I am trying to fuzz a BACnet device with the Sulley Fuzzing Framework.

To get to know the framework I wrote this fairly simple example, but it does not work.

from sulley import *

s_initialize("Test")

s_static(0x10, "Something")
s_byte(0x00, "SomeByte")

sess = sessions.session(proto="UDP")

sess.connect(sulley.s_get("Test"))

target = sessions.target("192.168.1.3", 0xBAC0)

target.netmon    = None
target.procmon   = None
target.vmcontrol = None

sess.add_target(target)
sess.fuzz()

But running it produces the following output:

pydev debugger: starting (pid: 3356)
[2015-11-09 09:40:54,351] [INFO] -> current fuzz path:  -> Test
[2015-11-09 09:40:54,352] [INFO] -> fuzzed 0 of 112 total cases
[2015-11-09 09:40:54,354] [INFO] -> fuzzing 1 of 112
[2015-11-09 09:40:54,354] [INFO] -> xmitting: [1.1]
[2015-11-09 09:40:54,355] [CRITICAL] -> failed transmitting fuzz node
Exception caught: TypeError("cannot concatenate 'str' and 'int' objects",)
Restarting target and trying again
[2015-11-09 09:40:54,355] [ERROR] -> no vmcontrol or procmon channel available ... sleeping for 300 seconds

I thought the problem might be that I set netmon, procmon and vmcontrol to None, but simply omitting them leads to the same output. I did not create these monitors because I cannot use them anyway for the device I want to fuzz later. I just want to send packets and see what happens. So, is it impossible to use Sulley without these monitors, or is there something else wrong with my code?

2 Answers

You say you cannot use the monitors for the device you want to fuzz later. But the network monitor should be able to run, because it runs on the attacker machine that runs the fuzzing script.

As for the process monitor, I suggest you use the external monitor/instrumentation in .../sully/sully/instrumentation.py. You can find the documentation at .../sully/docs/index.html

"Some types of target (embedded devices, for example) do not support debuggers, and in those cases the process monitor agent cannot be used. The external instrumentation class allows external commands to be called to detect faults and restart the target. SSH is used in the following example, but any Python function or external script can be used:"

import os
from sulley import *

# Placeholders for the documentation example: the device under test from the
# question (the Sulley docs leave IP_DST and PORT_DST undefined).
IP_DST   = "192.168.1.3"
PORT_DST = 0xBAC0

def ssh_is_alive():
    '''Check that the target is alive. Called after each test case. Return True if alive, False otherwise'''

    # os.popen2() (Python 2, which Sulley runs on) returns (child_stdin, child_stdout)
    _, stdout = os.popen2('ssh %s pidof target' % IP_DST)
    pid = stdout.read()
    return pid != ''

def ssh_restart():
    '''Restart the target. Called when instrumentation (post) fail.'''

    os.popen2('ssh %s /etc/init.d/target restart' % IP_DST)

sess           = sessions.session()          # pass proto="UDP" for a UDP target such as BACnet/IP
target         = sessions.target(IP_DST, PORT_DST)
# post= is called after every test case, start= when post() reports the target dead
target.procmon = instrumentation.external(post=ssh_is_alive, start=ssh_restart)
sess.add_target(target)
sess.connect(s_get('node'))
sess.fuzz()

answered 2016-07-12T12:12:44.380
Okay, it turns out it is possible to fuzz without monitors. Sulley just doesn't seem to like integer values in the s_static() function. That's also what caused the error. It needs to be a string, like s_static("00", "static").

answered 2015-11-09T11:48:20.480
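As an added example (not from the question, the answers or Sulley itself), a small Python 3 helper that encodes integer header values as the byte string s_static() expects and reproduces Sulley's concatenation step so that an int static is reported by primitive name before a session is started. Note that the literal "00" in the second answer is the two ASCII characters 0x30 0x30, not a single zero byte; the functions below make that difference visible.

```python
import struct

# Added example (not from the question, the answers or Sulley itself).
# Sulley is Python 2 code: s_static() stores the value it is given and the
# enclosing block renders the request with `rendered += item.rendered`, so an
# int such as 0x10 raises the TypeError seen in the question at transmit time.
_FMT = {1: "B", 2: "H", 4: "I", 8: "Q"}

def static_int(value, width=1, endian=">"):
    """Encode an integer as the raw byte string s_static() expects."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("static_int() needs an int, got %s" % type(value).__name__)
    if width not in _FMT:
        raise ValueError("width must be 1, 2, 4 or 8 bytes")
    if not 0 <= value < (1 << (8 * width)):
        raise ValueError("%#x does not fit in %d byte(s)" % (value, width))
    return struct.pack(endian + _FMT[width], value)

def static_str(text):
    """A Python 2 str literal is a byte string: "00" is the two ASCII bytes
    0x30 0x30, not one zero byte. Use "\\x00" (or static_int(0)) for that."""
    return text.encode("latin-1")

def render(primitives):
    """Mimic Sulley's block rendering: concatenate every primitive's value.
    Anything that is not a byte string is reported with the primitive's name,
    which Sulley's own "failed transmitting fuzz node" message does not give."""
    rendered = b""
    for name, value in primitives:
        if not isinstance(value, (bytes, bytearray)):
            raise TypeError("primitive %r holds %s, not a byte string: %r"
                            % (name, type(value).__name__, value))
        rendered += bytes(value)
    return rendered

def check(primitives):
    """Return (True, rendered bytes) or (False, error message) for a request."""
    try:
        return True, render(primitives)
    except TypeError as exc:
        return False, str(exc)

# Constructed request definitions mirroring the question (the fuzzable byte is
# shown at its default value, before any mutation).
BROKEN = [("Something", 0x10), ("SomeByte", static_int(0x00))]
FIXED  = [("Something", static_int(0x10)), ("SomeByte", static_int(0x00))]
```

check(BROKEN) returns (False, "primitive 'Something' holds int, not a byte string: 16") while check(FIXED) returns (True, b'\x10\x00'); in a Sulley script the equivalent fix is s_static(static_int(0x10), "Something") or s_static("\x10", "Something").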