leancloud

source/_posts/DIR-802-OS-Command-Injection.md

@@ -13,6 +13,7 @@ description: 提交个漏洞
 > by Cool
 #### 漏洞已提交厂商
 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29379
 #### 漏洞类型
 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
 

source/_posts/aflnw-blackbox.md

@@ -0,0 +1,71 @@
+---
+title: 利用AFL黑盒测试网络协议
+date: 2021-05-20 19:26:35
+tags:
+- 模糊测试
+categories:
+- IOT
+description: 做对比实验用的小工具，在拿不到固件的情况下，可以用AFL的变异策略尝试fuzz
+---
+源码：https://github.com/Cool-Y/aflnw_blackbox
+
+AFL是基于变异的模糊测试方法的代表工作，其主要应用于非结构化数据处理程序的漏洞挖掘中。但使用AFL具有比较多的限制：
+
+1. 本地运行被测程序，从而获取覆盖率等反馈信息
+2. 被测程序从基本输入输出获取数据
+
+因此无法直接使用AFL对远程服务进行黑盒测试
+
+## 现有工作
+
+目前针对限制2已经有一些解决方案：
+
+1. hook socket调用：利用 `preeny`库辅助；AFLplusplus
+    1. https://www.cnblogs.com/hac425/p/9416917.html
+    2. https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/socket_fuzzing
+2. 修改AFL传递数据的方式：AFLNet: A Greybox Fuzzer for Network Protocols，aflnet在AFL的基础上，将标准输入修改为网络发包的方式
+    1. https://github.com/aflnet/aflnet
+    2. https://www.comp.nus.edu.sg/~abhik/pdf/AFLNet-ICST20.pdf
+3. 修改网络程序接收数据的方式：bind9的代码中专门提供了用于Fuzz的部分。
+    1. https://github.com/isc-projects/bind9/tree/main/fuzz
+4. 利用AFL Persistent Mode
+    1. https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop
+    2. https://sensepost.com/blog/2017/fuzzing-apache-httpd-server-with-american-fuzzy-lop-%2B-persistent-mode/
+5. 利用辅助程序转发AFL的输入
+    1. https://github.com/LyleMi/aflnw/blob/main/README.zh-cn.md
+
+
+但是如果无法将程序放在本地运行，比如物联网设备在拿不到固件的情况下，如何利用AFL的变异方式进行模糊测试。
+
+## 黑盒方案
+
+在aflnw的基础上，对辅助程序的工作方式进行了修改，从而实现在不对AFL和被测程序进行修改的条件下，使用一个辅助程序接收AFL从标准输入传递进来的数据，然后通过网络转发给UPnP服务，辅助程序会间隔性地与UPnP端口建立TCP连接，从而判断测试用例是否导致程序崩溃。
+![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1621510535/ufuzzer/image_33.png)
+## 如何安装
+```
+git clone https://github.com/LyleMi/aflnw.gitcd aflnw
+export CC=/path/to/afl/afl-clang-fast
+mkdir build && cd build && cmake .. && make
+```
+
+
+
+## 如何使用
+
+1. 使用wireshark采集种子输入（Follow→TCP Stream，保存为raw文件）
+![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1621510534/ufuzzer/image_35.png)
+2. 确定通信协议（udp/tcp）、服务端监控地址、服务端监控端口、socket本地绑定地址
+3. fuzz，以UPnP协议为例
+```
+afl-fuzz -t 1000+ -i ./soap_input/ -o ./soap_out/ -- ./build/aflnw -a 192.168.2.2 -p 5000 -m tcp
+afl-fuzz -t 2000+ -i ./ssdp_input/ -o ./ssdp_out/ -- ./build/aflnw -a 239.255.255.250 -p 1900 -m udp
+```
+![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1621510535/ufuzzer/image_34.png)
+4. 崩溃重放
+```
+./build/aflnw -a 239.255.255.250 -p 1900 -m udp < soap_out/crashes/id:00000....
+./build/aflnw -a 192.168.2.2 -p 5000 -m tcp < ssdp_out/crashes/id:000000.....
+```
+
+## 问题
+效率很低

source/about/index.md

@@ -7,12 +7,12 @@ comments: false
 
 ------
 ## TL;DR
-- 🔭 I’m currently focus on IoT security and Android security.
-- 🌱 I’m currently learning VM escape.
+- 🔭 Focus on IoT security and Android security.
+- 🌱 Learning VM escape.
 - 📝 My blog: https://cool-y.github.io/
 - 🏫 Bachelor: Sichuan university; Master: Wuhan university
 - 📫 Hit me up: cool.yim@foxmail.com
-- ⚡ Fun fact: ‘Fun Facts’ Are Never Fun
+- ⚡ Fun fact: 'Fun Facts' Are Never Fun
 - 💬 Ask me about ...
 
 ------
@@ -23,7 +23,7 @@ comments: false
 ### **Android Data-Clone Attack via Operating System Customization**
 **IEEE Access**, Song, Wenna, Ming Jiang, Han Yan, Yi Xiang, Yuan Chen, Yuan Luo, Kun He, and Guojun Peng.
 
-### **App’s Auto-Login Function Security Testing via Android OS-Level Virtualization**
+### **App's Auto-Login Function Security Testing via Android OS-Level Virtualization**
 **ICSE'21**, Song, Wenna, Jiang Ming, Lin Jiang, Han Yan, Yi Xiang, Yuan Chen, Jianming Fu, and Guojun Peng.
 
 -------
@@ -36,4 +36,4 @@ comments: false
 - PSV-2019-0164
 - CVE-2019-15843
 - PSV-2020-0211(extended)
-- CVE-2020-15893(extended)
+- CVE-2021-29379

themes/next/_config.yml

@@ -145,7 +145,7 @@ social:
   #YouTube: https://youtube.com/yourname || youtube
   Instagram: https://www.instagram.com/yan__han/ || instagram
   #Skype: skype:yourname?call|chat || skype
-  RSS: /atom.xml || fas fa-rss
+  # RSS: /atom.xml || fas fa-rss
 
 social_icons:
   enable: true
@@ -549,8 +549,8 @@ rating:
 # You can visit https://leancloud.cn get AppID and AppKey.
 leancloud_visitors:
   enable: true
-  app_id: EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz
-  app_key: x8FxDrYG79C8YFrTww9ljo8K
+  app_id: CnxMogaLcXQrm9Q03lF8XH7j-gzGzoHsz
+  app_key: EHqNuJ6AYvuHnY6bN6w2SMXl
 
 # Another tool to show number of visitors to each article.
 # visit https://console.firebase.google.com/u/0/ to get apiKey and projectId

themes/next/source/css/_variables/base.styl

@@ -62,8 +62,8 @@ get_font_family(config) {
 }
 
 // Font families.
-$font-family-chinese      = "PingFang SC", "Microsoft YaHei"
-
+//$font-family-chinese      = "PingFang SC", "Microsoft YaHei"
+$font-family-chinese = "Noto Serif SC";
 $font-family-base         = $font-family-chinese, sans-serif
 $font-family-base         = get_font_family('global'), $font-family-chinese, sans-serif if get_font_family('global')