googleprojectzero/Jackalope

Input file extension

hdbreaker opened this issue · 4 comments

hdbreaker commented

Hey guys how are you? My fuzzing target needs the file extension in "input_ {{ThreadID}}" to determinate which dll must load to parse the content.

I was trying to modify the fuzzer.cpp code to add this functionality but I didn't find the correct function/line to add this functionality.

Can you help me to improve/add this feature to the app? In which part of the code the file input_ is written? and how can I add the file extension to that input file?

Thank you ahead!

ifratric commented

Hi, the filename is constructed here:

Jackalope/fuzzer.cpp

Line 959 in 9e9dfa5

string outfile = DirJoin(out_dir, string("input_") + std::to_string(tc->thread_id));

So you can change that line to something like
string outfile = DirJoin(out_dir, string("input_") + std::to_string(tc->thread_id) + string(".ext"));

hdbreaker commented

I already identify the line but the problem is that I’m fuzzing multi format file extensions, so I need a way to dynamically change the extension, and not fixed to an specific extension

ifratric commented

In that case, you can try, before DeliverSample() call here:

Jackalope/fuzzer.cpp

Line 224 in 9e9dfa5

if (!tc->sampleDelivery->DeliverSample(sample)) {

do the following:

  • compute the new file name with extension (based on content of the sample?)
  • call ((FileSampleDelivery*)(tc->sampleDelivery))->SetFilename(...)
  • replace the filename in the correct place in tc->target_argv

An easier option though would be to have one fuzzer instance per extension. If you want them to share corpus/coverage set, you can have all instances connect to the same coverage server.

hdbreaker commented

I was able to fix it just adding a dumb extension! thank you so much!