• Search by Module
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

Project: ffw (GitHub Link)

• ffw-master
  • network
    • replay.py
    • tester.py
    • __init__.py
    • interceptor.py
    • networkmanager.py
    • proto_vnc.py
  • hexdump.py
  • defaultconfig.py
  • framework.py
  • tweet.conf.example
  • convertdata.py
  • honggmode
    • honggstats.py
    • honggcorpusdata.py
    • honggmaster.py
    • honggcorpusmanager.py
    • __init__.py
    • honggcomm.py
    • honggslave.py
  • vulnserver
    • src
      • coverageserver.c
      • vulnserver.c
      • Makefile
      • vulnserver_client.py
    • Makefile
    • config.py
    • intercept0.pickle
  • gui.py
  • uploader
    • uploader.py
    • __init__.py
  • LICENSE
  • test
    • test_crashmanager.py
    • mockupfuzzer.py
    • test_crashdata.py
    • test_fuzzer.py
    • test_honggfuzz.py
    • testutils.py
    • test_honggstats.py
    • test_verifymanager.py
    • test_interceptor.py
    • interceptorclientmockup.py
    • test_dictionaryfuzzer.py
    • __init__.py
    • test_namespace.py
    • interceptorservermockup.py
    • mockup_simplebind.py
    • test_honggcorpusmanager.py
    • test_corpusfile.py
    • test_verifydata.py
  • corpusparser.py
  • printpickle.py
  • test_client
    • Makefile
    • fuzzing.py
    • temp
      • README.txt
    • verified
      • README.txt
    • in
      • README.txt
    • clienttest.c
    • out
      • README.txt
    • bin
      • README.txt
  • common
    • crashdata.py
    • verifydata.py
    • corpusmanager.py
    • __init__.py
    • corpusdata.py
    • verifymanager.py
    • networkdata.py
    • ffwfile.py
    • crashmanager.py
  • ffw.py
  • verifier
    • gdbservermanager.py
    • verifier.py
    • minimizer.py
    • debugservermanager.py
    • abstractverifierservermanager.py
    • __init__.py
    • asanparser.py
    • servercrashdata.py
  • configmanager.py
  • classdiagram.md
  • README.md
  • utils.py
  • clientfuzzer
    • clientmanager.py
    • clientfuzzerslave.py
    • clientfuzzermaster.py
    • clientfuzzerserver.py
    • __init__.py
  • make-dictionary.sh
  • requirements.txt
  • mutator
    • mutator_dictionary.py
    • mutatorinterface.py
    • mutator_dumb.py
    • __init__.py
    • mutator_cmiller.py
    • mutator_list.py
  • target
    • targetutils.py
    • __init__.py
    • servermanager.py
  • .gitignore
  • docs
    • tutorial-honggmode.md
    • tutorial-sample-project.md
    • tutorial-grammar-based.md
    • notes.md
  • basicmode
    • basicslave.py
    • basicmaster.py
    • __init__.py
  • twitterinterface.py

FFW - Fuzzing For Worms

Fuzzes network servers/services by intercepting valid network communication data, then replay it with some fuzzing.

FFW can fuzz open source applications and supports feedback driven fuzzing by instrumenting honggfuzz, for both open- and closed source apps.

In comparison with the alternatives, FFW is the most advanced, feature-complete and tested network fuzzer.

Features:

• Fuzzes all kind of network protocol (HTTP, MQTT, SMTP, you name it)
• No modification of the fuzzing target needed (at all)
• Has feedback-driven fuzzing (with compiler support, or hardware based)
• Can fuzz network clients too (wip)
• Fast fuzzing setup (no source code changes or protocol reversing needed!)
• Reasonable fuzzing performance

Presentation

Presented at security conference Area 41 2018.

• (Fuzzing For Worms Slides)[https://docs.google.com/presentation/d/1tLELphbkh2bVLyIedagNoFKBn_DEYv29RskZY4u-szA/edit?usp=sharing]
• (Youtube)[https://www.youtube.com/watch?v=akpk9hrizc4]

Docker

Easiest way to start is to use the docker image:

• https://github.com/dobin/ffw-docker

By doing so:

docker run -ti --privileged -lxc-conf="aa_profile=unconfined" dobin/ffw:0.1

Examples are located in /ffw-examples.

Manual Installation

Get FFW

git clone https://github.com/dobin/ffw.git
cd ffw/

Note: Manually installed dependencies are expected to live in the ffw/ directory (e.g. honggfuzz, radamsa).

Install FFW dependencies

If its a fresh Ubuntu, install relevant packages for FFW:

apt-get install python python-pip gdb

For honggfuzz:

apt-get install clang binutils-dev libunwind8-dev

And python dependencies:

pip install -r requirements.txt

Install Radamsa fuzzer

$ git clone https://github.com/aoh/radamsa.git
$ cd radamsa
$ make

Default Radamsa directory specified in ffw is ffw/radamsa.

Setup a project

Steps involved in setting up a fuzzing project:

• Create directory structure for that fuzzing project by copying template folder
• Copy target binary to bin/
• Specify all necessary information in the config file fuzzing.py
• Start interceptor-mode to record traffic
• Start test-mode to verify recorded traffic (optional)
• Start fuzz-mode to fuzz
• Start verify-mode to verify crashed from the fuzz mode (optional)
• Start upload-mode to upload verified crashes to the web (optional)

For a step-by-step guide:

• Setup the sample project tutorial
• Setup the feedback-driven fuzzing project tutorial
• Some fuzzing help and infos

Unit Tests

Test all:

python -m unittest discover

Test a single module:

python -m unittest test.test_interceptor

Alternatives

Fuzzotron

Available via https://github.com/denandz/fuzzotron. "Fuzzotron is a simple network fuzzer supporting TCP, UDP and multithreading."

Support network fuzzing, also uses Radamsa. Can use coverage data, but it is experimental.

Con's:

• Does not restart target server
• Unreliable crash detection
• Experimental code coverage

Mutiny

Available via https://github.com/Cisco-Talos/mutiny-fuzzer. "The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer."

Con's:

• No code coverage
• Only one commit (no development?)
• Rudimentary crash detection