rspike: a ruby wrapper for the SPIKE fuzzing framework

Rspike will allow you to use the SPIKE fuzzing framework from your ruby
scripts. The SPIKE framework is an extremely powerful tool used to discover
vulnerabilities in applications.

what is a fuzzer?

According to Wikipedia,

"Fuzz testing, fuzzing, Robustness Testing or Negative Testing is a
software testing technique that provides random data ("fuzz") to the
inputs of a program. If the program fails (for example, by crashing, or
by failing built-in code assertions), the defects can be noted."

about SPIKE

SPIKE is a very complete fuzzing API. Its framework design makes it well suited
to testing any protocol, regardless of whether or not its structure is actually
known. Protocol definitions are stored in SPIKE files. This separation of the
fuzzing logic from the protocol definition makes it easy to re-use your fuzzing
code with many different protocols. You can visit the SPIKE web page
here.

tutorial

As a working example, I will show you how to fuzz a Dopewars server.

First, clone the rspike git repository:

  git clone git://github.com/dougsko/rspike.git

Change to the rspike directory and compile SPIKE and the rspike
extension. You should be able to do this with the included Rakefile.

  rake make
  sudo rake lib_install

If for whatever reason this doesn’t work for you, you can compile
the two pieces by hand. These are the manual compile instructions:

  cd ext/SPIKE/SPIKE/src/
  ./configure
  make
  sudo make install

If make doesn't finish, run export LD_LIBRARY_PATH=. and then run make again.

Now, cd back to the ext folder and run,

  ruby extconf.rb
  make

That should be it for manual compilation. Hopefully none of that is
needed and the Rakefile will do the trick.

Since rspike is just a thin wrapper around the SPIKE API, I re-wrote the
example script that comes with SPIKE, line_send_tcp.c, in Ruby just to
show how it works. It's almost the exact same program, but is much
easier to read and add on to. This script can be found under the bin
folder.

Now, we need some SPIKE files. Again, since rspike is just a thin
wrapper, it uses plain old SPIKE files, which means you can re-use ones
you already have. The Dopewars protocol is well documented and quite
simple. You can read about it
here.

This is a SPIKE file that fuzzes the name sent to the server during the
introduction sequence.

  s_string_variable("dougsko");
  s_string("^^");
  s_string("Ar");
  s_string("1111111");
  s_string("\n");
  s_string("^^");
  s_string("Ac");
  s_string_variable("dougsko");
  s_string("\n");

You can find this file at data/spike_files/dopewars/intro.spk.
Now, all that’s left is to start a Dopewars server and start fuzzing.
Once your server is running, use the line_send_tcp.rb script to do
the work. Let's say that the Dopewars server is running on IP
192.168.1.100 and port 7902. You would call
line_send_tcp.rb like this:

  ./bin/line_send_tcp.rb 192.168.1.100 7902 data/spike_files/dopewars/intro.spk 0 0

The two trailing arguments are SKIPVAR and SKIPSTR, the same as in SPIKE's
own line_send_tcp: the index of the variable and of the fuzz string to start
from. 0 0 means you do not want to skip any of the variables. If a run kills
the server partway through, restart the server and pass the variable and
string index it had reached to resume from there instead of starting over.

That’s all there is to it. There are several SPIKE files already made in the
data/spike_files/dopewars/ folder to try out (HINT: One of them is quite
interesting…). I have also written another script called,
file_maker.rb, that can create fuzzed files. All you have to do is
create a SPIKE file outlining the file format you want to fuzz and it will
create a whole mess of files for you to throw at your applications. There is an
example SPIKE file for .pls files under data/spike_files/pls.spk.
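To make the mechanics of both scripts concrete, here is an added example that is
not rspike's or SPIKE's own code: a plain-Ruby version of the loop behind
line_send_tcp.rb and file_maker.rb. It parses the s_string and
s_string_variable lines of a SPIKE file (intro.spk from above is embedded as
sample input), walks the cases in the order SPIKE does (every fuzz string for
variable 0, then variable 1, and so on, with SKIPVAR/SKIPSTR resuming an
interrupted run), and either sends each case over TCP or writes it to a file.
The fuzz-string list is a hand-picked handful constructed for the example, not
SPIKE's built-in list, and only those two SPIKE primitives are understood; the
script name and the result classification (:ok, :refused, :timeout) are this
example's own.

```ruby
# Added example, not rspike's or SPIKE's code: a plain-Ruby re-implementation
# of the line_send_tcp.rb / file_maker.rb loop over a SPIKE file. Only the
# s_string and s_string_variable primitives are understood; others are skipped.
require 'socket'
require 'timeout'
require 'fileutils'
require 'tmpdir'

# Constructed for this example: a small hand-picked fuzz-string list. SPIKE's
# own list is far longer (format strings, long runs, boundary integers, ...).
FUZZ_STRINGS = [
  "A" * 256, "A" * 4096,
  "%n%n%n%n%n%n%n%n", "%s%s%s%s%s%s%s%s",
  "\x00" * 64, "'\"<>&|;`$()",
].freeze

# intro.spk from the page, embedded so the example runs without the repo.
INTRO_SPK = <<~SPK
  s_string_variable("dougsko");
  s_string("^^");
  s_string("Ar");
  s_string("1111111");
  s_string("\\n");
  s_string("^^");
  s_string("Ac");
  s_string_variable("dougsko");
  s_string("\\n");
SPK

# Turn the backslash escapes used inside a .spk string literal into bytes.
def unescape(s)
  map = { "n" => "\n", "r" => "\r", "t" => "\t", "\\" => "\\", '"' => '"' }
  s.gsub(/\\(n|r|t|\\|")/) { map[$1] }
end

# Parse a SPIKE file into a list of [:fixed, bytes] / [:var, default] blocks.
def parse_spk(text)
  blocks = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("//")
    m = line.match(/\A(s_string_variable|s_string)\("((?:[^"\\]|\\.)*)"\);?\z/)
    next unless m
    blocks << [m[1] == "s_string_variable" ? :var : :fixed, unescape(m[2])]
  end
  blocks
end

# Render one test case: every variable keeps its default except variable
# number var_idx, which is replaced by fuzz.
def render(blocks, var_idx, fuzz)
  seen = -1
  blocks.map do |kind, str|
    next str if kind == :fixed
    seen += 1
    seen == var_idx ? fuzz : str
  end.join
end

# Walk cases in SPIKE's line_send_tcp order: every fuzz string for variable 0,
# then variable 1, ... skipvar/skipstr are SKIPVAR/SKIPSTR, the (re)start point.
def each_case(blocks, skipvar = 0, skipstr = 0)
  return enum_for(:each_case, blocks, skipvar, skipstr) unless block_given?
  nvars = blocks.count { |kind, _| kind == :var }
  (skipvar...nvars).each do |v|
    first = (v == skipvar) ? skipstr : 0
    (first...FUZZ_STRINGS.size).each do |s|
      yield v, s, render(blocks, v, FUZZ_STRINGS[s])
    end
  end
end

# line_send_tcp-style: deliver one case and classify the outcome. A :refused
# result usually means the *previous* case is the one that killed the server.
def send_case(host, port, payload, read_timeout = 2)
  sock = TCPSocket.new(host, port)
  sock.write(payload)
  Timeout.timeout(read_timeout) { sock.read(1) }
  :ok
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EPIPE
  :refused
rescue Timeout::Error
  :timeout
ensure
  sock&.close
end

# file_maker-style: write every case to out_dir as <var>_<str>.<ext>,
# returning the paths so they can be fed to a parser under a debugger.
def write_cases(blocks, out_dir, ext)
  FileUtils.mkdir_p(out_dir)
  each_case(blocks).map do |v, s, payload|
    path = File.join(out_dir, format("%02d_%02d.%s", v, s, ext))
    File.binwrite(path, payload)
    path
  end
end

# Usage: ruby fuzz_spk.rb HOST PORT FILE.spk SKIPVAR SKIPSTR
if $PROGRAM_NAME == __FILE__ && ARGV.size == 5
  host, port, spk, skipvar, skipstr = ARGV
  blocks = parse_spk(File.read(spk))
  each_case(blocks, skipvar.to_i, skipstr.to_i) do |v, s, payload|
    result = send_case(host, port.to_i, payload)
    puts "variable #{v} string #{s}: #{result}"
    break if result != :ok   # stop here so the offending case can be replayed
  end
end
```

Run it the same way as the page's script, for example `ruby fuzz_spk.rb
192.168.1.100 7902 data/spike_files/dopewars/intro.spk 0 0`, or call
write_cases(parse_spk(File.read("data/spike_files/pls.spk")), "out", "pls")
from irb to get a directory of fuzzed .pls files. Two practical points the
loop makes visible: the server usually dies on one case and is only noticed as
:refused on the next, so the interesting payload is the one before the reported
index, and a :timeout can be a hang rather than a crash, so watch the server
itself (under gdb, or at least its log) rather than trusting the client's view
alone.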

I hope that's enough to get you started. To get a more in-depth view of how to
use the SPIKE API, take a look at the source for the scripts under
bin/, but also don't forget the programs that come with SPIKE; rspike works
almost exactly the same way as they do.

download

You can check out the rspike git repository with this command:

  git clone git://github.com/dougsko/rspike.git

Enjoy!

© 2009 doug | generated by webgen | last modified at Fri May 29 03:22:28 -0400 2009