
List:       spike
Subject:    Re: [Spike] Fuzzing Questions
From:       dave () immunitysec ! com
Date:       2003-06-20 20:23:03

Actually, if you aren't dissecting a protocol that uses "size" bytes then
you don't really need to use a block. Here I think a block would not
necessarily be appropriate. What you need here is just a simple
s_int_variable();

For example, in the PPTP fuzzer, I have:
//5 is big endian halfword
s_int_variable(0x0001,5);

A .spk can't contain keywords or anything like that, so the 5 is used to
specify the type. You can find the available types in /include/listener.h.

In your case you probably want to do:
//3 is one byte
s_int_variable(0x05,3);

This will make it cycle through all 255 options for that one byte, but
otherwise leave it as 0x05 while it's fuzzing something else.

-dave


> I'm fuzzing a hardware protocol, and have my TX / RX working between
> Spike and the hardware.
>
> My next step is to start the actual fuzzing process, but have a couple
> questions.
>
> The .spk file I currently use is a simple one-liner that looks something
> like this:
>
> 	s_binary( "0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09" );
>
> I only want to start fuzzing one of these bytes.
>
> Assuming the middle byte is the one I want to fuzz, my understanding is
> that I need to block out
> this byte, which you do by changing the .spk file to something like:
>
> 	s_binary( "0x01 0x02 0x03 0x04 " );
> 	s_binary_block_size_byte_variable( "0x05" );
> 	s_binary( "0x06 0x07 0x08 0x09" );
>
> Now, if this is correct, since I'm only fuzzing one "block" do I need to
> change my main code any
> which currently just has the call to parse the .spk file?
>
> i.e. I don't need to cycle through variables to fuzz, because there's
> only one,
> so will it fuzz this one just by parsing the .spk file?
>
> &
>
> In one of Dave's documents it mentions that Spike knows how to fuzz
> different variable types
> based on typical problems with that data type.
>
> With a single "byte_variable" how do I know what it will do?
>
> i.e. will it cycle through the complete .spk script for each value
> possible for that byte_variable, and what values will it place in there?
>
> Thanks.
>
>
> _______________________________________________
> Spike mailing list
> Spike@lists.immunitysec.com
> http://www.immunitysec.com/mailman/listinfo/spike
>

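As an added illustration, not SPIKE's own code and not from either poster, here is a small C model of the behaviour Dave describes: a script rendered as fixed bytes plus integer variables, where only the variable currently being fuzzed changes and every other variable keeps its default. The type codes 3 and 5 come from the thread; the struct, the function names and the halfword variable appended after the questioner's nine bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Type codes as quoted in the thread's s_int_variable(value, type) calls:
 * 3 = one byte, 5 = big-endian halfword. All other names here are assumed. */
enum { T_BYTE = 3, T_BE_HALFWORD = 5 };
/* One element of a .spk script: fixed bytes (s_binary) or an integer
 * variable (s_int_variable) carrying its default value and type code. */
struct part {
    int is_var;
    const uint8_t *bytes; size_t len;   /* used when !is_var */
    uint32_t defval; int type;          /* used when is_var */
};
static const uint8_t PREFIX[] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t SUFFIX[] = {0x06, 0x07, 0x08, 0x09};
/* Constructed template: the questioner's nine bytes with the middle byte as
 * a one-byte variable, then a halfword variable as in Dave's PPTP example. */
static const struct part SCRIPT[] = {
    {0, PREFIX, sizeof PREFIX, 0, 0},
    {1, NULL, 0, 0x05, T_BYTE},
    {0, SUFFIX, sizeof SUFFIX, 0, 0},
    {1, NULL, 0, 0x0001, T_BE_HALFWORD},
};
#define NPARTS (sizeof SCRIPT / sizeof SCRIPT[0])
uint8_t msg[64];   /* the rendered message */
/* Largest value a variable of the given type cycles through. */
uint32_t max_value(int type) { return type == T_BYTE ? 0xFFu : 0xFFFFu; }
/* Render one message into msg and return its length. Only the fuzz_idx-th
 * variable takes fuzz_value; every other variable keeps its default. */
size_t render(size_t fuzz_idx, uint32_t fuzz_value) {
    size_t n = 0, vidx = 0;
    for (size_t i = 0; i < NPARTS; i++) {
        const struct part *p = &SCRIPT[i];
        if (!p->is_var) { memcpy(msg + n, p->bytes, p->len); n += p->len; continue; }
        uint32_t v = (vidx++ == fuzz_idx) ? fuzz_value : p->defval;
        if (p->type == T_BE_HALFWORD) msg[n++] = (uint8_t)(v >> 8);  /* high byte first */
        msg[n++] = (uint8_t)(v & 0xFF);
    }
    return n;
}
/* Messages a full run sends: each variable in turn, every value of it once. */
unsigned long total_messages(void) {
    unsigned long total = 0;
    for (size_t i = 0; i < NPARTS; i++)
        if (SCRIPT[i].is_var) total += (unsigned long)max_value(SCRIPT[i].type) + 1;
    return total;
}
```

Rendering with fuzz_idx 0 walks the middle byte through every value while the halfword stays 0x0001; rendering with fuzz_idx 1 does the reverse and leaves the byte at 0x05.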