{ "info": { "author": "Alex Moneger", "author_email": "alexmgr+github@gmail.com", "bugtrack_url": null, "classifiers": [], "description": "fuzzmon\n=======\n\nEver wished you could just focus on data mutation and not fuzzing\ninstrumentation? Fuzzmon lets you do just that. It takes care of the\ninstrumentation and tracking of fuzzed inputs and lets you focus on\nbuilding a good data model or fuzzing transform.\n\nIt's an application layer proxy which attaches to the backend server to\ndetect faults. Its purpose is to record and proxy fuzzing traffic from\nclients, whilst gathering interesting crash information from the target\nusing ptrace.\n\nIt tries to solve the problem of some network fuzzers: **which input\ncaused which crash?** Since fuzzmon sees both the traffic in flight and\nthe state of the application, it knows which input triggered which\ncrash. It is also fast, since it does not require any form of fuzzing\nclient/server synchronization.\n\nOnce a crash happens, it records interesting information as JSON blobs,\nand either exits or restarts the target process. The information within\nthe JSON blob makes it easy to match the corresponding coredump. It also\nmakes it easy to perform initial analysis on the recorded JSON.\n\n``Fuzzmon`` also provides ``fuzzreplay``, which is able to replay a\ngiven JSON output against the server.\n\nInstallation\n------------\n\nFrom pypi\n^^^^^^^^^\n\n::\n\n pip install fuzzmon\n\nFrom github\n^^^^^^^^^^^\n\n::\n\n git clone https://github.com/alexmgr/fuzzmon/\n\nFuzzmon usage\n-------------\n\nGet me started\n^^^^^^^^^^^^^^\n\nProxy all connections from tcp port ``1234`` to my target running on\nport ``6666``. Also start the process (``vuln-server 6666``):\n\n.. 
code:: python\n\n \u00bb ./fuzzmon -d tcp:0.0.0.0:1234 -u tcp:127.0.0.1:6666 vuln-server 6666\n\nProxy all connections from udp port ``1234`` to my target running on\nUnix socket ``/tmp/test``. Also start the process\n(``vuln-server /tmp/test``) and follow fork() and execve():\n\n.. code:: python\n\n \u00bb ./fuzzmon -f -e -d udp:0.0.0.0:1234 -u tcp:uds:/tmp/test vuln-server /tmp/test\n\nProxy all connections to tcp port ``5555``, restart the process\nautomatically on crash, but wait for ``45`` seconds before doing so.\nAlso set logging to ``DEBUG``, redirect target stdout/stderr to\n/dev/null and accept ``10`` client connections:\n\n.. code:: python\n\n \u00bb ./fuzzmon -w 45 -l DEBUG -n -c 10 -u tcp:127.0.0.1:5555 vuln-server 5555\n\nYou get the idea.\n\nA bit more detail\n^^^^^^^^^^^^^^^^^\n\nFuzzmon requires only 2 mandatory arguments:\n\n1. The *binary and arguments* to run (or the *pid* (**-p**) to attach\n to)\n\n2. The *upstream server* (**-u**) to connect to. Since fuzzmon uses\n ptrace to monitor the target, both fuzzmon and the target server must\n run on the same host. The following protocols are supported:\n\n- IPv4 (TCP or UDP)\n- IPv6 (TCP or UDP)\n- Unix Domain Sockets (UDS) (TCP or UDP)\n\nDetailed usage\n^^^^^^^^^^^^^^\n\n::\n\n usage: fuzzmon [-h] [-p PID] -u UPSTREAM [-d DOWNSTREAM] [-o OUTPUT]\n [-s SESSION] [-f] [-e] [-n] [-c CONNS] [-q | -w WAIT]\n [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]\n ...\n\n A proxy which monitors the backend application state\n\n positional arguments:\n program The command line to run and attach to\n\n optional arguments:\n -h, --help show this help message and exit\n -p PID, --pid PID Attach running process specified by its identifier\n -u UPSTREAM, --upstream UPSTREAM\n Upstream server to which to connect. Format is\n proto:host:port or uds:proto:file for Unix Domain\n Sockets\n -d DOWNSTREAM, --downstream DOWNSTREAM\n IP and port to bind to, or UDS. Format is\n proto:host:port or uds:proto:file. 
