zzuf(1)



zzuf(1)                     General Commands Manual                    zzuf(1)

NAME
       zzuf - multiple purpose fuzzer

SYNOPSIS
       zzuf  [-AcdimnqSvxX]  [-s seed|-s start:stop] [-r ratio|-r min:max] [-f
       fuzzing] [-D delay] [-j jobs] [-C crashes] [-B bytes] [-t seconds]  [-T
       seconds]  [-U  seconds]  [-M mebibytes] [-b ranges] [-p ports] [-P pro-
       tect] [-R refuse] [-a list] [-l list] [-I include] [-E exclude] [-O op-
       mode] [PROGRAM [ARGS]...]
       zzuf -h | --help
       zzuf -V | --version

DESCRIPTION
       zzuf  is a transparent application input fuzzer. It works by intercept-
       ing file and network operations and changing random bits  in  the  pro-
       gram's input.  zzuf's behaviour is deterministic, making it easy to re-
       produce bugs.

USAGE
       zzuf will run an application specified on its command line, one or sev-
       eral  times, with optional arguments, and will report the application's
       relevant behaviour on the standard error channel, eg:

           zzuf cat /dev/zero

       Flags found after the application name are considered arguments for the
       application,  not  for  zzuf. For instance, -v below is an argument for
       cat:

           zzuf -B 1000 cat -v /dev/zero

       When no program is specified, zzuf simply fuzzes the standard input, as
       if the cat utility had been called:

           zzuf < /dev/zero

OPTIONS
   Generic program information
       -h, --help
              Display a short help message and exit.

       -V, --version
              Output version information and exit.

   Operating mode
       -f, --fuzzing=mode
              Select how the input is fuzzed. Valid values for mode are:

              xor    randomly set and unset bits

              set    only set bits

              unset  only unset bits

              The default value for mode is xor.

       -O, --opmode=mode
              Use operating mode mode. Valid values for mode are:

              preload
                     override  functions  by  preloading libzzuf into the exe-
                     cutable using the system's dynamic linker

              copy   temporarily copy files that need to be fuzzed

              The default value for mode is preload. copy is useful  on  plat-
              forms that do not support dynamic linker injection, for instance
              when fuzzing a Cocoa application on Mac OS X.

       -s, --seed=seed
       -s, --seed=start:
       -s, --seed=start:stop
              Specify the random seed to use for fuzzing, or a range of random
              seeds.   Running  zzuf twice with the same random seed will fuzz
              the files exactly the same way, even with a different target ap-
              plication.  The  purpose of this is to use simple utilities such
              as cat or cp to generate a file that causes the target  applica-
              tion to crash.

              If  a  range is specified, zzuf will run the application several
              times, each time with a different seed, and report the behaviour
              of  each run. If no 'stop' is specified after ':', zzuf will in-
              crement the seed value indefinitely.

       -r, --ratio=ratio
       -r, --ratio=min:max
              Specify the proportion of bits that will be randomly  fuzzed.  A
              value  of 0 will not fuzz anything. A value of 0.05 will fuzz 5%
              of the open files' bits. A value of 1.0 or more  will  fuzz  all
              the  bytes,  theoretically  making the input files undiscernible
              from random data. The default fuzzing ratio is 0.004 (fuzz  0.4%
              of the files' bits).

              A range can also be specified. When doing so, zzuf will pick ra-
              tio values from the interval. The choice  is  deterministic  and
              only depends on the interval bounds and the current seed.

       -A, --autoinc
              Increment  random  seed  each time a new file is opened. This is
              only required if one instance of the application is expected  to
              open  the same file several times and you want to test a differ-
              ent seed each time.

   Output
       -d, --debug
              Activate the display of debug messages. Can be specified  multi-
              ple times for increased verbosity.

       -q, --quiet
              Hide the output of the fuzzed application. This is useful if the
              application is very verbose but only its exit code  or  signaled
              status is really useful to you.

       -v, --verbose
              Print information during the run, such as the current seed, what
              processes get run, their exit status, etc.

       -m, --md5
              Instead of displaying the program's standard output, just  print
              its  MD5  digest  to  zzuf's standard output. The standard error
              channel is left untouched. See also the -X flag.

       -X, --hex
              Convert the fuzzed program's standard output to hexadecimal. The
              standard error channel is left untouched. See also the -m flag.

   Process control
       -B, --max-bytes=n
              Automatically stop after n bytes have been output.

              This  either  terminates child processes that output more than n
              bytes on the standard output and  standard  error  channels,  or
              stop reading from standard input if no program is being fuzzed.

              This  is useful to detect infinite loops. See also the -U and -T
              flags.

