
AFL-fuzz not finding any crashes


I am trying AFL for the first time, and for that reason I found a very simple piece of vulnerable C code that I could use to test AFL.

The C code in question is:

#include <stdio.h>
#include <string.h>

int main(int argc, char * argv[]){
        char name[10];          /* 10-byte stack buffer */

        if ( argc > 1 ){
                strcpy(name, argv[1]);  /* unbounded copy: argv[1] longer than 9 bytes overflows name */
                printf("HELLO %s\n", name);
        }

        return 0;
}

I compiled that code by running afl-gcc test.c -o test and tested it just to make sure it crashes when it is supposed to (running ./test $(python3 -c "print('A'*26)") gives a segmentation fault as expected).

The problem is this: I created a test case with echo -en "test\x00" > input/testcase and ran AFL with afl-fuzz -i afl_in -o afl_out -- ./test, but after a day it still hasn't found any crashes.

I also tried to create a test case that would force it to crash, python3 -c "print('A'*26)" > input/testcase, but it still runs and does not find anything.

This was supposed to be the easiest example so I could get to know AFL a bit better, but it is proving to be a challenge. Can anyone help?


Solution

  • Just as Nick ODell posted in the comments:

    Seems like AFL expects the program under test to read from STDIN rather than an argument. github.com/google/AFL#6-fuzzing-binaries

    Following that URL leads to an experimental module that allows AFL to read from an argument, and for that to work I just had to add two lines to my existing code:

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include "argv-fuzz-inl.h" // <-- Argv fuzz module
    
    
    int main(int argc, char * argv[]){
            AFL_INIT_ARGV(); // <-- needed near the very beginning of main().
            char name[10];
    
            if ( argc > 1 ){
                    strcpy(name, argv[1]);
                    printf("HELLO %s\n", name);
            }
    
            return 0;
    }
    

    After that I just compiled it again and everything worked as expected.
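The reason the original harness never crashes is that AFL feeds every mutated input to the target's stdin, and the program in the question never reads stdin: argc stays 1, strcpy is never reached, and there is nothing for the fuzzer to find. The example below is added here and is not code from the question, the answer or AFL's argv-fuzz-inl.h. It makes the stdin-to-argv convention concrete (arguments separated by NUL, list ended by an empty argument, i.e. "\0\0") with a simplified stand-in for what the experimental header does, and puts the bounded-copy version of the greeting next to it. argv_from_buffer(), argv_from_stdin(), greet(), MAX_ARGS, NAME_LEN and the 4096-byte read buffer are this example's own choices, not AFL's.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 32     /* assumed cap on reconstructed arguments */
#define NAME_LEN 10     /* same buffer size as the program in the question */

/*
 * Split a NUL-delimited buffer into argv-style pointers, the way the
 * argv-fuzzing harness presents stdin to the target: each argument is
 * terminated by '\0' and the list ends at an empty argument ("\0\0").
 * Simplified stand-in written for this example, not AFL's afl_init_argv().
 * buf must be NUL-terminated at or after buf[len] (a zero-filled buffer
 * larger than the bytes read satisfies that). out[0] is set to argv0;
 * returns argc and NULL-terminates out.
 */
static int argv_from_buffer(char *buf, size_t len, const char *argv0,
                            char **out, int max_out)
{
    int argc = 0;
    size_t pos = 0;

    out[argc++] = (char *)argv0;
    while (pos < len && buf[pos] != '\0' && argc < max_out - 1) {
        char *arg = buf + pos;
        char *nul = memchr(arg, '\0', len - pos);
        size_t alen = nul ? (size_t)(nul - arg) : len - pos;

        out[argc++] = arg;
        pos += alen + 1;            /* step over the argument and its NUL */
    }
    out[argc] = NULL;
    return argc;
}

/*
 * Hardened version of the greeting from the question: the copy into the
 * 10-byte stack buffer is bounded and an oversized name is rejected
 * instead of overflowing. Returns 0 on success, -1 if the name does not
 * fit (NAME_LEN - 1 characters plus the terminator).
 */
static int greet(const char *arg, char *out, size_t out_len)
{
    char name[NAME_LEN];
    size_t n = strlen(arg);

    if (n >= sizeof name)
        return -1;
    memcpy(name, arg, n + 1);       /* n + 1 <= sizeof name, includes the NUL */
    snprintf(out, out_len, "HELLO %s\n", name);
    return 0;
}

/*
 * Read the whole argument list from stdin, as AFL_INIT_ARGV does, and hand
 * back a replacement argv. in_buf is static, so it is zero-filled and always
 * has trailing NULs after the bytes that were read.
 */
static char **argv_from_stdin(const char *argv0, int *argc_out)
{
    static char in_buf[4096];
    static char *out[MAX_ARGS];
    ssize_t n = read(0, in_buf, sizeof in_buf - 2);

    if (n < 0)
        n = 0;
    *argc_out = argv_from_buffer(in_buf, (size_t)n, argv0, out, MAX_ARGS);
    return out;
}

int main(int argc, char *argv[])
{
    char line[64];

    argv = argv_from_stdin(argv[0], &argc);   /* plays the role of AFL_INIT_ARGV() */
    if (argc > 1) {
        if (greet(argv[1], line, sizeof line) < 0) {
            fprintf(stderr, "name too long (max %d bytes)\n", NAME_LEN - 1);
            return 1;
        }
        fputs(line, stdout);
    }
    return 0;
}
```

Seeds for this kind of harness are written in the same NUL-delimited form, for example printf 'test\0\0' > afl_in/seed, and the seed has to sit in the directory that is passed to -i. Before starting a long run it is worth piping a known-bad input into the instrumented binary by hand (printf 'AAAAAAAAAAAAAAAAAAAAAAAAAA\0\0' | ./test): if the binary does not crash from stdin, AFL will not find that crash either.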