will also open its own XML configuration files and we do not
166want \fBzzuf\fR to fuzz them):
167.PP
168.RS
169.nf
170\fB# zzuf -E \(dq\\.xml$\(dq convert -- foo.jpeg -format tga /dev/null\fR
171.fi
172.RE
173.PP
174Fuzz the input of \fBvlc\fR, using file \fBmovie.avi\fR as the original input
175and restricting fuzzing to filenames that appear on the command line
176(\fB\-c\fR), then generate \fBfuzzy-movie.avi\fR which is a file that can
177be read by \fBvlc\fR to reproduce the same behaviour without using \fBzzuf\fR:
178.PP
179.RS
180.nf
181\fB# zzuf -c -s 87423 -r 0.01 vlc movie.avi\fR
182\fB# zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR
183\fB# vlc fuzzy-movie.avi\fR
184.fi
185.RE
186.PP
187Fuzz 2% of \fBmplayer\fR's input bits (\fB\-r 0.02\fR) with seeds 0 to 9999
188(\fB\-s 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
189launching up to three simultaneous child processes (\fB\-F 3\fR), killing
190\fBmplayer\fR if it takes more than one minute to read the file (\fB\-T 60\fR)
191and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
192.PP
193.RS
194.nf
195\fB# zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 \\\fR
196\fB    mplayer movie.avi -- -benchmark -vo null -fps 1000\fR
197.fi
198.RE
199.SH BUGS
200.PP
201Only the most common file operations are implemented as of now: \fBopen\fR(),
202\fBread\fR(), \fBfopen\fR(), \fBfseek\fR(), etc. One important unimplemented
203function is \fBfscanf\fR().
204.PP
205Network fuzzing is not implemented. It is not yet possible to insert or
206drop bytes from the input, to fuzz according to the file format, or to do
207all these complicated operations. They are planned, though.
208.PP
209Due to \fBzzuf\fR using \fBLD_PRELOAD\fR to run its child processes, it will
210fail in the presence of any mechanism that disables preloading. For instance
211setuid root binaries will not be fuzzed when run as an unprivileged user.
212.PP
213As of now, \fBzzuf\fR does not really support multithreaded applications. The
214behaviour with multithreaded applications where more than one thread do file
215descriptor operations is undefined.
216.SH AUTHOR
217.PP
218Copyright \(co 2006, 2007 Sam Hocevar <sam@zoy.org>.
219.PP
220\fBZzuf\fR and this manual page are free software. They come without any
221warranty, to the extent permitted by applicable law. You can redistribute
222them and/or modify them under the terms of the Do What The Fuck You Want
223To Public License, Version 2, as published by Sam Hocevar. See
224\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
225.PP
226\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.