Provided by: zzuf_0.13.svn20100215-4_amd64 
NAME
zzuf - multiple purpose fuzzer
SYNOPSIS
zzuf [-aAcdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max] [-f fuzzing] [-D delay]
[-j jobs] [-C crashes] [-B bytes] [-t seconds] [-T seconds] [-U seconds] [-M mebibytes]
[-b ranges] [-p ports] [-P protect] [-R refuse] [-l list] [-I include] [-E exclude]
[PROGRAM [ARGS]...]
zzuf -h | --help
zzuf -V | --version
DESCRIPTION
zzuf is a transparent application input fuzzer. It works by intercepting file and network
operations and changing random bits in the program's input. zzuf's behaviour is
deterministic, making it easy to reproduce bugs.
USAGE
zzuf will run an application specified on its command line, one or several times, with
optional arguments, and will report the application's relevant behaviour on the standard
error channel, eg:
zzuf cat /dev/zero
Flags found after the application name are considered arguments for the application, not
for zzuf. For instance, -v below is an argument for cat:
zzuf -B 1000 cat -v /dev/zero
When no program is specified, zzuf simply fuzzes the standard input, as if the cat utility
had been called:
zzuf < /dev/zero
OPTIONS
-a, --allow=list
Only fuzz network input for IPs in list, a comma-separated list of IP addresses. If
the list starts with !, the flag meaning is reversed and all addresses are fuzzed
except the ones in the list.
As of now, this flag only understands INET (IPv4) addresses.
This option requires network fuzzing to be activated using -n.
-A, --autoinc
Increment random seed each time a new file is opened. This is only required if one
instance of the application is expected to open the same file several times and you
want to test a different seed each time.
-b, --bytes=ranges
Restrict fuzzing to bytes whose offsets in the file are within ranges.
Range values start at zero and are inclusive. Use dashes between range values and
commas between ranges. If the right-hand part of a range is ommited, it means end
of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and all bytes after
offset 31, use ‘-b0,3-5,31-’.
This option is useful to preserve file headers or corrupt only a specific portion
of a file.
-B, --max-bytes=n
Automatically stop after n bytes have been output.
This either terminates child processes that output more than n bytes on the
standard output and standard error channels, or stop reading from standard input if
no program is being fuzzed.
This is useful to detect infinite loops. See also the -U and -T flags.
-c, --cmdline
Only fuzz files whose name is specified in the target application's command line.
This is mostly a shortcut to avoid specifying twice the argument:
zzuf -c cat file.txt
has the same effect as
zzuf -I '^file\.txt$' cat file.txt
See the -I flag for more information on restricting fuzzing to specific files.
-C, --max-crashes=n
Stop forking when at least n children have crashed. The default value is 1, meaning
zzuf will stop as soon as one child has crashed. A value of 0 tells zzuf to never
stop.
Note that zzuf will not kill any remaining children once n is reached. To ensure
that processes do not last forever, see the -U flag.
A process is considered to have crashed if any signal (such as, but not limited to,
SIGSEGV) caused it to exit. If the -x flag is used, this will also include
processes that exit with a non-zero status.
This option is only relevant if the -s flag is used with a range argument. See also
the -t flag.
-d, --debug
Activate the display of debug messages. Can be specified multiple times for
increased verbosity.
-D, --delay=delay
Do not launch more than one process every delay seconds. This option should be used
together with -j to avoid fork bombs.
-E, --exclude=regex
Do not fuzz files whose name matches the regex regular expression. This option
supersedes anything that is specified by the -I flag. Use this for instance if you
are unsure of what files your application is going to read and do not want it to
fuzz files in the /etc directory.
Multiple -E flags can be specified, in which case files matching any one of the
regular expressions will be ignored.
-f, --fuzzing=mode
Select how the input is fuzzed. Valid values for mode are:
xor randomly set and unset bits
set only set bits
unset only unset bits
The default value for mode is xor.
