source: zzuf/trunk/doc/zzuf.1 @ 1555

Last change on this file since 1555 was 1555, checked in by Sam Hocevar, 14 years ago
  • Implemented -R / --refuse.
File size: 9.0 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdiqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
6.br
7              [\fB\-F\fR \fIchildren\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
8.br
9              [\fB\-P\fR \fIlist\fR] [\fB\-R\fR \fIlist\fR]
10.br
11              [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] \fICOMMAND\fR [\fIARGS\fR]...
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-v\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting
19file operations and changing random bits in the program's input. \fBZzuf\fR's
20behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBZzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25behaviour on the standard output.
26.PP
27If you want to specify arguments for your application, put a \fB\-\-\fR
28marker before them on the command line, or \fBzzuf\fR will try to interpret
29them as arguments for itself.
30.SH OPTIONS
31.TP
32\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
33Automatically terminate child processes that output more than \fIn\fR bytes
34on the standard output and standard error channels. This is useful to detect
35infinite loops. See also the \fB\-T\fR flag.
36.TP
37\fB\-c\fR, \fB\-\-cmdline\fR
38Only fuzz files whose name is specified in the target application's command
39line. This is mostly a shortcut to avoid specifiying twice the argument:
40\fBzzuf \-c cat file.txt\fR has the same effect as \fBzzuf \-I
41\(dq^file\\.txt$\(dq cat file.txt\fR. See the \fB\-I\fR flag for more
42information.
43.TP
44\fB\-d\fR, \fB\-\-debug\fR
45Activate the display of debug messages.
46.TP
47\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
48Do not fuzz files whose name matches the \fIregex\fR regular expression. This
49option supersedes anything that is specified by the \fB\-I\fR flag. Use this
50for instance if you are unsure of what files your application is going to read
51and do not want it to fuzz files in the \fB/etc\fR directory.
52
53Multiple \fB\-E\fR flags can be specified, in which case files matching any one
54of the regular expressions will be ignored.
55.TP
56\fB\-F\fR, \fB\-\-fork\fR=\fIchildren\fR
57Specify the number of simultaneous children that can be run. This option is
58only useful if the \fB\-s\fR flag is used with an interval argument.
59.TP
60\fB\-i\fR, \fB\-\-stdin\fR
61Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
62.TP
63\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
64Only fuzz files whose name matches the \fIregex\fR regular expression. Use
65this for instance if your application reads configuration files at startup
66and you only want specific files to be fuzzed.
67
68Multiple \fB\-I\fR flags can be specified, in which case files matching any one
69of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
70.TP
71\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
72Protect a list of characters so that if they appear in input data that would
73normally be fuzzed, they are left unmodified instead.
74
75Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
76The sequences interpreted by \fBzzuf\fR are:
77.RS
78.TP
79\fB\\n\fR
80new line
81.TP
82\fB\\r\fR
83return
84.TP
85\fB\\t\fR
86tabulation
87.TP
88\fB\\0\fR
89the null character
90.TP
91\fB\\x\fR\fINN\fR
92the byte whose hexadecimal value is \fINN\fR
93.TP
94\fB\\\\\fR
95backslash ('\\')
96.RE
97.IP
98You can use '\fB-\fR' to specify ranges. For instance, to protect all bytes
99from '\fB\\x01\fR' to ' ', use \fB\-P \(dq\\x01- \(dq\fR.
100
101See also the \fB\-R\fR flag.
102.TP
103\fB\-q\fR, \fB\-\-quiet\fR
104Hide the output of the fuzzed application. This is useful if the application
105is very verbose but only its exit code or signaled status is really useful to
106you.
107.TP
108\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
109Specify the amount of bits that will be randomly fuzzed. A value of 0
110will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
111bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
112the input files undiscernible from random data. The default fuzzing ratio
113is 0.004 (fuzz 0.4% of the files' bits).
114.TP
115\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
116Refuse a list of characters by not fuzzing bytes that would otherwise be
117changed to a character that is in \fIlist\fR. If the original byte is already
118in \fIlist\fR, it is left unchanged.
119
120See the \fB\-P\fR option for a description of \fIlist\fR.
121.TP
122\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
123.PD 0
124.TP
125\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
126.PD
127Specify the random seed to use for fuzzing, or an interval of random seeds.
128Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
129the same way, even with a different target application. The purpose of this is
130to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
131causes the target application to crash.
