Sulley Fuzzer 实战教程：Trend Micro Server Protect 漏洞挖掘<\/h1>

前言<\/h2>
本教程基于Sulley Fuzzer对Trend Micro Server Protect的漏洞挖掘过程，详细展示了从环境搭建到漏洞发现的完整流程。Sulley是一个模块化的模糊测试框架，特别适合协议和文件格式的模糊测试。<\/p>

目标分析<\/h2>
目标系统：Trend Micro Server Protect
目标服务：SpntSvc.exe服务绑定的TCP端口5168上的Microsoft DCE\/RPC端点
目标接口：TmRpcSvc.dll中的RPC接口<\/p>

接口定义(IDL)<\/h3>

\/\/ opcode: 0x00, address: 0x65741030
<\/span><\/span><\/span>\/\/ uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
<\/span><\/span><\/span>\/\/ version: 1.0
<\/span><\/span><\/span><\/span>error_status_t rpc_opnum_0<\/span> (
<\/span><\/span>    [in] handle_t arg_1,        \/\/ 不通过网络传输
<\/span><\/span><\/span><\/span>    [in] long<\/span> trend_req_num,
<\/span><\/span>    [in][size_is(arg_4)] byte some_string[],
<\/span><\/span>    [in] long<\/span> arg_4,
<\/span><\/span>    [out][size_is(arg_6)] byte arg_5[],  \/\/ 不通过网络传输
<\/span><\/span><\/span><\/span>    [in] long<\/span> arg_6
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>关键参数分析<\/h3>

