Agent SkillsSnailSploit/Claude-Red › offensive-fuzzing

offensive-fuzzing

GitHub

提供实战级漏洞模糊测试方法论,涵盖目标识别、工具选型(AFL++等)、Harness编写、种子库构建及崩溃分析。适用于文件解析器、网络协议、内核驱动等目标的自动化安全测试与漏洞挖掘。

Skills/fuzzing/offensive-fuzzing/SKILL.md SnailSploit/Claude-Red

Trigger Scenarios

需要针对特定软件或协议进行模糊测试 询问如何配置和运行 AFL++、libFuzzer 等模糊测试工具 寻求漏洞挖掘或安全测试的工作流指导

Install

npx skills add SnailSploit/Claude-Red --skill offensive-fuzzing -g -y
More Options

Non-standard path

npx skills add https://github.com/SnailSploit/Claude-Red/tree/main/Skills/fuzzing/offensive-fuzzing -g -y

Use without installing

npx skills use SnailSploit/Claude-Red@offensive-fuzzing

指定 Agent (Claude Code)

npx skills add SnailSploit/Claude-Red --skill offensive-fuzzing -a claude-code -g -y

安装 repo 全部 skill

npx skills add SnailSploit/Claude-Red --all -g -y

预览 repo 内 skill

npx skills add SnailSploit/Claude-Red --list

SKILL.md

Frontmatter
{
    "name": "offensive-fuzzing",
    "description": "Practical offensive fuzzing methodology covering target identification, fuzzer selection (AFL++, libFuzzer, Honggfuzz, Boofuzz, syzkaller), harness writing, corpus curation, mutation strategies, coverage measurement, and crash triage. Use when setting up or running fuzz campaigns against any target: file parsers, network protocols, kernel drivers, EDR engines, embedded firmware, or language runtimes."
}

Offensive Fuzzing

Fuzzer Types

Type Coverage Speed Tools
BlackBox Poor Fast Peach, Boofuzz
GreyBox Good Fast AFL++, Honggfuzz, libFuzzer, WinAFL
Snapshot Good Fastest Nyx, wtf, Snapchange
WhiteBox Best Slow KLEE, QSYM, SymSan
Ensemble Best Fast AFL++ + Honggfuzz + libFuzzer

GreyBox sub-variants: Directed (AFLGo, UAFuzz), Grammar (AFLSmart, Tlspuffin), Concolic (QSYM, Driller), Kernel (syzkaller, kAFL, wtf).

Core Workflow

Research target → Choose analyses → Build harness → Seed corpus → Instrument → Fuzz → Triage crashes → Report

1. Research Target

  • Map all input surfaces (files, network, IPC, syscalls, IOCTL)
  • Identify high-value areas: previously patched code, complex parsers, newly added code, input ingestion points
  • For kernel modules: look beyond copy_from_user — DMA-BUF ops, page fault handlers, VM operation structs, allocation callbacks

2. Instrument and Build

# AFL++ (preferred for GreyBox)
CC=afl-clang-fast CXX=afl-clang-fast++ cmake -DCMAKE_BUILD_TYPE=Release .. && make -j

# libFuzzer + ASan/UBSan (C/C++)
cmake -DCMAKE_CXX_FLAGS="-fsanitize=fuzzer,address,undefined -O1 -g" ..

# CmpLog build for hard compares
AFL_LLVM_CMPLOG=1 CC=afl-clang-fast CXX=afl-clang-fast++ make clean all

Windows (MSVC): Project Properties → C/C++ → Address Sanitizer: Yes (/fsanitize=address)

3. Write Harness

libFuzzer (C++):

#include <cstdint>
#include <cstddef>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    parse_or_process(data, size);
    return 0;
}

Honggfuzz HF_ITER (persistent mode — preferred for large targets):

#include "honggfuzz.h"
int main(int argc, char** argv) {
    initialize_target(); // runs once
    for (;;) {
        size_t len; uint8_t *buf;
        HF_ITER(&buf, &len);
        FILE* s = fmemopen(buf, len, "r");
        target_function(s);
        fclose(s);
        reset_target_state();
    }
}

