JRSFuzz Logo

Download JRSFuzz-0.2.7 [sig]
Git repository: git clone https://www.altsci.com/repo/jrsfuzz.git
jvoss@altsci.com

Examples

HTTP Fuzzer: http_jrsfuzz1.py
SMTP Fuzzer: smtp_jrsfuzz1.py
DNS Fuzzer: dns_jrsfuzz1.py
HTTPS Fuzzer: https_jrsfuzz1.py
PDF Fuzzer: pdf_jrsfuzz1.py

Documentation

JRSFuzz is a ridiculously simple dumb fuzzer. It aims for coverage in TLV and single-byte token grammars; it obviously cannot fuzz word-based grammars without heavy modification. If you wish to add JRSFuzz to a smart fuzzer like Peach, it should take very little effort. Its number of cases is bound to 256 * len(data), which means that it finishes very quickly with short data and takes linearly longer for longer data. Its method is to step each byte separately through the values 0 to 255, leaving every other byte untouched. For example, fuzzing the first line of the canonical HTTP request would look like:

\x00ET / HTTP/1.1\r\n
\x01ET / HTTP/1.1\r\n
\x02ET / HTTP/1.1\r\n
\x03ET / HTTP/1.1\r\n
...
0ET / HTTP/1.1\r\n
1ET / HTTP/1.1\r\n
2ET / HTTP/1.1\r\n
3ET / HTTP/1.1\r\n
4ET / HTTP/1.1\r\n
...
\xfdET / HTTP/1.1\r\n
\xfeET / HTTP/1.1\r\n
\xffET / HTTP/1.1\r\n
G\x00T / HTTP/1.1\r\n
G\x01T / HTTP/1.1\r\n
G\x02T / HTTP/1.1\r\n
G\x03T / HTTP/1.1\r\n
...
And so on. A graphic for the same: [image: JRSFuzz]

To write a new file format fuzzer, use pdf_jrsfuzz1.py as a base.
If you want gdb to catch crashes or first chance exceptions, see gpg_jrsfuzz1.py as a base.
To write a new HTTP-alike fuzzer, use http_jrsfuzz1.py as a base.
To write a new TLS-wrapped fuzzer, use https_jrsfuzz1.py as a base.
To write a new SMTP-alike fuzzer, use smtp_jrsfuzz1.py as a base.
To write a completely new fuzzer, use the following code:

from __future__ import print_function
import jrsfuzz
import sys

def consumer(x):
	# Your consumer: replace this placeholder with whatever delivers x to the
	# target (write it to a file, send it over a socket, ...)
	pass
#end def consumer()

def main():
	filename = 'fuzz_input.bin'
	if len(sys.argv) > 1:
		filename = sys.argv[1]
	#end if
	# Your file
	with open(filename, 'rb') as f:
		data = f.read()
	#end with
	lines_output = len(data) * 256
	print("%i outputs, %3.3f MB" % (lines_output, lines_output*len(data)/float(1<<20)), file=sys.stderr)
	for i in range(lines_output):
		# Fuzz case i: one byte of data changed, in the order of the listing above
		x = jrsfuzz.JRSFuzz(data, i)
		# Your consumer
		consumer(x)
	#next i
#end def main()

if __name__ == '__main__':
	main()
#end if
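
The byte-stepping scheme from the documentation and the template's index-driven loop, as an added stand-alone example (not the jrsfuzz module and not the project's own code): the mutation function, the total-output arithmetic, and a harness that records only the failing index, since that index alone regenerates the case. The function names and the strict_get_consumer stand-in target are constructed for this example.

```python
from __future__ import print_function
import sys

def jrs_mutant(data, i):
    """Case i: byte number i // 256 of data set to value i % 256; every other byte
    is untouched. The index space is exactly 256 * len(data), as documented."""
    if not 0 <= i < 256 * len(data):
        raise IndexError("fuzz index %d out of range for %d bytes" % (i, len(data)))
    pos, val = divmod(i, 256)
    return data[:pos] + bytes(bytearray([val])) + data[pos + 1:]

def jrs_cases(data):
    """Yield every case in the listing's order (position-major, value-minor)."""
    for i in range(256 * len(data)):
        yield jrs_mutant(data, i)

def case_budget(data):
    """(number of outputs, total bytes produced): the figures the template prints."""
    n = 256 * len(data)
    return n, n * len(data)

def count_identical(data):
    """Caveat: at each position one of the 256 values is the original byte, so
    len(data) of the outputs equal the unmodified input and test nothing new."""
    return sum(1 for case in jrs_cases(data) if case == data)

def run(data, consumer):
    """Feed every case to consumer(); return the indexes whose case made it raise.
    Keeping i instead of the case is enough: jrs_mutant(data, i) regenerates it."""
    failures = []
    for i, case in enumerate(jrs_cases(data)):
        try:
            consumer(case)
        except Exception:
            failures.append(i)
    return failures

def strict_get_consumer(case):
    """Constructed stand-in for a target: a parser that only accepts 'GET '."""
    if not case.startswith(b"GET "):
        raise ValueError("bad request line")

if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\n"  # the request line from the documentation
    n, total = case_budget(request)
    print("%i outputs, %3.3f MB" % (n, total / float(1 << 20)), file=sys.stderr)
    bad = run(request, strict_get_consumer)
    print("%d cases rejected; reproduce the first with jrs_mutant(request, %d)"
          % (len(bad), bad[0]))
```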

Screenshots

HTTP fuzzer found bugs in werkzeug: [screenshot: JRSFuzz]

HTTP fuzzer running smoothly: [screenshot: JRSFuzz]

Repros

Heap buffer overflow read in openjpeg imagetopnm [reported]
valgrind -v opj_decompress -i fuzzfile0kqh22_c.jp2 -o fuzzfile0kqh22_c.jp2.ppm

Null Dereference in tcd_malloc_decode_tile [reported]
openjpeg-1.5.2/build/bin/j2k_to_image -i ./jp2/fuzzfile8_76ff.jp2 -o ./jp2/fuzzfile8_76ff.jp2.test.ppm

Frequently Asked Questions

2015-11-12
AltSci Concepts

Computer Journal