17 KiB
Welcome to Awesome Fuzzing
A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
Table of Contents
Awesome Fuzzing Resources
Books
Books on fuzzing
-
Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini.
-
Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Charles Miller, and Jared D Demott.
-
Open Source Fuzzing Tools by by Gadi Evron and Noam Rathaus.
-
Gray Hat Python by Justin Seitz.
Note: Chapter(s) in the following books are dedicated to fuzzing.
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes ( Chapter 15 ) by Chris Anley, Dave Aitel, David Litchfield and others.
- iOS Hacker's Handbook - Chapter 1 Charles Miller, Dino DaiZovi, Dion Blazakis, Ralf-Philip Weinmann, and Stefan Esser.
Courses
Courses/Training videos on fuzzing
Free
NYU Poly ( see videos for more ) - Made available freely by Dan Guido.
Samclass.info ( check projects section and chapter 17 ) - by Sam.
Modern Binary Exploitation ( RPISEC ) - Chapter 15 - by RPISEC.
Offensive Computer Security - Week 6 - by W. Owen Redwood and Prof. Xiuwen Liu.
Paid
Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE )
SANS 660/760 Advanced Exploit Development for Penetration Testers
Exodus Intelligence - Vulnerability development master class
Videos
Videos talking about fuzzing techniques, tools and best practices
NYU Poly Course videos
Fuzzing 101 (Part 1) - by Mike Zusman.
Fuzzing 101 (Part 2) - by Mike Zusman.
Fuzzing 101 (2009) - by Mike Zusman.
Fuzzing - Software Security Course on Coursera - by University of Maryland.
Conference talks and tutorials
Youtube Playlist of various fuzzing talks and presentations - Lots of good content in these videos.
Browser bug hunting - Memoirs of a last man standing - by Atte Kettunen
Coverage-based Greybox Fuzzing as Markov Chain
Tutorials and Blogs
Tutorials and blogs which explain methodology, techniques and best practices of fuzzing
[2016 articles]
Effective File Format Fuzzing - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London
A year of Windows kernel font fuzzing Part-1 the results - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.
A year of Windows kernel font fuzzing Part-2 the techniques - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.
Interesting bugs and resources at fuzzing project - by fuzzing-project.org.
Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.
A gentle introduction to fuzzing C++ code with AFL and libFuzzer - by Jeff Trull.
A 15 minute introduction to fuzzing - by folks at MWR Security.
Note: Folks at fuzzing.info has done a great job of collecting some awesome links, I'm not going to duplicate their work. I will add papers missed by them and from 2015 and 2016. Fuzzing Papers - by fuzzing.info
Fuzzing Blogs - by fuzzing.info
Root Cause Analysis of the Crash during Fuzzing - by Corelan Team. Root cause analysis of integer flow - by Corelan Team.
Creating custom peach fuzzer publishers - by Open Security Research
7 Things to Consider Before Fuzzing a Large Open Source Project - by Emily Ratliff.
From Fuzzing to Exploit:
From fuzzing to 0-day - by Harold Rodriguez(@superkojiman).
From crash to exploit - by Corelan Team.
Peach Fuzzer related tutorials
Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team
Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team.
Auto generation of Peach pit files/fuzzers - by Frédéric Guihéry, Georges Bossert.
AFL Fuzzer related tutorials
Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.
Fuzzing capstone using AFL persistent mode - by @toasted_flakes
RAM disks and saving your SSD from AFL Fuzzing
Bug Hunting with American Fuzzy Lop
Advanced usage of American Fuzzy Lop with real world examples
Segfaulting Python with afl-fuzz
Fuzzing Perl: A Tale of Two American Fuzzy Lops
Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )
The Importance of Fuzzing...Emulators?