-j, --jobs=jobs
Specify the number of simultaneous children that can be run. By default, zzuf only
launches one process at a time.
This option is only relevant if the -s flag is used with a range argument. See also
the -D flag.
-i, --stdin
Fuzz the application's standard input. By default zzuf only fuzzes files.
-I, --include=regex
Only fuzz files whose name matches the regex regular expression. Use this for
instance if your application reads configuration files at startup and you only want
specific files to be fuzzed.
Multiple -I flags can be specified, in which case files matching any one of the
regular expressions will be fuzzed. See also the -c flag.
-l, --list=list
Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor will
really be fuzzed only if N is in list.
Values start at 1 and ranges are inclusive. Use dashes between values and commas
between ranges. If the right-hand part of a range is ommited, it means all
subsequent file descriptors. For instance, to restrict fuzzing to the first opened
descriptor and all descriptors starting from the 10th, use ‘-l1,10-’.
Note that this option only affects file descriptors that would otherwise be fuzzed.
Even if 10 write-only descriptors are opened at the beginning of the program, only
the next descriptor with a read flag will be the first one considered by the -l
flag.
-m, --md5
Instead of displaying the program's standard output, just print its MD5 digest to
zzuf's standard output. The standard error channel is left untouched.
-M, --max-memory=mebibytes
Specify the maximum amount of memory, in mebibytes (1 MiB = 1,048,576 bytes), that
children are allowed to allocate. This is useful to detect infinite loops that eat
up a lot of memory.
The value should be set reasonably high so as not to interfer with normal program
operation. By default, it is set to 1024 MiB in order to avoid accidental excessive
swapping. To disable the limitation, set the maximum memory usage to -1 instead.
zzuf uses the setrlimit() call to set memory usage limitations and relies on the
operating system's ability to enforce such limitations.
-n, --network
Fuzz the application's network input. By default zzuf only fuzzes files.
Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol families
are not yet supported.
-p, --ports=ranges
Only fuzz network ports that are in ranges. By default zzuf fuzzes all ports. The
port considered is the listening port if the socket is listening and the
destination port if the socket is connecting, because most of the time the source
port cannot be predicted.
Range values start at zero and are inclusive. Use dashes between range values and
commas between ranges. If the right-hand part of a range is ommited, it means end
of file. For instance, to restrict fuzzing to the HTTP and HTTPS ports and to all
unprivileged ports, use ‘-p80,443,1024-’.
This option requires network fuzzing to be activated using -n.
-P, --protect=list
Protect a list of characters so that if they appear in input data that would
normally be fuzzed, they are left unmodified instead.
Characters in list can be expressed verbatim or through escape sequences. The
sequences interpreted by zzuf are:
\n new line
\r return
\t tabulation
\NNN the byte whose octal value is NNN
\xNN the byte whose hexadecimal value is NN
\\ backslash (‘\’)
You can use ‘-’ to specify ranges. For instance, to protect all bytes from ‘\001’
to ‘/’, use ‘-P '\001-/'’.
The statistical outcome of this option should not be overlooked: if characters are
protected, the effect of the ‘-r’ flag will vary depending on the data being
fuzzed. For instance, asking to fuzz 1% of input bits (-r0.01) and to protect
lowercase characters (-P a-z) will result in an actual average fuzzing ratio of
0.9% with truly random data, 0.3% with random ASCII data and 0.2% with standard
English text.
See also the -R flag.
-q, --quiet
Hide the output of the fuzzed application. This is useful if the application is
very verbose but only its exit code or signaled status is really useful to you.
-r, --ratio=ratio
-r, --ratio=min:max
Specify the proportion of bits that will be randomly fuzzed. A value of 0 will not
fuzz anything. A value of 0.05 will fuzz 5% of the open files' bits. A value of 1.0
or more will fuzz all the bytes, theoretically making the input files undiscernible
from random data. The default fuzzing ratio is 0.004 (fuzz 0.4% of the files'
bits).
