import socket
import sys

from sulley import *
  2.  
# General overview of a Sulley script
# 1. Create the requests and connections (define the fuzzing grammar)
# 2. Define the session
# 3. Define the target
# 4. Fuzz the target
#
# s_initialize("name") - start a new request with the given name
# s_static("USER") - a STATIC string that is never fuzzed (e.g. the USER verb of an FTP login)
# s_delim(" ") - a delimiter; fuzzable, but with fewer mutations than s_string
# s_string("anonymous") - a string that is mutated (fuzzed) with the full mutation set - this is our main fuzzing input
#
# Grammar to be tested:
  15.  
def _ftp_request(name, verb, argument):
    """Register one FTP request named *name* with Sulley.

    The request is laid out as ``<verb> <argument>`` followed by CRLF.  The
    verb, the separating space and the terminator are static so the server
    always recognises the command; only *argument* is mutated.
    """
    s_initialize(name)
    s_static(verb)
    # Keep the separator intact -- fuzzing it would mostly produce requests the
    # server never parses as this command.
    s_delim(" ", fuzzable=False)
    # The single fuzzable field of the request.
    s_string(argument)
    s_static("\r\n")


# USER <name>     -- login username, starting from "anonymous"
_ftp_request("user", "USER", "anonymous")
# PASS <password> -- login password, starting from "anonymous"
_ftp_request("pass", "PASS", "anonymous")
# MKD <dirname>   -- the directory name is the field under test here; other
# commands (PUT, GET, STOR, ...) would be defined the same way.
_ftp_request("mkd", "MKD", "AAAA")
  37.  
  38. # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
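## pre_send hook: Sulley calls this with the connected socket before each test case goes out.
def receive_ftp_banner(sock):
    """Drain the FTP greeting (e.g. ``220 ...``) sent right after the TCP handshake.

    The banner is read with a single ``recv`` and returned so a caller can
    inspect it; nothing is asserted about its contents.

    Returns the bytes received, or an empty byte string when the socket times
    out waiting for a banner.  A silent or hung target should not abort the
    whole run inside the pre_send hook -- the monitored send path is where a
    dead target gets reported.  (The timeout presumably comes from the
    session's TIMEOUT being applied to the socket -- confirm against Sulley.)
    """
    try:
        return sock.recv(1024)
    except socket.timeout:
        return b""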
  42.  
# ---- Session ---------------------------------------------------------------
# Tunables for this run.  Sulley persists its progress in SESSION_FILENAME,
# so a paused run can be resumed as long as that file survives; use a new
# file name when fuzzing a different target or grammar.
SESSION_FILENAME = "FreeFloatFTP-Session"
SLEEP_TIME = 0.5        # seconds to pause between two test cases
TIMEOUT = 5             # seconds of no connection before the fuzzer gives up
CRASH_THRESHOLD = 4     # skip a node once it has crashed the target this many times

mysession = sessions.session(
    session_filename=SESSION_FILENAME,
    sleep_time=SLEEP_TIME,
    timeout=TIMEOUT,
    crash_threshold=CRASH_THRESHOLD,
)

# Drain the greeting before every test case.
mysession.pre_send = receive_ftp_banner

# Protocol graph.  The root edge carries USER on its own; every later edge
# tells Sulley which request must precede the child so the server is in the
# right state (USER before PASS, PASS before MKD).  Check the traffic with
# Wireshark if in doubt.
mysession.connect(s_get("user"))
for parent, child in (("user", "pass"), ("pass", "mkd")):
    mysession.connect(s_get(parent), s_get(child))
# Further commands would hang off "pass" the same way, e.g.
#   mysession.connect(s_get("pass"), s_get("stor"))
#   mysession.connect(s_get("pass"), s_get("put"))
  62.  
  63.  
  64. # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
  65.  
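# Dump the protocol graph in uDraw format so the fuzzing paths can be inspected.
# `with` guarantees the handle is closed even if render_graph_udraw() raises;
# the open()/write()/close() sequence leaked it on that path.
with open("session_test.udg", "w+") as fh:
    fh.write(mysession.render_graph_udraw())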
  70.  
  71. # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
  72.  
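# Summarise the workload and give the operator a chance to bail out before
# any packet is sent.
num_mutations = s_num_mutations()
print("Number of tests during this case: " + str(num_mutations) + "\n")
# NOTE(review): the x5 factor is the original author's rough estimate of the
# whole-session total; s_num_mutations() is only known to report the current
# case -- confirm before relying on this number.
print("Total number of tests (mutations): " + str(num_mutations * 5) + "\n")

# Treat "n", "N", "no", ... as a refusal.  The original compared against a
# bare "n", so "N" or "no" silently started the fuzzer.
decision = raw_input("Do you want to continue? y/n: ")
if decision.strip().lower().startswith("n"):
    sys.exit(0)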
  80.  
  81. # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #
  82.  
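# ---- Target ----------------------------------------------------------------
# Two hosts: the victim VM (runs the vulnerable FTP server and the process
# monitor) and this box (runs the network monitor and the fuzzer).  Keep both
# on an isolated lab network: this script configures no authentication on the
# pedrpc channels, and the process monitor executes the start/stop commands
# supplied below, so anything that can reach port 26002 should be assumed able
# to run commands on the victim.
TARGET_HOST = "192.168.50.128"
TARGET_PORT = 21                      # FTP control channel under test
PROCMON_PORT = 26002                  # process monitor on the victim
NETMON_ADDR = ("127.0.0.1", 26001)    # network monitor on this host

target = sessions.target(TARGET_HOST, TARGET_PORT)
target.procmon = pedrpc.client(TARGET_HOST, PROCMON_PORT)
target.netmon = pedrpc.client(*NETMON_ADDR)

# The path contains spaces, so it is wrapped in double quotes on BOTH ends so
# the monitor's shell sees a single program name; the original literal had
# only a stray trailing quote.  A raw string keeps the backslashes literal
# (a non-raw "\U..." is even a SyntaxError on Python 3).
FTPSERVER_EXE = r'"C:\Users\user1\Desktop\VulnSoftware\Part 1 - Saved Return Pointer Overflows\FreeFloatFTP\Win32\FTPServer.exe"'

target.procmon_options = {
    "proc_name": "FTPServer.exe",  # process the monitor watches for crashes
    # How the monitor kills and relaunches the service after a crash.
    "stop_commands": ['wmic process where (name="FTPServer.exe") call terminate'],
    "start_commands": [FTPSERVER_EXE],
}

mysession.add_target(target)

# Start the run.  Per the original author's note, Sulley also serves a status
# page at http://127.0.0.1:26000 while fuzzing.
print("Starting fuzzing now")
mysession.fuzz()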