Re: AUTODAFE: an Act of Software Torture [FUZZER]

[Dan B <dan-fd () f-box org>]

Hi Martin,

Martin Vuagnoux wrote:
> Dear list,
>
> let me present you the public release of a fuzzer presented at 22c3:
>
> Autodafé is a fuzzing framework able to uncover buffer overflows by
> using the fuzzing by weighting attacks with markers technique.
>
> http://autodafe.sourceforge.net
>
> You will find a paper explaining the technique used, the slides of the
> presentation and the source code. It uses a script language largely
> inspired by Spike (btw: thanks Dave). The major improvement is the use
> of a debugger in order to reduce the test space. There is a tutorial
> (based on real cases) which explains how to use it, to fuzz network
> based (TCP/UDP) protocols (client and server side) and files (lps,
> pdf, jpeg, etc.) The second major improvement is the use of dissector
> (etheral, wireshark) to automatically recognize 750 network based
> protocols.
>
> Feel free to give feedback, it's a beta release.

Ok so all looks good, but --prefix is not respected by Makefiles or the
bins so I wanted to install in my home dir/Programs/Autodafe but when I
try and execute autodafe it's looking in /usr/local/etc/autodafe for the
.fuzz files.

(I had to modify the Makefiles in each dir to cp to the correct dir.)

I'm too tired ATM to look at modifications. But if you're using a
configure script it should respect the --prefix argument.

> Enjoy 8^P
I will once I'm more awake! And sorry if this seems like a petty thing.

> Martin Vuagnoux
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


Cheers,
DanB.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/