diff --git a/source/_posts/DIR-802-OS-Command-Injection.md b/source/_posts/DIR-802-OS-Command-Injection.md index dedaa468..bdc7f82e 100644 --- a/source/_posts/DIR-802-OS-Command-Injection.md +++ b/source/_posts/DIR-802-OS-Command-Injection.md @@ -13,6 +13,7 @@ description: 提交个漏洞 > by Cool #### 漏洞已提交厂商 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29379 #### 漏洞类型 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') diff --git a/source/_posts/aflnw-blackbox.md b/source/_posts/aflnw-blackbox.md new file mode 100644 index 00000000..d8dc0cea --- /dev/null +++ b/source/_posts/aflnw-blackbox.md 
@@ -0,0 +1,69 @@ +--- +title: 利用AFL黑盒测试网络协议 +date: 2021-05-20 19:26:35 +tags: +- 模糊测试 +categories: +- IOT +description: 做对比实验用的小工具,在拿不到固件的情况下,可以用AFL的变异策略尝试fuzz +--- +源码:https://github.com/Cool-Y/aflnw_blackbox + +AFL是基于变异的模糊测试方法的代表工作,其主要应用于非结构化数据处理程序的漏洞挖掘中。但使用AFL具有比较多的限制: + +1. 本地运行被测程序,从而获取覆盖率等反馈信息 +2. 被测程序从基本输入输出获取数据 + +因此无法直接使用AFL对远程服务进行黑盒测试 + +## 现有工作 + +目前针对限制2已经有一些解决方案: + +1. hook socket调用:利用 `preeny`库辅助;AFLplusplus + 1. https://www.cnblogs.com/hac425/p/9416917.html + 2. https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/socket_fuzzing +2. 修改AFL传递数据的方式:AFLNet: A Greybox Fuzzer for Network Protocols,aflnet在AFL的基础上,将标准输入修改为网络发包的方式 + 1. https://github.com/aflnet/aflnet + 2. https://www.comp.nus.edu.sg/~abhik/pdf/AFLNet-ICST20.pdf +3. 修改网络程序接收数据的方式:bind9的代码中专门提供了用于Fuzz的部分。 + 1. https://github.com/isc-projects/bind9/tree/main/fuzz +4. 利用AFL Persistent Mode + 1. https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop + 2. https://sensepost.com/blog/2017/fuzzing-apache-httpd-server-with-american-fuzzy-lop-%2B-persistent-mode/ +5. 利用辅助程序转发AFL的输入 + 1. https://github.com/LyleMi/aflnw/blob/main/README.zh-cn.md + + +但是如果无法将程序放在本地运行,比如物联网设备在拿不到固件的情况下,如何利用AFL的变异方式进行模糊测试。 + +## 黑盒方案 + +在aflnw的基础上,对辅助程序的工作方式进行了修改,从而实现在不对AFL和被测程序进行修改的条件下,使用一个辅助程序接收AFL从标准输入传递进来的数据,然后通过网络转发给UPnP服务,辅助程序会间隔性地与UPnP端口建立TCP连接,从而判断测试用例是否导致程序崩溃。 + +## 如何安装 +``` +git clone https://github.com/LyleMi/aflnw.gitcd aflnw +export CC=/path/to/afl/afl-clang-fast +mkdir build && cd build && cmake .. && make +``` + + + +## 如何使用 + +1. 使用wireshark采集种子输入(Follow→TCP Stream,保存为raw文件) +2. 确定通信协议(udp/tcp)、服务端监控地址、服务端监控端口、socket本地绑定地址 +3. fuzz,以UPnP协议为例 +``` +afl-fuzz -t 1000+ -i ./soap_input/ -o ./soap_out/ -- ./build/aflnw -a 192.168.2.2 -p 5000 -m tcp +afl-fuzz -t 2000+ -i ./ssdp_input/ -o ./ssdp_out/ -- ./build/aflnw -a 239.255.255.250 -p 1900 -m udp +``` +4. 崩溃重放 +``` +./build/aflnw -a 239.255.255.250 -p 1900 -m udp < soap_out/crashes/id:00000.... 
+./build/aflnw -a 192.168.2.2 -p 5000 -m tcp < ssdp_out/crashes/id:000000..... +``` + +## 问题 +效率很低 diff --git a/source/about/index.md b/source/about/index.md index d8d70437..a67a7894 100644 --- a/source/about/index.md +++ b/source/about/index.md @@ -7,12 +7,12 @@ comments: false ------ ## TL;DR -- 🔭 I’m currently focus on IoT security and Android security. -- 🌱 I’m currently learning VM escape. +- 🔭 Focus on IoT security and Android security. +- 🌱 Learning VM escape. - 📝 My blog: https://cool-y.github.io/ - 🏫 Bachelor: Sichuan university; Master: Wuhan university - 📫 Hit me up: cool.yim@foxmail.com -- ⚡ Fun fact: ‘Fun Facts’ Are Never Fun +- ⚡ Fun fact: 'Fun Facts' Are Never Fun - 💬 Ask me about ... ------ @@ -23,7 +23,7 @@ comments: false ### **Android Data-Clone Attack via Operating System Customization** **IEEE Access**, Song, Wenna, Ming Jiang, Han Yan, Yi Xiang, Yuan Chen, Yuan Luo, Kun He, and Guojun Peng. -### **App’s Auto-Login Function Security Testing via Android OS-Level Virtualization** +### **App's Auto-Login Function Security Testing via Android OS-Level Virtualization** **ICSE'21**, Song, Wenna, Jiang Ming, Lin Jiang, Han Yan, Yi Xiang, Yuan Chen, Jianming Fu, and Guojun Peng. ------- @@ -36,4 +36,4 @@ comments: false - PSV-2019-0164 - CVE-2019-15843 - PSV-2020-0211(extended) -- CVE-2020-15893(extended) +- CVE-2021-29379 diff --git a/themes/next/_config.yml b/themes/next/_config.yml index b828c10b..3bbaf78e 100644 --- a/themes/next/_config.yml +++ b/themes/next/_config.yml @@ -145,7 +145,7 @@ social: #YouTube: https://youtube.com/yourname || youtube Instagram: https://www.instagram.com/yan__han/ || instagram #Skype: skype:yourname?call|chat || skype - RSS: /atom.xml || fas fa-rss + # RSS: /atom.xml || fas fa-rss social_icons: enable: true diff --git a/themes/next/source/css/_variables/base.styl b/themes/next/source/css/_variables/base.styl index bc56ad0b..75cc2d42 100644 --- a/themes/next/source/css/_variables/base.styl 
+++ b/themes/next/source/css/_variables/base.styl @@ -62,8 +62,8 @@ get_font_family(config) { } // Font families. -$font-family-chinese = "PingFang SC", "Microsoft YaHei" - +//$font-family-chinese = "PingFang SC", "Microsoft YaHei" +$font-family-chinese = "Noto Serif SC"; $font-family-base = $font-family-chinese, sans-serif $font-family-base = get_font_family('global'), $font-family-chinese, sans-serif if get_font_family('global')
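Review bot: In `source/_posts/aflnw-blackbox.md`, the crash-replay commands under "崩溃重放" have their output directories swapped relative to the fuzzing commands above them: the fuzz step sends `./soap_input/` to `192.168.2.2:5000` over TCP and writes `./soap_out/`, and `./ssdp_input/` to `239.255.255.250:1900` over UDP and writes `./ssdp_out/`, but the replay step feeds `soap_out/crashes/...` to the UDP/1900 invocation and `ssdp_out/crashes/...` to the TCP/5000 one, so each replay would send a SOAP crash to the SSDP port and vice versa. Swap the two redirections (`-a 192.168.2.2 -p 5000 -m tcp < soap_out/crashes/...` and `-a 239.255.255.250 -p 1900 -m udp < ssdp_out/crashes/...`). Two further points in the same hunk: the install block runs `git clone https://github.com/LyleMi/aflnw.gitcd aflnw` on one line (missing a line break before `cd aflnw`) and clones the upstream `LyleMi/aflnw` rather than the modified `Cool-Y/aflnw_blackbox` repository the post introduces at the top, so a reader following the steps builds the unmodified helper; and since the helper is built with `afl-clang-fast` while the target runs on a remote device, the coverage map afl-fuzz sees describes only the forwarder, not the UPnP service, which is worth stating explicitly (dumb mode `-n` would be an equally honest choice) and goes some way to explaining the "效率很低" conclusion. The text also says the helper periodically opens a TCP connection to the UPnP port to detect a crash, but not how a failed connect is turned into a crash that afl-fuzz records for the current input; documenting that signal path (and its attribution limit, since the failing input may be an earlier one) would make the replay step meaningful.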
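Review bot: In the last hunk of `source/about/index.md`, the entry `CVE-2020-15893(extended)` is removed and `CVE-2021-29379` put in its place rather than appended; if the 2020 credit is still valid, add the new line below it instead of replacing it, since nothing in the commit explains dropping it.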
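Review bot: In `themes/next/source/css/_variables/base.styl`, the new line `$font-family-chinese = "Noto Serif SC";` ends with a semicolon while the neighbouring Stylus assignments (`$font-family-base = ...`) have none; drop it for consistency. Also, "Noto Serif SC" is a web font rather than a system font like the replaced "PingFang SC"/"Microsoft YaHei", so unless the theme's font configuration loads it, `$font-family-base = $font-family-chinese, sans-serif` will fall through to the generic `sans-serif` on most machines; either add the font load or keep the system fonts as fallbacks after "Noto Serif SC".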