Using Sulley Fuzzing Framework without monitoring

Question

I'm trying to fuzz a BACNet device using the Sulley Fuzzing Framework.

In order to get to know the framework I wrote this fairly simple example, but it won't work.

from sulley import *

s_initialize("Test")

s_static(0x10, "Something")
s_byte(0x00, "SomeByte")

sess = sessions.session(proto="UDP")

sess.connect(sulley.s_get("Test"))

target = sessions.target("192.168.1.3", 0xBAC0)

target.netmon    = None
target.procmon   = None
target.vmcontrol = None

sess.add_target(target)
sess.fuzz()

But executing it results in the following output

pydev debugger: starting (pid: 3356)
[2015-11-09 09:40:54,351] [INFO] -> current fuzz path:  -> Test
[2015-11-09 09:40:54,352] [INFO] -> fuzzed 0 of 112 total cases
[2015-11-09 09:40:54,354] [INFO] -> fuzzing 1 of 112
[2015-11-09 09:40:54,354] [INFO] -> xmitting: [1.1]
[2015-11-09 09:40:54,355] [CRITICAL] -> failed transmitting fuzz node
Exception caught: TypeError("cannot concatenate 'str' and 'int' objects",)
Restarting target and trying again
[2015-11-09 09:40:54,355] [ERROR] -> no vmcontrol or procmon channel available ... sleeping for 300 seconds

I think the problem might be, that I set netmon, procmon, vmcontrol to None, but just omitting them results in the same output. I am not creating those monitors because I can't use them for the device I want to fuzz later on anyway. I just want to send out packets and see what happens. So, is it impossible to use Sulley without those monitors or is there something else wrong with my code?

Answer 1

Okay, it turns out it is possible to fuzz without monitors. Sulley just doesn't seem to like integer values in the s_static() function. That's also what caused the error. It needs to be a string. Like s_static("00", "static")

Answer 2

You siad you can't use the monitors for the device you want to fuzz later on. But the network monitor should be able to run since it is run on the attacker machine where you run the fuzzing scripts.

As for the process monitor, I recommend you to use the external monitor/instrumentation which is in .../sully/sully/instrumentation.py. You can find documentation from : .../sully/docs/index.html

"Some kind of targets (embedded devices for example) don't support debugger, and the process monitor agent can't be used in these cases. The external instrumentation class allows external commands to be called to detect fault and restart the target . SSH is used in the following example, but any python function or external script can be used:"

import os

def ssh_is_alive():
    '''Check that the target is alive. Called after each test case. Return True if alive, False otherwise'''

    _, stdout = os.popen2('ssh %s pidof target' % IP_DST)
    pid = stdout.read()
    return pid != ''

def ssh_restart():
    '''Restart the target. Called when instrumentation (post) fail.'''

    os.popen2('ssh %s /etc/init.d/target restart' % IP_DST)

sess           = sessions.session()
target         = sessions.target(IP_DST, PORT_DST)
target.procmon = instrumentation.external(post=ssh_is_alive, start=ssh_restart)
sess.add_target(target)
sess.connect(s_get('node'))
sess.fuzz()