GithubHelp home page GithubHelp logo

slowmistio / erlamsa Goto Github PK

View Code? Open in Web Editor NEW

This project forked from darkkey/erlamsa

1.0 1.0 0.0 418 KB

Erlang port of famous radamsa fuzzzer.

License: MIT License

Makefile 0.04% C# 0.29% JavaScript 0.97% Python 0.55% C 0.12% Erlang 97.97% Batchfile 0.06%

erlamsa's Introduction

erlamsa

Erlamsa -- "<<smart>> dumb fuzzer" aka erlang port of famous radamsa fuzzer.

TL;DR

$ sudo apt-get install git gcc make erlang erlang-dev erlang-tools erlang-ssl erlang-eunit erlang-mnesia erlang-inets
$ git clone https://github.com/Darkkey/erlamsa && cd erlamsa && make
$ echo 'Hello erlamsa!' | ./erlamsa

Installation:

Installing erlang

Erlamsa requires erlang/OTP 17.5+ to run.

Download erlang from official website http://www.erlang.org, install and put in path to erlc, erl and escript binaries into PATH variable. Or use your system's packet manager to install it.

On OS X (using homebrew):

brew install erlang

On CentOS/RHEL:

yum install erlang

On Debian/Ubuntu/Kali:

apt-get install erlang erlang-dev erlang-tools erlang-ssl erlang-eunit erlang-mnesia erlang-inets

Building erlamsa

Get the latest version of erlamsa:

git clone https://github.com/Darkkey/erlamsa
cd erlamsa

On Linux/OS X:

make

or

escript rebar co

On Windows (escript.exe and erlc.exe should be in %PATH%):

make_windows.bat

Docker

Alternatively, you could use erlamsa Docker container: https://github.com/Darkkey/erlamsa-docker-image

Standalone usage:

Under Linux/OS X use ./erlamsa, under Windows -- erlamsa.bat.

Few examples/templates for a quick start:

$ echo 'Hello erlamsa' | ./erlamsa
Hello erlmo erlamsa
$ erlamsa <<FILE TO FUZZ>>
$ erlamsa <<FILE TO FUZZ>> -o erlamsa <<FILE TO FUZZ>>.fuzzed
$ erlamsa <<FILE TO FUZZ>> -o tcp://:<<LISTEN_ON_PORT>>
$ cat <<BINARY WITH PACKET>> | ./erlamsa -o udp://<<HOST>>:<<PORT>>

For help try:

./erlamsa --help

or

escript erlamsa --help

Using as a service

Launch as a service:

./erlamsa -H 127.0.0.1:17771

Or in detached mode (erlamsa will go background after launch):

./erlamsa -H 127.0.0.1:17771 -D

HTTP POST your data to http://<Host:Port>/erlamsa/erlamsa_esi:fuzz as application/octet-stream. See examples in clients/ folder (provided for C#, node.js and python). E.g. for Python 2.7:

import httplib

erlamsa_url = '127.0.0.1:17771'

original_string = "Hello erlamsa!"

httpconn = httplib.HTTPConnection(erlamsa_url)
headers = {"content-type": "application/octet-stream"}
httpconn.request('POST', '/erlamsa/erlamsa_esi:fuzz', original_string, headers)
response = httpconn.getresponse()

fuzzed_string = response.read()

print(original_string + " erlamsed to " + fuzzed_string)

Result:

$ python clients/erlamsa_python_client.py
Hello erlamsa! erlamsed to rlamsa!rlallo eHello e

JSON service endpoint

Erlamsa also provides JSON service extension, which allows to send request in JSON documents. Fuzzing data should be encoded in base64 format and provided inside data field of the document, e.g.:

$ curl -H "Content-Type: application/json" -X POST -d '{"data":"aGVsbG8="}' http://localhost:17771/erlamsa/erlamsa_esi:json
{"data": "bGxvbGxvaA=="}

Fuzzing options

For standalone Web or JSON fuzzing, along with fuzzing data, you could also provide fuzzing options, including mutations, patterns, seed, blockscale, e.t.c. The format of these options should be the same as in according command line keys. Pass them as HTTP headers (for standalone Web service) or as JSON members (for JSON endpoint). E.g.:

$ curl -H "Content-Type: application/json" -X POST -d '{"data":"aGVsbG8=","seed": "1,2,3"}' http://localhost:17771/erlamsa/erlamsa_esi:json
{"data": "aGVsW2xv"}

Using as fuzzing proxy

Erlamsa could be used a fuzzing "MiTM" proxy for TCP and UDP protocols. This allow to fuzz the communication between server and client, modifying packets coming from server to client, from client to server, or in both cases.