       -C, --max-crashes=n
              Stop forking when at least n children have crashed. The  default
              value  is  1,  meaning  zzuf  will stop as soon as one child has
              crashed. A value of 0 tells zzuf to never stop.

              Note that zzuf will not kill any remaining children  once  n  is
              reached.  To  ensure that processes do not last forever, see the
              -U flag.

              A process is considered to have crashed if any signal (such  as,
              but  not  limited to, SIGSEGV) caused it to exit. If the -x flag
              is used, this will also include processes that exit with a  non-
              zero status.

              This option is only relevant if the -s flag is used with a range
              argument. See also the -t flag.

       -D, --delay=delay
              Do not launch more than one process every  delay  seconds.  This
              option should be used together with -j to avoid fork bombs.

       -j, --jobs=jobs
              Specify  the number of simultaneous children that can be run. By
              default, zzuf only launches one process at a time.

              This option is only relevant if the -s flag is used with a range
              argument. See also the -D flag.

       -M, --max-memory=mebibytes
              Specify  the  maximum  amount  of  memory, in mebibytes (1 MiB =
              1,048,576 bytes), that children are allowed to allocate. This is
              useful to detect infinite loops that eat up a lot of memory.

              The  value  should  be set reasonably high so as not to interfer
              with normal program operation. By default, it is set to 1024 MiB
              in  order to avoid accidental excessive swapping. To disable the
              limitation, set the maximum memory usage to -1 instead.

              zzuf uses the setrlimit() call to set memory  usage  limitations
              and  relies  on  the  operating system's ability to enforce such
              limitations.

       -S, --signal
              Prevent children from installing  signal  handlers  for  signals
              that usually cause coredumps. These signals are SIGABRT, SIGFPE,
              SIGILL, SIGQUIT, SIGSEGV, SIGTRAP and, if available on the  run-
              ning  platform, SIGSYS, SIGEMT, SIGBUS, SIGXCPU and SIGXFSZ. In-
              stead of calling the signal handler, the application will simply
              crash. If you do not want core dumps, you should set appropriate
              limits with the limit coredumpsize  command.  See  your  shell's
              documentation on how to set such limits.

       -t, --max-time=n
              Stop  forking  after  n seconds. By default, zzuf runs until the
              end of the seed range is reached.

              Note that zzuf will not kill any remaining children  once  n  is
              reached.  To  ensure that processes do not last forever, see the
              -U flag.

              This option is only relevant if the -s flag is used with a range
              argument. See also the -C flag.

       -T, --max-cputime=n
              Automatically  terminate  child  processes  that use more than n
              seconds of CPU time.

              zzuf uses the setrlimit() call to set CPU usage limitations  and
              relies on the operating system's ability to enforce such limita-
              tions. If the system sends SIGXCPU signals and  the  application
              catches  that  signal,  it will receive a SIGKILL signal after 5
              seconds.

              This is more accurate than -U because the  behaviour  should  be
              independent  from  the  system load, but it does not detect pro-
              cesses stuck into infinite select() calls because they use  very
              little CPU time. See also the -B and -U flags.

       -U, --max-usertime=n
              Automatically terminate child processes that run for more than n
              seconds. This is useful to detect infinite  loops  or  processes
              stuck in other situations. See also the -B and -T flags.

       -x, --check-exit
              Report  processes  that  exit with a non-zero status. By default
              only processes that crash due to a signal are reported.

   Filtering
       -a, --allow=list
              Only fuzz network input for IPs in list, a comma-separated  list
              of  IP addresses. If the list starts with !, the flag meaning is
              reversed and all addresses are fuzzed except  the  ones  in  the
              list.

              As of now, this flag only understands INET (IPv4) addresses.

              This option requires network fuzzing to be activated using -n.

       -b, --bytes=ranges
              Restrict  fuzzing  to bytes whose offsets in the file are within
              ranges.

              Range values start at zero and are inclusive. Use dashes between
              range  values  and commas between ranges. If the right-hand part
              of a range is ommited, it means end of file.  For  instance,  to
              restrict  fuzzing to bytes 0, 3, 4, 5 and all bytes after offset
              31, use '-b0,3-5,31-'.

              This option is useful to preserve file headers or corrupt only a
              specific portion of a file.

       -c, --cmdline
              Only  fuzz  files whose name is specified in the target applica-
              tion's command line. This is mostly a shortcut to avoid specify-
              ing the argument twice:

                  zzuf -c cat file.txt

              has the same effect as

                  zzuf -I '^file\.txt$' cat file.txt

              See  the  -I flag for more information on restricting fuzzing to
              specific files.

