Manul: coverage-guided parallel fuzzer for open-source and blackbox binaries
Manul
Manul is a coverage-guided parallel fuzzer for open-source and blackbox binaries on Windows, Linux and MacOS (beta) written in pure Python.
Manul is distributed with a default manul.config file where the user can find all supported options and usage examples. Options should be specified in the format <option_name> = <value>. The symbol # can be used to ignore (comment out) a line.
Dictionary
dict = /home/max/dictionaries/test.dict. AFL mutation strategy allows a user to specify a list of custom tokens that can be inserted at random places in the fuzzed file. Manul supports this functionality via this option (absolute paths preferred).
Mutator weights
mutator_weights=afl:7,radamsa:2,my_mutator:1. Mutator weights allow a user to tell Manul how many mutations per 10 executions should be performed by each fuzzer. In this example, the AFL mutator will be used for 7/10 mutations, Radamsa for 2/10 and a custom my_mutator for 1/10. To disable a mutator, assign it a weight of 0 (e.g. mutator_weights=afl:0,radamsa:1,my_mutator:9).
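The two passages above describe the config line format and the mutator_weights string. The following is an added example, not Manul's own code: it parses a constructed manul.config snippet in that format and turns the weights into a schedule of 10 executions. It assumes (as the README's example suggests) that weights are meant to sum to 10; the helper names are hypothetical.

```python
# Added example (not Manul's own code): parse the manul.config line format
# ("<option_name> = <value>", "#" starts a comment) and turn the
# mutator_weights string into a schedule of 10 executions.
import random
from typing import Dict, List

# Constructed sample config in the format the README describes.
SAMPLE_CONFIG = """
# lines starting with '#' are ignored
dict = /home/max/dictionaries/test.dict
mutator_weights=afl:7,radamsa:2,my_mutator:1
timeout = 10
#custom_path = test_path
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse '<option_name> = <value>' lines; lines starting with '#' are ignored."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed option line: {raw!r}")
        name, value = line.split("=", 1)
        options[name.strip()] = value.strip()
    return options


def parse_mutator_weights(spec: str) -> Dict[str, int]:
    """'afl:7,radamsa:2,my_mutator:1' -> {'afl': 7, ...}.

    Assumption of this example: the weights are 'mutations per 10 executions'
    and therefore must sum to exactly 10.
    """
    weights: Dict[str, int] = {}
    for item in spec.split(","):
        name, _, weight = item.strip().partition(":")
        if not name or not weight.isdigit():
            raise ValueError(f"bad mutator weight entry: {item!r}")
        weights[name] = int(weight)
    total = sum(weights.values())
    if total != 10:
        raise ValueError(f"mutator weights must sum to 10, got {total}")
    return weights


def build_schedule(weights: Dict[str, int], seed: int = 0) -> List[str]:
    """Return which mutator handles each of the next 10 executions.

    A mutator with weight 0 never appears, i.e. it is disabled.
    The shuffle is seeded so the schedule is reproducible.
    """
    slots = [name for name, w in weights.items() for _ in range(w)]
    random.Random(seed).shuffle(slots)
    return slots


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    weights = parse_mutator_weights(cfg["mutator_weights"])
    print(weights)
    print(build_schedule(weights))
```

The commented-out `#custom_path` line is deliberately skipped by the parser, matching the README's statement that `#` ignores a line.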
Deterministic Seed (Radamsa Option)
determenistic_seed = False|True. By providing True, Radamsa mutations become deterministic, so each run of Manul will lead to the same outputs.
Print Summary per Thread
print_per_thread = False|True. By enabling this option, Manul will print a summary for each thread being executed instead of a total summary.
Disable Volatile Paths
disable_volatile_bytes = False|True. By enabling this option, Manul will not blacklist volatile paths.
DBI Options
dbi = dynamorio|pin. This option tells Manul which DBI framework will be used to instrument the target.
dbi_root = <path>. This option tells Manul where to find the DBI framework's main launcher.
dbi_client_root = <path>. This option tells Manul where to find the DBI client that performs the instrumentation.
dbi_client_libs = name_#1,name_#2|None. This option can be used to specify a list of libraries that need to be instrumented along with the main target (e.g. you have an executable that loads the target library in which you want to find bugs).
Timeout
timeout = 10. Time to wait before killing the target and sending the next test case.
Netslave and Netmaster Options
The options net_config_master and net_config_slave are used to distribute Manul instances over the network. You have to perform the following 3 steps to run distributed fuzzing.
- Create a file with a list of the hosts where your slaves will be executed, in the format IP:port.
- Start all Manul slave instances on the remote machines (with all required options and the path to the target binary) and enable the following option: net_config_slave = 0.0.0.0:1337. Manul will launch the instance and wait for an incoming connection from the master instance on port 1337.
- Start the master instance and provide the file with the list of slave instances created in Step 1 using net_config_master = file_name.
Debug Mode
debug = False|True – print debug info.
logging_enable = False|True – save debug info in the log.
Logo
manul_logo = False|True – print Manul logo at the beginning.
Disable Stats
no_stats = False|True – do not save statistics.
Bitmap Synchronization Frequency (5000 recommended for DBI mode)
sync_freq = 10000. Allows the user to change the coverage bitmap synchronization frequency. This option tells Manul how often it should synchronize coverage between parallel fuzzing instances. A lower value decreases performance but increases coordination between instances.
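To make the performance/coordination trade-off of sync_freq concrete, here is an added example that is not Manul's own code. It models each parallel instance as owning an edge-coverage bitmap, ORs the bitmaps together every sync_freq executions, and counts how often an instance "rediscovers" an edge that another instance already found but has not yet shared. Bitmap size, edge discovery and the helper names are all constructed for the illustration.

```python
# Added example (not Manul's own code): merge per-instance coverage bitmaps
# and measure how sync_freq affects redundant work between instances.
import random
from typing import Dict, List, Tuple

BITMAP_BYTES = 64  # constructed toy size; real edge bitmaps are far larger


def count_bits(bitmap: bytes) -> int:
    """Number of set bits, i.e. distinct edges recorded in the bitmap."""
    return sum(bin(b).count("1") for b in bitmap)


def merge_bitmaps(global_map: bytearray, local_map: bytes) -> Tuple[bytearray, int]:
    """OR a local bitmap into the global one.

    Returns (merged bitmap, number of edges that were new to the global map).
    """
    if len(global_map) != len(local_map):
        raise ValueError("bitmap sizes differ")
    merged = bytearray(global_map)
    new_edges = 0
    for i, (g, l) in enumerate(zip(global_map, local_map)):
        fresh = l & ~g & 0xFF          # bits set locally but not yet globally
        new_edges += bin(fresh).count("1")
        merged[i] = g | l
    return merged, new_edges


def simulate(instances: int, executions: int, sync_freq: int,
             edges_per_exec: int = 3, seed: int = 0) -> Dict[str, int]:
    """Toy run of `instances` fuzzers that each hit random edges per execution.

    Every sync_freq executions all local bitmaps are merged into the global one
    and the merged view is pushed back to every instance.  A 'redundant' hit
    is an edge that is new to the instance's own bitmap but was already found
    by another instance that has not synchronized yet.
    """
    rng = random.Random(seed)
    global_map = bytearray(BITMAP_BYTES)
    local = [bytearray(BITMAP_BYTES) for _ in range(instances)]
    known_anywhere = bytearray(BITMAP_BYTES)   # union of all local maps, always current
    syncs = redundant = 0

    for n in range(1, executions + 1):
        for lm in local:
            for _ in range(edges_per_exec):
                edge = rng.randrange(BITMAP_BYTES * 8)
                byte, mask = edge // 8, 1 << (edge % 8)
                if not lm[byte] & mask and known_anywhere[byte] & mask:
                    redundant += 1          # someone else already found it
                lm[byte] |= mask
                known_anywhere[byte] |= mask
        if n % sync_freq == 0:
            syncs += 1
            for lm in local:
                global_map, _ = merge_bitmaps(global_map, lm)
            for lm in local:
                lm[:] = global_map          # share the merged view
    return {"syncs": syncs, "global_edges": count_bits(global_map), "redundant": redundant}


if __name__ == "__main__":
    for freq in (1, 10, 100):
        print(f"sync_freq={freq:4d}", simulate(instances=4, executions=100, sync_freq=freq))
```

With a fixed seed the sequence of discovered edges is identical across runs, so the only thing that changes with sync_freq is how long instances work on edges the others already know about: the redundant count never increases when synchronization is made more frequent, which is the coordination the README refers to, while each sync is itself a cost.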
Custom Path to Save Output
#custom_path = test_path – this option allows saving the test case in a custom folder (if the target wants to load it from some predefined place).
Command Line Fuzzing (experimental)
cmd_fuzzing = True|False. If this option is enabled, Manul will pass the input to the target via the command line instead of saving it to a file.
Ignore Signals
user_signals = 6,2,1|None. The user can tell Manul which signals from the target should be ignored (not considered a crash).
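The timeout option above and the user_signals ignore list together decide how a single execution is classified. The following is an added example, not Manul's own code: it runs one test case under a timeout with the standard library, maps the exit status onto "ok", "timeout", "crash" or "ignored signal", and honours a user_signals string. It assumes the POSIX convention that subprocess reports death by signal N as returncode -N; the target commands are constructed Python one-liners and the helper names are hypothetical.

```python
# Added example (not Manul's own code): run one test case with a timeout and
# classify the result, skipping signals listed in user_signals.
import subprocess
import sys
from typing import List, Optional, Set

# Constructed targets: one aborts itself (SIGABRT = 6), one hangs.
ABORT_TARGET: List[str] = [sys.executable, "-c",
                           "import os, signal; os.kill(os.getpid(), signal.SIGABRT)"]
SLEEP_TARGET: List[str] = [sys.executable, "-c", "import time; time.sleep(5)"]


def parse_user_signals(value: str) -> Set[int]:
    """'6,2,1' -> {6, 2, 1}; 'None' -> empty set (nothing ignored)."""
    if value.strip().lower() == "none":
        return set()
    return {int(x) for x in value.split(",") if x.strip()}


def classify(returncode: Optional[int], timed_out: bool, ignored: Set[int]) -> str:
    """Map an execution outcome to a verdict.

    POSIX subprocess convention (assumed here): returncode -N means the
    process was killed by signal N.  A signal in `ignored` is not a crash.
    """
    if timed_out:
        return "timeout"
    if returncode is not None and returncode < 0:
        sig = -returncode
        if sig in ignored:
            return f"ignored-signal-{sig}"
        return f"crash-signal-{sig}"
    return "ok"


def run_case(cmd: List[str], timeout: float, ignored: Set[int],
             input_bytes: bytes = b"") -> str:
    """Execute one test case, feeding it on stdin, and return the verdict."""
    try:
        proc = subprocess.run(cmd, input=input_bytes, timeout=timeout,
                              capture_output=True)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child for us before raising
        return classify(None, True, ignored)
    return classify(proc.returncode, False, ignored)


if __name__ == "__main__":
    print(run_case(ABORT_TARGET, 10, parse_user_signals("None")))   # crash-signal-6 on POSIX
    print(run_case(ABORT_TARGET, 10, parse_user_signals("6,2,1")))  # ignored-signal-6 on POSIX
    print(run_case(SLEEP_TARGET, 0.5, parse_user_signals("None")))  # timeout
```

On Windows there is no signal-based exit status, so the abort case is reported as a plain exit code there; the timeout path behaves the same on every platform.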
Network Fuzzing (experimental)
target_ip_port = 127.0.0.1:7715|None – used to specify the target IP and port.
target_protocol = tcp|tcp – used to specify the protocol used to send input to the target over the network.
net_init_wait = 1. This option can be used to wait while the target is launching before actually starting to send test cases.
net_sleep_between_cases = 0.0. This option can be used to define a delay between test cases being sent to the target.
Currently, network fuzzing is an experimental feature.
Download & Use
Copyright (C) 2019 mxmssh