Sulley Fuzzer 学习指南 - Vulnserver 实战篇<\/h1>

1. 前言<\/h2>
Sulley 是一个功能强大的模糊测试框架，本教程将详细介绍如何使用 Sulley 对 Vulnserver 进行模糊测试。Vulnserver 是由 Stephen Bradshaw 编写的故意包含漏洞的服务器程序，专门用于学习模糊测试技术。<\/p>

2. 模糊测试流程概述<\/h2>

完整的模糊测试过程包含以下关键阶段：<\/p>

确定目标<\/strong>：在本例中为运行在端口 9999 上的 Vulnserver<\/li>
识别输入<\/strong>：找出应用程序接受的所有输入<\/li>
生成模糊数据<\/strong>：创建无效输入数据<\/li>
执行模糊测试<\/strong>：将数据发送到目标<\/li>
检测异常<\/strong>：监控服务器崩溃情况<\/li>

确定可利用性<\/strong>：分析导致崩溃的输入数据<\/li> <\/ol>
3. 准备工作<\/h2>
3.1 识别 Vulnserver 输入<\/h3>
通过 telnet 连接到 Vulnserver 并执行 HELP 命令可以获取所有有效命令：<\/p>
telnet localhost 9999 HELP <\/code><\/pre> Vulnserver 支持的命令包括：<\/p> HELP<\/li> STATS [stat_value]<\/li> RTIME [rtime_value]<\/li> LTIME [ltime_value]<\/li> SRUN [srun_value]<\/li> TRUN [trun_value]<\/li> GMON [gmon_value]<\/li> GDOG [gdog_value]<\/li> KSTET [kstet_value]<\/li> GTER [gter_value]<\/li> HTER [hter_value]<\/li> LTER [lter_value]<\/li> KSTAN [lstan_value]<\/li> EXIT<\/li> <\/ul> 3.2 启动监控工具<\/h3> 在开始模糊测试前，需要启动两个关键监控工具：<\/p> 网络监控器<\/strong>：记录所有网络通信<\/p> python network_monitor.py -d 0 -f "src or dst port 9999" -P audits\vulnserver\ <\/code><\/pre> <\/li> 进程监控器<\/strong>：检测 Vulnserver 崩溃<\/p> python process_monitor.py -c audits\vulnserver.crashbin -p vulnserver.exe <\/code><\/pre> <\/li> <\/ol> 4. Vulnserver 模糊测试脚本详解<\/h2> 以下是完整的 vulnserver.py 模糊测试脚本：<\/p> #!\/usr\/bin\/python<\/span> <\/span><\/span>from<\/span> sulley import<\/span> *<\/span> <\/span><\/span>import<\/span> sys <\/span><\/span>import<\/span> time <\/span><\/span> <\/span><\/span># 接收服务器banner<\/span> <\/span><\/span>def<\/span> banner<\/span>(sock): <\/span><\/span> sock.<\/span>recv(1024<\/span>) <\/span><\/span> <\/span><\/span># 定义数据模型<\/span> <\/span><\/span>s_initialize("VulnserverDATA"<\/span>) <\/span><\/span>s_group("commands"<\/span>, values=<\/span>['HELP'<\/span>, 'STATS'<\/span>, 'RTIME'<\/span>, 'LTIME'<\/span>, 'SRUN'<\/span>, 'TRUN'<\/span>, 'GMON'<\/span>, 'GDOG'<\/span>, 'KSTET'<\/span>, 'GTER'<\/span>, 'HTER'<\/span>, 'LTER'<\/span>, 'KSTAN'<\/span>, 'EXIT'<\/span>]) <\/span><\/span>s_block_start("CommandBlock"<\/span>, group=<\/span>"commands"<\/span>) <\/span><\/span>s_delim(' '<\/span>) <\/span><\/span>s_string('fuzz'<\/span>) <\/span><\/span>s_static('<\/span>\r\n<\/span>'<\/span>) <\/span><\/span>s_block_end() <\/span><\/span> <\/span><\/span># 会话设置<\/span> <\/span><\/span>s =<\/span> sessions.<\/span>session(session_filename=<\/span>"audits\/vulnserver.session"<\/span>) <\/span><\/span> <\/span><\/span># 定义状态模型<\/span> <\/span><\/span>s.<\/span>connect(s_get("VulnserverDATA"<\/span>)) <\/span><\/span> <\/span><\/span># 定义目标<\/span> <\/span><\/span>target =<\/span> sessions.<\/span>target("192.168.1.126"<\/span>, 9999<\/span>) <\/span><\/span>target.<\/span>netmon =<\/span> pedrpc.<\/span>client("192.168.1.126"<\/span>, 26001<\/span>) <\/span><\/span>target.<\/span>procmon =<\/span> pedrpc.<\/span>client("192.168.1.126"<\/span>, 26002<\/span>) <\/span><\/span>target.<\/span>procmon_options =<\/span> { <\/span><\/span> "proc_name"<\/span> : "vulnserver.exe"<\/span>, <\/span><\/span> "stop_commands"<\/span> : ['wmic process where (name="vulnserver.exe") delete'<\/span>], <\/span><\/span> "start_commands"<\/span> : ['C:<\/span>\\<\/span>Users<\/span>\\<\/span>eleanor<\/span>\\<\/span>Desktop<\/span>\\<\/span>vulnserver<\/span>\\<\/span>vulnserver.exe'<\/span>], <\/span><\/span>} <\/span><\/span> <\/span><\/span># 设置banner接收<\/span> <\/span><\/span>s.<\/span>pre_send =<\/span> banner <\/span><\/span> <\/span><\/span># 开始模糊测试<\/span> <\/span><\/span>s.<\/span>add_target(target) <\/span><\/span>s.<\/span>fuzz() <\/span><\/span><\/code><\/pre>4.1 关键组件解析<\/h3> 数据模型<\/strong>：<\/p> s_initialize<\/code> 初始化数据组<\/li> s_group<\/code> 定义所有命令名称<\/li> s_block_start\/s_block_end<\/code> 定义命令体结构<\/li> s_delim<\/code> 指定分隔符（空格）<\/li> s_string<\/code> 指定要模糊测试的字符串参数<\/li> s_static<\/code> 指定固定内容（回车换行）<\/li> <\/ul> <\/li> 会话管理<\/strong>：<\/p> sessions.session<\/code> 创建会话，支持后续恢复<\/li> <\/ul> <\/li> 目标配置<\/strong>：<\/p> 指定目标IP和端口<\/li> 配置网络和进程监控器连接<\/li> 定义进程启动\/停止命令<\/li> <\/ul> <\/li> <\/ol> 5. 执行模糊测试<\/h2> 设置PYTHONPATH：<\/p> export PYTHONPATH="$PYTHONPATH:\/home\/user\/sulley\/ <\/code><\/pre> <\/li> 启动模糊测试：<\/p> python requests\/vulnserver.py <\/code><\/pre> <\/li> 监控进度：<\/p> 通过Web界面 http:\/\/127.0.0.1:26000<\/code> 查看进度<\/li> 界面显示测试完整性及导致崩溃的输入<\/li> <\/ul> <\/li> <\/ol> 6. 结果分析<\/h2> Sulley 成功发现了 Vulnserver 中的所有六个漏洞：<\/p> 命令<\/th> 崩溃次数<\/th> 示例崩溃输入<\/th> <\/tr> <\/thead> TRUN<\/td> 3x<\/td> -<\/td> <\/tr> GMON<\/td> 1x<\/td> -<\/td> <\/tr> KSTET<\/td> 4x<\/td> -<\/td> <\/tr> GTER<\/td> 2x<\/td> -<\/td> <\/tr> HTER<\/td> 1x<\/td> -<\/td> <\/tr> LTER<\/td> 1x<\/td> LTER \/.:\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n<\/code><\/td> <\/tr> <\/tbody> <\/table> 7. 关键点总结<\/h2> 数据模型设计<\/strong>：正确构建输入数据结构是模糊测试成功的关键<\/li> 监控配置<\/strong>：网络和进程监控器必须正确配置才能捕获崩溃<\/li> 会话管理<\/strong>：支持从崩溃点恢复测试<\/li> 目标管理<\/strong>：确保目标进程能在崩溃后自动重启<\/li> 结果分析<\/strong>：通过Web界面高效分析测试结果<\/li> <\/ol> 8. 结论<\/h2> Sulley 是一个强大的模糊测试框架，通过本教程的 Vulnserver 实战，我们学习了：<\/p> 如何构建有效的模糊测试数据模型<\/li> 配置和管理模糊测试会话<\/li> 监控和分析测试结果<\/li> 识别和验证软件漏洞<\/li> <\/ul> 这种方法可以扩展到其他网络服务和应用程序的测试中，是安全研究人员发现软件漏洞的有力工具。<\/p>

