Sulley Fuzzer 框架全面学习指南<\/h1>

前言<\/h2>
Sulley是一个功能强大的模糊测试(Fuzzing)框架，由Pedram Amini和Aaron Portnoy开发。本指南将详细介绍Sulley框架的核心概念、架构和使用方法，帮助安全研究人员和开发人员有效利用该工具进行漏洞挖掘。<\/p>

框架概述<\/h2>

Sulley是一个可扩展的fuzzer框架，由多个组件组成，其特点包括：<\/p>

不仅专注于数据生成，还提供完整的模糊测试解决方案<\/li>
能够系统性地监控网络并保留记录<\/li>
检测和监控目标健康状况，支持多种恢复方法<\/li>
检测、跟踪和分类发现的故障<\/li>
支持并行fuzzing，显著提高测试速度<\/li>

自动确定测试用例触发的特定错误<\/li> <\/ul>

目录结构<\/h2>

Sulley采用精心设计的目录结构：<\/p>

archived_fuzzies\/      # 存储归档的fuzzers和生成的数据
audits\/                # 保存PCAP、崩溃数据、代码覆盖率等分析结果
docs\/                  # 文档和API参考
requests\/              # 请求库，按目标分类存储
sulley\/                # 核心框架代码
legos\/                 # 用户定义的复杂基元
pgraph\/                # Python图形抽象库
utils\/                 # 各种辅助程序
unit_tests\/            # 单元测试
<\/code><\/pre>
数据表示<\/h2>
基本原语<\/h3>


静态原语<\/strong>：<\/p>

s_static()<\/code>: 添加静态不可变值<\/li>
别名：s_raw()<\/code>, s_dunno()<\/code>, s_unknown()<\/code><\/li>
示例：s_static("pedram\x00was\x01here\x02")<\/code><\/li>
<\/ul>
<\/li>

二进制数据<\/strong>：<\/p>

s_binary()<\/code>: 处理多种格式的二进制数据<\/li>
示例：s_binary("0xde 0xad be ef \xca fe 00 01 02 0xba0xdd f0 0d")<\/code><\/li>
<\/ul>
<\/li>

随机数据<\/strong>：<\/p>

s_random()<\/code>: 生成不同长度的随机数据<\/li>
参数：min_length<\/code>, max_length<\/code>, num_mutations<\/code>, fuzzable<\/code>, name<\/code><\/li>
<\/ul>
<\/li>

分隔符<\/strong>：<\/p>

s_delim()<\/code>: 表示协议中的分隔符<\/li>
示例（HTML标签）：
s_delim("<"<\/span>)
<\/span><\/span>s_string("BODY"<\/span>)
<\/span><\/span>s_delim(" "<\/span>)
<\/span><\/span>s_string("bgcolor"<\/span>)
<\/span><\/span>s_delim("="<\/span>)
<\/span><\/span>s_delim("<\/span>\"<\/span>"<\/span>)
<\/span><\/span>s_string("black"<\/span>)
<\/span><\/span>s_delim("<\/span>\"<\/span>"<\/span>)
<\/span><\/span>s_delim(">"<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
模糊库扩展<\/h3>
可以通过外部文件扩展模糊库：<\/p>

.fuzz_strings<\/code>: 每行一个字符串值<\/li>
.fuzz_ints<\/code>: 每行一个整数值<\/li>
<\/ul>
块(Blocks)与组织结构<\/h2>
基本块操作<\/h3>

s_block_start()<\/code>: 定义并打开新块<\/li>
s_block_end()<\/code>: 关闭块<\/li>
块关闭后无法更新<\/li>
<\/ul>
块的高级功能<\/h3>


分组(Groups)<\/strong>：<\/p>

s_group()<\/code>: 定义一组值<\/li>
示例（HTTP方法）：
s_group("verbs"<\/span>, values=<\/span>["GET"<\/span>, "HEAD"<\/span>, "POST"<\/span>, "TRACE"<\/span>])
<\/span><\/span>if<\/span> s_block_start("body"<\/span>, group=<\/span>"verbs"<\/span>):
<\/span><\/span>    # 块内容<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

编码器(Encoders)<\/strong>：<\/p>

在传输前修改块内容<\/li>
示例（Trend Micro XOR编码）：
def<\/span> trend_xor_encode<\/span>(str):
<\/span><\/span>    # 编码实现<\/span>
<\/span><\/span>    return<\/span> encoded_data
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

