diff --git a/doc/zzuf.1 b/doc/zzuf.1 index 80ca166..49fd5c3 100644 --- a/doc/zzuf.1 +++ b/doc/zzuf.1 @@ -2,293 +2,191 @@ .SH NAME zzuf \- multiple purpose fuzzer .SH SYNOPSIS -.B zzuf -[ -.B \-cdhiqSv -] [ -.B \-r -.I ratio -] [ -.B \-s -.I seed -| -.B \-s -.I start:stop -] -.PD 0 -.IP -.PD -[ -.B \-F -.I children -] [ -.B \-B -.I bytes -] [ -.B \-T -.I seconds -] -.PD 0 -.IP -.PD -[ -.B \-I -.I include -] [ -.B \-E -.I exclude -] -.I COMMAND [ARGS]... -.RI +\fBzzuf\fR [\fB\-cdiqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR] +.br + [\fB\-F\fR \fIchildren\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR] +.br + [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] \fICOMMAND\fR [\fIARGS\fR]... +.br +\fBzzuf \-h\fR | \fB\-\-help\fR +.br +\fBzzuf \-v\fR | \fB\-\-version\fR .SH DESCRIPTION -.B Zzuf -is a transparent application input fuzzer. It works by intercepting -file operations and changing random bits in the program's input. -.B Zzuf's +.PP +\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting +file operations and changing random bits in the program's input. \fBZzuf\fR's behaviour is deterministic, making it easy to reproduce bugs. -.RI .SH USAGE -.B Zzuf -will run an application specified on its command line, one or several times, -with optional arguments, and will report the application's behaviour on -the standard output. - -If you want to specify arguments for your application, put a -.B \-\- -marker before them on the command line, or -.B zzuf -will try to interpret them as arguments for itself. -.RI +.PP +\fBZzuf\fR will run an application specified on its command line, one or +several times, with optional arguments, and will report the application's +behaviour on the standard output. +.PP +If you want to specify arguments for your application, put a \fB\-\-\fR +marker before them on the command line, or \fBzzuf\fR will try to interpret +them as arguments for itself. .SH OPTIONS .TP -.B \-B, \-\-max\-bytes -Automatically terminate child processes that output more than -.B -bytes on the standard output and standard error channels. This is useful to -detect infinite loops. +\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR +Automatically terminate child processes that output more than \fIn\fR bytes +on the standard output and standard error channels. This is useful to detect +infinite loops. See also the \fB\-T\fR flag. .TP -.B \-c, \-\-cmdline +\fB\-c\fR, \fB\-\-cmdline\fR Only fuzz files whose name is specified in the target application's command line. This is mostly a shortcut to avoid specifiying twice the argument: -.B zzuf \-c cat file.txt -has the same effect as -.B zzuf \-I "^file\\.txt$" cat -.BR file.txt . -See the -.B \-I -flag for more information. +\fBzzuf \-c cat file.txt\fR has the same effect as \fBzzuf \-I +\(dq^file\\.txt$\(dq cat file.txt\fR. See the \fB\-I\fR flag for more +information. .TP -.B \-d, \-\-debug +\fB\-d\fR, \fB\-\-debug\fR Activate the display of debug messages. .TP -.B \-E, \-\-exclude -Do not fuzz files whose name matches the -.B -regular expression. This option supersedes anything that is specified by the -.B \-\-include -flag. Use this for instance if you are unsure of what files your -application is going to read and do not want it to fuzz files in the -.B /etc -directory. +\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR +Do not fuzz files whose name matches the \fIregex\fR regular expression. This +option supersedes anything that is specified by the \fB\-I\fR flag. Use this +for instance if you are unsure of what files your application is going to read +and do not want it to fuzz files in the \fB/etc\fR directory. -Multiple -.B \-E -flags can be specified, in which case files matching any one of the regular -expressions will be ignored. +Multiple \fB\-E\fR flags can be specified, in which case files matching any one +of the regular expressions will be ignored. .TP -.B \-F, \-\-fork +\fB\-F\fR, \fB\-\-fork\fR=\fIchildren\fR Specify the number of simultaneous children that can be run. This option is -only useful if the -.B \-s -flag is used with an interval argument. +only useful if the \fB\-s\fR flag is used with an interval argument. .TP -.B \-h, \-\-help +\fB\-h\fR, \fB\-\-help\fR Display a short help message and exit. .TP -.B \-i, \-\-stdin -Fuzz the application's standard input. By default -.B zzuf -only fuzzes