
BFF Fuzzer Installation & Configuration

While working on a Windows software zero-day hunting project, I want to keep notes on the fuzzer and other related information here.

Download link: https://resources.sei.cmu.edu/forms/bff-download.cfm

When you open the link, you will see a screen like the following.

Download BFF-2.8-setup.zip from there.

After extracting the archive you will find BFF-2.8-setup.exe; run this executable and click through the installer, and the BFF Fuzzer installation is done.

BFF configuration

After installation, the BFF folder looks like this.

Inside the configs folder there is a file named bff.yaml; this is the fuzzer configuration file.

The following is the content of bff.yaml.

##############################################################################
#
# This file specifies the options that BFF will use to fuzz
#   Comments are specified by the "#" character
#
##############################################################################
# FUZZ CAMPAIGN SETTINGS
#
# id: 
# used for identifying campaign, placement of results
#
# keep_heisenbugs:
# Keep crashing testcases detected by the Windows XP hook, but not when run
# via the debugger. This option is ignored on non-XP platforms.
#
# use_buttonclicker: 
# Spawn program to click buttons
##############################################################################
campaign:
    id: convert v5.5.7
    keep_heisenbugs: False
    use_buttonclicker: False
##############################################################################
# Fuzz target options:
#
# program:
# Path to fuzzing target executable
#
# cmdline_template:
# Used to specify the command-line invocation of the target
##############################################################################
target:
    program: C:\BFF\imagemagick\convert.exe
    cmdline_template: $PROGRAM $SEEDFILE NUL
    
    # With the default ImageMagick fuzz run, the above target options
    # will result in the following invocation of ImageMagick:
    # C:\BFF\imagemagick\convert.exe <SEEDFILE> NUL
    # This exercises ImageMagick's image decoding, while also outputting 
    # to the Windows NUL device, minimizing I/O.
    # When choosing a fuzzing target, modify the cmdline_template line to 
    # reflect how that target needs to be invoked.
    #
    # NOTE:
    # If your target application doesn't use any parameters after the
    # file name, you will probably just use:
    # cmdline_template: $PROGRAM $SEEDFILE
    #
    # NOTE: BFF uses python's shlex.split() method to parse the command
    # line template after substituting in the program and seedfile values.
    # For this reason, it is required that if any other items in the 
    # cmdline_template involve windows paths, you need either use
    # forward slashes or double quotes. For example:
    # cmdline_template: $PROGRAM -in $SEEDFILE -out c:/some/path/to/file
    # cmdline_template: $PROGRAM -in $SEEDFILE -out "c:\some path\to file"
    
##############################################################################
# Directories used by BFF (all relative to bff.py)
#
# seedfile_dir: 
# Location of seed files 
#
# working_dir:
# Temporary directory used by BFF. Use a ramdisk to reduce disk activity
#
# results_dir: 
# Location of fuzzing results
##############################################################################
directories:
    seedfile_dir: seedfiles\examples
    working_dir:  fuzzdir
    results_dir:  results
##############################################################################
# Runner options
#
# hideoutput:
# Hide stdout of target application
#
# runtimeout:
# Number of seconds to allow target application to execute
#
# watchcpu: 
# Kill target process when its CPU usage drops towards zero 
# (Auto, True, False)
#
##############################################################################
runner:
    hideoutput: False
    runtimeout: 5
    watchcpu: Auto
##############################################################################
# Debugger options
#
# debugheap:
# Use the debug heap for the target application
#
# max_handled_exceptions:
# Maximum number of times to continue exceptions
#
##############################################################################
debugger:
    debugheap: False
    max_handled_exceptions: 6
##############################################################################
# Fuzz run options
#
# first_iteration: 
# The iteration number to begin with. Defaults to zero if not present.
#
# seed_interval: 
# The number of iterations to perform before selecting a new seed file and
# mutation range. Default is 1 if not present.
#
# minimize: 
# True: Create a file that is minimally-different than the seed file, yet crashes
# with the same hash
# string: Create a file that is mostly 'x' (0x78) characters, yet crashes with
# the same hash
# False: Don't minimize
#
# minimizer_timeout:
# The maximum amount of time that BFF will spend on a minimization run before
# giving up
#
# keep_unique_faddr: 
# Consider the Exception Faulting Address value as part of the crash hash
#
# keep_duplicates:
# Keep all duplicate crashing cases
#
# recycle_crashers:
# Recycle uniquely-crashing testcases into the pool of available seed files
# to fuzz
##############################################################################
runoptions:
    first_iteration: 0
    seed_interval: 5
    minimize: True
    minimizer_timeout: 3600
    keep_unique_faddr: False
    keep_duplicates: False
    recycle_crashers: False
##############################################################################
# FUZZER OPTIONS
#
# ** Note that only one fuzzer can be selected per campaign **
#
# bytemut: 
# replace bytes with random values
#
# swap: 
# swap adjacent bytes
#
# wave: 
# cycle through every possible single-byte value, sequentially
#
# drop: 
# removes one byte from the file for each position in the file
#
# insert: 
# inserts a random byte for each position in the file
#
# truncate:
# truncates bytes from the end of the file
#
# crmut: 
# replace carriage return bytes with random values
#
# crlfmut:
# replace carriage return and linefeed bytes with random values
#
# nullmut:
# replace null bytes with random values
#
# verify:
# do not mutate file. Used for verifying crashing testcases
#
# OPTIONS APPLIED TO THE ABOVE MUTATORS:
#
# fuzz_zip_container: 
# rather than fuzzing zip file contents, fuzz the zip container itself
# 
##############################################################################
fuzzer:
    fuzzer: bytemut
    # fuzzer: swap
    # fuzzer: wave
    # fuzzer: drop
    # fuzzer: insert
    # fuzzer: truncate
    # fuzzer: crmut
    # fuzzer: crlfmut
    # fuzzer: nullmut
    # fuzzer: verify
    fuzz_zip_container: False

Of these, the few settings that matter for actually running the fuzzer are:

campaign:
    id: convert v5.5.7 # name of the project folder that will be created under the results folder
    
    
target:
    program: C:\BFF\imagemagick\convert.exe # path of the program to fuzz
    cmdline_template: $PROGRAM $SEEDFILE NUL # used to invoke the program

If you are unsure how to set cmdline_template, just try the invocation yourself from the command line as follows.

When I pass the arguments as in the default setting, only a folder listing appears instead of the image, as shown below.

But if I delete NUL and try again,

the image is displayed normally.

As this shows, even a single NUL changes how the program runs, so set it with care.

In my case, for example, when I ran the fuzzer with NUL in place as at first, no crash ever occurred no matter how long it ran... (from experience). So be sure to run the target directly from cmd first.
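To see what the shlex.split() note in bff.yaml means in practice, here is an added Python model of the template expansion. It is not BFF's own code: it assumes BFF double-quotes the $PROGRAM and $SEEDFILE values before splitting, and the seed path C:\BFF\fuzzdir\seed.jpg is constructed.

```python
"""Model of how BFF expands cmdline_template, following the NOTE in bff.yaml.

Added illustration, not BFF's own code.  Assumption: BFF wraps the $PROGRAM
and $SEEDFILE values in double quotes before shlex.split(), so only the other
items typed into the template are exposed to shlex's backslash handling.
"""
import shlex
from string import Template


def expand_cmdline(template: str, program: str, seedfile: str) -> list:
    """Substitute the placeholders, then split as shlex.split() does (POSIX mode)."""
    line = Template(template).safe_substitute(
        PROGRAM='"%s"' % program, SEEDFILE='"%s"' % seedfile)
    # POSIX mode: an unquoted backslash escapes the next character, so
    # c:\some\path becomes c:somepath; inside double quotes it is preserved.
    return shlex.split(line)


def unquoted_backslash_tokens(template: str) -> list:
    """Pre-flight check: template items that shlex.split() would mangle.

    Tokenise without POSIX escaping so quotes and backslashes survive, then
    flag any non-placeholder token with a backslash outside double quotes.
    """
    bad = []
    for tok in shlex.split(template, posix=False):
        if tok.startswith("$"):
            continue                    # placeholders are quoted on substitution
        quoted = len(tok) >= 2 and tok[0] == tok[-1] == '"'
        if "\\" in tok and not quoted:
            bad.append(tok)
    return bad


if __name__ == "__main__":
    prog = r"C:\BFF\imagemagick\convert.exe"      # program path from bff.yaml
    seed = r"C:\BFF\fuzzdir\seed.jpg"             # constructed seed path
    for tpl in ("$PROGRAM $SEEDFILE NUL",
                r"$PROGRAM -in $SEEDFILE -out c:\some\path\to\file",
                "$PROGRAM -in $SEEDFILE -out c:/some/path/to/file",
                r'$PROGRAM -in $SEEDFILE -out "c:\some path\to file"'):
        print(tpl)
        print("   ->", expand_cmdline(tpl, prog, seed))
        print("   fix:", unquoted_backslash_tokens(tpl) or "nothing")
```

Run it before starting a campaign: any token reported by unquoted_backslash_tokens() should be rewritten with forward slashes or wrapped in double quotes, exactly as the config comment advises.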

directories:
    seedfile_dir: seedfiles\examples # location of the seed files
    working_dir:  fuzzdir            # temporary directory used by BFF
    results_dir:  results            # location of the results
    
fuzzer:
    fuzzer: bytemut    # replace bytes with random values
    # fuzzer: swap     swap adjacent bytes
    # fuzzer: wave     cycle through every possible single-byte value, sequentially
    # fuzzer: drop     remove one byte for each position in the file
    # fuzzer: insert   insert one random byte for each position in the file
    # fuzzer: truncate  remove bytes from the end of the file
    # fuzzer: crmut   replace carriage return bytes with random values
    # fuzzer: crlfmut  replace carriage return and line feed bytes with random values
    # fuzzer: nullmut  replace NULL bytes with random values
    # fuzzer: verify  for verifying crashing test cases
    fuzz_zip_container: False  # fuzz the zip container itself rather than the zip file contents
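To make the difference between the fuzzer: options concrete, here is an added Python toy of the listed mutators. It is not BFF's mutator code (BFF also selects a mutation range per seed_interval and other details not modelled here), and the SEED bytes are constructed.

```python
"""Toy models of the mutation strategies named under bff.yaml's fuzzer: key.

Added illustration, not BFF's mutator code: BFF also picks a mutation range
per seed_interval and applies other details not modelled here.  The SEED
bytes are constructed.
"""
import random

SEED = b"GIF89a\x00\x10\x00\x10\r\nhello\x00world"   # constructed sample seed file


def mutate(seed: bytes, fuzzer: str, iteration: int, rng: random.Random) -> bytes:
    """Return one mutated copy of seed for the named fuzzer option.

    iteration drives the positional mutators (drop, insert, truncate, wave),
    matching "for each position in the file" in the config comments.
    """
    buf = bytearray(seed)
    pos = iteration % len(buf)
    if fuzzer == "verify":                     # do not mutate the file
        pass
    elif fuzzer == "bytemut":                  # replace bytes with random values
        for i in rng.sample(range(len(buf)), k=max(1, len(buf) // 8)):
            buf[i] = rng.randrange(256)
    elif fuzzer == "swap":                     # swap one pair of adjacent bytes
        i = rng.randrange(len(buf) - 1)
        buf[i], buf[i + 1] = buf[i + 1], buf[i]
    elif fuzzer == "wave":                     # every single-byte value, sequentially
        buf[(iteration // 256) % len(buf)] = iteration % 256
    elif fuzzer == "drop":                     # remove the byte at this position
        del buf[pos]
    elif fuzzer == "insert":                   # insert a random byte at this position
        buf.insert(pos, rng.randrange(256))
    elif fuzzer == "truncate":                 # cut pos+1 bytes from the end
        del buf[len(buf) - 1 - pos:]
    elif fuzzer in ("crmut", "crlfmut", "nullmut"):   # replace every CR / CRLF / NUL byte
        targets = {"crmut": b"\r", "crlfmut": b"\r\n", "nullmut": b"\x00"}[fuzzer]
        for i, b in enumerate(buf):
            if b in targets:
                buf[i] = rng.randrange(256)
    else:
        raise ValueError("unknown fuzzer: %s" % fuzzer)
    return bytes(buf)


def run(fuzzer: str, iteration: int, seed: bytes = SEED, rng_seed: int = 1) -> bytes:
    """Wrapper with a fixed RNG seed so a given (fuzzer, iteration) is reproducible."""
    return mutate(seed, fuzzer, iteration, random.Random(rng_seed))


if __name__ == "__main__":
    for name in ("bytemut", "swap", "wave", "drop", "insert", "truncate",
                 "crmut", "crlfmut", "nullmut", "verify"):
        print("%-9s %r" % (name, run(name, 3)))
```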

After configuring the fuzzer, double-click bff in the BFF folder and the fuzzer starts.

Other options: https://allblackk.tistory.com/254?category=751620