软件漏洞挖掘Fuzz工具之三-入门篇

标题：软件漏洞挖掘Fuzz工具之三-入门篇
作者：condor
时间：2008-08-03 11:17
链接：http://bbs.pediy.com/showthread.php?t=69910

【文章作者】: condor
【作者邮箱】: cracker@vip.qq.com
【作者主页】: http://hi.baidu.com/linshifei
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!

    一些朋友反馈不是很理解什么是fuzz，这里就补充做一个介绍。另外，响应kanxue的号召，
该主题参加读书月活动。

What is Fuzz Testing?
Fuzz testing or Fuzzing is a software testing technique, often used to discover security weaknesses in applications and protocols. The basic idea is to attach the inputs of a program to a source of random or unexpected data. If the program fails (for example, by crashing, or by failing in-built code assertions), then there are defects to correct. It should be noted that the majority of security vulnerabilities, from buffer overflows to cross-site scripting attacks, are generally the result of insufficient validation of user-supplied input data. Bugs found using fuzz testing are frequently severe, exploitable bugs that could be used by a real attacker. This has become even more true as fuzz testing has become more widely known, as the same techniques and tools are now used by attackers to exploit deployed software. This is a major advantage over binary or source auditing, or even fuzzing’s close cousin, fault injection, which often rely on artificial fault conditions that are difficult or impossible to exploit.


简单的理解就是黑盒测试的一种方法。
我目前接触的简单的分为协议fuzz和文件fuzz。
fuzz 测试可以发现很多问题，当然引起关注的是安全问题，这里
列出一些fuzz 曾经发现的安全漏洞

dfuz：

Updated: September 2005
Software  Found  Time for success  Tools used  Added (dd/mm/yy)
Microsoft RPC  DoS  Around 30 min  dfuz, windbg  17/12/04
File 3.41  Buffer overflow  Around 4 hours  dfuz, bash  17/12/04
Helix Server 9.0.2  DoS  5 mins  dfuz  17/12/04
Winaxe 6.8  Integer overflow  45 mins  dfuz, windbg  17/12/04
Ipswitch Products  Memory management errors  Relative  dfuz, windbg  17/12/04
Realplayer 10 GOLD  Pointer hijacking error  10 mins  dfuz, ida pro, gdb  17/12/04
libpng3 1.2.7  Memory management error  6 hours  dfuz, awk, bash  17/12/04
WS-FTP  Buffer overflow  45 secs  dfuz  17/12/04
Dfuz的使用方法，接下来我会发文章专门介绍。

Taof的战绩：：http://theartoffuzzing.com/joomla/index.php?option=com_content&task=view&id=20&Itemid=37

Savant Web Server fuzzing (HTTP protocol): This video shows a buffer overflow on the Savant Web Server when a long GET request is made.

Vulnerability:

      CVE-2002-1120

      BID 5686

WarFTPd FTP Server fuzzing (FTP protocol): WarFTPd 1.65 FTP server is vulnerable to a buffer overflow in the authentication process. The video demonstrates the use of TAOF to recreate the bug.

NaviCOPA Web Server fuzzing (HTTP protocol): NaviCOPA web server is vulnerable to a buffer overflow when a client sends a GET request against the ‘cgi-bin’ folder followed by a long string.

这个是一款支持windows UI界面工具，使用方便，是菜鸟入门，探亲访友，装腔作势的好工具-_-

这里列出了一些工具，我接下来可能要介绍的

名称  简介  备注
Sulley  Sulley is a fuzzer development and fuzz testing framework consisting of multiple extensible components  Python的fuzzing框架，包括进程监视、网络监视、虚拟机控制
SPIKE  SPIKE is an attempt to write an easy to use generic protocol API that helps reverse engineer new and unknown network protocols. It features several working examples. Includes a web server NTLM Authentication brute forcer and example code that parses web applications and DCE-RPC (MSRPC).   一个C++的接口 fuzz框架，fuzz http server等比较成熟。
Autodafe  Autodafe is a fuzzing framework that can be used to identify boundary validation and other issues in protocols and applications. Written by Martin Vuagnoux.  支持sniffer包自动生成测试数据，基于block，自动计算block的大小，带调试器，能自动监控危险函数和测试用例间的情况，比较好的一个。
dfuz  a remote protocol fuzzer/triggerer which can do many things such as sending random data/random sizes, together with the data you want. it has alot of ways to tell the program to use this data by using rule files which will be later parsed by the program itself, and with several options and ways to make it very specific, and very flexible. It’s not only a remote protocol fuzzer as itself, but it is a scripting-like motor on which you can create any kind of payload. User-friendly.（Unix）  一个简单易用的fuzz工具
taof  Written in Python, a cross-platform GUI driven network protocol fuzzing environment for both UNIX and Windows systems.  Python，基于代理模式，不支持UDP
更多的到这里找吧，我懒得转了
http://hi.baidu.com/linshifei/blog/item/fdd838fb5c2e868c9f5146ad.html

condor 认为 Fuzz 的关键技术在于:如何产生Fuzz数据
我个人总结了下产生Fuzz数据的方法，后续有机会我会通过相关工具介绍过程。
1 清楚包格式情况下,使用Fuzz工具描述包格式
2 根据sniffer包，自动生成测试数据
3 分析程序流程结构，针对各个分支构造Fuzz包。
之前接受的google 的Bunny 属于这一类，不过它是结合编译器，自动的遍历的。
4 统计分析自动识别协议包，并构造Fuzz包

貌似，图片和表格的格式乱了，传个word到附件。

上传的附件

软件漏洞挖掘Fuzz工具之三-入门篇.rar