
Sulley refactor #99

Open
wants to merge 23 commits into
base: master
from
34969dc
Just an insane amount of refactoring. Mostly just getting things gree…
Fitblip Jun 12, 2014
c6a0c28
Oops, forgot to include the actual changes!
Fitblip Jun 12, 2014
d90779e
Another massive refactor (sessions.py)
Fitblip Jun 13, 2014
756257c
Add helpers
Fitblip Jun 13, 2014
2ab686a
Refactor pgraph stuff
Fitblip Jun 15, 2014
b297f26
Refactor legos
Fitblip Jun 15, 2014
b5fee52
Refactor a bunch of utilities/helpers
Fitblip Jun 15, 2014
aa7f641
Refactor of a bunch of other stuff. No more inspection warnings!
Fitblip Jul 22, 2014
f3c7a83
Replace BaseHTTPServer with flask app.
Fitblip Jul 23, 2014
23362d6
Refactor into templates with actual CSS files.
Fitblip Jul 26, 2014
b762c7d
Fix some OCD crap.
Fitblip Jul 26, 2014
6da9f31
Add some assert fixes and a better repr() method.
Fitblip Jul 26, 2014
5a0ec2c
Missed these in the node -> Node class refactor.
Fitblip Jul 26, 2014
93ed66f
First run at the "new" sulley fuzz definition file.
Fitblip Jul 26, 2014
348968e
Stubs for breaking the fuzzing engine into it's own abstraction
Fitblip Jul 26, 2014
10976e6
Lots of syntactical changes to vmcontrol.
Fitblip Aug 14, 2014
f7f47d0
Only 19 more inspection errors to go! woo hoo!
Fitblip Aug 15, 2014
1d3431c
Add a MustImplementException for people sub-classing a base Fuzzer class
Fitblip Aug 17, 2014
3749f7e
Bug fixes
amoshkina Nov 26, 2014
f567d2a
Fixed assertion if sulley/primitives.py, removed mutable default
amoshkina Nov 26, 2014
5e3355c
Added setup.py
amoshkina Nov 26, 2014
256c21d
Changed type check to isinstance check
amoshkina Nov 27, 2014
0911500
Merge pull request #72 from amoshkina/sulley_refactor
Fitblip Jun 16, 2015
3 changes: 2 additions & 1 deletion .gitignore
@@ -1,3 +1,4 @@
*.pyc
archived_fuzzies/*.session
.idea/
.idea/
testing/
1 change: 0 additions & 1 deletion AUTHORS.txt
Expand Up @@ -6,5 +6,4 @@ Aaron Portnoy <[email protected]>
http://dvlabs.tippingpoint.com/team/aportnoy

Ryan Sears <[email protected]>
http://talesofacoldadmin.com
http://fitblip.github.com/
1 change: 0 additions & 1 deletion docs/generate_epydocs.bat

This file was deleted.

Binary file removed docs/img/crash_paths.gif
Binary file not shown.
Binary file removed docs/img/pcap.gif
Binary file not shown.
Binary file removed docs/img/session_test.gif
Binary file not shown.
Binary file removed docs/img/sulley.jpg
Binary file not shown.
Binary file removed docs/img/sulley_web_interface.gif
Binary file not shown.
894 changes: 0 additions & 894 deletions docs/index.html

This file was deleted.

Binary file removed docs/introducing_sulley.pdf
Binary file not shown.
59 changes: 0 additions & 59 deletions docs/stylesheet.css

This file was deleted.

9 changes: 5 additions & 4 deletions examples/fuzz_trend_control_manager_20901.py
Expand Up @@ -6,12 +6,13 @@
# this was a really half assed fuzz. someone should take it further, see my notes in the requests file for more info.
#

from sulley import *
from sulley import *
# noinspection PyUnresolvedReferences
from requests import trend

########################################################################################################################
sess = sessions.session(session_filename="audits/trend_server_protect_20901.session", sleep_time=.25, log_level=10)
sess.add_target(sessions.target("192.168.181.2", 20901))

sess = sessions.Session(session_filename="audits/trend_server_protect_20901.session", sleep_time=.25, log_level=10)
sess.add_target(sessions.Target("192.168.181.2", 20901))

sess.connect(s_get("20901"))
sess.fuzz()
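Review bot: The new `# noinspection PyUnresolvedReferences` line silences the IDE warning on `from requests import trend` without addressing why the name is unresolved: the example's `requests` package (presumably a sibling directory holding the request definitions, per the comment above) shares its name with the widely installed PyPI `requests` HTTP library, so depending on `sys.path` order the import can resolve to that library and fail with `ImportError: cannot import name trend`. A comment that states the intent would be more useful than the suppression, e.g. `# local request-definition package 'requests', not the PyPI HTTP library`. The same suppression is added in examples/fuzz_trend_server_protect_5168.py and examples/fuzz_trillian_jabber.py.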
37 changes: 19 additions & 18 deletions examples/fuzz_trend_server_protect_5168.py
Expand Up @@ -9,31 +9,33 @@
# network_monitor.py -d 1 -f "src or dst port 5168" -p audits\trend_server_protect_5168
#
# on localhost:
# vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" -x "v:\vmfarm\images\windows\2000\win_2000_pro-clones\TrendM~1\win_2000_pro.vmx" --snapshot "sulley ready and waiting"
# vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" \
# -x "v:\vmfarm\images\windows\2000\win_2000_pro-clones\TrendM~1\win_2000_pro.vmx" \
# --snapshot "sulley ready and waiting"
#
# this key gets written which fucks trend service even on reboot.
# HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion\Engine
#
# uncomment the req/num to do a single test case.
#

import time

from sulley import *
from sulley import utils, s_get, s_mutate, s_render, sessions, pedrpc
# noinspection PyUnresolvedReferences
from requests import trend

req = num = None
#req = "5168: op-3"
#num = "\x04"

def rpc_bind (sock):

def rpc_bind(sock):
bind = utils.dcerpc.bind("25288888-bd5b-11d1-9d53-0080c83a5c2c", "1.0")
sock.send(bind)

utils.dcerpc.bind_ack(sock.recv(1000))


def do_single (req, num):
def do_single(req, num):
import socket

# connect to the server.
Expand All @@ -56,20 +58,20 @@ def do_single (req, num):
print "done."


def do_fuzz ():
sess = sessions.session(session_filename="audits/trend_server_protect_5168.session")
target = sessions.target("192.168.181.133", 5168)
def do_fuzz():
sess = sessions.Session(session_filename="audits/trend_server_protect_5168.session")
target = sessions.Target("192.168.181.133", 5168)

target.netmon = pedrpc.client("192.168.181.133", 26001)
target.procmon = pedrpc.client("192.168.181.133", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)
target.netmon = pedrpc.Client("192.168.181.133", 26001)
target.procmon = pedrpc.Client("192.168.181.133", 26002)
target.vmcontrol = pedrpc.Client("127.0.0.1", 26003)

target.procmon_options = \
{
"proc_name" : "SpntSvc.exe",
"stop_commands" : ['net stop "trend serverprotect"'],
"start_commands" : ['net start "trend serverprotect"'],
}
{
"proc_name": "SpntSvc.exe",
"stop_commands": ['net stop "trend serverprotect"'],
"start_commands": ['net start "trend serverprotect"'],
}

# start up the target.
target.vmcontrol.restart_target()
Expand All @@ -88,7 +90,6 @@ def do_fuzz ():

print "done fuzzing. web interface still running."


if not req or not num:
do_fuzz()
else:
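Review bot: Replacing `from sulley import *` with the explicit list `from sulley import utils, s_get, s_mutate, s_render, sessions, pedrpc` turns any name the file previously picked up implicitly into a `NameError` that only surfaces when the code path runs, and most of `do_single` (old lines 12-56) and the tail of `do_fuzz` are outside this hunk. The visible code uses only `utils`, `sessions` and `pedrpc`, so whether `s_mutate` and `s_render` are needed and whether anything else is missing cannot be confirmed from here; a pyflakes pass over the three edited example scripts would settle it. Since the import list is being curated anyway, `import socket` inside `do_single` could move to the top-level imports alongside `time`, matching the file's own style for the other imports.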
25 changes: 16 additions & 9 deletions examples/fuzz_trillian_jabber.py
Expand Up @@ -9,29 +9,36 @@
# process_monitor.py -c audits\trillian_jabber.crashbin -p trillian.exe
#
# on localhost:
# vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" -x "v:\vmfarm\images\windows\xp\win_xp_pro-clones\allsor~1\win_xp_pro.vmx" --snapshot "sulley ready and waiting"
# vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" \
# -x "v:\vmfarm\images\windows\xp\win_xp_pro-clones\allsor~1\win_xp_pro.vmx" \
# --snapshot "sulley ready and waiting"
#
# note:
# you MUST register the IP address of the fuzzer as a valid MDNS "presence" host. to do so, simply install and
# launch trillian on the fuzz box with rendezvous enabled. otherwise the target will drop the connection.
#

from sulley import *
from sulley import sessions, \
pedrpc, \
s_get

# noinspection PyUnresolvedReferences
from requests import jabber

def init_message (sock):

def init_message(sock):
init = '<?xml version="1.0" encoding="UTF-8" ?>\n'
init += '<stream:stream to="152.67.137.126" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'

sock.send(init)
sock.recv(1024)

sess = sessions.session(session_filename="audits/trillian.session")
target = sessions.target("152.67.137.126", 5298)
target.netmon = pedrpc.client("152.67.137.126", 26001)
target.procmon = pedrpc.client("152.67.137.126", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)
target.procmon_options = { "proc_name" : "trillian.exe" }
sess = sessions.Session(session_filename="audits/trillian.session")
target = sessions.Target("152.67.137.126", 5298)
target.netmon = pedrpc.Client("152.67.137.126", 26001)
target.procmon = pedrpc.Client("152.67.137.126", 26002)
target.vmcontrol = pedrpc.Client("127.0.0.1", 26003)
target.procmon_options = {"proc_name": "trillian.exe"}

# start up the target.
target.vmcontrol.restart_target()
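Review bot: The new import at the top of the hunk uses backslash continuations with one name per line, `from sulley import sessions, \`, where PEP 8 prefers parentheses for implicit continuation and the three names fit on one line: `from sulley import pedrpc, s_get, sessions`. The same backslash-per-name pattern appears in the twelve-line import added in examples/mdns.py; wrapping that one in parentheses, `from sulley import (s_binary, s_block_end, ..., sessions)`, keeps it diff-friendly without the trailing backslashes. The `init_message` callback that follows would also benefit from a one-line docstring saying it sends the opening XMPP stream header and discards the reply, since it is passed as a callback outside this hunk.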
80 changes: 45 additions & 35 deletions examples/mdns.py
Expand Up @@ -3,13 +3,23 @@
# A partial MDNS fuzzer. Could be made to be a DNS fuzzer trivially
# Charlie Miller <[email protected]>

from sulley import *
from binascii import *
from struct import *
from sulley import s_word, \
s_initialize, \
sessions, \
s_block_start, \
s_size, \
s_block_end, \
s_string, \
s_repeat, \
s_group, \
s_dword, \
s_binary, \
s_get

def insert_questions (sess, node, edge, sock):
node.names['Questions'].value = 1+node.names['queries'].current_reps
node.names['Authority'].value = 1+node.names['auth_nameservers'].current_reps

def insert_questions(sess, node, edge, sock):
node.names['Questions'].value = 1 + node.names['queries'].current_reps
node.names['Authority'].value = 1 + node.names['auth_nameservers'].current_reps

s_initialize("query")
s_word(0, name="TransactionID")
Expand All @@ -19,50 +29,50 @@ def insert_questions (sess, node, edge, sock):
s_word(1, name="Authority", endian='>')
s_word(0, name="Additional", endian='>')

######### Queries ################
# ######## Queries ################
if s_block_start("query"):
if s_block_start("name_chunk"):
s_size("string", length=1)
if s_block_start("string"):
s_string("A"*10)
s_block_end()
s_block_end()
s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName")
if s_block_start("name_chunk"):
s_size("string", length=1)
if s_block_start("string"):
s_string("A" * 10)
s_block_end()
s_block_end()
s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName")

s_group("end", values=["\x00", "\xc0\xb0"]) # very limited pointer fuzzing
s_word(0xc, name="Type", endian='>')
s_word(0x8001, name="Class", endian='>')
s_group("end", values=["\x00", "\xc0\xb0"]) # very limited pointer fuzzing
s_word(0xc, name="Type", endian='>')
s_word(0x8001, name="Class", endian='>')
s_block_end()
s_repeat("query", 0, 1000, 40, name="queries")


######## Authorities ############
if s_block_start("auth_nameserver"):
if s_block_start("name_chunk_auth"):
s_size("string_auth", length=1)
if s_block_start("string_auth"):
s_string("A"*10)
s_block_end()
s_block_end()
s_repeat("name_chunk_auth", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName_auth")
s_group("end_auth", values=["\x00", "\xc0\xb0"]) # very limited pointer fuzzing
if s_block_start("name_chunk_auth"):
s_size("string_auth", length=1)
if s_block_start("string_auth"):
s_string("A" * 10)
s_block_end()
s_block_end()
s_repeat("name_chunk_auth", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName_auth")
s_group("end_auth", values=["\x00", "\xc0\xb0"]) # very limited pointer fuzzing

s_word(0xc, name="Type_auth", endian='>')
s_word(0x8001, name="Class_auth", endian='>')
s_dword(0x78, name="TTL_auth", endian='>')
s_size("data_length", length=2, endian='>')
if s_block_start("data_length"):
s_binary("00 00 00 00 00 16 c0 b0") # This should be fuzzed according to the type, but I'm too lazy atm
s_block_end()
s_word(0xc, name="Type_auth", endian='>')
s_word(0x8001, name="Class_auth", endian='>')
s_dword(0x78, name="TTL_auth", endian='>')
s_size("data_length", length=2, endian='>')
if s_block_start("data_length"):
s_binary("00 00 00 00 00 16 c0 b0") # This should be fuzzed according to the type, but I'm too lazy atm
s_block_end()
s_block_end()
s_repeat("auth_nameserver", 0, 1000, 40, name="auth_nameservers")

s_word(0)

sess = sessions.session(proto="udp")
target = sessions.target("224.0.0.251", 5353)
sess = sessions.Session(proto="udp")
target = sessions.Target("224.0.0.251", 5353)
sess.add_target(target)
sess.connect(s_get("query"), callback=insert_questions )
sess.connect(s_get("query"), callback=insert_questions)

sess.fuzz()
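Review bot: `insert_questions(sess, node, edge, sock)` is reformatted but still has no docstring, and it is registered as a pre-send callback far below via `sess.connect(s_get("query"), callback=insert_questions)`, so a reader has to reconstruct its purpose from the two assignments. A docstring such as `"""Pre-send callback: set the Questions and Authority header counts to 1 plus the current repeat count of the 'queries' and 'auth_nameservers' blocks."""` states what the visible code does; `sess`, `edge` and `sock` appear to be unused and only present to satisfy the callback signature, which is worth saying in the same docstring. The commit also drops `from binascii import *` and `from struct import *`; the portion of the file visible here uses none of those names, but old lines 16-18 are outside the hunk, so a quick pyflakes run would confirm nothing still depends on them.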
