# Honggfuzz - SocketClient

Implement an external fuzzer to fuzz network servers or similar.

Tested on Ubuntu 17.04.


## Protocol

Simple:

```
HonggFuzz <-> FFW
  "Fuzz" -->
         <-- "Okay"
  "New!" -->
  "Cras" -->
         <-- "bad!"
```

* "Fuzz": Honggfuzz tells FFW to send its network messages to the target server
* "Okay": FFW tells Honggfuzz that it has finished sending the messages
* "New!": Honggfuzz tells FFW that new basic blocks have been reached
* "Cras": Honggfuzz tells FFW that the target has crashed
* "bad!": FFW tells Honggfuzz that the server has crashed

## Overview

`vulnserver_cov` will listen on localhost:5001 and expect messages starting with "A", "B", "C",
"D" or "E". Message "B" can provoke a stack-based buffer overflow, while message "C"
can provoke a heap-based buffer overflow.

The current `honggfuzz_socketclient` will send one of these messages (chosen by the user)
after honggfuzz has told it that it is ready (i.e. the target process has been started). Numbers 0-4
correspond to "A"-"E", while numbers 5 and 6 provoke the memory-corruption overflows.

`honggfuzz_socketclient` then proceeds to send the messages to `vulnserver_cov` on port
5001. After that, honggfuzz may send a message to `honggfuzz_socketclient` indicating that new
basic blocks have been reached.
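The exchange in the protocol table and the client behaviour in the overview, as an added example that is not the project's `honggfuzz_socketclient.py`: the FFW side reads one message from honggfuzz, and only "Fuzz" gets an answer ("Okay" if the queued messages could be delivered, "bad!" if the target server is unreachable); "New!" and "Cras" are just events telling the client to keep its last input. It assumes fixed four-byte frames (all five messages on this page are four bytes, the page does not spell out the framing), uses a `socket.socketpair()` as a stand-in for the `/tmp/honggfuzz_socket` Unix socket so it runs without honggfuzz, and takes a hypothetical `deliver` callback in place of the real send-to-target code.

```python
import socket
from typing import Callable, List

# The five four-byte messages from the protocol table.
MSG_FUZZ = b"Fuzz"   # honggfuzz -> FFW: send your network messages to the target
MSG_OKAY = b"Okay"   # FFW -> honggfuzz: finished sending
MSG_NEW = b"New!"    # honggfuzz -> FFW: new basic blocks reached
MSG_CRAS = b"Cras"   # honggfuzz -> FFW: the target crashed
MSG_BAD = b"bad!"    # FFW -> honggfuzz: the target server is down
MSG_LEN = 4          # assumption: every frame is exactly four bytes


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the peer went away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket mid-message")
        buf += chunk
    return buf


def client_step(sock: socket.socket, deliver: Callable[[], bool]) -> str:
    """Handle one message from honggfuzz on the FFW side.

    `deliver` is a hypothetical callback that sends the queued messages to
    the target server and returns False if the server cannot be reached.
    Returns a one-line description of what the client did."""
    msg = recv_exact(sock, MSG_LEN)
    if msg == MSG_FUZZ:
        if deliver():
            sock.sendall(MSG_OKAY)       # finished sending
            return "sent messages, replied Okay"
        sock.sendall(MSG_BAD)            # server unreachable: report it as crashed
        return "target unreachable, replied bad!"
    if msg == MSG_NEW:
        return "Adding file to corpus..."   # the last input reached new basic blocks
    if msg == MSG_CRAS:
        return "Target crashed"             # keep the last input as a crash case
    raise ValueError(f"unknown message from honggfuzz: {msg!r}")


def simulate(script: List[bytes], target_alive: List[bool]) -> List[str]:
    """Drive client_step() over a socketpair, with this function playing the
    honggfuzz side. `script` is the constructed sequence of messages honggfuzz
    sends; one entry of `target_alive` is consumed per "Fuzz" to decide whether
    delivery succeeds. Returns the interleaved log of both sides."""
    hf_side, ffw_side = socket.socketpair()
    alive = iter(target_alive)
    log: List[str] = []
    try:
        for msg in script:
            hf_side.sendall(msg)
            log.append(client_step(ffw_side, lambda: next(alive)))
            if msg == MSG_FUZZ:
                # Only "Fuzz" is answered; honggfuzz reads the reply before going on.
                log.append("honggfuzz got " + recv_exact(hf_side, MSG_LEN).decode())
    finally:
        hf_side.close()
        ffw_side.close()
    return log


if __name__ == "__main__":
    # Constructed run: two successful fuzz rounds, a crash, then the server is gone.
    for line in simulate([MSG_FUZZ, MSG_NEW, MSG_FUZZ, MSG_CRAS, MSG_FUZZ],
                         [True, True, False]):
        print(line)
```

The `recv_exact` loop matters more than it looks: `recv(4)` on a stream socket may legitimately return fewer bytes, and a client that treats a short read as a whole message will desynchronise from honggfuzz for the rest of the run. Anything that is not one of the five known frames is rejected rather than ignored, so a protocol mismatch shows up immediately instead of as silently lost coverage.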


## Preparation

Compile the test server, with `make` or:
```
~/honggfuzz/hfuzz_cc/hfuzz-gcc vulnserver_cov.c -O0 -o vulnserver_cov
```

## How-to

Start honggfuzz in socket-client mode:

```
$ cd ~/honggfuzz
$ mkdir test
$ cd test
$ ../honggfuzz --keep_output --debug --sanitizers --sancov --stdin_input --threads 1 --verbose --logfile log.txt --socket_fuzzer -- ../socketfuzzer/vulnserver_cov
Waiting for SocketFuzzer connection on socket: /tmp/honggfuzz_socket.<pid>
```

In another terminal, start the socketfuzzer client:
```
$ python ./honggfuzz_socketclient.py interactive
connecting to /tmp/honggfuzz_socket
--[ Send Msg #: 1
Send to target: 1
--[ R Adding file to corpus...
--[ Send Msg #: 5
Send to target: 5
--[ R Target crashed
--[ Send Msg #: 1
Send to target: 1
--[ Send Msg #: 5
Send to target: 5
--[ Send Msg #: 1
Send to target: 1
--[ Send Msg #: 5
Send to target: 5
--[ Send Msg #: 2
Send to target: 2
--[ R Adding file to corpus...
--[ Send Msg #: 3
Send to target: 3
--[ R Adding file to corpus...
--[ Send Msg #: 5
Send to target: 5
```

Automatic test, successful run:
```
$ ./unittest.sh
Auto
connecting to /tmp/honggfuzz_socket

Test: 0 - initial
  ok: Fuzz

Test: 1 - first new BB
  ok: New!
  ok: Fuzz

Test: 2 - second new BB
  ok: New!
  ok: Fuzz

Test: 3 - repeat second msg, no new BB
  ok: Fuzz

Test: 4 - crash stack
  ok: Cras
  ok: Fuzz

Test: 5 - resend second, no new BB
  ok: Fuzz

Test: 6 - send three, new BB
  ok: New!
  ok: Fuzz

Test: 7 - send four, new BB
  ok: New!
  ok: Fuzz

Test: 8 - send four again, no new BB
  ok: Fuzz
```