NAME¶
zzuf - multiple purpose fuzzer
SYNOPSIS¶
zzuf [
-aAcdimnqSvx] [
-s seed|
-s
start:stop] [
-r ratio|
-r min:max] [
-f fuzzing] [
-D delay] [
-j jobs] [
-C crashes] [
-B bytes] [
-t seconds]
[
-T seconds] [
-U seconds] [
-M
mebibytes] [
-b ranges] [
-p ports]
[
-P protect] [
-R refuse] [
-l list]
[
-I include] [
-E exclude] [
PROGRAM
[
ARGS]...]
zzuf -h |
--help
zzuf -V |
--version
DESCRIPTION¶
zzuf is a transparent application input fuzzer. It works by intercepting
file and network operations and changing random bits in the program's input.
zzuf's behaviour is deterministic, making it easy to reproduce bugs.
USAGE¶
zzuf will run an application specified on its command line, one or
several times, with optional arguments, and will report the application's
relevant behaviour on the standard error channel, eg:
zzuf cat /dev/zero
Flags found after the application name are considered arguments for the
application, not for
zzuf. For instance,
-v below is an argument
for
cat:
zzuf -B 1000 cat -v /dev/zero
When no program is specified,
zzuf simply fuzzes the standard input, as
if the
cat utility had been called:
zzuf < /dev/zero
OPTIONS¶
- -a, --allow=list
- Only fuzz network input for IPs in list, a
comma-separated list of IP addresses. If the list starts with !,
the flag meaning is reversed and all addresses are fuzzed except the ones
in the list.
As of now, this flag only understands INET (IPv4) addresses.
This option requires network fuzzing to be activated using -n.
- -A, --autoinc
- Increment random seed each time a new file is opened. This
is only required if one instance of the application is expected to open
the same file several times and you want to test a different seed each
time.
- -b, --bytes=ranges
- Restrict fuzzing to bytes whose offsets in the file are
within ranges.
Range values start at zero and are inclusive. Use dashes between range
values and commas between ranges. If the right-hand part of a range is
ommited, it means end of file. For instance, to restrict fuzzing to bytes
0, 3, 4, 5 and all bytes after offset 31, use ‘
-b0,3-5,31-’.
This option is useful to preserve file headers or corrupt only a specific
portion of a file.
- -B, --max-bytes=n
- Automatically stop after n bytes have been output.
This either terminates child processes that output more than n bytes
on the standard output and standard error channels, or stop reading from
standard input if no program is being fuzzed.
This is useful to detect infinite loops. See also the -U and
-T flags.
- -c, --cmdline
- Only fuzz files whose name is specified in the target
application's command line. This is mostly a shortcut to avoid specifying
twice the argument:
zzuf -c cat file.txt
has the same effect as
zzuf -I '^file\.txt$' cat file.txt
See the -I flag for more information on restricting fuzzing to
specific files.
- -C, --max-crashes=n
- Stop forking when at least n children have crashed.
The default value is 1, meaning zzuf will stop as soon as one child
has crashed. A value of 0 tells zzuf to never stop.
Note that zzuf will not kill any remaining children once n is
reached. To ensure that processes do not last forever, see the -U
flag.
A process is considered to have crashed if any signal (such as, but not
limited to, SIGSEGV) caused it to exit. If the -x flag is
used, this will also include processes that exit with a non-zero status.
This option is only relevant if the -s flag is used with a range
argument. See also the -t flag.
- -d, --debug
- Activate the display of debug messages. Can be specified
multiple times for increased verbosity.
- -D, --delay=delay
- Do not launch more than one process every delay
seconds. This option should be used together with -j to avoid fork
bombs.
- -E, --exclude=regex
- Do not fuzz files whose name matches the regex
regular expression. This option supersedes anything that is specified by
the -I flag. Use this for instance if you are unsure of what files
your application is going to read and do not want it to fuzz files in the
/etc directory.
Multiple -E flags can be specified, in which case files matching any
one of the regular expressions will be ignored.
