[Old post] [Original] [Invitation code application] SPIKE experience summary and error solutions (for reference only)
Posted on: 2011-3-7 15:23
I have recently been studying SPIKE. This is a compilation of material found online together with my own experience and the errors I ran into, for reference only.
Installation: aclocal && automake; ./configure; make
====================================================
SPIKE is a C API made of primitives (note that there is no Windows version). The basic building blocks:
Static content: s_string(), s_binary(), s_intelword(), s_string_repeat()
Dynamic content: s_string_variable()
Network control: spike_send_udp(), spike_listen_udp(), spike_send_tcp()
Block control: s_binary_block_size_intel_word(), s_block_end()
Variable control: s_incrementfuzzstring(), s_incrementfuzzvariable()
====================================================
The spike struct is the most important data structure in the program:
struct spike {
/*updated whenever anything is added into an open and used block*/
listener block_listeners[MAXLISTENERS];
/*list of places we need to add sizes to*/
listener size_listeners[MAXLISTENERS];
/*total size of all data*/
unsigned long datasize;
unsigned char *databuf;
unsigned char *endbuf;
int fd; /*for holding socket or file information*/
int proto; /*1 for tcp, 2 for udp*/
struct sockaddr_in *destsockaddr;
/*all the web fuzz stuff*/
int didlastvariable;
int didlastfuzzstring;
int didlastfuzzint;
int didlastbeforefuzzstring;
int didlastafterfuzzstring;
int fuzzstring;
int fuzzvariable;
int currentvariable;
int firstvariable;
int needreserved;
/*unicode protocol stuff*/
int do_unicode_ms;
int terminate_unicode;
};
1. new_spike() creates this struct and performs simple initialisation.
2. setspike(p_spike)
A program may use several SPIKE structs, so setspike(p_spike) is used to indicate which spike struct is currently in use.
3. s_string()
s_string() appends data to the SPIKE struct's buffer as a string, i.e. it inserts a string constant: s_string("Referer\r\n") inserts one string constant.
4. s_print_buffer()
s_print_buffer() prints the current buffer contents in hexadecimal.
5. spike_clear() clears the global spike struct, somewhat like zeroing it.
It empties the current spike struct: it allocates a fresh spike struct and then points the current spike at that temporary struct.
6. spike_send_tcp(): persistent connection; spike_close_tcp() is needed to disconnect.
Parameters (host, port). It first establishes the connection with spike_connect_tcp(host, port), then calls spike_send().
7. spike_send_udp(): persistent connection; spike_close_udp() is needed to disconnect.
Parameters (host, port). It first establishes the connection with spike_connect_udp(host, port), then calls spike_send().
8. spike_send(): short connection.
It first checks whether the protocol is TCP or UDP, then writes the data. (As I understand it, it simply sends the data.)
int spike_send();                           // send to the fd which is ready right now
int spike_connect_tcp(char *host, int port);
int spike_send_tcp(char *host, int port);   // connects and sends
int s_tcp_accept(int listenfd);
void spike_close_tcp();
int spike_send_udp(char *host, int port);
int spike_connect_udp(char *host, int port);
int spike_connect_udp_ex(char *host, int port, unsigned short local_port);
int spike_listen_udp(int port);             // 1 on success, 0 on fail
void spike_clear_sendto_addr();
int spike_set_sendto_addr(char *hostname, int destport);
void s_close_udp();
When compiling with gcc, these functions require tcpstuff.o and udpstuff.o to be linked in.
9. s_binary("")
This one is very powerful: a captured packet can be dropped straight in. s_binary("<paste the packet captured with a sniffer here>"); inserts binary data, e.g. s_binary("00 00").
10. Building repeated data
s_string_repeat("A",5000) is like perl -e 'print "A" x 5000':
it amounts to calling s_string("A") 5000 times. s_binary_repeat works the same way.
11. s_string_variable(), s_string_variables()
/* if current variable is the fuzzed variable, then send in a fuzz string, else just send the variable */
s_string_variable("test\r\n"); inserts one string variable.
s_string_variables('&',"username=bob&password=feet"); inserts several string variables at once.
s_int_variable(0x00,3); inserts an int variable.
These functions are all quite similar.
12. int didlastvariable;
Tests whether this is the last variable, i.e. whether fuzzvariable has reached its maximum.
13. int didlastfuzzstring;
Whether the index of the last fuzz string has been reached.
14. int didlastfuzzint;
Whether the index of the last fuzz int has been reached.
15. int fuzzstring;
Index of the fuzz string/int for the current variable.
16. int fuzzvariable;
The fuzzvariable-th variable, i.e. the fuzzvariable-th pass of the loop.
17. int currentvariable;
The current variable.
18. int firstvariable;
The first variable: if currentvariable==0 then firstvariable=1; if currentvariable!=0 then firstvariable=0.
19. spike_listen_udp(port)
Listens on port; on success it updates fd and proto.
20. s_binary_block_size_intel_word() (block control)
Executes add_size_listener(4,blockname,INTELENDIANWORD,some,mult);
It captures the size of a block and writes that size as a DWORD in Intel byte order. The byte order of data in a protocol is not necessarily Intel order, and in many cases the size is expressed in a single byte. To handle these cases SPIKE provides several block-size functions, for example:
int s_binary_block_size_intel_word(char *blockname);
int s_binary_block_size_word_halfword_bigendian_variable(char *blockname);
int s_binary_block_size_word_bigendian_variable(char *blockname);
int s_binary_block_size_intel_halfword_variable(char *blockname);
int s_binary_block_size_intel_word_variable(char *blockname);
int s_blocksize_unsigned_string_variable(char *instring, int size);
int s_blocksize_asciihex(char *blockname);
int s_blocksize_asciihex_variable(char *blockname);
21. s_block_end(), s_block_start(char *blockname)
(1) s_block_end() directly executes close_sizes(blockname, myListener->size); to close the block.
(2) s_block_start() adds a listener:
add_listener(current_spike->block_listeners, blockname);
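As an added illustration of items 20 and 21 (a model written for this post, not SPIKE's own source), the following C shows the block/size-listener mechanism: a size field is reserved before the block and back-patched with the block's byte length when the block closes. The names bigendian, nsize, nblock, s_binary_block_size_halfword_bigendian and build_demo are this model's own.

```c
#include <stdint.h>
#include <string.h>
typedef struct { const char *name; size_t pos; int width; int bigendian; } size_listener;
typedef struct { const char *name; size_t start; } block_listener;
static unsigned char databuf[256]; static size_t datasize;
static size_listener size_listeners[8]; static int nsize;     /* MAXLISTENERS is 8 here */
static block_listener block_listeners[8]; static int nblock;

static void spike_clear(void) { datasize = 0; nsize = 0; nblock = 0; }
static void s_string(const char *s) { memcpy(databuf + datasize, s, strlen(s)); datasize += strlen(s); }

/* reserve a zeroed size field now; it is patched when the named block closes */
static void add_size_listener(int width, const char *blockname, int bigendian) {
    size_listener *l = &size_listeners[nsize++];
    l->name = blockname; l->pos = datasize; l->width = width; l->bigendian = bigendian;
    memset(databuf + datasize, 0, (size_t)width); datasize += (size_t)width;
}
static void s_binary_block_size_intel_word(const char *b) { add_size_listener(4, b, 0); }
static void s_binary_block_size_halfword_bigendian(const char *b) { add_size_listener(2, b, 1); }

/* open a block: remember where its data begins */
static void s_block_start(const char *blockname) {
    block_listeners[nblock].name = blockname; block_listeners[nblock++].start = datasize;
}
/* close the block and write its byte length into every size field bound to its name;
 * real SPIKE keeps sizes current via s_update_listeners as data is appended, this
 * model patches once here */
static void s_block_end(const char *blockname) {
    for (int i = nblock - 1; i >= 0; i--) {
        if (strcmp(block_listeners[i].name, blockname) != 0) continue;
        uint32_t len = (uint32_t)(datasize - block_listeners[i].start);
        for (int j = 0; j < nsize; j++) {
            size_listener *l = &size_listeners[j];
            if (strcmp(l->name, blockname) != 0) continue;
            for (int k = 0; k < l->width; k++) {   /* Intel (little-endian) unless bigendian */
                int shift = l->bigendian ? 8 * (l->width - 1 - k) : 8 * k;
                databuf[l->pos + k] = (unsigned char)(len >> shift);
            }
        }
        return;
    }
}
/* demo message: 2-byte big-endian size, 4-byte Intel-order size, then the body */
static size_t build_demo(void) {
    spike_clear();
    s_binary_block_size_halfword_bigendian("body"); s_binary_block_size_intel_word("body");
    s_block_start("body"); s_string("Hello World!"); s_block_end("body");
    return datasize;
}
```

After build_demo() the buffer starts with 00 0c 0c 00 00 00 followed by the 12 body bytes, which is the same "Hello World!" payload the gcc session in the appendix prints.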
22. spike_free(struct spike *old_spike)
Frees the spike struct.
23. getcurrentspike()
Returns the current spike struct.
24. get_spike_fd()
Gets the spike's file descriptor.
25. s_update_listeners(unsigned long size)
Updates the listeners (the listener array).
26. add_size_listener()
Adds a listener to the array.
27. is_int_fuzz_variable(int type): checks whether this is the variable being fuzzed.
28. s_init_fuzzing() selects SPIKE's built-in collection of malformed data; the current version contains over 600 malformed entries by default, covering overlong strings, format strings, path traversal attacks and so on.
29. s_add_fuzzstring() lets the user add custom malformed data.
30. s_incrementfuzzstring() moves on to the next malformed string.
31. s_incrementfuzzvariable() moves on to the next variable position to fuzz.
32. Before generating a new test case, remember to call spike_clear() to empty SPIKE's buffer.
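As an added example (a model written for this post, not SPIKE's source), here is how the state fields from items 12-18 and the calls from items 28 onward combine into the test-case loop: each case swaps one fuzz string into exactly one variable, spike_clear() resets the buffer before every case, and the didlast* flags terminate the inner (fuzz string) and outer (variable) loops. The three fuzz strings are a constructed stand-in for the built-in set, example.test is a constructed host, and build_case, enumerate and picked are this model's names.

```c
#include <string.h>

/* constructed three-entry stand-in for SPIKE's built-in set of 600+ fuzz strings */
static const char *fuzzstrings[] = { "A", "AAAAAAAAAAAAAAAA", "%s%s%s%s" };
#define NFUZZ ((int)(sizeof fuzzstrings / sizeof fuzzstrings[0]))

/* the state fields the post walks through in items 12-18 */
static int fuzzstring, fuzzvariable, currentvariable, didlastvariable, didlastfuzzstring;
static char databuf[512], picked[512];
static size_t datasize;

static void spike_clear(void) { datasize = 0; databuf[0] = 0; currentvariable = 0; }
static void s_string(const char *s) {
    size_t n = strlen(s);
    memcpy(databuf + datasize, s, n); datasize += n; databuf[datasize] = 0;
}
/* if the current variable is the fuzzed one, send a fuzz string, else the variable itself */
static void s_string_variable(const char *v) {
    s_string(currentvariable == fuzzvariable ? fuzzstrings[fuzzstring] : v);
    currentvariable++;
}
static void s_init_fuzzing(void) { fuzzstring = fuzzvariable = didlastvariable = didlastfuzzstring = 0; }
static void s_incrementfuzzstring(void) {
    if (++fuzzstring >= NFUZZ) { fuzzstring = 0; didlastfuzzstring = 1; }
}
static void s_incrementfuzzvariable(void) { fuzzvariable++; didlastfuzzstring = 0; }

/* one request template with two variables (the path and the Host value) */
static void build_case(void) {
    spike_clear();                                   /* empty the buffer before each case */
    s_string("GET /"); s_string_variable("index.html");
    s_string(" HTTP/1.0\r\nHost: "); s_string_variable("example.test");
    s_string("\r\n\r\n");
    if (currentvariable <= fuzzvariable) didlastvariable = 1;   /* no variable left to fuzz */
}

/* walk every case (outer loop: variables, inner loop: fuzz strings); keep case n in picked */
static int enumerate(int n) {
    int count = 0;
    s_init_fuzzing();
    for (;;) {
        build_case();
        if (didlastvariable) return count;
        if (count == n) strcpy(picked, databuf);     /* a real harness would spike_send() here */
        count++;
        s_incrementfuzzstring();
        if (didlastfuzzstring) s_incrementfuzzvariable();
    }
}
```

With two variables and three fuzz strings the loop yields six cases; case 4 is the template with the second fuzz string in the Host value and the path left untouched.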
Appendix:
Errors encountered:
a) Udpconnect() connection failed!!! sfd=-1, socket creation failed.
Cause: more than 1200 sockets had been created, exceeding the limit.
Be sure to close sockets with s_close_udp() / spike_close_tcp(); otherwise the error "too many open files" appears. Without closing them, the error shows up once more than 1200 sockets have been created.
b) SPIKE link error
I decided to play around with Spike fuzzer and encountered some weird errors during installation. I was using gcc 4.1.2.
gcc -ggdb -o generic_listen_tcp generic_listen_tcp.o dlrpc.o dlargs.o spike.o listener.o hdebug.o tcpstuff.o spike_dcerpc.o base64.o udpstuff.o spike_oncrpc.o -ldl -L. -ldlrpc
/usr/bin/ld: generic_listen_tcp: hidden symbol `__stack_chk_fail_local' in /usr/lib/libc_nonshared.a(stack_chk_fail_local.oS) is referenced by DSO
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: ld returned 1 exit status
make: *** [generic_listen_tcp] Error 1
If you are also getting the same error, I would recommend that you do the following:
SPIKE/SPIKE/src$ ./configure
Now open the Makefile in your favorite editor and edit the CFLAGS line to include the following option:
-fno-stack-protector
This is how my CFLAGS line looks in the Makefile:
CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector
This should make it build fine (I do get a few warnings but that's cool... it still does not result in a no-build).
c) Commands used while testing with Autodafe and SPIKE:
root@ubuntu:/home/xq/桌面/实验小屋# gcc -g -o 1 1.c -I ../SPIKE/SPIKE/include ../SPIKE/SPIKE/src/spike.o ../SPIKE/SPIKE/src/tcpstuff.o ../SPIKE/SPIKE/src/udpstuff.o ../SPIKE/SPIKE/src/listener.o
root@ubuntu:/home/xq/桌面/实验小屋# ./1
Datasize=12
Start buffer:
48 65 6c 6c 6f 20 57 6f
72 6c 64 21
End buffer:
***Hello World!***
root@ubuntu:/home/xq/桌面/实验小屋# gcc -ggdb -o 1 1.c -I ../SPIKE/SPIKE/include ../SPIKE/SPIKE/src/spike.o ../SPIKE/SPIKE/src/tcpstuff.o ../SPIKE/SPIKE/src/udpstuff.o ../SPIKE/SPIKE/src/listener.o
root@ubuntu:/home/xq/桌面/实验小屋# gcc -g1 -o 1 1.c -I ../SPIKE/SPIKE/include ../SPIKE/SPIKE/src/spike.o ../SPIKE/SPIKE/src/tcpstuff.o ../SPIKE/SPIKE/src/udpstuff.o ../SPIKE/SPIKE/src/listener.o
root@ubuntu:/home/xq/桌面/实验小屋# gcc -g1 -o snmpv3_spike snmpv3_spike.c -I ../SPIKE/SPIKE/include ../SPIKE/SPIKE/src/spike.o ../SPIKE/SPIKE/src/tcpstuff.o ../SPIKE/SPIKE/src/udpstuff.o ../SPIKE/SPIKE/src/listener.o
root@ubuntu:/home/xq/桌面/实验小屋# gdb snmpv3_spike
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/xq/桌面/实验小屋/snmpv3_spike...done.
(gdb) run
Starting program /home/xq/桌面/实验小屋/snmpv3_spike
d) Wireshark cannot capture packets in Ubuntu. The reason is that the Linux user is an ordinary user, not root.
Run sudo -i, then enter your root password.
e) While testing I found that tcpstuff.o had to be linked even though UDP was clearly being used. Why is tcpstuff needed? Because during testing spike_send_udp() calls spike_send(), and spike_send() calls getHostAddress(), which lives in tcpstuff. Several other functions are also in tcpstuff.