If you’re going to start fuzzing with Sulley I’m hoping you’ve spent a little time getting to know the concepts.
Overall usage of Sulley breaks down to the following:
Data Representation: The first step in using any fuzzer. Run your target, exercise its interfaces while capturing the packets, break the protocol down into individual requests and represent those as blocks in Sulley.
Session: Link your developed requests together to form a session, attach the various available Sulley monitoring agents (socket, debugger, etc…) and commence fuzzing.
Post Mortem: Review the generated data and monitored results. Replay individual test cases.
Today we’re going to be focusing on Data Representation. I’ve chosen a UDP broadcast protocol used by a demo SCADA app.
Here is a screenshot of the network traffic.
So it sends UDP packets from source port 5513 to the subnet broadcast address 10.7.0.255 on port 5512. After watching the application idle for 5 minutes I identified two slightly different packets:
4e65747363616e3b30643b353b
4e65747363616e3b30643b373b
As the Wireshark screenshot shows, both packets are plain ASCII; decoded, they read:
Netscan;0d;5;
Netscan;0d;7;
To build our simple protocol definition, let's look at the following example from the Sulley documentation:
# fuzzes the string: <BODY bgcolor="black">
s_delim("<")
s_string("BODY")
s_delim(" ")
s_string("bgcolor")
s_delim("=")
s_delim("\"")
s_string("black")
s_delim("\"")
s_delim(">")
Ours will look like:
s_string("Netscan")
s_delim(";")
s_binary("0d")
s_delim(";")
s_word(1, format="ascii")
s_delim(";")
One caveat on the middle field: s_binary parses its argument as hex, so s_binary("0d") renders the single byte 0x0d, not the two ASCII characters 0x30 0x64 ("0d") that appear in the capture. If you want the model to reproduce the captured packet byte for byte, use s_static("0d") (or s_string("0d") if that field should be mutated too). s_word(1, format="ascii") renders the trailing counter as decimal text, which matches the "5" and "7" we saw.
Check out “C:/sulley/docs/index.html#installation” for full API details.
Let's create our Sulley fuzzing scripts. I use Crimson Editor for quick edits; feel free to use your favorite IDE.
Create a new file called irc5.py in C:\sulley\requests:
from sulley import *
########################################################################################################################
s_initialize("irc5")
if s_block_start("bcast"):
    s_string("Netscan")
    s_delim(";")
    # NB: s_binary parses hex, so this emits the single byte 0x0d,
    # not the two ASCII characters "0d" seen in the capture; use s_static("0d") for that.
    s_binary("0d")
    s_delim(";")
    # trailing counter, rendered as decimal text ("1", "2", ...) and mutated as a 16-bit integer
    s_word(1, format="ascii")
    s_delim(";")
s_block_end()
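Before attaching a session it is worth rendering the un-mutated request (test case 0) and comparing it field by field with the capture, so that the first packets on the wire are the protocol you think they are. The script below is an added example, not code from the original post and not Sulley's own code: the s_* functions are stand-ins that produce only the baseline bytes of the corresponding Sulley primitives (s_string, s_delim, s_static, s_binary, s_word with format="ascii"), and the two hex packets are the ones quoted above.

```python
import struct

# Constructed from the two hex dumps quoted in the post (not a new capture).
CAPTURED_HEX = [
    "4e65747363616e3b30643b353b",
    "4e65747363616e3b30643b373b",
]


# --- stand-ins for the un-mutated (test case 0) render of each Sulley primitive ---
# These mirror only the baseline bytes the real primitives emit; they are not Sulley.
def s_string(value):
    return value.encode("ascii")


def s_delim(value):
    return value.encode("ascii")


def s_static(value):
    return value.encode("ascii")


def s_binary(value):
    # Sulley's s_binary strips whitespace, commas, "0x" and "\x" and then parses
    # what is left as pairs of hex digits, so "0d" becomes ONE byte, 0x0d.
    cleaned = value
    for junk in (" ", "\t", "\r", "\n", ",", "0x", "\\x"):
        cleaned = cleaned.replace(junk, "")
    return bytes.fromhex(cleaned)


def s_word(value, fmt="binary", endian="<"):
    # format="ascii" renders the number as decimal text; "binary" packs 16 bits.
    if fmt == "ascii":
        return str(value).encode("ascii")
    return struct.pack(endian + "H", value)


def render(primitives):
    return b"".join(primitives)


# The request as modelled in the post (s_binary for the middle field).
MODEL_AS_POSTED = [
    s_string("Netscan"), s_delim(";"),
    s_binary("0d"), s_delim(";"),
    s_word(1, fmt="ascii"), s_delim(";"),
]

# Same request with the middle field kept as the two ASCII characters the capture shows.
MODEL_ASCII_FIELD = [
    s_string("Netscan"), s_delim(";"),
    s_static("0d"), s_delim(";"),
    s_word(5, fmt="ascii"), s_delim(";"),
]


def decode_capture(hex_packet):
    """Hex dump from the sniffer -> raw packet bytes."""
    return bytes.fromhex(hex_packet)


def split_fields(packet, delim=b";"):
    """b'Netscan;0d;5;' -> [b'Netscan', b'0d', b'5']; every field is ';'-terminated."""
    if not packet.endswith(delim):
        raise ValueError("packet does not end with %r" % delim)
    return packet[:-len(delim)].split(delim)


def baseline_matches_capture(model, hex_packets):
    """True if the model's un-mutated render has the same field layout as every
    captured packet: same field count, identical first two fields, and a decimal
    counter in the third (the capture's only varying field)."""
    base = split_fields(render(model))
    for hx in hex_packets:
        cap = split_fields(decode_capture(hx))
        if len(cap) != len(base):
            return False
        if cap[:2] != base[:2]:
            return False
        if not cap[2].isdigit() or not base[2].isdigit():
            return False
    return True


if __name__ == "__main__":
    for name, model in (("as posted", MODEL_AS_POSTED), ("ascii field", MODEL_ASCII_FIELD)):
        print("%-12s %r  matches capture: %s"
              % (name, render(model), baseline_matches_capture(model, CAPTURED_HEX)))
```

Running it shows the difference the middle primitive makes: the model as posted puts the byte 0x0d on the wire where the capture has the characters "0d", so its baseline does not match; the variant with s_static("0d") reproduces the capture exactly. The same check is cheap to repeat whenever you change the request definition.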
Now in C:\sulley\ create irc5_bcast.py with the following:
#!c:\\python\\python.exe
from sulley import *
from requests import irc5
########################################################################################################################
# a single session object carrying both the audit settings and proto="udp"
# (creating a second session would throw away the session_filename, sleep_time and log_level)
sess = sessions.session(session_filename="audits/irc5-bcast.session", sleep_time=.25, log_level=10, proto="udp")
sess.add_target(sessions.target("10.7.0.255", 5513))
sess.connect(s_get("irc5"))
sess.fuzz()
Now from the DOS box run the fuzzing script:
And if we look at Wireshark we can see the packets going across the wire. I wonder what code our packets are hitting. Is there more we should know about the code that processes incoming packets? (Yes!)
Enter Process Stalking. It will let us identify the basic blocks hit by our incoming packets. Check out the next post on Process Stalking.