Index: third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff |
diff --git a/third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff b/third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff |
new file mode 100644 |
index 0000000000000000000000000000000000000000..3fa05bf814c38ecdaa962ec521fa45b1a9f668b9 |
--- /dev/null |
+++ b/third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff |
@@ -0,0 +1,59 @@ |
+This patch shows a very simple way to find post-Shellshock bugs in bash, as |
+discussed here: |
+ |
+ http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html |
+ |
+In essence, it shows a way to fuzz environmental variables. Instructions: |
+ |
+1) Download bash 4.3, apply this patch, compile with: |
+ |
+ CC=/path/to/afl-gcc ./configure |
+ make clean all |
+ |
+ Note that the harness puts the fuzzed output in $TEST_VARIABLE. With |
+ Florian's Shellshock patch (bash43-028), this is no longer passed down |
+ to the parser. |
+ |
+2) Create and cd to an empty directory, put the compiled bash binary in |
+ there, and run these commands: |
+ |
+ mkdir in_dir |
+ echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt |
+ |
+3) Run the fuzzer with: |
+ |
+ /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c : |
+ |
+ The -d parameter is advisable only if the tested shell is fairly slow |
+ or if you are in a hurry; will cover more ground faster, but |
+ less systematically. |
+ |
+4) Watch for crashes in out_dir/crashes/. Also watch for any new files |
+ created in cwd if you're interested in non-crash RCEs (files will be |
+ created whenever the shell executes "foo>bar" or something like |
+ that). You can correlate their creation date with new entries in |
+ out_dir/queue/. |
+ |
+ You can also modify the bash binary to directly check for more subtle |
+ fault conditions, or use the synthesized entries in out_dir/queue/ |
+ as a seed for other, possibly slower or more involved testing regimes. |
+ |
+ Expect several hours to get decent coverage. |
+ |
+--- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100 |
++++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200 |
+@@ -371,6 +371,14 @@ |
+ env = environ; |
+ #endif /* __OPENNT */ |
+ |
++ { |
++ |
++ static char val[1024 * 16]; |
++ read(0, val, sizeof(val) - 1); |
++ setenv("TEST_VARIABLE", val, 1); |
++ |
++ } |
++ |
+ USE_VAR(argc); |
+ USE_VAR(argv); |
+ USE_VAR(env); |