By default, listen\n to TCP connections on port 25746\n -o OUTPUT, --output OUTPUT\n Output folder where to store the crash metadata\n -s SESSION, --session SESSION\n A session identifier for the fuzzing session\n -f, --fork Trace fork and child process\n -e, --trace-exec Trace execve() event\n -n, --no-stdout Use /dev/null as stdout/stderr, or close stdout and\n stderr if /dev/null doesn't exist\n -c CONNS, --conns CONNS\n Number of downstream connections to accept in\n parallel. Default is 1\n -q, --quit Do not restart the program after a fault is detected.\n Exit cleanly\n -w WAIT, --wait WAIT How long to wait for before restarting the crashed\n process\n -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}\n Set the debugging level\n\nRecording crashes\n-----------------\n\nWhen a crash is detected, the following elements are extracted on\ncompatible OS:\n\n- ``pid``: pid of the crashed process\n- ``stream``: packets causing the crash (as well as previous packets\n  within the stream) in hex format. Each packet is tagged with the\n  direction it has been seen in (\"upstream\" or \"downstream\")\n- ``stream_count``: stream count since beginning of fuzzing in hex format\n- ``history``: history of previous streams (up to 10)\n- ``backtrace``: backtrace\n- ``registers``: register state at the time of the crash\n- ``disassembly``: instruction causing the crash, as well as the 10\n  following instructions\n- ``maps``: memory mappings\n- ``stack``: state of the stack\n- ``time``: time of the crash\n- ``signal``: signal\n- ``session_id``: fuzzing session identifier\n\nAll output is written to a JSON blob which is identified by the process\n**pid**. Example output from a test run:\n\n.. 
code:: python\n\n \u00bb fuzzmon -q -n -l WARNING -f -e -s a_session_id -d tcp:0.0.0.0:1234 -u tcp:127.0.0.1:6666 vuln-server 6666\n ....\n \u00bb nc 127.0.0.1 1234 \n abcdefgh\n 1234567890\n qwertyuiop\n ^C\n \u00bb nc 127.0.0.1 1234\n i'm going to crash soon\n it's coming\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u00bb\n WARNING:DebuggingHooks:Received signal 11 from process: 13223. Gathering crash information\n WARNING:DebuggingHooks:Propagating signal 11 to child process: 13223\n WARNING:PtraceDbg:Detached from process: 13223\n WARNING:PtraceDbg:Terminated process: 13223\n WARNING:DebuggingHooks:Stopped debugger. Exiting now\n WARNING:DebuggingHooks:Upstream server crashed!\n WARNING:Downstream:Upstream server appears to be dead: \n WARNING:Downstream:Stopped downstream server\n\n \u00bb cat metadata/14612.json \n {\n \"stream\": [\n [\n \"downstream\", \n \"547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a\"\n ], \n [\n \"upstream\", \n \"69276d20676f696e6720746f20637261736820736f6f6e0a\"\n ], \n [\n \"downstream\", \n \"6e6f6f73206873617263206f7420676e696f67206d27690a\"\n ], \n [\n \"upstream\", \n \"6974277320636f6d696e670a\"\n ], \n [\n \"downstream\", \n \"676e696d6f6320732774690a\"\n ], \n [\n \"upstream\", \n \"41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424343434343434343434343434343434343434343434343434343434343434343434343434343434344444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444440a\"\n ]\n ], \n \"backtrace\": {\n \"0x400ea1L\": [\n \"???\", \n []\n ]\n }, \n \"pid\": 13223, \n \"registers\": {\n \"gs\": 
\"0x0000000000000000\", \n \"gs_base\": \"0x0000000000000000\", \n \"rip\": \"0x0000000000400ea1\", \n \"rdx\": \"0x0000000000000000\", \n \"fs\": \"0x0000000000000000\", \n \"cs\": \"0x0000000000000033\", \n \"rax\": \"0x00007fffd7ab84c0\", \n \"rsi\": \"0x0000000000000000\", \n \"rcx\": \"0x00000000000000fb\", \n \"es\": \"0x0000000000000000\", \n \"r14\": \"0x0000000000000000\", \n \"r15\": \"0x0000000000000000\", \n \"r12\": \"0x0000000000400a80\", \n \"r13\": \"0x00007fffd7ab8850\", \n \"r10\": \"0x0000000000000000\", \n \"r11\": \"0x00007f26a52e09a8\", \n \"orig_rax\": \"0xffffffffffffffff\", \n \"fs_base\": \"0x00007f26a57eb700\", \n \"rsp\": \"0x00007fffd7ab8778\", \n \"ds\": \"0x0000000000000000\", \n \"rbx\": \"0x0000000000000000\", \n \"ss\": \"0x000000000000002b\", \n \"r8\": \"0x0000000000000074\", \n \"r9\": \"0x0000000000c00000\", \n \"rbp\": \"0x4141414141414141\", \n \"eflags\": \"0x0000000000010206\", \n \"rdi\": \"0x00007fffd7ab86b4\"\n }, \n \"disassembly\": {\n \"0x400ea1L\": \"RET\", \n \"0x400ea2L\": \"PUSH RBP\", \n \"0x400ea3L\": \"MOV