       -E, --exclude=regex
              Do not fuzz files whose name matches the regex  regular  expres-
              sion.  This  option supersedes anything that is specified by the
              -I flag. Use this for instance if you are unsure of  what  files
              your  application  is  going  to read and do not want it to fuzz
              files in the /etc directory.

              Multiple -E flags can be specified, in which case files matching
              any one of the regular expressions will be ignored.

       -i, --stdin
              Fuzz  the  application's  standard  input.  By default zzuf only
              fuzzes files.

       -I, --include=regex
              Only fuzz files whose name matches the regex regular expression.
              Use  this  for  instance if your application reads configuration
              files at startup and you only want specific files to be fuzzed.

              Multiple -I flags can be specified, in which case files matching
              any  one of the regular expressions will be fuzzed. See also the
              -c flag.

       -l, --list=list
              Cherry-pick the list of file descriptors that  get  fuzzed.  The
              Nth descriptor will really be fuzzed only if N is in list.

              Values  start  at 1 and ranges are inclusive. Use dashes between
              values and commas between ranges. If the right-hand  part  of  a
              range  is ommited, it means all subsequent file descriptors. For
              instance, to restrict fuzzing to the first opened descriptor and
              all descriptors starting from the 10th, use '-l1,10-'.

              Note  that  this option only affects file descriptors that would
              otherwise be fuzzed.  Even  if  10  write-only  descriptors  are
              opened at the beginning of the program, only the next descriptor
              with a read flag will be the first  one  considered  by  the  -l
              flag.

       -P, --protect=list
              Protect  a  list  of  characters so that if they appear in input
              data that would normally be fuzzed, they are left unmodified in-
              stead.

              Characters  in  list can be expressed verbatim or through escape
              sequences.  The sequences interpreted by zzuf are:

              \n     new line

              \r     return

              \t     tabulation

              \NNN   the byte whose octal value is NNN

              \xNN   the byte whose hexadecimal value is NN

              \\     backslash ('\')

              You can use '-' to specify ranges. For instance, to protect  all
              bytes from '\001' to '/', use '-P '\001-/''.

              The statistical outcome of this option should not be overlooked:
              if characters are protected, the effect of the  '-r'  flag  will
              vary depending on the data being fuzzed. For instance, asking to
              fuzz 1% of input bits (-r0.01) and to protect lowercase  charac-
              ters  (-P a-z) will result in an actual average fuzzing ratio of
              0.9% with truly random data, 0.3% with  random  ASCII  data  and
              0.2% with standard English text.

              See also the -R flag.

       -R, --refuse=list
              Refuse a list of characters by not fuzzing bytes that would oth-
              erwise be changed to a character that is in list. This does  not
              prevent  characters from appearing in the output if the original
              byte was already in list.

              See the -P option for a description of list.

   Network
       -n, --network
              Fuzz the application's  network  input.  By  default  zzuf  only
              fuzzes files.

              Only  INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other
              protocol families are not yet supported.

       -p, --ports=ranges
              Only fuzz network ports that are  in  ranges.  By  default  zzuf
              fuzzes  all  ports. The port considered is the listening port if
              the socket is listening and the destination port if  the  socket
              is  connecting,  because most of the time the source port cannot
              be predicted.

              Range values start at zero and are inclusive. Use dashes between
              range  values  and commas between ranges. If the right-hand part
              of a range is ommited, it means end of file.  For  instance,  to
              restrict fuzzing to the HTTP and HTTPS ports and to all unprivi-
              leged ports, use '-p80,443,1024-'.

              This option requires network fuzzing to be activated using -n.

DIAGNOSTICS
       Exit status is zero if no child process  crashed.  If  one  or  several
       children crashed, zzuf exits with status 1.

EXAMPLES
       Fuzz the input of the cat program using default settings:

           zzuf cat /etc/motd

       Fuzz 1% of the input bits of the cat program using seed 94324:

           zzuf -s94324 -r0.01 cat /etc/motd

       Fuzz  the  input  of the cat program but do not fuzz newline characters
       and prevent non-ASCII characters from appearing in the output:

           zzuf -P '\n' -R '\x00-\x1f\x7f-\xff' cat /etc/motd

       Fuzz the input of the convert program, using file foo.jpeg as the orig-
       inal  input and excluding .xml files from fuzzing (because convert will
       also open its own XML configuration files and we do not  want  zzuf  to
       fuzz them):

           zzuf -E '\.xml$' convert foo.jpeg -format tga /dev/null

       Fuzz  the  input of VLC, using file movie.avi as the original input and
       restricting fuzzing to filenames that appear on the command line  (-c),
       then  generate  fuzzy-movie.avi which is a file that can be read by VLC
       to reproduce the same behaviour without using zzuf:

           zzuf -c -s87423 -r0.01 vlc movie.avi
           zzuf -c -s87423 -r0.01 <movie.avi >fuzzy-movie.avi
           vlc fuzzy-movie.avi

