Thursday, March 3, 2011

sickfuzz - HTTP fuzzer.

Before we get started let's start with some basic knowledge which you might or might not know:

# What is fuzzing?

So in short fuzzing is a technique used to discover coding errors in software, so it sends the specific port,app,etc. unexpected data. For example if we have a small application that asks us for a number between 1 and 10 and then divides our number to 2, what will happen if we enter "%Io&6...." ? (It's not the best example I know but I think you get the picture).

# How does this help us?

Well depending on how the application crashes we can have a number of vulnerabilities like buffer overflows, DoS, etc ...
NOTE: These definitions from above are not complete, if you want to get more details I suggest you try Google.

Before we begin some few answers to some questions that most of you will ask:

1. Why did I make a fuzzer, there are other fuzzers out there ?

Yes you are right there are a lot of other fuzzers out there, my fuzzer wasn't intended to be a public fuzzer. I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, maybe people will like it.

2. Why is my fuzzer more special than other fuzzers out there ?

The answer is simple, it's not! I didn't make it to be more special than other fuzzers out there, I just included some features that I needed and nothing more.

Ok now that we have covered these basic questions let's move on and see how it works and what features it has:

# What is sickfuzz?

sickfuzz is a wrapper around SPIKE written in python.

# How does it work?

It actually accepts CLI arguments and based on those it launches the SPIKE "generic_send_tcp", with custom made .spk files.

# What other features does it have?

- tshark (CLI version of wireshark support), once you start fuzzing tshark starts to capture http packets that go to your specified port for later analysis.

- checks to see if the app crashed or not, most apps usually if they receive a large number of requests, start denying them and most fuzzers see that as a crash and just stop, sickfuzz however when it encounters such a behaviour checks to see if the application did really crash or not, and if the application is still up it resumes the fuzzing process.

- It's really fast and has a lot of mutations (SPIKE rocks!)

# What do I need to run it?
- Wireshark (tshark + editcap)
- Python
- Web server victims

Also g0tmi1k made a cool video, demonstrating how to use it, check it out:

Download sickfuzz

Ok not at the end I want to thank all who helped me with the fuzzer:

g0tmi1k's blog post here.

1 comment:

  1. Hi, I had tried out this sickfuzz which is preinstalled in Backtrack but when I run the python script of sickfuzz.

    ./ --script 1 --ip --port 80 --iface eth0 --log /root/

    it will this error:

    Running as user "root" and group "root". This could be dangerous.
    Capturing on eth0
    tshark: The capture session could not be initiated (No such device exists).
    Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified. '

    Could anyone please help me with this issue thanks. ^.^