1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
# Honggfuzz - SocketClient
Use Honggfuzz as Code-Coverage tool, and implement an external fuzzer which
interacts with the target (usually a network server). The actual fuzzer and
honggfuzz communicate via a local socket.
Tested on Ubuntu 17.04, 18.04.
## Protocol
Simple:
```
HonggFuzz <-> FFW
"Fuzz" -->
<-- "Okay"
"New!" -->
"Cras" -->
<-- "bad!"
...
<-- "halt"
```
* "Fuzz": HongFuzz tells FFW to send its network messages to the target server
* "Okay": FFW tells HonggFuzz that it is finished sending the messages
* "New!": HonggFuzz tells FFW that new basic blocks have been reached
* "Cras": HonggFuzz tells FFW that the target has crashed
* "bad!": FFW tells Honggfuzz that the server is crashed
* "halt": Fuzzing finished, shutdown HonggFuzz in an orderly manner.
## Overview
`vulnserver_cov` will listen to localhost:5001 and expect messages starting with "A", "B", "C",
"D" or "E". Message "B" can provoke a stack based buffer overflow, while message "C"
can provoke a heap based buffer overflow.
The current `honggfuzz_socketclient` will send one of these messages (decided by the user),
after honggfuzz told it that it is ready (the client process is started). Number 0-4 correspond
to "A"-"E", while number 5 and 6 will provoke memory corruption overflows.
`honggfuzz_socketclient` will then proceed to send the messages to `vulnserver_cov` on port
5001. After that hongfuzz may send a message to `hongfuzz_client`, indicating that new
basic blocks have been reached.
## Preparation
Compile the test server, with `make` or:
```
~/honggfuzz/hfuzz_cc/hfuzz-gcc vulnserver_cov.c -O0 -o vulnserver_cov
```
## How-to
Start hongfuzz in socket-client mode:
```
$ cd ~/honggfuzz
$ mkdir test
$ cd test
$ ../honggfuzz --keep_output --debug --sanitizers --stdin_input --threads 1 --verbose --logfile log.txt --socket_fuzzer -- ../socketfuzzer/vulnserver_cov
Waiting for SocketFuzzer connection on socket: /tmp/honggfuzz_socket.<pid>
```
In another terminal, start the socketfuzzer client:
```
$ python ./honggfuzz_socketclient.py interactive
connecting to /tmp/honggfuzz_socket
--[ Send Msg #: 1
Send to target: 1
--[ R Adding file to corpus...
--[ Send Msg #: 5
Send to target: 5
--[ R Target crashed
--[ Send Msg #: 1
Send to target: 1
--[ Send Msg #: 5
Send to target: 5
--[ Send Msg #: 1
Send to target: 1
--[ Send Msg #: 5
Send to target: 5
--[ Send Msg #: 2
Send to target: 2
--[ R Adding file to corpus...
--[ Send Msg #: 3
Send to target: 3
--[ R Adding file to corpus...
--[ Send Msg #: 5
Send to target: 5
```
Automatic test, successful run:
```
$ ./unittest.sh
Auto Test
connecting to /tmp/honggfuzz_socket.24916
Test: 0 - initial
A SocketFuzzer client connected. Continuing.
ok: Fuzz
Test: 1 - expecting first new BB
# vulnserver_cov: Listening on port: 5001
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 6 on state: 0
# vulnserver_cov: Auth success
# vulnserver_cov: Closing...
ok: New!
ok: Fuzz
Test: 2 - expecting second new BB
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 6 on state: 0
# vulnserver_cov: Handledata1: BBBBBB
# vulnserver_cov: Closing...
ok: New!
ok: Fuzz
Test: 3 - repeat second msg, expecting no new BB
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 6 on state: 0
# vulnserver_cov: Handledata1: BBBBBB
# vulnserver_cov: Closing...
ok: Fuzz
Test: 4 - crash stack, expect new BB, then crash notification
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 128 on state: 0
# vulnserver_cov: Handledata1: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB�
ok: New!
ok: Cras
ok: Fuzz
Test: 5 - resend second, expecting no new BB
# vulnserver_cov: Listening on port: 5001
ok: Fuzz
Test: 6 - send three, expecting new BB
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 6 on state: 0
# vulnserver_cov: Handledata2: CCCCCC
# vulnserver_cov: Closing...
ok: New!
ok: Fuzz
Test: 7 - send four, new BB
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 6 on state: 0
# vulnserver_cov: Handledata3: 6
# vulnserver_cov: Closing...
ok: New!
ok: Fuzz
Test: 8 - fake unresponsive server
ok: Fuzz
Test: 9 - send four again, no new BB
# vulnserver_cov: New client connected
# vulnserver_cov: Received data with len: 6 on state: 0
# vulnserver_cov: Handledata3: 6
# vulnserver_cov: Closing...
# vulnserver_cov: Listening on port: 5001
ok: Fuzz
```
|