AFL++ persistent mode (__AFL_LOOP):

while (__AFL_LOOP(10000)) {
    // re-read input and process
}

macOS IPC (Mach message fuzzing):

void *lib_handle = dlopen("libexample.dylib", RTLD_LAZY);
pFunction = dlsym(lib_handle, "DesiredFunction");

4. Build Seed Corpus

  • Pull from target's test suite, bug reports, and real-world samples
  • Web-crawl (Common Crawl) for file formats; filter by MIME type
  • Minimize: afl-cmin -i raw_corpus -o seeds -- ./target @@
  • Trim inputs: afl-tmin -i crash -o crash.min -- ./target @@

5. Launch Fuzzing

AFL++ parallel (primary + secondary with cmplog):

afl-fuzz -M f1 -i seeds -o findings -x dict.txt -- ./target @@
afl-fuzz -S s1 -i seeds -o findings -c 0 -- ./target @@

libFuzzer:

./target_libfuzzer corpus/ -max_total_time=3600 -workers=4

Binary-only (QEMU):

afl-fuzz -Q -i seeds -o findings -- target.exe @@

Snapshot (AFL++ Nyx):

NYX_MODE=1 AFL_MAP_SIZE=1048576 afl-fuzz -i seeds -o findings -- ./target_nyx @@

Ensemble (AFL++ + Honggfuzz sharing corpus):

# Terminal 1
afl-fuzz -M fuzzer1 -i seeds -o sync_dir -- ./target @@
# Terminal 2
../honggfuzz/honggfuzz -i sync_dir/fuzzer1/queue -W sync_dir/hfuzz \
  --linux_perf_ipt_block -t 10 -- ./target ___FILE___

6. Monitor and Unstick

If progress stalls:

  • Enable CmpLog: -c 0 on AFL++ secondaries
  • Add dictionary: -x dict.txt or AFL_TOKEN_FILE
  • Switch to directed fuzzing (AFLGo) targeting specific BBs/functions
  • Use concolic assistance (QSYM, Driller) on hard branches
  • Snapshot the target to increase exec/s
  • AFL_MAP_SIZE=1048576, -L 0 for MOpt scheduler

7. Triage Crashes

# 1. Minimize
afl-tmin -i crash -o crash.min -- ./target @@
# 2. Symbolize
ASAN_OPTIONS=abort_on_error=1:symbolize=1 ./target crash.min 2>asan.log
# 3. Hash + bucket
./cov-tool --bbids ./target crash.min > cov.hash
./bucket.py --key "$(cat cov.hash)" --log asan.log --out triage/

Sanitizer env quick reference:

ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_stack_use_after_return=1
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
TSAN_OPTIONS=halt_on_error=1:history_size=7
MSAN_OPTIONS=poison_in_dtor=1:track_origins=2

Oracle Selection

Bug Class Oracle
Memory safety ASan, HWASan (AArch64, lower overhead)
Uninitialized reads MSan
Concurrency TSan
Undefined behavior UBSan
Type safety TypeSan
Heap hardening Scudo Hardened Allocator
Logic bugs Differential / idempotency oracles
Kernel memory KASAN, KMSAN, KCSAN
Kernel UB KUBSan (CONFIG_UBSAN_TRAP=y)
CFI KCFI (-fsanitize=kcfi, Clang 18)
Binary-only QASAN (QEMU+ASan), DynamoRIO

Property oracle patterns:

  • Idempotency: f(x) == f(f(x))
  • Differential: compare two impls, bucket on output mismatch
  • Invariants: monotonic lengths, checksum equality, schema validation post-parse

