ifratric
commented
5 years ago +@mxmssh FYI
I think in theory it should be possible with some modifications to the code, but probably wouldn't work as is because:
- WinAFL expects the target function to return normally. Since main() in test_netmode.cpp has an infinite loop (https://github.com/googleprojectzero/winafl/blob/master/test_netmode.cpp#L107) it is actually never going to return
- Calling
bind(https://github.com/googleprojectzero/winafl/blob/master/test_netmode.cpp#L105) twice with the same arguments won't work, so the server would need to cleanup the socket (so that it can be created again for the next iteration). While this would work it wouldn't be exactly optimal. - If socket is (re)created for each iteration, there might be race issues between afl-fuzz and the server, specifically afl-fuzz might try to connect to the server while the server isn't listening yet.
xinyile
Hi,
I have a question on network fuzzing. Can I choose the target function that calls the receive data function? For example, I tried to fuzz test_netmode.exe (provided by WinAFL). When I set the target function as recv_func(), winafl works and can find crash. But if I set the target function as main(), It seems that winafl cannot work.
So my question is that does winafl allows us to fuzz function that calls the receive data function.
Thanks.