Stateful fuzzing: Authenticate and Authorize first, than fuzzing

[MauriceJoren]

Hi,

I'm trying to fuzz a protocol. In the first steps, there is some authentication and authorisation. To fuzz this part I use the following code:

session.connect(s_get("COTP ConnectionRequest"))
session.connect(s_get("COTP ConnectionRequest"), s_get("Request CreateObject"))
session.connect(s_get('Request CreateObject'), s_get('Request SetMultiVariables'), callback get_session_parameters_from_create_object)

This works great for me. Now, I want to fuzz the messages after the authentication steps. To keep the number of messages small, I don't want to authenticate every time, just once. Of course, if my target goes down, the authentication has to be done again; that's no issue.

What is the best way to do with BooFuzz?
I tried to do it with: post_start_target_callbacks = [callback_post_start_target], but can't figure out how to send the messages that are contained in COTP ConnectionRequest and Request CreateObject.

With def callback_post_start_target(target=None, fuzz_data_logger=None, session=None, **kwargs):
if tried, but when opening a new socket, a new portnumber is used. Which, of course isn't OK. I cannot find any send/receive method with' target' and' session'.

Any ideas?
Thanks!

[cq674350529]

I used to fuzz http requests with both pre-authenticated and post-authenticated. The method I choose is to put the login procedure in the edge callback. And I can decide if login is required based on a global flag and the repsonse. If the response indicates unauthorized or unauthenticated, then I'll login again, update the cookie/session to the next node and set the global flag. I'm not sure if it suits your case.

[MauriceJoren]

Thanks for your answer, I'll give it a try.

I understand what you mean, but I can't figure out how to implement it. In the callback, I don't find any methods to send on the same port, or is it just me?

FYI: I fuzz a network protocol used by PLCs.

[SR4ven]

Hi @SimaticFuzz,

I see two approaches to reach your goal. One would be the already mentioned edge callback passed to Session.connect().
When your callback is called during runtime, you get the current target passed as an argument and can call the send and receive functions on the same socket that is used during fuzzing.

The second approach utilizes the rather new monitors.
With those it's possible to register pre-/post_send and post_start_target callbacks in which you will again have the target object available to interact with the socket.
Check out https://github.com/jtpereyda/boofuzz/blob/cffea3dc206151fb481f9ad38ce9bf5422565c12/boofuzz/monitors/callback_monitor.py

Nice seeing PLC protocols beeing fuzzed, too!
If you're able to share some code, a contribution to our examples or protocol definitions is always welcome!

[MauriceJoren]

Thanks for your answer @SR4ven,

I'm already using the monitor function. I've created a monitor and added it to the target:
PLC_TargetMonitor(host = g_target_ip_addr, port = g_target_port)
This monitor is defined as class PLC_TargetMonitor(NetworkMonitor): and in this class, the alive() is declared. I use a ping command to check if the PLC is accessible, which works fine.

The target, and the monitor are defined as follows:
PLCTarget = Target(
connection = TCPSocketConnection(host = g_target_ip_addr, port = g_target_port),
monitors = [PLC_TargetMonitor],
)

The best method to do the authentication is then in the class PLC_TargetMonitor, with the method def post_start_target(target = None, fuzz_data_logger = None, session = None, **kwargs):.

Now, I'm trying to send the authentication sequence in that method.

Currently, the authentication looks like this:
session.connect(s_get("COTP ConnectionRequest"))
session.connect(s_get("COTP ConnectionRequest"), s_get("Request CreateObject"))
session.connect(
s_get('Request CreateObject'),
s_get('Request SetMultiVariables'),
callback = set_session_parameters_from_create_object
)
In the callback function, among other things, some anti-replay calculation is done.

The fuzzing part is here:
session.connect(
s_get('Request SetMultiVariables'),
s_get('Request SetVariable'),
callback = get_response_from_set_multi_variables
)

When I try to open a connection in post_start_target with target.open(), the log shows that 2 connections are open.

What I'm doing wrong? It will be something small, but I can't figure it out.
Of course, I've looked at the examples and many other Boofuzz-based fuzzers on GitHub.

[SR4ven]

The NetworkMonitor you're inheriting from is meant to interact with an RPC client. It's not suitable to what you're doing if I got your usecase correctly.

Try inheriting from BaseMonitor directly and checkout the docstrings on when to perfrom the ping test (probably in post_send()).
You also have to implement a restart_target() method, even if it always returns True.

Then inside post_start_target() you can send data. To send it on the same socket as the fuzz data later on, set reuse_target_connection=True in the Session constructor. This will keep the TCP connection open in between test cases.

Hope that helps.

[MauriceJoren]

Hi @SR4ven,

Thanks for your answer. I've got it working so far.

Just wondering:
I've defined the authorisation messages within blocks like s_initialize("Request SetMultiVariables") because I want to fuzz these too. Is there any way to use them (and the corresponding callbacks, within the post_start_target(), instead of creating new functions that arrange the bytes?

[SR4ven]

Take a look at what Session.feature_check() and Session.transmit_normal() do. Maybe there is something that you can reuse.
I haven't done anything like this so far.

Let us know if you've found a way.

[MauriceJoren]

Thanks for your answer. I'll give it a try.