- -f, --fuzzing=mode
- Select how the input is fuzzed. Valid values for
mode are:
- xor
- randomly set and unset bits
- set
- only set bits
- unset
- only unset bits
- The default value for mode is xor.
- -j, --jobs=jobs
- Specify the number of simultaneous children that can be
run. By default, zzuf only launches one process at a time.
This option is only relevant if the -s flag is used with a range
argument. See also the -D flag.
- -i, --stdin
- Fuzz the application's standard input. By default
zzuf only fuzzes files.
- -I, --include=regex
- Only fuzz files whose name matches the regex regular
expression. Use this for instance if your application reads configuration
files at startup and you only want specific files to be fuzzed.
Multiple -I flags can be specified, in which case files matching any
one of the regular expressions will be fuzzed. See also the -c
flag.
- -l, --list=list
- Cherry-pick the list of file descriptors that get fuzzed.
The Nth descriptor will really be fuzzed only if N is in list.
Values start at 1 and ranges are inclusive. Use dashes between values and
commas between ranges. If the right-hand part of a range is ommited, it
means all subsequent file descriptors. For instance, to restrict fuzzing
to the first opened descriptor and all descriptors starting from the 10th,
use ‘ -l1,10-’.
Note that this option only affects file descriptors that would otherwise be
fuzzed. Even if 10 write-only descriptors are opened at the beginning of
the program, only the next descriptor with a read flag will be the first
one considered by the -l flag.
- -m, --md5
- Instead of displaying the program's standard output,
just print its MD5 digest to zzuf's standard output. The standard
error channel is left untouched.
- -M, --max-memory=mebibytes
- Specify the maximum amount of memory, in mebibytes (1 MiB =
1,048,576 bytes), that children are allowed to allocate. This is useful to
detect infinite loops that eat up a lot of memory.
The value should be set reasonably high so as not to interfer with normal
program operation. By default, it is set to 1024 MiB in order to avoid
accidental excessive swapping. To disable the limitation, set the maximum
memory usage to -1 instead.
zzuf uses the setrlimit() call to set memory usage
limitations and relies on the operating system's ability to enforce such
limitations.
- -n, --network
- Fuzz the application's network input. By default
zzuf only fuzzes files.
Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol
families are not yet supported.
- -p, --ports=ranges
- Only fuzz network ports that are in ranges. By
default zzuf fuzzes all ports. The port considered is the listening
port if the socket is listening and the destination port if the socket is
connecting, because most of the time the source port cannot be predicted.
Range values start at zero and are inclusive. Use dashes between range
values and commas between ranges. If the right-hand part of a range is
ommited, it means end of file. For instance, to restrict fuzzing to the
HTTP and HTTPS ports and to all unprivileged ports, use ‘
-p80,443,1024-’.
This option requires network fuzzing to be activated using -n.
- -P, --protect=list
- Protect a list of characters so that if they appear in
input data that would normally be fuzzed, they are left unmodified
instead.
Characters in list can be expressed verbatim or through escape
sequences. The sequences interpreted by zzuf are:
- \n
- new line
- \r
- return
- \t
- tabulation
- \NNN
- the byte whose octal value is NNN
- \xNN
- the byte whose hexadecimal value is NN
- \\
- backslash (‘\’)
- You can use ‘-’ to specify ranges. For
instance, to protect all bytes from ‘\001’ to ‘/’,
use ‘ -P '\001-/'’.
The statistical outcome of this option should not be overlooked: if
characters are protected, the effect of the ‘ -r’ flag
will vary depending on the data being fuzzed. For instance, asking to fuzz
1% of input bits ( -r0.01) and to protect lowercase characters
(-P a-z) will result in an actual average fuzzing ratio of
0.9% with truly random data, 0.3% with random ASCII data and 0.2% with
standard English text.
See also the -R flag.
- -q, --quiet
- Hide the output of the fuzzed application. This is useful
if the application is very verbose but only its exit code or signaled
status is really useful to you.
