
I am attempting to fuzz a proprietary binary with no source code that accepts a config file. So the typical use case would be:

./File --config file.config

The config is a bunch of different parameters that are required to run the rest of the program, and runs fine if I run it by itself. Additionally, the config file is within the input directory.

I am attempting to fuzz it utilizing the following command with AFL:

./afl-fuzz -Q -i input/ -o output/ -m 400 ./File --configfile

However, once I run the command, everything looks fine, but as soon as I get to the first iteration of 'havoc', I get an 'odd, check syntax!' error. If I add a @@ at the end, the afl will give me a timeout error. I'm assuming that once afl-fuzz starts to mutate that input file, it breaks the binary, but I'm not sure and I'm not sure what else to try - any ideas? Thanks!

  • You wrote that your tested binary command line should be like `./File --config file.config`, but you set it to `./File --configfile` in afl command line. Typo? – nevilad Nov 20 '21 at 11:34
  • Kind of? So the original command is the first line. The second line was the thought that the config file in the input directory would be used. If I use the entire command `./File --config file.config`, AFL hangs, regardless of what I set -T to. – Dijitaljedi Nov 21 '21 at 15:50
  • Does this command line work: `./afl-fuzz -Q -i input/ -o output/ -m 400 ./File --config @@` ? What's the exact error output, if any? – nevilad Nov 23 '21 at 11:12
  • That works, but it does not use the config file. – Dijitaljedi Nov 23 '21 at 15:37
  • How did you check that it does not use the config file? This command line should replace @@ with the actual file name with fuzzed data and run `./File --config fuzzed_input_file_name`. – nevilad Nov 23 '21 at 16:30
  • Maybe I am not understanding something, but I'm assuming it's not using the config file because it wasn't called as part of the parameters. I'm not sure how AFL would know to use the config. – Dijitaljedi Nov 23 '21 at 18:10
  • AFL input folder should contain at least one initial input file (this is called seed). In your case this should be an example config file. AFL takes this seed, modifies it and runs the fuzzed binary. – nevilad Nov 23 '21 at 18:55
  • Right, so that's how I initially had it ("the config file is within the input directory"), and that's what caused my problem in the first place. – Dijitaljedi Nov 23 '21 at 18:57
  • You put the seed in the input directory and tell AFL how to provide the file's name to the fuzzed binary - in your case by using `@@` to mark the location in the command line. AFL will convert `./File --config @@` to `./File --config real_file_name`. Your binary should read it. How did you check that the binary does not use the provided config? – nevilad Nov 23 '21 at 19:15
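The check nevilad keeps asking for, as an added example that is not part of this thread: a POSIX shell script that does by hand what afl-fuzz does with `@@` (take a seed from the input directory, put its path where `@@` stands, run the target once under a timeout) so you can see the target's real exit status before fuzzing. The `File` target and `seed.config` below are constructed stand-ins for the proprietary binary and its config; the `dry_run` helper is mine, not part of AFL.

```shell
#!/bin/sh
# Pre-flight check for an afl-fuzz command line that uses @@ for the input file.
# It mimics what afl-fuzz does before each run: take a seed from the input
# directory, replace @@ with that seed's path, and run the target once under a
# timeout, so the target's real exit status is visible before fuzzing starts.

# dry_run INPUT_DIR TIMEOUT_SECONDS TARGET ARG...
# Returns the target's exit status (124 if it hit the timeout), or 2 when the
# set-up is wrong: no seed file in INPUT_DIR, or no @@ in the command line.
dry_run() {
    input_dir="$1"; limit="$2"; shift 2
    seed=$(find "$input_dir" -maxdepth 1 -type f | head -n 1)
    [ -n "$seed" ] || { echo "no seed file in $input_dir" >&2; return 2; }
    found=0
    for arg in "$@"; do [ "$arg" = "@@" ] && found=1; done
    [ "$found" -eq 1 ] || { echo "no @@ in command line: the target never sees the seed" >&2; return 2; }
    # Rebuild the argument list with every @@ replaced by the seed path.
    n=$#
    while [ "$n" -gt 0 ]; do
        arg="$1"; shift
        [ "$arg" = "@@" ] && arg="$seed"
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    printf 'running:'; printf ' %s' "$@"; echo
    timeout "$limit" "$@" </dev/null
}

# Demo with a constructed stand-in for the proprietary binary: it accepts
# --config FILE and exits non-zero unless FILE holds at least one key=value line.
work=$(mktemp -d)
mkdir -p "$work/input"
printf 'threads=4\nlog=run.log\n' > "$work/input/seed.config"   # constructed seed
cat > "$work/File" <<'EOF'
#!/bin/sh
[ "$1" = "--config" ] && grep -q '=' "$2"
EOF
chmod +x "$work/File"

# The working form (--config @@) versus the form from the question (--configfile).
rc_ok=0;  dry_run "$work/input" 5 "$work/File" --config @@   || rc_ok=$?
rc_bad=0; dry_run "$work/input" 5 "$work/File" --configfile || rc_bad=$?
echo "with --config @@: exit $rc_ok; with --configfile and no @@: exit $rc_bad"
```

A hang in the target shows up here as exit 124 from `timeout`, which is the same symptom afl-fuzz reports as a timeout once it starts mutating the seed.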
