SKILL: Week 2: Finding Vulnerabilities Through Fuzzing
Metadata
- Skill Name: fuzzing-course
- Folder: offensive-fuzzing-course
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/2-fuzzing.md
Description
Week 2 of the exploit development curriculum. Covers fuzzing methodology: target selection, corpus generation, coverage-guided fuzzing with AFL++/libFuzzer, structured fuzzing, and triage/deduplication. Use when setting up fuzz campaigns, selecting harness strategies, or triaging fuzzer output.
Trigger Phrases
Use this skill when the conversation involves any of:
fuzzing curriculum, AFL++, libFuzzer, coverage-guided fuzzing, corpus generation, harness, fuzz target, mutation, triage, crash dedup, week 2, exploit dev course
Instructions for Claude
When this skill is active:
- Load and apply the full methodology below as your operational checklist
- Follow steps in order unless the user specifies otherwise
- For each technique, consider applicability to the current target/context
- Track which checklist items have been completed
- Suggest next steps based on findings
Full Methodology
Week 2: Finding Vulnerabilities Through Fuzzing
Overview
created by AnotherOne from @Pwn3rzs Telegram channel.
This document is Week 2 of a multi‑week exploit development course, focusing on discovering vulnerabilities through fuzzing techniques and analyzing the crashes to determine exploitability.
Last week we studied vulnerability classes through real-world examples. This week we'll learn to find these vulnerabilities ourselves using fuzzing - the automated technique that has discovered thousands of critical security bugs in production software.
Fuzzing can feel a bit front‑loaded: you may spend time wiring harnesses and running campaigns without immediately finding exciting new bugs, especially on hardened or well‑tested targets. That’s normal, and it's one reason the next week on patch diffing often feels more directly "practical" — many companies already run large fuzzing setups and need people who can understand and exploit the bugs those systems uncover. Still, working through this week is important: it teaches you how fuzzers actually discover real vulnerabilities, so when you later triage crashes or study patches, you'll have a solid intuition for how those bugs were found and how to reproduce them.
Prerequisites
Before starting this week, ensure you have:
- A Linux virtual machine (Ubuntu 24.04 recommended) with at least 8GB RAM and 8 CPU cores
- Basic understanding of C/C++ programming
- Familiarity with command-line tools and debugging (GDB basics)
- Understanding of memory corruption vulnerabilities (from Week 1)
Day 1: Introduction to Fuzzing
- Goal: Understand the fundamentals of fuzzing and get hands-on experience with AFL++.
- Activities:
  - Reading: "Fuzzing for Software Security Testing and Quality Assurance" by Ari Takanen (from 1.3.2 to 1.3.8 and 2.4.1 to 2.7.5).
  - Online Resources:
    - Fuzzing Book by Andreas Zeller - Read "Introduction" and "Fuzzing Basics."
    - AFL++ Documentation - Follow the quick start guide.
    - Interactive Module to Learn Fuzzing
  - Real-World Context:
    - Google OSS-Fuzz: Finding 36,000+ bugs across 1,000+ projects
    - AFL Success Stories - Real vulnerabilities found by AFL
  - Exercise:
    - Set up a Linux virtual machine (VM) with the necessary tools installed, including compilers and debuggers
    - Run AFL++ on a C program - If possible, use or write a small C program that contains a simple version of one of the Week 1 vulnerability classes (for example, a stack buffer overflow or integer overflow) so you can see fuzzing rediscover it.
```bash
# Setting up AFL++
# Install build dependencies
sudo apt update
sudo apt install -y build-essential gcc-13-plugin-dev cpio python3-dev libcapstone-dev \
pkg-config libglib2.0-dev libpixman-1-dev automake autoconf python3-pip \
ninja-build cmake git wget python3.12-venv meson
# Install LLVM (check latest version at https://apt.llvm.org/)
wget https://apt.llvm.org/llvm.sh
chmod +x llvm.sh
sudo ./llvm.sh 19 all
# Verify LLVM installation
clang-19 --version
llvm-config-19 --version
# Install Rust (required for some AFL++ components)
curl --proto '=https' --tlsv1.2 -sSf "https://sh.rustup.rs" | sh
source ~/.cargo/env
# Build and install AFL++
mkdir -p ~/soft && cd ~/soft
git clone --depth 1 https://github.com/AFLplusplus/AFLplusplus.git
cd AFLplusplus
# NOTE: unicorn support might fail (you may need to set the relevant environment
# variable or run ./build_unicorn_support.py and fix issues yourself)
make distrib
sudo make install
# Verify installation
which afl-fuzz
afl-fuzz --version
# Phase 1: Simple crash example
cd ~/ && mkdir -p tuts && cd tuts
git clone --branch main --depth 1 https://github.com/alex-maleno/Fuzzing-Module.git
cd Fuzzing-Module/exercise1 && mkdir -p build && cd build
# Compile with AFL++ instrumentation
CC=/usr/local/bin/afl-clang-fast CXX=/usr/local/bin/afl-clang-fast++ cmake ..
make
# Create seed inputs
cd .. && mkdir -p seeds && cd seeds
for i in {0..4}; do
dd if=/dev/urandom of=seed_$i bs=64 count=10 2>/dev/null
done
# Run AFL++ fuzzer
cd ../build
echo core | sudo tee /proc/sys/kernel/core_pattern
afl-fuzz -i ../seeds/ -o out -m none -d -- ./simple_crash
# Expected output: AFL++ interface showing coverage, crashes, etc.
# Look for crashes in out/crashes/ directory
# Phase 2: Medium complexity example
cd ~/tuts/Fuzzing-Module/exercise2 && mkdir -p build && cd build
CC=/usr/local/bin/afl-clang-lto CXX=/usr/local/bin/afl-clang-lto++ cmake ..
make
cd .. && mkdir -p seeds && cd seeds
for i in {0..4}; do
dd if=/dev/urandom of=seed_$i bs=64 count=10 2>/dev/null
done
cd ../build
afl-fuzz -i ../seeds/ -o out -m none -d -- ./medium
```
Success Criteria:
- AFL++ compiles and installs without errors
- Both fuzzing sessions start successfully
- You can see the AFL++ status screen showing paths found, crashes, etc.
- Check the out/crashes/ directory for any discovered crashes
Troubleshooting:
- If afl-clang-fast is not found: check that /usr/local/bin/ is in PATH
- If compilation fails: ensure LLVM 19 is properly installed (clang-19 --version)
- If the fuzzer doesn't start: check the CPU scaling governor (echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor)
Real-World Impact: AFL++ Finding CVE-2024-47606 (GStreamer)
Background: AFL++ and similar fuzzers are actively used to find vulnerabilities in production software. Let's examine a real case from Week 1.
Case Study - CVE-2024-47606 (GStreamer Signed-to-Unsigned Integer Underflow):
- Discovery Method: Continuous fuzzing campaigns by security researchers using AFL++ on media parsers
- The Bug: GStreamer's qtdemux_parse_theora_extension had a signed integer underflow that became a massive unsigned value
- Attack Surface: MP4/MOV files processed automatically by browsers, media players, messaging apps
- Fuzzing Approach:
  - Target: GStreamer's QuickTime demuxer (qtdemux)
  - Seed corpus: Valid MP4 files from public datasets
  - Instrumentation: Compiled with AFL++ and AddressSanitizer
  - Mutation strategy: Structure-aware (understanding MP4 atoms)
  - Result: Heap buffer overflow crash after ~48 hours of fuzzing
Why Fuzzing Found It:
- Rare Input Combination: Required specific Theora extension size values that underflow
- Static Analysis Limitation: Signed-to-unsigned conversion buried in complex parsing logic
- Code Review Miss: Integer arithmetic looked correct without considering negative values
- Automated Testing Gap: Unit tests didn't cover malformed Theora extensi
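The Day 1 exercise asks for a small C program carrying a Week 1 bug class that AFL++ can rediscover, and the GStreamer case study above shows which class to pick. The following is an added example (not from the course or the Fuzzing-Module repository): a toy atom parser with a signed size field, where building with -DVULNERABLE leaves out the bounds check for the exercise and the default build keeps it. The atom format, the afl-clang-fast build line with AddressSanitizer and the @@ file-input invocation are assumptions, not the course's own commands.

```c
/* Added example, not from the course or the Fuzzing-Module repo: a tiny
 * "atom" parser in the style of the qtdemux bug class, as an AFL++ target
 * that reads one file.  Constructed format: [uint32 big-endian size][4-byte
 * tag][payload], size counting the 8-byte header.  -DVULNERABLE keeps the
 * signed-size bug for the exercise; the default build carries the fix.
 * Assumed build/run: afl-clang-fast -fsanitize=address -DVULNERABLE atom.c
 * -o atom; afl-fuzz -i seeds -o out -m none -- ./atom @@ */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 8           /* size + tag */
#define MAX_PAYLOAD 256 /* capacity of the caller's output buffer */

/* Copies the atom payload into out; returns its length, or -1 if rejected. */
int parse_atom(const uint8_t *buf, size_t len, uint8_t *out)
{
    if (len < HDR)
        return -1;
    /* Signed, like the size variable in the original demuxer code. */
    int32_t size = (int32_t)((uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                             (uint32_t)buf[2] << 8 | (uint32_t)buf[3]);
#ifndef VULNERABLE
    /* The missing check: reject a size that is negative, smaller than the
     * header, larger than the bytes we hold, or larger than out can take. */
    if (size < HDR || (size_t)size > len || (size_t)(size - HDR) > MAX_PAYLOAD)
        return -1;
#endif
    /* VULNERABLE build: size = 4 gives size - HDR = -4, which the size_t
     * conversion turns into a huge length, so memcpy runs off both buffers. */
    size_t payload = (size_t)(size - HDR);
    memcpy(out, buf + HDR, payload);
    return (int)payload;
}

int main(int argc, char **argv)
{
    uint8_t in[4096], out[MAX_PAYLOAD];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) {
        fprintf(stderr, "usage: %s <atom-file>\n", argv[0]);
        return 1;
    }
    size_t n = fread(in, 1, sizeof in, f);
    fclose(f);
    int r = parse_atom(in, n, out);
    printf("%s (%d)\n", r < 0 ? "rejected" : "ok", r);
    return 0;
}
```

Seed the campaign with a few well-formed atoms rather than /dev/urandom output, since the fuzzer then only has to mutate the size field to reach the bug.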