trend_req_num<\/code>参数具有特殊含义：

上半部分和下半部分控制一对跳转表<\/li>
通过逆向工程发现的合法组合：<\/li>
<\/ul>
<\/li>
<\/ol>



上半部分值<\/th>
有效的下半部分范围<\/th>
<\/tr>
<\/thead>


0x0001<\/td>
1-21<\/td>
<\/tr>

0x0002<\/td>
1-18<\/td>
<\/tr>

0x0003<\/td>
1-84<\/td>
<\/tr>

0x0005<\/td>
1-24<\/td>
<\/tr>

0x000A<\/td>
1-48<\/td>
<\/tr>

0x001F<\/td>
1-24<\/td>
<\/tr>
<\/tbody>
<\/table>
环境准备<\/h2>
自定义编码器<\/h3>
创建DCE\/RPC请求编码器，将操作码硬编码为零：<\/p>
# dce rpc request encoder used for trend server protect 5168 RPC service<\/span>
<\/span><\/span># opnum is always zero<\/span>
<\/span><\/span>def<\/span> rpc_request_encoder<\/span>(data):
<\/span><\/span>    return<\/span> utils.<\/span>dcerpc.<\/span>request(0<\/span>, data)
<\/span><\/span><\/code><\/pre>构建请求<\/h2>
在requests\/trend.py<\/code>中定义请求：<\/p>
for<\/span> op, submax in<\/span> [(0x1<\/span>, 22<\/span>), (0x2<\/span>, 19<\/span>), (0x3<\/span>, 85<\/span>), (0x5<\/span>, 25<\/span>), (0xa<\/span>, 49<\/span>), (0x1f<\/span>, 25<\/span>)]:
<\/span><\/span>    s_initialize("5168: op-<\/span>%x<\/span>"<\/span> %<\/span> op)
<\/span><\/span>    if<\/span> s_block_start("everything"<\/span>, encoder=<\/span>rpc_request_encoder):
<\/span><\/span>        # [in] long trend_req_num,<\/span>
<\/span><\/span>        s_group("subs"<\/span>, values=<\/span>map(chr, range(1<\/span>, submax)))
<\/span><\/span>        s_static("<\/span>\x00<\/span>"<\/span>)  # subs is actually a little endian word<\/span>
<\/span><\/span>        s_static(struct.<\/span>pack("<H"<\/span>, op))  # opcode<\/span>
<\/span><\/span>        # [in][size_is(arg_4)] byte some_string[],<\/span>
<\/span><\/span>        s_size("some_string"<\/span>)
<\/span><\/span>        if<\/span> s_block_start("some_string"<\/span>, group=<\/span>"subs"<\/span>):
<\/span><\/span>            s_static("A"<\/span> *<\/span> 0x5000<\/span>, name=<\/span>"arg3"<\/span>)
<\/span><\/span>        s_block_end()
<\/span><\/span>        # [in] long arg_4,<\/span>
<\/span><\/span>        s_size("some_string"<\/span>)
<\/span><\/span>        # [in] long arg_6<\/span>
<\/span><\/span>        s_static(struct.<\/span>pack("<L"<\/span>, 0x5000<\/span>))  # output buffer size<\/span>
<\/span><\/span>    s_block_end()
<\/span><\/span><\/code><\/pre>创建会话<\/h2>
在fuzz_trend_server_protect_5168.py<\/code>中：<\/p>
导入模块<\/h3>
from<\/span> sulley import<\/span> *<\/span>
<\/span><\/span>from<\/span> requests import<\/span> trend
<\/span><\/span><\/code><\/pre>RPC绑定函数<\/h3>
def<\/span> rpc_bind<\/span>(sock):
<\/span><\/span>    bind =<\/span> utils.<\/span>dcerpc.<\/span>bind("25288888-bd5b-11d1-9d53-0080c83a5c2c"<\/span>, "1.0"<\/span>)
<\/span><\/span>    sock.<\/span>send(bind)
<\/span><\/span>    utils.<\/span>dcerpc.<\/span>bind_ack(sock.<\/span>recv(1000<\/span>))
<\/span><\/span><\/code><\/pre>会话配置<\/h3>
sess =<\/span> sessions.<\/span>session(session_filename=<\/span>"audits\/trend_server_protect_5168.session"<\/span>)
<\/span><\/span>target =<\/span> sessions.<\/span>target("10.0.0.1"<\/span>, 5168<\/span>)
<\/span><\/span>target.<\/span>netmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26001<\/span>)
<\/span><\/span>target.<\/span>procmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26002<\/span>)
<\/span><\/span>target.<\/span>vmcontrol =<\/span> pedrpc.<\/span>client("127.0.0.1"<\/span>, 26003<\/span>)
<\/span><\/span>
<\/span><\/span>target.<\/span>procmon_options =<\/span> {
<\/span><\/span>    "proc_name"<\/span>: "SpntSvc.exe"<\/span>,
<\/span><\/span>    "stop_commands"<\/span>: ['net stop "trend serverprotect"'<\/span>],
<\/span><\/span>    "start_commands"<\/span>: ['net start "trend serverprotect"'<\/span>],
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 启动目标<\/span>
<\/span><\/span>target.<\/span>vmcontrol.<\/span>restart_target()
<\/span><\/span>print "virtual machine up and running"<\/span>
<\/span><\/span>
<\/span><\/span># 添加目标和请求<\/span>
<\/span><\/span>sess.<\/span>add_target(target)
<\/span><\/span>sess.<\/span>pre_send =<\/span> rpc_bind
<\/span><\/span>sess.<\/span>connect(s_get("5168: op-1"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("5168: op-2"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("5168: op-3"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("5168: op-5"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("5168: op-a"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("5168: op-1f"<\/span>))
<\/span><\/span>sess.<\/span>fuzz()
<\/span><\/span><\/code><\/pre>环境设置<\/h2>
网络监控器<\/h3>
network_monitor.py -d 1<\/span> \
<\/span><\/span><\/span><\/span>    -f "src or dst port 5168"<\/span> \
<\/span><\/span><\/span><\/span>    -p audits\t<\/span>rend_server_protect_5168
<\/span><\/span><\/code><\/pre>进程监控器<\/h3>
process_monitor.py -c audits\t<\/span>rend_server_protect_5168.crashbin \
<\/span><\/span><\/span><\/span>    -p SpntSvc.exe
<\/span><\/span><\/code><\/pre>VMWare控制代理<\/h3>
vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe"<\/span> \
<\/span><\/span><\/span><\/span>    -x "v:\vmfarm\images\windows\2000\win_2000_pro-clones\TrendM~1\win_2000_pro.vmx"<\/span> \
<\/span><\/span><\/span><\/span>    --snapshot "sulley ready and waiting"<\/span>
<\/span><\/span><\/code><\/pre>结果分析<\/h2>
运行221个测试用例后，发现19个触发了故障。使用crashbin_explorer.py<\/code>分析：<\/p>
$ .\/utils\/crashbin_explorer.py audits\/trend_server_protect_5168.crashbin
<\/span><\/span>[<\/span>6]<\/span> [<\/span>INVALID]<\/span>:41414141 Unable to disassemble at 41414141<\/span> from thread 568<\/span> caused access violation
<\/span><\/span>42, 109, 156, 164, 170, 198,
<\/span><\/span>[<\/span>3]<\/span> LogMaster.dll:63272106 push ebx from thread 568<\/span> caused access violation
<\/span><\/span>53, 56, 151,
<\/span><\/span>[<\/span>...]<\/span>
<\/span><\/span><\/code><\/pre>测试用例分析<\/h3>
$ .\/utils\/crashbin_explorer.py audits\/trend_server_protect_5168.crashbin -t 70<\/span>
<\/span><\/span>[<\/span>INVALID]<\/span>:0058002e Unable to disassemble at 0058002e from thread 568<\/span> caused access violation
<\/span><\/span>when attempting to read from 0x0058002e
<\/span><\/span>CONTEXT DUMP
<\/span><\/span>EIP: 0058002e Unable to disassemble at 0058002e
<\/span><\/span>EAX: 00000001<\/span> (<\/span> 1)<\/span> -> N\/A
<\/span><\/span>EBX: 0259e118 (<\/span> 39444760)<\/span> -> A.....AAAAA (<\/span>stack)<\/span>
<\/span><\/span>[<\/span>...]<\/span>
<\/span><\/span><\/code><\/pre>清理PCAP文件<\/h3>
$ .\/utils\/pcap_cleaner.py audits\/trend_server_protect_5168.crashbin audits\/trend_server_protect_5168
<\/span><\/span><\/code><\/pre>发现的漏洞<\/h2>


