This document provides an overview of fuzzing techniques and the Sulley fuzzing framework. It begins with definitions of fuzzing and of different fuzzing techniques: static test cases, randomized fuzzing, and mutation-based fuzzing. The rest of the document shows how to set up and use the Sulley framework to fuzz protocols such as HTTP and file formats. It includes explanations of the Sulley API and of how to generate test cases, monitor for crashes, and analyze results. Examples are given of fuzzing HTTP servers and file formats.
3. Agenda
0x01 What is Fuzzing ?
0x02 Fuzzing Techniques
0x03 Intelligent Mutation
0x04 Sulley fuzzing framework
0x05 Setup the Weapon
0x06 Demo Fuzzing HTTP and FTP
0x07 Demo Fuzzing File Format
0x08 Q / A ?
4. 0x01 What is Fuzzing ?
Fuzzing is simply a software testing mechanism that sends malformed input to a protocol implementation, such as a web application or a file format parser (PDF, MS Word, etc.).
Fuzzing is a useful research technique for identifying vulnerabilities.
Fuzzing is an essential part of the Software Development Lifecycle (SDL).
5. 0x02 Fuzzing Techniques
Static Test Case
• Information collection; the analyst identifies individual tests
• Test case stored as a file that can be sent to the target, often a binary file
• Lots of up-front development time
• Scope of the test limited by the analyst's creativity
Randomized
• Starts with a valid frame
• Selected portions replaced with randomized data
• Simple to develop and utilize
• No protocol knowledge needed
• Infinite run-time process
• Difficult to pin-point the cause of a crash
6. 0x02 Fuzzing Techniques CONT.
Mutation
• No protocol analysis
• Mutates one byte/short/long at a time
• History of success, but limited at testing parsing flaws in strings and delimiters
• Quick to get started using fuzzing tools
• Finite runtime, stopping after it exhausts all mutations
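The mutation technique above, as an added example (not code from the slides or from Sulley): a valid frame is kept intact except for one byte, short or long at a time, which is replaced by a boundary pattern. The frame layout, the widths and the pattern set are constructed assumptions; the point is that the run is finite (positions x widths x patterns) and needs no protocol knowledge.

```python
import struct

# Struct codes for the three field widths the technique mutates: byte / short / long.
WIDTHS = {8: "B", 16: "H", 32: "I"}


def boundary_patterns(bits):
    """Bit patterns to substitute into a field of `bits` width: zero, one,
    the two values around the sign-bit flip, and the top two all-ones values."""
    umax = (1 << bits) - 1
    smax = (1 << (bits - 1)) - 1
    return sorted({0, 1, smax, smax + 1, umax - 1, umax})


def mutate_frame(frame, byteorder="<"):
    """Generate every mutant of a valid frame that replaces one byte, short or
    long at a time. Yields (offset, bits, pattern, mutant); the mutant keeps the
    original length so only the field's value changes, not the framing."""
    for bits, code in WIDTHS.items():
        size = bits // 8
        for offset in range(len(frame) - size + 1):
            for pattern in boundary_patterns(bits):
                field = struct.pack(byteorder + code, pattern)
                yield offset, bits, pattern, frame[:offset] + field + frame[offset + size:]


def mutation_count(frame):
    """Closed form of the run length: the technique is finite because it is
    just positions x widths x patterns."""
    total = 0
    for bits in WIDTHS:
        positions = max(0, len(frame) - bits // 8 + 1)
        total += positions * len(boundary_patterns(bits))
    return total


# Constructed sample: a made-up 12-byte record, magic + little-endian length + payload.
VALID_FRAME = b"FUZZ" + struct.pack("<I", 4) + b"data"


if __name__ == "__main__":
    for offset, bits, pattern, mutant in mutate_frame(VALID_FRAME):
        print("offset=%2d width=%2d pattern=%10d %r" % (offset, bits, pattern, mutant))
    print("total mutants:", mutation_count(VALID_FRAME))
```

For the 12-byte sample this is 192 mutants and then the run stops, which is the "finite runtime" property on the slide; the same loop over a randomized replacement would never terminate.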
10. 0x03 Intelligent Mutation
• Describes a protocol and tests permutations
• Protocol “grammar”
• Identifies fields
• Lots of up-front time analyzing (the protocol is defined and that knowledge is used to build a protocol “grammar”)
• Best method for comprehensive code-reaching tests
11. 0x03.1 Intelligent Mutation
What to test ?
• Using intelligent mutation.
• The analyst selects permutations (selecting the fields and data permutations for each individual test case)
• Randomly inserting new data will have limited value in testing, discovering only “surface” vulnerabilities.
• For more comprehensive analysis, target specific fields (such as specific header fields)
12. 0x03.2 Intelligent Mutation
What to test ?
• Signed and Unsigned Integers
• Signed integers => Positive(+) and Negative(-)
• Unsigned integers => Positive(+) only
• MSB (Most Significant Bit) is the sign bit (+/-) when signed
Value   Signed   Unsigned (32-bit)
 1       1        1
-1      -1        4294967295
What happens ?
memcpy(destptr,srcptr,-1);
13. 0x03.3 Intelligent Mutation
What to test ?
• Integer Underflow
Index:             -4 -3 -2 -1 | 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 |
Memory:  Other declarations    | <------------------------- Array ---------------------------> | Other memory
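What the two slides above describe, as an added example (not code from the slides): how -1 becomes 4294967295 when a signed value lands in a 32-bit unsigned parameter such as memcpy's length, and the checks a callee needs so that a reinterpreted length or a negative index is rejected rather than used. checked_copy and checked_index are constructed models of the C calls, written here in Python.

```python
def as_unsigned(value, bits):
    """The number a `bits`-wide unsigned field holds when `value` is stored in
    it: what a C callee sees when -1 is passed as size_t."""
    return value & ((1 << bits) - 1)


def as_signed(pattern, bits):
    """The other direction: the signed value of an unsigned bit pattern (MSB set => negative)."""
    pattern &= (1 << bits) - 1
    return pattern - (1 << bits) if pattern >> (bits - 1) else pattern


def checked_copy(dst, src, length, bits=32):
    """Model of memcpy(dst, src, length) on a platform whose size_t is `bits`
    wide. The length check is what the slide's call lacks: -1 arrives as
    4294967295, far beyond either buffer, and is rejected instead of copied."""
    n = as_unsigned(length, bits)
    if n > len(src) or n > len(dst):
        raise ValueError("length %d exceeds buffers (src=%d, dst=%d)" % (n, len(src), len(dst)))
    dst[:n] = src[:n]
    return n


def checked_index(array, index):
    """Bounds check that rejects negative as well as too-large indexes. In C,
    array[-4] silently reads the 'other declarations' placed before the array."""
    if not 0 <= index < len(array):
        raise IndexError("index %d outside [0, %d)" % (index, len(array)))
    return array[index]


if __name__ == "__main__":
    for value in (1, -1):
        print("%3d signed -> %10d unsigned (32-bit)" % (value, as_unsigned(value, 32)))
    dst = bytearray(16)
    try:
        checked_copy(dst, b"A" * 16, -1)
    except ValueError as err:
        print("rejected:", err)
```

The same reasoning applies to 16- and 64-bit fields (pass bits=16 or 64): the fuzzer sends -1, the parser's arithmetic decides what it means.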
16. 0x03.6 Intelligent Mutation
What to test ?
• Directory Traversal
What happens ?
“../../../../../../../../../../etc/passwd” ?
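The check a file-serving parser needs against the traversal case above, as an added example (not from the slides): the requested path is joined onto the document root and anything that resolves outside the root is refused. The base directory and request strings are constructed; the slide's traversal string is one of them.

```python
import os.path


def resolve_under_base(base_dir, requested):
    """Map a client-supplied path onto base_dir and refuse any result that
    escapes it. Returns the absolute path, or None when the request escapes
    (for example via '../' segments)."""
    base = os.path.abspath(base_dir)
    # join() would discard `base` if `requested` were absolute, so strip leading separators
    candidate = os.path.abspath(os.path.join(base, requested.lstrip("/\\")))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


# Constructed requests, the slide's traversal string among them.
SAMPLE_REQUESTS = [
    "docs/index.html",
    "docs/../docs/readme.txt",
    "../../../../../../../../../../etc/passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("%-45s -> %s" % (req, resolve_under_base("/srv/www", req)))
```

abspath() only normalises the string; where the document root can contain symbolic links, resolve both sides with os.path.realpath() before the prefix comparison, otherwise a link inside the root can still point outside it.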
17. 0x04 Sulley Fuzzing Framework
Leveraging
• Framework for describing a protocol (grammar)
• Delivers protocol mutations based on the grammar
- Monitors the process, logs traffic
- Controls VMs to reset the target
- Assists in analysis of crashes
• Written in Python
• Full functionality on Windows only
29. 0x04.C Sulley Fuzzing Framework
Sessions
• Identify the fuzzer name with s_initialize()
• Can join multiple fuzzers
• One or more targets with control options
• Over TCP, UDP or SSL
• Uses graph theory to fuzz each component
30. 0x04.D Sulley Fuzzing Framework
Sessions
• Add a fuzzer to the session using connect()
• The fuzzer is looked up by name with s_get()
- Name from s_initialize()
• Multiple nodes
- mysess.connect(s_get("FOO"), s_get("BAR"), s_get("BAZ"))
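How the session graph on the two slides above turns into test cases, as an added example: a simplified model written for this page, not Sulley's code. Named requests (what s_initialize()/s_get() name) are connected into a graph; for every node the baselines of the requests on the path to it are replayed unchanged and then each mutation of that node is sent, so the target is in the right state when the mutated message arrives. connect() accepting a whole chain, the string cases and the FTP-shaped sample session are constructed assumptions.

```python
class Request:
    """A named request with its baseline rendering and the mutations its
    primitives would produce."""

    def __init__(self, name, baseline, mutations):
        self.name = name
        self.baseline = baseline
        self.mutations = list(mutations)


class SessionGraph:
    """Directed graph of requests hung off a virtual root node."""

    ROOT = "__root__"

    def __init__(self):
        self.requests = {}
        self.edges = {self.ROOT: []}

    def connect(self, *chain):
        """connect(A) attaches A to the root; connect(A, B, C) adds A->B and B->C."""
        prev = self.ROOT
        for req in chain:
            self.requests.setdefault(req.name, req)
            self.edges.setdefault(req.name, [])
            if req.name not in self.edges[prev]:
                self.edges[prev].append(req.name)
            prev = req.name

    def paths(self):
        """Every root-to-node path, depth first, as lists of request names."""
        found = []

        def walk(node, prefix):
            for nxt in self.edges.get(node, []):
                path = prefix + [nxt]
                found.append(path)
                walk(nxt, path)

        walk(self.ROOT, [])
        return found

    def test_cases(self):
        """Yield (path, messages): baselines of the requests leading to a node,
        followed by one mutation of that node. Only the last node is fuzzed."""
        for path in self.paths():
            prefix = [self.requests[name].baseline for name in path[:-1]]
            for mutation in self.requests[path[-1]].mutations:
                yield path, prefix + [mutation]


def string_cases(keyword, value):
    """Stand-in for what a string primitive generates for `value`: the original,
    an over-long string and an empty string, each framed as 'keyword value\\r\\n'."""
    return ["%s %s\r\n" % (keyword, v) for v in (value, "A" * 1024, "")]


def build_demo_session():
    """Constructed FTP-shaped session: USER -> PASS -> CWD, plus QUIT off the root."""
    user = Request("USER", "USER anonymous\r\n", string_cases("USER", "anonymous"))
    pasw = Request("PASS", "PASS guest\r\n", string_cases("PASS", "guest"))
    cwd = Request("CWD", "CWD /pub\r\n", string_cases("CWD", "/pub"))
    quit_ = Request("QUIT", "QUIT\r\n", ["QUIT\r\n", "QUIT" + "A" * 1024 + "\r\n"])
    sess = SessionGraph()
    sess.connect(user, pasw, cwd)
    sess.connect(quit_)
    return sess


if __name__ == "__main__":
    for path, messages in build_demo_session().test_cases():
        print("->".join(path), [m[:24] for m in messages])
```

Delivering the messages over TCP, UDP or SSL and resetting the target between cases is what the session's targets and agents do in Sulley; this model stops at producing the ordered messages.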
33. 0x04.11 Sulley Fuzzing Framework
Session Agents
• netmon: capture libpcap file
• procmon: monitor process for faults
• vmcontrol: start, stop, and reset guest; take, delete and restore snapshots
34. 0x04.12 Sulley Fuzzing Framework
Steps for Running Sulley
• Start procmon.py
• Start netmon.py
• Start the target software
• Start the fuzzing script
• Monitor status with the web UI
• And !!!!!!
35. 0x04.13 Sulley Fuzzing Framework
Post-Mortem Analysis
• Sulley includes two tools to help in assessing session results
• pcap_cleaner.py: cleans the pcaps/ directory against the crash bin
• crashbin_explorer.py: navigate, examine and graph crash data
39. 0x05.1 Setup the Weapon
2. Install Git to clone Sulley, or download it from the link
- https://github.com/OpenRCE/sulley.git
- https://github.com/OpenRCE/sulley
3. Before setting up Sulley, install setuptools (easily download, build, install, upgrade, and uninstall Python packages) from https://pypi.python.org/pypi/setuptools
=> python setup.py install
4. Now go to the sulley directory and install
40. 0x05.2 Setup the Weapon
5. Netmon Agent
- Requires WinPcap/Libpcap, Impacket and pcapy
- WinPcap => I install Wireshark
- Impacket => https://github.com/CoreSecurity/impacket
- Pcapy => https://github.com/CoreSecurity/pcapy
- Download https://github.com/develersrl/gccwinbinaries/releases/download/v1.1/gcc-mingw-4.3.3-setup.exe and install it.
- And now run network_monitor.py to test, but: Error
- Re-install pcapy, but: Error pcap.h Not Found
41. 0x05.3 Setup the Weapon
- Solution
1. Download the WinPcap developer pack from https://www.winpcap.org/devel.htm
2. pip install pcapy --global-option=build_ext --global-option="-LC:\Path to WpdPack_4_1_2\Lib" --global-option="-IC:\Path to WpdPack_4_1_2\WpdPack\Include"
Ref: https://stackoverflow.com/questions/22996098/trouble-installing-pcapy-on-windows-7-cannot-open-include-file-pcap-h
42. 0x05.4 Setup the Weapon
6. Procmon Agent
Require:
- pefile (Python library for inspecting the PE file format)
- https://code.google.com/p/pefile/downloads/list
- pydasm (Python library for disassembling binary code)
- https://code.google.com/p/pefile/downloads/list
- paimei (reverse engineering framework written in Python), optional
- https://github.com/OpenRCE/paimei/archive/master.zip
- pydbg (pure-Python win32 debugger interface)
- https://github.com/Fitblip/pydbg
- Runs on Windows only
- And now run process_monitor.py
Ref: https://github.com/OpenRCE/sulley/wiki/Windows-Installation
   : http://www.securityaddicted.com/tag/pydbg/
43. 0x05.5 Setup the Weapon
7. For File Format Fuzzing
Require:
- WinDbg
- MSEC Debugger Extension: !exploitable
X86 https://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi
X64 https://msdl.microsoft.com/download/symbols/debuggers/dbg_amd64_6.11.1.404.msi
46. 0x07 Fuzzing File Formats
• File Format => Very complex protocol
• On proprietary file formats (opportunities and challenges) such as MS Word, Open Office Writer, OS X Pages.app
• Leveraging Sulley for file format fuzzing?
• Automated and custom mutation delivery
47. 0x07.1 Fuzzing File Formats
Monitoring the process
• Debugger to watch exit status
• Watch return status with crash.exe
• Custom code with Python + Pydbg
• Code must automate process termination, exception handling, logging
49. 0x07.3 Fuzzing File Formats
WinDbg Exploitability Index
• WinDbg - Microsoft Security Engineering Team (MSEC) debugger; user-mode and kernel-mode debugging
• Use the extension: !exploitable measurement
• Reliable for “EXPLOITABLE”; needs more analysis for “NOT EXPLOITABLE” or “UNKNOWN”
51. 0x07.5 Fuzzing File Formats
Microsoft Console Debugger
• Console-based interface to WinDbg, included with Debugging Tools for Windows
• Report on “!exploitable”
• Helps in automating analysis and logging
52. 0x07.6 Fuzzing File Formats
Automating CDB
• WinDbg GUI tool, provides a console-based version known as “cdb”
for /L %i in (0,1,1075) do @"c:\Program Files\Debugging Tools for Windows (x86)\cdb.exe" -aMSEC.dll -c ".logopen case-%i.pls.log; g; !exploitable -m; .logclose" "c:\Program Files\Yahoo!\Player\YPlayer.exe" pls-fuzz\pls\case-%i.pls
for /L %i in (0,0,0) do @wmic process where (name="cdb.exe") delete && ping -n 6 127.0.0.1 > nul
(The second loop, with step 0, runs forever: it kills any running cdb.exe and then sleeps about five seconds via ping, so a case that hangs or exits without crashing does not block the first loop.)
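The same automation in Python, as an added example (not code from the slides): one function builds the cdb invocation the batch line above runs, one runs a case with a timeout in place of the wmic kill loop, one parses the KEY:VALUE lines that "!exploitable -m" writes, and one buckets the cases by classification. The debugger and target paths follow the slide but are constructed; the field names in the parsed log (CLASSIFICATION, BUG_TITLE, EXCEPTION_CODE, ...) and the sample log are assumptions about the machine-readable output, and the parser works on any KEY:VALUE lines regardless.

```python
import os
import subprocess

# Constructed paths following the slide's batch loop; adjust to the install in use.
CDB = r"C:\Program Files\Debugging Tools for Windows (x86)\cdb.exe"
TARGET = r"C:\Program Files\Yahoo!\Player\YPlayer.exe"


def build_cdb_command(case_path, log_path):
    """argv form of the slide's cdb line: load MSEC.dll, run the target on one
    case, log '!exploitable -m', then quit ('q' is added so cdb exits on its
    own once the target exits; the slide kills cdb from a second loop instead)."""
    script = ".logopen %s; g; !exploitable -m; .logclose; q" % log_path
    return [CDB, "-aMSEC.dll", "-c", script, TARGET, case_path]


def parse_exploitable_log(text):
    """Collect the KEY:VALUE lines that '!exploitable -m' writes into a dict,
    skipping the debugger's own chatter (prompts, ModLoad lines, banners)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key.isupper() and key.replace("_", "").isalpha():
            fields[key] = value.strip()
    return fields


def run_case(case_path, log_path, timeout=30):
    """Run one case under cdb and return its parsed fields ({} when no log was
    written). A hung case is killed after `timeout` seconds, which replaces
    the slide's wmic loop. Needs cdb.exe on Windows; not exercised offline."""
    try:
        subprocess.run(build_cdb_command(case_path, log_path), timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        pass  # subprocess.run has already killed the child at this point
    if not os.path.exists(log_path):
        return {}
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        return parse_exploitable_log(fh.read())


def triage(results):
    """Bucket case names by CLASSIFICATION so EXPLOITABLE ones are reviewed
    first; cases whose log carried no classification are filed under NO_CRASH."""
    buckets = {}
    for case, fields in results.items():
        buckets.setdefault(fields.get("CLASSIFICATION", "NO_CRASH"), []).append(case)
    return buckets


# Constructed sample of what one case-N.pls.log might contain after a crash.
SAMPLE_LOG = """\
Opened log file 'case-17.pls.log'
(1a2c.1b30): Access violation - code c0000005 (first chance)
0:000> !exploitable -m
IDENTITY:HostMachine\\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x41414141
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
BUG_TITLE:Read Access Violation on Control Flow starting at Unknown Symbol @ 0x41414141
CLASSIFICATION:EXPLOITABLE
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed log; run_case() needs cdb on Windows.
    parsed = parse_exploitable_log(SAMPLE_LOG)
    print(triage({"case-17.pls": parsed, "case-18.pls": {}}))
```

As the slide on the exploitability index says, only the EXPLOITABLE bucket can be taken at face value; NOT EXPLOITABLE and UNKNOWN cases still need manual analysis, so keep their logs rather than discarding them. Quote the log path in the .logopen command if it contains spaces.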
53. 0x07.7 Fuzzing File Formats
File Fuzzing with Sulley
• Sulley does not automate application launch or file delivery. We perform these manually with a custom script or shell command.
56. 0x08.1 Sulley Fuzzing Framework
Tip / Trick
- Run as Administrator or root
- The time delay for file fuzzing can be adjusted as necessary
- For file fuzzing, keep your mouse here while testing
- For file fuzzing, copy MSEC.dll to “C:\Program Files\Debugging Tools for Windows (x86)\winext”
- Running msec.dll gives an error because the 1.6 version of !exploitable was compiled in Visual Studio 12 using the CRT 11 runtime; install https://www.microsoft.com/en-us/download/confirmation.aspx?id=30679
Ref: http://webcache.googleusercontent.com/search?q=cache:WLXxWXjg6KcJ:msecdbg3.rssing.com/chan-8052127/all_p2.html+&cd=5&hl=th&ct=clnk&gl=th