Changeset 1705 for zzuf/trunk/doc


Timestamp:
Jan 25, 2007, 12:40:27 PM
Author:
Sam Hocevar
Message:
  • Implemented -b/--bytes to restrict fuzzing to specific offsets.
File:
1 edited

  • zzuf/trunk/doc/zzuf.1

    r1698 r1705  
    33zzuf \- multiple purpose fuzzer
    44.SH SYNOPSIS
    5 \fBzzuf\fR [\fB\-AcdiMnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
    6 .br
    7                    [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
    8 .br
    9                    [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
    10 .br
    11                    [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
     5\fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
     6.br
     7           [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
     8.br
     9           [\fB\-M\fR \fImegabytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
     10.br
     11           [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
    1212.br
    1313\fBzzuf \-h\fR | \fB\-\-help\fR
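Review bot: the argument-less flag cluster on the first synopsis line changes from `\-AcdiMnqSvx` to `\-AcdimnqSvx`, which the commit message (only about -b/--bytes) does not mention. The change itself looks correct, since `\-M` takes a `megabytes` argument and is listed separately on the same synopsis, so it did not belong in the cluster; please note the fix in the message (assuming a lowercase argument-less `-m` option exists, as this line now implies) so it is not lost as a silent edit.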
     
    4343if one instance of the application is expected to open the same file several
    4444times and you want to test a different seed each time.
     45.TP
     46\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
     47Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
     48
     49Range values start at zero and are inclusive. Use dashes between range values
     50and commas between ranges. If the right-hand part of a range is ommited, it
     51means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
     52all bytes after offset 31, use \(oq\fB\-r0,3-5,31-\fR\(cq.
     53
     54This option is useful to preserve file headers or corrupt only a specific
     55portion of a file.
    4556.TP
    4657\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
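Review bot: the worked example at the end of the new `-b` paragraph reads `\-r0,3-5,31-` but documents `-b`; it should be `\(oq\fB\-b0,3-5,31-\fR\(cq`, otherwise readers will pass a range list to the ratio option. Two smaller points in the same paragraph: "ommited" should be "omitted", and since ranges are stated to be zero-based and inclusive, `31-` includes offset 31 itself, so "all bytes after offset 31" should read "all bytes from offset 31 onward".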
     
    150161.IP
    151162You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
    152 bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001\-/\(dq\fR\(cq.
     163bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
    153164
    154165The statistical outcome of this option should not be overlooked: if characters
    155166are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
    156167on the data being fuzzed. For instance, asking to fuzz 1% of input bits
    157 (\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
     168(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
    158169result in an actual average fuzzing ratio of 0.9% with truly random data,
    1591700.3% with random ASCII data and 0.2% with standard English text.
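Review bot: the argument spacing inside this paragraph is now mixed: `\fB\-r0.01\fR` drops the escaped space while `\fB\-P\ a\-z\fR` on the same line and the new `\-P\ \(aq\\001\-/\(aq` example keep it. The other examples edited in this changeset use the no-space form, so either apply it to the `-P` examples too or leave `-r 0.01` alone. The `\(dq` to `\(aq` quote change on the `-P` example is also unrelated to -b and deserves a line in the commit message.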
     
    242253Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
    243254.PP
    244 \fB    zzuf \-s 94324 \-r 0.01 cat /etc/motd\fR
     255\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
    245256.PP
    246257Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
     
    262273\fBzzuf\fR:
    263274.PP
    264 \fB    zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR
    265 .br
    266 \fB    zzuf \-c \-s 87423 \-r 0.01 <movie.avi >fuzzy\-movie.avi\fR
     275\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
     276.br
     277\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
    267278.br
    268279\fB    vlc fuzzy\-movie.avi\fR
    269280.PP
    270 Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r\ 0.001:0.02\fR)
    271 with seeds 0 to 9999 (\fB\-s\ 0:10000\fR), disabling its standard output
    272 messages (\fB\-q\fR), launching up to five simultaneous child processes
    273 (\fB\-F\ 5\fR) but wait at least half a second between launches
    274 (\fB\-D\ 0.5\fR), killing MPlayer if it takes more than one minute to
    275 read the file (\fB\-T\ 60\fR) and disabling its \fBSIGSEGV\fR signal handler
     281Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
     282with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
     283by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
     284standard output messages (\fB\-q\fR), launching up to five simultaneous child
     285processes (\fB\-F5\fR) but waiting at least half a second between launches
     286(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
     287read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
    276288(\fB\-S\fR):
    277289.PP
    278 \fB    zzuf \-c \-r 0.001:0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T 60 \-S \\\fR
     290\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-F5 \-D0.5 \-T60 \-S \\\fR
    279291.br
    280292\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
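Review bot: "restricting fuzzing to offsets after 4 (`\-b4\-`)" misstates the range: by the new `-b` description offsets are zero-based and inclusive, so `-b4-` fuzzes offset 4 and everything after it, leaving exactly bytes 0 to 3 (the 4-byte header) untouched. Reword to "offsets 4 and later" or "from offset 4 onward" so the prose agrees with the option semantics and the "4-byte header" claim; the command line itself is consistent with that reading.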
     
    287299      (or: \fBjot -w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
    288300.br
    289 \fB    zzuf -A -I \(aqhello[.]jpg\(aq -r 0.001 firefox hello.html\fR
     301\fB    zzuf -A -I \(aqhello[.]jpg\(aq -r0.001 firefox hello.html\fR
    290302.SH RESTRICTIONS
    291303.PP