レベルを上げて物理で殴れ、Fuzzing入門 #pyfes (Level up and beat it with physical attacks: an introduction to fuzzing) by Tokoroten Nakayama
8. Types of fuzzing
• Dumb fuzzing
– Feeds genuinely random data as input
– Easy to build, poor efficiency
• Mutation fuzzing
– Takes valid data, mutates it, and feeds the result as input
– Fairly easy to build, moderate efficiency
• Smart fuzzing
– Generates data based on the protocol
– Very hard to build, extremely efficient
10. Research-level approaches
• GA fuzzing
– Measures code coverage while fuzzing
– Rates test inputs higher the more code coverage they reach
– Breeds test inputs with a genetic algorithm to produce new tests
– Can reach and attack code located deeper in the target
• I reimplemented it, but its performance was underwhelming
– It reaches deep code, but has trouble attacking boundary conditions
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4682289
11. Examples of fuzzing
• Firefox
– Fetched HTML from one million sites chosen from the Alexa ranking
– A subset is fed to the browser daily
– The full data set is fed on weekends
• Microsoft
– Attacks its own products with fuzzing
– Found 1,800 bugs in Office 2010
– Fuzzing also let Vista ship with fewer bugs than XP
– Runs internal fuzzing contests
12. What I built
• A fuzzer: give it a regular expression and it returns strings that the expression accepts
• Implementation
– Uses the sre_parse module that Python's re module uses internally
– sre_parse parses the regular expression and converts it into a tree structure
– Random-walk the regular expression's automaton and output acceptable strings
https://github.com/tokoroten/acceptableRegex
13. Using sre_parse
• Regular expression "(fuga{4,10})+"
• Structure after parsing with sre_parse
– [('max_repeat', (1, 65535, [('subpattern', (1, [('literal', 102), ('literal', 117), ('literal', 103), ('max_repeat', (4, 10, [('literal', 97)]))]))]))]
• After that it is just a matter of grinding through the random walk
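The random walk that slides 12 and 13 describe, written out as an added example (my code, not the acceptableRegex project's): it parses the pattern with sre_parse, walks literals, character classes, repeats, groups and alternations, and cross-checks every output against re.fullmatch. It assumes Python 3 (where sre_parse lives at re._parser from 3.11 on), caps unbounded repeats at a constructed REPEAT_CAP, and handles only the opcodes the page's patterns use (no \d/\w categories or negated classes).

```python
import random
import re
try:
    from re import _parser as sre_parse   # Python 3.11+ moved sre_parse here
except ImportError:
    import sre_parse

REPEAT_CAP = 6   # bound unbounded '+'/'*' so the walk always terminates
PRINTABLE = [chr(c) for c in range(0x20, 0x7f)]   # what '.' may produce here

def pick_from_class(items, rng):
    choices = []
    for op, av in items:
        if op.name == "LITERAL":
            choices.append(chr(av))
        elif op.name == "RANGE":
            choices.extend(chr(c) for c in range(av[0], av[1] + 1))
        else:
            raise NotImplementedError(op.name)   # \d, \w, negation not handled
    return rng.choice(choices)

def walk(tree, rng):
    # Random walk over an sre_parse tree, emitting one accepted string
    out = []
    for op, av in tree:
        if op.name == "LITERAL":
            out.append(chr(av))
        elif op.name == "ANY":
            out.append(rng.choice(PRINTABLE))
        elif op.name == "IN":
            out.append(pick_from_class(av, rng))
        elif op.name in ("MAX_REPEAT", "MIN_REPEAT"):
            lo, hi, body = av                      # hi may be MAXREPEAT
            count = rng.randint(lo, min(hi, lo + REPEAT_CAP))
            out.extend(walk(body, rng) for _ in range(count))
        elif op.name == "SUBPATTERN":
            out.append(walk(av[-1], rng))          # group body is the last field
        elif op.name == "BRANCH":
            out.append(walk(rng.choice(av[1]), rng))
        elif op.name != "AT":                      # ^ and $ consume nothing
            raise NotImplementedError(op.name)
    return "".join(out)

def generate(pattern, n=5, seed=0):
    rng = random.Random(seed)
    return [walk(sre_parse.parse(pattern), rng) for _ in range(n)]

def all_accepted(pattern, n=50, seed=0):
    # Cross-check against re itself: every generated string must fullmatch
    return all(re.fullmatch(pattern, s) for s in generate(pattern, n, seed))
```

Calling generate("(fuga{4,10})+") yields strings such as repeated "fuga…" runs, each verified by all_accepted to be accepted by the pattern.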
14. Experiment
• URL regular expression
– http://(?:(?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]).)*(?:[a-zA-Z]|[a-zA-Z][-a-zA-Z0-9]*[a-zA-Z0-9]).?|[0-9]+.[0-9]+.[0-9]+.[0-9]+)(?::[0-9]*)?(?:/(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*(?:;(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)*(?:/(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*(?:;(?:[-_.!~*'()a-zA-Z0-9:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)*)*(?:?(?:[-_.!~*'()a-zA-Z0-9;/?:@&=+$,]|%[0-9A-Fa-f][0-9A-Fa-f])*)?)?
http://www.din.or.jp/~ohzaki/perl.htm
15. Parse result from sre_parse
16. Output
Utterly evil!
17. Let's try attacking something
Fed 100,000 of these URLs to TeraPad and Skype: no problems
A sloppy URL parser could well crash on them
21. References
• Books
– Beautiful Testing
– Fuzzing: Brute Force Vulnerability Discovery
– Reverse Engineering: Binary Analysis Techniques with Python
• Articles
– http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs
– http://www.hackingvoip.com/
– http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Endler.pdf
– http://msdn.microsoft.com/en-us/library/cc162782.aspx
– http://news.mynavi.jp/articles/2007/11/17/bhj3/index.html
22. References
• Tools
– http://peachfuzzer.com/
– http://www.microsoft.com/download/en/details.aspx?id=21769
– http://www.microsoft.com/download/en/details.aspx?id=20095
– http://freecode.com/projects/zzuf?branch_id=68024&release_id=245074
– http://packetstormsecurity.org/fuzzer/
– http://www.computerdefense.org/2006/12/webfuzz-a-series-of-basically-useless-python-scripts/