[fuzzing] Sulley won't fuzz
Daniel Hood
dsmhood at gmail.com
Mon Mar 29 01:19:35 UTC 2010
List,
I'm trying to get Sulley up and running, so I wrote a full FTP protocol
descriptor (not sure what exactly they are called), and then set up
Sulley against WarFTPD 1.65 (known USER bof issue), which was set up
on a Windows XP SP3 machine with DEP turned off.
Attached are my scripts.
But it finds nothing. Goes through all test cases (ran three times)
and it finds nothing. So I cut it down to just the USER command
statement and ran 5 more times and still nothing. What am I doing
wrong?!? If I stop the fuzzer and run a python script that sends the USER
command then 1000 A's to the WarFTPD 1.65, it crashes and triggers the
vulnerability, so I know it's not my setup; it must be something to do
with the way I have Sulley set up or the scripts programmed.
Any ideas guys?
Dan
-------------- next part --------------
from sulley import *
from requests import ftp   # the request definitions from the second attachment

def receive_ftp_banner(sock):
    # pre_send hook: consume the 220 banner before each test case goes out
    sock.recv(1024)

sess = sessions.session(session_filename="audits/warftpd.session")
target = sessions.target("10.232.56.92", 21)
target.netmon = pedrpc.client("10.232.56.91", 26001)   # network monitor agent
target.procmon = pedrpc.client("10.232.56.92", 26002)  # process monitor agent
target.procmon_options = { "proc_name" : "war-ftpd.exe" }
sess.pre_send = receive_ftp_banner
sess.add_target(target)
sess.connect(s_get("user"))
sess.fuzz()
-------------- next part --------------
from sulley import *

# One s_initialize() block per FTP request. s_static() fields are never
# mutated; s_string() and s_delim() fields are.

s_initialize("user")
s_static("USER")
s_delim(" ")
s_string("test")
s_static("\r\n")

s_initialize("pass")
s_static("PASS")
s_delim(" ")
s_string("test")
s_static("\r\n")

s_initialize("cwd")
s_static("CWD")
s_delim(" ")
s_string("c:")
s_static("\r\n")

s_initialize("dele")
s_static("DELE")
s_delim(" ")
s_string("c:\\test.txt")
s_static("\r\n")

s_initialize("mdtm")
s_static("MDTM")
s_delim(" ")
s_string("c:\\boot.ini")
s_static("\r\n")

s_initialize("mkd")
s_static("MKD")
s_delim(" ")
s_string("c:\\TESTDIR")
s_static("\r\n")

s_initialize("rmdir")
s_static("RMDIR")
s_delim(" ")
s_string("c:\\TESTDIR")
s_static("\r\n")

s_initialize("send")
s_static("SEND")
s_delim(" ")
s_string("c:\\test.txt")
s_static("\r\n")

# two-argument form of SEND
s_initialize("sendr")
s_static("SEND")
s_delim(" ")
s_string("c:\\test.txt")
s_delim(" ")
s_string("c:\\test.txt")
s_static("\r\n")

s_initialize("recv")
s_static("RECV")
s_delim(" ")
s_string("c:\\test.txt")
s_static("\r\n")

# two-argument form of RECV
s_initialize("recvr")
s_static("RECV")
s_delim(" ")
s_string("c:\\test.txt")
s_delim(" ")
s_string("c:\\test.txt")
s_static("\r\n")
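An added debugging aid, not from the original post and not part of Sulley: a local stand-in for the target that answers with a banner and records exactly what arrives after it, so "went through all test cases, found nothing" can be compared against what was really delivered for the USER request. The sample cases, the banner text and the loopback port are constructed values.

```python
import socket
import threading

# Constructed sample: what a "USER <string>" request mutates into.
def sample_cases():
    return [b"USER test\r\n", b"USER " + b"A" * 1000 + b"\r\n",
            b"USER " + b"%n" * 50 + b"\r\n"]

def serve(srv, expected, records):
    """Act as the target: send a banner, read one command line, repeat."""
    for _ in range(expected):
        conn, _ = srv.accept()
        conn.sendall(b"220 sink ready\r\n")  # what receive_ftp_banner() consumes
        data = b""
        while b"\r\n" not in data and (chunk := conn.recv(4096)):
            data += chunk
        records.append(data)
        conn.close()
    srv.close()

def send_cases(port, cases):
    """Deliver each case as the session script does: banner first, then command."""
    for case in cases:
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.recv(1024)
            s.sendall(case)

def summarize(records, verb=b"USER"):
    """Return (cases seen for verb, longest argument length) from the records."""
    lengths = []
    for rec in records:
        line = rec.split(b"\r\n", 1)[0]
        if line.startswith(verb + b" "):
            lengths.append(len(line[len(verb) + 1:]))
    return len(lengths), max(lengths, default=0)

def check(cases):
    """Run the sink on a free local port, push the cases through, summarise."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]
    records = []
    t = threading.Thread(target=serve, args=(srv, len(cases), records))
    t.start()
    send_cases(port, cases)
    t.join()
    return summarize(records)
```

Point the session script's target at the sink's port instead of the real host and the recorded lines show whether the long-string cases ever left the fuzzer; if the longest argument stays short, the problem is in the session or request setup, not the target.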