Chapter 15. Tool: Command-Line Fuzzer

Fuzzing is a technique that is used to identify possible vulnerabilities in executables, protocols, and systems. Fuzzing is particularly useful in identifying applications that have poor user-input validation which could result in a vulnerability such as a buffer overflow. Bash is ideal for fuzzing command-line programs that accept arguments, because running programs in the shell is the exact purpose of bash.

In this chapter, we create the tool fuzzer.sh, which fuzzes the command-line arguments of an executable. In other words, it will run a given executable over and over again, each time increasing the length of one of the arguments by one character. Here are the requirements:

• The argument that is to be fuzzed will be identified using a question mark (?).

• The fuzzed argument will begin with a single character, and each time the target program is executed, one additional character will be added.

• The fuzzer will stop after the argument length is 10,000 characters.

• If the program crashes, the fuzzer will output the exact command that caused the crash, and any output from the program, including errors.

For example, if you want to use fuzzer.sh to fuzz the second argument of fuzzme.exe, you would do so as follows:

./fuzzer.sh fuzzme.exe arg1 ?

The argument you want to fuzz is designated by the question mark (?). Fuzzer.sh will execute the fuzzme.exe program over and over, adding another character to the second argument each time. Done ...