Named after the big, fuzzy, blue monster in the movie Monsters, Inc., Sulley is a potent Python-based fuzzing framework developed by Pedram Amini and Aaron Portnoy of TippingPoint. Sulley is more than just a fuzzer; it comes packed with packet-capturing capabilities, extensive crash reporting, and VMware automation. It is also able to restart the target application after a crash has occurred so that the fuzzing session can carry on hunting for bugs. In short, Sulley is badass.
For data generation, Sulley uses block-based fuzzing, the same method as Dave Aitel's SPIKE,[39] the first public fuzzer to use this approach. In block-based fuzzing you describe the general skeleton of the protocol or file format you are fuzzing, assigning lengths and data types to the fields that you wish to fuzz. The fuzzer then takes its internal list of test cases and applies them in varying ways to the protocol skeleton that you create. It has proven to be a very effective means of finding bugs because the fuzzer is given inside knowledge about the protocol before the run begins.
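To make the block-based idea concrete, here is a stripped-down generator written for this section; it is an added example, not Sulley's or SPIKE's code. A skeleton is a list of typed primitives, only the fuzzable ones carry a mutation library, and the engine substitutes one test case into one field at a time while every other field keeps its default. The request layout (a constructed FTP-style USER command), the primitive names, and the tiny test-case library are all assumptions for the example; Sulley's real library is far larger.

```python
"""Minimal block-based fuzz-case generator (added example, not Sulley's code)."""

# Constructed, deliberately small string library. A real framework ships
# hundreds of entries; these are enough to show how substitution works.
STRING_LIBRARY = [
    "A" * 64,        # moderately long string
    "A" * 1024,      # long string, the classic overflow probe
    "%s%s%s%n",      # format-specifier string
    "",              # empty field
    "\x00" * 16,     # embedded NUL bytes
]


class Primitive:
    """One field of the protocol skeleton. Non-fuzzable by default."""
    fuzzable = False

    def default(self):
        raise NotImplementedError

    def mutations(self):
        return []


class Static(Primitive):
    """A literal that is emitted verbatim and never mutated."""
    def __init__(self, value):
        self.value = value

    def default(self):
        return self.value


class String(Primitive):
    """A string field whose default is replaced by each library entry."""
    fuzzable = True

    def __init__(self, value):
        self.value = value

    def default(self):
        return self.value

    def mutations(self):
        return list(STRING_LIBRARY)


class Delim(Primitive):
    """A delimiter; mutated by repeating it or dropping it entirely."""
    fuzzable = True

    def __init__(self, value):
        self.value = value

    def default(self):
        return self.value

    def mutations(self):
        return [self.value * 2, self.value * 100, ""]


def render(skeleton, mutate_at=None, value=None):
    """Serialize the skeleton, optionally replacing field `mutate_at` with `value`."""
    parts = []
    for index, prim in enumerate(skeleton):
        parts.append(value if index == mutate_at else prim.default())
    return "".join(parts)


def generate_cases(skeleton):
    """Yield (field_index, payload) for every mutation of every fuzzable field."""
    for index, prim in enumerate(skeleton):
        if not prim.fuzzable:
            continue
        for mutation in prim.mutations():
            yield index, render(skeleton, index, mutation)


def count_cases(skeleton):
    """Total number of test cases the skeleton will produce."""
    return sum(len(prim.mutations()) for prim in skeleton if prim.fuzzable)


# Constructed skeleton for an FTP-style USER command:
#   "USER" <space> <username> CRLF
USER_REQUEST = [Static("USER"), Delim(" "), String("anonymous"), Static("\r\n")]

if __name__ == "__main__":
    print("baseline:", repr(render(USER_REQUEST)))
    print("test cases:", count_cases(USER_REQUEST))
    for field, payload in generate_cases(USER_REQUEST):
        print(field, repr(payload[:40]))
```

The skeleton renders unchanged when no mutation is applied, which is the first sanity check to run on any protocol description: if the baseline request is wrong, every generated case inherits the error. Because each case touches exactly one field, a crash can be attributed to that field immediately, which is what makes the crash reports discussed later in the chapter so useful.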
To start we will go through the necessary steps to get Sulley installed and working. Then we'll cover Sulley primitives, which are used to create a protocol description. Next we'll move right into a full fuzzing run, complete with packet capturing and crash reporting. Our fuzzing target will be WarFTPD, an FTP daemon vulnerable to a stack-based overflow. It is common for fuzzer writers and testers to take a known vulnerability and see if their fuzzer finds the bug or not. In this case we are going to use it to illustrate how Sulley handles a successful fuzzing run from start to finish. Don't hesitate to refer to the Sulley manual[40] that Pedram and Aaron wrote, as it has detailed walkthroughs and an extensive reference for the whole framework. Let's get fuzzy!
Before we dig into the nuts and bolts of Sulley, we first have to get it installed and working. I have provided a zipped copy of the Sulley source code for download at http://www.nostarch.com/ghpython.htm.
Once you have the zip file downloaded, extract it to any location you choose. From the extracted Sulley directory, copy the sulley, utils, and requests folders to C:\Python25\Lib\site-packages\. This is all that is required to get the core of Sulley installed. There are a few more prerequisite packages that we must install, and then we're ready to rock.
The first required package is WinPcap, which is the standard library to facilitate packet capture on Windows-based machines. WinPcap is used by all kinds of networking tools and intrusion-detection systems, and it is a requirement in order for Sulley to record network traffic during fuzzing runs. Simply download and execute the installer from http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe.
Once you have WinPcap installed, there are two more libraries to install: pcapy and impacket, both provided by CORE Security. Pcapy is a Python interface to the previously installed WinPcap, and impacket is a packet-decoding-and-creation library also written in Python. To install pcapy, download and execute the installer provided at http://oss.coresecurity.com/repo/pcapy-0.10.5.win32-py2.5.exe.
Once pcapy is installed, download the impacket library from http://oss.coresecurity.com/repo/Impacket-stable.zip. Extract the zip file to your C:\ directory, change into the impacket source directory, and execute the following:
C:\Impacket-stable\Impacket-0.9.6.0>C:\Python25\python.exe setup.py install
This will install impacket into your Python libraries, and you are now fully set up to begin using Sulley.
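Before starting a fuzzing run it is worth confirming that every package from the steps above is importable by the interpreter you will run Sulley with. The checker below is an added example, not part of Sulley; the module names it probes are the ones installed above, and it deliberately uses only `__import__` so it runs on the Python 2.5 interpreter the text targets as well as on current Python 3.

```python
"""Verify that Sulley's prerequisite modules import (added example, not Sulley's code)."""

# Modules installed by the steps in the text: Sulley's own packages plus
# the packet-capture and packet-decoding libraries it depends on.
SULLEY_PREREQS = ["sulley", "utils", "requests", "pcapy", "impacket"]


def check_prereqs(module_names):
    """Return {module_name: True/False} for whether each module imports cleanly."""
    status = {}
    for name in module_names:
        try:
            __import__(name)
            status[name] = True
        except ImportError:
            status[name] = False
    return status


def missing_prereqs(module_names):
    """Return the sorted list of modules that failed to import."""
    status = check_prereqs(module_names)
    return sorted(name for name, ok in status.items() if not ok)


if __name__ == "__main__":
    missing = missing_prereqs(SULLEY_PREREQS)
    if missing:
        print("missing prerequisites: " + ", ".join(missing))
    else:
        print("all Sulley prerequisites import correctly")
```

Run it with the same python.exe you used for the impacket setup step; a module that imports under one interpreter but not another usually means the packages were copied into a different site-packages directory than the one Sulley is launched from.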
[39] For the SPIKE download, go to http://immunityinc.com/resources-freesoftware.shtml.
[40] To download the Sulley: Fuzzing Framework manual, go to http://www.fuzzing.org/wp-content/SulleyManual.pdf.