DumbFuzz is my first attempt at writing a fuzzer for finding program errors. DumbFuzz is a mutation-based file fuzzer which modifies each of a file's bytes one at a time by setting its value to 0x00, 0x11, 0x22...0xff. When it is done with a byte, that byte is reverted to its original value and the fuzzer moves on to the next byte.

A command is executed in between fuzz cycles, and if the process is killed by a signal, the fuzzer stops and tells you what happened.

When the fuzzer stops (because it caught Ctrl+C, because a bug was found, or because a run on all bytes in the template file has finished), the file is reverted to its original state.

The fuzzer will kill the process itself if it is taking too long to finish. This is so that GUI programs can be fuzzed too. They typically start up and stay open, so the fuzzer needs to close them down. This is not optimal, because it means we cannot detect an endless loop, which should be flagged as an error.

DumbFuzz takes four arguments:

  1. The template file
  2. Number of seconds to wait until forcefully exiting the fuzzed command
  3. The first byte to fuzz (to be able to stop and resume a fuzz session).
  4. The command to fuzz.

The command can refer to the fuzzed file through an environment variable containing its name ($FUZZ_FILE). In the future I may add support for threading, so the original filename cannot necessarily be used.
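The cycle described above, as an added Python sketch; it is not DumbFuzz's own source, which is not shown on this page. The names `fuzz`, `crash_signal` and `FUZZ_VALUES` are hypothetical, and it assumes a POSIX system where the command string is run through `/bin/sh`.

```python
import os
import subprocess

FUZZ_VALUES = range(0x00, 0x100, 0x11)  # 0x00, 0x11, 0x22 ... 0xff


def crash_signal(returncode):
    """Map an exit status to the signal that killed the command, or None."""
    if returncode < 0:            # subprocess reports "killed by signal N" as -N
        return -returncode
    if returncode > 128:          # a shell reports a signalled child as 128 + N
        return returncode - 128   # (assumption: the target never exits > 128 itself)
    return None


def fuzz(template, max_seconds, first_byte, command):
    """Return (offset, value, signal) for the first crash, or None if none found."""
    with open(template, "rb") as f:
        original = f.read()
    env = dict(os.environ, FUZZ_FILE=template)    # the command may use $FUZZ_FILE
    try:
        for offset in range(first_byte, len(original)):
            for value in FUZZ_VALUES:
                mutated = bytearray(original)     # only one byte differs per run
                mutated[offset] = value
                with open(template, "wb") as f:
                    f.write(mutated)
                try:
                    proc = subprocess.run(command, shell=True, env=env,
                                          timeout=max_seconds,
                                          stdout=subprocess.DEVNULL,
                                          stderr=subprocess.DEVNULL)
                except subprocess.TimeoutExpired:
                    continue      # killed by the fuzzer; a hang is not flagged
                sig = crash_signal(proc.returncode)
                if sig is not None:
                    return offset, value, sig
        return None
    finally:
        # Runs after a crash, on Ctrl+C (KeyboardInterrupt) and after the last byte.
        with open(template, "wb") as f:
            f.write(original)
```

The `first_byte` argument plays the role of the third DumbFuzz argument: passing the offset where a previous session stopped resumes the run from there.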

An example run against a small tool I hacked together:

$ fuzz 
Usage: fuzz <templatefile> <max seconds> <first fuzz byte> <fuzz command>
$ fuzz Test.class 1 0 './ksd $FUZZ_FILE'
Byte 9 of 947 (0 %) Value 0x00
Killed by signal Segmentation fault(11) by setting byte 9 to 0x00

Download the source: dumbfuzz.tar.gz