AFL_Runner
is a modern CLI tool designed to streamline running efficient multi-coreAFLPlusPluscampaigns. The default configuration is based on the sectionUsing multiple coresof the official documentation.
Currently, this tool should work on all *NIX flavor operating-systems.
- Rust (nightly) toolchain🦀
- AFLPlusPlus
- pgrep
- TMUX||screen(Optional)
You can compileAFL_Runner
yourself...:
git clone https://github /0xricksanchez/AFL_Runner.git
cdAFL_Runner
cargo build --release
./target/release/aflr --help
...or install directly viacrates.io:
cargo install afl_runner
aflr --help
AFL_Runner
allows you to set the most necessary AFLPlusplus flags and mimics the AFLplusplus syntax for these options:
-
Supported AFLplusplus flags:
- Corpus directory
- Output directory
- Dictionary file
- Custom
afl-fuzz
binary path for all instances - Supply arguments to target binary (including @@)
- Amount of runner commands to generate
- Support for *SAN, CMPLOG, CMPCOV binaries
-
Other features:
Tmux
orscreen
option to automatically create an appropriate layout for all runners- TUI
- Provide a configuration file via
--config
to make sharing/storing per project configurations easier- Automatically read out a configuration named
aflr_cfg.toml
in theCWD
when no--config
was supplied
- Automatically read out a configuration named
Note:Arguments supplied over the command-line take precedence over any configuration file options.
AFL_Runner
aims to be a plug & play solution for when you're at a stage of fuzzing campaign where all that is left is running a multi-core setup.
So, this tool isnot(yet) a helper for:
- Compiling a target in multiple flavors
- Preparing a good initial seed corpus
- Providing a decent dictionary to boost code-coverage
- Debugging a fuzzing campaign
- Add remote option 🌐
- Native integration forstatsd
- Add more configuration options
- Add more sensible defaults for other options
- Allow AFLPlusPlus forks to be used on some amount of runners
Here's an example of generating AFL++ commands withAFL_Runner
:
Note:Supplying the *SAN, CMPLOG, or CMPCOV binaries is optional and if omitted all invocations just contain the (mandatory) instrumented target instead.
AFL_Runner
also includes a terminal user interface (TUI) for monitoring the fuzzing campaign progress.
The following demo can be found inexamples/
and can be build locally by runningcargo make
from the root directory of the project.
The example builds a recent version oflibxml2four times with different compile-time instrumentations:
- plain AFL++ instrumentation
- Address-Sanitizer (ASan)
- CMPCOV, and
- CMPLOG.
Afterwards, the necessary commands for 16 instances are being generated, which then are executed in a dedicated TMUX session. Finally, a custom TUI offered by *AFL Runneris tracking the progress of the fuzzing campaign in a centralized space:
Note:The TUI can be used as afullreplacement forafl-whatsup
by usingafl_runner tui <afl_output_dir>
!
Contributions are welcome! Please feel free to submit a pull request or open an issue for any bugs, feature requests, or improvements. Any other support is also more than welcome:).
This project is licensed under the Apache License. See theLICENSEfile for details.
🔼 Back to top