Hot Fuzz Datamodel problem


spiders...@gmail.com

May 31, 2013, 9:08:54 AM5/31/13
to hotfuzz...@googlegroups.com
Hello, I have a small problem with the data model. I can record without problems, but when I record, HotFuzz only recognizes Blobs.
Here is the generated data model example:
<DataModel name="HotFuzzDataModel_1">
<Blob name="data" defaultValue="use 1&#13;&#10;" value="75736520310d0a" isToken="False" mutable="True" valueType="hex"/>
</DataModel>
<DataModel name="HotFuzzDataModel_2">
<Blob name="data" defaultValue="error id=0 msg=ok&#10;&#13;" value="6572726f722069643d30206d73673d6f6b0a0d" isToken="False" mutable="False" valueType="hex"/>
</DataModel>
<DataModel name="HotFuzzDataModel_3">
<Blob name="data" defaultValue="login serveradmin u6OUcUrM&#13;&#10;" value="6c6f67696e2073657276657261646d696e2075364f556355724d0d0a" isToken="False" mutable="False" valueType="hex"/>
</DataModel>
<DataModel name="HotFuzzDataModel_4">
<Blob name="data" defaultValue="error id=0 msg=ok&#10;&#13;" value="6572726f722069643d30206d73673d6f6b0a0d" isToken="False" mutable="False" valueType="hex"/>
</DataModel>
<DataModel name="HotFuzzDataModel_5">
<Blob name="data" defaultValue="sendtextmessage? targetmode=1 target=1 msg=sometext&#13;&#10;" value="73656e64746578746d65737361676500207461726765746d6f64653d31207461726765743d31206d73673d505554410d0a" isToken="False" mutable="False" valueType="hex"/>
</DataModel>
I use telnet to communicate with the program (the protocol), but not the real telnet: I use a Python script for the communication and to send the data.
Part of the Python script:
import socket

# Placeholders: the post does not say where the server listens
HOST, PORT = "127.0.0.1", 1234

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
# Every command is one line terminated by \r\n; read the server's reply after each
sock.sendall(b"use 1\r\n")
print(sock.recv(1024))
sock.sendall(b"login serveradmin u6OxxcUrN\r\n")
print(sock.recv(1024))
sock.sendall(b"sendtextmessage targetmode=1 target=1 msg=sometext\r\n")
print(sock.recv(1024))
sock.close()
 
 
But HotFuzz only records the data as Blobs. I tested FTP and other tests and it takes smaller parts, which I need for fuzzing.

For example, I need to fuzz login, serveradmin and the password, but it marks the whole line as a Blob.
I think HotFuzz doesn't recognize the strings from the Python script because the data is not formatted like a real protocol. Is this possible???
Or do I need to modify the HotFuzz scripts to recognize this protocol and know when a string finishes?? For example, this protocol uses \r\n to end a line; FTP uses a null command to finish, \x00 or similar.
I thought of using the telnet command to send the data, but I can't send commands from a file like with FTP.

Any suggestions?? Greetings.

Mgr. Martin Žember

May 31, 2013, 11:42:11 AM5/31/13
to spiders...@gmail.com, hotfuzz...@googlegroups.com
Hi,

you are exactly right. HotFuzz uses Wireshark to determine what is a
String, what is a Number, and, the rest is a Blob.

It has the advantage that there are about 1000 protocols that can be
parsed with Wireshark like this. And you can use a real program, you
do not have to write a script that tries to communicate in the right
way. If you are able to write such a script, you are probably able to
write a fuzzer. (And the amount of work is the same as writing a Data
model for Peach or SPIKE.)

If you fuzz a protocol that is not recognized by Wireshark, you can
try that way. If it is FTP, I am sure that there is a way how to run
FTP non-interactively.

Maybe with a here-document (ftp << EOF) or with expect like this:

#!/usr/bin/expect -f
# Drive an ftp session non-interactively; the login name is elided here
stty cooked
spawn ftp 10.1.1.1
set login "............"
set timeout 60
# Wait for each prompt before sending; \r ends a command as if typed
expect "Login: " {
    send -- "$login\r"
}
expect "> " {
    send -- "pass\r"
    send -- "put file.txt\r"
    send -- "quit\r"
}
# Wait for the client to exit instead of dropping the session mid-transfer
expect eof

Martin

spiders...@gmail.com

May 31, 2013, 1:50:58 PM5/31/13
to hotfuzz...@googlegroups.com, spiders...@gmail.com

Thanks for the info. The problem is the protocol: it is new and not standard, and Wireshark doesn't know it, but it is easier to make a specific fuzzer for this or to edit the fuzz XML.

I think I can edit the XML and define the strings to fuzz more exactly, because it records fine.

I will comment when finished. Greetings.

Jose

Mgr. Martin Žember

Jun 1, 2013, 2:05:13 PM6/1/13
to hotfuzz...@googlegroups.com

Hi!
From my point of view, running Peach would be the best. Now that you have the XML, you can use most of it to create an ordinary pit file.

Because in the running phase when using HotFuzz, you need to run a client that generates communication that is parsed by wireshark into a similar structure as is in the XML file. If it is too different, say Strings and Blobs, it will not match the similarity and will not know whether to fuzz or not, say.

Martin

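As an added example (not code from this thread, from HotFuzz or from Peach), here is a small Python script that does what Jose proposes and Martin recommends: it decodes the recorded Blob hex from the generated XML, uses the protocol's \r\n terminator to find where each line ends, splits the line into command, separators and arguments, and emits a DataModel with one String per field in which only the argument values (user name, password, key=value values) stay mutable while keywords, separators and the terminator are non-mutable tokens. The sample hex strings are copied from the data models quoted above. The String element and its attribute names (defaultValue, value as hex, isToken, mutable, valueType) copy the convention of the generated XML; it is an assumption that the consumer, HotFuzz or a Peach pit, accepts String elements with exactly that attribute set.

```python
import binascii
import xml.etree.ElementTree as ET

# Constructed sample input: the hex "value" attributes of two Blobs from the
# HotFuzz-generated data models quoted in this thread ("use 1" and "login" lines).
RECORDED_HEX = [
    "75736520310d0a",
    "6c6f67696e2073657276657261646d696e2075364f556355724d0d0a",
]

LINE_END = b"\r\n"   # this protocol terminates every command line with CRLF


def split_line(raw, terminator=LINE_END):
    """Split one recorded command line into (command, [args]).

    Refuses a line without the terminator: a truncated capture must not be
    turned silently into a field the fuzzer then treats as a complete command.
    """
    if not raw.endswith(terminator):
        raise ValueError("line does not end with %r" % terminator)
    parts = raw[:-len(terminator)].split(b" ")
    return parts[0].decode("ascii"), [p.decode("ascii") for p in parts[1:]]


def fields_from_line(raw, terminator=LINE_END):
    """Turn one Blob into a list of (name, text, isToken, mutable) fields.

    Keywords, separators and the terminator become non-mutable tokens so the
    server keeps parsing the line; only the argument values are left mutable.
    """
    command, args = split_line(raw, terminator)
    fields = [("command", command, True, False)]
    for i, arg in enumerate(args):
        fields.append(("sep%d" % i, " ", True, False))
        if "=" in arg:                      # key=value argument, as in sendtextmessage
            key, value = arg.split("=", 1)
            fields.append(("key%d" % i, key, True, False))
            fields.append(("eq%d" % i, "=", True, False))
            fields.append(("value%d" % i, value, False, True))
        else:                               # positional argument: user name, password
            fields.append(("arg%d" % i, arg, False, True))
    fields.append(("eol", terminator.decode("ascii"), True, False))
    return fields


def reassemble(fields):
    """Join the field texts back into bytes, to check that splitting lost nothing."""
    return "".join(text for _, text, _, _ in fields).encode("ascii")


def render_datamodel(name, fields):
    """Serialise the fields as one DataModel with one String element per field.

    Attribute names follow the generated XML in the thread; that the consumer
    accepts String elements with exactly these attributes is an assumption.
    """
    model = ET.Element("DataModel", name=name)
    for fname, text, is_token, mutable in fields:
        ET.SubElement(model, "String",
                      name=fname,
                      defaultValue=text,
                      value=binascii.hexlify(text.encode("ascii")).decode("ascii"),
                      isToken=str(is_token),
                      mutable=str(mutable),
                      valueType="hex")
    return ET.tostring(model, encoding="unicode")


def refine(hex_values):
    """Refine every recorded Blob into a field-level DataModel; returns XML strings."""
    models = []
    for n, hexvalue in enumerate(hex_values, 1):
        raw = binascii.unhexlify(hexvalue)
        fields = fields_from_line(raw)
        if reassemble(fields) != raw:          # splitting must be lossless
            raise RuntimeError("field split does not round-trip for model %d" % n)
        models.append(render_datamodel("HotFuzzDataModel_%d" % n, fields))
    return models


if __name__ == "__main__":
    for xml in refine(RECORDED_HEX):
        print(xml)
```

Decode the fields from the value attribute rather than from defaultValue: in HotFuzzDataModel_5 above the hex in value does not match the defaultValue text, and the hex is what was actually on the wire. The round-trip check in refine catches a split that drops or alters a byte before the model is used, and a line without the terminator raises instead of being modelled as a complete command.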

spiders...@gmail.com

Jun 5, 2013, 8:01:34 PM6/5/13
to hotfuzz...@googlegroups.com

Hi!!

Yes Martin, thanks for the advice, I will try using that for this too; it's an excellent idea.

Sorry for the slow response, I was traveling.

I'll comment when I have used it for this. Greetings, and thanks again.