Sulley example: testing easyftp

Use Sulley to crash easyftp

Test target: easyftpserver

Test environment:

  • VMware Workstation with two Windows XP SP3 machines
  • Both machines run in an isolated environment
  • Server:
    Sulley [monitors the process and the network, generates the crash file] + Python
    IP 192.168.43.110
  • Client:
    Sulley [injects data to trigger crashes] + Python
    IP 192.168.43.111

Test preparation

  • First we create our Sulley requests.
  • Then we define the strings and delimiters so that each request respects the FTP protocol definition.
  • Finally we name this file ftp.py.

#ftp.py
from sulley import *

# Each s_initialize() block describes one FTP command line:
# static command name, delimiter, fuzzable argument, static CRLF.

# USER <name>
s_initialize("user")
s_static("USER")
s_delim(" ")
s_string("justin")
s_static("\r\n")

# PASS <password>
s_initialize("pass")
s_static("PASS")
s_delim(" ")
s_string("justin")
s_static("\r\n")

# CWD <directory>
s_initialize("cwd")
s_static("CWD")
s_delim(" ")
s_string("c: ")
s_static("\r\n")

# DELE <file>
s_initialize("dele")
s_static("DELE")
s_delim(" ")
s_string("c:\\test.txt")
s_static("\r\n")

# MDTM <file>
s_initialize("mdtm")
s_static("MDTM")
s_delim(" ")
s_string("C:\\boot.ini")
s_static("\r\n")

# MKD <directory>
s_initialize("mkd")
s_static("MKD")
s_delim(" ")
s_string("C:\\TESTDIR")
s_static("\r\n")

  • Now it is time to define our main session file and its agents.

#coding=utf-8
from sulley import *
from requests import ftp  # this is our ftp.py file

def receive_ftp_banner(sock):
    # Consume the banner the server sends on connect
    sock.recv(1024)

sess = sessions.session(
    session_filename="C:\\sulley\\sulley-master\\audits\\easyftpserver.session",
    sleep_time=0.01)

# Target FTP server and the two monitor agents running next to it
target = sessions.target("192.168.43.110", 21)
target.netmon = pedrpc.client("192.168.43.110", 26001)
target.procmon = pedrpc.client("192.168.43.110", 26002)
target.procmon_options = \
{
    "proc_name" : "easyftp.exe",
    "stop_commands" : ['taskkill /im "easyftp.exe" -f'],
    "start_commands" : ['C:\\easyftp\\easyftp.exe'],
}

# Here we tie in the receive_ftp_banner function which receives
# a socket.socket() object from Sulley as its only parameter
sess.pre_send = receive_ftp_banner
sess.add_target(target)

# Session graph: USER first, then PASS, then each authenticated command
sess.connect(s_get("user"))
sess.connect(s_get("user"), s_get("pass"))
sess.connect(s_get("pass"), s_get("cwd"))
sess.connect(s_get("pass"), s_get("dele"))
sess.connect(s_get("pass"), s_get("mdtm"))
sess.connect(s_get("pass"), s_get("mkd"))
sess.fuzz()

  • The session file imports the ftp module we created earlier.
  • receive_ftp_banner() is required because each FTP server sends a banner when the client connects. We bind it to sess.pre_send so that Sulley receives the FTP banner before sending fuzzing data.
  • Then the Sulley session file name is defined.
  • Next the target is specified by the IP address and the TCP port to connect to.
  • The Sulley network monitor and process monitor agents are defined too. We will give more information on them later.
  • The name of the target binary is provided in the procmon_options block.
  • It is very important to give Sulley the right commands to stop and start the target application.
  • With these commands Sulley will be able to properly restart the application if a crash is produced. We will name this file ftp_session.py.
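
The single sock.recv(1024) in receive_ftp_banner returns whatever bytes have arrived so far, which may be only part of the banner or the first line of a multi-line one, leaving the rest to be read as if it were the reply to a fuzzed command. The following is an added example, not code from the original post or from the Sulley project: a banner reader that consumes one complete RFC 959 reply. read_ftp_reply, FakeSock and the sample banner are names and data constructed for illustration.

```python
def read_ftp_reply(sock, timeout=5.0, max_bytes=65536):
    """Read one complete FTP reply (RFC 959) and return (code, text).

    A reply ends at the first line that starts with the reply code followed
    by a space; "220-..." lines announce that more lines follow.
    """
    sock.settimeout(timeout)
    buf, lines, code, total = b"", [], None, 0
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            raise IOError("connection closed before the FTP reply was complete")
        buf += chunk
        total += len(chunk)
        if total > max_bytes:
            raise IOError("FTP reply exceeds %d bytes" % max_bytes)
        while b"\n" in buf:  # only handle complete lines, keep the tail
            line, buf = buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            lines.append(line)
            if code is None:
                if len(line) < 3 or not line[:3].isdigit():
                    raise IOError("not an FTP reply: %r" % line)
                code = line[:3]
            if line[:3] == code and line[3:4] in (b" ", b""):
                text = b"\n".join(lines).decode("latin-1")
                return int(code.decode("ascii")), text

def receive_ftp_banner(sock):
    """Replacement for the pre_send callback: consume the whole banner."""
    return read_ftp_reply(sock)

class FakeSock(object):
    """Constructed stand-in for a socket that delivers a banner in pieces."""
    def __init__(self, chunks):
        self.chunks = list(chunks)
    def settimeout(self, seconds):
        pass
    def recv(self, size):
        return self.chunks.pop(0) if self.chunks else b""

if __name__ == "__main__":
    # Constructed banner, split mid-line the way TCP may deliver it.
    sample = [b"220-Wel", b"come\r\n220-second line\r\n220 Re", b"ady\r\n"]
    print(receive_ftp_banner(FakeSock(sample)))
```

The function uses only bytes operations that behave the same on Python 2 and 3, so it can be pasted into ftp_session.py in place of the original callback.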

Test procedure

  1. Server:
    • The Sulley process monitor agent detects errors that occur during the fuzzing process:
      python process_monitor.py -c C:\easyftpserver.crash -p easyftp.exe
    • The Sulley network monitor agent monitors network communications and logs them to PCAP files:
      python network_monitor.py -d 0 -f "src or dst port 21" -P C:\pcaps\
  2. Client:
    • Start fuzzing:
      python ftp_session.py
    • Sulley has a web service that listens on TCP port 26000, where the crashes produced can be observed.
    • Refresh the browser regularly to see the current progress of the fuzzing run, the request in use and the crash information.
    • Click a test case number to see detailed crash information in PyDbg crash message format.
  3. Server:
    • Check the crash information:
      crashbin_explorer.py c:\easyftpserver.crash -t #
    • Attach Immunity Debugger or PyDbg to the vulnerable process during the first crash.