How to use target input in Mayhem

Welcome to the Mayhem Tips and Tricks series! Our goal is to help you learn about the best features of Mayhem in small, bite-size chunks. Today, we will explain how you can use the target input in Mayhem.

By default, Mayhem allows you to fuzz your target in one of three different ways: via STDIN, via a file descriptor (containing fuzzed data), or via a TCP/UDP port or UNIX socket. But say you’re interested in fuzzing a fixed configuration file, or some file set by an environment variable, and you don’t have control over the name. One way to work around this problem is to harness the application so that it reads its configuration from a command line parameter instead of a fixed file, but the easier method is to use the target_input variable!
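To make the two options concrete, here is an added example of the kind of target this tip is about. It is not Mayhem's code and not the readsBuiltinConfigs project's code; the fixed path, the key=value file format, the key names and the sample file contents are all assumptions. Run with no arguments it behaves like the fixed-path binary that target_input is designed for; run with a path argument it shows the "harness it to take the file from the command line" alternative.

```c
/* Added example (not Mayhem's code, not the readsBuiltinConfigs project):
 * a small target that always reads its configuration from a fixed path,
 * plus the harness alternative of taking the path from argv[1].
 * The path, file format and key names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONFIG_PATH "/opt/myreader/initialize.conf" /* assumed fixed path */
#define MAX_ENTRIES 16
#define MAX_KEY 32
#define MAX_VAL 64
#define MAX_FILE 65536 /* input is capped so a huge fuzzed file cannot exhaust memory */

struct entry { char key[MAX_KEY]; char val[MAX_VAL]; };
struct config { struct entry entries[MAX_ENTRIES]; int count; };

/* Parse "key=value" lines from an in-memory buffer. Blank lines, '#' comments
 * and lines without '=' are skipped; overlong keys and values are truncated so
 * fuzzed input can never overrun the fixed-size fields. Returns entry count. */
int parse_config(const char *buf, size_t len, struct config *cfg)
{
    size_t i = 0;
    cfg->count = 0;
    while (i < len && cfg->count < MAX_ENTRIES) {
        size_t start = i;
        while (i < len && buf[i] != '\n') i++;
        size_t line_len = i - start;
        if (i < len) i++;                               /* consume '\n' */
        if (line_len > 0 && buf[start + line_len - 1] == '\r') line_len--;
        if (line_len == 0 || buf[start] == '#') continue;
        const char *eq = memchr(buf + start, '=', line_len);
        if (eq == NULL) continue;
        size_t klen = (size_t)(eq - (buf + start));
        size_t vlen = line_len - klen - 1;
        if (klen == 0) continue;                        /* "=value" has no key */
        if (klen > MAX_KEY - 1) klen = MAX_KEY - 1;
        if (vlen > MAX_VAL - 1) vlen = MAX_VAL - 1;
        struct entry *e = &cfg->entries[cfg->count++];
        memcpy(e->key, buf + start, klen); e->key[klen] = '\0';
        memcpy(e->val, eq + 1, vlen);      e->val[vlen] = '\0';
    }
    return cfg->count;
}

/* Return the value for `key`, or NULL when the key is absent. */
const char *config_get(const struct config *cfg, const char *key)
{
    for (int n = 0; n < cfg->count; n++)
        if (strcmp(cfg->entries[n].key, key) == 0) return cfg->entries[n].val;
    return NULL;
}

/* Read up to MAX_FILE bytes from `path` and parse them.
 * Returns the entry count, or -1 if the file cannot be opened. */
int load_config(const char *path, struct config *cfg)
{
    static char buf[MAX_FILE];
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return parse_config(buf, len, cfg);
}

/* Constructed sample in the assumed format, used to exercise the parser
 * without touching the filesystem. */
static const char SAMPLE_CONFIG[] =
    "# reader settings\n"
    "name=reader\r\n"
    "port=8080\n"
    "this line has no separator\n"
    "=orphan value\n"
    "retries=\n";

/* Parse SAMPLE_CONFIG and look up one key (NULL if absent). */
const char *sample_lookup(const char *key)
{
    static struct config cfg;
    parse_config(SAMPLE_CONFIG, sizeof SAMPLE_CONFIG - 1, &cfg);
    return config_get(&cfg, key);
}

int main(int argc, char **argv)
{
    /* With no argument this is the fixed-path behaviour that target_input
     * addresses; with an argument it is the harnessed variant that reads
     * whatever file the fuzzer names on the command line. */
    const char *path = (argc > 1) ? argv[1] : CONFIG_PATH;
    struct config cfg;
    int n = load_config(path, &cfg);
    if (n < 0) { perror(path); return 1; }
    const char *name = config_get(&cfg, "name");
    printf("%s: %d entries, name=%s\n", path, n, name ? name : "(unset)");
    return 0;
}
```

The parser is deliberately bounded (capped file size, truncated keys and values) so that a fuzzed initialize.conf exercises the parsing logic rather than trivially overrunning a buffer; that is the property a fuzzing run against the fixed path is meant to check.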

Take the following Mayhemfile:

version: '1.15'
project: abrewer/readsBuiltinConfigs
target: readsBuiltinConfigs
baseimage: $MAYHEM_DOCKER_REGISTRY/abrewer/readsBuiltinConfigs:latest

tasks:
 - name: exploitability_factors
 - name: regression_testing
 - name: behavior_testing
 - name: coverage_analysis

cmds:
 - cmd: /readsBuiltinConfigs

Say your binary always reads its configuration from /opt/myreader/initialize.conf, and that this file could be modified (maliciously, even!) by a user or outside source. You can add a valid initialize.conf to your corpus directory (to tell the fuzzer what sort of data it should be fuzzing):

$ cat Dockerfile
## [other cmds…]
RUN cp /opt/myreader/initialize.conf /corpus
## [more cmds…]

Then, in your Mayhemfile, set the target_input to be the path of your configuration file:

version: '1.15'
project: abrewer/readsBuiltinConfigs
target: readsBuiltinConfigs
baseimage: $MAYHEM_DOCKER_REGISTRY/abrewer/readsBuiltinConfigs:latest

tasks:
 - name: exploitability_factors
 - name: regression_testing
 - name: behavior_testing
 - name: coverage_analysis

cmds:
 - cmd: /readsBuiltinConfigs

target_input: /opt/myreader/initialize.conf

Now Mayhem will write (and overwrite) your /opt/myreader/initialize.conf with fuzzed data. That’s it! You may want to make sure that the directory and file are writable (you can set this in the Dockerfile with something like):

## [cmds…]

RUN chmod 777 /opt/myreader/initialize.conf

## [cmds…]

We hope that you found this Tips and Tricks article helpful.