2010
02.04

In my previous entry on the Sulley Framework, we took a look at a simple request and session file to fuzz an FTP server. This time we'll look at what we need to have and do to fuzz a TFTP server. The big difference is that FTP runs over TCP while TFTP runs over UDP.

By default Sulley connects to TCP ports, so we need to tell it that we are fuzzing UDP. This is specified in our session file.

from sulley import *   # import everything from Sulley
from requests import tftp   # the TFTP request file (defines the "tftp" request)

# proto="udp" is the one change from a TCP session file
sess = sessions.session(session_filename="audits/tftpserver.session", proto="udp")

# Target IP xxx.xxx.xxx.xxx
target = sessions.target("xxx.xxx.xxx.xxx", <PORT#>)

# PED-RPC network and process monitor agents running on the target host
target.netmon = pedrpc.client("xxx.xxx.xxx.xxx", 26001)
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)
target.procmon_options = { "proc_name" : "<PROCESS NAME>" }

sess.add_target(target)
sess.connect(s_get("tftp"))
sess.fuzz()

Once you've specified the "proto" parameter, the rest of the session file is pretty much the same as for fuzzing any other protocol. Now that you have your session file configured for UDP connections, you'll need a request file. I found this basic TFTP request file on the Internet here.
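As an added example (not the request file linked above and not Sulley's own code), here is the RRQ/WRQ packet layout that a TFTP request file has to describe, built and then parsed defensively in plain Python 3 so it runs without Sulley installed; the 255-byte filename limit and the sample packets are my own constructed assumptions.

```python
import struct
MODES = {"netascii", "octet", "mail"}
MAX_FILENAME = 255  # assumed sanity limit for this defensive parser

def build_request(opcode, filename, mode="octet"):
    """RRQ (1) / WRQ (2): 2-byte opcode, then filename and mode, each NUL-terminated.
    This is the layout a Sulley request file declares with s_word/s_string/s_static."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def parse_request(pkt):
    """Validate an RRQ/WRQ and return (opcode_name, filename, mode); raise ValueError
    on anything malformed, so fuzzer-generated input is rejected rather than mis-parsed."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in (1, 2):
        raise ValueError("not a read/write request: opcode %d" % opcode)
    parts = pkt[2:].split(b"\x00")
    # well-formed body is filename NUL mode NUL: split() yields 3 parts, the last empty
    if len(parts) != 3 or parts[2] != b"":
        raise ValueError("missing or extra NUL terminators")
    filename, mode, _ = parts
    if not filename or len(filename) > MAX_FILENAME:
        raise ValueError("bad filename length %d" % len(filename))
    try:
        filename_s, mode_s = filename.decode("ascii"), mode.decode("ascii").lower()
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request")
    if mode_s not in MODES:
        raise ValueError("unknown transfer mode %r" % mode_s)
    return ("RRQ" if opcode == 1 else "WRQ"), filename_s, mode_s

# Constructed samples of the kinds of cases Sulley's string mutators produce.
SAMPLES = {
    "valid": build_request(1, "boot.cfg"),
    "overlong": build_request(1, "A" * 5000),
    "no_terminator": b"\x00\x01boot.cfg",
    "bad_mode": build_request(2, "x", "binary"),
}

def check_samples():
    """Return {sample name: True if the parser accepted it, False if rejected}."""
    out = {}
    for name, pkt in SAMPLES.items():
        try:
            parse_request(pkt)
            out[name] = True
        except ValueError:
            out[name] = False
    return out
```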



Now that we have our session and request file, there's one more change that needs to be made before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:

c:\sulley>python network_monitor.py -d X -f "src or dst port XX" -P \\path

Since this is UDP and the traffic only goes one way, that pcap filter string won't capture anything, so you'll need to enter it this way:

c:\sulley>python network_monitor.py -d X -f "udp dst port XX" -P \\path

As with anything script related, this can be improved.

So now you can pretty much follow my previous blog post on Sulley or view the video on kioptrix.com and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz… Here's a nice little list from exploit-db that you can have fun with.

As always, I'll try and get a video up demonstrating this. Always fun to make those, and perhaps I'll actually put the "Benny Hill" theme song… or just sound. One day perhaps.

Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com

  1. Hi,
    What is your OS for your test? Windows or Linux (Debian, Backtrack…)?
    I'm currently using Ubuntu 9.10, which provides Python 2.6, and I have some issues with Network_Monitor.py.

    sudo python network_monitor.py -d 0 -P ./logs -f "host 172.20.1.89" -l 3
    /home/sulley/blocks.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
    import md5
    /home/sulley/blocks.py:7: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
    import sha
    [06:13.54] Network Monitor PED-RPC server initialized:
    [06:13.54] device: eth0
    [06:13.54] filter: host xxx.xxx.xxx.xxx
    [06:13.54] log path: ./logs
    [06:13.54] log_level: 3
    [06:13.54] Awaiting requests…
    [06:14.06] initializing capture for test case #1
    Exception in thread Thread-1:
    Traceback (most recent call last):
    File "/usr/lib/python2.6/threading.py", line 525, in __bootstrap_inner
    self.run()
    File "network_monitor.py", line 87, in run
    self.pcap.dispatch(0, self.packet_handler)
    PcapError: corrupted frame on kernel ring mac offset 70 + caplen 0 > frame len 64

    Have you encountered this problem? The same python script runs perfectly on Windows XP ????
    Thanks in advance for your comment.

  2. I run sulley on windows, haven’t gone around to using it on Linux, but I’ll see if I run into the same problem.
    If you find a solution, please feel free to the post it.

  3. I have done additional tests:
    – Firstly, I modified the source code of the file block.py of Sulley in order to avoid the warnings about MD5 and SHA1 by introducing hashlib (of course, without any effect).
    – Then I tried the same script on Backtrack 4, which provides python2.5.2. The behaviour is quite different. The first capture finishes normally, but the second command crashes the script with a segmentation fault :-(
    Moreover, the file pcap is not valid, not possible to open it with tcpdump or wireshark.

    python network_monitor.py -d 0 -P ./logs -f "host xxx.xxx.xxx.xxx" -l 3
    [09:56.03] Network Monitor PED-RPC server initialized:
    [09:56.03] device: eth0
    [09:56.03] filter: host xxx.xxx.xxx.xxx
    [09:56.03] log path: ./logs
    [09:56.03] log_level: 3
    [09:56.03] Awaiting requests…
    [09:56.35] initializing capture for test case #1
    [09:56.41] stopped PCAP thread, snagged 0 bytes of data
    [09:56.41] initializing capture for test case #2
    Segmentation fault

    tcpdump -r logs/3.pcap
    reading from file logs/3.pcap, link-type EN10MB (Ethernet)
    tcpdump: pcap_loop: bogus savefile header

  4. The above mentioned file 3.pcap was generated with the simple command: python network_monitor.py -d 0 -P ./logs (not the command shown, which generated the file 2.pcap :-)

  5. So,
    with Ubuntu 9.10 and the following native packages: Python_2.6.4-0ubuntu3, libpcap0.8_1.0.0-2ubuntu1, python-pcapy_0.10.6-1ubuntu2, python-impacket_0.9.6.0-3
    -> Pcaperror !
    with Debian Lenny and the following native packages: Python_2.5.2-3, libpcap0.8_0.9.8-5, python-pcapy_0.10.6-1~lenny1, python-impacket_0.9.6.0-3
    -> segmentation fault (like with Backtrack 4)…

  6. Can you post an example of how to use Sulley when an answer to a challenge is required?

    For example, in the STUN protocol, if you are the server and get a request from a client, you need to answer the client with the same transaction ID.
    I haven't seen any examples with Sulley of how to get data back and extract data from it to be used later in the sent packet.
    Thanks!