TSRT-07-01<\/strong>: Trend Micro ServerProtect StCommon.dll栈溢出漏洞<\/p>

链接: http:\/\/www.fuzzing.org\/wp-content\/SulleyManual.pdf<\/li>
<\/ul>
<\/li>

TSRT-07-02<\/strong>: Trend Micro ServerProtect eng50.dll栈溢出漏洞<\/p>

链接: https:\/\/www.trendmicro.com\/en_us\/business\/products\/network\/intrusion-prevention.html<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本教程展示了使用Sulley Fuzzer对复杂RPC接口进行模糊测试的完整流程，包括：<\/p>

目标分析和逆向工程<\/li>
自定义编码器开发<\/li>
请求构建和会话配置<\/li>
监控环境设置<\/li>
结果分析和漏洞验证<\/li>
<\/ol>
通过这种方法，可以系统地发现和验证目标系统中的安全漏洞。<\/p>

上半部分值<\/th>	有效的下半部分范围<\/th> <\/tr> <\/thead>
0x0001<\/td>	1-21<\/td> <\/tr>
0x0002<\/td>	1-18<\/td> <\/tr>
0x0003<\/td>	1-84<\/td> <\/tr>
0x0005<\/td>	1-24<\/td> <\/tr>
0x000A<\/td>	1-48<\/td> <\/tr>
0x001F<\/td>	1-24<\/td> <\/tr> <\/tbody> <\/table> 环境准备<\/h2> 自定义编码器<\/h3> 创建DCE\/RPC请求编码器，将操作码硬编码为零：<\/p> # dce rpc request encoder used for trend server protect 5168 RPC service<\/span> <\/span><\/span># opnum is always zero<\/span> <\/span><\/span>def<\/span> rpc_request_encoder<\/span>(data): <\/span><\/span> return<\/span> utils.<\/span>dcerpc.<\/span>request(0<\/span>, data) <\/span><\/span><\/code><\/pre>构建请求<\/h2> 在requests\/trend.py<\/code>中定义请求：<\/p> for<\/span> op, submax in<\/span> [(0x1<\/span>, 22<\/span>), (0x2<\/span>, 19<\/span>), (0x3<\/span>, 85<\/span>), (0x5<\/span>, 25<\/span>), (0xa<\/span>, 49<\/span>), (0x1f<\/span>, 25<\/span>)]: <\/span><\/span> s_initialize("5168: op-<\/span>%x<\/span>"<\/span> %<\/span> op) <\/span><\/span> if<\/span> s_block_start("everything"<\/span>, encoder=<\/span>rpc_request_encoder): <\/span><\/span> # [in] long trend_req_num,<\/span> <\/span><\/span> s_group("subs"<\/span>, values=<\/span>map(chr, range(1<\/span>, submax))) <\/span><\/span> s_static("<\/span>\x00<\/span>"<\/span>) # subs is actually a little endian word<\/span> <\/span><\/span> s_static(struct.<\/span>pack("<H"<\/span>, op)) # opcode<\/span> <\/span><\/span> # [in][size_is(arg_4)] byte some_string[],<\/span> <\/span><\/span> s_size("some_string"<\/span>) <\/span><\/span> if<\/span> s_block_start("some_string"<\/span>, group=<\/span>"subs"<\/span>): <\/span><\/span> s_static("A"<\/span> <\/span> 0x5000<\/span>, name=<\/span>"arg3"<\/span>) <\/span><\/span> s_block_end() <\/span><\/span> # [in] long arg_4,<\/span> <\/span><\/span> s_size("some_string"<\/span>) <\/span><\/span> # [in] long arg_6<\/span> <\/span><\/span> s_static(struct.<\/span>pack("<L"<\/span>, 0x5000<\/span>)) # output buffer size<\/span> <\/span><\/span> s_block_end() <\/span><\/span><\/code><\/pre>创建会话<\/h2> 在fuzz_trend_server_protect_5168.py<\/code>中：<\/p> 导入模块<\/h3> from<\/span> sulley import<\/span> <\/span> <\/span><\/span>from<\/span> requests import<\/span> trend <\/span><\/span><\/code><\/pre>RPC绑定函数<\/h3> def<\/span> rpc_bind<\/span>(sock): <\/span><\/span> bind =<\/span> utils.<\/span>dcerpc.<\/span>bind("25288888-bd5b-11d1-9d53-0080c83a5c2c"<\/span>, "1.0"<\/span>) <\/span><\/span> sock.<\/span>send(bind) <\/span><\/span> utils.<\/span>dcerpc.<\/span>bind_ack(sock.<\/span>recv(1000<\/span>)) <\/span><\/span><\/code><\/pre>会话配置<\/h3> sess =<\/span> sessions.<\/span>session(session_filename=<\/span>"audits\/trend_server_protect_5168.session"<\/span>) <\/span><\/span>target =<\/span> sessions.<\/span>target("10.0.0.1"<\/span>, 5168<\/span>) <\/span><\/span>target.<\/span>netmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26001<\/span>) <\/span><\/span>target.<\/span>procmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26002<\/span>) <\/span><\/span>target.<\/span>vmcontrol =<\/span> pedrpc.<\/span>client("127.0.0.1"<\/span>, 26003<\/span>) <\/span><\/span> <\/span><\/span>target.