10.19.07

Sulley Fuzzing Framework

Posted in IT, Security at 3:10 am by Tyler Reguly

I installed the Sulley Fuzzing Framework ( pdf | download ) when it was first released... unfortunately a lack of time kept me from playing with it... in fact... I downloaded it again tonight because I'd forgotten that I'd installed it. Tonight I noticed a post to the fuzzing mailing list and decided to play around for a few minutes to see if I could answer the question. After a few minutes to familiarize myself with the framework (read: browsing the sample "fuzzies"), I jumped into the example given in the mailing list post. After about 10 minutes I came up with

from sulley import *

# Start a new request definition named "HTTP".
s_initialize("HTTP")
# A group primitive cycles through each of the listed verbs.
s_group("verbs", values=['GET','HEAD','POST','TRACE'])
# The block is rendered once per group value, with the verb prepended;
# every fuzzable primitive inside it is then mutated in turn.
s_block_start("header", group="verbs")
s_delim(' ')
s_delim('/')
s_string('index.html')
s_delim(' ')
s_string('HTTP')
s_delim('/')
s_string('1')
s_delim('.')
s_string('1')
# s_static is never mutated: the request terminator stays intact.
s_static('\r\n\r\n')
s_block_end()
# Session state is written to tmp.log so a run can be resumed.
sess = sessions.session(session_filename="tmp.log")
# Target host "shell" on port 80 (the web server under test).
sess.add_target(sessions.target('shell',80))
sess.connect(s_get("HTTP"))
sess.fuzz()

and I even got back some output:


[02:52.53] fuzzed 0 of 18092 total cases
[02:52.53] fuzzing 2 of 18092
[02:52.53] xmitting: [1.1]
[02:52.55] fuzzing 3 of 18092
[02:52.55] xmitting: [1.2]

Wireshark also showed promising data:

POST /index.html HTTP/1.1\r\n
TRACE /index.html HTTP/1.1\r\n
GET /index.html HTTP/1.1\r\n
GET /index.html HTTP/1.1\r\n
GET /index.html HTTP/1.1\r\n
etc....
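To make the "fuzzing N of 18092" lines above concrete, here is an added, self-contained model of how a group plus a block expands into test cases. It is not Sulley's code: the Primitive and Block classes, the tiny mutation lists and the resulting case counts are all constructed here, and the strict request-line regex is an assumption used to show why a capture starts with clean-looking requests (the unmutated baselines and the harmless URI mutations) before the malformed ones appear. Sulley's real mutation libraries are far larger, which is where 18092 comes from.

```python
"""Added illustration of a Sulley-style group x block expansion.
Not Sulley's implementation: everything here is constructed for the post."""

import re

# Constructed, deliberately tiny mutation libraries.
STRING_MUTATIONS = ["A" * 64, "%n%n%n%n", "\x00", "../../etc/passwd", "'"]
DELIM_MUTATIONS = ["", "  ", "\t", "\r\n"]


class Primitive:
    """One element of the request: its value and the mutations tried for it."""

    def __init__(self, value, mutations):
        self.value = value
        self.mutations = list(mutations)  # empty list means "static"


def s_delim(value):
    return Primitive(value, DELIM_MUTATIONS)


def s_string(value):
    return Primitive(value, STRING_MUTATIONS)


def s_static(value):
    return Primitive(value, [])


class Block:
    """Mirrors s_block_start(..., group=...): rendered once per group value."""

    def __init__(self, group_values, primitives):
        self.group_values = list(group_values)
        self.primitives = list(primitives)

    def render(self, group_value, mutate_index=None, mutation=None):
        parts = [group_value]
        for i, p in enumerate(self.primitives):
            parts.append(mutation if i == mutate_index else p.value)
        return "".join(parts)

    def cases(self):
        """Yield (case_number, group_value, request): for each group value the
        unmutated request first, then every mutation of every primitive."""
        n = 0
        for gv in self.group_values:
            n += 1
            yield n, gv, self.render(gv)
            for i, p in enumerate(self.primitives):
                for m in p.mutations:
                    n += 1
                    yield n, gv, self.render(gv, i, m)

    def count(self):
        """Total cases = group values x (1 baseline + all primitive mutations)."""
        per_group = 1 + sum(len(p.mutations) for p in self.primitives)
        return len(self.group_values) * per_group


def http_request_block():
    """The request layout from the post, rebuilt with the helpers above."""
    return Block(
        ["GET", "HEAD", "POST", "TRACE"],
        [s_delim(" "), s_delim("/"), s_string("index.html"), s_delim(" "),
         s_string("HTTP"), s_delim("/"), s_string("1"), s_delim("."),
         s_string("1"), s_static("\r\n\r\n")],
    )


# Assumed strict grammar: METHOD SP /uri SP HTTP/d.d CRLF CRLF
REQUEST_LINE = re.compile(r"^[A-Z]+ /\S* HTTP/\d\.\d\r\n\r\n$")


def is_well_formed(request):
    """True when the case still parses as a normal request line."""
    return REQUEST_LINE.match(request) is not None


def well_formed_cases(block):
    """The cases a packet capture would show as ordinary-looking requests."""
    return [req for _, _, req in block.cases() if is_well_formed(req)]


if __name__ == "__main__":
    blk = http_request_block()
    print("total cases:", blk.count())
    for n, verb, req in list(blk.cases())[:3]:
        print(n, verb, repr(req))
    print("still well-formed:", len(well_formed_cases(blk)))
```

With these constructed libraries the block yields 4 x (1 + 5 delimiters x 4 + 4 strings x 5) = 164 cases, of which only the baselines and the URI mutations (24 in total) still match the strict grammar; the delimiter mutations, the version-number mutations and anything replacing "HTTP" all break it. Swapping in Sulley's real libraries changes only the sizes of the two lists, not the mechanism.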

I can't wait to play around some more and find some interesting things to do with the framework... expect more blog posts on the subject as I start to investigate it.


1 Comment »

  1. bugfree said,

    October 19, 2007 at 11:18 am

    Interesting to know there is a fuzzing mailing list. From the presentation at Blackhat, it should be a little complex to set up a full fuzzing environment. The fuzzing engine is just one component of it. I always wonder whether Sulley can fully replace fuzzing tools like Spike or Peach in the near future. The concept/idea is beautiful, but it needs time to prove its efficiency.
