Awesome-Fuzzing/README.md
Mohammed A Imran c0ba09bbb1
Merge pull request #85 from Kharos102/patch-1
Update README.md
2023-07-03 18:10:57 +08:00

25 KiB
Raw Blame History

Welcome to Awesome Fuzzing Awesome

A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.

Contents

Awesome Fuzzing Resources

Books

Books on fuzzing

Note: Chapter(s) in the following books are dedicated to fuzzing.

Courses

Courses/Training videos on fuzzing

Free

NYU Poly ( see videos for more ) - Made available freely by Dan Guido.

Samclass.info ( check projects section and chapter 17 ) - by Sam.

Modern Binary Exploitation ( RPISEC ) - Chapter 15 - by RPISEC.

Offensive Computer Security - Week 6 - by W. Owen Redwood and Prof. Xiuwen Liu.

Paid

Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE )

SANS 660/760 Advanced Exploit Development for Penetration Testers

Exodus Intelligence - Vulnerability development master class

Ada Logics - Applied Source Code Fuzzing

FuzzingLabs Academy (C/C++, Rust, Go fuzzing)

Signal Labs - Vulnerability Research & Fuzzing

Videos

Videos talking about fuzzing techniques, tools and best practices

NYU Poly Course videos

Fuzzing 101 (Part 1) - by Mike Zusman.

Fuzzing 101 (Part 2) - by Mike Zusman.

Fuzzing 101 (2009) - by Mike Zusman.

Fuzzing - Software Security Course on Coursera - by University of Maryland.

Conference talks and tutorials

Attacking Antivirus Software's Kernel Driver

Fuzzing the Windows Kernel - OffensiveCon 2020

Youtube Playlist of various fuzzing talks and presentations - Lots of good content in these videos.

Browser bug hunting - Memoirs of a last man standing - by Atte Kettunen

Coverage-based Greybox Fuzzing as Markov Chain

DerbyCon 2016: Fuzzing basics...or how to break software

Fuzz Theory - by Brandon Falk

Tutorials and Blogs

Tutorials and blogs which explain methodology, techniques and best practices of fuzzing

ARMored CoreSight: Towards Efficient Binary-only Fuzzing

Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology

Fuzzing Closed Source PDF Viewers

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory

Fuzzing Image Parsing in Windows, Part Three: RAW and HEIF

Fuzzing the Office Ecosystem

Effective File Format Fuzzing - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London

A year of Windows kernel font fuzzing Part-1 the results - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.

A year of Windows kernel font fuzzing Part-2 the techniques - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.

Interesting bugs and resources at fuzzing project - by fuzzing-project.org.

Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.

A gentle introduction to fuzzing C++ code with AFL and libFuzzer - by Jeff Trull.

A 15 minute introduction to fuzzing - by folks at MWR Security.

Note: Folks at fuzzing.info has done a great job of collecting some awesome links, I'm not going to duplicate their work. I will add papers missed by them and from 2015 and 2016. Fuzzing Papers - by fuzzing.info

Fuzzing Blogs and Books - by fuzzing.info

Root Cause Analysis of the Crash during Fuzzing - by Corelan Team.

Root cause analysis of integer flow - by Corelan Team.

Creating custom peach fuzzer publishers - by Open Security Research

7 Things to Consider Before Fuzzing a Large Open Source Project - by Emily Ratliff.

From Fuzzing to Exploit:

From fuzzing to 0-day - by Harold Rodriguez(@superkojiman).

From crash to exploit - by Corelan Team.

Peach Fuzzer Introductionh

Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team

Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team.

Auto generation of Peach pit files/fuzzers - by Frédéric Guihéry, Georges Bossert.

Creating a fuzzing harness for FoxitReader 9.7 ConvertToPDF Function

50 CVEs in 50 Days: Fuzzing Adobe Reader

Fuzzing sockets, part 1: FTP servers

Fuzzing software: common challenges and potential solutions (Part 1)

Fuzzing software: advanced tricks (Part 2)

Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.

