Start here -> https://github.com/antonio-morales/Hackfest_Advanced_Fuzzing_Workshop/blob/main/Hackfest%20Workshop%20Slides.pdf

• EkoParty => https://github.com/antonio-morales/EkoParty_Advanced_Fuzzing_Workshop

All you need for the workshop is:

• A Telegram account. You will need it to use it to send me your questions/solutions
• A running Linux system with an internet connection
• Latest version of AFL++ installed on the system (https://github.com/AFLplusplus/AFLplusplus#building-and-installing-afl). You can download AFL++ source code at https://github.com/AFLplusplus/AFLplusplus/releases.

You also can find an .OVF virtual machine with everything already set up for the workshop here

• VM credentials: fuzz/fuzz

After booting the VM, open a terminal and go to Desktop -> WORKSHOP -> Fuzz 0 -> unrtf

Then, type:

afl-fuzz -i ./tests -o afl-output  -- ./bin/unrtf --verbose -P ./lib/unrtf/ @@

If all it's ok, you'll be able to see a lot of AFL crashes :)

• It's a CTF-style hands-on workshop.
• There will be 3 different challenges. The goal is to find a reproducible bug on each of them.
• We're looking for exploitable vulnerabilities. In order to be the winner of a challenge, you must provide a crash/PoC. "Theoretical bugs" or code warnings are not welcome, sorry.
• Challenges are intended to be solved by fuzzing, but creative approaches will be encouraged.
• During the workshop you will be able to ask me any questions you might have (via Telegram at xxxxxxxxxxxxx). Please don't share solutions while the challenge is live.
• I will give you some hints and tips before and during the challenge.
• After each challenge, I will show my solution and I will explain it to you.
• There may be more than one correct solution.

The winner of each challenge will receive a coupon to spend in GitHub Shop. Second place will also be awarded.

Build:

gcc HackFest1.c -lcrypto -lssl -w -o hackfest1

Run:

./hackfest1 ./AFL/afl_in/file1 output.ppm

Build:

gcc HackFest2.c -w -o hackfest2

Run:

./hackfest2 Example.xml