Tags: c, sockets, fuzzing, custom-protocol

Patching a closed source network application to read from file


So let me explain: I want to fuzz a closed-source application named Y that implements a custom protocol; let's name the protocol X. Y is written in C.
Is there a way to patch the send/read family of functions to read from a file instead of the socket?
Could this potentially work for the AFL/AFL++ fuzzer?
Keep in mind the application is developed for UNIX-like ecosystems.


Solution

  • Yes, you can do that easily by making bridges between named pipes (fifos) and TCP connections through netcat.

    Create two files (named pipes):

    mkfifo /tmp/program_input /tmp/program_output
    

    Now, make a bridge between these files and the application.

    In case the application is a TCP/IP Client, your bridge will be a TCP/IP Server:

    tail -f /tmp/program_input | nc -kl 127.0.0.1 50000 | tee /tmp/program_output > /dev/null
    

    Then you'll have to configure the application's peer IP address as the IP of the host where your bridge runs. The port must also match; it is arbitrary ("50000" in the example above).

    In case you can't change the IP address/TCP port the application uses, you'll have to map these on your router to the IP/port of your bridge application (see "port forwarding").

    If the application is a TCP/IP Server, create a TCP/IP client as a bridge:

    tail -f /tmp/program_input | nc <application_ip_address> <application_port> | tee /tmp/program_output > /dev/null
    

    If you want to write something to the networking application you're analyzing, write to /tmp/program_input. Read /tmp/program_output to see its output.

    I'm not too familiar with AFL/AFL++, but you can certainly communicate with the application directly or also make socket/file bridges for the fuzzer as well.
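The question itself asks for the other route: patching the send/read calls rather than bridging through netcat. On Linux the usual way to do that without touching the binary is an LD_PRELOAD shim that interposes the socket functions, so that a socket returned by `socket()` (or `accept()`) is answered from a file. The code below is an added example and is not part of the question or the answer above. It assumes Linux with glibc and direct socket syscalls (x86_64 or aarch64), reaches the real libc behaviour through raw syscalls instead of `dlsym(RTLD_NEXT, ...)` so no `-ldl` is needed, and uses an environment variable name, `FUZZ_INPUT`, that I made up for the example; with it unset the shim reads stdin, which is afl-fuzz's default delivery. It goes one step beyond the client case in the question by also covering a server that calls `bind()`/`accept()`. `demo_client()` and `main()` only exercise the shim in-process; drop them when building the preload library.

```c
#define _GNU_SOURCE
#undef _FORTIFY_SOURCE          /* keep glibc's inline read()/recv() wrappers from shadowing ours */
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

long syscall(long number, ...);  /* explicit prototype: real I/O goes through raw syscalls
                                    (Linux x86_64/aarch64 assumed), so no dlsym(RTLD_NEXT)/-ldl */

#define SHIM_MAX_FD 1024
static unsigned char shim_tracked[SHIM_MAX_FD]; /* fds handed out by our socket()/accept() */
static int shim_input_fd = -1;                  /* the file that stands in for the network peer */

int shim_track(int fd) { if (fd < 0 || fd >= SHIM_MAX_FD) return -1; shim_tracked[fd] = 1; return 0; }
int shim_is_tracked(int fd) { return fd >= 0 && fd < SHIM_MAX_FD && shim_tracked[fd] != 0; }

/* Choose the replacement input: explicitly (demo/test) or lazily from FUZZ_INPUT (assumed variable
   name); if that is unset or unreadable, fall back to stdin. */
int shim_set_input(const char *path) {
    if (shim_input_fd > STDIN_FILENO) close(shim_input_fd);
    shim_input_fd = open(path, O_RDONLY);
    return shim_input_fd < 0 ? -1 : 0;
}
static int shim_input(void) {
    if (shim_input_fd < 0) {
        const char *path = getenv("FUZZ_INPUT");
        if (!path || shim_set_input(path) != 0) shim_input_fd = STDIN_FILENO;
    }
    return shim_input_fd;
}
ssize_t shim_read_input(void *buf, size_t len) { return syscall(SYS_read, shim_input(), buf, len); }

/* --- interposed libc symbols: the binary calls these instead of glibc's once preloaded --- */
int socket(int domain, int type, int protocol) {
    int fd = (int)syscall(SYS_socket, domain, type, protocol); /* real fd, so setsockopt/fcntl still work */
    if (fd >= 0) shim_track(fd);
    return fd;
}
int connect(int fd, const struct sockaddr *addr, socklen_t len) {
    if (shim_is_tracked(fd)) return 0;                 /* peer "reachable" without any network */
    return (int)syscall(SYS_connect, fd, addr, len);
}
int bind(int fd, const struct sockaddr *addr, socklen_t len) {
    if (shim_is_tracked(fd)) return 0;                 /* no port is actually claimed */
    return (int)syscall(SYS_bind, fd, addr, len);
}
int accept(int fd, struct sockaddr *addr, socklen_t *len) {
    static int served;
    if (!shim_is_tracked(fd)) return (int)syscall(SYS_accept4, fd, addr, len, 0);
    if (served++) _exit(0);                            /* one test case per process: leave, don't block */
    int conn = dup(shim_input());                      /* the "connection" is a handle on the input file */
    if (conn >= 0) shim_track(conn);
    return conn;
}
ssize_t recv(int fd, void *buf, size_t len, int flags) {
    if (shim_is_tracked(fd)) return shim_read_input(buf, len);
    return syscall(SYS_recvfrom, fd, buf, len, flags, NULL, NULL);
}
ssize_t read(int fd, void *buf, size_t len) {
    if (shim_is_tracked(fd)) return shim_read_input(buf, len);
    return syscall(SYS_read, fd, buf, len);
}
ssize_t send(int fd, const void *buf, size_t len, int flags) {
    if (shim_is_tracked(fd)) return (ssize_t)len;      /* swallow replies; the fuzzer only needs crashes */
    return syscall(SYS_sendto, fd, buf, len, flags, NULL, 0);
}
ssize_t write(int fd, const void *buf, size_t len) {
    if (shim_is_tracked(fd)) return (ssize_t)len;
    return syscall(SYS_write, fd, buf, len);
}
int close(int fd) {
    if (shim_is_tracked(fd)) shim_tracked[fd] = 0;     /* the number will be reused for ordinary files */
    return (int)syscall(SYS_close, fd);
}

/* Demo: stash `payload` in a temp file, then do what a client of protocol X does. Returns the byte
   count recv() handed back, or -1 if it did not match the file (i.e. the shim was bypassed). */
ssize_t demo_client(const char *payload) {
    char path[] = "/tmp/shim_demo_XXXXXX";             /* constructed sample test case */
    int tfd = mkstemp(path);
    if (tfd < 0) return -1;
    size_t want = strlen(payload);
    long wrote = syscall(SYS_write, tfd, payload, want);
    close(tfd);
    int ok = wrote == (long)want && shim_set_input(path) == 0;
    unlink(path);                                      /* the open fd keeps the data readable */
    if (!ok) return -1;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(50000) };
    peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (s < 0 || connect(s, (struct sockaddr *)&peer, sizeof peer) != 0) return -1;
    if (send(s, "HELLO", 5, 0) != 5) { close(s); return -1; }   /* goes nowhere */
    ssize_t (*rx)(int, void *, size_t, int) = recv;    /* via pointer: bypass any fortified inline wrapper */
    char buf[256];
    ssize_t n = rx(s, buf, sizeof buf, 0);             /* served from the file, not the network */
    close(s);
    if (n != (ssize_t)want || memcmp(buf, payload, want) != 0) return -1;
    return n;
}

int main(void) {
    ssize_t n = demo_client("HELLO X\n");
    printf("client received %zd bytes from the file instead of the socket\n", n);
    return n < 0;
}
```

Build the library with `gcc -shared -fPIC -o shim.so shim.c` (without `main`/`demo_client`) and run the target as `FUZZ_INPUT=case.bin LD_PRELOAD=./shim.so ./Y`; under AFL++ the same library goes in via `AFL_PRELOAD=./shim.so`, with `-Q` (QEMU mode) supplying coverage for a closed-source binary and stdin delivery so `FUZZ_INPUT` stays unset. The table of interposed symbols is the part that needs tailoring to Y: a binary that waits in `select`/`poll`/`epoll`, reads with `recvmsg`/`readv`, or retries on short reads needs those calls redirected the same way, and an application that expects a request/response exchange spanning several reads gets one file that simply concatenates the peer's messages in order.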