Now it is time to define our main session file and its agents.
# coding=utf-8
from sulley import *
from requests import ftp   # this is our ftp.py file with the request definitions

# pre_send callback: consume the server greeting before any fuzz data is sent
def receive_ftp_banner(sock):
    sock.recv(1024)

sess = sessions.session(session_filename="C:\\sulley\\sulley-master\\audits\\easyftpserver.session", sleep_time=0.01)
target = sessions.target("192.168.43.110", 21)
target.netmon = pedrpc.client("192.168.43.110", 26001)
target.procmon = pedrpc.client("192.168.43.110", 26002)
target.procmon_options = \
{
    "proc_name"      : "easyftp.exe",
    "stop_commands"  : ['taskkill /im "easyftp.exe" -f'],
    "start_commands" : ['C:\\easyftp\\easyftp.exe'],
}
# Here we tie in the receive_ftp_banner function which receives
# a socket.socket() object from Sulley as its only parameter
sess.pre_send = receive_ftp_banner
sess.add_target(target)
sess.connect(s_get("user"))
sess.connect(s_get("user"), s_get("pass"))
sess.connect(s_get("pass"), s_get("cwd"))
sess.connect(s_get("pass"), s_get("dele"))
sess.connect(s_get("pass"), s_get("mdtm"))
sess.connect(s_get("pass"), s_get("mkd"))
sess.fuzz()
The session file imports the ftp module we created previously.
receive_ftp_banner() is required because every FTP server sends a banner as soon as the client connects. We bind it to sess.pre_send so that Sulley reads the FTP banner before sending any fuzzing data.
Then the Sulley session file name is defined.
Next, the target is specified with the IP address and the TCP port to connect to.
The Sulley network monitor and process monitor agents are defined as well. We will give more information on them later.
The name of the target binary is provided in the procmon_options block.
It is very important to give Sulley the right commands to stop and start the target application.
With these commands Sulley is able to properly restart the application if a crash is produced. We will name this file ftp_session.py.
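Two details of the session file are easy to overlook: the sess.connect() calls build a request graph, so before "cwd" is fuzzed Sulley must first send the "user" and "pass" requests that lead to it, and the pre_send hook must drain the greeting or the first fuzz case races the banner. The following is an added illustration, not Sulley's own code: it rebuilds the graph from the edges above, computes the path walked to reach each request, and shows a pre_send callback that reads the banner up to its CRLF (more robust than a single recv(1024)) against a constructed in-process socketpair standing in for the server.

```python
import socket

# Edges copied from the sess.connect() calls in the session file: (parent, child).
# None stands for the root of the graph (the first request sent on a connection).
SESSION_EDGES = [
    (None, "user"),
    ("user", "pass"),
    ("pass", "cwd"),
    ("pass", "dele"),
    ("pass", "mdtm"),
    ("pass", "mkd"),
]


def build_request_graph(edges):
    """Adjacency list: parent request -> list of child requests (insertion order kept)."""
    graph = {}
    for parent, child in edges:
        graph.setdefault(parent, []).append(child)
        graph.setdefault(child, [])
    return graph


def path_to(graph, node):
    """Sequence of requests sent, root first, before `node` itself is fuzzed."""
    parents = {c: p for p, children in graph.items() for c in children}
    path = []
    cur = node
    while cur is not None:
        path.append(cur)
        cur = parents.get(cur)
    return path[::-1]


def fuzz_order(graph):
    """Depth-first walk from the root: the order in which requests get their turn."""
    order = []

    def walk(n):
        for child in graph.get(n, []):
            order.append(child)
            walk(child)

    walk(None)
    return order


def receive_ftp_banner(sock, timeout=2.0):
    """pre_send-style callback: consume the 220 greeting line before fuzz data goes out.
    Reads until CRLF so a banner split across segments is still fully drained."""
    sock.settimeout(timeout)
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:  # peer closed before finishing the banner
            break
        data += chunk
    return data.decode("latin-1", "replace").strip()


def demo_banner():
    """Constructed offline demo: the 'server' end writes a banner, the client drains it."""
    client, server = socket.socketpair()
    try:
        server.sendall(b"220 Constructed FTP banner for the example\r\n")
        return receive_ftp_banner(client)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    g = build_request_graph(SESSION_EDGES)
    for req in fuzz_order(g):
        print(req, "<-", " -> ".join(path_to(g, req)))
    print("banner:", demo_banner())
```

When a crash is reported for, say, the "mkd" request, path_to() tells you the exact prefix of requests Sulley replayed on that connection, which is what you need to reproduce the test case outside the fuzzer.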
Test procedure
server:
The Sulley process monitor agent is responsible for detecting errors which may occur during the fuzzing process:
python process_monitor.py -c C:\easyftpserver.crash -p easyftp.exe
The Sulley network monitor agent is responsible for monitoring network communications and logging them to PCAP files:
python network_monitor.py -d 0 -f "src or dst port 21" -P C:\pcaps\
client:
Start fuzzing:
python ftp_session.py
Sulley has a web interface listening on TCP port 26000 which lets you observe the crashes produced.
Refreshing the browser shows the current progress of the fuzzing run, the request currently in use and the crash information.
Clicking on a test case number shows the detailed crash information in the PyDbg crash message format.
server:
Check the crash information:
crashbin_explorer.py c:\easyftpserver.crash -t #
Attach Immunity Debugger or PyDbg to the vulnerable process during the first crash.