Fuzzing using man pages This article is to introduce a (probably) new fuzzing idea (FuzzMan) that is built around man pages. Many know that in *nix systems if you type man command you will get a manual page informing you on how to use a specific tool. So by just looking at the manual you can find out pretty much in seconds what type of argument and what options are offered by any given command.

The format which man pages follow is universal (mostly), so it is not very difficult to make a script and extract the offered options - which is exactly what gave me the idea of making a tool that can generate fuzzing data based on manual pages. Based on that concept we can fuzz as accurately as possible any command that has a man page.

So lets take a command and generate fuzzing data.

The choice for this example is "shar" - GNU sharutils 4.2.1

Shar creates "shell archives" (or shar files) which are in text format and can be mailed. These files may be unpacked later by executing them with /bin/sh. The resulting archive is sent to standard out unless the -o option is given.

Below you can see how a man page looks in the console

or have a look at the On-line Shar Manual pageThere are several options available for this command and therefore the fuzzer has to generate lots of combinations. Fuzzman catches signals so if you see that you have enough combinaitons you can press ctrl-c.
if you type ./fuzzman.pl shar you get :

=== Extract arguments for "shar" ===
STANDARD
: --version
: --print-text-domain-dir
: --help
: --version
: -q
: -p
: -Z
: -S
: -z
: -o
: -l
: -L
: -n
.
.
.
: --no-i18n
: --print-text-domain-dir
ADDITIONAL
: EXTRA BoF Arg
: EXTRA Format String Arg
: EXTRA Numbers Arg

:Number of Arguments :36 <=== it is not 100% accurate but is very close

=== Generate Fuzzing Script ===
+STOP GENERATOR WITH CTRL-C
:Agrument combinations : 1040 <== This is the combinations counter
:Partial shar.sh, not all combinations have been generated
:Run fuzzing script [sh shar.sh]

We can see above that there are approximately 36 options. That would create several thousand combinations so I stopped it at 1040 combinations. Fuzzman tried different options adding arguments that could potentially lead to different overflow types, now the shar.sh script is ready.

Starting the shar.sh will execute the command 1040 times.

As we can see above we hit into a bug, Segmentation fault is always a sign.

You can download Fuzzman from here,
Enjoy

Note: This version of Sharutils have been reported for both Buffer Overflow and Format string vulns some time ago (here and here)