PFF (Php Fuzzing Framework)
by calcite@setec.org
Contact: irc.devirc.net #devirc /msg calcite

Contents
--------
1. ABOUT PFF (Php fuzzing framework)
2. Usage and compiling
2.1 Framework files
2.2 Environment variables
2.3 pff shell script wrapper
2.4 pff bugs
2.5 Other versions

1. ABOUT PFF

PFF is a small fuzzer for the php interpreter. It was created to fuzz php functions in order to discover security and general bugs.

2. Usage and compiling

calcite@calcite-desktop:~/Desktop/research$ pff
Tiny "Php Framework Fuzzer" (PFF) By calcite@setec.org -- phpframe_work -- The last argument is optional .
calcite@calcite-desktop:~/Desktop/research$

ARG 1 : Argument 1 is the file the user created with the instructions for the pff fuzzing engine.
ARG 2 : The last argument is optional; pff tries to find the location of the php interpreter on its own. If it cannot be found, an error is returned to the user. On most systems it is found.

pff depends on the openssl lib. "gcc -lssl" should tell you whether the lib is on your system or not.

  cc pff.c -o pff -lssl    - to compile.

2.1 Framework files

A framework file contains the instructions passed to the fuzzing engine. The syntax goes as follows:

  php_function_name("ARGUMENT_TYPE","ETC");

Argument types are "string" or "chars", "int" or "integer", and "rand" or "random" (not case sensitive).

string - A random string is generated and then converted to base64 encoding in order to avoid parsing errors.
rand   - A data type is chosen for you, based on a random condition.
int    - A random integer is generated; negative or positive values may be generated based on a random condition.

Example:

calcite@calcite-desktop:~/Desktop/research$ cat *.frame
socket_create([rand],[string],[int]);
calcite@calcite-desktop:~/Desktop/research$
calcite@calcite-desktop:~/Desktop/research$ cat /home/calcite/haha/fuzz21.php
calcite@calcite-desktop:~/Desktop/research$

2.2 Environment variables

PFF uses two environment variables, "PFF_TEMPFOLDER" and "PFF_MAXLEN".

"PFF_TEMPFOLDER" - Allows the user to specify a temporary directory other than "/tmp" to hold fuzzer generated files.
   Example: "[+] Using temporary directory /home/calcite/my_tmp/ ." This message is printed when the environment variable is detected.
"PFF_MAXLEN" - Allows the user to specify the maximum random length (NOTE: 50 bytes is added to all lengths).

EXAMPLE:

calcite@calcite-desktop:~/Desktop/research$ export PFF_TEMPFOLDER="/home/calcite/mytemp"
calcite@calcite-desktop:~/Desktop/research$ export PFF_MAXLEN="100"
calcite@calcite-desktop:~/Desktop/research$ pff *.frame
Function: socket_create
Parameter type: rand : Param # 1
Parameter type: string : Param # 2
Parameter type: int : Param # 3
[+] Using temporary directory /home/calcite/mytemp .
[+] Using maximum random char length 100 .

Warning: socket_create(): invalid socket domain [10805] specified for argument 1, assuming AF_INET in /home/calcite/mytemp/fuzz0.php on line 2

Warning: socket_create(): invalid socket type [10805] specified for argument 2, assuming SOCK_STREAM in /home/calcite/mytemp/fuzz0.php on line 2

Warning: socket_create(): Unable to create socket [93]: Protocol not supported in /home/calcite/mytemp/fuzz0.php on line 2
calcite@calcite-desktop:~/Desktop/research$

2.3 Shell script wrapper

For best results use a shell script for continuous reiteration.

Example:

calcite@calcite-desktop:~/Desktop/research$ while true; do sleep 2 ; pff *.frame ; done
Function: socket_create
Parameter type: rand : Param # 1
Parameter type: string : Param # 2
Parameter type: int : Param # 3
[+] Using temporary directory /home/calcite/mytemp .
[+] Using maximum random char length 100 .

Warning: socket_create(): invalid socket domain [-89428] specified for argument 1, assuming AF_INET in /home/calcite/mytemp/fuzz1.php on line 2

Warning: socket_create(): Unable to create socket [22]: Invalid argument in /home/calcite/mytemp/fuzz1.php on line 2
Function: socket_create
Parameter type: rand : Param # 1
Parameter type: string : Param # 2
Parameter type: int : Param # 3
[+] Using temporary directory /home/calcite/mytemp .
[+] Using maximum random char length 100 .

Warning: socket_create() expects parameter 1 to be long, string given in /home/calcite/mytemp/fuzz2.php on line 6
calcite@calcite-desktop:~/Desktop/research$ # here I used an endless loop with a 2 second delay to analyze results.. be creative: log all output to a log file or grep for coredumps etc....

If you get a crash, keep in mind that the php file that generated the crash is saved to your temporary directory.

2.4 BUGS

If you find any bugs please send me an email at calcite@setec.org or contact me on irc (email preferred). A detailed report would be appreciated (core dump, logfile, etc).

2.5 Other versions

I plan on releasing another version based on user feedback. Implementing my own base64 encoding function would get rid of the dependency on the openssl lib.
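To make the frame-file syntax of section 2.1 and the PFF_MAXLEN rule of section 2.2 concrete, here is an added Python example (not PFF's own code, which is C) that parses a frame line and renders the PHP source a fuzz file would contain. The `seed` parameter and the default length of 100 when PFF_MAXLEN is unset are assumptions made for this example.

```python
import base64
import os
import random
import re

# Type tokens accepted in a frame file (case-insensitive), mapped to a canonical type.
TYPE_ALIASES = {"string": "string", "chars": "string",
                "int": "int", "integer": "int",
                "rand": "rand", "random": "rand"}

# One frame line: php_function_name(<comma separated type tokens>);
FRAME_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\((.*)\)\s*;\s*$")


def parse_frame_line(line):
    """Parse e.g. socket_create([rand],[string],[int]); into ('socket_create', ['rand','string','int'])."""
    m = FRAME_RE.match(line)
    if not m:
        raise ValueError(f"not a frame line: {line!r}")
    name, arglist = m.group(1), m.group(2).strip()
    types = []
    for tok in (arglist.split(",") if arglist else []):
        tok = tok.strip().strip('[]"\'').lower()  # accept [rand], "rand" or bare rand
        if tok not in TYPE_ALIASES:
            raise ValueError(f"unknown argument type {tok!r} in {line!r}")
        types.append(TYPE_ALIASES[tok])
    return name, types


def render_args(types, maxlen, seed=None):
    """Render one PHP literal per type; seed is an assumption added for reproducible runs."""
    rng = random.Random(seed)
    out = []
    for kind in types:
        if kind == "rand":                       # rand: a concrete type is chosen at random
            kind = rng.choice(["string", "int"])
        if kind == "int":                        # int: sign chosen at random, as the README says
            value = rng.randint(0, 2**31 - 1)
            out.append(str(-value if rng.random() < 0.5 else value))
        else:                                    # string: random bytes, base64 so PHP always parses them
            raw = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, maxlen + 50)))
            out.append('"' + base64.b64encode(raw).decode("ascii") + '"')
    return out


def render_php(line, seed=None):
    """Build the contents of one fuzzN.php file for a frame line, honouring PFF_MAXLEN (+50, as documented)."""
    maxlen = int(os.environ.get("PFF_MAXLEN", "100"))  # assumed default when the variable is unset
    name, types = parse_frame_line(line)
    return "<?php\n%s(%s);\n?>\n" % (name, ", ".join(render_args(types, maxlen, seed)))
```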