程序博客网 > 有关网络得现代诗歌

Fuzz - Sulley Framework

来源:互联网 发布:有关网络得现代诗歌 编辑:程序博客网 时间:2024/05/18 03:52
OS Name:                   Microsoft Windows XP ProfessionalOS Version:                5.1.2600 Service Pack 3 Build 2600

Install Sulley Framework

https://github.com/OpenRCE/sulley/wiki/Windows-Installation

Create a new fuzz Program

Write the following code to file fuzz_pcmanftpd.py

# Video 1 Practical Fuzzing Basic using the Sulley Framework# https://www.exploit-db.com/exploits/37731/# C:\Fuzzing\sulley>python network_monitor.py -d 0 -f "port 21" -P audit# C:\Fuzzing\sulley>python process_monitor.py -c audit\pcmanftpd_crashbin -p "PCManFTPD2.exe""""220 PCMan's FTP Server 2.0 Ready.USER anonymous331 User name okay, need password.PASS password12345230 User logged inPORT 192,168,1,106,206,27200 Command okay.STOR demo2.txt150 File status okay; Open data connection.226 Data Sent okay.PORT 192,168,1,106,206,28200 Command okay.LIST150 File status okay; Open data connection.226 Data Sent okay.PORT 192,168,1,106,206,29200 Command okay.RETR demo2.txt150 File status okay; Open data connection.226 Data Sent okay.QUIT"""from sulley import *# General Overview# 1. Create requests (define fuzzing grammar)# 2. Define sessions# 3. Define target# 4. Fuzz!# s_initialize - Construct a new request# s_static ("USER") - A string that is static (umutated) and does not get fuzzed# s_delin(" ") - A delimiter that can be fuzzed. Will have different mutations that using s_string# s_string("anonymous") - A string that will be mutated. Includes more mutations than s_delim# -------------------------------------------------------------------# Grammar to be testeds_initialize("user")s_static("USER")s_delim(" ", fuzzable=False)s_string("anonymous")s_static("\r\n")s_initialize("pass")s_static("PASS")s_delim(" ", fuzzable=False)s_string("pass12345")s_static("\r\n")s_initialize("put")s_static("PUT")s_delim(" ", fuzzable=False)s_string("fuzz_strings")s_static("\r\n")s_initialize("stor")s_static("STOR")s_delim(" ", fuzzable=True)s_string("AAAA")s_static("\r\n")s_initialize("mkd")s_static("MKD")s_delim(" ", fuzzable=False)s_string("AAAA")s_static("\r\n")# -------------------------------------------------------------------# Define pre_send function. Will be executed right after the three-way handshakedef receive_ftp_banner(sock):    sock.recv(1024)# -------------------------------------------------------------------# Define session# Session parametersSESSION_FILENAME = "pcmanftpd-session"  # Keeps track of the current fuzzing stateSLEEP_TIME = 0.5                        # Pause between two fuzzing attemptsTIMEOUT = 5                             # Fuzzer will time out after 5 seconds of no connectionCRASH_THRESHOLD = 4                     # After 4 crashes parameter will be skippedmysession = sessions.session(    session_filename=SESSION_FILENAME,    sleep_time=SLEEP_TIME,    timeout=TIMEOUT,    crash_threshold=CRASH_THRESHOLD)mysession.pre_send = receive_ftp_bannermysession.connect(s_get("user"))mysession.connect(s_get("user"), s_get("pass"))mysession.connect(s_get("pass"), s_get("stor"))mysession.connect(s_get("pass"), s_get("mkd"))mysession.connect(s_get("pass"), s_get("put"))# -------------------------------------------------------------------# Draw graph representing the fuzzing paths.with open("session_test.udg", "w+") as f:    f.write(mysession.render_graph_udraw())# -------------------------------------------------------------------# Just some overview outputprint("Number of mutation during one case: %s\n" % str(s_num_mutations()))print("Total number of mutations: %s\n" % str(s_num_mutations() * 5))decision = raw_input("Do you want to continue?(y/n): ")if decision == "n":    exit()# -------------------------------------------------------------------# Define target paramstershost = "192.168.1.107"ftp_port = 21netmon_port = 26001procmon_port = 26002target = sessions.target(host, ftp_port)target.procmon = pedrpc.client(host, procmon_port)target.netman = pedrpc.client(host, netmon_port)target.procmon_options = {    "proc_name": "pcmanftpd2.exe",    "stop_commands": ["wmic process where (name='PCManFTPD2.exe') call terminate"],    "start_commands": ["C:\\PCManFTP\\PCManFTPD2.exe"]}# Add target to the sessionmysession.add_target(target)# -------------------------------------------------------------------# Lets get rollinprint("Starting fuzzing now")mysession.fuzz()# Starts the fuzzing process and# also the web interface (http://127.0.0.1:26000) to see the current state

