8

利用AFL黑盒测试网络协议

 3 years ago
source link: https://cool-y.github.io/2021/05/20/aflnw-blackbox/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

利用AFL黑盒测试网络协议

发表于 2021-05-20

| 分类于 IOT

| 阅读次数:

639 字

|

2 分钟

做对比实验用的小工具,在拿不到固件的情况下,可以用AFL的变异策略尝试fuzz

源码:https://github.com/Cool-Y/aflnw_blackbox

AFL是基于变异的模糊测试方法的代表工作,其主要应用于非结构化数据处理程序的漏洞挖掘中。但使用AFL具有比较多的限制:

  1. 本地运行被测程序,从而获取覆盖率等反馈信息
  2. 被测程序从基本输入输出获取数据

因此无法直接使用AFL对远程服务进行黑盒测试

目前针对限制2已经有一些解决方案:

但是如果无法将程序放在本地运行,比如物联网设备在拿不到固件的情况下,如何利用AFL的变异方式进行模糊测试。

在aflnw的基础上,对辅助程序的工作方式进行了修改,从而实现在不对AFL和被测程序进行修改的条件下,使用一个辅助程序接收AFL从标准输入传递进来的数据,然后通过网络转发给UPnP服务,辅助程序会间隔性地与UPnP端口建立TCP连接,从而判断测试用例是否导致程序崩溃。

git clone https://github.com/LyleMi/aflnw.gitcd aflnw
export CC=/path/to/afl/afl-clang-fast
mkdir build && cd build && cmake .. && make
  1. 使用wireshark采集种子输入(Follow→TCP Stream,保存为raw文件)
  2. 确定通信协议(udp/tcp)、服务端监控地址、服务端监控端口、socket本地绑定地址
  3. fuzz,以UPnP协议为例
    afl-fuzz -t 1000+ -i ./soap_input/ -o ./soap_out/ -- ./build/aflnw -a 192.168.2.2 -p 5000 -m tcp
    afl-fuzz -t 2000+ -i ./ssdp_input/ -o ./ssdp_out/ -- ./build/aflnw -a 239.255.255.250 -p 1900 -m udp
  1. 崩溃重放
    ./build/aflnw -a 239.255.255.250 -p 1900 -m udp < soap_out/crashes/id:00000....
    ./build/aflnw -a 192.168.2.2 -p 5000 -m tcp < ssdp_out/crashes/id:000000.....
您的支持将鼓励我继续创作!

report

Recommend

  • 54
    • Github github.com 6 years ago
    • Cache

    GitHub - wmliang/pe-afl

    README.md pe-afl combines static binary instrumentation on PE binary and WinAFL so that it can fuzz on windows user-mode application and kernel-mode driv...

  • 27
    • www.dontblamethedata.com 5 years ago
    • Cache

    Analysing AFL Team Age... Properly!

    Mean, Median…what of it? The mean , from Wikipedia ; For a data set, the arithmetic mean, also called the mathematical expectation or avera...

  • 6
    • Github github.com 4 years ago
    • Cache

    American Fuzzy Lop plus plus (afl++)

    American Fuzzy Lop plus plus (afl++)

  • 8
    • gamozolabs.github.io 4 years ago
    • Cache

    Scaling AFL to a 256 thread machine

    Changelog Date Info 2018-09-16 Initial 2018-09-16 Changed custom JPEG test program a little, saves...

  • 8
    • alexgaynor.net 4 years ago
    • Cache

    Introduction to Fuzzing in Python with AFL

    Introduction to Fuzzing in Python with AFL Mon, Apr 13, 2015Fuzzing is a technique in computer testing and security where you generate a bunch of random inputs, and see...

  • 10
    • www.mikeash.com 4 years ago
    • Cache

    Friday Q&A 2015-05-01: Fuzzing with afl-fuzz

    Friday Q&A 2015-05-01mikeash.com: just this guy, you know? Friday Q&A 2015-05-01: Fuzzing with afl-fuzz by Mike Ash   With computer securi...

  • 11
    • www.anquanke.com 3 years ago
    • Cache

    AFL源码分析(III)——afl-fuzz分析(Part 1)

    robots 0x00 写在前面 在前两篇文章中,我分析了afl-gcc的相关处理逻辑。简单来说,afl-gcc会将必要的函数以及桩代码插入到我们的源汇编文件中,这样,经过编译的程序将会带有一...

  • 13
    • www.ryanliptak.com 3 years ago
    • Cache

    Fuzzing Zig Code Using AFL++

    Fuzzing Zig Code Using AFL++ 2021-09-19 - Programming - Zig -

  • 10
    • paper.seebug.org 3 years ago
    • Cache

    AFL 二三事——源码分析

    AFL 二三事——源码分析 2021年10月08日2021年10月08日经验心得 作者:深信服千里目安全实验室 原文链接:

  • 7
    • cool-y.github.io 3 years ago
    • Cache

    模糊测试与AFL

    0x01 模糊测试首先,模糊测试(Fuzzing)是一种测试手段,它把系统看成一个摸不清内部结构的黑盒,只是向其输入接口随机地发送合法测试用例,这些用例并不是开发者所预期的输入,所以极有可能会造成系统的崩溃,通过分析崩溃信息,测试人员(黑客)就...

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK