Sulley Fuzzer 学习指南 - 第二部分：高级使用与实战<\/h1>

1. Sessions 会话管理<\/h2>

1.1 请求连接与图形化表示<\/h3>

Sulley 的核心优势之一是能够将多个请求(request)连接成协议图(protocol graph)，实现深度模糊测试：<\/p>

from<\/span> sulley import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 定义多个请求<\/span>
<\/span><\/span>s_initialize("helo"<\/span>)
<\/span><\/span>s_static("helo"<\/span>)
<\/span><\/span>
<\/span><\/span>s_initialize("ehlo"<\/span>) 
<\/span><\/span>s_static("ehlo"<\/span>)
<\/span><\/span>
<\/span><\/span>s_initialize("mail from"<\/span>)
<\/span><\/span>s_static("mail from"<\/span>)
<\/span><\/span>
<\/span><\/span>s_initialize("rcpt to"<\/span>)
<\/span><\/span>s_static("rcpt to"<\/span>)
<\/span><\/span>
<\/span><\/span>s_initialize("data"<\/span>)
<\/span><\/span>s_static("data"<\/span>)
<\/span><\/span>
<\/span><\/span># 创建会话并连接请求<\/span>
<\/span><\/span>sess =<\/span> sessions.<\/span>session()
<\/span><\/span>sess.<\/span>connect(s_get("helo"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("ehlo"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("helo"<\/span>), s_get("mail from"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("ehlo"<\/span>), s_get("mail from"<\/span>)) 
<\/span><\/span>sess.<\/span>connect(s_get("mail from"<\/span>), s_get("rcpt to"<\/span>))
<\/span><\/span>sess.<\/span>connect(s_get("rcpt to"<\/span>), s_get("data"<\/span>))
<\/span><\/span>
<\/span><\/span># 生成图形化表示<\/span>
<\/span><\/span>fh =<\/span> open("session_test.udg"<\/span>, "w+"<\/span>)
<\/span><\/span>fh.<\/span>write(sess.<\/span>render_graph_udraw())
<\/span><\/span>fh.<\/span>close()
<\/span><\/span><\/code><\/pre>1.2 会话执行流程<\/h3>
Sulley 从根节点开始遍历图结构：<\/p>

从"helo"请求开始模糊测试<\/li>
完成后，开始模糊测试"mail from"请求，每个测试用例前加上有效的"helo"请求<\/li>
接着模糊测试"rcpt to"请求，前面加上有效的"helo"和"mail from"请求<\/li>
最后处理"data"请求<\/li>
完成后转回从"ehlo"开始<\/li>
<\/ol>
1.3 会话配置参数<\/h3>
实例化 session 时可配置的参数：<\/p>



