Fuzzing and Finding Vulnerabilities With WinAFL/AFL

This document provides information about a workshop on fuzzing and finding vulnerabilities with WinAFL/AFL. The workshop will last 3+ hours and cover different types of vulnerabilities, fuzzing techniques on Windows and Linux, debugging crashes, and hands-on exercises fuzzing real-world programs using AFL and WinAFL. Recommended setup instructions are provided for Linux and Windows virtual machines.
Uploaded by Gyfff


Fuzzing and finding vulnerabilities with WinAFL/AFL

Many people are interested in finding vulnerabilities but don't know where to start. This workshop is
aimed at solving that problem. First, we will cover different types of vulnerabilities such as
buffer overflow, heap overflow, integer overflow and use-after-free. We will then discuss what
fuzzing is and how it is used to find such vulnerabilities, and we will cover different types of fuzzers on
the Windows and Linux operating systems. We will also cover how to write a simple harness program
that we can fuzz to find both Windows-based and Linux-based vulnerabilities. Finally, we will
cover some real-life examples that we have reported to various vendors and that resulted in
several CVEs.
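To make the idea of a "harness program" concrete, here is an added example of a minimal file-input harness of the kind AFL (via `@@`) and WinAFL drive. It is not the workshop's imgread.c or any of its compiled binaries; the "IMG1" format, the function names `parse_image` and `fuzz_target`, and the size limits are constructed for illustration. Every length taken from the input is checked against the real buffer size before it is used for allocation or copying, so malformed inputs are rejected with an error code rather than crashing.

```c
/* Added example: a minimal AFL/WinAFL-style file-input harness.
 * This is NOT the workshop's imgread.c; the "IMG1" format below is
 * constructed for illustration:
 *   bytes 0-3  magic "IMG1"
 *   bytes 4-5  width  (little-endian u16)
 *   bytes 6-7  height (little-endian u16)
 *   bytes 8-   width*height pixel bytes
 * Build and fuzz on Linux with:  afl-gcc harness.c -o harness
 *                                 afl-fuzz -i in -o out -- ./harness @@
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIM    4096u        /* reject absurd dimensions early */
#define MAX_PIXELS (1u << 20)   /* cap the allocation at 1 MiB */

typedef struct {
    uint16_t width, height;
    unsigned char *pixels;      /* malloc'd, width*height bytes */
} image_t;

/* Parse an in-memory buffer. Returns 0 on success, a negative code on any
 * malformed input. Each length derived from the file is validated against
 * the actual buffer size before it drives an allocation or a copy. */
int parse_image(const unsigned char *buf, size_t len, image_t *out)
{
    if (len < 8)                      return -1;   /* header truncated */
    if (memcmp(buf, "IMG1", 4) != 0)  return -2;   /* bad magic */
    uint16_t w = (uint16_t)(buf[4] | (buf[5] << 8));
    uint16_t h = (uint16_t)(buf[6] | (buf[7] << 8));
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
                                      return -3;   /* dimension out of range */
    size_t npix = (size_t)w * (size_t)h;           /* widen before multiplying */
    if (npix > MAX_PIXELS)            return -4;   /* allocation too large */
    if (len - 8 < npix)               return -5;   /* pixel data truncated */
    out->pixels = malloc(npix);
    if (out->pixels == NULL)          return -6;
    memcpy(out->pixels, buf + 8, npix);
    out->width  = w;
    out->height = h;
    return 0;
}

/* Read a whole file into memory; returns 0 on success, -1 on failure. */
static int read_file(const char *path, unsigned char **buf_out, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    unsigned char *buf = NULL;
    size_t len = 0, cap = 0, n;
    unsigned char chunk[4096];
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (len + n > cap) {
            cap = (cap == 0) ? sizeof chunk : cap * 2;
            unsigned char *tmp = realloc(buf, cap);
            if (tmp == NULL) { free(buf); fclose(f); return -1; }
            buf = tmp;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    *buf_out = buf;   /* NULL for an empty file; parse_image rejects len < 8 */
    *len_out = len;
    return 0;
}

/* The function a fuzzer drives: one input file per call. AFL passes the
 * path via @@; WinAFL can be pointed at this function by name
 * (-target_method fuzz_target) because it takes the path as its argument. */
int fuzz_target(const char *path)
{
    unsigned char *buf;
    size_t len;
    if (read_file(path, &buf, &len) != 0) return -100;
    image_t img = { 0, 0, NULL };
    int rc = parse_image(buf, len, &img);
    free(img.pixels);
    free(buf);
    return rc;
}

/* Constructed samples used to self-check the parser's rejection paths. */
static int run_sample(const unsigned char *buf, size_t len)
{
    image_t img = { 0, 0, NULL };
    int rc = parse_image(buf, len, &img);
    free(img.pixels);
    return rc;
}
int check_valid(void)     { static const unsigned char s[] = {'I','M','G','1', 2,0, 2,0, 9,9,9,9}; return run_sample(s, sizeof s); }
int check_truncated(void) { static const unsigned char s[] = {'I','M','G','1', 4,0, 4,0, 1,2,3};   return run_sample(s, sizeof s); }
int check_huge_dims(void) { static const unsigned char s[] = {'I','M','G','1', 0xFF,0xFF, 0xFF,0xFF}; return run_sample(s, sizeof s); }
int check_too_big(void)   { static const unsigned char s[] = {'I','M','G','1', 0x00,0x10, 0x00,0x10}; return run_sample(s, sizeof s); } /* 4096x4096 */
int check_bad_magic(void) { static const unsigned char s[] = {'P','N','G','x', 1,0, 1,0, 0};       return run_sample(s, sizeof s); }

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    return fuzz_target(argv[1]) == 0 ? 0 : 1;
}
```

The design point for the workshop: a harness should take exactly one input file per run, exit quickly, and keep all error handling inside the parser, so that the only way it can terminate abnormally is an actual memory-safety bug. That is what makes a crash in the AFL output directory worth triaging rather than noise from the harness itself.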

Training Duration: 3+ hours Approx.

Key takeaways from this training:

1. Understanding of different types of vulnerabilities.
2. Understanding of different types of fuzzers and how they work on Linux and Windows.
3. Understanding of debugging, root cause analysis and crash triage on Linux and Windows systems.
4. Understanding of how to fuzz real-world programs using AFL and WinAFL.

Recommended Linux Setup

Attendees will need a Linux VM to follow the exercises and hands-on work covered during the
training. You can download Kali Linux from here: https://www.kali.org/news/kali-linux-2020-2-release/

Configuration instructions:

1. Create a folder named “Fuzzing” in your home directory.

2. Get AFL by following these steps:
   a. Open a terminal in the “Fuzzing” folder and run this command:

      git clone https://github.com/google/AFL.git

      This will clone the AFL git repository into the “Fuzzing/AFL” directory.

   b. It will look like this: [screenshot not reproduced]

   c. After that, run the following commands:

      git clone https://github.com/the-tcpdump-group/tcpdump.git
      cd tcpdump
      git clone https://github.com/the-tcpdump-group/libpcap.git
      git clone https://gitlab.com/libtiff/libtiff.git

      The commands above clone tcpdump, libpcap and libtiff, which we will be using for the hands-on
      exercises. The result will look like this: [screenshot not reproduced]

3. Copy the “AFLCrashes” folder into the “Fuzzing” folder. These are crashes from the binary
   compiled from “imgreadafl.c”. You can use them to debug crashes during the workshop and later
   for practice; this makes sure that every attendee is debugging the same crash during the workshop.

Recommended Windows Setup

Attendees need a Windows VM (preferably Windows 7) to follow the exercises and hands-on work
covered during the training.

Configuration instructions:

1. Create a folder named “Fuzzing” on your “C:\” drive.

2. Download the latest version of WinAFL from the link below, unzip it and copy it into the “C:\Fuzzing” folder:
   a. https://github.com/googleprojectzero/winafl/archive/master.zip
   b. It should look like this: [screenshot not reproduced]

3. Download DynamoRIO from the following link, unzip it and copy it into the “C:\Fuzzing” folder.
   a. https://github.com/DynamoRIO/dynamorio/releases/download/release_7.1.0/DynamoRIO-Windows-7.1.0-1.zip

      Note: DynamoRIO-Windows-7.1.0-1.zip is for Windows 7. If you have Windows 10, download the
      latest version instead:
      https://github.com/DynamoRIO/dynamorio/releases/download/release_8.0.0-1/DynamoRIO-Windows-8.0.0-1.zip

   b. It should look like this: [screenshot not reproduced]

4. Download and install the Visual Studio 2015 runtime installer from here:
   a. https://www.microsoft.com/en-in/download/details.aspx?id=48145

5. Copy “imgread.c” and “imgread_persistent.c” into the “Fuzzing” folder on both the Linux and
   Windows VMs. We will be fuzzing these files during the hands-on exercises in the workshop. In
   case of any issues with compilation, you can use the compiled binaries, which are also present in
   the “Compiled Binaries” folder.
