david/netsec-djw2
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-04-28. You can view files and clone it, but cannot push or open issues or pull requests.
8ab73d3dd8
netsec-djw2/hw5/hw5.md
David Westgate 8ab73d3dd8 move directories around
2024-06-07 18:10:19 -07:00

87 lines
3.0 KiB
Markdown
Raw Blame History

# Homework 5: Fuzzing
## Prelude
The first step I took for this asignment was setting up the docker container. This was straightforward with the provided instructions
![docker](./part1/step0/docker.png)
# Part 1 - Tutorial
## Step-0
Here, I have followed the instructions the run the sample RTSP client and server
The server running is shown here
![step0-a](./part1/step0/server.png)
In another terminal, we run the sample client
![step0-b](./part1/step0/client.png)
## Step-1. Prepare message sequences as seed inputs
At this point, we have the server and client running. The next step is to install TCP dump, and open it up on a 3rd terminal window. We can now restart the client and capture some traffic
As we can see, with this approach we have captured 24 packets
![step1/capture](./part1/step1/capture.png)
Using `docker cp` I have copied that file `rtsp.pcap` to my local machine, and also have included it at [./part1/rtsp.pcap](./part1/rtsp.pcap)
Lets take a look at this file with `wireshark rtsp.pcap`
![wireshark](./part1/step1/wireshark.png)
Following the instruction, we can save the raw TCP stream of the request messages to [rtsp_requests_wav.raw](./part1/step1/rtsp_requests_wav.raw)
![tcp-raw](./part1/step1/tcp-raw.png)
## Step-2 Modifications
As understood in the Step 0 instructions, we have already applied the `ceeb4f4` patch to make fuzzing more effective.
## Step-3 Fuzzing
We begin the fuzzing process running the supplied command
```
afl-fuzz -d -i $AFLNET/tutorials/live555/in-rtsp -o out-live555 -N tcp://127.0.0.1/8554 -x $AFLNET/tutorials/live555/rtsp.dict -P RTSP -D 10000 -q 3 -s 3 -E -K -R ./testOnDemandRTSPServer 8554
```
It seems off to a good start, and I will let this run for some time and check back later. In this case, I will use the provided seed corpus.
![begin-fuzz](./part1/step3/begin-fuzz.png)
![afl](./part1/step3/afl-start.png)
After about 44 hours of running this test it is time to move on. We notice we have 40 unique craches at this point, and the last one found was about 3 hours ago
![afl](./part1/step3/afl-end.png)
These crashes can be found in the `replayable-crashes` directory of our run
![replayable-crashes.png](./part1/step3/replayable-crashes.png)
## Step-4 Reproducing
As noted in the instructions, with `afl-replay` we can replay the crashing client input on the running test server, as shown with the provided example input CVS_2019_7314.poc
![CVE_2019_7314.poc_crash.png](./part1/step4/CVE_2019_7314.poc_crash.png)
Here is another example of performing and `aflnet-replay` with one of the replayable crashes results I found to again crash the RTSP server
![fuzz-crash.png](./part1/step4/fuzz-crash.png)
# Part 2 - Our own example
I will run through this exercise again choosing my own example. In this case, I have chosen to follow the [OpenSSH Example](https://github.com/profuzzbench/profuzzbench/tree/master/subjects/SSH/OpenSSH)
## Step-1. Build a docker image
## Step-2. Run fuzzing
## Step-3. Collect the results
## Step-4. Analyze the results
Reference in New Issue View Git Blame Copy Permalink