<\/span>procmon_options =<\/span> { <\/span><\/span> "proc_name"<\/span>: "SpntSvc.exe"<\/span>, <\/span><\/span> "stop_commands"<\/span>: ['net stop "trend serverprotect"'<\/span>], <\/span><\/span> "start_commands"<\/span>: ['net start "trend serverprotect"'<\/span>], <\/span><\/span>} <\/span><\/span> <\/span><\/span># 启动目标<\/span> <\/span><\/span>target.<\/span>vmcontrol.<\/span>restart_target() <\/span><\/span>print "virtual machine up and running"<\/span> <\/span><\/span> <\/span><\/span># 添加目标和请求<\/span> <\/span><\/span>sess.<\/span>add_target(target) <\/span><\/span>sess.<\/span>pre_send =<\/span> rpc_bind <\/span><\/span>sess.<\/span>connect(s_get("5168: op-1"<\/span>)) <\/span><\/span>sess.<\/span>connect(s_get("5168: op-2"<\/span>)) <\/span><\/span>sess.<\/span>connect(s_get("5168: op-3"<\/span>)) <\/span><\/span>sess.<\/span>connect(s_get("5168: op-5"<\/span>)) <\/span><\/span>sess.<\/span>connect(s_get("5168: op-a"<\/span>)) <\/span><\/span>sess.<\/span>connect(s_get("5168: op-1f"<\/span>)) <\/span><\/span>sess.<\/span>fuzz() <\/span><\/span><\/code><\/pre>环境设置<\/h2> 网络监控器<\/h3> network_monitor.py -d 1<\/span> \ <\/span><\/span><\/span><\/span> -f "src or dst port 5168"<\/span> \ <\/span><\/span><\/span><\/span> -p audits\t<\/span>rend_server_protect_5168 <\/span><\/span><\/code><\/pre>进程监控器<\/h3> process_monitor.py -c audits\t<\/span>rend_server_protect_5168.crashbin \ <\/span><\/span><\/span><\/span> -p SpntSvc.exe <\/span><\/span><\/code><\/pre>VMWare控制代理<\/h3> vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe"<\/span> \ <\/span><\/span><\/span><\/span> -x "v:\vmfarm\images\windows\2000\win_2000_pro-clones\TrendM~1\win_2000_pro.vmx"<\/span> \ <\/span><\/span><\/span><\/span> --snapshot "sulley ready and waiting"<\/span> <\/span><\/span><\/code><\/pre>结果分析<\/h2> 运行221个测试用例后，发现19个触发了故障。使用crashbin_explorer.py<\/code>分析：<\/p> $ .\/utils\/crashbin_explorer.py audits\/trend_server_protect_5168.crashbin <\/span><\/span>[<\/span>6]<\/span> [<\/span>INVALID]<\/span>:41414141 Unable to disassemble at 41414141<\/span> from thread 568<\/span> caused access violation <\/span><\/span>42, 109, 156, 164, 170, 198, <\/span><\/span>[<\/span>3]<\/span> LogMaster.dll:63272106 push ebx from thread 568<\/span> caused access violation <\/span><\/span>53, 56, 151, <\/span><\/span>[<\/span>...]<\/span> <\/span><\/span><\/code><\/pre>测试用例分析<\/h3> $ .\/utils\/crashbin_explorer.py audits\/trend_server_protect_5168.crashbin -t 70<\/span> <\/span><\/span>[<\/span>INVALID]<\/span>:0058002e Unable to disassemble at 0058002e from thread 568<\/span> caused access violation <\/span><\/span>when attempting to read from 0x0058002e <\/span><\/span>CONTEXT DUMP <\/span><\/span>EIP: 0058002e Unable to disassemble at 0058002e <\/span><\/span>EAX: 00000001<\/span> (<\/span> 1)<\/span> -> N\/A <\/span><\/span>EBX: 0259e118 (<\/span> 39444760)<\/span> -> A.....AAAAA (<\/span>stack)<\/span> <\/span><\/span>[<\/span>...]<\/span> <\/span><\/span><\/code><\/pre>清理PCAP文件<\/h3> $ .\/utils\/pcap_cleaner.py audits\/trend_server_protect_5168.crashbin audits\/trend_server_protect_5168 <\/span><\/span><\/code><\/pre>发现的漏洞<\/h2> TSRT-07-01<\/strong>: Trend Micro ServerProtect StCommon.dll栈溢出漏洞<\/p> 链接: http:\/\/www.fuzzing.org\/wp-content\/SulleyManual.pdf<\/li> <\/ul> <\/li> TSRT-07-02<\/strong>: Trend Micro ServerProtect eng50.dll栈溢出漏洞<\/p> 链接: https:\/\/www.trendmicro.com\/en_us\/business\/products\/network\/intrusion-prevention.html<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 本教程展示了使用Sulley Fuzzer对复杂RPC接口进行模糊测试的完整流程，包括：<\/p> 目标分析和逆向工程<\/li> 自定义编码器开发<\/li> 请求构建和会话配置<\/li> 监控环境设置<\/li> 结果分析和漏洞验证<\/li> <\/ol> 通过这种方法，可以系统地发现和验证目标系统中的安全漏洞。<\/p>

