boofuzz: 'PED-RPC> remote method restart_target cannot be found'
I'm trying to learn the ins and outs of fuzzing unknown protocols to locate vulnerabilities in applications. I'm using a well-known vulnerable application, Disk Savvy Enterprise 10.4.18, which has a known SEH buffer overflow.
I currently have a boofuzz script and I'm trying to use the process_monitor.py script, but I can't get it to restart the crashed service. I have process_monitor.py running on my target machine and I connect to it successfully from my fuzzing machine. My problem is the error in the question title: when the application crashes, it 'attempts' to restart the process, but I get the error
PED-RPC> remote method restart_target cannot be found
The relevant part of my Python script is:
from boofuzz import pedrpc, sessions
from boofuzz.socket_connection import SocketConnection

# dst and dport are the target host and port, passed in from main()
session = sessions.Session(
    crash_threshold=10000,  # Arbitrary, high crash threshold (an int, not a string)
    check_data_received_each_request=0,  # Don't check data after every request (slow)
    restart_sleep_time=0.1,
    sleep_time=0.1,
)

# Define target
target = sessions.Target(
    connection=SocketConnection(dst, dport, proto='tcp')
)

# Define procmon options: the process monitor listens on port 26002 on the target host
target.procmon = pedrpc.Client(dst, 26002)
target.procmon_options = {
    "proc_name": "disksvs.exe",
    "stop_commands": ['net stop "Disk Savvy Enterprise"'],
    "start_commands": ['net start "Disk Savvy Enterprise"'],
}
I start process_monitor.py on the target machine with the following line:
python process_monitor.py --port 26002 --crash_bin diskSaavy_Crashes.txt
Here is the resulting output after startup and after the crash:
Couldn't import dot_parser, loading of dot files will not be possible.
[03:11.00] Process Monitor PED-RPC server initialized:
[03:11.00] crash file: C:\Python27\Lib\site-packages\boofuzz\diskSaavy_Crashes.txt
[03:11.00] # records: 3
[03:11.00] proc name: None
[03:11.00] log level: 1
[03:11.00] awaiting requests...
[03:23.29] updating target process name to 'disksvs.exe'
[03:23.30] updating stop commands to: ['net stop "Disk Savvy Enterprise"']
[03:23.30] updating start commands to: ['net start "Disk Savvy Enterprise"']
[03:23.30] debugger thread-1523215410 looking for process name: disksvs.exe
[03:23.42] debugger thread-1523215410 found match on pid 2908
[03:23.48] updating target process name to 'disksvs.exe'
[03:23.48] updating stop commands to: ['net stop "Disk Savvy Enterprise"']
[03:23.48] updating start commands to: ['net start "Disk Savvy Enterprise"']
[03:23.49] debugger thread-1523215410 caught access violation: 'libpal.dll:004a919f movsx ebp,[eax+ebx] from thread 2424 caused access violation'
[03:23.49] debugger thread-1523215410 exiting
PED-RPC> remote method restart_target cannot be found
For the same crash, here is the boofuzz output on my fuzzing machine:
[2018-04-08 15:23:49,996] Test Step: Failure summary
[2018-04-08 15:23:49,996] Info: procmon detected crash on test case #2: libpal.dll:004a919f movsx ebp,[eax+ebx] from thread 2424 caused access violation
[2018-04-08 15:23:49,996] Test Step: restarting target
[2018-04-08 15:23:49,996] Info: restarting target process
[2018-04-08 15:23:50,206] Error!!!! Restarting the target failed, exiting.
Traceback (most recent call last):
File "./boofuzz-diskSaavy.py", line 72, in <module>
main()
File "./boofuzz-diskSaavy.py", line 17, in main
fuzz(dst, dport)
File "./boofuzz-diskSaavy.py", line 69, in fuzz
session.fuzz()
File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 414, in fuzz
self._fuzz_current_case(*fuzz_args)
File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 893, in _fuzz_current_case
self._process_failures(target=target)
File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 603, in _process_failures
self.restart_target(target)
File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 680, in restart_target
raise sex.BoofuzzRestartFailedError()
boofuzz.sex.BoofuzzRestartFailedError
I have tried different variations of start_commands, not sending proc_name or stop_commands and instead specifying them when launching process_monitor.py, different start_commands such as including the full path to net.exe and different escaping of the quotes around the service name, etc. Nothing I have tried so far has worked.
Looking at sessions.py, pedrpc.py and several other files, I see that __getattr__ is used to handle method calls, but as far as I can tell restart_target exists in sessions.py, so I'm not sure why PEDRPC claims it cannot find restart_target... I'm pulling my hair out. boofuzz is doing everything I want it to do, minus the restart.
I can provide more information if this isn't enough, and I would appreciate any help.
Thanks!
TL;DR The method doesn't exist because your process_monitor.py is out of date; download the latest copy from boofuzz and try again.
Thanks for the thorough debugging information in the question. If process_monitor.py prints a stack trace, including that would help as well. :)
I searched the code base for "PED-RPC> remote" and found it at line 2 of boofuzz/pedrpc.py (permalink):
sys.stderr.write('PED-RPC> remote method "{0}" of {1} cannot be found\n'.format(method_name, self))
Note the subtle difference: your output has no of {1}. That indicates your process_monitor.py comes from an older version of boofuzz. git blame shows this change was made in e4723204d43bd758077f56df419af1c7c7424f14, first included in v0.0.8.
Downloading the latest process_monitor.py should fix the problem.
This could have been avoided if the process monitor advertised its version; I filed an issue.
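The version-mismatch diagnosis in the answer can be applied mechanically. The following is an added example (not boofuzz project code): it classifies a "PED-RPC> remote method ... cannot be found" line by whether it carries the `of {1}` part introduced in v0.0.8, and scans a pedrpc.py source text for the same marker. The sample log lines are constructed from the question's output; the server object repr and the pre-v0.0.8 source line are placeholders, not the real ones.

```python
import re

# Pre-v0.0.8 pedrpc.py wrote the method name bare; from commit
# e4723204d43bd758077f56df419af1c7c7424f14 (v0.0.8) it quotes the name and
# appends 'of <server object>'. The two regexes tell the formats apart.
OLD_FORMAT = re.compile(r'^PED-RPC> remote method (\S+) cannot be found\s*$', re.M)
NEW_FORMAT = re.compile(r'^PED-RPC> remote method "([^"]+)" of .+ cannot be found\s*$', re.M)


def diagnose_pedrpc_log(log_text):
    """Classify the first 'cannot be found' line in a process_monitor.py log.

    Returns (method_name, verdict): 'outdated-procmon' when the server is
    older than v0.0.8 (fix: update process_monitor.py), 'missing-method'
    when a current server genuinely lacks the method, or None if no such
    line is present.
    """
    m = NEW_FORMAT.search(log_text)
    if m:
        return m.group(1), "missing-method"
    m = OLD_FORMAT.search(log_text)
    if m:
        return m.group(1), "outdated-procmon"
    return None


def pedrpc_source_is_outdated(source_text):
    """True when a pedrpc.py source text still lacks the v0.0.8 message format."""
    return ('remote method "{0}" of {1} cannot be found' not in source_text
            and "remote method" in source_text)


# Constructed samples: the tail of the procmon log from the question, and what
# a current server would print for a truly missing method (the object repr is
# a placeholder, not a real boofuzz class name).
OLD_LOG = ("[03:23.49] debugger thread-1523215410 exiting\n"
           "PED-RPC> remote method restart_target cannot be found\n")
NEW_LOG = ('PED-RPC> remote method "restart_target" of '
           "<PLACEHOLDER server object> cannot be found\n")
# Constructed source lines: OLD_SOURCE is a placeholder for the pre-v0.0.8 text,
# NEW_SOURCE is the line quoted in the answer.
OLD_SOURCE = "sys.stderr.write('PED-RPC> remote method %s cannot be found\\n' % method_name)\n"
NEW_SOURCE = ("sys.stderr.write('PED-RPC> remote method \"{0}\" of {1} cannot be found\\n'"
              ".format(method_name, self))\n")

if __name__ == "__main__":
    print(diagnose_pedrpc_log(OLD_LOG))  # ('restart_target', 'outdated-procmon')
    print(diagnose_pedrpc_log(NEW_LOG))  # ('restart_target', 'missing-method')
    print(pedrpc_source_is_outdated(OLD_SOURCE), pedrpc_source_is_outdated(NEW_SOURCE))
```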