source: zzuf/trunk/doc/zzuf.1 @ 2345

Last change on this file since 2345 was 2345, checked in by sam, 6 years ago
  • Change -M to mean mebibytes instead of megabytes, because I'm a fucking pedant.
File size: 19.1 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
6.br
7       [\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-j\fR \fIjobs\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
8.br
9       [\fB\-t\fR \fIseconds\fR] [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImebibytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-p\fR \fIports\fR]
10.br
11       [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR] [\fB\-l\fR \fIlist\fR] [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR]
12.br
13       [\fIPROGRAM\fR [\fIARGS\fR]...]
14.br
15\fBzzuf \-h\fR | \fB\-\-help\fR
16.br
17\fBzzuf \-V\fR | \fB\-\-version\fR
18.SH DESCRIPTION
19.PP
20\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
21file and network operations and changing random bits in the program's input.
22\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
23.SH USAGE
24.PP
25\fBzzuf\fR will run an application specified on its command line, one or
26several times, with optional arguments, and will report the application's
27relevant behaviour on the standard error channel, eg:
28.PP
29\fB    zzuf cat /dev/zero\fR
30.PP
31Flags found after the application name are considered arguments for the
32application, not for \fBzzuf\fR. For instance, \fB\-v\fR below is an
33argument for \fBcat\fR:
34.PP
35\fB    zzuf \-B 1000 cat \-v /dev/zero\fR
36.PP
37When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
38if the \fBcat\fR utility had been called:
39.PP
40\fB    zzuf < /dev/zero\fR
41.SH OPTIONS
42.TP
43\fB\-A\fR, \fB\-\-autoinc\fR
44Increment random seed each time a new file is opened. This is only required
45if one instance of the application is expected to open the same file several
46times and you want to test a different seed each time.
47.TP
48\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
49Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
50
51Range values start at zero and are inclusive. Use dashes between range values
52and commas between ranges. If the right-hand part of a range is ommited, it
53means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
54all bytes after offset 31, use \(oq\fB\-r0,3\-5,31\-\fR\(cq.
55
56This option is useful to preserve file headers or corrupt only a specific
57portion of a file.
58.TP
59\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
60Automatically terminate child processes that output more than \fIn\fR bytes
61on the standard output and standard error channels. This is useful to detect
62infinite loops. See also the \fB\-t\fR and \fB\-T\fR flags.
63.TP
64\fB\-c\fR, \fB\-\-cmdline\fR
65Only fuzz files whose name is specified in the target application's command
66line. This is mostly a shortcut to avoid specifying twice the argument:
67
68\fB    zzuf \-c cat file.txt\fR
69
70has the same effect as
71
72\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
73
74See the \fB\-I\fR flag for more information on restricting fuzzing to
75specific files.
76.TP
77\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
78Stop forking when at least \fIn\fR children have crashed. The default value
79is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A value
80of 0 tells \fBzzuf\fR to never stop.
81
82A process is considered to have crashed if any signal (such as, but not limited
83to, \fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
84also include processes that exit with a non-zero status.
85
86This option is only relevant if the \fB\-s\fR flag is used with a range
87argument.
88.TP
89\fB\-d\fR, \fB\-\-debug\fR
90Activate the display of debug messages.
91.TP
92\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
93Do not launch more than one process every \fIdelay\fR seconds. This option
94should be used together with \fB\-j\fR to avoid fork bombs.
95.TP
96\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
97Do not fuzz files whose name matches the \fIregex\fR regular expression. This
98option supersedes anything that is specified by the \fB\-I\fR flag. Use this
99for instance if you are unsure of what files your application is going to read
100and do not want it to fuzz files in the \fB/etc\fR directory.
101
102Multiple \fB\-E\fR flags can be specified, in which case files matching any one
103of the regular expressions will be ignored.
104.TP
105\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
106Select how the input is fuzzed. Valid values for \fImode\fR are:
107.RS
108.TP
109\fBxor\fR
110randomly set and unset bits
111.TP
112\fBset\fR
113only set bits
114.TP
115\fBunset\fR
116only unset bits
117.RE
118.IP
119The default value for \fImode\fR is \fBxor\fR.
120.TP
121\fB\-j\fR, \fB\-\-jobs\fR=\fIjobs\fR
122Specify the number of simultaneous children that can be run. By default,
123\fBzzuf\fR only launches one process at a time.
124
125This option is only relevant if the \fB\-s\fR flag is used with a range
126argument. See also the \fB\-D\fR flag.
127.TP
128\fB\-i\fR, \fB\-\-stdin\fR
129Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
130.TP
131\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
132Only fuzz files whose name matches the \fIregex\fR regular expression. Use
133this for instance if your application reads configuration files at startup
134and you only want specific files to be fuzzed.