Fuzzing capstone using AFL persistent mode - by @toasted_flakes

RAM disks and saving your SSD from AFL Fuzzing

Bug Hunting with American Fuzzy Lop

Advanced usage of American Fuzzy Lop with real world examples

Segfaulting Python with afl-fuzz

Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )

The Importance of Fuzzing...Emulators?

How Heartbleed could've been found

Filesystem Fuzzing with American Fuzzy lop

Fuzzing Perl/XS modules with AFL

How to fuzz a server with American Fuzzy Lop - by Jonathan Foote

Fuzzing with AFL Workshop - a set of challenges on real vulnerabilities

Fuzzing 101 - PHDays

libFuzzer Tutorial

Hunting for bugs in VirtualBox (First Take)

libFuzzer Workshop: "Modern fuzzing of C/C++ Projects"

Fuzzing ImageIO

Double-Free RCE in VLC. A honggfuzz how-to

Fuzzing with Spike to find overflows

Fuzzing with Spike - by samclass.info

Fuzzing with FOE - by Samclass.info

SMT/SAT solver tutorials

Z3 - A guide - Getting Started with Z3: A Guide

Building a Feedback Fuzzer (for educational purposes)

Building A Feedback Fuzzer - by @fady_othman

Tools

Tools which helps in fuzzing applications

Cloud Fuzzers

Fuzzers which help fuzzing in cloud environments.

Cloudfuzzer - Cloud fuzzing framework which makes it possible to easily run automated fuzz-testing in cloud environments.

ClusterFuzzer - ClusterFuzzer, scalable open source fuzzing infrastructure. It is used by Google for fuzzing Chrome Browser.

Fuzzit - Fuzzit, Continuous fuzzing as a service platform. Free for open source. used by various open-source projects (systemd, radare2) and close-source projects. To join oss program drop a line at oss@fuzzit.dev

File Format Fuzzers

Fuzzers which helps in fuzzing file formats like pdf, mp3, swf etc.,

Jackalope

Rehepapp

Newer version of Rehepapp

pe-afl combines static binary instrumentation on PE binary and WinAFL

MiniFuzz - Wayback Machine link - Basic file format fuzzing tool by Microsoft. (No longer available on Microsoft website).

BFF from CERT - Basic Fuzzing Framework for file formats.

AFL Fuzzer (Linux only) - American Fuzzy Lop Fuzzer by Michal Zalewski aka lcamtuf

Win AFL - A fork of AFL for fuzzing Windows binaries

Shellphish Fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality.

TriforceAFL - A modified version of AFL that supports fuzzing for applications whose source code not available.

AFLGo - Directed Greybox Fuzzing with AFL, to fuzz targeted locations of a program.

Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.

MozPeach - A fork of peach 2.7 by Mozilla Security.

Failure Observation Engine (FOE) - mutational file-based fuzz testing tool for windows applications.

rmadair - mutation based file fuzzer that uses PyDBG to monitor for signals of interest.

honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, Mac OSX and Android.

zzuf - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input.

radamsa - A general purpose fuzzer and test case generator.

binspector - A binary format analysis and fuzzing tool

grammarinator - Fuzzing tool for file formats based on ANTLR v4 grammars (lots of grammars already available from the ANTLR project).

Network Protocol Fuzzers

Fuzzers which helps in fuzzing applications which use network based protocals like HTTP, SSH, SMTP etc.,

Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.

Sulley - A fuzzer development and fuzz testing framework consisting of multiple extensible components by Pedram Amini.

boofuzz - A fork and successor of Sulley framework.

Spike - A fuzzer development framework like sulley, a predecessor of sulley.

Metasploit Framework - A framework which contains some fuzzing capabilities via Auxiliary modules.

Nightmare - A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.

rage_fuzzer - A dumb protocol-unaware packet fuzzer/replayer.

Fuzzotron - A simple network fuzzer supporting TCP, UDP and multithreading.

Mutiny - The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer.

Fuzzing For Worms - A fuzzing framework for network servers.

AFL (w/ networking patch) - An unofficial american fuzzy lop capable of network fuzzing.

