One Article Review

Home - The article:
Source Errata Security
Identifier 7841
Publication date 2016-06-06 08:39:09 (viewed: 2016-06-06 08:39:09)
Title Instrumenting masscan for AFL network fuzzing
Text This blog post is about work in progress. You probably don't want to read it.

So I saw this tweet today:

Fuzzing masscan by @ErrataRob with AFL by @lcamtuf. Forgot to remove the crash-handler so crashes logged as hangs. pic.twitter.com/Yh5ElNyvOm
- Dr David D. Davidson (@dailydavedavids) June 5, 2016

As it turns out, he's just fuzzing input files. This is good, and he's apparently already found some bugs, but it's not a huge threat. Instead, what really needs to be fuzzed is network input. This is a chronic problem with AFL, which is designed for feeding files, not network traffic, into programs.

But making this work is actually pretty trivial. I just need to make a tiny change to masscan so that instead of opening a libpcap adapter, it opens a libpcap formatted file.

The change was trivial; successfully running it is tough. You have to configure the command-line so that all IP addresses match up with the libpcap file content, which is a pain. I created a sample libpcap file and checked it into the project, along with a help document explaining it. Just git clone the project, run make, then run this command line to see it run for yourself:

bin/masscan --nobacktrace --adapter file:data/afl-http.pcap --source-ip 10.20.30.200 --source-port 6000 --source-mac 00-11-22-33-44-55 --router-mac c0-c1-c0-a0-9b-9d --seed 0 --banners -p80 74.125.196.147 --nostatus

If you run this on the command-line, it appears to return immediately. I say "appears" because there's actually a 10 millisecond wait. That limits fuzzing speed to 100 attempts per second, rather than thousands per second. That's a tougher change, so I'll have to get around to fixing it, but in the meanwhile you can just run a bunch of AFLs in parallel to get around this.

But when I try to run AFL, it's not working at the moment. Instead I get this error: as you can see, the command that returns in 10ms is now hanging when run under AFL, which says that it doesn't return in 1000ms. Using the '-t' option to increase the timeout doesn't help.
Running masscan in some other way, such as parsing configuration files, works just fine.

Update: So I changed it to "join" threads cleanly, so that the entire thing can run without ever having to stop and wait. However, this creates a second problem: now AFL refuses to run because it's crashing instead of hanging. AFL suggests that it might be an out-of-memory i
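The command line above has to agree with the addresses inside the capture, which the post calls a pain. The following Python script is an added example (not masscan's own code and not the project's help document): it parses a classic pcap file without libpcap, lists the Ethernet/IPv4/TCP endpoints it contains, and prints the matching --source-ip, --source-port, --source-mac, --router-mac, -p and target options. It assumes that the file holds the reply packets masscan would otherwise read from the adapter, so the local host is the destination of each frame and the router MAC is the frame's source MAC. The embedded sample capture is constructed for the demonstration; it is not the project's data/afl-http.pcap.

```python
import struct
import sys
from ipaddress import IPv4Address


def ipv4_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    def mac(m):
        return bytes.fromhex(m.replace("-", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"          # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: one SYN-ACK that 74.125.196.147:80 would send back to
# 10.20.30.200:6000 via the router, i.e. the inbound traffic masscan reads.
# Built here so the script runs offline; it is NOT data/afl-http.pcap.
SAMPLE_PCAP = build_pcap([
    ipv4_tcp_frame("c0-c1-c0-a0-9b-9d", "00-11-22-33-44-55",
                   "74.125.196.147", "10.20.30.200", 80, 6000, 0x12),
])


def iter_packets(data):
    """Yield raw frames from pcap bytes, honoring the byte order in the magic."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def endpoints(data):
    """Return {(src_mac, dst_mac, src_ip, dst_ip, sport, dport)} for IPv4/TCP frames."""
    found = set()
    for frame in iter_packets(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        dst_mac = "-".join(f"{b:02x}" for b in frame[0:6])
        src_mac = "-".join(f"{b:02x}" for b in frame[6:12])
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 4 or ip[9] != 6:
            continue                                    # not TCP
        src_ip = str(IPv4Address(ip[12:16]))
        dst_ip = str(IPv4Address(ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        found.add((src_mac, dst_mac, src_ip, dst_ip, sport, dport))
    return found


def masscan_args(data):
    """Derive masscan options from a capture of inbound replies (assumption:
    the local host is the destination side of every frame)."""
    flows = endpoints(data)
    if len(flows) != 1:
        raise ValueError(f"expected exactly one flow, found {len(flows)}")
    src_mac, dst_mac, src_ip, dst_ip, sport, dport = next(iter(flows))
    return ["--source-ip", dst_ip, "--source-port", str(dport),
            "--source-mac", dst_mac, "--router-mac", src_mac,
            f"-p{sport}", src_ip]


if __name__ == "__main__":
    # Pass a capture path to inspect a real file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("bin/masscan --adapter file:<capture.pcap> " + " ".join(masscan_args(data)))
```

For the constructed sample the derived options are exactly the ones in the post's command line; run it against a capture of your own to check that the addresses you pass on the command line match what the file actually contains before blaming the fuzzer.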
Sent Yes


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.