参数<\/th>
类型<\/th>
默认值<\/th>
描述<\/th>
<\/tr>
<\/thead>


session_filename<\/td>
string<\/td>
None<\/td>
持久化数据的文件名<\/td>
<\/tr>

skip<\/td>
integer<\/td>
0<\/td>
要跳过的测试用例数<\/td>
<\/tr>

sleep_time<\/td>
float<\/td>
1.0<\/td>
测试用例间的休眠时间(秒)<\/td>
<\/tr>

log_level<\/td>
integer<\/td>
2<\/td>
日志级别(数字越大日志越多)<\/td>
<\/tr>

proto<\/td>
string<\/td>
"tcp"<\/td>
通信协议<\/td>
<\/tr>

timeout<\/td>
float<\/td>
5.0<\/td>
send()\/recv()超时时间(秒)<\/td>
<\/tr>

restart_interval<\/td>
integer<\/td>
0<\/td>
每N个测试用例后重启目标(0表示禁用)<\/td>
<\/tr>

crash_threshold<\/td>
integer<\/td>
3<\/td>
节点耗尽前允许的最大崩溃次数<\/td>
<\/tr>
<\/tbody>
<\/table>
1.4 边缘回调<\/h3>
可以在协议图的边缘注册回调函数，原型如下：<\/p>
def<\/span> callback<\/span>(node, edge, last_recv, sock):
<\/span><\/span>    # node: 要发送的节点<\/span>
<\/span><\/span>    # edge: 当前fuzz到node的最后一条路径<\/span>
<\/span><\/span>    # last_recv: 最后一次socket传输返回的数据<\/span>
<\/span><\/span>    # sock: 实时socket<\/span>
<\/span><\/span><\/code><\/pre>注册回调示例：<\/p>
sess.<\/span>connect(s_get("helo"<\/span>), s_get("mail from"<\/span>), callback=<\/span>my_callback)
<\/span><\/span><\/code><\/pre>2. Targets 和 Agents<\/h2>
2.1 目标配置<\/h3>
target =<\/span> sessions.<\/span>target("10.0.0.1"<\/span>, 5168<\/span>)
<\/span><\/span>target.<\/span>netmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26001<\/span>)  # 网络监控<\/span>
<\/span><\/span>target.<\/span>procmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26002<\/span>) # 进程监控<\/span>
<\/span><\/span>target.<\/span>vmcontrol =<\/span> pedrpc.<\/span>client("127.0.0.1"<\/span>, 26003<\/span>) # VMWare控制<\/span>
<\/span><\/span>
<\/span><\/span># 进程监控选项<\/span>
<\/span><\/span>target.<\/span>procmon_options =<\/span> {
<\/span><\/span>    "proc_name"<\/span>: "SpntSvc.exe"<\/span>,
<\/span><\/span>    "stop_commands"<\/span>: ['net stop "trend serverprotect"'<\/span>],
<\/span><\/span>    "start_commands"<\/span>: ['net start "trend serverprotect"'<\/span>],
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>sess.<\/span>add_target(target)
<\/span><\/span>sess.<\/span>fuzz()
<\/span><\/span><\/code><\/pre>2.2 网络监控代理 (network_monitor.py)<\/h3>
功能<\/strong>：<\/p>

监控网络通信并记录为PCAP文件<\/li>
硬编码绑定到TCP端口26001<\/li>
通过PedRPC协议与Sulley通信<\/li>
<\/ul>
命令行参数<\/strong>：<\/p>
USAGE: network_monitor.py
    <-d|--device DEVICE #>    设备号(见下方列表)
    [-f|--filter PCAP FILTER] BPF过滤字符串
    [-p|--log_path PATH]      PCAP日志目录
    [-l|--log_level LEVEL]    日志级别(默认1，数字越大越详细)
<\/code><\/pre>
2.3 进程监控代理 (process_monitor.py)<\/h3>
功能<\/strong>：<\/p>

检测fuzz过程中发生的故障<\/li>
硬编码绑定到TCP端口26002<\/li>
通过PedRPC协议与Sulley通信<\/li>
<\/ul>
命令行参数<\/strong>：<\/p>
USAGE: process_monitor.py
    <-c|--crash_bin FILENAME> 序列化crash bin类的文件名
    [-p|--proc_name NAME]     要查找和附加的进程名
    [-i|--ignore_pid PID]     搜索目标进程时忽略的PID
    [-l|--log_level LEVEL]    日志级别(默认1，数字越大越详细)
<\/code><\/pre>
2.4 VMWare控制代理 (vmcontrol.py)<\/h3>
功能<\/strong>：<\/p>

控制虚拟机操作(启动、停止、挂起、重置)<\/li>
管理快照(获取、删除、恢复)<\/li>
硬编码绑定到TCP端口26003<\/li>
<\/ul>
命令行参数<\/strong>：<\/p>
USAGE: vmcontrol.py
    <-x|--vmx FILENAME>       VMX文件路径
    <-r|--vmrun FILENAME>     vmrun.exe路径
    [-s|--snapshot NAME>      快照名称
    [-l|--log_level LEVEL]    日志级别(默认1，数字越大越详细)
<\/code><\/pre>
3. Web监控界面<\/h2>
Sulley Session类内置Web服务：<\/p>