- -r, --ratio=ratio
- -r, --ratio=min:max
- Specify the proportion of bits that will be randomly
fuzzed. A value of 0 will not fuzz anything. A value of 0.05 will fuzz 5%
of the open files' bits. A value of 1.0 or more will fuzz all the bytes,
theoretically making the input files undiscernible from random data. The
default fuzzing ratio is 0.004 (fuzz 0.4% of the files' bits).
A range can also be specified. When doing so, zzuf will pick ratio
values from the interval. The choice is deterministic and only depends on
the interval bounds and the current seed.
- -R, --refuse=list
- Refuse a list of characters by not fuzzing bytes that would
otherwise be changed to a character that is in list. This does not
prevent characters from appearing in the output if the original byte was
already in list.
See the -P option for a description of list.
- -s, --seed=seed
- -s, --seed=start:stop
- Specify the random seed to use for fuzzing, or a range of
random seeds. Running zzuf twice with the same random seed will
fuzz the files exactly the same way, even with a different target
application. The purpose of this is to use simple utilities such as
cat or cp to generate a file that causes the target
application to crash.
If a range is specified, zzuf will run the application several times,
each time with a different seed, and report the behaviour of each run. If
the ‘:’ character is used but the second part of the range is
omitted, zzuf will increment the seed value indefinitely.
- -S, --signal
- Prevent children from installing signal handlers for
signals that usually cause coredumps. These signals are SIGABRT,
SIGFPE, SIGILL, SIGQUIT, SIGSEGV,
SIGTRAP and, if available on the running platform, SIGSYS,
SIGEMT, SIGBUS, SIGXCPU and SIGXFSZ. Instead
of calling the signal handler, the application will simply crash. If you
do not want core dumps, you should set appropriate limits with the
limit coredumpsize command. See your shell's documentation on how
to set such limits.
- -t, --max-time=n
- Stop forking after n seconds. By default,
zzuf runs until the end of the seed range is reached.
Note that zzuf will not kill any remaining children once n is
reached. To ensure that processes do not last forever, see the -U
flag.
This option is only relevant if the -s flag is used with a range
argument. See also the -C flag.
- -T, --max-cputime=n
- Automatically terminate child processes that use more than
n seconds of CPU time.
zzuf uses the setrlimit() call to set CPU usage limitations
and relies on the operating system's ability to enforce such limitations.
If the system sends SIGXCPU signals and the application catches
that signal, it will receive a SIGKILL signal after 5 seconds.
This is more accurate than -U because the behaviour should be
independent from the system load, but it does not detect processes stuck
into infinite select() calls because they use very little CPU time.
See also the -B and -U flags.
- -U, --max-usertime=n
- Automatically terminate child processes that run for more
than n seconds. This is useful to detect infinite loops or
processes stuck in other situations. See also the -B and -T
flags.
- -v, --verbose
- Print information during the run, such as the current seed,
what processes get run, their exit status, etc.
- -x, --check-exit
- Report processes that exit with a non-zero status. By
default only processes that crash due to a signal are reported.
- -h, --help
- Display a short help message and exit.
- -V, --version
- Output version information and exit.
DIAGNOSTICS¶
Exit status is zero if no child process crashed. If one or several children
crashed,
zzuf exits with status 1.
