zzuf(1) General Commands Manual zzuf(1)
NAME
zzuf - multiple purpose fuzzer
SYNOPSIS
zzuf [-aAcdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max] [-f fuzzing] [-D delay] [-j jobs] [-C crashes] [-B bytes] [-t seconds]
[-T seconds] [-U seconds] [-M mebibytes] [-b ranges] [-p ports] [-P protect] [-R refuse] [-l list] [-I include] [-E exclude] [PROGRAM
[ARGS]...]
zzuf -h | --help
zzuf -V | --version
DESCRIPTION
zzuf is a transparent application input fuzzer. It works by intercepting file and network operations and changing random bits in the pro-
gram's input. zzuf's behaviour is deterministic, making it easy to reproduce bugs.
USAGE
zzuf will run an application specified on its command line, one or several times, with optional arguments, and will report the applica-
tion's relevant behaviour on the standard error channel, eg:
zzuf cat /dev/zero
Flags found after the application name are considered arguments for the application, not for zzuf. For instance, -v below is an argument
for cat:
zzuf -B 1000 cat -v /dev/zero
When no program is specified, zzuf simply fuzzes the standard input, as if the cat utility had been called:
zzuf < /dev/zero
OPTIONS
-a, --allow=list
Only fuzz network input for IPs in list, a comma-separated list of IP addresses. If the list starts with !, the flag meaning is
reversed and all addresses are fuzzed except the ones in the list.
As of now, this flag only understands INET (IPv4) addresses.
This option requires network fuzzing to be activated using -n.
-A, --autoinc
Increment random seed each time a new file is opened. This is only required if one instance of the application is expected to open
the same file several times and you want to test a different seed each time.
-b, --bytes=ranges
Restrict fuzzing to bytes whose offsets in the file are within ranges.
Range values start at zero and are inclusive. Use dashes between range values and commas between ranges. If the right-hand part of a
range is ommited, it means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and all bytes after offset 31, use
'-b0,3-5,31-'.
This option is useful to preserve file headers or corrupt only a specific portion of a file.
-B, --max-bytes=n
Automatically stop after n bytes have been output.
This either terminates child processes that output more than n bytes on the standard output and standard error channels, or stop
reading from standard input if no program is being fuzzed.
This is useful to detect infinite loops. See also the -U and -T flags.
-c, --cmdline
Only fuzz files whose name is specified in the target application's command line. This is mostly a shortcut to avoid specifying
twice the argument:
zzuf -c cat file.txt
has the same effect as
zzuf -I '^file.txt$' cat file.txt
See the -I flag for more information on restricting fuzzing to specific files.
-C, --max-crashes=n
Stop forking when at least n children have crashed. The default value is 1, meaning zzuf will stop as soon as one child has crashed.
A value of 0 tells zzuf to never stop.
Note that zzuf will not kill any remaining children once n is reached. To ensure that processes do not last forever, see the -U
flag.
A process is considered to have crashed if any signal (such as, but not limited to, SIGSEGV) caused it to exit. If the -x flag is
used, this will also include processes that exit with a non-zero status.
This option is only relevant if the -s flag is used with a range argument. See also the -t flag.
-d, --debug
Activate the display of debug messages. Can be specified multiple times for increased verbosity.
-D, --delay=delay
Do not launch more than one process every delay seconds. This option should be used together with -j to avoid fork bombs.
-E, --exclude=regex
Do not fuzz files whose name matches the regex regular expression. This option supersedes anything that is specified by the -I flag.
Use this for instance if you are unsure of what files your application is going to read and do not want it to fuzz files in the /etc
directory.
Multiple -E flags can be specified, in which case files matching any one of the regular expressions will be ignored.
-f, --fuzzing=mode
Select how the input is fuzzed. Valid values for mode are:
xor randomly set and unset bits
set only set bits
unset only unset bits
The default value for mode is xor.
-j, --jobs=jobs
Specify the number of simultaneous children that can be run. By default, zzuf only launches one process at a time.
This option is only relevant if the -s flag is used with a range argument. See also the -D flag.
-i, --stdin
Fuzz the application's standard input. By default zzuf only fuzzes files.
-I, --include=regex
Only fuzz files whose name matches the regex regular expression. Use this for instance if your application reads configuration files
at startup and you only want specific files to be fuzzed.
Multiple -I flags can be specified, in which case files matching any one of the regular expressions will be fuzzed. See also the -c
flag.
-l, --list=list
Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor will really be fuzzed only if N is in list.
Values start at 1 and ranges are inclusive. Use dashes between values and commas between ranges. If the right-hand part of a range
is ommited, it means all subsequent file descriptors. For instance, to restrict fuzzing to the first opened descriptor and all
descriptors starting from the 10th, use '-l1,10-'.
Note that this option only affects file descriptors that would otherwise be fuzzed. Even if 10 write-only descriptors are opened at
the beginning of the program, only the next descriptor with a read flag will be the first one considered by the -l flag.
-m, --md5
Instead of displaying the program's standard output, just print its MD5 digest to zzuf's standard output. The standard error channel
is left untouched.
-M, --max-memory=mebibytes
Specify the maximum amount of memory, in mebibytes (1 MiB = 1,048,576 bytes), that children are allowed to allocate. This is useful
to detect infinite loops that eat up a lot of memory.
The value should be set reasonably high so as not to interfer with normal program operation. By default, it is set to 1024 MiB in
order to avoid accidental excessive swapping. To disable the limitation, set the maximum memory usage to -1 instead.
zzuf uses the setrlimit() call to set memory usage limitations and relies on the operating system's ability to enforce such limita-
tions.
-n, --network
Fuzz the application's network input. By default zzuf only fuzzes files.
Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol families are not yet supported.
-p, --ports=ranges
Only fuzz network ports that are in ranges. By default zzuf fuzzes all ports. The port considered is the listening port if the
socket is listening and the destination port if the socket is connecting, because most of the time the source port cannot be pre-
dicted.
Range values start at zero and are inclusive. Use dashes between range values and commas between ranges. If the right-hand part of a
range is ommited, it means end of file. For instance, to restrict fuzzing to the HTTP and HTTPS ports and to all unprivileged ports,
use '-p80,443,1024-'.
This option requires network fuzzing to be activated using -n.
-P, --protect=list
Protect a list of characters so that if they appear in input data that would normally be fuzzed, they are left unmodified instead.
Characters in list can be expressed verbatim or through escape sequences. The sequences interpreted by zzuf are:
new line
return
tabulation
NNN the byte whose octal value is NNN
xNN the byte whose hexadecimal value is NN
\ backslash ('')
You can use '-' to specify ranges. For instance, to protect all bytes from '