135
136Multiple \fB\-I\fR flags can be specified, in which case files matching any one
137of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
138.TP
139\fB\-l\fR, \fB\-\-list\fR=\fIlist\fR
140Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor
141will really be fuzzed only if N is in \fIlist\fR.
142
143Values start at 1 and ranges are inclusive. Use dashes between values and
144commas between ranges. If the right-hand part of a range is ommited, it means
145all subsequent file descriptors. For instance, to restrict fuzzing to the
146first opened descriptor and all descriptors starting from the 10th, use
147\(oq\fB\-l1,10\-\fR\(cq.
148
149Note that this option only affects file descriptors that would otherwise be
150fuzzed. Even if 10 write-only descriptors are opened at the beginning of the
151program, only the next descriptor with a read flag will be the first one
152considered by the \fB\-l\fR flag.
153.TP
154\fB\-m\fR, \fB\-\-md5\fR
155Instead of displaying the program's \fIstandard output\fR, just print its MD5
156digest to \fBzzuf\fR's standard output. The standard error channel is left
157untouched.
158.TP
159\fB\-M\fR, \fB\-\-max\-memory\fR=\fImebibytes\fR
160Specify the maximum amount of memory, in mebibytes (1 MiB = 1,048,576 bytes),
161that children are allowed to allocate. This is useful to detect infinite loops
162that eat up a lot of memory. The value should be set reasonably high so as not
163to interfer with normal program operation.
164
165\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
166relies on the operating system's ability to enforce such limitations.
167.TP
168\fB\-n\fR, \fB\-\-network\fR
169Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
170
171Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol
172families are not yet supported.
173.TP
174\fB\-p\fR, \fB\-\-ports\fR=\fIranges\fR
175Only fuzz network ports that are in \fIranges\fR. By default \fBzzuf\fR
176fuzzes all ports. The port considered is the listening port if the socket
177is listening and the destination port if the socket is connecting, because
178most of the time the source port cannot be predicted.
179
180Range values start at zero and are inclusive. Use dashes between range values
181and commas between ranges. If the right-hand part of a range is ommited, it
182means end of file. For instance, to restrict fuzzing to the HTTP and HTTPS
183ports and to all unprivileged ports, use \(oq\fB\-p80,443,1024\-\fR\(cq.
184
185This option requires network fuzzing to be activated using \fB\-n\fR.
186.TP
187\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
188Protect a list of characters so that if they appear in input data that would
189normally be fuzzed, they are left unmodified instead.
190
191Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
192The sequences interpreted by \fBzzuf\fR are:
193.RS
194.TP
195\fB\\n\fR
196new line
197.TP
198\fB\\r\fR
199return
200.TP
201\fB\\t\fR
202tabulation
203.TP
204\fB\\\fR\fINNN\fR
205the byte whose octal value is \fINNN\fR
206.TP
207\fB\\x\fR\fINN\fR
208the byte whose hexadecimal value is \fINN\fR
209.TP
210\fB\\\\\fR
211backslash (\(oq\\\(cq)
212.RE
213.IP
214You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
215bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
216
217The statistical outcome of this option should not be overlooked: if characters
218are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
219on the data being fuzzed. For instance, asking to fuzz 1% of input bits
220(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
221result in an actual average fuzzing ratio of 0.9% with truly random data,
2220.3% with random ASCII data and 0.2% with standard English text.
223
224See also the \fB\-R\fR flag.
225.TP
226\fB\-q\fR, \fB\-\-quiet\fR
227Hide the output of the fuzzed application. This is useful if the application
228is very verbose but only its exit code or signaled status is really useful to
229you.
230.TP
231\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
232.PD 0
233.TP
234\fB\-r\fR, \fB\-\-ratio\fR=\fImin:max\fR
235.PD
236Specify the proportion of bits that will be randomly fuzzed. A value of 0
237will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
238bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
239the input files undiscernible from random data. The default fuzzing ratio
240is 0.004 (fuzz 0.4% of the files' bits).
241
242A range can also be specified. When doing so, \fBzzuf\fR will pick ratio
243values from the interval. The choice is deterministic and only depends on
244the interval bounds and the current seed.
245.TP
246\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
247Refuse a list of characters by not fuzzing bytes that would otherwise be
248changed to a character that is in \fIlist\fR. This does not prevent characters
249from appearing in the output if the original byte was already in \fIlist\fR.
250
251See the \fB\-P\fR option for a description of \fIlist\fR.
252.TP
253\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
254.PD 0
255.TP
256\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
257.PD
258Specify the random seed to use for fuzzing, or a range of random seeds.
259Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
260the same way, even with a different target application. The purpose of this is
261to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
262causes the target application to crash.
