Browser fuzzing
Author: Iamyc   2019-12-26 10:55, Thursday   Views: 572

Last night I found someone who does binary work and asked for some material; he sent me this URL:

https://github.com/CHYbeta/Software-Security-Learning/blob/master/README.md?from=singlemessage&isappinstalled=1

There is a great deal in there. I skimmed it and found browser fuzzing the most interesting, and also fairly practical: for web pentesting in particular, its value is beyond doubt.

Then I spent the whole morning reading up on the common fuzzers.

https://bbs.pediy.com/thread-249986.htm

There is plenty of material; the one I like most is domato, written by people at Google:

https://github.com/googleprojectzero/domato

Of course, the fact that it has already found dozens of CVEs across the major browsers is what catches the eye.

The first fuzzing tool I tried was BFuzz, open source, which supports fuzzing Chrome and Firefox:

https://github.com/RootUp/BFuzz

It embeds domato; the usage is easy to find anywhere and comes down to a few commands.

Generate HTML files with domato:

python generator.py --output_dir ../recurve/ --no_of_files 1000

Then run python BFuzz.py

You enter the browser type and the wait time and that is all. When I tried it, though, it kept opening Chrome and loading pages without stopping.

That did not seem ideal: there is a pile of fuzz files, and memory looked like it would run short. Since it is Python source, I would have to adjust it myself later.

Because I use Windows, I modified BFuzz.py, replacing the .sh script with a .bat that calls domato,

and made it close Firefox automatically after each run without printing to the terminal. A few things also have to be adjusted in the Firefox profile; please Baidu or Google those yourself.
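The loop described above (one browser instance per generated case, close it after a fixed wait, then find out whether it crashed) as an added Python example. This is not BFuzz's code or the author's modified BFuzz. The Firefox, profile, case and minidump paths are assumptions, as is the location where Firefox writes minidumps for a profile; `-no-remote` and `-profile` are real Firefox command-line switches.

```python
"""Minimal Windows-oriented driver for domato cases: open one case per
browser instance, kill the browser after a fixed wait, and look for new
minidumps instead of trusting console output. Added example; every path
and timing below is an assumption to adapt to your own setup."""
import os
import pathlib
import subprocess
import sys
import time

# Assumed locations (hypothetical; adjust to your environment).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PROFILE = pathlib.Path(r"C:\fuzz\profile")    # dedicated profile, used with -no-remote
CASE_DIR = pathlib.Path(r"C:\fuzz\recurve")   # domato --output_dir
DUMP_DIR = PROFILE / "minidumps"              # assumed: where this profile's .dmp files land


def file_url(path):
    """Turn a local path into the file:/// URL the browser is given."""
    return pathlib.Path(path).resolve().as_uri()


def list_dumps(dump_dir):
    """Names of minidumps currently present (empty if the dir does not exist yet)."""
    dump_dir = pathlib.Path(dump_dir)
    if not dump_dir.is_dir():
        return set()
    return {p.name for p in dump_dir.glob("*.dmp")}


def run_case(cmd, timeout):
    """Run one command, wait at most `timeout` seconds, then kill it.

    Returns (timed_out, returncode, elapsed). A process that dies on its
    own before the timeout is the interesting case for a fuzzer."""
    start = time.monotonic()
    proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=timeout)
        timed_out = False
    except subprocess.TimeoutExpired:
        proc.kill()
        rc = proc.wait()
        timed_out = True
    return timed_out, rc, time.monotonic() - start


def kill_stragglers():
    """Firefox spawns content processes; on Windows make sure none survive a case."""
    if os.name == "nt":
        subprocess.run(["taskkill", "/F", "/IM", "firefox.exe"],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def fuzz(firefox=FIREFOX, case_dir=CASE_DIR, profile=PROFILE, dump_dir=DUMP_DIR, timeout=5):
    """Drive every .html in case_dir through its own browser instance.

    A case counts as a finding when the browser exited before the wait ran
    out or when a new minidump appeared (a content-process crash leaves the
    parent alive, so only the dump reveals it)."""
    findings = []
    for case in sorted(pathlib.Path(case_dir).glob("*.html")):
        before = list_dumps(dump_dir)
        cmd = [firefox, "-no-remote", "-profile", str(profile), file_url(case)]
        timed_out, rc, elapsed = run_case(cmd, timeout)
        kill_stragglers()
        new = sorted(list_dumps(dump_dir) - before)
        status = "timeout" if timed_out else "exit %d" % rc
        print("%s: %s after %.1fs, new dumps: %s" % (case.name, status, elapsed, new or "-"))
        if new or not timed_out:
            findings.append((case.name, status, new))
    return findings


if __name__ == "__main__":
    wait = float(sys.argv[1]) if len(sys.argv) > 1 else 5
    for finding in fuzz(timeout=wait):
        print("FINDING", finding)
```

Two details matter for the problem described in the post. A crash in a content process leaves the parent alive, so the wait times out exactly as it would for a healthy page; the minidump directory is the reliable signal, not the exit code. And a second firefox.exe started against a profile that is already open hands its URL to the running instance and exits at once, which is why the harness uses a dedicated profile with -no-remote and kills leftover processes between cases.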

https://github.com/zyfyc/BFuzz

Then last night before bed, taking the cloud server into account, I settled for generating 10,000 test files with domato.

Of course, while falling asleep I kept thinking that BFuzz's crash reporting did not seem very obvious.

I watched the BFuzz author's YouTube video, which suggests crashes are shown directly in the terminal.

But I have studied Python too, and the source code does not look like it can do that! So I thought about testing it.

In the end I could not find the matching HTML source files and browser versions online; PoCs are generally not public.

I was even thinking of switching to another fuzzer when I got up this morning, but when I logged into the server I found a surprise:

Checking the fuzz log, as expected there was no crash information at all, but luckily Firefox has its own crash reporter.

Firefox sure thought this through; disable the default automatic submission of crashes to their team, haha


AdapterDeviceID: 0x0000
AdapterSubsysID: 00000000
AdapterVendorID: 0x0000
Add-ons: cehomepage%40mozillaonline.com:3.66.2,cpmanager%40mozillaonline.com:4.72,formautofill%40mozilla.org:1.0,webcompat%40mozilla.org:6.4.0,default-theme%40mozilla.org:1.0,baidu%40search.mozilla.org:1.0,google%40search.mozilla.org:1.0,bing%40search.mozilla.org:1.0,ddg%40search.mozilla.org:1.0,wikipedia%40search.mozilla.org:1.0,amazondotcn%40search.mozilla.org:1.0
AvailablePageFile: 1010552832
AvailablePhysicalMemory: 1034682368
AvailableVirtualMemory: 3623755776
BreakpadReserveAddress: 46071808
BreakpadReserveSize: 83886080
BuildID: 20191202093317
CPUMicrocodeVersion: 0x1
ContentSandboxCapable: 1
ContentSandboxLevel: 5
CrashTime: 1577372916
DOMIPCEnabled: 1
FramePoisonBase: 0000004041080832
FramePoisonSize: 65536
InstallTime: 1576943060
LauncherProcessState: 0
ModuleSignatureInfo: {"Microsoft Corporation":["ucrtbase.dll","api-ms-win-crt-multibyte-l1-1-0.dll","api-ms-win-crt-environment-l1-1-0.dll","api-ms-win-crt-utility-l1-1-0.dll","api-ms-win-crt-time-l1-1-0.dll","api-ms-win-crt-filesystem-l1-1-0.dll","api-ms-win-crt-locale-l1-1-0.dll","api-ms-win-crt-math-l1-1-0.dll","api-ms-win-crt-stdio-l1-1-0.dll","api-ms-win-crt-convert-l1-1-0.dll","api-ms-win-crt-string-l1-1-0.dll","api-ms-win-crt-heap-l1-1-0.dll","api-ms-win-core-file-l2-1-0.dll","api-ms-win-core-synch-l1-2-0.dll","api-ms-win-core-timezone-l1-1-0.dll","msvcp140.dll","api-ms-win-core-processthreads-l1-1-1.dll","api-ms-win-core-file-l1-2-0.dll","VCRUNTIME140.dll","api-ms-win-core-localization-l1-2-0.dll","api-ms-win-crt-runtime-l1-1-0.dll"],"Microsoft Windows":["dui70.dll","duser.dll","explorerframe.dll","propsys.dll","wbemcomn2.DLL","mscms.dll","DWrite.dll","MMDevAPI.dll","netprofm.dll","uxtheme.dll","d3d11.dll","wbemprox.dll","npmproxy.dll","RpcRtRemote.dll","ntmarta.dll","dwmapi.dll","dxgi.dll","avrt.dll","wsock32.dll","apphelp.dll","bcrypt.dll","winsta.dll","dhcpcsvc.dll","wtsapi32.dll","winmm.dll","rsaenh.dll","cryptsp.dll","rasadhlp.dll","FWPUCLNT.DLL","wship6.dll","winrnr.dll","dnsapi.dll","NapiNSP.dll","nlaapi.dll","version.dll","powrprof.dll","dbghelp.dll","WSHTCPIP.DLL","mswsock.dll","winnsi.dll","IPHLPAPI.DLL","CRYPTBASE.dll","sspicli.dll","user32.dll","devobj.dll","msctf.dll","sechost.dll","rpcrt4.dll","wintrust.dll","gdi32.dll","ws2_32.dll","userenv.dll","usp10.dll","ole32.dll","lpk.dll","msvcrt.dll","advapi32.dll","cfgmgr32.dll","shlwapi.dll","clbcatq.dll","oleaut32.dll","profapi.dll","setupapi.dll","Wldap32.dll","crypt32.dll","KERNELBASE.dll","msasn1.dll","psapi.dll","nsi.dll","shell32.dll","imm32.dll","kernel32.dll","ntdll.dll"],"Mozilla Corporation":["firefox.exe","xul.dll","nssckbi.dll","freebl3.dll","softokn3.dll","nss3.dll","lgpllibs.dll","mozglue.dll"]}
Notes: FP(D00-L1000-W00000000-T000) 
DWrite? DWrite+ WR? WR- D2D1.1? D2D1.1- OMTP? OMTP+1 
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: Firefox
ReleaseChannel: release
SafeMode: 0
SecondsSinceLastCrash: 12369394
StartupCrash: 0
StartupTime: 1577372906
SystemMemoryUsePercentage: 51
TelemetryEnvironment: {"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86","buildId":"20191202093317","version":"71.0","vendor":"Mozilla","displayVersion":"71.0","platformVersion":"71.0","xpcomAbi":"x86-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":2047,"virtualMaxMB":4096,"cpu":{"count":1,"cores":1,"vendor":"GenuineIntel","family":6,"model":79,"stepping":1,"l2cacheKB":256,"l3cacheKB":40960,"speedMHz":2494,"extensions":["hasMMX","hasSSE","hasSSE2","hasSSE3","hasSSSE3","hasSSE4_1","hasSSE4_2","hasAVX","hasAVX2","hasAES"]},"os":{"name":"Windows_NT","version":"6.1","locale":"zh-CN","servicePackMajor":1,"servicePackMinor":0,"windowsBuildNumber":7601},"hdd":{"profile":{"model":null,"revision":null,"type":null},"binary":{"model":null,"revision":null,"type":null},"system":{"model":null,"revision":null,"type":null}},"gfx":{"D2DEnabled":false,"DWriteEnabled":true,"ContentBackend":"Skia","Headless":false,"adapters":[{"description":"RDPDD Chained 
DD","vendorID":"0x0000","deviceID":"0x0000","subsysID":"00000000","RAM":null,"driver":"RDPDD","driverVendor":null,"driverVersion":null,"driverDate":null,"GPUActive":true}],"monitors":[{"screenWidth":1920,"screenHeight":1080,"refreshRate":60,"pseudoDisplay":false}],"features":{"compositor":"none","gpuProcess":{"status":"blacklisted"},"wrQualified":{"status":"blacklisted"},"webrender":{"status":"unavailable-no-angle"},"d3d11":{"status":"blacklisted"},"d2d":{"status":"unavailable","version":"1.1"}}},"appleModelId":null},"settings":{"blocklistEnabled":true,"e10sEnabled":true,"e10sMultiProcesses":8,"telemetryEnabled":false,"locale":"zh-CN","intl":{},"update":{"channel":"release","enabled":true},"userPrefs":{"browser.cache.disk.capacity":727040,"browser.newtabpage.enabled":false,"browser.search.region":"CN","browser.search.widget.inNavBar":false,"browser.startup.homepage":"<user-set>","extensions.screenshots.disabled":true},"sandbox":{"effectiveContentProcessLevel":5},"launcherProcessState":0,"addonCompatibilityCheckEnabled":true,"isDefaultBrowser":null},"profile":{}}
ThreadIdNameMapping: 2760:"Gecko_IOThread",2312:"JS Watchdog",2424:"JS Helper",3260:"JS Helper",3000:"Timer",3236:"Link Monitor #1",2616:"Socket Thread",3744:"IPDL Background",3056:"SoftwareVsyncThread",2268:"Compositor",3952:"ImgDecoder #1",3712:"ImageIO",3080:"Cache2 I/O",3384:"Cookie",3108:"GMPThread",3776:"Worker Launcher",3724:"DOM Worker",3084:"QuotaManager IO",620:"StreamTrans #5",3592:"IPC Launch",2588:"ImageBridgeChild",3916:"ProcessHangMon",2352:"IndexedDB #1",3312:"StreamTrans #13",1096:"DataStorage",3580:"DNS Resolver #1",3900:"HTTP Handler Background",2612:"Cache I/O",1328:"mozStorage #1",1568:"HTML5 Parser",2968:"mozStorage #2",4016:"StreamTrans #26",1996:"DNS Resolver #2",3020:"mozStorage #3",520:"DOM Worker",1768:"DNS Resolver #3",2892:"StreamTrans #42",2064:"IndexedDB #2",4044:"StreamTrans #47",3048:"StreamTrans #48",996:"IndexedDB #3",3604:"StreamTrans #49",2324:"localStorage DB",
Throttleable: 1
TotalPageFile: 2146951168
TotalPhysicalMemory: 2146951168
TotalVirtualMemory: 4294836224
URL: file:///C:/Users/Administrator/Desktop/bfuzz/recurve/fuzz-00281.html
UptimeTS: 37.529402
Vendor: Mozilla
Version: 71.0
Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 2 : 1 : 6 : 0x20066 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : e70f1aa0-ab8b-11cf-8ca3-00805f48a192 
 MSAFD Tcpip [UDP/IP] : 2 : 2 : 2 : 17 : 0x20609 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : e70f1aa0-ab8b-11cf-8ca3-00805f48a192 
 MSAFD Tcpip [RAW/IP] : 2 : 2 : 3 : 0 : 0x20609 : 0xc : %SystemRoot%\system32\mswsock.dll :  : e70f1aa0-ab8b-11cf-8ca3-00805f48a192 
 MSAFD Tcpip [TCP/IPv6] : 2 : 23 : 1 : 6 : 0x20066 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : f9eab0c0-26d4-11d0-bbbf-00aa006c34e4 
 MSAFD Tcpip [UDP/IPv6] : 2 : 23 : 2 : 17 : 0x20609 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : f9eab0c0-26d4-11d0-bbbf-00aa006c34e4 
 MSAFD Tcpip [RAW/IPv6] : 2 : 23 : 3 : 0 : 0x20609 : 0xc : %SystemRoot%\system32\mswsock.dll :  : f9eab0c0-26d4-11d0-bbbf-00aa006c34e4 
 RSVP TCPv6 服务提供商 : 2 : 23 : 1 : 6 : 0x22066 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : 9d60a9e0-337a-11d0-bd88-0000c082e69a 
 RSVP TCP 服务提供商 : 2 : 2 : 1 : 6 : 0x22066 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : 9d60a9e0-337a-11d0-bd88-0000c082e69a 
 RSVP UDPv6 服务提供商 : 2 : 23 : 2 : 17 : 0x22609 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : 9d60a9e0-337a-11d0-bd88-0000c082e69a 
 RSVP UDP 服务提供商 : 2 : 2 : 2 : 17 : 0x22609 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : 9d60a9e0-337a-11d0-bd88-0000c082e69a
useragent_locale: zh-CN

This report also contains technical information about the state of the application at the time of the crash.


Of course, after a round of verification, it looks like this file keeps copying itself until memory is exhausted.
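To turn a pile of crash reports like the one above into something triageable, here is an added Python example (not BFuzz's or the author's code) that parses the text-format report shown in this post and pulls out what a first pass needs: which generated case was loaded, when, on which build, and how much memory was left. The sample is a shortened copy of the report above; the functions and their names are this example's own.

```python
"""Parse the key: value crash report Firefox's crash reporter displays and
extract the fields that matter for triage. Added example; SAMPLE is a
shortened copy of the report shown in the post."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# A report line is "Key: value"; anything else is a continuation of the
# previous value (the Notes and Winsock_LSP entries above span several lines).
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*): ?(.*)$")

SAMPLE = r"""AdapterDeviceID: 0x0000
AvailablePhysicalMemory: 1034682368
BuildID: 20191202093317
CrashTime: 1577372916
Notes: FP(D00-L1000-W00000000-T000) 
DWrite? DWrite+ WR? WR- D2D1.1? D2D1.1- OMTP? OMTP+1 
ProductName: Firefox
StartupCrash: 0
SystemMemoryUsePercentage: 51
TotalPhysicalMemory: 2146951168
URL: file:///C:/Users/Administrator/Desktop/bfuzz/recurve/fuzz-00281.html
UptimeTS: 37.529402
Version: 71.0
Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 2 : 1 : 6 : 0x20066 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : e70f1aa0-ab8b-11cf-8ca3-00805f48a192 
 MSAFD Tcpip [UDP/IP] : 2 : 2 : 2 : 17 : 0x20609 : 0x8 : %SystemRoot%\system32\mswsock.dll :  : e70f1aa0-ab8b-11cf-8ca3-00805f48a192 
useragent_locale: zh-CN
"""


def parse_report(text):
    """Map each report key to its (possibly multi-line) value."""
    report = {}
    last = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            last = m.group(1)
            report[last] = m.group(2).rstrip()
        elif last is not None and line.strip():
            report[last] += "\n" + line.strip()
    return report


def case_path(report):
    """Local path of the fuzz case the browser had loaded, taken from the file:// URL."""
    parts = urlparse(report.get("URL", ""))
    if parts.scheme != "file":
        return None
    return unquote(parts.path).lstrip("/")   # e.g. C:/Users/.../recurve/fuzz-00281.html


def triage(report):
    """The handful of facts needed to reproduce and rank a crash."""
    total = int(report["TotalPhysicalMemory"])
    avail = int(report["AvailablePhysicalMemory"])
    return {
        "case": case_path(report),
        "crashed_at": datetime.fromtimestamp(int(report["CrashTime"]), tz=timezone.utc).isoformat(),
        "product": "%s %s (build %s)" % (report["ProductName"], report["Version"], report["BuildID"]),
        "uptime_s": float(report["UptimeTS"]),
        "startup_crash": report.get("StartupCrash") == "1",
        "free_ram_ratio": avail / total,
        "system_mem_use_pct": int(report["SystemMemoryUsePercentage"]),
    }


def group_by_case(reports):
    """Bucket parsed reports by the case that triggered them, so a case that
    crashes the browser every time stands out from one-off noise."""
    buckets = {}
    for rep in reports:
        buckets.setdefault(case_path(rep), []).append(rep)
    return buckets


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE))
    for key, value in summary.items():
        print("%-20s %s" % (key, value))
```

The memory fields are a hint, not proof: this particular report still shows roughly half of physical RAM free at the moment of the crash, so the self-copying behaviour the author found came from looking at the case itself. Keep the case file next to the report, since the URL field is the only link between the two once the fuzzer has moved on.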

Either way, it is confirmed that this works, so I can keep going with it for now.

Also, here are some browser-fuzzing articles, noted down for later:

https://bugid.skylined.nl/20181017001.html

http://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/

https://sigpwn.io/blog/2018/5/13/adding-afl-bloom-filter-to-domato-for-fun

https://drive.google.com/file/d/0B4ZwSwfSILSIcWhzY1NnY0lrNEk/view

https://sensepost.com/blog/2015/wadi-fuzzer/

Finally, a WinDbg download to share; the version may be a bit old, but it can of course be installed on Windows 10.

https://pc.qq.com/detail/0/detail_2060.html

Author: Iamyc      Title: Browser fuzzing
Post URL: http://lang-v.com/first_cms/yc/emlog/src/?post=130
Copyright: unless otherwise noted, posts are original works of "YC's Blog"; keep the source when reposting.