依赖(Dependencies)<\/strong>：<\/p>

根据条件控制块的渲染<\/li>
参数：dep<\/code>, dep_value<\/code>, dep_values<\/code>, dep_compare<\/code><\/li>
示例：
s_short("opcode"<\/span>, full_range=<\/span>True<\/span>)
<\/span><\/span>if<\/span> s_block_start("auth"<\/span>, dep=<\/span>"opcode"<\/span>, dep_value=<\/span>10<\/span>):
<\/span><\/span>    # 认证序列<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
块辅助工具<\/h2>


大小计算器(Sizers)<\/strong>：<\/p>

s_size()<\/code>: 计算关联块的大小<\/li>
参数：length<\/code>, endian<\/code>, format<\/code>, inclusive<\/code>, signed<\/code>, math<\/code>, fuzzable<\/code>, name<\/code><\/li>
<\/ul>
<\/li>

校验和(Checksums)<\/strong>：<\/p>

s_checksum()<\/code>: 计算块的校验和<\/li>
支持的算法：crc32<\/code>, adler32<\/code>, md5<\/code>, sha1<\/code>或自定义函数<\/li>
<\/ul>
<\/li>

重复器(Repeaters)<\/strong>：<\/p>

s_repeat()<\/code>: 重复块多次<\/li>
参数：min_reps<\/code>, max_reps<\/code>, step<\/code>, fuzzable<\/code>, name<\/code><\/li>
示例：
s_repeat("table entry"<\/span>, min_reps=<\/span>100<\/span>, max_reps=<\/span>1000<\/span>, step=<\/span>50<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
Legos（预定义组件）<\/h2>
Legos是用户定义的复杂组件，如：<\/p>

ASN.1\/BER原语<\/li>
Microsoft RPC NDR原语<\/li>
电子邮件地址、主机名等协议原语<\/li>
XDR类型<\/li>
<\/ul>
示例（ASN.1\/BER字符串）：<\/p>
s_lego("ber_string"<\/span>, "anonymous"<\/span>)
<\/span><\/span><\/code><\/pre>自定义Lego示例<\/h3>


XML标签Lego<\/strong>：<\/p>
class<\/span> tag<\/span> (blocks.<\/span>block):
<\/span><\/span>    def<\/span> __init__ (self, name, request, value, options=<\/span>{}):
<\/span><\/span>        blocks.<\/span>block.<\/span>__init__(self, name, request, None<\/span>, None<\/span>, None<\/span>, None<\/span>)
<\/span><\/span>        self.<\/span>value =<\/span> value
<\/span><\/span>        self.<\/span>options =<\/span> options
<\/span><\/span>        if<\/span> not<\/span> self.<\/span>value:
<\/span><\/span>            raise<\/span> sex.<\/span>error("MISSING LEGO.tag DEFAULT VALUE"<\/span>)
<\/span><\/span>        self.<\/span>push(primitives.<\/span>delim("<"<\/span>))
<\/span><\/span>        self.<\/span>push(primitives.<\/span>string(self.<\/span>value))
<\/span><\/span>        self.<\/span>push(primitives.<\/span>delim(">"<\/span>))
<\/span><\/span><\/code><\/pre><\/li>