RBP, RSP\", \n \"0x400ea6L\": \"SUB RSP, 0x140\", \n \"0x400eadL\": \"MOV [RBP-0x134], EDI\", \n \"0x400eb3L\": \"MOV [RBP-0xa0], RDX\", \n \"0x400ebaL\": \"MOV [RBP-0x98], RCX\", \n \"0x400ec1L\": \"MOV [RBP-0x90], R8\", \n \"0x400ec8L\": \"MOV [RBP-0x88], R9\", \n \"0x400ecfL\": \"TEST AL, AL\"\n }, \n \"stack\": {\n \"STACK\": \"0x00007fffd7a99000-0x00007fffd7aba000 => [stack] (rwxp)\", \n \"STACK-40\": \"0x4242424242424242\", \n \"STACK-32\": \"0x4242424242424242\", \n \"STACK-24\": \"0x4142424242424242\", \n \"STACK-16\": \"0x4141414141414141\", \n \"STACK -8\": \"0x4141414141414141\", \n \"STACK +0\": \"0x4141414141414141\", \n \"STACK +8\": \"0x4141414141414141\", \n \"STACK+16\": \"0x4141414141414141\", \n \"STACK+24\": \"0x4141414141414141\", \n \"STACK+32\": \"0x4141414141414141\", \n \"STACK+40\": \"0x4141414141414141\"\n }, \n \"stream_count\": 1, \n \"signal\": \"SIGSEGV\", \n \"session_id\": 
\"a_session_id\", \n \"maps\": [\n [\n [\n \"0x0000000000400000\", \n \"0x0000000000402000\"\n ], \n \"vuln-server\", \n \"r-xp\"\n ], \n [\n [\n \"0x0000000000601000\", \n \"0x0000000000602000\"\n ], \n \"vuln-server\", \n \"rwxp\"\n ], \n [\n [\n \"0x000000000162e000\", \n \"0x000000000164f000\"\n ], \n \"[heap]\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007f26a525d000\", \n \"0x00007f26a53df000\"\n ], \n \"/lib/x86_64-linux-gnu/libc-2.13.so\", \n \"r-xp\"\n ], \n [\n [\n \"0x00007f26a53df000\", \n \"0x00007f26a55df000\"\n ], \n \"/lib/x86_64-linux-gnu/libc-2.13.so\", \n \"---p\"\n ], \n [\n [\n \"0x00007f26a55df000\", \n \"0x00007f26a55e3000\"\n ], \n \"/lib/x86_64-linux-gnu/libc-2.13.so\", \n \"r-xp\"\n ], \n [\n [\n \"0x00007f26a55e3000\", \n \"0x00007f26a55e4000\"\n ], \n \"/lib/x86_64-linux-gnu/libc-2.13.so\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007f26a55e4000\", \n \"0x00007f26a55e9000\"\n ], \n \"\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007f26a55e9000\", \n \"0x00007f26a5609000\"\n ], \n \"/lib/x86_64-linux-gnu/ld-2.13.so\", \n \"r-xp\"\n ], \n [\n [\n \"0x00007f26a57ea000\", \n \"0x00007f26a57ed000\"\n ], \n \"\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007f26a5805000\", \n \"0x00007f26a5808000\"\n ], \n \"\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007f26a5808000\", \n \"0x00007f26a5809000\"\n ], \n \"/lib/x86_64-linux-gnu/ld-2.13.so\", \n \"r-xp\"\n ], \n [\n [\n \"0x00007f26a5809000\", \n \"0x00007f26a580a000\"\n ], \n \"/lib/x86_64-linux-gnu/ld-2.13.so\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007f26a580a000\", \n \"0x00007f26a580b000\"\n ], \n \"\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007fffd7a99000\", \n \"0x00007fffd7aba000\"\n ], \n \"[stack]\", \n \"rwxp\"\n ], \n [\n [\n \"0x00007fffd7ad4000\", \n \"0x00007fffd7ad6000\"\n ], \n \"[vvar]\", \n \"r--p\"\n ], \n [\n [\n \"0x00007fffd7ad6000\", \n \"0x00007fffd7ad8000\"\n ], \n \"[vdso]\", \n \"r-xp\"\n ], \n [\n [\n \"0xffffffffff600000\", \n \"0xffffffffff601000\"\n ], \n \"[vsyscall]\", \n \"r-xp\"\n ]\n ], \n \"time\": 
1437179338.290207, \n \"history\": [\n [\n [\n \"downstream\", \n \"547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a\"\n ], \n [\n \"upstream\", \n \"61626364656667680a\"\n ], \n [\n \"downstream\", \n \"68676665646362610a\"\n ], \n [\n \"upstream\", \n \"313233343536373839300a\"\n ], \n [\n \"downstream\", \n \"303938373635343332310a\"\n ], \n [\n \"upstream\", \n \"71776572747975696f700a\"\n ], \n [\n \"downstream\", \n \"706f69757974726577710a\"\n ]\n ]\n ]\n }\n\nBy setting the proper sysctls (for example ``%p`` in\n``kernel.core_pattern`` on Linux), you can record the pid in the coredump\nname. You should then have all the information needed to automatically\ntriage your crashes!\n\nFuzzreplay usage\n----------------\n\n``fuzzreplay`` allows you to replay crashes recorded by ``fuzzmon``. Provide\nthe target server address as well as the JSON dump, and ``fuzzreplay``\nwill reproduce the crash. Either the last stream alone or all streams\n(*-a*) in history can be replayed. That way it is possible to reproduce\ncrashes which take a specific set of requests to trigger.\n\nGet me started\n^^^^^^^^^^^^^^\n\nJust provide the target upstream server (*-u*) and the JSON to\nreplay. Note that you can replay crashes directly to the server, or\nthrough ``fuzzmon`` if you wish to leverage application layer\ntranslation:\n\n.. 