硬编码绑定到端口26000<\/li>
调用fuzz()方法后自动启动<\/li>
功能：

显示fuzz进度<\/li>
暂停\/恢复fuzzer<\/li>
查看崩溃详情<\/li>
<\/ul>
<\/li>
<\/ul>
4. 事后分析工具<\/h2>
4.1 崩溃浏览工具 (crashbin_explorer.py)<\/h3>
USAGE: crashbin_explorer.py <xxx.crashbin>
    [-t|--test #]         转储特定测试用例的崩溃概要
    [-g|--graph name]     生成所有崩溃路径的图形，保存为'name'.udg
<\/code><\/pre>
示例输出：<\/p>
[3] ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused access violation
    1415, 1416, 1417,
[2] ntdll.dll:7c910e03 mov [edx],eax from thread 664 caused access violation
    3780, 9215,
[24] rendezvous.dll:4900c4f1 rep movsd from thread 664 caused access violation
    1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 3443, 3781, 3782, 3783, 3784, 3785, 3786, 3787,
[1] ntdll.dll:7c911639 mov cl,[eax+0x5] from thread 664 caused access violation
    3442,
<\/code><\/pre>
4.2 PCAP清理工具 (pcap_cleaner.py)<\/h3>
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>
<\/code><\/pre>
功能：删除不包含崩溃信息的PCAP文件<\/p>
5. 实战案例分析<\/h2>
5.1 Trillian Jabber协议解析器漏洞<\/h3>
漏洞分析<\/strong>：<\/p>


在plugins\rendezvous.dll中，处理接收消息的逻辑：<\/p>
4900C470 str_len:
4900C470     mov cl, [eax]     ; *eax = message+1
4900C472     inc eax
4900C473     test cl, cl
4900C475     jnz short str_len
4900C477     sub eax, edx
4900C479     add eax, 128      ; strlen(message+1) + 128
4900C47E     push eax
4900C47F     call _malloc
<\/code><\/pre>
<\/li>

计算消息长度并分配堆缓冲区(长度+128)<\/p>
<\/li>

通过expatxml.xmlComposeString()处理字符串，将&,>,<编码为&,>,<<\/p>
<\/li>

初始长度计算未考虑字符串扩展，导致后续内存操作可能触发内存损坏<\/p>
<\/li>
<\/ol>
崩溃表现<\/strong>：<\/p>

多个崩溃点实际上源于同一逻辑错误<\/li>
通过图形化分析可以快速识别问题根源<\/li>
<\/ul>
6. 最佳实践<\/h2>


协议图设计<\/strong>：<\/p>

充分理解协议状态转换<\/li>
覆盖所有可能的协议路径<\/li>
示例中"ehlo"路径暴露了"helo"路径未发现的漏洞<\/li>
<\/ul>
<\/li>

监控配置<\/strong>：<\/p>

同时使用网络和进程监控<\/li>
利用VM快照快速恢复测试环境<\/li>
<\/ul>
<\/li>

分析流程<\/strong>：<\/p>

首先使用crashbin_explorer分类崩溃<\/li>
对关键崩溃点进行详细分析<\/li>
使用图形化工具识别问题模式<\/li>
清理无关的PCAP文件节省存储空间<\/li>
<\/ul>
<\/li>