Specialized Targets

Kernel (Linux) — syzkaller

{
  "target": "linux/arm64",
  "http": ":56700",
  "workdir": "/path/to/workdir",
  "kernel_obj": "/path/to/kernel",
  "image": "/path/to/rootfs.ext3",
  "sshkey": "/path/to/id_rsa",
  "procs": 8,
  "enable_syscalls": ["openat$module_name", "ioctl$IOCTL_CMD", "mmap"],
  "type": "qemu",
  "vm": { "count": 4, "cpu": 2, "mem": 2048 }
}
  • Limit enable_syscalls to deepen coverage on specific subsystems
  • Use syz-extract to pull constants for custom modules
  • Enable CONFIG_KASAN=y, CONFIG_KCFI=y, CONFIG_DEBUG_INFO_BTF=y
  • Use kcov filters and syz_cover_filter to direct coverage
  • Network fuzzing: inject via TUN/TAP + pseudo-syscalls (syz_emit_ethernet)
  • Crash decode: ./scripts/decode_stacktrace.sh vmlinux ... < dmesg.log

syzkaller repro:

syz-execprog -repeat=0 -procs=1 -cover=0 -debug target.repro

EDR / Windows Scanning Engines

WTF snapshot harness skeleton (mpengine.dll / mini-filter):

g_Backend->SetBreakpoint("nt!KeBugCheck2", [](Backend_t *Backend) {
    const uint64_t BCode = Backend->GetArg(0);
    Backend->Stop(Crash_t(fmt::format("crash-{:#x}", BCode)));
});

FilterConnectionPort fuzzing:

HANDLE hPort;
FilterConnectCommunicationPort(L"\\PortName", 0, NULL, 0, NULL, &hPort);
FilterSendMessage(hPort, fuzzData, sizeof(fuzzData), NULL, 0, &bytesReturned);

IOCTL fuzzing pattern:

HANDLE hDev = CreateFile(L"\\\\.\\DeviceName", GENERIC_READ|GENERIC_WRITE, ...);
DeviceIoControl(hDev, ioctlCode, inputBuf, inputLen, outBuf, outLen, &ret, NULL);
  • Take snapshots after initialization, right before parse/dispatch loop
  • Use IDA Lighthouse for coverage visualization
  • Monitor: DRIVER_VERIFIER_DETECTED_VIOLATION (0xc4), IRQL_NOT_LESS_OR_EQUAL (0xa)
  • WinDbg: .symfix; !analyze -v; k; !heap -p -a @rax

Cross-platform mpengine.dll on Linux (loadlibrary + HF_ITER + Intel PT):

// Bypass Lua VM to avoid stability issues
insert_function_redirect((void*)luaV_execute_address, my_lua_exec, HOOK_REPLACE_FUNCTION);
for (;;) {
    HF_ITER(&buf, &len);
    ScanDescriptor.UserPtr = fmemopen(buf, len, "r");
    __rsignal(&KernelHandle, RSIG_SCAN_STREAMBUFFER, &ScanParams, sizeof ScanParams);
}

Rust

# Full Rust fuzzing pipeline
cargo test                                         # 1. property tests
cargo +nightly miri test                           # 2. UB via interpreter
cargo +nightly careful test                        # 3. runtime bounds checks
cargo fuzz run fuzz_target_1 -- -max_total_time=3600  # 4. libFuzzer crashes
RUSTFLAGS="--cfg loom" cargo test --release        # 5. concurrency (if needed)
cargo fuzz coverage fuzz_target_1                  # 6. coverage report

Focus unsafe blocks on: Vec::from_raw_parts, unchecked indexing, transmute size mismatches, pointer arithmetic, FFI integer truncation.

Embedded / Binary-Only

  • LibAFL: Modular Rust framework; Unicorn engine, snapshot module, LBRFeedback (zero-instrumentation on Intel), SAND decoupled sanitization
  • Retrowrite / QASAN: Binary rewriting for coverage + ASan without source
  • Nautilus: Grammar-based fuzzing for structured formats

Language Ecosystems

  • Go 1.18+: go test -fuzz=Fuzz -run=^$ ./...
  • Python: Atheris (CPython native extension fuzzing)
  • Rust: cargo-fuzz or honggfuzz-rs
  • JS engines: Fuzzilli with extended instrumentation (__builtin_return_address(0) for PC tracking)
  • Wasm runtimes: wasmtime-fuzz, wafl for differential fuzzing across V8/Wasmer/Wasmtime
  • Smart contracts: Echidna, Foundry-fuzz (Solidity); Move-Fuzz (Aptos/Sui)

