# Introduction #

This page describes how to use honggfuzz in batch mode, i.e. attached to an already running process. The simplest example is the Apache web server, which cannot be restarted every time we want to send a new input (for performance reasons).

_Note: this currently works on Linux only._

# What do we need? #

First we need to decide what we actually want to fuzz. In this example it is the HTTP header parser of the Apache web server. We need a tool that generates (mutated) request headers, and we'll use netcat (_/bin/nc_) to deliver them to Apache. I wrote my own generator (_headfuzz_); its output looks like this:

```
GET (Orig-Uri) HTTP/1.0
private: expires=application/x-zip-compressed
Proxy-Authorization: HTTP/144444444444444444444444444.2
Date: "application/x-gzip"

ABC
```

In order to attach to a given PID we'll use the **-p** flag. Note that honggfuzz supports attaching to threads as well; in other words, it will attach to every thread in the same thread group (_ls /proc/pid/task_).

# Start Apache WS #

Apache needs to run in debug mode (the _-X_ flag), so that it handles requests in a single process and doesn't spawn child processes:

```
# APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data apache2 -k start -X
```

# Run honggfuzz #

We'll use the _-s_ flag to send the contents of each fuzz file to the standard input of _/bin/nc_:

```
# ./honggfuzz -c ./headfuzz -s -p "`pidof apache2`" -- /bin/nc -q2 -w2 127.0.0.1 80
honggfuzz version 0.3 Robert Swiecki <swiecki (a] google.com>, Copyright 2010 by Google Inc. All Rights Reserved.
[INFO] External PID specified, concurrency disabled
[INFO] debugLevel: 3, inputFile '(null)', nullifyStdio: 0, fuzzStdin: 1, saveUnique: 0, flipRate: 0.001000, flipMode: 'B', externalCommand: './headfuzz', tmOut: 3, threadsMax: 1, fileExtn 'fuzz', ignoreAddr: (nil), memoryLimit: 0 (MiB), fuzzExe: '/bin/nc', fuzzedPid: 9378
[INFO] No input file corpus specified, the external command './headfuzz' is responsible for creating the fuzz files
[INFO] Successfully attached to pid/tid: 9378
[INFO] Launched new process, pid: 9983, (1/1)
....
```

If Apache crashes we will see:

```
[INFO] Ok, that's interesting, saved '.honggfuzz.10014.1310049998.834508.645006950.fuzz' as 'SIGSEGV.PC.0x7f45942f1c20.CODE.0.ADDR.0x288d.INSTR.cmp_rax,_0xfffff001.2011-07-07.16.46.38.9378.fuzz'
[WARNING] Monitored process PID: 9378 finished
```

And we'll find the following file in the current directory:

```
SIGSEGV.PC.0x7f45942f1c20.CODE.0.ADDR.0x288d.INSTR.cmp_rax,_0xfffff001.2011-07-07.16.46.38.9378.fuzz
```

Happy fuzzing!
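A long attach-mode session leaves a directory full of crash files named like the one above, and most of them are duplicates of a handful of bugs. The following triage helper is an added example, not part of honggfuzz or this page: it parses the field layout of the crash file name shown above (signal, PC, si_code, fault address, instruction, timestamp, PID) and buckets files by signal, PC and instruction so the same bug is counted once. The regex assumes every honggfuzz 0.3 crash file follows that layout and that a missing fault address is printed as `(nil)`; the sample names other than the page's own are constructed.

```python
import re
from collections import Counter

# Layout of the crash file name in the page's session (honggfuzz 0.3):
#   SIGSEGV.PC.0x7f45942f1c20.CODE.0.ADDR.0x288d.INSTR.cmp_rax,_0xfffff001.2011-07-07.16.46.38.9378.fuzz
# Assumed: every crash file follows this order, and a missing fault address prints as "(nil)".
_CRASH_RE = re.compile(
    r"^(?P<signal>SIG[A-Z]+)\.PC\.(?P<pc>0x[0-9a-fA-F]+)\.CODE\.(?P<code>-?\d+)"
    r"\.ADDR\.(?P<addr>0x[0-9a-fA-F]+|\(nil\))\.INSTR\.(?P<instr>.+?)"
    r"\.(?P<date>\d{4}-\d{2}-\d{2})\.(?P<time>\d{2}\.\d{2}\.\d{2})\.(?P<pid>\d+)\.fuzz$"
)

def parse_crash_name(name):
    """Split one honggfuzz crash file name into its fields; None for any other file."""
    m = _CRASH_RE.match(name)
    if m is None:
        return None
    return {
        "signal": m["signal"],
        "pc": int(m["pc"], 16),
        "code": int(m["code"]),
        "addr": None if m["addr"] == "(nil)" else int(m["addr"], 16),
        "instr": m["instr"].replace("_", " "),  # honggfuzz writes spaces as '_'
        "time": f"{m['date']} {m['time'].replace('.', ':')}",
        "pid": int(m["pid"]),
    }

def crash_bucket(crash):
    # Same signal, faulting PC and instruction almost always means the same bug;
    # ADDR is left out on purpose because it varies with the input that faulted.
    return (crash["signal"], crash["pc"], crash["instr"])

def triage(names):
    buckets, skipped = Counter(), []
    for n in names:
        c = parse_crash_name(n)
        if c is None:
            skipped.append(n)
        else:
            buckets[crash_bucket(c)] += 1
    return buckets, skipped

# The first name is the one from the page; the rest are constructed for this demo
# (same fault at another address, an unrelated crash, and a file that is not a crash).
SAMPLE_NAMES = [
    "SIGSEGV.PC.0x7f45942f1c20.CODE.0.ADDR.0x288d.INSTR.cmp_rax,_0xfffff001.2011-07-07.16.46.38.9378.fuzz",
    "SIGSEGV.PC.0x7f45942f1c20.CODE.0.ADDR.0x41f0.INSTR.cmp_rax,_0xfffff001.2011-07-07.16.47.02.9378.fuzz",
    "SIGABRT.PC.0x7f4593d2a475.CODE.0.ADDR.(nil).INSTR.mov_eax,_0x1.2011-07-07.16.51.10.9378.fuzz",
    "notes.txt",
]
```

Running `triage(os.listdir("."))` on the fuzzing directory gives one bucket per distinct (signal, PC, instruction) triple, which is the list of crashes actually worth opening in a debugger.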