Release Version: 1.1
TinyAFL is built on top of AFL and TinyInst.
It can be fuzz on windows user-mode application without source (supports both x32 and x64) but it is not so reliable and dirty. It still has some instrument bugs, I will fix it when I fully understand TinyInst :P
I have reported some MediaFoundations bugs using this tool. * [Microsoft] CVE-2020-1319, CVE-2020-17105, CVE-2020-17109 ...
Although TinyAFL x64 can run both for 32bit and 64bit targets, I still recommend TinyAFL 32bit for 32bit targets and TinyAFL 64bit for 64bit targets.
mkdir build32 cd build32 cmake -G"Visual Studio 15 2017" .. cmake --build . --config Release#### For a 64-bit build
mkdir build64 cd build64 cmake -G"Visual Studio 15 2017 Win64" .. cmake --build . --config Release## How to fuzz with TinyAFL The command line for TinyAFL:
AFL.exe [ afl options ] -- target_cmd_lineThe following TinyAFL options are supported: ``` Required parameters:
-i dir - input directory with test cases -o dir - output directory for fuzzer findings
Execution control settings:
-p schedule - power schedules recompute a seed's performance score. -f file - location read by the fuzzed program (stdin) -t msec - timeout for each run -Q - use binary-only instrumentation (QEMU mode)
-L minutes - use MOpt(imize) mode and set the time limit for entering the pacemaker mode (minutes of no new paths). 0 = immediately, -1 = immediately and together with normal mutation).
Fuzzing behavior settings:
-x dir - optional fuzzer dictionary (see README)
-M / -S id - distributed mode (see parallelfuzzing.txt) -C - crash exploration mode (the peruvian rabbit thing) -e ext - file extension for the fuzz test input file (if needed) -headeronly - mutate only header of testcase (if needed) -sizeofheader - size of header will mutate when use option -header_only (default: 0x200)
-instrument_module path - path to instrumented PE ``` I add the feature to only mutate the test case header when fuzz (depending on the file format). I believe that some file format exceptions only happen when fields in the header change. To see the supported instrument flags, please refer to the mode-specific documentation at TinyInst.
AFL.exe -i in -o out -p fast -t 10000 -callconv fastcall -target_offset 0x1260 -nargs 2 -loop -persist -iterations 10000 -instrument_module demo.dll -target_module test.exe -- test.exe @@
python winafl-cmin.py -h [...] Examples of use: * Typical use afl-cmin.py -t 5000 -i in -o min -p demo.dll -- test.exe * Dry-run, keep crashes only with 4 workers with a working directory: afl-cmin.py -C --dry-run -w 4 --working-dir D:\dir -i in -i C:\fuzz\in -o min -p demo.dll -- test.exe @@ * Read specific file on specific location afl-cmin.py -t 5000 -i in -o min -f foo.ext -p m.dll -- test.exe @@ * Read from specific file with pattern afl-cmin.py -t 5000 -i in -o min -f [email protected]@-foo.ext -p demo.dll -- test.exe @@
afl-tmin.exe -h [...] afl-tmin.exe [ options ] -- /path/to/target_app [ ... ]
-i file - input test case to be shrunk by the tool -o file - final output location for the minimized data -instrument_module module - target module to test
Execution control settings:
-t msec - timeout for each run (10000 ms)
Special thanks to Ivan Fratric "ifsecure" security researcher of Google Project Zero has published a great tool for coverage-guided