复杂漏洞识别<\/strong>：<\/p>

注意字符串扩展等边界条件<\/li>
跟踪内存分配与实际使用情况<\/li>
分析多个崩溃点间的关联性<\/li>
<\/ul>
<\/li>
<\/ol>

参数<\/th>	类型<\/th>	默认值<\/th>	描述<\/th> <\/tr> <\/thead>
session_filename<\/td>	string<\/td>	None<\/td>	持久化数据的文件名<\/td> <\/tr>
skip<\/td>	integer<\/td>	0<\/td>	要跳过的测试用例数<\/td> <\/tr>
sleep_time<\/td>	float<\/td>	1.0<\/td>	测试用例间的休眠时间(秒)<\/td> <\/tr>
log_level<\/td>	integer<\/td>	2<\/td>	日志级别(数字越大日志越多)<\/td> <\/tr>
proto<\/td>	string<\/td>	"tcp"<\/td>	通信协议<\/td> <\/tr>
timeout<\/td>	float<\/td>	5.0<\/td>	send()\/recv()超时时间(秒)<\/td> <\/tr>
restart_interval<\/td>	integer<\/td>	0<\/td>	每N个测试用例后重启目标(0表示禁用)<\/td> <\/tr>
crash_threshold<\/td>	integer<\/td>	3<\/td>	节点耗尽前允许的最大崩溃次数<\/td> <\/tr> <\/tbody> <\/table> 1.4 边缘回调<\/h3> 可以在协议图的边缘注册回调函数，原型如下：<\/p> def<\/span> callback<\/span>(node, edge, last_recv, sock): <\/span><\/span> # node: 要发送的节点<\/span> <\/span><\/span> # edge: 当前fuzz到node的最后一条路径<\/span> <\/span><\/span> # last_recv: 最后一次socket传输返回的数据<\/span> <\/span><\/span> # sock: 实时socket<\/span> <\/span><\/span><\/code><\/pre>注册回调示例：<\/p> sess.<\/span>connect(s_get("helo"<\/span>), s_get("mail from"<\/span>), callback=<\/span>my_callback) <\/span><\/span><\/code><\/pre>2. Targets 和 Agents<\/h2> 2.1 目标配置<\/h3> target =<\/span> sessions.<\/span>target("10.0.0.1"<\/span>, 5168<\/span>) <\/span><\/span>target.<\/span>netmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26001<\/span>) # 网络监控<\/span> <\/span><\/span>target.<\/span>procmon =<\/span> pedrpc.<\/span>client("10.0.0.1"<\/span>, 26002<\/span>) # 进程监控<\/span> <\/span><\/span>target.<\/span>vmcontrol =<\/span> pedrpc.<\/span>client("127.0.0.1"<\/span>, 26003<\/span>) # VMWare控制<\/span> <\/span><\/span> <\/span><\/span># 进程监控选项<\/span> <\/span><\/span>target.<\/span>procmon_options =<\/span> { <\/span><\/span> "proc_name"<\/span>: "SpntSvc.exe"<\/span>, <\/span><\/span> "stop_commands"<\/span>: ['net stop "trend serverprotect"'<\/span>], <\/span><\/span> "start_commands"<\/span>: ['net start "trend serverprotect"'<\/span>], <\/span><\/span>} <\/span><\/span> <\/span><\/span>sess.<\/span>add_target(target) <\/span><\/span>sess.<\/span>fuzz() <\/span><\/span><\/code><\/pre>2.2 网络监控代理 (network_monitor.py)<\/h3> 功能<\/strong>：<\/p> 监控网络通信并记录为PCAP文件<\/li> 硬编码绑定到TCP端口26001<\/li> 通过PedRPC协议与Sulley通信<\/li> <\/ul> 命令行参数<\/strong>：<\/p> USAGE: network_monitor.py <-d\|--device DEVICE #> 设备号(见下方列表) [-f\|--filter PCAP FILTER] BPF过滤字符串 [-p\|--log_path PATH] PCAP日志目录 [-l\|--log_level LEVEL] 日志级别(默认1，数字越大越详细) <\/code><\/pre> 2.3 进程监控代理 (process_monitor.py)<\/h3> 功能<\/strong>：<\/p> 检测fuzz过程中发生的故障<\/li> 