Fuzz - Sulley Framework
Source: Internet  Editor: 程序博客网  Time: 2024/05/18 03:52
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
Install Sulley Framework
https://github.com/OpenRCE/sulley/wiki/Windows-Installation
Create a new fuzz program
Write the following code to the file fuzz_pcmanftpd.py:
# Video 1 Practical Fuzzing Basics using the Sulley Framework
# https://www.exploit-db.com/exploits/37731/
# Run the two monitors on the target machine before starting this script:
# C:\Fuzzing\sulley>python network_monitor.py -d 0 -f "port 21" -P audit
# C:\Fuzzing\sulley>python process_monitor.py -c audit\pcmanftpd_crashbin -p "PCManFTPD2.exe"

"""
Reference session captured against the server (used to derive the grammar below):

220 PCMan's FTP Server 2.0 Ready.
USER anonymous
331 User name okay, need password.
PASS password12345
230 User logged in
PORT 192,168,1,106,206,27
200 Command okay.
STOR demo2.txt
150 File status okay; Open data connection.
226 Data Sent okay.
PORT 192,168,1,106,206,28
200 Command okay.
LIST
150 File status okay; Open data connection.
226 Data Sent okay.
PORT 192,168,1,106,206,29
200 Command okay.
RETR demo2.txt
150 File status okay; Open data connection.
226 Data Sent okay.
QUIT
"""

import sys
from sulley import *

# General overview
# 1. Create requests (define fuzzing grammar)
# 2. Define sessions
# 3. Define target
# 4. Fuzz!

# s_initialize("name")   - Construct a new request
# s_static("USER")       - A string that is static (unmutated) and does not get fuzzed
# s_delim(" ")           - A delimiter that can be fuzzed. Has a different set of mutations than s_string
# s_string("anonymous")  - A string that will be mutated. Includes more mutations than s_delim

# -------------------------------------------------------------------
# Grammar to be tested
s_initialize("user")
s_static("USER")
s_delim(" ", fuzzable=False)
s_string("anonymous")
s_static("\r\n")

s_initialize("pass")
s_static("PASS")
s_delim(" ", fuzzable=False)
s_string("pass12345")
s_static("\r\n")

s_initialize("put")
s_static("PUT")
s_delim(" ", fuzzable=False)
s_string("fuzz_strings")
s_static("\r\n")

s_initialize("stor")
s_static("STOR")
s_delim(" ", fuzzable=True)
s_string("AAAA")
s_static("\r\n")

s_initialize("mkd")
s_static("MKD")
s_delim(" ", fuzzable=False)
s_string("AAAA")
s_static("\r\n")

# -------------------------------------------------------------------
# Define pre_send function. Executed right after the three-way handshake,
# so the FTP banner is consumed before the first fuzzed request is sent.
def receive_ftp_banner(sock):
    sock.recv(1024)

# -------------------------------------------------------------------
# Define session
# Session parameters
SESSION_FILENAME = "pcmanftpd-session"  # Keeps track of the current fuzzing state
SLEEP_TIME = 0.5                        # Pause between two fuzzing attempts
TIMEOUT = 5                             # Fuzzer will time out after 5 seconds of no connection
CRASH_THRESHOLD = 4                     # After 4 crashes the parameter will be skipped

mysession = sessions.session(
    session_filename=SESSION_FILENAME,
    sleep_time=SLEEP_TIME,
    timeout=TIMEOUT,
    crash_threshold=CRASH_THRESHOLD)
mysession.pre_send = receive_ftp_banner

# Build the request graph: USER -> PASS -> {STOR, MKD, PUT}
mysession.connect(s_get("user"))
mysession.connect(s_get("user"), s_get("pass"))
mysession.connect(s_get("pass"), s_get("stor"))
mysession.connect(s_get("pass"), s_get("mkd"))
mysession.connect(s_get("pass"), s_get("put"))

# -------------------------------------------------------------------
# Draw graph representing the fuzzing paths.
with open("session_test.udg", "w+") as f:
    f.write(mysession.render_graph_udraw())

# -------------------------------------------------------------------
# Just some overview output.
# s_num_mutations() reports the mutation count of the most recently
# initialized request ("mkd"); "* 5" is a rough estimate for all five requests.
print("Number of mutations during one case: %s\n" % str(s_num_mutations()))
print("Total number of mutations: %s\n" % str(s_num_mutations() * 5))
decision = raw_input("Do you want to continue? (y/n): ")
if decision == "n":
    sys.exit()

# -------------------------------------------------------------------
# Define target parameters
host = "192.168.1.107"
ftp_port = 21
netmon_port = 26001
procmon_port = 26002

target = sessions.target(host, ftp_port)
target.procmon = pedrpc.client(host, procmon_port)
target.netmon = pedrpc.client(host, netmon_port)  # attribute is "netmon" (the original had "netman", which Sulley ignores)
target.procmon_options = {
    "proc_name": "pcmanftpd2.exe",
    "stop_commands": ["wmic process where (name='PCManFTPD2.exe') call terminate"],
    "start_commands": ["C:\\PCManFTP\\PCManFTPD2.exe"]
}

# Add target to the session
mysession.add_target(target)

# -------------------------------------------------------------------
# Let's get rolling
print("Starting fuzzing now")
mysession.fuzz()
# Starts the fuzzing process and
# also the web interface (http://127.0.0.1:26000) to see the current state
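The script above relies on Sulley to turn each request into test cases, which hides how the counts it prints come about. The following is an added example, not code from the post or from Sulley: a small model of the same block-based scheme, in which every request is a list of static and fuzzable blocks and each test case replaces exactly one fuzzable block with one entry from that block's mutation library. The mutation libraries here are constructed stand-ins (Sulley's built-in lists are far larger), so the absolute numbers differ from what Sulley prints; what the model does show is why a per-request sum is more accurate than the script's `s_num_mutations() * 5` estimate, which only sees the last-initialized request and so undercounts the `stor` request with its fuzzable delimiter.

```python
"""Model of a Sulley-style request grammar (added example, not Sulley code)."""

# Constructed mutation libraries; Sulley's real ones are much larger.
STRING_MUTATIONS = [
    "A" * 64, "A" * 1024, "A" * 5000,  # long runs: length-handling probes
    "%s%s%s%n",                       # format-string probe
    "",                               # empty value
    "\x00" + "B" * 32,                # embedded NUL
]
DELIM_MUTATIONS = ["", "  ", "\t", " " * 256]


class Block:
    """One primitive of a request: a value plus the library it is swapped with."""

    def __init__(self, value, fuzzable, library):
        self.value = value
        self.fuzzable = fuzzable
        self.library = library if fuzzable else []


def s_static(value):
    return Block(value, False, None)


def s_delim(value, fuzzable=True):
    return Block(value, fuzzable, DELIM_MUTATIONS)


def s_string(value, fuzzable=True):
    return Block(value, fuzzable, STRING_MUTATIONS)


class Request:
    def __init__(self, name, blocks):
        self.name = name
        self.blocks = blocks

    def num_mutations(self):
        """Sulley's rule: one test case per library entry per fuzzable block."""
        return sum(len(b.library) for b in self.blocks)

    def original(self):
        return "".join(b.value for b in self.blocks)

    def mutations(self):
        """Yield every test case: one block replaced, all others left as-is."""
        for i, block in enumerate(self.blocks):
            for mutant in block.library:
                yield "".join(mutant if j == i else b.value
                              for j, b in enumerate(self.blocks))


def ftp_requests():
    """The five requests from the fuzz script, rebuilt in this model."""
    def cmd(name, verb, arg, delim_fuzzable):
        return Request(name, [s_static(verb), s_delim(" ", fuzzable=delim_fuzzable),
                              s_string(arg), s_static("\r\n")])
    return {
        "user": cmd("user", "USER", "anonymous", False),
        "pass": cmd("pass", "PASS", "pass12345", False),
        "put":  cmd("put",  "PUT",  "fuzz_strings", False),
        "stor": cmd("stor", "STOR", "AAAA", True),
        "mkd":  cmd("mkd",  "MKD",  "AAAA", False),
    }


def total_mutations(requests):
    """Exact per-request sum, as opposed to 'last request times five'."""
    return sum(r.num_mutations() for r in requests.values())


if __name__ == "__main__":
    reqs = ftp_requests()
    for name, req in reqs.items():
        print("%-5s %2d mutations, e.g. %r" % (name, req.num_mutations(),
                                               next(req.mutations())))
    print("exact total:", total_mutations(reqs))
    print("script's estimate:", reqs["mkd"].num_mutations() * 5)
```

With these libraries each request with a non-fuzzable delimiter yields 6 cases and `stor` yields 10, so the exact total is 34 while the "last request times five" estimate gives 30; the gap grows with the size of the real libraries.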
Fuzz Structure
Starts fuzzing
Check fuzz results
We can access http://127.0.0.1:26000/view_crash/2 for crash details.
[INVALID]:41414141 Unable to disassemble at 41414141 from thread 720 caused access violation
when attempting to read from 0x41414141

CONTEXT DUMP
  EIP: 41414141 Unable to disassemble at 41414141
  EAX: 00000000 (          0) -> N/A
  EBX: 00000000 (          0) -> N/A
  ECX: 00000000 (          0) -> N/A
  EDX: 0000000b (         11) -> N/A
  EDI: 00000004 (          4) -> N/A
  ESI: 0012edc4 (    1240516) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)
  EBP: 00a31c30 (   10689584) -> UCP+DDIQA&U$`A1A1aC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)
  +00: 41414141 (1094795585) -> N/A
  +04: 41414141 (1094795585) -> N/A
  +08: 41414141 (1094795585) -> N/A
  +0c: 41414141 (1094795585) -> N/A
  +10: 41414141 (1094795585) -> N/A
  +14: 41414141 (1094795585) -> N/A

disasm around:
  0x41414141 Unable to disassemble

SEH unwind:
  0012fec0 -> USER32.dll:7e44048f push ebp
  0012ffb0 -> USER32.dll:7e44048f push ebp
  0012ffe0 -> PCManFTPD2.exe:004185bc push ebp
  ffffffff -> kernel32.dll:7c839ac0 push ebp
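A fuzzing run against a server like this one produces many crash reports, and the first triage question for each is whether the bytes the fuzzer sent ended up in the instruction pointer, in an SEH handler address, or only in some unrelated register. The following is an added example, not code from the post or from Sulley: a parser for the crash text the process monitor writes in the layout shown above, plus a triage function that reads the fault type, registers, the stack words above EBP and the SEH chain, and assigns a severity from what it finds. The embedded report is a constructed, shortened copy of the one above; the filler byte it looks for is the `A` from `s_string("AAAA")`.

```python
"""Triage of a Sulley crash report (added example, not Sulley code)."""
import re

FILL_BYTE = ord("A")  # filler byte from s_string("AAAA") in the grammar

# Constructed sample in the layout of the process monitor's crash report.
SAMPLE_CRASH = """\
[INVALID]:41414141 Unable to disassemble at 41414141 from thread 720 caused access violation
when attempting to read from 0x41414141

CONTEXT DUMP
  EIP: 41414141 Unable to disassemble at 41414141
  EAX: 00000000 (          0) -> N/A
  EBX: 00000000 (          0) -> N/A
  ECX: 00000000 (          0) -> N/A
  EDX: 0000000b (         11) -> N/A
  EDI: 00000004 (          4) -> N/A
  ESI: 0012edc4 (    1240516) -> AAAAAAAAAAAAAAAAAAAAAAAA (stack)
  EBP: 00a31c30 (   10689584) -> AAAAAAAAAAAAAAAAAAAAAAAA (stack)
  +00: 41414141 (1094795585) -> N/A
  +04: 41414141 (1094795585) -> N/A
  +08: 41414141 (1094795585) -> N/A

disasm around:
  0x41414141 Unable to disassemble

SEH unwind:
  0012fec0 -> USER32.dll:7e44048f push ebp
  0012ffb0 -> USER32.dll:7e44048f push ebp
  0012ffe0 -> PCManFTPD2.exe:004185bc push ebp
  ffffffff -> kernel32.dll:7c839ac0 push ebp
"""


def all_filler(value):
    """True when every byte of a 32-bit value is the fuzz filler byte."""
    return all(((value >> shift) & 0xFF) == FILL_BYTE for shift in (0, 8, 16, 24))


def parse_crash(text):
    """Extract fault type, registers, stack words and SEH chain from one report."""
    info = {"access": None, "fault_address": None}
    m = re.search(r"access violation\s+when attempting to (read|write|execute)"
                  r"\s+(?:from|to)\s+0x([0-9a-fA-F]{8})", text)
    if m:
        info["access"] = m.group(1)
        info["fault_address"] = int(m.group(2), 16)
    info["registers"] = {name: int(val, 16) for name, val in
                         re.findall(r"\b(E[A-Z]{2}):\s+([0-9a-fA-F]{8})", text)}
    info["stack_top"] = [int(v, 16) for v in
                         re.findall(r"\+[0-9a-f]{2}:\s+([0-9a-fA-F]{8})", text)]
    info["seh"] = [(int(rec, 16), mod, int(handler, 16)) for rec, mod, handler in
                   re.findall(r"^\s*([0-9a-fA-F]{8}) -> ([\w.]+):([0-9a-fA-F]{8})",
                              text, re.M)]
    return info


def triage(info):
    """'high' when input reached EIP, an SEH handler or a write; else lower."""
    eip = info["registers"].get("EIP")
    control = eip is not None and all_filler(eip)
    seh_hit = any(all_filler(handler) for _, _, handler in info["seh"])
    write = info["access"] == "write"
    stack_hit = any(all_filler(v) for v in info["stack_top"])
    findings = []
    if control:
        findings.append("EIP holds the fuzz filler: instruction pointer controlled by input")
    if seh_hit:
        findings.append("an SEH handler address holds the fuzz filler")
    if write:
        findings.append("write access violation: memory corruption primitive")
    if stack_hit:
        findings.append("stack words above EBP hold the fuzz filler: saved frame data overwritten")
    if eip is not None and info["fault_address"] == eip:
        findings.append("fault address equals EIP: the fault is the instruction fetch itself")
    if control or seh_hit or write:
        severity = "high"
    elif stack_hit:
        severity = "medium"
    else:
        severity = "low"
        findings.append("read fault with no filler in control data: needs manual analysis")
    return {"severity": severity, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_crash(SAMPLE_CRASH))
    print(result["severity"])
    for finding in result["findings"]:
        print(" -", finding)
```

Running it over the report above yields severity `high`, because EIP, the fault address and the stack words are all 0x41414141; a report whose EIP points into the module and whose fault address is an unrelated small value would come out `low` and go to the manual-analysis queue instead. Point the same parser at each file in the crash bin to sort a whole run's output before anyone opens a debugger.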
References
https://github.com/OpenRCE/sulley/wiki/Windows-Installation
http://pen-testing.sans.org/blog/pen-testing/2011/12/05/fuzzing-in-a-penetration-test
http://www.dfate.de/public/index.php/post/exploit-development-series-video-1-practical-fuzzing-basics-using-the-sulley-framework