ASN.1\/BER整数Lego<\/strong>：<\/p>
class<\/span> integer<\/span> (blocks.<\/span>block):
<\/span><\/span>    def<\/span> __init__ (self, name, request, value, options=<\/span>{}):
<\/span><\/span>        blocks.<\/span>block.<\/span>__init__(self, name, request, None<\/span>, None<\/span>, None<\/span>, None<\/span>)
<\/span><\/span>        self.<\/span>value =<\/span> value
<\/span><\/span>        self.<\/span>options =<\/span> options
<\/span><\/span>        if<\/span> not<\/span> self.<\/span>value:
<\/span><\/span>            raise<\/span> sex.<\/span>error("MISSING LEGO.ber_integer DEFAULT VALUE"<\/span>)
<\/span><\/span>        self.<\/span>push(primitives.<\/span>dword(self.<\/span>value, endian=<\/span>">"<\/span>))
<\/span><\/span>
<\/span><\/span>    def<\/span> render<\/span> (self):
<\/span><\/span>        blocks.<\/span>block.<\/span>render(self)
<\/span><\/span>        self.<\/span>rendered =<\/span> "<\/span>\x02\x04<\/span>"<\/span> +<\/span> self.<\/span>rendered
<\/span><\/span>        return<\/span> self.<\/span>rendered
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
实际应用示例<\/h2>
HTTP请求模糊测试<\/h3>
from<\/span> sulley import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 初始化请求<\/span>
<\/span><\/span>s_initialize("HTTP BASIC"<\/span>)
<\/span><\/span>
<\/span><\/span># 定义HTTP方法组<\/span>
<\/span><\/span>s_group("verbs"<\/span>, values=<\/span>["GET"<\/span>, "HEAD"<\/span>, "POST"<\/span>, "TRACE"<\/span>])
<\/span><\/span>
<\/span><\/span># 定义主体块<\/span>
<\/span><\/span>if<\/span> s_block_start("body"<\/span>, group=<\/span>"verbs"<\/span>):
<\/span><\/span>    # 分解HTTP请求<\/span>
<\/span><\/span>    s_delim(" "<\/span>)
<\/span><\/span>    s_delim("\/"<\/span>)
<\/span><\/span>    s_string("index.html"<\/span>)
<\/span><\/span>    s_delim(" "<\/span>)
<\/span><\/span>    s_string("HTTP"<\/span>)
<\/span><\/span>    s_delim("\/"<\/span>)
<\/span><\/span>    s_string("1"<\/span>)
<\/span><\/span>    s_delim("."<\/span>)
<\/span><\/span>    s_string("1"<\/span>)
<\/span><\/span>    # 结束请求<\/span>
<\/span><\/span>    s_static("<\/span>\r\n\r\n<\/span>"<\/span>)
<\/span><\/span>s_block_end("body"<\/span>)
<\/span><\/span><\/code><\/pre>表条目模糊测试<\/h3>
# 表条目: [type][len][string][checksum]<\/span>
<\/span><\/span>if<\/span> s_block_start("table entry"<\/span>):
<\/span><\/span>    # 随机类型字段<\/span>
<\/span><\/span>    s_random("<\/span>\x00\x00<\/span>"<\/span>, 2<\/span>, 2<\/span>)
<\/span><\/span>    # 字符串长度字段<\/span>
<\/span><\/span>    s_size("string field"<\/span>, length=<\/span>2<\/span>)
<\/span><\/span>    # 字符串块<\/span>
<\/span><\/span>    if<\/span> s_block_start("string field"<\/span>):
<\/span><\/span>        s_string("C"<\/span> *<\/span> 10<\/span>)
<\/span><\/span>    s_block_end()
<\/span><\/span>    # 字符串校验和<\/span>
<\/span><\/span>    s_checksum("string field"<\/span>)
<\/span><\/span>s_block_end()
<\/span><\/span>
<\/span><\/span># 重复表条目<\/span>
<\/span><\/span>s_repeat("table entry"<\/span>, min_reps=<\/span>100<\/span>, max_reps=<\/span>1000<\/span>, step=<\/span>50<\/span>)
<\/span><\/span><\/code><\/pre>总结<\/h2>
Sulley框架提供了强大而灵活的模糊测试能力，通过：<\/p>

丰富的数据原语支持各种协议测试需求<\/li>
块和嵌套块结构实现复杂协议的表示<\/li>
分组、编码器和依赖关系增强测试灵活性<\/li>
块辅助工具简化常见协议模式实现<\/li>
Legos机制支持快速构建复杂协议组件<\/li>
<\/ol>
通过合理组合这些功能，安全研究人员可以构建针对各种协议和应用的强大模糊测试方案，有效发现潜在的安全漏洞。<\/p>

Sulley Fuzzer 框架全面学习指南<\/h1>

前言<\/h2> Sulley是一个功能强大的模糊测试(Fuzzing)框架，由Pedram Amini和Aaron Portnoy开发。本指南将详细介绍Sulley框架的核心概念、架构和使用方法，帮助安全研究人员和开发人员有效利用该工具进行漏洞挖掘。<\/p>

数据表示<\/h2>

块(Blocks)与组织结构<\/h2>

实际应用示例<\/h2>

前言<\/h2>
Sulley是一个功能强大的模糊测试(Fuzzing)框架，由Pedram Amini和Aaron Portnoy开发。本指南将详细介绍Sulley框架的核心概念、架构和使用方法，帮助安全研究人员和开发人员有效利用该工具进行漏洞挖掘。<\/p>