files. +\fB\-i\fR, \fB\-\-stdin\fR +Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files. .TP -.B \-I, \-\-include -Only fuzz files whose name matches the -.B -regular expression. Use this for instance if your application reads -configuration files at startup and you only want specific files to be fuzzed. +\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR +Only fuzz files whose name matches the \fIregex\fR regular expression. Use +this for instance if your application reads configuration files at startup +and you only want specific files to be fuzzed. -Multiple -.B \-I -flags can be specified, in which case files matching any one of the regular -expressions will be fuzzed. See also the -.B \-c -flag. +Multiple \fB\-I\fR flags can be specified, in which case files matching any one +of the regular expressions will be fuzzed. See also the \fB\-c\fR flag. .TP -.B \-q, \-\-quiet +\fB\-q\fR, \fB\-\-quiet\fR Hide the output of the fuzzed application. This is useful if the application is very verbose but only its exit code or signaled status is really useful to you. .TP -.B \-r, \-\-ratio +\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR Specify the amount of bits that will be randomly fuzzed. A value of 0 will not fuzz anything. A value of 0.05 will fuzz 5% of the open files' bits. A value of 1.0 or more will fuzz all the bytes, theoretically making the input files undiscernible from random data. The default fuzzing ratio is 0.004 (fuzz 0.4% of the files' bits). .TP -.B \-s, \-\-seed +\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR .PD 0 .TP -.B \-s, \-\-seed +\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR .PD Specify the random seed to use for fuzzing, or an interval of random seeds. -Running -.B zzuf -twice with the same random seed will fuzz the files exactly the same way, -even with a different target application. The purpose of this is to use -simple utilities such as -.B cat -or -.B cp -to generate a file that causes the target application to crash. +Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly +the same way, even with a different target application. The purpose of this is +to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that +causes the target application to crash. -If an interval is specified, -.B zzuf -will run the application several times, each time with a different seed, and -report the behaviour of each run. +If an interval is specified, \fBzzuf\fR will run the application several times, +each time with a different seed, and report the behaviour of each run. .TP -.B \-S, \-\-signal +\fB\-S\fR, \fB\-\-signal\fR Prevent children from installing signal handlers for signals that usually -cause coredumps. These signals are -.BR SIGABRT , -.BR SIGFPE , -.BR SIGILL , -.BR SIGQUIT , -.BR SIGSEGV , -.B SIGTRAP -and, if available on the running platform, -.BR SIGSYS , -.BR SIGEMT , -.BR SIGBUS , -.B SIGXCPU -and -.BR SIGXFSZ . -Instead of calling the signal handler, the application will simply crash. If -you do not want core dumps, you should set appropriate limits with the -.B limit coredumpsize -command. See your shell's documentation on how to set such limits. +cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR, +\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running +platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and +\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will +simply crash. If you do not want core dumps, you should set appropriate limits +with the \fBlimit coredumpsize\fR command. See your shell's documentation on +how to set such limits. .TP -.B \-T, \-\-max\-time -Automatically terminate child processes that run for more than -.B +\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR +Automatically terminate child processes that run for more than \fIn\fR seconds. This is useful to detect infinite loops or processes stuck in other -situations. +situations. See also the \fB\-B\fR flag. .TP -.B \-v, \-\-version +\fB\-v\fR, \fB\-\-version\fR Output version information and exit. -.RI .SH EXAMPLES -Fuzz the input of the -.B cat -program using default settings: +.PP +Fuzz the input of the \fBcat\fR program using default settings: +.PP +.RS .nf - -.B % zzuf cat /etc/motd - +\fB# zzuf cat /etc/motd\fR .fi -Fuzz 1% of the input bits of the -.B cat -program using seed 94324: +.RE +.PP +Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324: +.PP +.RS .nf - -.B % zzuf -s 94324 -r 0.01 cat /etc/motd - +\fB# zzuf -s 94324 -r 0.01 cat /etc/motd\fR .fi -Fuzz the input of the -.B convert -program, using file -.B foo.jpeg -as the original input and excluding -.B .xml -files from fuzzing (because -.B convert -will also open its own XML configuration files and we do not want -.B zzuf -to fuzz them): +.RE +.PP +Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the +original input and excluding \fB.xml\fR files from fuzzing (because +\fBconvert\fR will also open its own XML configuration files and we do not +want \fBzzuf\fR to fuzz them): +.PP +.RS .nf - -.B % zzuf -E "\\.xml$" convert -- foo.jpeg -format tga /dev/null - +\fB# zzuf -E \(dq\\.xml$\(dq convert -- foo.jpeg -format tga /dev/null\fR .fi -Fuzz the input of -.BR vlc , -using file -.B movie.avi -as the original input and restricting fuzzing to filenames that appear on -the command line, then generate -.B fuzzy-movie.avi -which is a file that can be fed to -.B vlc -to reproduce the same behaviour without using -.BR zzuf : -.fn - -.B % zzuf -c -s 87423 -r 0.01 vlc movie.avi - -.B % zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi - -.B % vlc fuzzy-movie.avi - +.RE +.PP +Fuzz the input of \fBvlc\fR, using file \fBmovie.avi\fR as the original input +and restricting fuzzing to filenames that appear on the command line +(\fB\-c\fR), then generate \fBfuzzy-movie.avi\fR which is a file that can +be read by \fBvlc\fR to reproduce the same behaviour without using \fBzzuf\fR: +.PP +.RS +.nf +\fB# zzuf -c -s 87423 -r 0.01 vlc movie.avi\fR +\fB# zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR +\fB# vlc fuzzy-movie.avi\fR .fi -Fuzz 2% of -.BR mplayer 's -input bits -.RB ( \-r -.BR 0.02 ) -with seeds 0 to 9999 -.RB ( \-s -.BR 0:10000 ), -disabling its standard output messages -.RB ( \-q ), -launching up to three simultaneous child processes -.RB ( \-F -.BR 3 ), -killing -.B mplayer -if it takes more than one minute to read the file -.RB ( \-T -.BR 60 ) -and disabling its -.B SIGSEGV -signal handler -.RB ( \-S ): -.fn - -.B % zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 mplayer movie.avi -- -benchmark -vo null -fps 1000 - +.RE +.PP +Fuzz 2% of \fBmplayer\fR's input bits (\fB\-r 0.02\fR) with seeds 0 to 9999 +(\fB\-s 0:10000\fR), disabling its standard output messages (\fB\-q\fR), +launching up to three simultaneous child processes (\fB\-F 3\fR), killing +\fBmplayer\fR if it takes more than one minute to read the file (\fB\-T 60\fR) +and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR): +.PP +.RS +.nf +\fB# zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 \\\fR +\fB mplayer movie.avi -- -benchmark -vo null -fps 1000\fR .fi -.RI +.RE .SH BUGS -Only the most common file operations are implemented as of now: -.BR open (), -.BR read (), -.BR fopen (), -.BR fseek (), -etc. One important unimplemented function is -.BR fscanf (). - +.PP +Only the most common file operations are implemented as of now: \fBopen\fR(), +\fBread\fR(), \fBfopen\fR(), \fBfseek\fR(), etc. One important unimplemented +function is \fBfscanf\fR(). +.PP Network fuzzing is not implemented. It is not yet possible to insert or drop bytes from the input, to fuzz according to the file format, or to do all these complicated operations. They are planned, though. - -Due to -.B zzuf -using -.B LD_PRELOAD -to run its child processes, it will fail in the presence of any mechanism -that disables preloading. For instance setuid root binaries will not be -fuzzed. -.RI +.PP +Due to \fBzzuf\fR using \fBLD_PRELOAD\fR to run its child processes, it will +fail in the presence of any mechanism that disables preloading. For instance +setuid root binaries will not be fuzzed when run as an unprivileged user. .SH AUTHOR -.B Zzuf -and this manual page were written by Sam Hocevar . There is a -webpage available at http://sam.zoy.org/zzuf/ +.PP +Copyright \(co 2006, 2007 Sam Hocevar . +.PP +\fBZzuf\fR and this manual page are free software. They come without any +warranty, to the extent permitted by applicable law. You can redistribute +them and/or modify them under the terms of the Do What The Fuck You Want +To Public License, Version 2, as published by Sam Hocevar. See +\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details. +.PP +\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.