263
264If a range is specified, \fBzzuf\fR will run the application several times,
265each time with a different seed, and report the behaviour of each run. If the
266\(oq:\(cq character is used but the second part of the range is omitted,
267\fBzzuf\fR will increment the seed value indefinitely.
268.TP
269\fB\-S\fR, \fB\-\-signal\fR
270Prevent children from installing signal handlers for signals that usually
271cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
272\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
273platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
274\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
275simply crash. If you do not want core dumps, you should set appropriate limits
276with the \fBlimit coredumpsize\fR command. See your shell's documentation on
277how to set such limits.
278.TP
279\fB\-t\fR, \fB\-\-max\-time\fR=\fIn\fR
280Automatically terminate child processes that run for more than \fIn\fR
281seconds. This is useful to detect infinite loops or processes stuck in other
282situations. See also the \fB\-B\fR and \fB\-T\fR flags.
283.TP
284\fB\-T\fR, \fB\-\-max\-cpu\fR=\fIn\fR
285Automatically terminate child processes that use more than \fIn\fR seconds
286of CPU time.
287
288\fBzzuf\fR uses the \fBsetrlimit\fR() call to set CPU usage limitations and
289relies on the operating system's ability to enforce such limitations. If the
290system sends \fBSIGXCPU\fR signals and the application catches that signal,
291it will receive a \fBSIGKILL\fR signal after 5 seconds.
292
293This is more accurate than \fB\-t\fR because the behaviour should be
294independent from the system load, but it does not detect processes stuck into
295infinite \fBselect\fR() calls because they use very little CPU time. See also
296the \fB\-B\fR and \fB\-t\fR flags.
297.TP
298\fB\-v\fR, \fB\-\-verbose\fR
299Print information during the run, such as the current seed, what processes
300get run, their exit status, etc.
301.TP
302\fB\-x\fR, \fB\-\-check\-exit\fR
303Report processes that exit with a non-zero status. By default only processes
304that crash due to a signal are reported.
305.TP
306\fB\-h\fR, \fB\-\-help\fR
307Display a short help message and exit.
308.TP
309\fB\-V\fR, \fB\-\-version\fR
310Output version information and exit.
311.SH DIAGNOSTICS
312.PP
313Exit status is zero if no child process crashed. If one or several children
314crashed, \fBzzuf\fR exits with status 1.
315.SH EXAMPLES
316.PP
317Fuzz the input of the \fBcat\fR program using default settings:
318.PP
319\fB    zzuf cat /etc/motd\fR
320.PP
321Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
322.PP
323\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
324.PP
325Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
326and prevent non-ASCII characters from appearing in the output:
327.PP
328\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
329.PP
330Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
331original input and excluding \fB.xml\fR files from fuzzing (because
332\fBconvert\fR will also open its own XML configuration files and we do not
333want \fBzzuf\fR to fuzz them):
334.PP
335\fB    zzuf \-E \(aq\\.xml$\(aq convert foo.jpeg \-format tga /dev/null\fR
336.PP
337Fuzz the input of VLC, using file \fBmovie.avi\fR as the original input
338and restricting fuzzing to filenames that appear on the command line
339(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
340can be read by VLC to reproduce the same behaviour without using
341\fBzzuf\fR:
342.PP
343\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
344.br
345\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
346.br
347\fB    vlc fuzzy\-movie.avi\fR
348.PP
349Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
350with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
351by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
352standard output messages (\fB\-q\fR), launching up to five simultaneous child
353processes (\fB\-j5\fR) but waiting at least half a second between launches
354(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
355read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
356(\fB\-S\fR):
357.PP
358\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-j5 \-D0.5 \-T60 \-S \\\fR
359.br
360\fB      mplayer \-benchmark \-vo null \-fps 1000 movie.avi\fR
361.PP
362Create an HTML-like file that loads 200 times the same \fBhello.jpg\fR image
363and open it in Firefox\(tm in auto-increment mode (\fB\-A\fR):
364.PP
365\fB    seq \-f \(aq<img src="hello.jpg#%g">\(aq 1 200 > hello.html\fR
366.br
367      (or: \fBjot \-w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
368.br
369\fB    zzuf \-A \-I \(aqhello[.]jpg\(aq \-r0.001 firefox hello.html\fR
370.PP
371Run a simple HTTP redirector on the local host using \fBsocat\fR and
372corrupt each network connection (\fB\-n\fR) in a different way (\fB\-A\fR)
373after one megabyte of data was received on it (\fB\-b1000000\-\fR):
374.PP
375\fB     zzuf \-n \-A \-b1000000\- \\\fR
376\fB       socat TCP4\-LISTEN:8080,reuseaddr,fork TCP4:192.168.1.42:80\fR
377.PP
378Browse the intarweb (\fB\-n\fR) using Firefox\(tm without fuzzing local files
379(\fB\-E.\fR) or non-HTTP connections (\fB\-p80,8010,8080\fR), preserving
380the beginning of the data sent with each HTTP response (\fB\-b4000\-\fR)
381and using another seed on each connection (\fB\-A\fR):
382.PP
383\fB    zzuf \-r 0.0001 \-n \-E. \-p80,8010,8080 \-b4000\- \-A firefox\fR
384.SH RESTRICTIONS
385.PP
386Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
387\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
388processes, it will fail in the presence of any mechanism that disables
389preloading. For instance setuid root binaries will not be fuzzed when run
390as an unprivileged user.
