import sys

from sulley import *
- # General Overview of a Sulley Script
- # 1. Create the requests and connections (define the fuzzing grammar)
- # 2. Define the sessions
- # 3. Define the target
- # 4. Fuzz the target
- #
- # s_initialize - Construct a new request
- # s_static ("USER") - A string that is STATIC that does not get fuzzed (e.g. the user value of an FTP server)
- # s_delim(" ") - A delimiter that can be fuzzed. It has a different (smaller) set of mutations than s_string.
- # s_string("anonymous") - A string that can be mutated (fuzzed). Includes more mutations than s_delim - this is our main fuzzing input
- #
- # Grammar to be tested:
# Grammar to be tested: one Sulley request per FTP command, each shaped as
#   <VERB> <value>\r\n
# where only <value> is mutated. Each tuple is (request name, verb, seed value);
# the request name is what s_get() uses later to wire the session graph.
FTP_REQUESTS = [
    ("user", "USER", "anonymous"),
    ("pass", "PASS", "anonymous"),
    ("mkd", "MKD", "AAAA"),
]

for request_name, verb, seed in FTP_REQUESTS:
    s_initialize(request_name)    # open a new request under this name
    s_static(verb)                # the command verb itself is never mutated
    s_delim(" ", fuzzable=False)  # verb/argument separator, also left alone here
    s_string(seed)                # the only fuzzable primitive: the argument
    s_static("\r\n")              # FTP line terminator, fixed
- # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
## pre_send hook: runs on every fresh connection, right after the TCP three-way handshake.
def receive_ftp_banner(sock):
    """Read and drop up to 1024 bytes of the server greeting from *sock*.

    Installed as the session's pre_send callback. Nothing in the received
    data is inspected and nothing is returned.
    """
    _greeting = sock.recv(1024)
# Define Session
# Session parameters
SESSION_FILENAME = "FreeFloatFTP-Session"  # on-disk fuzzing state; keep it to resume a paused run, change it for a new one
SLEEP_TIME = 0.5                           # seconds between two test cases
TIMEOUT = 5                                # seconds without a connection before the fuzzer gives up on the attempt
CRASH_THRESHOLD = 4                        # a primitive is skipped once it has crashed the target this many times

mysession = sessions.session(
    session_filename=SESSION_FILENAME,
    sleep_time=SLEEP_TIME,
    timeout=TIMEOUT,
    crash_threshold=CRASH_THRESHOLD,
)
mysession.pre_send = receive_ftp_banner  # drain the greeting on every new connection

# Fuzzing graph: root -> user -> pass -> mkd. Each edge is (parent, child);
# a parent of None attaches the request directly to the root node.
# Further commands (e.g. STOR, PUT) would be attached the same way once
# their requests exist.
FUZZ_PATH = [
    (None, "user"),
    ("user", "pass"),
    ("pass", "mkd"),
]
for parent, child in FUZZ_PATH:
    if parent is None:
        mysession.connect(s_get(child))
    else:
        mysession.connect(s_get(parent), s_get(child))
- # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
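# Draw a graph of the fuzzing paths as a uDraw (.udg) file of the session's request tree.
# The with-block closes the handle even if render_graph_udraw() raises, so a failed
# render cannot leave the file open.
with open("session_test.udg", "w+") as fh:
    fh.write(mysession.render_graph_udraw())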
- # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
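# Overview before anything is sent: how many test cases the run will produce, and
# a chance to back out.
print("Number of tests during this case: " + str(s_num_mutations()) + "\n")
# NOTE(review): the x5 multiplier is not explained in this script; confirm it
# against the session's own mutation count before relying on the figure.
print("Total number of tests (mutations): " + str(s_num_mutations() * 5) + "\n")
decision = raw_input("Do you want to continue? y/n: ")
# Trim and case-fold the answer so "N", "no" and " n" abort as well, instead of
# silently starting the run because only a bare "n" was recognised.
if decision.strip().lower().startswith("n"):
    sys.exit(0)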
- # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
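# Define target parameters
TARGET_HOST = "192.168.50.128"  # host running the FTP server and the process monitor
FTP_PORT = 21                   # port the FTP server listens on
PROCMON_PORT = 26002            # process monitor on the target host
NETMON_PORT = 26001             # network monitor on this host, alongside the fuzzer

target = sessions.target(TARGET_HOST, FTP_PORT)
# NOTE(review): pedrpc is a plain TCP RPC channel and no authentication is visible
# from this script; keep both monitor ports reachable only from the isolated lab network.
target.procmon = pedrpc.client(TARGET_HOST, PROCMON_PORT)
target.netmon = pedrpc.client("127.0.0.1", NETMON_PORT)
target.procmon_options = {  # Parameters for the process monitor
    "proc_name": "FTPServer.exe",  # The process name
    # how the process monitor kills the service
    "stop_commands": ['wmic process where (name="FTPServer.exe") call terminate'],
    # how it restarts the service. The path contains spaces, so it is wrapped in
    # double quotes on both sides (the original had only the closing quote); a raw
    # string keeps the backslashes literal so \U and \u are not read as escapes.
    "start_commands": [r'"C:\Users\user1\Desktop\VulnSoftware\Part 1 - Saved Return Pointer Overflows\FreeFloatFTP\Win32\FTPServer.exe"'],
}

# Add target to the session
mysession.add_target(target)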
- # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
# Let's get fuzzing!
print("Starting fuzzing now")
# Runs every test case in the session. Sulley also serves a status web UI
# at http://127.0.0.1:26000 while the job is running.
mysession.fuzz()