
The Sulley Fuzzing Framework

 
 

According to KriPpLer - This is a short demonstration on using the Sulley fuzzing framework. I'll be fuzzing an application with a known bug (for obvious reasons...) that has already been exploited (http://packetstormsecurity.org/advisories/misc/savant.overflow.txt). I chose a basic plain-text HTTP server just for demonstration purposes. This is not a protocol fuzzing tutorial. Anyway, I've tried pretty much all of the fuzzers worth using. I decided to give this project a try and I must say I'm pretty impressed with it. It's a block-based protocol fuzzer similar to SPIKE. Seems to be a little bit more robust and a little less tedious since you don't have to recompile anything after you're done coding mainly. It's Python-based, which isn't my primary language. (I'm a C/++ guy) I just started to finally sit down and learn some kind of fuzzing framework to automate and streamline the process of finding bugs. I've just started to get into writing exploits and need a nice fuzzer that I can start finding bugs with so I went with Sulley. Has decent documentation I guess. Not many examples however. There's a couple in the "archived_fuzzies" folder though. The nice thing about it is that it has a network / process monitor with a built-in debugger that dumps wire captures as well as crash dumps. This is a pretty cheesy example but it's just to give you an idea of how it works.

You can download Sulley from here and also view the detailed document here. Thanks go out to KriPpLer from Xsploitedsecurity (xsploitedsecurity [] gmail) for submitting this video to us.

 


Author
Vivek-Ramachandran

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at the world-renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World and other news agencies. In 2006, Vivek was announced as one of the winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security-Freak.Net and SecurityTube.Net and is the co-founder of Axonize. Vivek holds a Bachelor's degree in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati. You can contact him at vivek[at]securitytube.net

 
©2007 Freak Labs