This is gurthang, my web server fuzzing harness, composed of an LD_PRELOAD library and AFL++ custom mutator module. Turin Turambar wielded Gurthang, the sword called the "Iron of Death", and slayed Glaurung the dragon. Maybe, just maybe, AFL++ can wield this harness to slay some web servers.
Gurthang was developed for my MS thesis of Computer Science at Virginia Tech. My thesis is archived at this link.
The source files are organized like so:
src/contains the AFL++ mutator, theLD_PRELOADlibrary, and the implementation of the connection-multiplexing file format.tests/contains a unit testing header file, along with a series of testing modules I've written to test smaller parts of my code.scripts/contains any scripts I wanted to save to make development and fuzzing easier.dicts/contains example dictionaries that can be plugged into gurthang in order to make use of dictionary-based mutations.docs/contains markdown documentation and images.
To set things up, pull and build AFL++. Copy the file path to its include/ directory (for example: /home/cwshugg/AFLplusplus/include), and drop it into the AFLPP_INCLUDE makefile variable:
# ... in the makefile ...
# AFL++ variables
AFLPP_INCLUDE=/home/cwshugg/AFLplusplus/include
# ...After that, build your web server and use the following environment variables to utilize gurthang to fuzz it:
AFL_PRELOAD=${gurthang_repo}/gurthang-preload.so \
AFL_CUSTOM_MUTATOR_LIBRARY=${gurthang_repo}/gurthang-mutator.so \
AFL_CUSTOM_MUTATOR_ONLY=1 \
${afl_fuzz} # ... other AFL arguments go hereSee this document for additional environment variables gurthang supports.
To enable the fuzzing of web servers via AFL++, this project has two components: the library and the mutator. The first of these is a shared object (.so) library that is passed to the server via the LD_PRELOAD environment variable. Simply put, its job is to read a comux file from stdin, use it to establish internal connections to the server, and feed the input through those connections.
More details on the library can be found here.
The LD_PRELOAD library controls the reading and parsing of these comux files (described below), whereas gurthang's AFL++ custom mutator module is responsible for performing mutations on those comux files. Such mutations might be:
- Typical AFL++ bit/byte operations on comux payloads (bitflip, byte swap, byte reversal, etc.)
- Change the order in which the connections are established
- Change the order in which the payloads are sent
- Split up the payloads to send less data at one time
- Combine two payloads to send more data at one time
In essence, this special file format allows the mutator to decide not only what is getting sent to the target server, but how it is sent to the server. More details on the mutator can be found here.
The Connection Multiplexing protocol implemented in src/comux/ allows you to format a single file in a way that defines the content to be sent to a remote web server across multiple concurrent socket connections. As mentioned above, the AFL++ mutator and LD_PRELOAD library use this protocol enable AFL++ to establish multiple connections to the target web server, and send multiple payloads through those connections, in a single execution of the fuzzer.
See this page for a full description.