Fuzzotron

Fuzzotron is a simple network fuzzer supporting TCP, UDP, and multithreading. Radamsa and Blab are used for test case generation. Fuzzotron exists as a first-port-of-call network fuzzer, aiming for low setup overhead.

Installation

Requirement

• Radamsa

Install

apt install libssl-dev libpcre3-dev

git clone https://github.com/denandz/fuzzotron.git

make

Use

./fuzzotron --radamsa --directory testcases -h 127.0.0.1 -p 8080 -P tcp -c 15634 -o crashes

The above will use radamsa to generate test cases based on the files in the ‘testcases’ directory and fire these test cases at 8080/tcp on localhost. In the event that PID 15634 goes away, fuzzing will stop and the last 100 test cases kept in the output directory. This would be used for something like nginx, running with a single worker and the workers PID being specified. Without a PID specified, Fuzzotron will keep running until a connection failure occurs, indicating the port is down. Fuzzotron currently does not automatically respawn the target after a crash is detected. The ‘-o’ flag specifies the directory to spool the current test cases out to in the event of a crash.

When a crash occurs, the test case queues for each thread will be stored in <output dir>/<thread pid>-<testcaseno>. An easy way to replay this is:

for i in $(ls output/*); do echo "firing $i"; ncat <target> <port> < $i; done

Given the nature of daemon fuzzing, running a rolling tcpdump is good insurance. Worse comes to worst, you can carve the test cases out of the PCAP and replay them manually. For example, a tcpdump command that will capture packets into a 10MB file, and capture a maximum of 10 files, would be executed as such (adding your own filter so you only catch fuzzing relevant packets is a good idea):

tcpdump -i ens33 -C 10M -W 10 -w out.pcap

UDP fuzzing

UDP fuzzing requires some method of determining if the target is down, as the connection should never fail (yay UDP). If you’re fuzzing a daemon running on localhost (recommended), then use the ‘-c’ option and specify a PID. If the daemon is remote, fuzzotron supports the use of an auxiliary check script (–check or -z). The script needs to output ‘1’ as its first character on success and anything else on failure.

An example to fuzz something like, I dunno, a DHCP server running on a router, would be:

./fuzzotron --radamsa --directory ~/testcase-archive/network-services/dhcp-client -h 192.168.1.1 -p 67 -P UDP -z ./is-dhcp-up.py

More…

Copyright (c) 2017, DoI

Source: https://github.com/denandz/