fuzzmon: a transport layer proxy which monitors the target server using ptrace

Detailed description of the fuzzmon Python project


Would you rather focus on data mutation than on fuzzing instrumentation? fuzzmon lets you do just that. It takes care of detecting and tracking the fuzzing input, so that you can concentrate on building a good data model or fuzzing transformations.

It is an application layer proxy which connects to a backend server and detects faults. Its purpose is to log and proxy the traffic coming from the client, while collecting interesting crash information from the target using ptrace.

It tries to solve a couple of problems with network fuzzers: which input led to which crash? Because fuzzmon sees both the traffic in flight and the state of the application, it knows which input triggered which crash. It is also fast, since it does not require any form of fuzzing client/server synchronization.

Once a crash occurs, it logs the interesting information as a json blob, then exits or restarts the target process. The information in the json blob makes it easy to match the corresponding coredump. It also makes it easy to perform an initial analysis on the logged json.

Fuzzmon also provides fuzzreplay, which is able to replay a given json output against a server.

From pypi:

pip install fuzzmon

From Github:

git clone https://github.com/alexmgr/fuzzmon/

fuzzmon usage

Getting started

Proxy all connections from tcp port 1234 to the target running on port 6666. Also start the process (vuln-server 6666):

» ./fuzzmon -d tcp:0.0.0.0:1234 -u tcp:127.0.0.1:6666 vuln-server 6666

Proxy all connections from udp port 1234 to the target running on the unix socket "/tmp/test". Also start the process (vuln-server /tmp/test). Follow fork() and execve():

» ./fuzzmon -f -e -d udp:0.0.0.0:1234 -u tcp:uds:/tmp/test vuln-server /tmp/test

Proxy all connections to tcp port 5555, restart the process automatically on crash, but wait 45 seconds before doing so. Also set logging to DEBUG, redirect the target's stdout/stderr and accept 10 client connections:

» ./fuzzmon -w 45 -l DEBUG -n -c 10 -u tcp:127.0.0.1:5555 vuln-server 5555

You get the idea.

A bit more detail

fuzzmon only needs 2 mandatory arguments:

  1. The binary and arguments to run (or the pid to attach to, with -p)
  2. The upstream server to connect to (-u). Because fuzzmon uses ptrace to monitor the target, fuzzmon and the target server must run on the same host. The following protocols are supported:
  • IPv4 (TCP or UDP)
  • IPv6 (TCP or UDP)
  • Unix domain sockets (UDS) (TCP or UDP)

Detailed usage

usage: fuzzmon [-h] [-p PID] -u UPSTREAM [-d DOWNSTREAM] [-o OUTPUT]
               [-s SESSION] [-f] [-e] [-n] [-c CONNS] [-q | -w WAIT]
               [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
               ...

A proxy which monitors the backend application state

positional arguments:
  program               The command line to run and attach to

optional arguments:
  -h, --help            show this help message and exit
  -p PID, --pid PID     Attach running process specified by its identifier
  -u UPSTREAM, --upstream UPSTREAM
                        Upstream server to which to connect. Format is
                        proto:host:port or uds:proto:file for Unix Domain
                        Sockets
  -d DOWNSTREAM, --downstream DOWNSTREAM
                        IP and port to bind to, or UDS. Format is
                        proto:host:port or uds:proto:file. By default, listen
                        to TCP connections on port 25746
  -o OUTPUT, --output OUTPUT
                        Output folder where to store the crash metadata
  -s SESSION, --session SESSION
                        A session identifier for the fuzzing session
  -f, --fork            Trace fork and child process
  -e, --trace-exec      Trace execve() event
  -n, --no-stdout       Use /dev/null as stdout/stderr, or close stdout and
                        stderr if /dev/null doesn't exist
  -c CONNS, --conns CONNS
                        Number of downstream connections to accept in
                        parallel. Default is 1
  -q, --quit            Do not restart the program after a fault is detected.
                        Exit cleanly
  -w WAIT, --wait WAIT  How long to wait for before restarting the crashed
                        process
  -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set the debugging level

Crash logging

When a crash is detected, the following elements are extracted (on compatible operating systems):

  • pid: pid
  • stream: the packets that led to the crash (plus the previous packets in the stream), in hex format. Each packet is tagged with its direction ("upstream" or "downstream")
  • stream_count: the number of streams since fuzzing started
  • history: the history of previous streams (up to 10)
  • backtrace: backtrace
  • disassembly: the instruction that led to the crash, plus the 10 following instructions
  • maps: memory mappings
  • stack: state of the stack
  • time: time of the crash
  • signal: signal
  • session_id: fuzzing session identifier

All output is written to a json blob identified by the process pid. Sample output from a test run:

» fuzzmon -q -n -l WARNING -f -e -s a_session_id -d tcp:0.0.0.0:1234 -u tcp:127.0.0.1:6666 vuln-server 6666
....

» nc 127.0.0.1 1234
abcdefgh
1234567890
qwertyuiop
^C
» nc 127.0.0.1 1234
i'm going to crash soon
it's coming
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

WARNING:DebuggingHooks:Received signal 11 from process: 13223. Gathering crash information
WARNING:DebuggingHooks:Propagating signal 11 to child process: 13223
WARNING:PtraceDbg:Detached from process: 13223
WARNING:PtraceDbg:Terminated process: 13223
WARNING:DebuggingHooks:Stopped debugger. Exiting now
WARNING:DebuggingHooks:Upstream server crashed!
WARNING:Downstream:Upstream server appears to be dead: <socket._socketobject object at 0x1bfb600>
WARNING:Downstream:Stopped downstream server

» cat metadata/14612.json
{"stream":[["downstream","547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a"],["upstream","69276d20676f696e6720746f20637261736820736f6f6e0a"],["downstream","6e6f6f73206873617263206f7420676e696f67206d27690a"],["upstream","6974277320636f6d696e670a"],["downstream","676e696d6f6320732774690a"],["upstream","41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424343434343434343434343434343434343434343434343434343434343434343434343434343434344444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444440a"]],
"backtrace":{"0x400ea1L":["???",[]]},
"pid":13223,
"registers":{"gs":"0x0000000000000000","gs_base":"0x0000000000000000","rip":"0x0000000000400ea1","rdx":"0x0000000000000000","fs":"0x0000000000000000","cs":"0x0000000000000033","rax":"0x00007fffd7ab84c0","rsi":"0x0000000000000000","rcx":"0x00000000000000fb","es":"0x0000000000000000","r14":"0x0000000000000000","r15":"0x0000000000000000","r12":"0x0000000000400a80","r13":"0x00007fffd7ab8850","r10":"0x0000000000000000","r11":"0x00007f26a52e09a8","orig_rax":"0xffffffffffffffff","fs_base":"0x00007f26a57eb700","rsp":"0x00007fffd7ab8778","ds":"0x0000000000000000","rbx":"0x0000000000000000","ss":"0x000000000000002b","r8":"0x0000000000000074","r9":"0x0000000000c00000","rbp":"0x4141414141414141","eflags":"0x0000000000010206","rdi":"0x00007fffd7ab86b4"},
"disassembly":{"0x400ea1L":"RET","0x400ea2L":"PUSH RBP","0x400ea3L":"MOV RBP, RSP","0x400ea6L":"SUB RSP, 0x140","0x400eadL":"MOV [RBP-0x134], EDI","0x400eb3L":"MOV [RBP-0xa0], RDX","0x400ebaL":"MOV [RBP-0x98], RCX","0x400ec1L":"MOV [RBP-0x90], R8","0x400ec8L":"MOV [RBP-0x88], R9","0x400ecfL":"TEST AL, AL"},
"stack":{"STACK":"0x00007fffd7a99000-0x00007fffd7aba000 => [stack] (rwxp)","STACK-40":"0x4242424242424242","STACK-32":"0x4242424242424242","STACK-24":"0x4142424242424242","STACK-16":"0x4141414141414141","STACK -8":"0x4141414141414141","STACK +0":"0x4141414141414141","STACK +8":"0x4141414141414141","STACK+16":"0x4141414141414141","STACK+24":"0x4141414141414141","STACK+32":"0x4141414141414141","STACK+40":"0x4141414141414141"},
"stream_count":1,
"signal":"SIGSEGV",
"session_id":"a_session_id",
"maps":[[["0x0000000000400000","0x0000000000402000"],"vuln-server","r-xp"],[["0x0000000000601000","0x0000000000602000"],"vuln-server","rwxp"],[["0x000000000162e000","0x000000000164f000"],"[heap]","rwxp"],[["0x00007f26a525d000","0x00007f26a53df000"],"/lib/x86_64-linux-gnu/libc-2.13.so","r-xp"],[["0x00007f26a53df000","0x00007f26a55df000"],"/lib/x86_64-linux-gnu/libc-2.13.so","---p"],[["0x00007f26a55df000","0x00007f26a55e3000"],"/lib/x86_64-linux-gnu/libc-2.13.so","r-xp"],[["0x00007f26a55e3000","0x00007f26a55e4000"],"/lib/x86_64-linux-gnu/libc-2.13.so","rwxp"],[["0x00007f26a55e4000","0x00007f26a55e9000"],"","rwxp"],[["0x00007f26a55e9000","0x00007f26a5609000"],"/lib/x86_64-linux-gnu/ld-2.13.so","r-xp"],[["0x00007f26a57ea000","0x00007f26a57ed000"],"","rwxp"],[["0x00007f26a5805000","0x00007f26a5808000"],"","rwxp"],[["0x00007f26a5808000","0x00007f26a5809000"],"/lib/x86_64-linux-gnu/ld-2.13.so","r-xp"],[["0x00007f26a5809000","0x00007f26a580a000"],"/lib/x86_64-linux-gnu/ld-2.13.so","rwxp"],[["0x00007f26a580a000","0x00007f26a580b000"],"","rwxp"],[["0x00007fffd7a99000","0x00007fffd7aba000"],"[stack]","rwxp"],[["0x00007fffd7ad4000","0x00007fffd7ad6000"],"[vvar]","r--p"],[["0x00007fffd7ad6000","0x00007fffd7ad8000"],"[vdso]","r-xp"],[["0xffffffffff600000","0xffffffffff601000"],"[vsyscall]","r-xp"]],
"time":1437179338.290207,
"history":[[["downstream","547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a"],["upstream","61626364656667680a"],["downstream","68676665646362610a"],["upstream","313233343536373839300a"],["downstream","303938373635343332310a"],["upstream","71776572747975696f700a"],["downstream","706f69757974726577710a"]]]}

By setting the right sysctls, the pid can be recorded in the coredump's name. You should then have everything needed to triage your crashes automatically!
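As an added example (not part of fuzzmon), a small Python 3 triage helper for the metadata blob above: it decodes the hex streams, looks up the faulting instruction by rip, and flags registers and stack slots whose saved value occurs verbatim in client-sent data, which is what an initial analysis of the logged json needs to answer first. The sample blob is constructed from the fields shown above with the long values abbreviated, and the coredump name assumes kernel.core_pattern is set to core.%p.

```python
import json

# Constructed sample shaped like fuzzmon's metadata/<pid>.json blob above: same field
# names and address formats, with the long hex, maps and history values abbreviated.
SAMPLE_METADATA = json.dumps({
    "pid": 13223, "signal": "SIGSEGV", "session_id": "a_session_id", "stream_count": 1,
    "stream": [
        ["downstream", "547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a"],
        ["upstream", "69276d20676f696e6720746f20637261736820736f6f6e0a"],
        ["upstream", "41" * 80 + "42" * 48 + "0a"],
    ],
    "registers": {"rip": "0x0000000000400ea1", "rsp": "0x00007fffd7ab8778",
                  "rbp": "0x4141414141414141", "rdx": "0x0000000000000000"},
    "disassembly": {"0x400ea1L": "RET", "0x400ea2L": "PUSH RBP"},
    "stack": {"STACK": "0x00007fffd7a99000-0x00007fffd7aba000 => [stack] (rwxp)",
              "STACK -8": "0x4141414141414141", "STACK +0": "0x4141414141414141",
              "STACK +8": "0x00007f26a52e09a8"},
})

def decode_stream(stream):
    """[direction, hex] pairs -> (direction, bytes); "upstream" is what the client sent."""
    return [(direction, bytes.fromhex(hexdata)) for direction, hexdata in stream]

def controlled_values(values, client_data):
    """Names whose non-zero 8-byte value occurs verbatim (little-endian) in client-sent data."""
    hits = []
    for name, val in values.items():
        if "-" in val:  # the "STACK" entry is a mapping range, not a slot value
            continue
        qword = int(val, 16)
        if qword and qword.to_bytes(8, "little") in client_data:
            hits.append(name)
    return sorted(hits)

def triage(metadata_json):
    """Summarise one crash blob: where it died and which saved values the input controlled."""
    meta = json.loads(metadata_json)
    packets = decode_stream(meta["stream"])
    client_packets = [data for direction, data in packets if direction == "upstream"]
    client_data = b"".join(client_packets)
    # fuzzmon writes addresses with Python 2's long suffix ("0x400ea1L"); normalise for lookup
    disasm = {int(addr.rstrip("L"), 16): insn for addr, insn in meta["disassembly"].items()}
    return {
        "pid": meta["pid"],
        "signal": meta["signal"],
        "faulting_insn": disasm.get(int(meta["registers"]["rip"], 16), "???"),
        "controlled_registers": controlled_values(meta["registers"], client_data),
        "controlled_stack_slots": controlled_values(meta["stack"], client_data),
        "trigger_len": len(client_packets[-1]),  # size of the last client packet before the crash
        "core_name": "core.%d" % meta["pid"],  # assumption: kernel.core_pattern=core.%p
    }
```

On the sample this reports rbp and the two saved stack slots as client-controlled at a RET, which is enough to rank the crash for a closer look.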

fuzzreplay usage

fuzzreplay allows replaying crashes recorded by fuzzmon. Provide the target server address and the json dump, and fuzzreplay will reproduce the crash. Either the last stream or all streams in the history (-a) can be replayed. This makes it possible to reproduce crashes that need a specific set of requests to be triggered.

Getting started

Simply provide the target upstream server (-u) and the json to replay. Note that crashes can be replayed directly to the server, or through fuzzmon if you want to take advantage of the application layer translation:

./fuzzreplay tests/integration/replay-test.json -a -u tcp:10.212.223.52:1234
WARNING:root:Sleeping for 3 seconds before sending alive test
WARNING:root:Performing alive test against target
Replay of stream 0 did not crash the server
WARNING:root:Sleeping for 3 seconds before sending alive test
WARNING:root:Performing alive test against target
WARNING:root:Stream replay failed: [Errno 61] Connection refused
Successfully crashed server by replaying stream 1: [[u'downstream', u'547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a'], [u'upstream', u'3131313131313131313131313131313131323332343334330a'], [u'downstream', u'3334333432333231313131313131313131313131313131310a'], [u'upstream', u'333235313435333235323335323532333534323532330a'], [u'downstream', u'333235323435333235323533323532333534313532330a'], [u'upstream', u'414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434444444444444444444444444444444444444444444444444444444444444444444444444444444444444545454545454545454545454545454545454545454545454545454545454545454545454545450a']]

Detailed usage

usage: fuzzreplay [-h] -u UPSTREAM [-a] [-w WAIT]
                  [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
                  filename

Replay streams captured by fuzzmon

positional arguments:
  filename              JSON testcase to replay

optional arguments:
  -h, --help            show this help message and exit
  -u UPSTREAM, --upstream UPSTREAM
                        Upstream server to which to connect. Format is
                        proto:host:port or uds:proto:file for Unix Domain
                        Sockets
  -a, --all             Also replay all packets from history
  -w WAIT, --wait WAIT  Time to wait before performing alive test. Default is
                        3 seconds
  -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set the debugging level
