When doing network fuzzing, does winafl allow us to fuzz a function that calls the receive-data function?
Hi,
I have a question on network fuzzing. Can I choose the target function that calls the receive-data function? For example, I tried to fuzz test_netmode.exe (provided by WinAFL). When I set the target function as recv_func(), winafl works and can find a crash. But if I set the target function as main(), it seems that winafl cannot work.
So my question is: does winafl allow us to fuzz a function that calls the receive-data function?
Thanks.
+@mxmssh FYI
I think in theory it should be possible with some modifications to the code, but probably wouldn't work as is because:
- WinAFL expects the target function to return normally. Since main() in test_netmode.cpp has an infinite loop (https://github.com/googleprojectzero/winafl/blob/master/test_netmode.cpp#L107), it is actually never going to return.
- Calling bind() (https://github.com/googleprojectzero/winafl/blob/master/test_netmode.cpp#L105) twice with the same arguments won't work, so the server would need to clean up the socket (so that it can be created again for the next iteration). While this would work, it wouldn't be exactly optimal.
- If the socket is (re)created for each iteration, there might be race issues between afl-fuzz and the server; specifically, afl-fuzz might try to connect to the server while the server isn't listening yet.
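To make the three constraints from the reply above concrete, here is an added example of a harness shape that satisfies them; it is not WinAFL's code nor a modification of test_netmode.cpp, and it uses POSIX sockets (so it runs on Linux) rather than Winsock. The function names (server_setup, handle_message, fuzz_one_iteration, run_session) and the one-byte-length message framing are hypothetical. The listening socket is bound exactly once at start-up, so the per-iteration target function never calls bind() again; because listen() is already in effect with a backlog, a client that connects before the harness reaches accept() is queued instead of refused, which is what removes the connect-before-listen race; and the target function accepts one connection, handles one message, closes only that client socket and returns normally, so each iteration is bounded.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_MSG 256

/* One listening socket for the whole process: bind() and listen() run once,
 * so the per-iteration target function never rebinds the port. */
static int listen_fd = -1;

/* Bind once on 127.0.0.1 (port 0 lets the OS choose a free port). Returns
 * the bound port, or -1 on error. */
int server_setup(unsigned short port) {
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    int one = 1;
    listen_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (listen_fd < 0) return -1;
    setsockopt(listen_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(listen_fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) return -1;
    /* The backlog queues clients that connect before accept() is called,
     * so a fuzzer that connects "too early" is not refused. */
    if (listen(listen_fd, 16) < 0) return -1;
    if (getsockname(listen_fd, (struct sockaddr *)&addr, &len) < 0) return -1;
    return ntohs(addr.sin_port);
}

/* Hypothetical code under test: a message is one length byte followed by
 * that many payload bytes. Returns the payload length, or -1 on bad framing. */
int handle_message(const unsigned char *buf, size_t len) {
    unsigned char copy[MAX_MSG];
    if (len < 1) return -1;
    size_t declared = buf[0];
    if (declared + 1 != len) return -1;   /* length byte must match the data */
    memcpy(copy, buf + 1, declared);      /* declared <= 255 < MAX_MSG */
    copy[declared] = '\0';
    return (int)declared;
}

/* The function a harness would mark as the fuzz target: accept exactly one
 * connection, read one message, handle it, close the client and return. */
int fuzz_one_iteration(void) {
    unsigned char buf[MAX_MSG];
    int client = accept(listen_fd, NULL, NULL);
    if (client < 0) return -1;
    ssize_t n = recv(client, buf, sizeof(buf), 0);
    int result = (n <= 0) ? -1 : handle_message(buf, (size_t)n);
    close(client);   /* only the per-connection socket is torn down */
    return result;
}

/* Demonstration driver: set up once, then run `count` iterations. For each
 * message a forked child plays the client (it connects before the parent
 * reaches accept(), exercising the backlog). Returns the number of
 * iterations run; per-iteration results go into `results`. */
int run_session(const unsigned char *const *msgs, const size_t *lens,
                int count, int *results) {
    int port = server_setup(0);
    if (port < 0) return -1;
    for (int i = 0; i < count; i++) {
        pid_t pid = fork();
        if (pid == 0) {
            struct sockaddr_in addr;
            int s = socket(AF_INET, SOCK_STREAM, 0);
            memset(&addr, 0, sizeof(addr));
            addr.sin_family = AF_INET;
            addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
            addr.sin_port = htons((unsigned short)port);
            if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == 0)
                send(s, msgs[i], lens[i], 0);
            close(s);
            _exit(0);
        }
        results[i] = fuzz_one_iteration();   /* returns normally every time */
        waitpid(pid, NULL, 0);
    }
    close(listen_fd);
    listen_fd = -1;
    return count;
}

int main(void) {
    const unsigned char good[] = {3, 'a', 'b', 'c'};   /* constructed sample */
    const unsigned char bad[]  = {9, 'a'};             /* length byte lies  */
    const unsigned char *msgs[] = {good, bad, good};
    const size_t lens[] = {sizeof(good), sizeof(bad), sizeof(good)};
    int results[3];
    run_session(msgs, lens, 3, results);
    for (int i = 0; i < 3; i++) printf("iteration %d -> %d\n", i, results[i]);
    return 0;
}
```

In a real WinAFL setup the equivalent of fuzz_one_iteration would be the instrumented target and afl-fuzz, not a forked child, would supply the connection; the point of the shape is that bind()/listen() happen outside the iterated function and that the function always returns.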
Thanks for your answer. Another question in my mind is: does winafl allow us to fuzz an event-driven server?