code:: python\n\n ./fuzzreplay tests/integration/replay-test.json -a -u tcp:10.212.223.52:1234\n WARNING:root:Sleeping for 3 seconds before sending alive test\n WARNING:root:Performing alive test against target\n Replay of stream 0 did not crash the server\n WARNING:root:Sleeping for 3 seconds before sending alive test\n WARNING:root:Performing alive test against target\n WARNING:root:Stream replay failed: [Errno 61] Connection refused\n Successfully crashed server by replaying stream 1:\n [[u'downstream', u'547970652051554954206f6e2061206c696e6520627920697473656c6620746f20717569740a'], [u'upstream', u'3131313131313131313131313131313131323332343334330a'], [u'downstream', u'3334333432333231313131313131313131313131313131310a'], [u'upstream', u'333235313435333235323335323532333534323532330a'], [u'downstream', u'333235323435333235323533323532333534313532330a'], [u'upstream', u'414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434444444444444444444444444444444444444444444444444444444444444444444444444444444444444545454545454545454545454545454545454545454545454545454545454545454545454545450a']]\n\nDetailed usage\n^^^^^^^^^^^^^^\n\n.. code:: python\n\n usage: fuzzreplay [-h] -u UPSTREAM [-a] [-w WAIT]\n [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]\n filename\n\n Replay streams captured by fuzzmon\n\n positional arguments:\n filename JSON test case to replay\n\n optional arguments:\n -h, --help show this help message and exit\n -u UPSTREAM, --upstream UPSTREAM\n Upstream server to which to connect. Format is\n proto:host:port or uds:proto:file for Unix Domain\n Sockets\n -a, --all Also replay all packets from history\n -w WAIT, --wait WAIT Time to wait before performing alive test. 
Default is\n 3 seconds\n -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}\n Set the debugging level", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/alexmgr/fuzzmon", "keywords": "proxy,fuzzing,debugger,ptrace,bsd", "license": "MIT", "maintainer": null, "maintainer_email": null, "name": "fuzzmon", "package_url": "https://pypi.org/project/fuzzmon/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/fuzzmon/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://github.com/alexmgr/fuzzmon" }, "release_url": "https://pypi.org/project/fuzzmon/0.4/", "requires_dist": null, "requires_python": null, "summary": "A transport layer proxy which monitors the target server using ptrace", "version": "0.4" }, "last_serial": 2014835, "releases": { "0.4": [ { "comment_text": "", "digests": { "md5": "69982644945c740d558b319dc8eacba9", "sha256": "becb51ac4c74030df436be0fa417fdc02c977c96f7268ae905e4b890a51e1411" }, "downloads": -1, "filename": "fuzzmon-0.4.tar.gz", "has_sig": false, "md5_digest": "69982644945c740d558b319dc8eacba9", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15475, "upload_time": "2016-03-18T18:28:32", "url": "https://files.pythonhosted.org/packages/d7/91/7af8da8dc6da355e168c8ca7263770a801aace51bfd1b98b3952584356c3/fuzzmon-0.4.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "69982644945c740d558b319dc8eacba9", "sha256": "becb51ac4c74030df436be0fa417fdc02c977c96f7268ae905e4b890a51e1411" }, "downloads": -1, "filename": "fuzzmon-0.4.tar.gz", "has_sig": false, "md5_digest": "69982644945c740d558b319dc8eacba9", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15475, "upload_time": "2016-03-18T18:28:32", "url": 
"https://files.pythonhosted.org/packages/d7/91/7af8da8dc6da355e168c8ca7263770a801aace51bfd1b98b3952584356c3/fuzzmon-0.4.tar.gz" } ] }