命令<\/th>	崩溃次数<\/th>	示例崩溃输入<\/th> <\/tr> <\/thead>
TRUN<\/td>	3x<\/td>	-<\/td> <\/tr>
GMON<\/td>	1x<\/td>	-<\/td> <\/tr>
KSTET<\/td>	4x<\/td>	-<\/td> <\/tr>
GTER<\/td>	2x<\/td>	-<\/td> <\/tr>
HTER<\/td>	1x<\/td>	-<\/td> <\/tr>
LTER<\/td>	1x<\/td>	LTER \/.:\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n<\/code><\/td> <\/tr> <\/tbody> <\/table> 7. 关键点总结<\/h2> 数据模型设计<\/strong>：正确构建输入数据结构是模糊测试成功的关键<\/li> 监控配置<\/strong>：网络和进程监控器必须正确配置才能捕获崩溃<\/li> 会话管理<\/strong>：支持从崩溃点恢复测试<\/li> 目标管理<\/strong>：确保目标进程能在崩溃后自动重启<\/li> 结果分析<\/strong>：通过Web界面高效分析测试结果<\/li> <\/ol> 8. 结论<\/h2> Sulley 是一个强大的模糊测试框架，通过本教程的 Vulnserver 实战，我们学习了：<\/p> 如何构建有效的模糊测试数据模型<\/li> 配置和管理模糊测试会话<\/li> 监控和分析测试结果<\/li> 识别和验证软件漏洞<\/li> <\/ul> 这种方法可以扩展到其他网络服务和应用程序的测试中，是安全研究人员发现软件漏洞的有力工具。<\/p>

Sulley Fuzzer 学习指南 - Vulnserver 实战篇<\/h1>

1. 前言<\/h2> Sulley 是一个功能强大的模糊测试框架，本教程将详细介绍如何使用 Sulley 对 Vulnserver 进行模糊测试。Vulnserver 是由 Stephen Bradshaw 编写的故意包含漏洞的服务器程序，专门用于学习模糊测试技术。<\/p>

3. 准备工作<\/h2>

1. 前言<\/h2>
Sulley 是一个功能强大的模糊测试框架，本教程将详细介绍如何使用 Sulley 对 Vulnserver 进行模糊测试。Vulnserver 是由 Stephen Bradshaw 编写的故意包含漏洞的服务器程序，专门用于学习模糊测试技术。<\/p>