# Honggfuzz - SocketClient

Implements an external fuzzer (the socket client) that fuzzes network servers or similar targets, while honggfuzz supplies coverage feedback and crash detection.

Tested on Ubuntu 17.04.


## Protocol

Simple:

```
HonggFuzz      <->       FFW
             "Fuzz" -->
         <-- "Okay"
             "New!" -->
             "Cras" -->
         <-- "bad!"
```

* "Fuzz": HonggFuzz tells FFW to send its network messages to the target server
* "Okay": FFW tells HonggFuzz that it has finished sending the messages
* "New!": HonggFuzz tells FFW that new basic blocks have been reached
* "Cras": HonggFuzz tells FFW that the target has crashed
* "bad!": FFW tells HonggFuzz that it has observed the server crash

"New!" and "Cras" are only sent when there is something to report; if the round produced no new coverage and no crash, the next "Fuzz" follows directly, as the interactive log below shows.

## Overview

`vulnserver_cov` listens on localhost:5001 and expects messages starting with "A", "B", "C",
"D" or "E". Message "B" can provoke a stack-based buffer overflow, while message "C"
can provoke a heap-based buffer overflow.

The current `honggfuzz_socketclient` sends one of these messages (chosen by the user)
once honggfuzz has told it that the target is ready (the target process has been started). Numbers 0-4
correspond to "A"-"E", while numbers 5 and 6 send the variants that trigger the memory corruption bugs.

`honggfuzz_socketclient` then sends the message to `vulnserver_cov` on port
5001 and replies "Okay". After that honggfuzz may send a message back to `honggfuzz_socketclient`, indicating that new
basic blocks have been reached ("New!") or that the target has crashed ("Cras").
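The exchange described in the Protocol and Overview sections, written out as a runnable simulation of both sides. This is an added example, not code from honggfuzz or from `honggfuzz_socketclient.py`: the honggfuzz side is a scripted stand-in that drives the control socket with the same four-byte tokens, the send to the target is a callable standing in for the TCP send to `vulnserver_cov` on localhost:5001, and the payloads and verdicts are constructed test data. What it shows is the state a client has to keep: after replying "Okay" the next token may be "New!", "Cras", or simply the next "Fuzz" (meaning no new coverage), and a client that cannot reach the server answers "bad!" instead of "Okay".

```python
import socket
import threading

# Four-byte ASCII tokens exchanged over the honggfuzz control socket.
FUZZ, OKAY, NEW, CRAS, BAD = b"Fuzz", b"Okay", b"New!", b"Cras", b"bad!"


def recv_token(sock):
    """Read exactly one 4-byte token; return b"" on EOF."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def socketfuzzer_client(ctrl, send_to_target, next_message):
    """FFW/client side of the protocol.

    ctrl           socket connected to honggfuzz
    send_to_target callable(payload) -> True if the server accepted it,
                   False if it was unreachable (stand-in for the TCP send)
    next_message   callable() -> next payload, or None when done
    Returns [(payload, verdict)], verdict in "new", "crash", "same", "bad".
    """
    results = []
    pending = None  # payload of the current round, verdict not yet known
    while True:
        tok = recv_token(ctrl)
        if tok == FUZZ:
            if pending is not None:
                # honggfuzz moved on without "New!" or "Cras": nothing new
                results.append((pending, "same"))
                pending = None
            payload = next_message()
            if payload is None:
                return results
            if send_to_target(payload):
                ctrl.sendall(OKAY)
                pending = payload
            else:
                ctrl.sendall(BAD)  # server gone: report it instead of "Okay"
                results.append((payload, "bad"))
        elif tok == NEW and pending is not None:
            results.append((pending, "new"))
            pending = None
        elif tok == CRAS and pending is not None:
            results.append((pending, "crash"))
            pending = None
        else:
            # EOF or an out-of-sequence token: close out the last round
            if pending is not None:
                results.append((pending, "same"))
            return results


def fake_honggfuzz(ctrl, verdicts):
    """Scripted stand-in for honggfuzz: one "Fuzz" round per verdict.

    verdicts holds NEW, CRAS or None (no new basic blocks) per round.
    A reply other than "Okay" (i.e. "bad!") or EOF ends the session.
    """
    for verdict in verdicts:
        ctrl.sendall(FUZZ)
        if recv_token(ctrl) != OKAY:
            break
        if verdict is not None:
            ctrl.sendall(verdict)
    ctrl.close()


def run_session(messages, verdicts, unreachable=frozenset()):
    """Run one client session against the stand-in over a socketpair.

    messages and verdicts are constructed test data; payloads listed in
    unreachable make the target stand-in report the server as down.
    """
    queue = iter(messages)
    hf_end, client_end = socket.socketpair()
    driver = threading.Thread(target=fake_honggfuzz, args=(hf_end, verdicts))
    driver.start()
    try:
        return socketfuzzer_client(
            client_end,
            lambda payload: payload not in unreachable,
            lambda: next(queue, None),
        )
    finally:
        client_end.close()
        driver.join()


if __name__ == "__main__":
    # Same shape as the interactive run on this page: messages 1, 5, 1, 2
    # giving "New!", "Cras", nothing, "New!" (payload bytes are made up).
    for payload, verdict in run_session(
        [b"B" * 8, b"B" * 4096, b"B" * 8, b"C" * 8], [NEW, CRAS, None, NEW]
    ):
        print(len(payload), verdict)
```

The `pending` variable is the whole point: the client cannot know whether a round produced new coverage until it sees what honggfuzz sends next, so the verdict for round N is only settled when "New!", "Cras", or round N+1's "Fuzz" arrives. A real client would replace the `send_to_target` lambda with a TCP connect and send to the server, returning `False` on a refused connection so that "bad!" reaches honggfuzz.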


## Preparation

Compile the test server, with `make` or:
```
~/honggfuzz/hfuzz_cc/hfuzz-gcc vulnserver_cov.c -O0 -o vulnserver_cov
```

## How-to

Start honggfuzz in socket fuzzer mode (`--socket_fuzzer`):

```
$ cd ~/honggfuzz
$ mkdir test
$ cd test
$ ../honggfuzz --keep_output --debug --sanitizers --sancov --stdin_input --threads 1 --verbose --logfile log.txt --socket_fuzzer -- ../socketfuzzer/vulnserver_cov
Waiting for SocketFuzzer connection on socket: /tmp/honggfuzz_socket.<pid>
```

In another terminal, start the socketfuzzer client:
```
$ python ./honggfuzz_socketclient.py interactive
connecting to /tmp/honggfuzz_socket
--[ Send Msg #: 1
Send to target: 1
--[ R Adding file to corpus...
--[ Send Msg #: 5
Send to target: 5
--[ R Target crashed
--[ Send Msg #: 1
Send to target: 1
--[ Send Msg #: 5
Send to target: 5
--[ Send Msg #: 1
Send to target: 1
--[ Send Msg #: 5
Send to target: 5
--[ Send Msg #: 2
Send to target: 2
--[ R Adding file to corpus...
--[ Send Msg #: 3
Send to target: 3
--[ R Adding file to corpus...
--[ Send Msg #: 5
Send to target: 5
```

Automatic test, successful run:
```
$ ./unittest.sh
Auto
connecting to /tmp/honggfuzz_socket

Test: 0 - initial
  ok: Fuzz

Test: 1 - first new BB
  ok: New!
  ok: Fuzz

Test: 2 - second new BB
  ok: New!
  ok: Fuzz

Test: 3 - repeat second msg, no new BB
  ok: Fuzz

Test: 4 - crash stack
  ok: Cras
  ok: Fuzz

Test: 5 - resend second, no new BB
  ok: Fuzz

Test: 6 - send three, new BB
  ok: New!
  ok: Fuzz

Test: 7 - send four, new BB
  ok: New!
  ok: Fuzz

Test: 8 - send four again, no new BB
  ok: Fuzz
```