132
133If an interval is specified, \fBzzuf\fR will run the application several times,
134each time with a different seed, and report the behaviour of each run.
135.TP
136\fB\-S\fR, \fB\-\-signal\fR
137Prevent children from installing signal handlers for signals that usually
138cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
139\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
140platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
141\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
142simply crash. If you do not want core dumps, you should set appropriate limits
143with the \fBlimit coredumpsize\fR command. See your shell's documentation on
144how to set such limits.
145.TP
146\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
147Automatically terminate child processes that run for more than \fIn\fR
148seconds. This is useful to detect infinite loops or processes stuck in other
149situations. See also the \fB\-B\fR flag.
150.TP
151\fB\-h\fR, \fB\-\-help\fR
152Display a short help message and exit.
153.TP
154\fB\-v\fR, \fB\-\-version\fR
155Output version information and exit.
156.SH EXAMPLES
157.PP
158Fuzz the input of the \fBcat\fR program using default settings:
159.PP
160.RS
161.nf
162\fB# zzuf cat /etc/motd\fR
163.fi
164.RE
165.PP
166Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
167.PP
168.RS
169.nf
170\fB# zzuf -s 94324 -r 0.01 cat /etc/motd\fR
171.fi
172.RE
173.PP
174Fuzz the input of the \fBcat\fR program but do not fuzz the newline character
175and prevent non-ASCII characters from appearing in the output:
176.PP
177.RS
178.nf
179\fB# zzuf -P \(dq\\n\(dq -R \(dq\\0-\\x1f\\x7f-\\xff\(dq cat /etc/motd\fR
180.fi
181.RE
182.PP
183Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
184original input and excluding \fB.xml\fR files from fuzzing (because
185\fBconvert\fR will also open its own XML configuration files and we do not
186want \fBzzuf\fR to fuzz them):
187.PP
188.RS
189.nf
190\fB# zzuf -E \(dq\\.xml$\(dq convert -- foo.jpeg -format tga /dev/null\fR
191.fi
192.RE
193.PP
194Fuzz the input of \fBvlc\fR, using file \fBmovie.avi\fR as the original input
195and restricting fuzzing to filenames that appear on the command line
196(\fB\-c\fR), then generate \fBfuzzy-movie.avi\fR which is a file that can
197be read by \fBvlc\fR to reproduce the same behaviour without using \fBzzuf\fR:
198.PP
199.RS
200.nf
201\fB# zzuf -c -s 87423 -r 0.01 vlc movie.avi\fR
202\fB# zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR
203\fB# vlc fuzzy-movie.avi\fR
204.fi
205.RE
206.PP
207Fuzz 2% of \fBmplayer\fR's input bits (\fB\-r 0.02\fR) with seeds 0 to 9999
208(\fB\-s 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
209launching up to three simultaneous child processes (\fB\-F 3\fR), killing
210\fBmplayer\fR if it takes more than one minute to read the file (\fB\-T 60\fR)
211and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
212.PP
213.RS
214.nf
215\fB# zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 \\\fR
216\fB    mplayer movie.avi -- -benchmark -vo null -fps 1000\fR
217.fi
218.RE
219.SH BUGS
220.PP
221Only the most common file operations are implemented as of now: \fBopen\fR(),
222\fBread\fR(), \fBfopen\fR(), \fBfseek\fR(), etc. One important unimplemented
223function is \fBfscanf\fR().
224.PP
225Network fuzzing is not implemented. It is not yet possible to insert or
226drop bytes from the input, to fuzz according to the file format, or to do
227all these complicated operations. They are planned, though.
228.PP
229Due to \fBzzuf\fR using \fBLD_PRELOAD\fR to run its child processes, it will
230fail in the presence of any mechanism that disables preloading. For instance
231setuid root binaries will not be fuzzed when run as an unprivileged user.
232.PP
233As of now, \fBzzuf\fR does not really support multithreaded applications. The
234behaviour with multithreaded applications where more than one thread do file
235descriptor operations is undefined.
236.SH AUTHOR
237.PP
238Copyright \(co 2006, 2007 Sam Hocevar <sam@zoy.org>.
239.PP
240\fBZzuf\fR and this manual page are free software. They come without any
241warranty, to the extent permitted by applicable law. You can redistribute
242them and/or modify them under the terms of the Do What The Fuck You Want
243To Public License, Version 2, as published by Sam Hocevar. See
244\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
245.PP
246\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.