JRSFuzz Logo

Download JRSFuzz-0.2.7 [sig]
Git repository: git clone https://www.altsci.com/repo/jrsfuzz.git
| jvoss@altsci.com


HTTP Fuzzer: http_jrsfuzz1.py
SMTP Fuzzer: smtp_jrsfuzz1.py
DNS Fuzzer: dns_jrsfuzz1.py
HTTPS Fuzzer: https_jrsfuzz1.py
PDF Fuzzer: pdf_jrsfuzz1.py


JRSFuzz is a ridiculously simple dumb fuzzer. It aims for coverage in TLV and single-byte token grammars. It obviously cannot attempt to fuzz word-based grammars without heavy modification. If you wish to add JRSFuzz to a smart fuzzer like Peach, it should take very little effort. Its method is bound to 256 * len(data) which means that it will finish very quickly with short data and will take linearally longer for longer data. Its method is to increment each byte separately from 0 to 255. For example, fuzzing the first line of the canonical HTTP request line would look like:

\x00ET / HTTP/1.1\r\n
\x01ET / HTTP/1.1\r\n
\x02ET / HTTP/1.1\r\n
\x03ET / HTTP/1.1\r\n
0ET / HTTP/1.1\r\n
1ET / HTTP/1.1\r\n
2ET / HTTP/1.1\r\n
3ET / HTTP/1.1\r\n
4ET / HTTP/1.1\r\n
\xfdET / HTTP/1.1\r\n
\xfeET / HTTP/1.1\r\n
\xffET / HTTP/1.1\r\n
G\x00T / HTTP/1.1\r\n
G\x01T / HTTP/1.1\r\n
G\x02T / HTTP/1.1\r\n
G\x03T / HTTP/1.1\r\n
And so on. A graphic for the same:

To write a new file format fuzzer, use pdf_jrsfuzz1.py as a base.
If you want gdb to catch crashes or first chance exceptions, see gpg_jrsfuzz1.py as a base.
To write a new HTTP-alike fuzzer, use http_jrsfuzz1.py as a base.
To write a new TLS-wrapped fuzzer, use https_jrsfuzz1.py as a base.
To write a new SMTP-alike fuzzer, use smtp_jrsfuzz1.py as a base.
To write a completely new fuzzer, use the following code:

from __future__ import print_function
import jrsfuzz
import sys

def main():
	filename = 'fuzz_input.bin'
	if len(sys.argv) > 1:
		filename = sys.argv[1]
	#end if
	# Your file
	data = open(filename, 'rb').read()
	lines_output = len(data) * 256
	print("%i outputs, %3.3f MB" % (lines_output, lines_output*len(data)/(1<<20)), file=sys.stderr)
	for i in range(lines_output):
		x = jrsfuzz.JRSFuzz(data, i)
		# Your consumer
	#next i
#end def main()

if __name__ == '__main__':
#end if


HTTP fuzzer found bugs in werkzeug:

HTTP fuzzer running smoothly:


Heap buffer overflow read in openjpeg imagetopnm [reported]

valgrind -v opj_decompress -i fuzzfile0kqh22_c.jp2 -o fuzzfile0kqh22_c.jp2.ppm
Null Dereference in tcd_malloc_decode_tile [reported]
openjpeg-1.5.2/build/bin/j2k_to_image -i ./jp2/fuzzfile8_76ff.jp2 -o ./jp2/fuzzfile8_76ff.jp2.test.ppm

Frequently Asked Questions

AltSci Concepts

Computer Journal