How Heartbleed could've been found
Filesystem Fuzzing with American Fuzzy lop
libFuzzer Fuzzer related tutorials
libFuzzer Workshop: "Modern fuzzing of C/C++ Projects"
Spike Fuzzer related tutorials
Fuzzing with Spike to find overflows
Fuzzing with Spike - by samclass.info
FOE Fuzzer related tutorials
Fuzzing with FOE - by Samclass.info
SMT/SAT solver tutorials
Z3 - A guide - Getting Started with Z3: A Guide
Tools
Tools which helps in fuzzing applications
File Format Fuzzers
Fuzzers which helps in fuzzing file formats like pdf, mp3, swf etc.,
MiniFuzz - Basic file format fuzzing tool by Microsoft.
BFF from CERT - Basic Fuzzing Framework for file formats.
AFL Fuzzer (Linux only) - American Fuzzy Loop Fuzzer by Michal Zalewski aka lcamtuf
Win AFL - A fork of AFL for fuzzing Windows binaries by Ivan Fratic
Shellphish Fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality.
TriforceAFL - A modified version of AFL that supports fuzzing for applications whose source code not available.
Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
MozPeach - A fork of peach 2.7 by Mozilla Security.
Failure Observation Engine (FOE) - mutational file-based fuzz testing tool for windows applications.
rmadair - mutation based file fuzzer that uses PyDBG to monitor for signals of interest.
honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, Mac OSX and Android.
zzuf - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input.
radamsa - A general purpose fuzzer and test case generator.
Network Protocol Fuzzers
Fuzzers which helps in fuzzing applications which use network based protocals like HTTP, SSH, SMTP etc.,
Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
Sulley - A fuzzer development and fuzz testing framework consisting of multiple extensible components by Michael Sutton.
boofuzz - A fork and successor of Sulley framework.
Spike - A fuzzer development framework like sulley, a predecessor of sulley.
Metasploit Framework - A framework which contains some fuzzing capabilities via Auxiliary modules.
Nightmare - A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.
rage_fuzzer - A dumb protocol-unaware packet fuzzer/replayer.
Misc
Other notable fuzzers like Kernel Fuzzers, general purpose fuzzer etc.,
KernelFuzzer - Cross Platform Kernel Fuzzer Framework.
honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options.
Hodor Fuzzer - Yet Another general purpose fuzzer.
libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
syzkaller - Distributed, unsupervised, coverage-guided Linux syscall fuzzer.
ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
Taint Analysis
How user input affects the execution
PANDA ( Platform for Architecture-Neutral Dynamic Analysis )
QIRA (QEMU Interactive Runtime Analyser)
Symbolic Execution SAT and SMT Solvers
References
I haven't included some of the legends like AxMan, please refer the following link for more information. https://www.ee.oulu.fi/research/ouspg/Fuzzers
Essential Tools
Tools of the trade for exploit developers, reverse engineers
Debuggers
Windbg - The preferred debugger by exploit writers.
Immunity Debugger - Immunity Debugger by Immunity Sec.
OllyDbg - The debugger of choice by reverse engineers and exploit writers alike.
Mona.py ( Plugin for windbg and Immunity dbg ) - Awesome tools that makes life easy for exploit developers.
x64dbg - An open-source x64/x32 debugger for windows.
Evan's Debugger (EDB) - Front end for gdb.
GDB - Gnu Debugger - The favorite linux debugger.
PEDA - Python Exploit Development Assistance for GDB.
Radare2 - Framework for reverse-engineering and analyzing binaries.
Disassemblers and some more
Dissemblers, disassembly frameworks etc.,
IDA Pro - The best disassembler
binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.
Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
Others
ltrace - Intercepts library calls
strace - Intercepts system calls
Vulnerable Applications
Exploit-DB - https://www.exploit-db.com (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice)
PacketStorm - https://packetstormsecurity.com/files/tags/exploit/
Fuzzgoat - Vulnerable C program for testing fuzzers.
Samples files for seeding during fuzzing:
https://files.fuzzing-project.org/
MS Office file format documentation
Fuzzer Test Suite - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others.
Anti Fuzzing
Introduction to Anti-Fuzzing: A Defence In-Depth Aid
Contributing
Please refer the guidelines at contributing.md for details.
Thanks to the following folks who made contributions to this project.