Hacking the CERT FOE
Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy to modify them to do what you like.
The particular target application that I encountered does not take a filename as a command-line parameter. Instead, this application takes a parameter that is a directory that contains a configuration file that specifies the file to open.
FOE assumes that the fuzzed file is a command-line parameter, and every invocation of the target application uses a different path to the fuzzed file somewhere in the configured fuzzdir. With this particular target application, I'd like for FOE to put the fuzzed file in a fixed location for every iteration. As it turns out, this change takes just one additional line of code!
To patch FOE to behave as we like, we modify the Fuzzer object to write a copy of the fuzzed output to a location that we specify. In particular, find the _postfuzz() function in certfuzz\fuzzers\fuzzer_base.py and add a write_file statement to the beginning: the first argument is the mutated byte array and the second is the output filename. With that line in place, the start of the function reads as follows (the output filename is whatever fixed location you chose; the placeholder stands in for it here):

```python
write_file(self.fuzzed, '<path to output file>')  # added: copy of the fuzzed output at a fixed location
logger.info('Copying fuzzed file to temp folder...')
if self.options.get('fuzz_zip_container') or not self.sf.is_zip:
    ...
```
And in my foe.yaml file, I have

```yaml
cmdline_template: $PROGRAM c:/temp
```
The _postfuzz() function is what happens after the file contents are mutated. This architecture is how FOE is able to reconstruct a valid zip file with fuzzed contents, for example. In this case, we use write_file, which is part of the CERT fuzztools package. The byte array of the mutated file is self.fuzzed, and the second parameter is the output filename.
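The hook-and-fixed-path pattern described above, as an added example that is not FOE's own code: a tiny stand-in for the Fuzzer flow with a _postfuzz() hook, a subclass that adds the single write_file line, and expansion of the $PROGRAM token from a cmdline_template string. The names write_file, FuzzerBase, FixedPathFuzzer, build_cmdline and run_iterations are assumptions for this demo, as is the use of string.Template for the $PROGRAM expansion; the mutation is a toy bit-flip so the output is predictable.

```python
import os
import string
import tempfile

def write_file(data, path):
    # Stand-in for fuzztools' write_file (assumed minimal behaviour):
    # write the byte string to path, creating parent directories as needed.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'wb') as f:
        f.write(data)

class FuzzerBase:
    """Skeleton of the FOE Fuzzer flow: mutate, then run the _postfuzz hook."""
    def __init__(self, seed_bytes, iteration):
        self.input = seed_bytes
        self.iteration = iteration
        self.fuzzed = None
    def _fuzz(self):
        # Toy mutation so the demo is deterministic: flip the low bit of one byte
        buf = bytearray(self.input)
        buf[self.iteration % len(buf)] ^= 0x01
        self.fuzzed = bytes(buf)
    def _postfuzz(self):
        pass  # hook run after mutation (stock FOE rebuilds zip containers here)
    def fuzz(self):
        self._fuzz()
        self._postfuzz()
        return self.fuzzed

class FixedPathFuzzer(FuzzerBase):
    """The post's one-line change: also write the output to a fixed location."""
    fixed_path = os.path.join(tempfile.gettempdir(), 'foe_fixed', 'fuzzed.bin')

    def _postfuzz(self):
        write_file(self.fuzzed, self.fixed_path)  # the added statement
        super()._postfuzz()

def build_cmdline(template, program):
    """Expand $PROGRAM in a cmdline_template string (assumed to follow
    string.Template rules, as the $PROGRAM syntax suggests)."""
    return string.Template(template).safe_substitute(PROGRAM=program)

def run_iterations(seed, count):
    """Fuzz `count` times and return what the fixed path holds after each run."""
    on_disk = []
    for i in range(count):
        FixedPathFuzzer(seed, i).fuzz()
        with open(FixedPathFuzzer.fixed_path, 'rb') as f:
            on_disk.append(f.read())
    return on_disk
```

Each iteration overwrites the same file, which is exactly what a target that reads its input location from a config file in a fixed directory needs.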
And that's it! One line of code added and FOE is now behaving as I want. Getting other FOE functionality, such as minimization, working with this scheme may require additional changes, but just the above changes are enough to start fuzzing. This is only one example of what can be done with FOE, but, really, your imagination is the limit!
FOE is open source, so if it doesn't do exactly what you want, feel free to change it. If you've got a good idea for how to make FOE better, please let us know.