idkwim / ouspg

Automatically exported from code.google.com/p/ouspg

Feature request: format string mutator (%n, %s) #95

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Introducing sequences of printf format string specifiers, principally %n and 
%s, would be a useful mutator that would help expose insecure use of functions 
from the printf family.

Original issue reported on code.google.com by MMacn...@gmail.com on 29 Oct 2014 at 7:07

GoogleCodeExporter commented 9 years ago
Thanks for the suggestion :) 

I'll probably have time to add these tomorrow. At least null termination issues 
and aaaaaaaaaaaaaaaaaaa's should also be added to stringish data change 
heuristics.

Original comment by aohelin on 29 Oct 2014 at 7:16

GoogleCodeExporter commented 9 years ago
Currently in trunk:
$ echo 'foooooooooooo' | radamsa -n 10000 | grep "%" | head -n 1
foooooooo%s%n%s%s%noooo

ab mutation now partitions the data to stringish things, within binary or 
delimited ones in textual data, and inserts extra null termination or inserts 
or overwrites a sequence of format string parameters somewhere in there. It is 
enabled by default with a low priority, since the set of changes it can make is 
relatively low, but definitely worth including.

Original comment by aohelin on 31 Oct 2014 at 3:16
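As an added illustration (not radamsa's own code and not part of this issue thread), the following Python sketch implements the heuristic aohelin describes above: partition the input into string-like runs, then either insert or overwrite a short sequence of format specifiers (%n, %s), insert an extra null terminator, or drop in a long run of `a`s. The names `find_stringish`, `mutate_format_string`, `mutate_null_termination`, `mutate_long_run` and `mutate` are my own, and the "4+ printable ASCII bytes" regex is an assumed stand-in for radamsa's actual partitioning of stringish data. It is useful for seeing what kind of test cases such a mutator emits before pointing a harness at a program that uses the printf family.

```python
import random
import re
from typing import List, Optional, Tuple

# Constructed specifier list: %n and %s are the ones named in the issue;
# %x and %p are added because they are also common in format-string test cases.
FORMAT_SEQS = [b"%n", b"%s", b"%s%n", b"%x", b"%p"]

# Assumed definition of a "stringish" run: 4 or more consecutive printable
# ASCII bytes inside otherwise arbitrary (possibly binary) data.
_STRINGISH = re.compile(rb"[\x20-\x7e]{4,}")


def find_stringish(data: bytes) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] spans of printable runs in the input."""
    return [(m.start(), m.end()) for m in _STRINGISH.finditer(data)]


def _pick_position(data: bytes, rng: random.Random) -> Optional[int]:
    """Choose a random offset inside (or at the end of) a random stringish run."""
    spans = find_stringish(data)
    if not spans:
        return None
    start, end = rng.choice(spans)
    return rng.randint(start, end)


def mutate_format_string(data: bytes, seed: int, overwrite: bool = False) -> bytes:
    """Insert (or overwrite with) a run of 1..5 format specifiers inside a stringish run."""
    rng = random.Random(seed)
    pos = _pick_position(data, rng)
    if pos is None:
        return data
    seq = b"".join(rng.choice(FORMAT_SEQS) for _ in range(rng.randint(1, 5)))
    if overwrite:
        # Overwriting near the end of the run may extend past the original input.
        return data[:pos] + seq + data[pos + len(seq):]
    return data[:pos] + seq + data[pos:]


def mutate_null_termination(data: bytes, seed: int) -> bytes:
    """Insert a NUL byte inside a stringish run, so a C-string consumer sees a truncated value."""
    rng = random.Random(seed)
    pos = _pick_position(data, rng)
    if pos is None:
        return data
    return data[:pos] + b"\x00" + data[pos:]


def mutate_long_run(data: bytes, seed: int, length: int = 64) -> bytes:
    """Insert a long run of 'a' bytes (the aaaaaa case) inside a stringish run."""
    rng = random.Random(seed)
    pos = _pick_position(data, rng)
    if pos is None:
        return data
    return data[:pos] + b"a" * length + data[pos:]


def mutate(data: bytes, seed: int) -> bytes:
    """Apply one of the three stringish mutations, chosen by the seed."""
    rng = random.Random(seed)
    which = rng.choice([mutate_format_string, mutate_null_termination, mutate_long_run])
    return which(data, rng.randrange(2 ** 32))


if __name__ == "__main__":
    # Constructed sample input, mirroring the echo example in the thread.
    sample = b"foooooooooooo"
    for seed in range(8):
        print(seed, mutate(sample, seed))
```

Inputs with no printable run of four or more bytes are returned unchanged, which is the same reason the thread describes this mutator as low priority: it only has something to do when the data actually contains string-like regions.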

GoogleCodeExporter commented 9 years ago
Excellent, thanks.

Original comment by MMacn...@gmail.com on 31 Oct 2014 at 3:59