2010
02.04

In my previous entry on the Sulley Framework, we took a look at a simple request and session file to fuzz a FTP server. This time we’ll look at what we need to have and do to fuzz a TFTP server. The big difference is one uses the TCP protocol and the other UDP.

By default Sulley will connect to TCP ports. We need to specify that we are trying to fuzz UDP. This is specified in our session file.

from sulley import * # import everything from Sulley

from requests import tftp

sess = sessions.session(session_filename=”audits/tftpserver.session”,proto=”udp”)

#Target IP xxx.xxx.xxx.xxx

target = sessions.target(“xxx.xxx.xxx.xxx”, <
PORT#>)

target.netmon = pedrpc.client(“xxx.xxx.xxx.xxx”, 26001)

target.procmon = pedrpc.client(“xxx.xxx.xxx.xxx”, 26002)

target.procmon_options = { “proc_name” : “<
PROCESS NAME>” }

sess.add_target(target)

sess.connect(s_get(“tftp”))

sess.fuzz()

Once you’ve specified the “proto” parameter, the rest of the session file is pretty much the same as fuzzing any other protocol. Now that you have you session file configured for UDP connections, you’ll need a request file. I found this basic file TFTP request file on the Internet here.



Now that we have our session and request file. There’s one more change that needs to be done before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:

c:\sulley>python network_monitor.py -d X -f “src or dst port XX” -P \\path

Well since this is UDP and the traffic is only one way, the pcap string won’t capture anything. So you’ll need to enter it this way:

c:\sulley>python network_monitor.py -d X -f “udp dst port XX” -P \\path

As with anything script related, this can be improved.

So know you can pretty much follow my previous blog post on Sully or view the video on kioptrix.com and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz… Here’s a nice little list from exploit-db that you can have fun with.

As always, I’ll try and get a video up demonstrating this. Always fun to make those, and perhaps I’ll actually put the “Benny Hill” theme song… or just sound. One day perhaps.

Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com