diff --git a/hw5/hw5.md b/hw5/hw5.md index 5063809..05b2513 100644 --- a/hw5/hw5.md +++ b/hw5/hw5.md @@ -4,7 +4,7 @@ ## Prelude The first step I took for this asignment was setting up the docker container. This was straightforward with the provided instructions -![docker](./step0/docker.png) +![docker](./part1/step0/docker.png) # Part 1 - Tutorial @@ -14,11 +14,11 @@ Here, I have followed the instructions the run the sample RTSP client and server The server running is shown here -![step0-a](./step0/server.png) +![step0-a](./part1/step0/server.png) In another terminal, we run the sample client -![step0-b](./step0/client.png) +![step0-b](./part1/step0/client.png) ## Step-1. Prepare message sequences as seed inputs @@ -26,17 +26,17 @@ At this point, we have the server and client running. The next step is to instal As we can see, with this approach we have captured 24 packets -![step1/capture](./step1/capture.png) +![step1/capture](./part1/step1/capture.png) -Using `docker cp` I have copied that file `rtsp.pcap` to my local machine, and also have included it at [./rtsp.pcap](./rtsp.pcap) +Using `docker cp` I have copied that file `rtsp.pcap` to my local machine, and also have included it at [./part1/rtsp.pcap](./part1/rtsp.pcap) Lets take a look at this file with `wireshark rtsp.pcap` -![wireshark](./step1/wireshark.png) +![wireshark](./part1/step1/wireshark.png) -Following the instruction, we can save the raw TCP stream of the request messages to [rtsp_requests_wav.raw](./step1/rtsp_requests_wav.raw) +Following the instruction, we can save the raw TCP stream of the request messages to [rtsp_requests_wav.raw](./part1/step1/rtsp_requests_wav.raw) -![tcp-raw](./step1/tcp-raw.png) +![tcp-raw](./part1/step1/tcp-raw.png) ## Step-2 Modifications 
@@ -52,35 +52,35 @@ afl-fuzz -d -i $AFLNET/tutorials/live555/in-rtsp -o out-live555 -N tcp://127.0.0 It seems off to a good start, and I will let this run for some time and check back later. In this case, I will use the provided seed corpus. -![begin-fuzz](./step3/begin-fuzz.png) +![begin-fuzz](./part1/step3/begin-fuzz.png) -![afl](./step3/afl-start.png) +![afl](./part1/step3/afl-start.png) After about 44 hours of running this test it is time to move on. We notice we have 40 unique craches at this point, and the last one found was about 3 hours ago -![afl](./step3/afl-end.png) +![afl](./part1/step3/afl-end.png) These crashes can be found in the `replayable-crashes` directory of our run -![replayable-crashes.png](./step3/replayable-crashes.png) +![replayable-crashes.png](./part1/step3/replayable-crashes.png) ## Step-4 Reproducing As noted in the instructions, with `afl-replay` we can replay the crashing client input on the running test server, as shown with the provided example input CVS_2019_7314.poc -![CVE_2019_7314.poc_crash.png](./step4/CVE_2019_7314.poc_crash.png) +![CVE_2019_7314.poc_crash.png](./part1/step4/CVE_2019_7314.poc_crash.png) Here is another example of performing and `aflnet-replay` with one of the replayable crashes results I found to again crash the RTSP server -![fuzz-crash.png](./step4/fuzz-crash.png) +![fuzz-crash.png](./part1/step4/fuzz-crash.png) # Part 2 - Our own example -I will run through this exercise again choosing my own example +I will run through this exercise again choosing my own example. In this case, I have chosen to follow the [OpenSSH Example](https://github.com/profuzzbench/profuzzbench/tree/master/subjects/SSH/OpenSSH) -## Step-1. Prepare message sequences as seed inputs -## Step-2 Modifications -## Step-3 Fuzzing -## Step-4 Reproducing +## Step-1. Build a docker image +## Step-2. Run fuzzing +## Step-3. Collect the results +## Step-4. Analyze the results 
diff --git a/hw5/Dockerfile b/hw5/part1/Dockerfile similarity index 100% rename from hw5/Dockerfile rename to hw5/part1/Dockerfile diff --git a/hw5/rtsp.pcap b/hw5/part1/rtsp.pcap similarity index 100% rename from hw5/rtsp.pcap rename to hw5/part1/rtsp.pcap diff --git a/hw5/step0/client.png b/hw5/part1/step0/client.png similarity index 100% rename from hw5/step0/client.png rename to hw5/part1/step0/client.png diff --git a/hw5/step0/docker.png b/hw5/part1/step0/docker.png similarity index 100% rename from hw5/step0/docker.png rename to hw5/part1/step0/docker.png diff --git a/hw5/step0/server.png b/hw5/part1/step0/server.png similarity index 100% rename from hw5/step0/server.png rename to hw5/part1/step0/server.png diff --git a/hw5/step1/capture.png b/hw5/part1/step1/capture.png similarity index 100% rename from hw5/step1/capture.png rename to hw5/part1/step1/capture.png diff --git a/hw5/step1/rtsp_requests_wav.raw b/hw5/part1/step1/rtsp_requests_wav.raw similarity index 100% rename from hw5/step1/rtsp_requests_wav.raw rename to hw5/part1/step1/rtsp_requests_wav.raw diff --git a/hw5/step1/tcp-raw.png b/hw5/part1/step1/tcp-raw.png similarity index 100% rename from hw5/step1/tcp-raw.png rename to hw5/part1/step1/tcp-raw.png diff --git a/hw5/step1/wireshark.png b/hw5/part1/step1/wireshark.png similarity index 100% rename from hw5/step1/wireshark.png rename to hw5/part1/step1/wireshark.png diff --git a/hw5/step3/afl-end.png b/hw5/part1/step3/afl-end.png similarity index 100% rename from hw5/step3/afl-end.png rename to hw5/part1/step3/afl-end.png diff --git a/hw5/step3/afl-start.png b/hw5/part1/step3/afl-start.png similarity index 100% rename from hw5/step3/afl-start.png rename to hw5/part1/step3/afl-start.png diff --git a/hw5/step3/begin-fuzz.png b/hw5/part1/step3/begin-fuzz.png similarity index 100% rename from hw5/step3/begin-fuzz.png rename to hw5/part1/step3/begin-fuzz.png 
diff --git a/hw5/step3/replayable-crashes.png b/hw5/part1/step3/replayable-crashes.png similarity index 100% rename from hw5/step3/replayable-crashes.png rename to hw5/part1/step3/replayable-crashes.png diff --git a/hw5/step4/CVE_2019_7314.poc_crash.png b/hw5/part1/step4/CVE_2019_7314.poc_crash.png similarity index 100% rename from hw5/step4/CVE_2019_7314.poc_crash.png rename to hw5/part1/step4/CVE_2019_7314.poc_crash.png diff --git a/hw5/step4/fuzz-crash.png b/hw5/part1/step4/fuzz-crash.png similarity index 100% rename from hw5/step4/fuzz-crash.png rename to hw5/part1/step4/fuzz-crash.png
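Review bot: in the first hunk of hw5/hw5.md (@@ -4,7 +4,7 @@) the unchanged context line carries a typo, "asignment" for "assignment", and the sentence "This was straightforward with the provided instructions" has no terminating period; since this hunk already touches the Prelude to repoint the docker image, fixing both here avoids a separate cleanup commit. The path change itself is consistent with the rename of hw5/step0/docker.png to hw5/part1/step0/docker.png.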
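Review bot: in the second hunk (@@ -14,11 +14,11 @@) the context line "Here, I have followed the instructions the run the sample RTSP client and server" reads "the run" where "to run" is meant; worth correcting while this hunk is being edited. The two image repoints (server.png and client.png) match the corresponding renames into hw5/part1/step0/.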
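Review bot: in the third hunk (@@ -26,17 +26,17 @@) the command in the unchanged line "Lets take a look at this file with `wireshark rtsp.pcap`" no longer matches where the capture now lives, which this same hunk links as ./part1/rtsp.pcap; suggest `wireshark part1/rtsp.pcap` (or stating the working directory) so a reader copying the command finds the file. Minor: "Lets" should be "Let's" and "Following the instruction" should be "Following the instructions".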
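Review bot: in the last hunk (@@ -52,35 +52,35 @@) the four renamed Part 2 headings (Build a docker image, Run fuzzing, Collect the results, Analyze the results) are still empty, so the hunk commits a skeleton under which a reader expects OpenSSH results that do not exist yet; either add a one-line status under each or mark them as TODO in the text. Also in the unchanged Step-4 context: "CVS_2019_7314.poc" should be "CVE_2019_7314.poc" (the image linked on the next line is CVE_2019_7314.poc_crash.png), the replay tool is called `afl-replay` in one sentence and `aflnet-replay` in the next (AFLNet's replay utility is `aflnet-replay`, so the first mention should be corrected), and "40 unique craches" / "performing and `aflnet-replay`" should read "40 unique crashes" / "performing an `aflnet-replay`".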