EXAMPLES¶
Fuzz the input of the
cat program using default settings:
zzuf cat /etc/motd
Fuzz 1% of the input bits of the
cat program using seed 94324:
zzuf -s94324 -r0.01 cat /etc/motd
Fuzz the input of the
cat program but do not fuzz newline characters and
prevent non-ASCII characters from appearing in the output:
zzuf -P '\n' -R '\x00-\x1f\x7f-\xff' cat /etc/motd
Fuzz the input of the
convert program, using file
foo.jpeg as the
original input and excluding
.xml files from fuzzing (because
convert will also open its own XML configuration files and we do not
want
zzuf to fuzz them):
zzuf -E '\.xml$' convert foo.jpeg -format tga /dev/null
Fuzz the input of VLC, using file
movie.avi as the original input and
restricting fuzzing to filenames that appear on the command line (
-c),
then generate
fuzzy-movie.avi which is a file that can be read by VLC
to reproduce the same behaviour without using
zzuf:
zzuf -c -s87423 -r0.01 vlc movie.avi
zzuf -c -s87423 -r0.01 <movie.avi >fuzzy-movie.avi
vlc fuzzy-movie.avi
Fuzz between 0.1% and 2% of MPlayer's input bits (
-r0.001:0.02) with
seeds 0 to 9999 (
-s0:10000), preserving the AVI 4-byte header by
restricting fuzzing to offsets after 4 (
-b4-), disabling its standard
output messages (
-q), launching up to five simultaneous child
processes (
-j5) but waiting at least half a second between launches (
-D0.5), killing MPlayer if it takes more than one minute to read the
file (
-T60) and disabling its
SIGSEGV signal handler (
-S):
zzuf -c -r0.001:0.02 -s0:10000 -b4- -q -j5 -D0.5 -T60 -S \
mplayer -benchmark -vo null -fps 1000 movie.avi
A more advanced VLC fuzzing example, stopping only at the first crash:
zzuf -j4 -vqc -r0.000001:0.01 -s0: vlc -v -I dummy movie.avi \
--sout '#transcode{acodec=s16l,vcodec=I420}:dummy' vlc:quit
Create an HTML-like file that loads 200 times the same
hello.jpg image
and open it in Firefox™ in auto-increment mode (
-A):
seq -f '<img src="hello.jpg#%g">' 1 200 > hello.html
(or:
jot -w '<img src="hello.jpg#%d">' 200 1 >
hello.html)
zzuf -A -I 'hello[.]jpg' -r0.001 firefox hello.html
Run a simple HTTP redirector on the local host using
socat and corrupt
each network connection (
-n) in a different way (
-A) after one
megabyte of data was received on it (
-b1000000-):
zzuf -n -A -b1000000- \ socat TCP4-LISTEN:8080,reuseaddr,fork
TCP4:192.168.1.42:80
Browse the intarweb (
-n) using Firefox™ without fuzzing local
files (
-E.) or non-HTTP connections (
-p80,8010,8080),
preserving the beginning of the data sent with each HTTP response (
-b4000-) and using another seed on each connection (
-A):
zzuf -r 0.0001 -n -E. -p80,8010,8080 -b4000- -A firefox
RESTRICTIONS¶
Due to
zzuf using shared object preloading (
LD_PRELOAD,
_RLD_LIST , DYLD_INSERT_LIBRARIES, etc.) to run its child
processes, it will fail in the presence of any mechanism that disables
preloading. For instance setuid root binaries will not be fuzzed when run as
an unprivileged user.
For the same reasons,
zzuf will also not work with statically linked
binaries. Bear this in mind when using
zzuf on the OpenBSD platform,
where
cat,
cp and
dd are static binaries.
Though best efforts are made, identical behaviour for different versions of
zzuf is not guaranteed. The reproducibility for subsequent calls on
different operating systems and with different target programs is only
guaranteed when the same version of
zzuf is being used.
BUGS¶
zzuf probably does not behave correctly with 64-bit offsets.
It is not yet possible to insert or drop bytes from the input, to fuzz according
to the file format, to swap bytes, etc. More advanced fuzzing methods are
planned.
As of now,
zzuf does not really support multithreaded applications. The
behaviour with multithreaded applications where more than one thread does file
descriptor operations is undefined.
HISTORY¶
zzuf started its life in 2002 as the
streamfucker tool, a small
multimedia stream corrupter used to find bugs in the VLC media player.
SEE ALSO¶
libzzuf(3),
zzat(1)
AUTHOR¶
Copyright © 2002-2010 Sam Hocevar <sam@hocevar.net>.
zzuf and this manual page are free software. They come without any
warranty, to the extent permitted by applicable law. You can redistribute them
and/or modify them under the terms of the Do What The Fuck You Want To Public
License, Version 2, as published by Sam Hocevar. See
http://sam.zoy.org/wtfpl/COPYING for more details.
zzuf's webpage can be found at
http://caca.zoy.org/wiki/zzuf. An
overview of the architecture and inner works is at
http://caca.zoy.org/wiki/zzuf/internals.