391.PP
392For the same reasons, \fBzzuf\fR will also not work with statically linked
393binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
394where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
395.PP
396Though best efforts are made, identical behaviour for different versions of
397\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
398different operating systems and with different target programs is only
399guaranteed when the same version of \fBzzuf\fR is being used.
400.SH BUGS
401.PP
402\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
403.PP
404It is not yet possible to insert or drop bytes from the input, to fuzz
405according to the file format, to swap bytes, etc. More advanced fuzzing
406methods are planned.
407.PP
408As of now, \fBzzuf\fR does not really support multithreaded applications. The
409behaviour with multithreaded applications where more than one thread does file
410descriptor operations is undefined.
411.SH NOTES
412In order to intercept file and network operations, signal handlers and memory
413allocations, \fBzzuf\fR diverts and reimplements the following functions,
414which can be private libc symbols, too:
415.TP
416Unix file descriptor handling:
417\fBopen\fR(), \fBdup\fR(), \fBdup2\fR(), \fBlseek\fR(), \fBread\fR(),
418\fBreadv\fR(), \fBpread\fR(), \fBaccept\fR(), \fBsocket\fR(), \fBrecv\fR(),
419\fBrecvfrom\fR(), \fBrecvmsg\fR(), \fBaio_read\fR(), \fBaio_return\fR(),
420\fBclose\fR()
421.TP
422Standard IO streams:
423\fBfopen\fR(), \fBfreopen\fR(), \fBfseek\fR(), \fBfseeko\fR(), \fBrewind\fR(),
424\fBfread\fR(), \fBgetc\fR(), \fBgetchar\fR(), \fBfgetc\fR(), \fBfgets\fR(),
425\fBungetc\fR(), \fBfclose\fR()
426.TP
427Memory management:
428\fBmmap\fR(), \fBmunmap\fR(), \fBmalloc\fR(), \fBcalloc\fR(), \fBvalloc\fR(),
429\fBfree\fR(), \fBmemalign\fR(), \fBposix_memalign\fR()
430.TP
431Linux-specific:
432\fBopen64\fR(), \fBlseek64\fR(), \fBmmap64\fR(), \fB_IO_getc\fR(),
433\fBgetline\fR(), \fBgetdelim\fR(), \fB__getdelim\fR(), \fBgetc_unlocked\fR(),
434\fBgetchar_unlocked\fR(), \fBfgetc_unlocked\fR(), \fBfgets_unlocked\fR(),
435\fBfread_unlocked\fR()
436.TP
437BSD-specific:
438\fBfgetln\fR(), \fB__srefill\fR()
439.TP
440Mac OS X-specific:
441\fBmap_fd\fR()
442.TP
443Signal handling:
444\fBsignal\fR(), \fBsigaction\fR()
445.PP
446If an application manipulates file descriptors (reading data, seeking around)
447using functions that are not in that list, \fBzzuf\fR will not fuzz its
448input consistently and the results should not be trusted. You can use a tool
449such as \fBltrace(1)\fR on Linux to know the missing functions.
450.PP
451On BSD systems, such as FreeBSD or Mac OS X, \fB__srefill\fR() is enough to
452monitor all standard IO streams functions. On other systems, such as Linux,
453each function is reimplemented on a case by case basis. One important
454unimplemented function is \fBfscanf\fR(), because of its complexity. Missing
455functions will be added upon user request.
456.SH HISTORY
457.PP
458\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
459multimedia stream corrupter used to find bugs in the VLC media player.
460.SH AUTHOR
461.PP
462Copyright \(co 2002, 2007\-2008 Sam Hocevar <sam@zoy.org>.
463.PP
464\fBzzuf\fR and this manual page are free software. They come without any
465warranty, to the extent permitted by applicable law. You can redistribute
466them and/or modify them under the terms of the Do What The Fuck You Want
467To Public License, Version 2, as published by Sam Hocevar. See
468\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
469.PP
470\fBzzuf\fR's webpage can be found at \fBhttp://libcaca.zoy.org/wiki/zzuf\fR.
Note: See TracBrowser for help on using the repository browser.