2010
02.21

The Sulley Framework is a great fuzzing tool. One of the best out there in my opinion. Unfortunately, as far as I can tell anyway, development has stopped. Meaning nothing new to the framework… For the last few months, I’ve been doing my best to learn this framework. Let me tell you, it hasn’t always been easy. Not much information out there besides a few basic tutorials.
Something else that is missing is request files. The request file is, in a sense, what makes fuzzing an application possible. There are a few files that come stock with Sulley, but not many. So I’m gonna try and remedy the situation by posting/sharing request files I’ve been able to find and/or create with the help of a few friends.

Sulley Request Files
The Sulley Framework Request File Repository; My hope (in time) is to build a nice collection of files so people trying to learn and use Sulley can have a starting point. I also hope that veterans of the framework will be nice enough to contribute, point out mistakes and send in their own request files they’ve crafted over time. The site is pretty new, and I’m not a web designer. I’ll do my best to update the file list when new ones are created, or sent in.

So I call out to everyone who has experience with this framework to help out the new guys.

Thank you,
loneferret
www.kioptrix.com

2010
02.14

Automated Tool Dependency

A while ago, when I was doing the OSCP course, I learned about shellcode and exploits. During this time, Metasploit’s online shellcode generator was really useful. When it came down to exam time, well, the site was down… No more automated tool, and this during my 24 hour exam. What did I do? A little Google search and presto, I found how to correctly use msfpayload + msfencode. All was well.

Since then, I’ve gone back to using the online tool. Bad idea. I say this because recently, I’ve had to generate some shellcode for an exploit. Of course the automated online tool was down. This forced me once again to re-learn the command line tool. This made me realize two things:
1: We rely way too much on automated tools.
2: Laziness kicks in so very fast.

I mean, it isn’t that hard to use and remember. You just need to type it a few times to get the syntax burned into that gray matter of ours.

msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c

Here’s an example of using both msfpayload and msfencode.
The payload is windows/exec, the CMD is calc.exe and “R” outputs the raw code. We pipe that into msfencode.
The “-b” switch is the list of bad characters, “-e” is the encoder (in this case shikata_ga_nai) and we output to C format using the “-t” switch.
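As an added check (not from this post and not part of Metasploit), the following Python script parses the C-format buffer that msfencode -t c prints, parses the bad-character list given to -b, and reports any forbidden byte that still appears in the output. That is the one thing worth verifying before trusting an encoder run. The sample buffers below are constructed from plain letters (they are not shellcode) and the function names are my own.

```python
import re

# One byte in the "\xHH" notation that msfencode -t c emits and that the
# -b bad-character list uses.
HEX_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_bad_chars(spec):
    """Turn an msfencode -b argument such as '\\x00\\x0a\\x2f\\x5c' into bytes."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(spec))


def parse_c_buffer(text):
    """Collect the byte values of a C-format buffer (the msfencode -t c layout:
    unsigned char buf[] = "\\x..\\x.." "\\x..";) into a bytes object."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(text))


def find_bad_chars(blob, bad):
    """Return (offset, value) for every byte of blob that is in the bad list."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def check_c_output(text, bad_spec):
    """Parse msfencode's C output and report forbidden bytes that slipped through."""
    blob = parse_c_buffer(text)
    return blob, find_bad_chars(blob, parse_bad_chars(bad_spec))


# Constructed sample in the msfencode -t c layout. The bytes are arbitrary
# letters, not shellcode, with a 0x0a and a 0x2f planted so the check fires.
SAMPLE_WITH_BAD_BYTES = r'''
unsigned char buf[] =
"\x41\x42\x43\x44\x0a"
"\x45\x46\x2f\x47\x48";
'''

# Constructed clean sample: none of the bytes listed in BAD_CHARS appear.
SAMPLE_CLEAN = r'''
unsigned char buf[] =
"\x41\x42\x43";
'''

# The same list that is passed to msfencode -b in the command above.
BAD_CHARS = r"'\x00\x0a\x2f\x5c'"

if __name__ == "__main__":
    for label, text in (("with bad bytes", SAMPLE_WITH_BAD_BYTES), ("clean", SAMPLE_CLEAN)):
        blob, hits = check_c_output(text, BAD_CHARS)
        print("%s: %d bytes, %d forbidden byte(s)" % (label, len(blob), len(hits)))
        for offset, value in hits:
            print("  offset %d: \\x%02x" % (offset, value))
```

Pipe the real msfencode output into a file and pass its contents to check_c_output with the same -b string you used; an empty hit list means the encoder honoured the list, a non-empty one means the output would be cut short by the vulnerable parser.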

There are plenty of online resources that can show you how to use it. This is true for every automated tool we are used to using.

Bottom line, if it’s command line and there’s an automated tool… learn the command line first.
You never know when that automated one will be pulled off the air.

2010
02.04

In my previous entry on the Sulley Framework, we took a look at a simple request and session file to fuzz an FTP server. This time we’ll look at what we need to have and do to fuzz a TFTP server. The big difference is that one uses TCP and the other UDP.

By default Sulley will connect to TCP ports. We need to specify that we are trying to fuzz UDP. This is specified in our session file.

from sulley import *  # import everything from Sulley
from requests import tftp  # the TFTP request file (requests/tftp.py)

# proto defaults to "tcp"; set it to "udp" for TFTP
sess = sessions.session(session_filename="audits/tftpserver.session", proto="udp")

# Target IP xxx.xxx.xxx.xxx
target = sessions.target("xxx.xxx.xxx.xxx", <PORT#>)

# network and process monitor agents (default ports 26001 and 26002)
target.netmon = pedrpc.client("xxx.xxx.xxx.xxx", 26001)
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)
target.procmon_options = { "proc_name" : "<PROCESS NAME>" }

sess.add_target(target)
sess.connect(s_get("tftp"))
sess.fuzz()

Once you’ve specified the “proto” parameter, the rest of the session file is pretty much the same as fuzzing any other protocol. Now that you have your session file configured for UDP connections, you’ll need a request file. I found this basic TFTP request file on the Internet here.
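As an added illustration (not the request file this post links to, and not Sulley code), here is a plain Python builder and strict parser for the TFTP read/write request packet that such a request file has to produce, plus a few hand-made mutations of the kind Sulley’s s_string and s_static primitives generate. Running them through the parser shows which ones a well-behaved server should simply reject. The names mutated_requests and survey are my own; the comment in build_tftp_request gives the usual mapping onto Sulley primitives as an assumption, since the actual request file is not reproduced here.

```python
import struct

# TFTP opcodes (RFC 1350); only RRQ and WRQ carry a filename and mode.
OP_RRQ, OP_WRQ = 1, 2
MODES = {"netascii", "octet", "mail"}


def build_tftp_request(opcode, filename, mode="octet"):
    """Build an RRQ/WRQ packet: 2-byte big-endian opcode, filename, NUL, mode, NUL.

    In a Sulley request file the same layout is typically expressed as
    s_word(opcode, endian=">"), s_string(filename), s_static("\\x00"),
    s_string(mode), s_static("\\x00") (assumed mapping, not the page's file)."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("only RRQ (1) and WRQ (2) carry filename/mode")
    return (struct.pack(">H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_tftp_request(data):
    """Strict RRQ/WRQ parser. Every malformed input raises ValueError, which is
    the behaviour we want to see from a server while Sulley mutates the fields."""
    if len(data) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack(">H", data[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("unexpected opcode %d" % opcode)
    fields = data[2:].split(b"\x00")
    # A well-formed body splits into [filename, mode, b""] and nothing else.
    if len(fields) != 3 or fields[2] != b"":
        raise ValueError("filename and mode must each be NUL-terminated")
    filename, mode, _ = fields
    if not filename:
        raise ValueError("empty filename")
    try:
        name_text = filename.decode("ascii")
        mode_text = mode.decode("ascii").lower()
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in filename or mode")
    if mode_text not in MODES:
        raise ValueError("unknown transfer mode %r" % mode_text)
    return {"opcode": opcode, "filename": name_text, "mode": mode_text}


def mutated_requests(base_filename="test.txt", base_mode="octet"):
    """Hand-made mutations (constructed here) in the spirit of what Sulley's
    s_string and s_static primitives generate: oversized string, dropped
    delimiter, junk mode, truncated packet."""
    good = build_tftp_request(OP_RRQ, base_filename, base_mode)
    return {
        "baseline": good,
        "long filename": build_tftp_request(OP_RRQ, "A" * 5000, base_mode),
        "missing NUL": good.replace(b"\x00" + base_mode.encode(), base_mode.encode(), 1),
        "bad mode": build_tftp_request(OP_RRQ, base_filename, "bogus"),
        "truncated": good[:3],
    }


def survey(parser=parse_tftp_request):
    """Feed each mutation to the parser and record whether it was accepted
    (parsed) or rejected (ValueError). Anything else escaping is the kind of
    crash the fuzzer is looking for."""
    results = {}
    for label, packet in mutated_requests().items():
        try:
            parser(packet)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in survey().items():
        print("%-14s %s" % (label, outcome))
```

The long filename case is accepted on purpose: it is a legal packet, and a server that parses it without a fixed-size stack buffer is fine. The three rejected cases are the ones where the mutated string or delimiter breaks the framing, which is exactly where a naive strcpy-style implementation tends to fall over.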



Now that we have our session and request file, there’s one more change that needs to be done before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:

c:\sulley>python network_monitor.py -d X -f "src or dst port XX" -P \\path

Well, since this is UDP and the traffic is only one way, that pcap filter string won’t capture anything. So you’ll need to enter it this way:

c:\sulley>python network_monitor.py -d X -f "udp dst port XX" -P \\path

As with anything script related, this can be improved.

So now you can pretty much follow my previous blog post on Sulley or view the video on kioptrix.com and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz… Here’s a nice little list from exploit-db that you can have fun with.

As always, I’ll try and get a video up demonstrating this. Always fun to make those, and perhaps I’ll actually put the “Benny Hill” theme song… or just sound. One day perhaps.

Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com