A range can also be specified. When doing so, zzuf will pick ratio values from the
interval. The choice is deterministic and only depends on the interval bounds and
the current seed.
-R, --refuse=list
Refuse a list of characters by not fuzzing bytes that would otherwise be changed to
a character that is in list. This does not prevent characters from appearing in the
output if the original byte was already in list.
See the -P option for a description of list.
-s, --seed=seed
-s, --seed=start:stop
Specify the random seed to use for fuzzing, or a range of random seeds. Running
zzuf twice with the same random seed will fuzz the files exactly the same way, even
with a different target application. The purpose of this is to use simple utilities
such as cat or cp to generate a file that causes the target application to crash.
If a range is specified, zzuf will run the application several times, each time
with a different seed, and report the behaviour of each run. If the ‘:’ character
is used but the second part of the range is omitted, zzuf will increment the seed
value indefinitely.
-S, --signal
Prevent children from installing signal handlers for signals that usually cause
coredumps. These signals are SIGABRT, SIGFPE, SIGILL, SIGQUIT, SIGSEGV, SIGTRAP
and, if available on the running platform, SIGSYS, SIGEMT, SIGBUS, SIGXCPU and
SIGXFSZ. Instead of calling the signal handler, the application will simply crash.
If you do not want core dumps, you should set appropriate limits with the limit
coredumpsize command. See your shell's documentation on how to set such limits.
-t, --max-time=n
Stop forking after n seconds. By default, zzuf runs until the end of the seed range
is reached.
Note that zzuf will not kill any remaining children once n is reached. To ensure
that processes do not last forever, see the -U flag.
This option is only relevant if the -s flag is used with a range argument. See also
the -C flag.
-T, --max-cputime=n
Automatically terminate child processes that use more than n seconds of CPU time.
zzuf uses the setrlimit() call to set CPU usage limitations and relies on the
operating system's ability to enforce such limitations. If the system sends SIGXCPU
signals and the application catches that signal, it will receive a SIGKILL signal
after 5 seconds.
This is more accurate than -U because the behaviour should be independent from the
system load, but it does not detect processes stuck into infinite select() calls
because they use very little CPU time. See also the -B and -U flags.
-U, --max-usertime=n
Automatically terminate child processes that run for more than n seconds. This is
useful to detect infinite loops or processes stuck in other situations. See also
the -B and -T flags.
-v, --verbose
Print information during the run, such as the current seed, what processes get run,
their exit status, etc.
-x, --check-exit
Report processes that exit with a non-zero status. By default only processes that
crash due to a signal are reported.
-h, --help
Display a short help message and exit.
-V, --version
Output version information and exit.
DIAGNOSTICS
Exit status is zero if no child process crashed. If one or several children crashed, zzuf
exits with status 1.