To use it as fuzzing proxy, run as:

./erlamsa -i proto://lport:[udpclientport:]rhost:rport -P probsc,probcs

where probsc and probcs are floats in range of 0.0 to 1.0, that represents probabilities of fuzzing packets from server to client and client to server.

E.g. erlamsa, that is started as

./erlamsa -i tcp://7777:192.168.0.1:7777 -P 0.1,0.9 -L -

will accept packets on port 7777 (on all network interfaces, basically on 0.0.0.0 interface) and send them to host's 192.168.0.1 port 7777. All packets coming from server to client will be fuzzed with probability of 0.1(10%), from client to server -- with probability of 0.9(90%). In this case, to start fuzzing just point your client application to erlamsa's host and port 7777. -L - options means that all logging will be output to stdout.

Example usage from erlang code

There are two possible ways to call erlamsa from your code: static (same host, library call) and dynamic (query the application on another node)

  1. Static direct usage: see erlamsa_app:fuzz/1 and erlamsa_app:fuzz/2, e.g.:
$ erl -pa ebin -pa deps/*/ebin
...
Eshell V10.0.3  (abort with ^G)

1> erlamsa_app:fuzz(<<"123">>).
<<243,160,128,169,49,50,51>>
2>

  1. Remotely, on another node:

    a) Start and test fuzzing node:

    $ erl -pa ebin -pa deps/*/ebin -sname erlamsa
...

(erlamsa@server)1> erlamsa_app:start(direct, maps:new()).
ok
(erlamsa@server)2> erlamsa_app:call(erlamsa, <<"123">>).
<<"12311223123">>
(erlamsa@server)3>

    b) Run on client node:

    $ erl -pa ebin -pa deps/*/ebin -sname client
...

(client@user)1> erlamsa_app:start(remote, {erlamsa, 'erlamsa@server'}).
{test,<0.66.0>}
(client@user)2> erlamsa_app:call(erlamsa, <<"321">>).
<<"3321">>

External (extension) scripts

Erlamsa could use external scripts for generation-based fuzzing, custom fuzzing, custom post-fuzzing procedures or custom mutation types. Module should be compiled with erlc before using and passed using -e option to erlamsa. Due to internal mechanism of external modules inclusion, you should pass external module ALWAYS as a FIRST argument to erlamsa.

In the following example, erlamsa is run with custom mutation module (see external_muta.erl for details):

$ echo -n 123 | ./erlamsa -e external_muta -m pan=1 -p od
<pancaked>123</pancaked>

Custom fuzzing extension

Could be using in fuzzing proxy mode, to replace standard fuzzing procedure with a custom one. See external_test.erl for example template.

Custom mutation extension

Adds custom mutation to the list of erlamsa mutators. See external_muta.erl for example.

Custom post-processing extension

Adds post-processing procedure that will be applied to fuzzing result just before output. Useful for fixing checksum or form of data to avoid unnessesary noise. See external_nhrp.erl for example.

Platform limitations

  • on unix platforms (Linux, OS X, ...) erlamsa could not be launched in background mode using standard & shell symbol due to erlang VM limitations; -D option is intended for it. E.g., instead of ./erlamsa -H 127.0.0.1:17771 & use ./erlamsa -H 127.0.0.1:17771 -D
  • ip:// and raw:// outputs are not working on Windows, raw:// output is not working on OS X
  • minimum recommended RAM to run on Windows OS is 4Gb

Code Status

Build Status

erlamsa's People

Contributors

darkkey avatar dukebarman avatar

Stargazers

avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.