Fuzz Structure

fuzz structure

Starts fuzzing

process_monitor

network_monitor

Check fuzz results

Fuzz results

We can access http://127.0.0.1:26000/view_crash/2 for crash details.

[INVALID]:41414141 Unable to disassemble at 41414141 from thread 720 caused access violationwhen attempting to read from 0x41414141CONTEXT DUMP  EIP: 41414141 Unable to disassemble at 41414141  EAX: 00000000 (         0) -> N/A  EBX: 00000000 (         0) -> N/A  ECX: 00000000 (         0) -> N/A  EDX: 0000000b (        11) -> N/A  EDI: 00000004 (         4) -> N/A  ESI: 0012edc4 (   1240516) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)  EBP: 00a31c30 (  10689584) -> UCP+DDIQA&U$`A1A1aC  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)  +00: 41414141 (1094795585) -> N/A  +04: 41414141 (1094795585) -> N/A  +08: 41414141 (1094795585) -> N/A  +0c: 41414141 (1094795585) -> N/A  +10: 41414141 (1094795585) -> N/A  +14: 41414141 (1094795585) -> N/Adisasm around:    0x41414141 Unable to disassembleSEH unwind:    0012fec0 -> USER32.dll:7e44048f push ebp    0012ffb0 -> USER32.dll:7e44048f push ebp    0012ffe0 -> PCManFTPD2.exe:004185bc push ebp    ffffffff -> kernel32.dll:7c839ac0 push ebp

References

https://github.com/OpenRCE/sulley/wiki/Windows-Installation
http://pen-testing.sans.org/blog/pen-testing/2011/12/05/fuzzing-in-a-penetration-test
http://www.dfate.de/public/index.php/post/exploit-development-series-video-1-practical-fuzzing-basics-using-the-sulley-framework

0 0
有关网络得现代诗歌 有关网络得现代诗歌
原创粉丝点击
热门IT博客
大圣归来豆瓣知乎大圣归来豆瓣知乎
淘宝装修视频淘宝装修视频
coc法师升级数据
cda数据分析师书籍
天书残卷辅助软件
淘宝旗舰店药是正品吗
opencv图像融合算法
java图片转base64
stc单片机简介
wifi密码备份软件
串口数据采集实时显示
扬州大学网络报修
网站登录 源码
淘宝下单失败怎么回事
网线粗细 影响网络吗?
舞蹈服装大全淘宝网
mac无法更新flash
服装终端数据分析报告
域名.网址
n8设计软件虚拟机
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 钓椅推荐 二手钓椅 自做钓椅 钓椅报价 钓椅品牌排行榜 钓椅和钓箱哪个更实用 钓椅包 钓椅包背包 钓椅大全 自制钓鱼椅 钓椅品牌 自制钓椅的制作方法 买钓箱好还是钓椅好 钓椅和钓箱哪个好 钓椅配件大全 钓椅批发 钓椅好还是钓箱好 台钓椅 钓椅图片 佳钓尼钓椅 钓鱼椅 哪个牌子的钓椅好 什么牌子的钓椅好 哪个牌子钓椅好 什么牌子钓椅好 佳钓尼 钓椅 什么牌钓椅好 钓椅炮台 佳钓尼台钓椅 钩鱼椅 钓台钓椅钓箱 我飞钓椅 钓椅和钓箱 性价比高的钓椅 钓椅饵料盘 好钓椅 新款钓鱼椅 改装钓椅 如何制作钓椅 钓鱼凳 电子经纬仪价格

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里