AFLNet - A Greybox Fuzzer for Network Protocols (an extention of AFL).

Pulsar - Protocol Learning, Simulation and Stateful Fuzzer.

Browser Fuzzing

BFuzz - An input based, browser fuzzing framework.

Misc

Other notable fuzzers like Kernel Fuzzers, general purpose fuzzer etc.,

Choronzon - An evolutionary knowledge-based fuzzer

QuickFuzz - A tool written in Haskell designed for testing un-expected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well known fuzzers.

gramfuzz - A grammar-based fuzzer that lets one define complex grammars to model text and binary data formats

KernelFuzzer - Cross Platform Kernel Fuzzer Framework.

honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options.

Hodor Fuzzer - Yet Another general purpose fuzzer.

libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.

syzkaller - Distributed, unsupervised, coverage-guided Linux syscall fuzzer.

ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.

Tribble - Easy-to-use, coverage-guided JVM fuzzing framework.

go-fuzz - Coverage-guided testing of go packages.

FExM - Automated Large-Scale Fuzzing Framework

Jazzer - A coverage-guided, in-process fuzzer for the Java Virtual Machine based on libFuzzer.

fast-check - A fuzzer tool written in TypeScript and designed to run un-expected inputs against JavaScript code.

Taint Analysis

How user input affects the execution

PANDA ( Platform for Architecture-Neutral Dynamic Analysis )

QIRA (QEMU Interactive Runtime Analyser)

kfetch-toolkit - Tool to perform advanced logging of memory references performed by operating systems kernels

moflow - A software security framework containing tools for vulnerability, discovery, and triage.

Symbolic Execution SAT and SMT Solvers

Z3 - A theorem prover from Microsoft Research.

SMT-LIB - An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT)

Symbolic execution with KLEE: From installation and introduction to bug-finding in open source software - A set of four instructional videos introducing KLEE, starting with how to get started with KLEE and ending with a demo that finds memory corruption bugs in real code.

References

I haven't included some of the legends like AxMan, please refer the following link for more information. https://www.ee.oulu.fi/research/ouspg/Fuzzers

Essential Tools

Tools of the trade for exploit developers, reverse engineers

Debuggers

Windbg - The preferred debugger by exploit writers.

Immunity Debugger - Immunity Debugger by Immunity Sec.

OllyDbg - The debugger of choice by reverse engineers and exploit writers alike.

Mona.py ( Plugin for windbg and Immunity dbg ) - Awesome tools that makes life easy for exploit developers.

x64dbg - An open-source x64/x32 debugger for windows.

Evan's Debugger (EDB) - Front end for gdb.

GDB - Gnu Debugger - The favorite linux debugger.

PEDA - Python Exploit Development Assistance for GDB.

Radare2 - Framework for reverse-engineering and analyzing binaries.

Disassemblers and some more

Dissemblers, disassembly frameworks etc.,

IDA Pro - The best disassembler

binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.

Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Others

ltrace - Intercepts library calls

strace - Intercepts system calls

Vulnerable Applications

Exploit-DB - https://www.exploit-db.com (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice)

PacketStorm - https://packetstormsecurity.com/files/tags/exploit/

Fuzzgoat - Vulnerable C program for testing fuzzers.

vulnserver - A vulnerable server for testing fuzzers.

Samples files for seeding during fuzzing:

https://files.fuzzing-project.org/

PDF Test Corpus from Mozilla

MS Office file format documentation

Fuzzer Test Suite - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others.

Fuzzing Corpus - A corpus, including various file formats for fuzzing multiple targets in the fuzzing literature.

Anti Fuzzing

Introduction to Anti-Fuzzing: A Defence In-Depth Aid

Fuzzification: Anti-Fuzzing Techniques

AntiFuzz: Impeding Fuzzing Audits of Binary Executables

Directed Fuzzing

Awesome Directed Fuzzing: A curated list of awesome directed fuzzing research papers.

Contributing

Please refer the guidelines at contributing.md for details.

Thanks to the following folks who made contributions to this project.