afl-launch is a simple program to spawn afl fuzzing instances from the
command line. It provides no compelling features; it is simply my version of
this tool.
All credits to @bnaggy for the tool. Made some modifications to support AFL
Sets the env. variables AFL_AUTORESUME=1 and AFL_DEBUG_CHILD_OUTPUT=1 by default. Remove if not required.
Usage of afl-launch:
-XXX
[HACK] substitute XXX in the target args with an 8 char random string [HACK]
-f string
Filename template (substituted and passed via -f)
-i string
afl-fuzz -i option (input location)
-m string
afl-fuzz -m option (memory limit), 'none' for no limit (defaults to afl)
-n int
Number of instances to launch (default 1)
-name string
Base name for instances. Fuzzers will work in <output>/<BASE>-[M|S]<N>
-no-master
Launch all instances with -S
-o string
afl-fuzz -o option (output location)
-t string
afl-fuzz -t option (timeout)
-x string
afl-fuzz -x option (extras location)
-L string
afl-fuzz -L option (for M0pt Mutation)
-p string
afl-fuzz -p option (for Power schedule, refer AFL Docs)
The launcher DOES NOT CHECK if the afl-fuzz instance errored out. Before
starting a multiple launch, you should start afl-fuzz once manually with your
desired -i -o -x (etc) options to make sure everything works.
If you don't supply a base name, the launcher will pick a random one.
Example:
./afl-launch -i ~/testcases/pdf -o ~/fuzzing/pdf -n 4 -- pdftoppm @@
Launches AFL in Power schedule fast mode and M0pt mutator mode.
./afl-launch -L 0 -p fast -i ~/testcases/pdf -o ~/fuzzing/pdf -n 4 -- pdftoppm @@
A note on the -f flag - the idea is that you pass a template like
/dev/shm/whatever.xml and the launcher will substitute it as -f /dev/shm/<BASENAME>-S12.xml when it invokes afl-fuzz. This is so that you can
have AFL create testcase files on a ramdisk, and avoid stressing your disks.
Queue entries and crashes are still saved as usual in the location specified
by -o. Don't be an idiot like me and run everything on a ramdisk.
Another note about ttys - this tool just spawns all the processes and then
exits. If you want them to stay running unattended then the easiest and (IMHO)
best way is just to run it inside a screen session (man screen).
There is a hacky option that can be used for a few things. If you pass -XXX
then the literal string XXX anywhere in the target command (after the --
in the command line) will be replaced with a random 8 character string. I use
this for targets that require a -o flag for output filename, like
stupidprogram -i @@ -out /dev/shm/XXX.jpg.
Use afl-whatsup <LOCATION> with the same location you used for -o to get the
afl-fuzz summary output. For bonus points, be a unix nerd and do like watch -n 60 afl-whatsup -s ~/fuzzing/targetname
This is what that looks like:
Every 60.0s: afl-whatsup -s ~/fuzzing/targetname Sun Jun 7 10:40:36 2015
status check tool for afl-fuzz by <[email protected]>
Summary stats
=============
Fuzzers alive : 40
Total run time : 161 days, 22 hours
Total execs : 4513 million
Cumulative speed : 12904 execs/sec
Pending paths : 75 faves, 29250 total
Pending per fuzzer : 1 faves, 731 total (on average)
Crashes found : 9806 locally unique
You should follow the instructions to install Go, if you haven't already done so.
Download, build and install afl-launch:
$ go get -u github.com/bnagy/afl-launchNothing on the list. Open an issue if you want something.
- Fork and send a pull request
- Report issues
BSD style, see LICENSE file for details.