       Fuzz between 0.1% and 2% of MPlayer's input  bits  (-r0.001:0.02)  with
       seeds  0  to  9999 (-s0:10000), preserving the AVI 4-byte header by re-
       stricting fuzzing to offsets after 4  (-b4-),  disabling  its  standard
       output messages (-q), launching up to five simultaneous child processes
       (-j5) but waiting at least half  a  second  between  launches  (-D0.5),
       killing  MPlayer  if  it  takes  more  than one minute to read the file
       (-T60) and disabling its SIGSEGV signal handler (-S):

           zzuf -c -r0.001:0.02 -s0:10000 -b4- -q -j5 -D0.5 -T60 -S \
             mplayer -benchmark -vo null -fps 1000 movie.avi

       A more advanced VLC fuzzing example, stopping only at the first crash:

           zzuf -j4 -vqc -r0.000001:0.01 -s0: vlc -v -I dummy movie.avi \
              --sout '#transcode{acodec=s16l,vcodec=I420}:dummy' vlc:quit

       Create an HTML-like file that loads 200 times the same hello.jpg  image
       and open it in Firefoxtm in auto-increment mode (-A):

           seq -f '<img src="hello.jpg#%g">' 1 200 > hello.html
             (or: jot -w '<img src="hello.jpg#%d">' 200 1 > hello.html)
           zzuf -A -I 'hello[.]jpg' -r0.001 firefox hello.html

       Run  a simple HTTP redirector on the local host using socat and corrupt
       each network connection (-n) in a different way (-A) after one megabyte
       of data was received on it (-b1000000-):

            zzuf -n -A -b1000000- \
              socat TCP4-LISTEN:8080,reuseaddr,fork TCP4:192.168.1.42:80

       Browse  the  intarweb  (-n) using Firefoxtm without fuzzing local files
       (-E.) or non-HTTP connections (-p80,8010,8080), preserving  the  begin-
       ning  of  the data sent with each HTTP response (-b4000-) and using an-
       other seed on each connection (-A):

           zzuf -r 0.0001 -n -E. -p80,8010,8080 -b4000- -A firefox

RESTRICTIONS
       Due to zzuf using  shared  object  preloading  (LD_PRELOAD,  _RLD_LIST,
       DYLD_INSERT_LIBRARIES,  etc.)  to run its child processes, it will fail
       in the presence of any mechanism that disables preloading. For instance
       setuid  root  binaries  will  not be fuzzed when run as an unprivileged
       user.

       For the same reasons, zzuf will also not work  with  statically  linked
       binaries.  Bear  this  in mind when using zzuf on the OpenBSD platform,
       where cat, cp and dd are static binaries.

       Though best efforts are made, identical behaviour  for  different  ver-
       sions  of  zzuf  is  not guaranteed. The reproducibility for subsequent
       calls on different operating systems and with different target programs
       is only guaranteed when the same version of zzuf is being used.

BUGS
       zzuf probably does not behave correctly with 64-bit offsets.

       It  is not yet possible to insert or drop bytes from the input, to fuzz
       according to the file format, to swap bytes, etc. More advanced fuzzing
       methods are planned.

       As of now, zzuf does not really support multithreaded applications. The
       behaviour with multithreaded applications where more  than  one  thread
       does file descriptor operations is undefined.

HISTORY
       zzuf  started its life in 2002 as the streamfucker tool, a small multi-
       media stream corrupter used to find bugs in the VLC media player.

SEE ALSO
       libzzuf(3), zzat(1)

AUTHOR
       Copyright (C) 2002-2015 Sam Hocevar <sam@hocevar.net>.

       zzuf and this manual page are free software. They come without any war-
       ranty,  to the extent permitted by applicable law. You can redistribute
       them and/or modify them under the terms of the Do  What  the  Fuck  You
       Want  to  Public  License,  Version  2,  as published by the WTFPL Task
       Force. See http://www.wtfpl.net/ for more details.

       zzuf's webpage can be found at http://caca.zoy.org/wiki/zzuf.  An over-
       view     of    the    architecture    and    inner    works    is    at
       http://caca.zoy.org/wiki/zzuf/internals.

zzuf 0.15                         2015-01-06                           zzuf(1)

Man(1) output converted with man2html
list of all man pages