EXAMPLES
Fuzz the input of the cat program using default settings:
zzuf cat /etc/motd
Fuzz 1% of the input bits of the cat program using seed 94324:
zzuf -s94324 -r0.01 cat /etc/motd
Fuzz the input of the cat program but do not fuzz newline characters and prevent non-ASCII
characters from appearing in the output:
zzuf -P '\n' -R '\x00-\x1f\x7f-\xff' cat /etc/motd
Fuzz the input of the convert program, using file foo.jpeg as the original input and
excluding .xml files from fuzzing (because convert will also open its own XML
configuration files and we do not want zzuf to fuzz them):
zzuf -E '\.xml$' convert foo.jpeg -format tga /dev/null
Fuzz the input of VLC, using file movie.avi as the original input and restricting fuzzing
to filenames that appear on the command line (-c), then generate fuzzy-movie.avi which is
a file that can be read by VLC to reproduce the same behaviour without using zzuf:
zzuf -c -s87423 -r0.01 vlc movie.avi
zzuf -c -s87423 -r0.01 <movie.avi >fuzzy-movie.avi
vlc fuzzy-movie.avi
Fuzz between 0.1% and 2% of MPlayer's input bits (-r0.001:0.02) with seeds 0 to 9999
(-s0:10000), preserving the AVI 4-byte header by restricting fuzzing to offsets after 4
(-b4-), disabling its standard output messages (-q), launching up to five simultaneous
child processes (-j5) but waiting at least half a second between launches (-D0.5), killing
MPlayer if it takes more than one minute to read the file (-T60) and disabling its SIGSEGV
signal handler (-S):
zzuf -c -r0.001:0.02 -s0:10000 -b4- -q -j5 -D0.5 -T60 -S \
mplayer -benchmark -vo null -fps 1000 movie.avi
A more advanced VLC fuzzing example, stopping only at the first crash:
zzuf -j4 -vqc -r0.000001:0.01 -s0: vlc -v -I dummy movie.avi \
--sout '#transcode{acodec=s16l,vcodec=I420}:dummy' vlc:quit
Create an HTML-like file that loads 200 times the same hello.jpg image and open it in
Firefox™ in auto-increment mode (-A):
seq -f '<img src="hello.jpg#%g">' 1 200 > hello.html
(or: jot -w '<img src="hello.jpg#%d">' 200 1 > hello.html)
zzuf -A -I 'hello[.]jpg' -r0.001 firefox hello.html
Run a simple HTTP redirector on the local host using socat and corrupt each network
connection (-n) in a different way (-A) after one megabyte of data was received on it
(-b1000000-):
zzuf -n -A -b1000000- \
socat TCP4-LISTEN:8080,reuseaddr,fork TCP4:192.168.1.42:80
Browse the intarweb (-n) using Firefox™ without fuzzing local files (-E.) or non-HTTP
connections (-p80,8010,8080), preserving the beginning of the data sent with each HTTP
response (-b4000-) and using another seed on each connection (-A):
zzuf -r 0.0001 -n -E. -p80,8010,8080 -b4000- -A firefox
RESTRICTIONS
Due to zzuf using shared object preloading (LD_PRELOAD, _RLD_LIST, DYLD_INSERT_LIBRARIES,
etc.) to run its child processes, it will fail in the presence of any mechanism that
disables preloading. For instance setuid root binaries will not be fuzzed when run as an
unprivileged user.
For the same reasons, zzuf will also not work with statically linked binaries. Bear this
in mind when using zzuf on the OpenBSD platform, where cat, cp and dd are static binaries.
Though best efforts are made, identical behaviour for different versions of zzuf is not
guaranteed. The reproducibility for subsequent calls on different operating systems and
with different target programs is only guaranteed when the same version of zzuf is being
used.
BUGS
zzuf probably does not behave correctly with 64-bit offsets.
It is not yet possible to insert or drop bytes from the input, to fuzz according to the
file format, to swap bytes, etc. More advanced fuzzing methods are planned.
As of now, zzuf does not really support multithreaded applications. The behaviour with
multithreaded applications where more than one thread does file descriptor operations is
undefined.
HISTORY
zzuf started its life in 2002 as the streamfucker tool, a small multimedia stream
corrupter used to find bugs in the VLC media player.
SEE ALSO
libzzuf(3), zzat(1)
AUTHOR
Copyright © 2002-2010 Sam Hocevar <sam@hocevar.net>.
zzuf and this manual page are free software. They come without any warranty, to the extent
permitted by applicable law. You can redistribute them and/or modify them under the terms
of the Do What The Fuck You Want To Public License, Version 2, as published by Sam
Hocevar. See http://sam.zoy.org/wtfpl/COPYING for more details.
zzuf's webpage can be found at http://caca.zoy.org/wiki/zzuf. An overview of the
architecture and inner works is at http://caca.zoy.org/wiki/zzuf/internals.