AFL Basics - 2


This is a short post that serves as the extension of the previous fuzzing post.

Fuzzing without the source?

In many cases, we are more interested in fuzzing binaries, whose source code is not available. This can be for various reasons. For example, a malware analyst may want to fuzz a complicated malware sample to either find bugs or find more interesting code paths. Luckily, this can be done using QEMU. The readme file includes instructions on building QEMU support.

Taken directly from AFL’s readme file:


  • libtool
  • automake
  • bison


We can test this now using the same program from the previous post.

Instead of the compiling using AFL’s gcc, we can use our system’s gcc (or whatever other compiler). We will name this file as hello_uninstrumented for clarity. We will run afl-fuzz using the same command as before, but now with a -Q flag.

afl-fuzz -i /path/to/afl/testcases/others/text -o output/ -Q ./hello_uninstrumented

Now, watch those crashes (1 unique) come rolling in!