CI/CD Integration

- name: Build with afl-clang-fast
  run: CC=afl-clang-fast make -j
- name: Fuzz (smoke, 15 min)
  run: timeout 15m afl-fuzz -i seeds -o findings -- ./target @@ || true
- name: Upload crashes
  if: always()
  uses: actions/upload-artifact@v4
  with:
    path: findings/**/crashes/*

Use ClusterFuzzLite for persistent continuous fuzzing; cache corpora between runs.

Crash Analysis Quick Reference

Linux:

ulimit -c unlimited && sysctl -w kernel.core_pattern=core.%e.%p
gdb -q ./target core.* -ex 'bt' -ex 'info reg' -ex q
addr2line -e ./target 0xDEADBEEF

Windows:

# Enable local dumps
New-Item 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' -Force
# PageHeap
gflags /p /enable target.exe /full

Kernel KASAN/KMSAN:

dmesg -T | egrep -i 'kasan|kmsan' -A 60
./scripts/decode_stacktrace.sh vmlinux /lib/modules/$(uname -r)/build < dmesg.log

Reproducibility: pin CPU governor, disable ASLR only where safe, fix RNG seeds, save input sequences in persistent mode, record binary hashes and sanitizer options with every crash.

Tool Index

Tool Use Case
AFL++ General GreyBox, CmpLog, MOpt, Nyx
Honggfuzz Intel PT, crash detection, HF_ITER
libFuzzer In-process, source available
syzkaller Linux/Windows kernel syscall fuzzing
wtf Snapshot fuzzing, Windows targets
Nyx AFL++ snapshot mode (Intel PT)
Snapchange AWS snapshot fuzzing
LibAFL Custom Rust fuzzing framework
AFLGo Directed fuzzing to target BB/function
kAFL Kernel + OS fuzzing
Jackalope Binary coverage-guided (Windows/macOS)
cargo-fuzz Rust libFuzzer integration
Atheris Python fuzzing
Nautilus Grammar-based fuzzing
AFLTriage Automated crash triage
afl-cov Coverage analysis for AFL++
ClusterFuzz Distributed fuzzing infrastructure

Version History

  • aeb41ec Current 2026-07-05 18:42

Same Skill Collection

Skills/auth/offensive-jwt/SKILL.md
Skills/infrastructure/offensive-shellcode/SKILL.md
Skills/wireless/offensive-deauth-disassoc/SKILL.md
Skills/wireless/offensive-krack-fragattacks/SKILL.md
Skills/wireless/offensive-wpa3-sae/SKILL.md
Skills/wireless/offensive-wps/SKILL.md
Skills/wireless/offensive-z-wave/SKILL.md
Skills/active-directory/offensive-active-directory/SKILL.md
Skills/cloud/offensive-cloud/SKILL.md
Skills/exploit-dev/offensive-toctou/SKILL.md
Skills/iot/offensive-iot/SKILL.md
Skills/mobile/offensive-mobile/SKILL.md
Skills/recon/offensive-osint/SKILL.md
Skills/utility/offensive-reporting/SKILL.md
Skills/web/offensive-business-logic/SKILL.md
Skills/web/offensive-sqli/SKILL.md
Skills/wireless/offensive-bluetooth-ble/SKILL.md
Skills/wireless/offensive-bluetooth-classic/SKILL.md
Skills/wireless/offensive-evil-twin/SKILL.md
Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md
Skills/wireless/offensive-wifi-recon/SKILL.md
Skills/wireless/offensive-wifi/SKILL.md
Skills/wireless/offensive-wpa-enterprise/SKILL.md
Skills/wireless/offensive-wpa2-psk/SKILL.md
Skills/wireless/offensive-zigbee-thread-matter/SKILL.md

Metadata

Files
0
Version
aeb41ec
Hash
fcd129b4
Indexed
2026-07-05 18:42

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 18:17
浙ICP备14020137号-1 $Гость$