Sulley Fuzzer 实战教程：Trend Micro Server Protect 漏洞挖掘<\/h1>

前言<\/h2> 本教程基于Sulley Fuzzer对Trend Micro Server Protect的漏洞挖掘过程，详细展示了从环境搭建到漏洞发现的完整流程。Sulley是一个模块化的模糊测试框架，特别适合协议和文件格式的模糊测试。<\/p>

目标分析<\/h2> 目标系统：Trend Micro Server Protect 目标服务：SpntSvc.exe服务绑定的TCP端口5168上的Microsoft DCE\/RPC端点 目标接口：TmRpcSvc.dll中的RPC接口<\/p>

环境准备<\/h2>

创建会话<\/h2> 在fuzz_trend_server_protect_5168.py<\/code>中：<\/p>

环境设置<\/h2>

前言<\/h2>
本教程基于Sulley Fuzzer对Trend Micro Server Protect的漏洞挖掘过程，详细展示了从环境搭建到漏洞发现的完整流程。Sulley是一个模块化的模糊测试框架，特别适合协议和文件格式的模糊测试。<\/p>

目标分析<\/h2>
目标系统：Trend Micro Server Protect
目标服务：SpntSvc.exe服务绑定的TCP端口5168上的Microsoft DCE\/RPC端点
目标接口：TmRpcSvc.dll中的RPC接口<\/p>

创建会话<\/h2>
在`fuzz_trend_server_protect_5168.py<\/code>中：<\/p>`