
Fuzzing (and bug hunting)

Table of Contents


  • Add Descriptions/generals to types of fuzzing

  • FuzzManager

    • With this project, we aim to create a management toolchain for fuzzing. Unlike other toolchains and frameworks, we want to be modular in such a way that you can use those parts of FuzzManager that seem interesting to you without forcing a process upon you that does not fit your requirements.
  • COMRaider

    • ActiveX Fuzzing tool with GUI, object browser, system scanner, and distributed auditing capabilities
    • Github
  • From Fuzzing to 0day.

  • Basic fuzzing framework

  • Fuzzing 101 (Part 1)

  • Fuzzing 101 (Part 2)

  • 0-day streams: pdfcrack

  • pcrappyfuzzer

    • Script to perform quick 'n dirty fuzzing of PCAPs with radamsa and Scapy.

end sort


Fuzzing Stuff & Hunting Bugs

  • Dynamic Fuzzing
    • Frameworks
      • Triton
        • Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint engine, AST representations of the x86 and x86-64 instruction set semantics, SMT simplification passes, an SMT solver interface and, last but not least, Python bindings.
    • General
    • Tools
      • usercorn
        • dynamic binary analysis via platform emulation
    • Writeups
  • Static Fuzzing
    • Frameworks
      • Paper Machete
        • Paper Machete (PM) orchestrates Binary Ninja and GRAKN.AI to perform static analysis on binary targets with the goal of finding exploitable vulnerabilities. PM leverages the Binary Ninja MLIL SSA to extract semantic meaning about individual instructions, operations, register/variable state, and overall control flow. This data is then migrated into GRAKN.AI, a hyper-relational database. We then run queries against the database that are designed to look for indications of common software vulnerability classes.
    • General
    • Tools
    • Talks/Writeups
      • Aiding Static Analysis: Discovering Vulnerabilities in Binary Targets through Knowledge Graph Inferences - John Toterhi - Derbycon7
        • Static analysis is the foundation of vulnerability research (VR). Even with today's advanced genetic fuzzers, concolic analysis frameworks, emulation engines, and binary instrumentation tools, static analysis ultimately makes or breaks a successful VR program. In this talk, we will explore a method of enhancing our static analysis process using the GRAKN.AI implementation of Google's knowledge graph and explore the semantics from Binary Ninja's Medium Level static single assignment (SSA) intermediate language (IL) to perform inference queries on binary-only targets to identify vulnerabilities.
  • Taint Analysis
    • Taint analysis and pattern matching with Pin - Jonathan Salwan
    • Applying Taint Analysis and Theorem Proving to Exploit Development - Sean Heelan - RECON2010
    • All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
      • Abstract: Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability discovery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts. The contributions of this paper are two-fold. First, we precisely describe the algorithms for dynamic taint analysis and forward symbolic execution as extensions to the run-time semantics of a general language. Second, we highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.
    • A Critical Review of Dynamic Taint Analysis and Forward Symbolic Execution
      • In this note, we describe a critical review of the paper titled "All you wanted to know about dynamic taint analysis and forward symbolic execution (but may have been afraid to ask)" [1]. We analyze the paper using the Paul Elder critical thinking framework [2]. We start with a summary of the paper and the motivation behind the research work described in [1]. Then we evaluate the study with respect to the universal intellectual standards of [2]. We find that the paper provides a good survey of the existing techniques and algorithms used for security analysis. It explains them using the theoretical framework of operational runtime semantics. However, in some places the paper could do a better job of highlighting what new insights or heuristics can be gained from a runtime semantics formulation. The paper fails to convince the reader how such an intricate understanding of the operational semantics of a new generic language, SimpIL, helps in advancing the state of the art in dynamic taint analysis and forward symbolic execution. We also found that the Paul Elder critical thinking framework is a useful technique to reason about and analyze research papers.
    • TAJ: Effective Taint Analysis of Web Applications - Java Webapps
      • Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applications. TAJ can analyze applications of virtually any size, as it employs a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vectors, with techniques to handle reflective calls, flow through containers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
  • Android Bug Hunting/Fuzzing
  • Browser Bug Hunting/Fuzzing
    • Browser Bug Hunting and Mobile
    • Grinder - Fuzzer
      • Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
    • browserfuzz
      • A very simple browser fuzzer based on tornado.
    • Browser bug hunting - Memoirs of a last man standing, Atte Kettunen
    • morph
      • an open source browser fuzzing framework for fun.
  • C/C++ Fuzzing
    • ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
    • libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
  • Cellular Related Technologies Bug Hunting/Fuzzing
  • Cisco
    • asadbg
      • asadbg is a framework of tools to aid in automating live debugging of Cisco ASA devices, as well as automating interaction with the Cisco CLI over serial/ssh to quickly perform repetitive tasks.
    • asatools - NCCGroup
      • Main repository to pull all Cisco ASA-related projects.
    • asafw
      • Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
  • File Formats Bug Hunting/Fuzzing
    • Practical File Format Fuzzing
      • File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT's fuzzing frameworks to discover vulnerabilities in file parsers.
    • File Format Fuzzing in Android
  • Network Protocols Bug Hunting/Fuzzing
  • Fuzzing Linux
    • Kernel
    • Syscalls
      • syzkaller - linux syscall fuzzer
        • An unsupervised, coverage-guided Linux syscall fuzzer. It is meant to be used with KASAN (CONFIG_KASAN=y), KTSAN (CONFIG_KTSAN=y), or KUBSAN.
  • Libraries
  • Medical Devices
    • Open Up and Say 0x41414141: Attacking Medical Devices - Robert Portvliet - Toorcon19
      • Network accessible medical devices are ubiquitous in today's clinical environment. These devices can be of great aid to healthcare professionals in assessing, treating and monitoring a patient's condition. However, they can also fall victim to a number of systemic vulnerabilities that can expose personal health information or PHI, compromise the integrity of patient data in transit, and affect the availability of the devices themselves. This talk looks at the methodology and approach to penetration testing of modern medical devices. It will provide an overview of the various stages of a medical device assessment, including discovery and analysis of a device's remote and local attack surface, reverse engineering and exploitation of proprietary network protocols, vulnerability discovery in network services, compromising supporting systems, attacking common wireless protocols, exploitation of hardware debug interfaces and bus protocols and assessing proprietary wireless technologies. It will also cover a number of real world vulnerabilities that the speaker has discovered during medical device penetration testing assessments. These include weak cryptographic implementations, device impersonation and data manipulation vulnerabilities in proprietary protocols, unauthenticated database interfaces, hardcoded credentials/keys and other sensitive information stored in firmware/binaries and the susceptibility of medical devices to remote denial of service attacks. The talk will conclude with some suggestions on how some of the most common classes of medical device vulnerabilities might be remediated by vendors and also how hospitals and other healthcare providers can defend their medical devices in the meantime.
  • OS X Bug Hunting/Fuzzing
  • RTP
    • ohrwurm
      • ohrwurm is a small and simple RTP fuzzer. I tested it on a small number of SIP phones; none of them withstood it.
  • Source Code Fuzzing/Bug Hunting
    • Articles/Talks/Writeups
      • Improving security with Fuzzing and Sanitizers
        • A bug in Gstreamer could be used to own a Linux Desktop system. TCPDump released a security update fixing 42 CVEs. We have far too many security critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them.
    • Tools
  • USB Bug Hunting/Fuzzing
  • Virtual Appliance Bug Hunting/Fuzzing
    • Hacking Virtual Appliances - DerbyconV
      • Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that is catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remotes on these appliances.
  • Web Application Bug Hunting/Fuzzing
  • Windows Fuzzing/Bug Hunting

Non-Specific Tools (don't explicitly fit into the above sections)