Ayrx/atriage

atriage

atriage is an extensible triage tool written in Python 3. It currently supports afl-fuzz.

Usage: atriage [OPTIONS] COMMAND [ARGS]...

  A dumb afl-fuzz triage tool.

Options:
  --help  Show this message and exit.

Commands:
  asan            Capture ASAN exploitable output of latest...
  exploitable     Capture GDB exploitable output of latest...
  gather          Gather latest triaged crash files.
  gather-samples  Gather all generated samples.
  info            Print information about the provided database...
  list            List latest triaged crash files.
  triage          Triage crash files from afl output directory.

How To Use

We first need to triage the crashes generated by the fuzzer.

Assuming that the fuzzer generates output in findings, we can run atriage triage to gather the crashes.

By default, atriage uses the afl-collector to collect samples and expects findings to be an afl sync or instance directory. In this scenario, atriage picks up the command to run automatically from afl's fuzzer_stats:

$ atriage triage findings/
Reading findings...
afl-fuzz command: ./harness @@
Parsing fuzzer pkkez-M0...
Adding 20 crashes.

Otherwise, an alternative collector needs to be specified. The list of available collectors can be retrieved using the list-collectors command.

$ atriage list-collectors
afl-collector (default)
flat-dir-collector

If findings is simply an ordinary directory of sample files, one can use the flat-dir-collector. In that case the command to run also needs to be specified:

$ atriage triage -c flat-dir-collector --command './harness @@' findings/
Reading findings...
Adding 20 crashes.

If the command does not contain @@, it is assumed to accept input through stdin.
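
The two rules above (command taken from fuzzer_stats, @@ versus stdin) can be sketched as follows. This is an added example, not atriage's own code: the function names are hypothetical, the fuzzer_stats text is a constructed sample, and it assumes the target command follows a `--` separator in the command_line field.

```python
import shlex
import subprocess

# Constructed sample of an afl-fuzz fuzzer_stats file (not from a real run).
SAMPLE_FUZZER_STATS = """\
start_time        : 1500000000
afl_banner        : harness
command_line      : afl-fuzz -i in -o findings -M pkkez-M0 -- ./harness @@
"""


def target_command(stats_text):
    """Return the target's argv from the command_line field of fuzzer_stats."""
    for line in stats_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "command_line":
            argv = shlex.split(value)
            if "--" not in argv:  # assumption: target follows a "--" separator
                raise ValueError("no '--' separator in command_line")
            return argv[argv.index("--") + 1:]
    raise ValueError("command_line not found in fuzzer_stats")


def build_invocation(command, sample_path):
    """Return (argv, stdin_path): replace @@ with the sample, else use stdin."""
    if any("@@" in arg for arg in command):
        return [arg.replace("@@", sample_path) for arg in command], None
    return list(command), sample_path


def run_sample(command, sample_path, timeout=10):
    """Run the target on one sample without a shell; return its exit status."""
    argv, stdin_path = build_invocation(command, sample_path)
    stdin = open(stdin_path, "rb") if stdin_path else subprocess.DEVNULL
    try:
        # argv is passed as a list, so crash file names containing ':' or ','
        # are never interpreted by a shell.
        proc = subprocess.run(argv, stdin=stdin, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    finally:
        if stdin_path:
            stdin.close()
    # A negative return code means the target was killed by that signal
    # (for example -11 for SIGSEGV).
    return proc.returncode
```
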

We can query this data with atriage info. Each index represents the crashes collected by one run of atriage triage. Only the new crash cases generated since the last invocation of atriage triage are collected.

$ atriage info atriage.db
Command: ./harness @@

  index    crashes
-------  ---------
      0         20

Total crashes: 20

Once the crashes have been triaged, you can use commands such as asan and exploitable to gather the ASAN and GDB exploitable outputs respectively.

Check --help for each command individually to find out the various options.