sulley's People

Contributors

attwad, edevil, fitblip, jtpereyda, kokanin, nikolai-r, pdogg, pedramamini, sparticvs, stevejm

sulley's Issues

[Google] pickle_recv failed to get the expected pck length

What steps will reproduce the problem?

  1. Create a fuzzer
  2. Run it with network monitor attached
  3. Cry ;)

What is the expected output? What do you see instead?
Expecting to receive a packet formatted like (len on 4 bytes)(method + args
on 'len' bytes) in the __pickle_recv function. It appears to be the client
who sent a SYN packet while the server was waiting for data...

What version of the product are you using? On what operating system?
svn version, date 11/03/2008

Please provide any additional information below.
I'm using Debian etch, as a DomU in Xen 3.2 (CentOS), client side (fuzzer),
and a similar configuration for the server (netmon). Tried it in Debian
Etch without virtualization too, same problem.

If any additional information is required, mail me :)

unit_test.py fails in blocks.dependencies()

C:\sulley_build\sulley>unit_test.py
PRIMITIVE MUTATION COUNTS (SIZES):
delim: 44 (3979)
string: 1078 (72904962)
byte: 112
word: 141
dword: 143
qword: 143
sizer: 143
Traceback (most recent call last):
File "C:\sulley_build\sulley\unit_test.py", line 5, in <module>
unit_tests.blocks.run()
File "C:\sulley_build\sulley\unit_tests\blocks.py", line 5, in run
dependencies()
File "C:\sulley_build\sulley\unit_tests\blocks.py", line 89, in dependencies
assert(s_render().find("ONE") == -1)
AssertionError

[Google] PATCH: vmcontrol.py on 64-bit Linux

What steps will reproduce the problem?

  1. Executing default vmcontrol.py on Ubuntu 10.04 64-bit fails because of incorrect check for the "interactive" argument.

What version of the product are you using? On what operating system?
Ubuntu 10.04 64-bit

Please provide any additional information below.
I made the following changes and was able to properly run vmcontrol.py on 64-bit Linux. The script properly controlled the target VM (start, reset to snapshot, stop)

vmcontrol.py diff
340c340
< if not os.name == "nt" and interactive:
---
> if not os.name == "nt":
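
Review bot: the direction of this diff is not stated, so it is unclear whether `and interactive` is being added or removed; with `diff old new`, `<` is the original, which would mean the change drops `and interactive` and makes the non-Windows branch run unconditionally, i.e. `interactive` is no longer honoured on Linux at all. Either way nothing here is specific to 64-bit, so please say which side is the working copy and whether a non-interactive run on Linux is still supposed to take the other path.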

sulley/pedrpc.py diff (is this related to 64-bitness?)
13,14c13
< #self.NOLINGER = struct.pack('HH', 1, 0)
< self.NOLINGER = struct.pack('ii', 1, 0)
---
> self.NOLINGER = struct.pack('HH', 1, 0)
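
Review bot: this is not about 64-bitness. `struct.pack('HH', 1, 0)` packs two unsigned shorts (4 bytes), which is the Winsock `struct linger` layout, while `struct.pack('ii', 1, 0)` packs two C ints (8 bytes), which is the Linux `struct linger` layout on 32-bit and 64-bit alike; Linux rejects a `SO_LINGER` option shorter than its `struct linger`, so the `'ii'` line is the Linux fix regardless of word size. Rather than keeping one form commented out, pick the format from `os.name` so the same file works on both platforms.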

[Google] dwords full range

I am using python 2.4.


assert(type(self.max_num) is int or type(self.max_num) is long)

# build the fuzz library.
if self.full_range:
    # add all possible values.
    for i in xrange(0, self.max_num): #Bug
        self.fuzz_library.append(i)

OverflowError: long int too large to convert to int

Trigger using:
 s_dword(0x1, full_range="true")

Now another problem is, if I change the line to be
  for i in xrange(0, sys.maxint):

I get another error:
    self.fuzz_library.append(i)
    MemoryError

So is this even possible ?

Thanks
-d

[Google] struct.error: unpack requires a string argument of length 1

What steps will reproduce the problem?

  1. When trying to fuzz binary files with custom request

What is the expected output? What do you see instead?
seems value = struct.unpack(endian + "B", value)[0] in primitives.py will not unpack binary data sent.
Custom request is attached.

File "C:\sulley\primitives.py", line 807, in __init__
value = struct.unpack(endian + "B", value)[0]
struct.error: unpack requires a string argument of length 1

Attachments:
bmp.py

[Google] AttributeError in crashbin_explorer uDraw generation

What steps will reproduce the problem?

  1. Use attached crashbin file with crashbin_explorer.py
  2. Run "crashbin_explorer.py http.crashbin -g httpcrashbin"

What is the expected output? What do you see instead?
This is the output I get from crashbin_explorer:

C:\dev\sulley>python utils\crashbin_explorer.py audit\HTTP -g out
[5] [INVALID]:226e2522 Unable to disassemble at 226e2522 from thread 3408
caused access violation
2671, 2671, 6401, 10131, 13861,

[2] :00403524 rep movsd from thread 3236 caused access violation
89, 89,

[2] :00400047 int 0x21 from thread 3712 caused access violation
103, 4207,

[2] [INVALID]:22732522 Unable to disassemble at 22732522 from thread 2240
caused access violation
2674, 2674,

[3] :7c91142e mov edi,[ecx] from thread 3332 caused access violation
Traceback (most recent call last):
File "utils\crashbin_explorer.py", line 86, in <module>
edge = pgraph.edge.edge(n.id, last)
AttributeError: type object 'edge' has no attribute 'edge'

The line "edge = pgraph.edge.edge(n.id, last)" - if I change it to "edge =
pgraph.edge(n.id, last)", I don't get an AttributeError from Python; not
sure if this is the correct behavior.

What version of the product are you using? On what operating system?
Current from SVN as of 1/14/2009, XP SP3.

Please provide any additional information below.
Is my change by removing the last reference of .edge from pgraph.edge correct?

Attachments:
http.crashbin

Bad handling of UDP sockets

Hello,

I've been playing several days with sulley for fuzzing TFTP servers and I noticed a weird UDP communication behaviour badly handled by Sulley.
When making a TFTP request, a random source port is used for sending a packet to the tftp port (69). For the answer, the TFTP server will not use the TFTP port but another random port. Example here:

01:45:40.774198 IP 10.1.1.1.44412 > 10.1.1.2.tftp: 18 RRQ "uname.txt" octet
01:45:40.776609 IP 10.1.1.2.38667 > 10.1.1.1.44412: UDP, length 80
01:45:40.776665 IP 10.1.1.1.44412 > 10.1.1.2.38667: UDP, length 4

While it is not documented (to my knowledge), when using socket.connect on a UDP socket, the next socket.recv will not receive the packet if the source port is different.

Thus using socket.sendto only for UDP seems to fix this problem.
Here is a small diff of modifications I made :

Index: sulley/sessions.py
===================================================================
--- sulley/sessions.py  (revision 162)
+++ sulley/sessions.py  (working copy)
@@ -436,7 +436,8 @@

                         try:
                             sock.settimeout(self.timeout)
-                            sock.connect((target.host, target.port))
+                            if self.proto == socket.SOCK_STREAM:
+                                sock.connect((target.host, target.port))
                         except Exception, e:
                             error_handler(e, "failed connecting on socket", target, sock)
                             continue
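
Review bot: skipping `connect()` for `SOCK_DGRAM` fixes the reply-from-another-port case, but the side effects should be spelled out: an unconnected UDP socket will `recv()` datagrams from any host and any port, so a "response" can no longer be attributed to `target.host`, and the ICMP port-unreachable errors that a connected socket surfaces as `ECONNREFUSED` are silently dropped, which loses a cheap crash signal. Consider reading with `recvfrom()` and checking the sender against `target.host`.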
@@ -804,7 +805,10 @@
                 data = data[:MAX_UDP]

         try:
-            sock.send(data)
+            if self.proto == socket.SOCK_STREAM:
+                sock.send(data)
+            else:
+                sock.sendto(data,(self.targets[0].host, self.targets[0].port))
         except Exception, inst:
             self.log("Socket error, send: %s" % inst[1])
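
Review bot: `sock.sendto(data, (self.targets[0].host, self.targets[0].port))` hard-codes the first target, whereas the `connect` hunk above addresses the `target` object in scope; with more than one target the datagram goes to the wrong host. Use the same target object here, and note that `MAX_UDP` truncation just above this branch applies to `sendto` exactly as it did to `send`.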

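The behaviour this report describes, reproduced on loopback as an added example (not Sulley's code): a constructed TFTP read request is answered from a freshly created socket, so the reply comes from a different source port than the one the request went to, and only the unconnected client ever sees it. The host, ports and payloads are constructed for the demonstration.

```python
import socket
import threading

# Added example, not Sulley's code: reproduce the TFTP-style exchange from the
# capture above on loopback. The "server" receives on one port and answers from a
# fresh socket, i.e. from a different source port, just like a TFTP daemon does.
HOST = "127.0.0.1"
RRQ = b"\x00\x01uname.txt\x00octet\x00"   # constructed TFTP read request (opcode 1)
DATA = b"\x00\x03\x00\x01hello"           # constructed TFTP DATA block 1


def serve_one_request(server):
    """Wait for one datagram and reply from a brand-new socket (new source port)."""
    _, client_addr = server.recvfrom(2048)
    reply = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    reply.bind((HOST, 0))
    reply.sendto(DATA, client_addr)
    reply.close()


def exchange(connected, timeout=1.0):
    """Send RRQ with a connected or an unconnected client socket.

    Returns ("received", reply_came_from_other_port) or ("timeout", None).
    A connected UDP socket only accepts datagrams from the exact peer it was
    connected to, so the reply sent from the server's new port never arrives.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((HOST, 0))
    server.settimeout(timeout * 3)
    service_port = server.getsockname()[1]
    worker = threading.Thread(target=serve_one_request, args=(server,))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    try:
        if connected:
            client.connect((HOST, service_port))      # what sessions.py does for every proto
            client.send(RRQ)
        else:
            client.sendto(RRQ, (HOST, service_port))  # the fix: no connect() for SOCK_DGRAM
        _, (_, from_port) = client.recvfrom(2048)
        return ("received", from_port != service_port)
    except socket.timeout:
        return ("timeout", None)
    finally:
        worker.join()
        client.close()
        server.close()


if __name__ == "__main__":
    print("connected socket:  ", exchange(True))
    print("unconnected socket:", exchange(False))
```

The unconnected variant returns the reply together with the sender's port, which is also the information a fuzzer needs if it wants to check that the answer really came from the target rather than from an unrelated host.
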
[Google] Try to use hashlib instead of md5/sha libs

What steps will reproduce the problem?
Run unittests.

What is the expected output? What do you see instead?
I see warnings on python2.6 about using hashlib instead of md5/sha1 directly.

What version of the product are you using? On what operating system?
r156 from SVN.

Please provide any additional information below.
Patch attached (in git format) which attempts to use hashlib and, if it's
an old enough version of python, it will fall back to md5/sha lib.

Attachment:
use-hashlib.patch

[Google] Segfault using network_monitor on Ubuntu, despite Wiki's Ubuntu modification

What steps will reproduce the problem?

  1. Modifying pedrpc.py according to
    http://code.google.com/p/sulley/wiki/KnownBugs,
  2. Using attached files sip.py and requests/sip_data.py,
  3. Creating the folder audits/sip/,
  4. Running:
    4a. sudo python network_monitor.py -d 1 -f "src or dst port 5060" -P
    audits/sip
    4b. python sip.py

What is the expected output? What do you see instead?
A segmentation fault happens !

What version of the product are you using? On what operating system?
I am using the last cvs version (on the 2008-06-06, 16h16).
My system is an Ubuntu lenny/sid, 2.6.24-16-generic.
If you have any idea, please help me :)

Attachments:
sip.py & sip_data.py

Centralize logging

Just a milestone issue to track any issues with the logging facility that I'll be implementing in Sulley.

Problems with SSL

Hi all,

I'm evaluating sulley for fuzzing an application which is only available via SSL. Unfortunately when I try to enable SSL in sulley I get the following error:

Traceback (most recent call last):
File "fuzz.py", line 26, in <module>
sess.fuzz()
File "/home/mcc/OpenRCE-sulley-8cb5e1d/sulley/sessions.py", line 473, in fuzz
error_handler(e, "failed transmitting fuzz node", target, sock)
File "/home/mcc/OpenRCE-sulley-8cb5e1d/sulley/sessions.py", line 393, in error_handler
sock.close()
AttributeError: close

My code looks like this:
sess = sessions.session(session_filename="http.session", log_level="9", proto="ssl", skip=0)
target = sessions.target("myservice", 443)

I'd have raised a bug already but I'm new to sulley so I'm not 100% if I've done everything correctly.

Thanks in advance,
Matt

[Google] Process_monitor_unix

General question: Does Process_monitor_unix.py actually work? It doesn't seem to have the same options as the standard process_monitor file.

Allow fuzzing of multiple ports

Dynamo pointed out the fact that Sulley doesn't really fuzz multiple ports very well. This is necessary in some cases like a dynamic RPC interface.

This should be possible (and may be, but I'm not sure it is...).

sulley/sessions.py l401 logger.error

Why are these lines (401-402) logged as errors:
self.logger.error("current fuzz path: %s" % current_path)
self.logger.error("fuzzed %d of %d total cases" % (self.total_mutant_index, self.total_num_mutations)).
It's confusing whereas it doesn't seem to raise an error.

Thank you for answering.

Fuzzing with session ids

I am trying to fuzz a server which hands out random session ids to clients when they connect.
This session id should be provided in many requests from the client. How do I do that?

When connecting the nodes I can put up a callback that catches the session id, but how do I specify that a block needs data that is not known until a few packets have been sent and received?

Modify vmcontrol.py to use both Virtualbox and VMWare

In private email correspondence with Paul Drapeau, he created a vmcontrol that works with virtualbox, so we've decided it's be best to modify the original script to work with either through the use of flags.

Should be easy enough!

Linux process monitor is not working

I am trying to set up the linux process monitor and it is not working. It never actually starts monitoring. what exactly are the steps I should be following to set it up?

[Google] s_byte with full_range="True" does not include 255 (0xff)

What steps will reproduce the problem?

  1. create a block with an s_byte("\x00", full_range="True") in it
  2. I use the session_file() class to output to a file

What is the expected output? What do you see instead?
I expected 256 packets to be created (0-255). I got 0-254.

What version of the product are you using? On what operating system?
Latest, I think. Windows.

Please provide any additional information below.
I think the xrange(start, stop) used in primitives.py is the problem. It
does not include the stop value.

Sulley fuzz the default integer value

Hello,

I'm using Sulley for a particular project, and after fuzzing all my data I had some duplicates.
I discovered that Sulley fuzzes even its own default value for the integers.

For example, s_int(2) generates the number 2 among its fuzzed values.
I don't know if it's wanted or if it is a "bug". I solved it by adding 3 lines of code in primitives.py, but I think the better option would be to add an option to select whether the default value has to be in the fuzzed values or not.

Let me know if you want my modifications and if it's normal behavior of Sulley.
Thank you,

Olivier

[Google] Sulley crash from sessions.py referencing self.fuzz_node.mutant.s_type

What steps will reproduce the problem?

  1. Simple HTTP fuzzer against local XP target
  2. procmon detects access violation on a test case
  3. sessions.py references a null variable, crashes

What is the expected output? What do you see instead?
In the Sulley script output, I expect to see lines like this:

[03:23.34] xmitting: [1.2673]
[03:23.35] fuzzing 2674 of 18655
[03:23.35] xmitting: [1.2674]
[03:23.36] procmon detected access violation on test case #2674
[03:23.36] primitive lacks a name, type: string, default value: www.foo.bar
[03:23.36] [INVALID]:22732522 Unable to disassemble at 22732522 from thread 2240 caused access violation

And in this specific script, I see this exact output for faults discovered
prior to the Sulley crash. When I get the crash, this is what I see:

[03:24.19] fuzzing 3731 of 18655
[03:24.19] xmitting: [1.3731]
[03:24.20] procmon detected access violation on test case #3731
Traceback (most recent call last):
File "http.py", line 74, in <module>
sess.fuzz()
File "C:\dev\sulley\sulley\sessions.py", line 495, in fuzz
self.poll_pedrpc(target)
File "C:\dev\sulley\sulley\sessions.py", line 638, in poll_pedrpc
msg += "type: %s, default value: %s" % (self.fuzz_node.mutant.s_type,
self.fuzz_node.mutant.original_value)
AttributeError: repeat instance has no attribute 's_type'

What version of the product are you using? On what operating system?
Sulley up-to-date SVN as of 1/14/2009. This is Windows XP SP3.

Please provide any additional information below.
I'm not sure how self.fuzz_node.mutant loses s_type, but I added a little
try/except loop around it as a workaround for the time being.

Thanks,
-Josh

[Google] sessions.py restart_interval does not honor skip value

What steps will reproduce the problem?

  1. Set the restart_interval to a small value, 10
  2. Set the skip value to a high value, 100
  3. The processes on the target will be restarted 100/10 times

sessions.py patch:
OLD:
# if we've hit the restart interval, restart the target.
if self.restart_interval and self.total_mutant_index % self.restart_interval == 0:

NEW:
# if we've hit the restart interval, restart the target.
if self.restart_interval and self.total_mutant_index % self.restart_interval == 0 and self.total_mutant_index > self.skip:
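
Review bot: the added `self.total_mutant_index > self.skip` guard must use the same boundary as the skip test in the fuzz loop (if cases with index `<= skip` are skipped, `>` is right; if the loop skips `< skip`, this is off by one), and it still fires on the first interval boundary after `skip` even though no fuzz case has been transmitted yet. Placing the restart check after the skip `continue` in the loop fixes both without a second condition on this line.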

[Google] Ctrl-C not handled gracefully in sulley fuzzie scripts.

What steps will reproduce the problem?
1.) Ctrl-C a running fuzzy

What is the expected output? What do you see instead?
Application should clean up, disconnect from all attached pedrpc services,
store its current session state and exit cleanly.

Currently application doesn't handle KeyboardInterrupt or SystemExit
exceptions properly, so when you control-c your fuzzie because you goofed
something up it throws KeyboardInterrupt error and you get to sit and wait
until everything times out, or you have to killall python to get it to
finish exiting.

[Google] PEDRPC connection client severed during recv()

What steps will reproduce the problem?

  1. setup a basic http fuzzer
  2. only configure network monitor
  3. start fuzzer and you get the following error

linux-4x77:/home/spoofy/hacking/sulley-read-only # ./network_monitor.py -d
3 -l 5 -f "host 127.0.0.1 and port 80" -P audits/
/home/spoofy/hacking/sulley-read-only/sulley/blocks.py:6
DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
/home/spoofy/hacking/sulley-read-only/sulley/blocks.py:7
DeprecationWarning: the sha module is deprecated; use the hashlib module
instead
import sha
[11:51.29] Network Monitor PED-RPC server initialized:
[11:51.29] device: lo
[11:51.29] filter: host 127.0.0.1 and port 80
[11:51.29] log path: audits/
[11:51.29] log_level: 5
[11:51.29] Awaiting requests...
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()
PED-RPC> connection client severed during recv()

pcap looks like..

11:50:35.063439 IP 127.0.0.1.54673 > 127.0.0.1.26001: Flags [S], seq
3604242073, win 32792, options [mss 16396,sackOK,TS val 440266526 ecr
0,nop,wscale 7], length 0
0x0000: 4500 003c b187 4000 4006 8b32 7f00 0001 E..<..@.@..2....
0x0010: 7f00 0001 d591 6591 d6d4 5e99 0000 0000 ......e...^.....
0x0020: a002 8018 15a0 0000 0204 400c 0402 080a ..........@.....
0x0030: 1a3d ef1e 0000 0000 0103 0307 .=..........
11:50:35.063463 IP 127.0.0.1.26001 > 127.0.0.1.54673: Flags [S.], seq
3598275958, ack 3604242074, win 32768, options [mss 16396,sackOK,TS val
440266526 ecr 440266526,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 4006 3cba 7f00 0001 E..<..@.@.<.....
0x0010: 7f00 0001 6591 d591 d679 5576 d6d4 5e9a ....e....yUv..^.
0x0020: a012 8000 e05a 0000 0204 400c 0402 080a .....Z....@.....
0x0030: 1a3d ef1e 1a3d ef1e 0103 0307 .=...=......
11:50:35.063483 IP 127.0.0.1.54673 > 127.0.0.1.26001: Flags [.], ack 1, win
257, options [nop,nop,TS val 440266526 ecr 440266526], length 0
0x0000: 4500 0034 b188 4000 4006 8b39 7f00 0001 E..4..@.@..9....
0x0010: 7f00 0001 d591 6591 d6d4 5e9a d679 5577 ......e...^..yUw
0x0020: 8010 0101 c87e 0000 0101 080a 1a3d ef1e .....~.......=..
0x0030: 1a3d ef1e .=..
11:50:35.063504 IP 127.0.0.1.26001 > 127.0.0.1.54672: Flags [F.], seq 1,
ack 2, win 256, options [nop,nop,TS val 440266526 ecr 440266526], length 0
0x0000: 4500 0034 41d2 4000 4006 faef 7f00 0001 E..4A.@.@.......
0x0010: 7f00 0001 6591 d590 d5e2 aae7 d599 26db ....e.........&.
0x0020: 8011 0100 aca0 0000 0101 080a 1a3d ef1e .............=..
0x0030: 1a3d ef1e .=..
11:50:35.063536 IP 127.0.0.1.54672 > 127.0.0.1.26001: Flags [.], ack 2, win
257, options [nop,nop,TS val 440266526 ecr 440266526], length 0
0x0000: 4500 0034 cdef 4000 4006 6ed2 7f00 0001 E..4..@.@.n.....
0x0010: 7f00 0001 d590 6591 d599 26db d5e2 aae8 ......e...&.....
0x0020: 8010 0101 ac9f 0000 0101 080a 1a3d ef1e .............=..
0x0030: 1a3d ef1e .=..

What version of the product are you using? On what operating system?
sulley revision 156 on linux
Linux linux-4x77 2.6.34-rc5-6-desktop #1 SMP PREEMPT 2010-04-22 21:18:20
+0200 x86_64 x86_64 x86_64 GNU/Linux

Please provide any additional information below.
any plans to get pydbg working on linux?

[Google] Allow fuzzing more than one field at once

Is there any way to fuzz more than a single field at once?

I've often seen bugs that my fuzzer didn't find because they just required fuzzing two fields at
once.

Obviously, fuzzing all fields simultaneously makes the session take exponentially more time, but I
wonder if there's a way to identify a couple fields that should be fuzzed simultaneously, or a way to
run forever, randomly selecting groups of fields to fuzz simultaneously...
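
One way to build the multi-field cases this request asks for, as an added example that is not Sulley's code: per-field mutation libraries are enumerated one field at a time (today's behaviour), for one chosen pair of fields (cartesian product), or in an open-ended mode that keeps picking a random group of fields and mutates them together. The request template, field order and libraries below are constructed for the demo; a real session would take them from the request definition.

```python
import itertools
import random

# Added example, not Sulley's code: enumerate multi-field fuzz cases from
# per-field mutation libraries. Template and libraries are constructed here.
TEMPLATE = {"method": b"GET", "path": b"/index.html",
            "version": b"HTTP/1.1", "host": b"example.test"}
ORDER = ("method", "path", "version", "host")
LIBRARIES = {
    "method": [b"GET" * 64, b"\x00", b"%n%n%n%n"],
    "path": [b"/" + b"A" * 1024, b"/../../etc/passwd", b"/%s%s%s%s"],
    "version": [b"HTTP/9.9", b"HTTP/1.1" + b"\r\n" * 8],
    "host": [b"\xff" * 256, b"x" * 65536],
}


def render(case, order=ORDER):
    """Join the fields into one request (constructed layout)."""
    request_line = b" ".join(case[name] for name in order[:3])
    return request_line + b"\r\nHost: " + case[order[3]] + b"\r\n\r\n"


def single_field_cases(template, libraries):
    """Today's behaviour: one field mutated at a time, the others at their default."""
    for name, lib in libraries.items():
        for value in lib:
            yield {**template, name: value}


def pairwise_cases(template, libraries, pair):
    """Mutate exactly the two named fields together (cartesian product of their libraries)."""
    first, second = pair
    for v1, v2 in itertools.product(libraries[first], libraries[second]):
        yield {**template, first: v1, second: v2}


def case_count(libraries, fields):
    """Cases needed when `fields` are mutated simultaneously: the product of the
    library sizes, which is why fuzzing every field at once is not practical."""
    n = 1
    for name in fields:
        n *= len(libraries[name])
    return n


def random_group_cases(template, libraries, group_size, limit, seed=0):
    """Open-ended mode: keep choosing `group_size` fields at random and mutate them
    all. Deterministic for a given seed so a crash can be replayed; `limit` bounds
    the run. Yields (chosen_fields, case)."""
    rng = random.Random(seed)
    names = sorted(libraries)
    for _ in range(limit):
        chosen = rng.sample(names, group_size)
        case = dict(template)
        for name in chosen:
            case[name] = rng.choice(libraries[name])
        yield chosen, case


if __name__ == "__main__":
    print("single-field cases:", sum(1 for _ in single_field_cases(TEMPLATE, LIBRARIES)))
    print("path x host cases: ", case_count(LIBRARIES, ("path", "host")))
    print("all fields at once:", case_count(LIBRARIES, ORDER))
    for chosen, case in random_group_cases(TEMPLATE, LIBRARIES, 2, 3, seed=1):
        print(chosen, render(case)[:60])
```

The seed is the important design choice for the random mode: a session that runs "forever" is only useful if the case that produced a crash can be regenerated, so the group selection must be a pure function of the seed and the iteration index.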

Windows installation instructions not working on win8

Hello,

I've been trying to compile the source.
Unfortunately the MinGW-version that is recommended in the installation tutorial, seems to have a problem finding the path to gcc.

When I try to compile libdasm, I get the error "gcc: CreateProcess: No such file or directory". I added C:\MinGW and C:\MinGW\bin to PATH, so that shouldn't be the issue.

Additionally I found the following thread in MinGW user forums:
http://mingw-users.1079350.n2.nabble.com/MinGW-users-quot-gcc-CreateProcess-No-such-file-or-directory-quot-td5911173.html

There it is recommended to use another version of MinGW

http://sourceforge.net/projects/mingw/files/MinGW/BaseSystem/GCC/Version4/gcc-4.5.0-1/gcc-objc-4.5.0-1-mingw32-bin.tar.lzma/download

Unfortunately this version is not available anymore on sourceforge.net. Since it is explicitly described in the installation tutorial to 'Make sure to use pre-packaged repo catalogs and the old version!' I'm stuck here and don't know which version of MinGW to use. Any help is appreciated!

Regards,
thelib

Use Network Monitor from Host Computer?

Hi,

I was wondering if there is a way to run a Network Monitor from the host computer? Or does it always have to be running on the target computer? If so, are there any special flags I should use/what is the implementation?

Thanks,
4leaf

[Google] Remove ^M's

A lot of the python files are using ^M for EOL. Attached is a patch
removing them (in git format).

[Google] Make accessible the actual data sent for every fuzz case

Enhancement requested by nnp:

Just a small suggestion. It could be useful to store the actual data
sent from every fuzz case in the node. The reasoning behind this is
the callbacks receive the node and from that they can call the
.render() method, modify the data and return it but if you use a
post_send method and need to perform some sort of action based on the
data sent you can only get access to the pre-callback rendered data.
This is a problem if the callback can make non-deterministic
modifications to the data, e.g generating a cryptographically secure
key. Also could I suggest passing the node to be rendered to the
post_send methods.

signal module doesn't have pause method in Python 2.7 for Windows

Traceback (most recent call last):
File "C:\SE\login.py", line 25, in <module>
sess.fuzz()
File "C:\sulley_build\sulley\sulley\sessions.py", line 540, in fuzz
self.fuzz(self.fuzz_node, path)
File "C:\sulley_build\sulley\sulley\sessions.py", line 553, in fuzz
signal.pause()
AttributeError: 'module' object has no attribute 'pause'

"full_range" attribute does not work for data types larger than s_word()

Hi,

There is a bug when trying to fuzz the full range of values in anything larger than an s_word() because when it tries to convert the max number of fuzzes from a python number to a C long, the number is too large. For example, the number of fuzzes for a dword is 4.3 billion and the C long data type maxes out at around 2.15 billion. I know it is kind of silly to be fuzzing something 4 billion times, but it would be nice for it to work in case someone wants to do that!

-4leaf
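
The three full_range reports (the "dwords full range" OverflowError and MemoryError, the s_byte report that 255 is missing, and the one above about anything wider than s_word), plus the request to leave the default value out of the fuzzed values, all come from the same design: primitives.py builds `fuzz_library` as a list with `xrange(0, self.max_num)`. Below is an added example, not Sulley's code, of an integer primitive whose full-range mode is a lazy generator over an inclusive range and whose mutation count is computed arithmetically. The boundary-value list used when full_range is off is an assumption in the spirit of Sulley's defaults, not its actual table. Python 3's `range` is used; on Python 2 the same shape works with a generator in place of `xrange`.

```python
import struct

# Added example, not Sulley's code: an integer primitive whose full_range mode
# is a lazy generator over an inclusive range instead of a materialised list.
FORMATS = {8: "B", 16: "H", 32: "I", 64: "Q"}


class LazyIntPrimitive:
    def __init__(self, name, width_bits, default, full_range=False,
                 endian="<", exclude_default=False):
        if width_bits not in FORMATS:
            raise ValueError("width must be 8, 16, 32 or 64 bits")
        self.name = name
        self.fmt = endian + FORMATS[width_bits]
        self.max_num = (1 << width_bits) - 1        # largest value, inclusive
        if not 0 <= default <= self.max_num:
            raise ValueError("default out of range")
        self.default = default
        self.full_range = full_range
        self.exclude_default = exclude_default

    def _candidates(self):
        if self.full_range:
            # range() is lazy and is not limited to a C long; the +1 keeps the top
            # value (0xff for a byte) in the set, unlike xrange(0, max_num).
            return range(0, self.max_num + 1)
        # Assumed boundary set (not Sulley's real list): edges, halves, quarters, thirds.
        m = self.max_num
        picks = {0, 1, m, m - 1, m // 2, m // 2 - 1, m // 2 + 1,
                 m // 4, m // 4 + 1, m // 3, m // 3 + 1}
        return sorted(v for v in picks if 0 <= v <= m)

    def values(self):
        """Yield mutation values one at a time; never builds a 2**32 element list."""
        for v in self._candidates():
            if self.exclude_default and v == self.default:
                continue
            yield v

    def num_mutations(self):
        """Count without len(range(...)): a qword range exceeds a C ssize_t."""
        n = self.max_num + 1 if self.full_range else len(self._candidates())
        if self.exclude_default and self.default in self._candidates():   # O(1) for range()
            n -= 1
        return n

    def render(self, value):
        """Pack one mutation value with the primitive's width and endianness."""
        return struct.pack(self.fmt, value)


if __name__ == "__main__":
    dword = LazyIntPrimitive("dword", 32, 1, full_range=True)
    it = dword.values()
    print(dword.num_mutations(), [dword.render(next(it)) for _ in range(3)])
```

Note that the session's total-case counter still has to hold 2**32 or 2**64, so any code that formats it with `%d` is fine but anything that packs it into a fixed-width field, such as a PED-RPC message, needs the same care.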

Thread problem when stopping Sulley

Hello,

I have some problem when stopping sulley during tests through SIGINT. In fact the main process is waiting for the end of the web server's thread. I don't know if it's a global problem or only on my laptop (archlinux Linux 3.3.7 / python 2.7.3 / Sulley revision 162).

I have done those modifications to correct this bug :

Index: sulley/sessions.py
===================================================================
--- sulley/sessions.py  (revision 162)
+++ sulley/sessions.py  (working copy)
@@ -8,6 +8,7 @@
 import cPickle
 import threading
 import BaseHTTPServer
+import httplib

 import blocks
 import pedrpc
@@ -436,7 +437,8 @@

                         try:
                             sock.settimeout(self.timeout)
-                            sock.connect((target.host, target.port))
+                            if self.proto == socket.SOCK_STREAM:
+                                sock.connect((target.host, target.port))
                         except Exception, e:
                             error_handler(e, "failed connecting on socket", target, sock)
                             continue
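
Review bot: this hunk, and the `sock.send`/`sock.sendto` hunk further down, are the UDP `connect()` change from the separate "Bad handling of UDP sockets" issue and have nothing to do with stopping on SIGINT; split them into their own patch so each change can be reviewed and reverted on its own.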
@@ -503,7 +505,7 @@
         # finished with the last node on the path, pop it off the path stack.
         if path:
             path.pop()
-            
+
         # loop to keep the main thread running and be able to receive signals
         if self.signal_module:
             # wait for a signal only if fuzzing is finished (this function is recursive)
@@ -739,11 +741,11 @@

         self.total_mutant_index  = 0
         self.total_num_mutations = self.num_mutations()
-        
+
         # web interface thread doesn't catch KeyboardInterrupt
         # add a signal handler, and exit on SIGINT
         # XXX - should wait for the end of the ongoing test case, and stop gracefully netmon and procmon
-        #     - doesn't work on OS where the signal module isn't available        
+        #     - doesn't work on OS where the signal module isn't available
         try:
             import signal
             self.signal_module = True
@@ -753,13 +755,17 @@
             def exit_abruptly(signal, frame):
                 '''Save current settings (just in case) and exit'''
                 self.export_file()
+                try:
+                    self.thread.join()
+                except:
+                    self.log("No web server launched, still exiting...", 10)
                 self.log("SIGINT received ... exiting")
                 sys.exit(0)
             signal.signal(signal.SIGINT, exit_abruptly)

         # spawn the web interface.
-        t = web_interface_thread(self)
-        t.start()
+        self.thread = web_interface_thread(self)
+        self.thread.start()


     ####################################################################################################################
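
Review bot: `self.thread` is only assigned after `signal.signal(signal.SIGINT, exit_abruptly)` has been installed, so a SIGINT in the window between the two raises `AttributeError` inside the handler; the bare `except:` papers over that and also swallows `SystemExit` and `KeyboardInterrupt`. Set `self.thread = None` before installing the handler and test for it, or catch `AttributeError` explicitly, and consider moving `self.export_file()` after the web thread has stopped so a request served during export cannot observe a half-written session.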
@@ -804,7 +810,10 @@
                 data = data[:MAX_UDP]

         try:
-            sock.send(data)
+            if self.proto == socket.SOCK_STREAM:
+                sock.send(data)
+            else:
+                sock.sendto(data,(self.targets[0].host, self.targets[0].port))
         except Exception, inst:
             self.log("Socket error, send: %s" % inst[1])

@@ -1086,10 +1095,19 @@
     def __init__ (self, session):
         threading.Thread.__init__(self)

+        self._stopevent = threading.event()
         self.session = session
         self.server  = None


     def run (self):
         self.server = web_interface_server(('', self.session.web_port), web_interface_handler, self.session)
-        self.server.serve_forever()
+        while not self._stopevent.isSet():
+            self.server.handle_request()
+
+    def join(self, timeout=None):
+        # A little dirty but no other solution afaik
+        self._stopevent.set()
+        conn = httplib.HTTPConnection("localhost:%d" % self.session.web_port)
+        conn.request("GET", "/")
+        conn.getresponse()
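
Review bot: `threading.event()` does not exist (the class is `threading.Event`), so `__init__` raises `AttributeError` as written. The `handle_request()` loop plus the self-connect in `join` re-implements what `BaseHTTPServer.HTTPServer.shutdown()` (inherited from `SocketServer.BaseServer`, Python 2.6+) already provides for `serve_forever()`; calling `self.server.shutdown()` from the signal handler removes the trick and the `httplib` import. Note also that the overridden `join` never calls `threading.Thread.join`, so it returns before the thread has actually exited.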

There is a dirty trick at the end because the web server is still waiting for one connection to stop but I haven't found any clue of a better solution.
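
The cleaner solution to the "dirty trick", as an added example that is not Sulley's code: `HTTPServer.shutdown()` stops `serve_forever()` from another thread, so the SIGINT handler can persist the session, stop the web interface and exit without connecting to itself. The session is a plain dict and `export` a callable stand-in for Sulley's `session.export_file()`; both are assumptions for the demo, and the server binds to an ephemeral loopback port.

```python
import http.client
import http.server
import json
import signal
import threading

# Added example, not Sulley's code: a web-interface thread that a SIGINT handler
# can stop with HTTPServer.shutdown(). The session is a dict stand-in.


class WebInterfaceThread(threading.Thread):
    def __init__(self, session, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.session = session
        self.server = http.server.HTTPServer((host, port), _make_handler(session))
        self._started = threading.Event()

    @property
    def port(self):
        return self.server.server_address[1]

    def run(self):
        self._started.set()
        self.server.serve_forever(poll_interval=0.2)   # returns once shutdown() is called

    def stop(self, timeout=5.0):
        """Stop the serve loop from another thread and wait for this thread to exit."""
        self._started.wait(timeout)    # shutdown() would block if serve_forever never ran
        self.server.shutdown()
        self.server.server_close()
        self.join(timeout)
        return not self.is_alive()


def _make_handler(session):
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = json.dumps(session).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the fuzzer's console output clean
            pass
    return Handler


def make_sigint_handler(session, web_thread, export):
    """Persist the session, stop the web thread, then exit (no self-connect needed)."""
    def on_sigint(signum, frame):
        export(session)            # stands in for session.export_file()
        web_thread.stop()
        raise SystemExit(0)
    return on_sigint


def fetch_status(port):
    """Client side of the web interface: GET / and decode the JSON body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    session = {"total_mutant_index": 0, "total_num_mutations": 18655}
    web = WebInterfaceThread(session)
    web.start()
    signal.signal(signal.SIGINT, make_sigint_handler(session, web, print))
    print("web interface on port", web.port, fetch_status(web.port))
    web.join()   # Ctrl-C runs the handler, which stops the server and exits
```

`shutdown()` must be called from a thread other than the one running `serve_forever()`, which is exactly the situation in the signal handler (main thread) and the web thread; the `_started` event guards the one case where it would block, a SIGINT arriving before the loop has begun.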

Rendering of group references

I initialize a data model as below:

s_initialize("DM2")
s_group("group", values=["A_", "B_", "C_", "D_"])
if s_block_start("BLOCK1"):
    s_string("string1_", name="string1")
s_block_end()
if s_block_start("BLOCK2", group="group"):
    s_string("string2_", name="string2")
s_block_end()

Then I call 's_render()' and check the value. What I expected was:

'string1_A_string2_'

instead I got:

'A_string1_string2_'

It seems to me that the group reference of BLOCK2 is not rendered at all, because the result is the same, when I remove the group reference from BLOCK2.

How to Install Sulley on Linux (Ubuntu 12.04)

Hi,

I have been using Sulley for about a week and a half now on Windows 7 and absolutely love it! Now I am trying to figure out how to install Sulley on my Ubuntu 12.04 machine and cannot find any good tutorials online. Are there any tutorials online that anyone knows of or can somebody please help me figure out how to install Sulley on my Linux machine? This would be a life saver.

Thanks a lot,
-4leaf

fuzzable argument not working with s_binary()

Hi,

I am currently trying to fuzz an embedded system using the s_binary() method. I want to fuzz different fields depending on the fuzzing session, so I want to use the s_binary() method to define my protocol so that I can set some fields as fuzzable and some as not fuzzable. For some reason, I am getting the error "TypeError: s_binary() got an unexpected keyword argument 'fuzzable'", even though I know s_binary() should have a fuzzable argument from reading the documentation included with Sulley.

Here is the line of code that is generating the error:

s_binary("0x00", name="IDBit", fuzzable="False")

Any ideas?

Thanks a lot,
-4leaf

[Google] session socket read fuzzing

Just learning sulley, so if this is already taken care of I apologize.

When defining a session it would be nice to have the option to specify if a
socket read should occur.

Example:
sess.connect(s_get("helo"))
sess.connect(s_get("helo"), s_get("mail from"))

When moving between the 'helo' request and 'mail from' request we should
try not reading from the socket and closing the connection.

From my understanding by reading the documentation a session is always
followed from start to end of the request graph. Part of this socket read
fuzzing would be to stop the session between requests and close the socket
without reading.

This would catch sig pipe issues in server processes.

[Google] Additional crash recording criteria

What steps will reproduce the problem?

  1. If an application crashes or bails and pydbg doesn't catch the exception
    for some reason, the crash isn't recorded.
  2. Right now this can be replicated with applications that throw C++
    exceptions, as pydbg doesn't seem to handle them properly.

What is the expected output? What do you see instead?
If the debugger thread exits and has to reattach, this should be recorded
as a potential crash

What version of the product are you using? On what operating system?
My really hacked up version of sulley. :) on Ubuntu

Please provide any additional information below.
Once sulley calls post_send in process_monitor and before it calls
restart_target there should be logic that says:

If dbg.thread = dead && app.pid = gone.
    record.crash to session

Improve crash detection without access to the server

Sulley has procmon which is really great when fuzzing a tool with access on the server however when you do not have access to the server (embedded device for example), there is no way of detecting a crash.

I think it would be helpful to have several detections possible integrated into Sulley that can be activated in session options, for example :

  • End of connection detected (for TCP) or no answer (for UDP)
  • ICMP port unreachable received (probably complete crash of the service)
  • No answer to ping (perhaps this action can be launched only when receiving ICMP port unreachable).

What does the sulley community think about it?
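The three detections proposed above can be done from the client side without any monitor on the target. This is an added example, not Sulley code: `probe_tcp` sees a closed connection or RST, `probe_udp` sees an ICMP port unreachable as the `ConnectionRefusedError` the kernel raises on a connected UDP socket, and `crash_suspected` turns the probe results into the per-test-case decision a session would record. Host and port are supplied by the caller; function names are my own.

```python
import socket

# Added example, not part of Sulley. Client-side liveness checks a fuzzer can
# run between test cases when no process monitor can be installed on the
# target (e.g. an embedded device).

def probe_tcp(host, port, timeout=2.0):
    """'up' if a connect succeeds, 'refused' on RST (listener gone, likely the
    service died), 'timeout' if nothing answers (host or stack may be down)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "up"
    except ConnectionRefusedError:   # must precede the OSError catch-all
        return "refused"
    except OSError:                  # includes socket.timeout
        return "timeout"
    finally:
        s.close()

def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """Send one datagram on a connected UDP socket. An ICMP port unreachable
    reply surfaces as ConnectionRefusedError on the next recv(); no reply at
    all is 'silent', which alone proves nothing for a UDP service."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1)
        return "up"
    except ConnectionRefusedError:
        return "unreachable"
    except OSError:
        return "silent"
    finally:
        s.close()

def crash_suspected(tcp_state=None, udp_state=None):
    """Session-level decision: flag the last test case for review when the
    service has disappeared (TCP refused / ICMP unreachable) or the whole host
    stopped answering (TCP timeout, the 'no answer to ping' case above)."""
    return tcp_state in ("refused", "timeout") or udp_state == "unreachable"
```

A session would call these after each send and, on a suspected crash, record the test case number the same way procmon does today.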

network_monitor broken in linux

When I use network monitor on my kubuntu precise machine, the network_monitor starts and waits for a connection and then exits immediately when it gets one. Traced this back to line 181 of the script "self.pcap = pcapy.open_live(self.device, -1, 1, 100)". Trying this just in a shell I get an error "pcapy.PcapError: eth0: can't allocate oneshot buffer: Cannot allocate memory". Changing line 181 to "self.pcap = pcapy.open_live(self.device, 1518, 1, 100)" fixes this, but I haven't tested on windows, so I don't know if it breaks anything there.

Error when trying to fuzz using s_word()

Hi,

I have set up a very simple fuzzer to fuzz two bytes in a particular protocol using the s_word() data element. But, when I try to run the sulley file, I get the error:

File "C:\sulley_build\sulley\sulley\primitives.py", line 845, in __init__ value = struct.unpack(endian + "H", value)[0]
struct.error: unpack requires a string argument of length 2

My data model code looks like this:

s_initialize("ID1")
s_word("0x0000", name="data", full_range="True", format="binary", fuzzable="True")

Looking at the source code, it seems that endian + "H" is in fact a string argument of length 2, so I am a bit confused as to why I'm getting this error.

Any help/ideas would be much appreciated!

Thanks a lot,
-4leaf

[Google] process_monitor failing to handle access violation following a C++ exception

From Matt Watchinski:

For the life of me I can't get process_monitor to generate a crashbin
or log test cases that caused a crash, even though the application
blows up.

It seems the application throws exception code e06d7363, process_monitor
sees "first chance", then it skips it. The app then NULL pointer
dereferences and dies. Under WinDbg this causes a second chance
exception and everything works as expected. PyDbg just says "thread
exiting" and then Sulley restarts the app and moves on to the next fuzz
case.

When I added something other than None to the _log lambda on pydbg I can
see pydbg sees the C++ exceptions, says it's unhandled, says it's first
chance and then pydbg bails the thread.

[Google] unable to open crashbin

What steps will reproduce the problem?

  1. done fuzzing
  2. use crashbin_explorer.py
  3. ERROR

What is the expected output? What do you see instead?
D:\ZFTEST\sulley\utils>crashbin_explorer.py audits\war-ftp.crashbin
unable to open crashbin: 'audits\war-ftp.crashbin'.

why?

What version of the product are you using? On what operating system?
sulley-stable-rev157 WINDOWS XP3

Please provide any additional information below.
Is there something required?

[Google] signal.pause() on Windows in fuzz function

What steps will reproduce the problem?

  1. Complete a fuzzer script on Windows
  2. Observe error

What is the expected output? What do you see instead?

[11:25.08] netmon captured 0 bytes for test case #18655
[11:25.08] all possible mutations for current fuzz node exhausted
Traceback (most recent call last):
File "http.py", line 75, in
sess.fuzz()
File "C:\dev\sulley\sulley\sessions.py", line 501, in fuzz
self.fuzz(self.fuzz_node, path)
File "C:\dev\sulley\sulley\sessions.py", line 514, in fuzz
signal.pause()
AttributeError: 'module' object has no attribute 'pause'

No support for signal.pause() on Windows.

What version of the product are you using? On what operating system?
Current SVN as of 1/14/2009, Windows XP SP3.
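A portable replacement for the `signal.pause()` call in sessions.py, added here as an example (not Sulley code): instead of the POSIX-only pause, block on a `threading.Event` that a SIGINT handler sets, which works on Windows as well. The class and method names are my own.

```python
import signal
import threading
import time

# Added example, not Sulley code. sessions.py blocks with signal.pause() once
# all mutations are exhausted; Windows has no signal.pause, so wait on an
# Event that a SIGINT handler sets instead.

class PauseUntilInterrupt:
    """Portable stand-in for signal.pause(): block until Ctrl-C (SIGINT)."""

    def __init__(self):
        self._stop = threading.Event()
        self._prev = None
        # Signal handlers may only be installed from the main thread.
        if threading.current_thread() is threading.main_thread():
            self._prev = signal.signal(signal.SIGINT, self._on_sigint)

    def _on_sigint(self, signum, frame):
        self._stop.set()

    def interrupt(self):
        """Programmatic equivalent of Ctrl-C (handy for tests)."""
        self._stop.set()

    def wait(self, timeout=None):
        """Block until interrupted; True if SIGINT arrived, False on timeout.
        Waiting in short slices keeps the main thread able to run the Python
        signal handler on Windows, where one long wait may not be interrupted."""
        deadline = None if timeout is None else time.monotonic() + timeout
        while not self._stop.is_set():
            if deadline is not None and time.monotonic() >= deadline:
                return False
            self._stop.wait(0.2)
        return True

    def restore(self):
        """Put back the previous SIGINT handler once the session is over."""
        if self._prev is not None:
            signal.signal(signal.SIGINT, self._prev)
```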