硬编码绑定到TCP端口26002<\/li> 通过PedRPC协议与Sulley通信<\/li> <\/ul> 命令行参数<\/strong>：<\/p> USAGE: process_monitor.py <-c\|--crash_bin FILENAME> 序列化crash bin类的文件名 [-p\|--proc_name NAME] 要查找和附加的进程名 [-i\|--ignore_pid PID] 搜索目标进程时忽略的PID [-l\|--log_level LEVEL] 日志级别(默认1，数字越大越详细) <\/code><\/pre> 2.4 VMWare控制代理 (vmcontrol.py)<\/h3> 功能<\/strong>：<\/p> 控制虚拟机操作(启动、停止、挂起、重置)<\/li> 管理快照(获取、删除、恢复)<\/li> 硬编码绑定到TCP端口26003<\/li> <\/ul> 命令行参数<\/strong>：<\/p> USAGE: vmcontrol.py <-x\|--vmx FILENAME> VMX文件路径 <-r\|--vmrun FILENAME> vmrun.exe路径 [-s\|--snapshot NAME> 快照名称 [-l\|--log_level LEVEL] 日志级别(默认1，数字越大越详细) <\/code><\/pre> 3. Web监控界面<\/h2> Sulley Session类内置Web服务：<\/p> 硬编码绑定到端口26000<\/li> 调用fuzz()方法后自动启动<\/li> 功能：显示fuzz进度<\/li> 暂停\/恢复fuzzer<\/li> 查看崩溃详情<\/li> <\/ul> <\/li> <\/ul> 4. 事后分析工具<\/h2> 4.1 崩溃浏览工具 (crashbin_explorer.py)<\/h3> USAGE: crashbin_explorer.py <xxx.crashbin> [-t\|--test #] 转储特定测试用例的崩溃概要 [-g\|--graph name] 生成所有崩溃路径的图形，保存为'name'.udg <\/code><\/pre> 示例输出：<\/p> [3] ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused access violation 1415, 1416, 1417, [2] ntdll.dll:7c910e03 mov [edx],eax from thread 664 caused access violation 3780, 9215, [24] rendezvous.dll:4900c4f1 rep movsd from thread 664 caused access violation 1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 3443, 3781, 3782, 3783, 3784, 3785, 3786, 3787, [1] ntdll.dll:7c911639 mov cl,[eax+0x5] from thread 664 caused access violation 3442, <\/code><\/pre> 4.2 PCAP清理工具 (pcap_cleaner.py)<\/h3> USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps> <\/code><\/pre> 功能：删除不包含崩溃信息的PCAP文件<\/p> 5. 实战案例分析<\/h2> 5.1 Trillian Jabber协议解析器漏洞<\/h3> 漏洞分析<\/strong>：<\/p> 在plugins\rendezvous.dll中，处理接收消息的逻辑：<\/p> 4900C470 str_len: 4900C470 mov cl, [eax] ; *eax = message+1 4900C472 inc eax 4900C473 test cl, cl 4900C475 jnz short str_len 4900C477 sub eax, edx 4900C479 add eax, 128 ; strlen(message+1) + 128 4900C47E push eax 4900C47F call _malloc <\/code><\/pre> <\/li> 计算消息长度并分配堆缓冲区(长度+128)<\/p> <\/li> 通过expatxml.xmlComposeString()处理字符串，将&,>,<编码为&,>,<<\/p> <\/li> 初始长度计算未考虑字符串扩展，导致后续内存操作可能触发内存损坏<\/p> <\/li> <\/ol> 崩溃表现<\/strong>：<\/p> 多个崩溃点实际上源于同一逻辑错误<\/li> 通过图形化分析可以快速识别问题根源<\/li> <\/ul> 6. 最佳实践<\/h2> 协议图设计<\/strong>：<\/p> 充分理解协议状态转换<\/li> 覆盖所有可能的协议路径<\/li> 示例中"ehlo"路径暴露了"helo"路径未发现的漏洞<\/li> <\/ul> <\/li> 监控配置<\/strong>：<\/p> 同时使用网络和进程监控<\/li> 利用VM快照快速恢复测试环境<\/li> <\/ul> <\/li> 分析流程<\/strong>：<\/p> 首先使用crashbin_explorer分类崩溃<\/li> 对关键崩溃点进行详细分析<\/li> 使用图形化工具识别问题模式<\/li> 清理无关的PCAP文件节省存储空间<\/li> <\/ul> <\/li> 复杂漏洞识别<\/strong>：<\/p> 注意字符串扩展等边界条件<\/li> 跟踪内存分配与实际使用情况<\/li> 分析多个崩溃点间的关联性<\/li> <\/ul> <\/li> <\/ol>