Oops, forgot to include the actual changes!

AUTHORS.txt

@@ -6,5 +6,4 @@ Aaron Portnoy <[email protected]>
     http://dvlabs.tippingpoint.com/team/aportnoy
 
 Ryan Sears <[email protected]>
-    http://talesofacoldadmin.com
     http://fitblip.github.com/

examples/fuzz_trend_control_manager_20901.py

@@ -6,7 +6,7 @@
 # this was a really half assed fuzz. someone should take it further, see my notes in the requests file for more info.
 #
 
-from sulley   import *
+from sulley import *
 from requests import trend
 
 ########################################################################################################################

examples/fuzz_trend_server_protect_5168.py

@@ -9,31 +9,31 @@
 #     network_monitor.py -d 1 -f "src or dst port 5168" -p audits\trend_server_protect_5168
 #
 # on localhost:
-#     vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" -x "v:\vmfarm\images\windows\2000\win_2000_pro-clones\TrendM~1\win_2000_pro.vmx" --snapshot "sulley ready and waiting"
+#     vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" \
+#                  -x "v:\vmfarm\images\windows\2000\win_2000_pro-clones\TrendM~1\win_2000_pro.vmx" \
+#                  --snapshot "sulley ready and waiting"
 #
 # this key gets written which fucks trend service even on reboot.
 # HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion\Engine
 #
 # uncomment the req/num to do a single test case.
 #
 
-import time
-
-from sulley   import *
+from sulley import utils, s_get, s_mutate, s_render, sessions, pedrpc
 from requests import trend
 
 req = num = None
 #req = "5168: op-3"
 #num = "\x04"
 
-def rpc_bind (sock):
+def rpc_bind(sock):
     bind = utils.dcerpc.bind("25288888-bd5b-11d1-9d53-0080c83a5c2c", "1.0")
     sock.send(bind)
 
     utils.dcerpc.bind_ack(sock.recv(1000))
 
 
-def do_single (req, num):
+def do_single(req, num):
     import socket
 
     # connect to the server.
@@ -56,7 +56,7 @@ def do_single (req, num):
     print "done."
 
 
-def do_fuzz ():
+def do_fuzz():
     sess   = sessions.session(session_filename="audits/trend_server_protect_5168.session")
     target = sessions.target("192.168.181.133", 5168)
 
@@ -88,7 +88,6 @@ def do_fuzz ():
 
     print "done fuzzing. web interface still running."
 
-
 if not req or not num:
     do_fuzz()
 else:

examples/fuzz_trillian_jabber.py

@@ -9,17 +9,22 @@
 #     process_monitor.py -c audits\trillian_jabber.crashbin -p trillian.exe
 #
 # on localhost:
-#     vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" -x "v:\vmfarm\images\windows\xp\win_xp_pro-clones\allsor~1\win_xp_pro.vmx" --snapshot "sulley ready and waiting"
+#     vmcontrol.py -r "c:\Progra~1\VMware\VMware~1\vmrun.exe" \
+#                  -x "v:\vmfarm\images\windows\xp\win_xp_pro-clones\allsor~1\win_xp_pro.vmx" \
+#                  --snapshot "sulley ready and waiting"
 #
 # note:
 #     you MUST register the IP address of the fuzzer as a valid MDNS "presence" host. to do so, simply install and
 #     launch trillian on the fuzz box with rendezvous enabled. otherwise the target will drop the connection.
 #
 
-from sulley   import *
+from sulley import sessions, \
+    pedrpc, \
+    s_get
+
 from requests import jabber
 
-def init_message (sock):
+def init_message(sock):
     init  = '<?xml version="1.0" encoding="UTF-8" ?>\n'
     init += '<stream:stream to="152.67.137.126" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'
 
@@ -30,8 +35,8 @@ def init_message (sock):
 target                 = sessions.target("152.67.137.126", 5298)
 target.netmon          = pedrpc.client("152.67.137.126", 26001)
 target.procmon         = pedrpc.client("152.67.137.126", 26002)
-target.vmcontrol       = pedrpc.client("127.0.0.1",      26003)
-target.procmon_options = { "proc_name" : "trillian.exe" }
+target.vmcontrol       = pedrpc.client("127.0.0.1", 26003)
+target.procmon_options = {"proc_name": "trillian.exe"}
 
 # start up the target.
 target.vmcontrol.restart_target()

examples/mdns.py

@@ -3,13 +3,22 @@
 # A partial MDNS fuzzer.  Could be made to be a DNS fuzzer trivially
 # Charlie Miller <[email protected]>
 
-from sulley   import *
-from binascii import *
-from struct import *
+from sulley import s_word, \
+    s_initialize,          \
+    sessions,              \
+    s_block_start,         \
+    s_size,                \
+    s_block_end,           \
+    s_string,              \
+    s_repeat,              \
+    s_group,               \
+    s_dword,               \
+    s_binary,              \
+    s_get
 
-def insert_questions (sess, node, edge, sock):
-	node.names['Questions'].value = 1+node.names['queries'].current_reps
-        node.names['Authority'].value = 1+node.names['auth_nameservers'].current_reps
+def insert_questions(sess, node, edge, sock):
+    node.names['Questions'].value = 1 + node.names['queries'].current_reps
+    node.names['Authority'].value = 1 + node.names['auth_nameservers'].current_reps
 
 s_initialize("query")
 s_word(0, name="TransactionID")
@@ -19,50 +28,50 @@ def insert_questions (sess, node, edge, sock):
 s_word(1, name="Authority", endian='>')
 s_word(0, name="Additional", endian='>')
 
-######### Queries ################
+# ######## Queries ################
 if s_block_start("query"):
-	if s_block_start("name_chunk"): 
-		s_size("string", length=1)
-		if s_block_start("string"):
-			s_string("A"*10)
-		s_block_end()
-	s_block_end()
-	s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName")
+    if s_block_start("name_chunk"):
+        s_size("string", length=1)
+        if s_block_start("string"):
+            s_string("A" * 10)
+        s_block_end()
+    s_block_end()
+    s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName")
 
-	s_group("end", values=["\x00", "\xc0\xb0"])   # very limited pointer fuzzing
-	s_word(0xc, name="Type", endian='>')
-	s_word(0x8001, name="Class", endian='>')
+    s_group("end", values=["\x00", "\xc0\xb0"])  # very limited pointer fuzzing
+    s_word(0xc, name="Type", endian='>')
+    s_word(0x8001, name="Class", endian='>')
 s_block_end()
 s_repeat("query", 0, 1000, 40, name="queries")
 
 
 ######## Authorities ############
 if s_block_start("auth_nameserver"):
-	if s_block_start("name_chunk_auth"):
-	        s_size("string_auth", length=1)
-	        if s_block_start("string_auth"):
-	                s_string("A"*10)
-	        s_block_end()
-	s_block_end()
-	s_repeat("name_chunk_auth", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName_auth")
-	s_group("end_auth", values=["\x00", "\xc0\xb0"])   # very limited pointer fuzzing
+    if s_block_start("name_chunk_auth"):
+        s_size("string_auth", length=1)
+        if s_block_start("string_auth"):
+            s_string("A" * 10)
+        s_block_end()
+    s_block_end()
+    s_repeat("name_chunk_auth", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName_auth")
+    s_group("end_auth", values=["\x00", "\xc0\xb0"])  # very limited pointer fuzzing
 
-	s_word(0xc, name="Type_auth", endian='>')
-	s_word(0x8001, name="Class_auth", endian='>')
-	s_dword(0x78, name="TTL_auth", endian='>')
-	s_size("data_length", length=2, endian='>')
-	if s_block_start("data_length"):
-		s_binary("00 00 00 00 00 16 c0 b0")      # This should be fuzzed according to the type, but I'm too lazy atm
-	s_block_end()
+    s_word(0xc, name="Type_auth", endian='>')
+    s_word(0x8001, name="Class_auth", endian='>')
+    s_dword(0x78, name="TTL_auth", endian='>')
+    s_size("data_length", length=2, endian='>')
+    if s_block_start("data_length"):
+        s_binary("00 00 00 00 00 16 c0 b0")  # This should be fuzzed according to the type, but I'm too lazy atm
+    s_block_end()
 s_block_end()
 s_repeat("auth_nameserver", 0, 1000, 40, name="auth_nameservers")
 
 s_word(0)
 
-sess                   = sessions.session(proto="udp")
-target                 = sessions.target("224.0.0.251", 5353)
+sess = sessions.session(proto="udp")
+target = sessions.target("224.0.0.251", 5353)
 sess.add_target(target)
-sess.connect(s_get("query"), callback=insert_questions )
+sess.connect(s_get("query"), callback=insert_questions)
 
 sess.fuzz()
 

network_monitor.py

@@ -55,7 +55,7 @@ def create_usage():
 
 ########################################################################################################################
 class PcapThread (threading.Thread):
-    def __init__ (self, network_monitor, pcap, pcap_save_path):
+    def __init__(self, network_monitor, pcap, pcap_save_path):
         self.network_monitor = network_monitor
         self.pcap            = pcap
         self.decoder         = None
@@ -73,7 +73,7 @@ def __init__ (self, network_monitor, pcap, pcap_save_path):
 
         threading.Thread.__init__(self)
 
-    def packet_handler (self, header, data):
+    def packet_handler(self, header, data):
         # add the captured data to the PCAP.
         self.dumper.dump(header, data)
 
@@ -83,15 +83,15 @@ def packet_handler (self, header, data):
         # log the decoded data at the appropriate log level.
         self.network_monitor.log(self.decoder.decode(data), 15)
 
-    def run (self):
+    def run(self):
         # process packets while the active flag is raised.
         while self.active:
             self.pcap.dispatch(0, self.packet_handler)
 
 
 ########################################################################################################################
 class NetworkMonitorPedrpcServer (pedrpc.server):
-    def __init__ (self, host, port, monitor_device, bpf_filter="", path="./", level=1):
+    def __init__(self, host, port, monitor_device, bpf_filter="", path="./", level=1):
         """
         @type  host:           str
         @param host:           Hostname or IP address to bind server to
@@ -128,7 +128,7 @@ def __init__ (self, host, port, monitor_device, bpf_filter="", path="./", level=
         self.log("\t log_level: %d" % self.log_level)
         self.log("Awaiting requests...")
 
-    def __stop (self):
+    def __stop(self):
         """
         Kill the PCAP thread.
         """
@@ -139,14 +139,14 @@ def __stop (self):
             self.pcap_thread.active = False
             self.pcap_thread        = None
 
-    def alive (self):
+    def alive(self):
         """
         Returns True. Useful for PED-RPC clients who want to see if the PED-RPC connection is still alive.
         """
 
         return True
 
-    def post_send (self):
+    def post_send(self):
         """
         This routine is called after the fuzzer transmits a test case and returns the number of bytes captured by the
         PCAP thread.
@@ -164,7 +164,7 @@ def post_send (self):
         self.log("stopped PCAP thread, snagged %d bytes of data" % data_bytes)
         return data_bytes
 
-    def pre_send (self, test_number):
+    def pre_send(self, test_number):
         """
         This routine is called before the fuzzer transmits a test case and spin off a packet capture thread.
         """
@@ -180,7 +180,7 @@ def pre_send (self, test_number):
         self.pcap_thread = PcapThread(self, self.pcap, pcap_log_path)
         self.pcap_thread.start()
 
-    def log (self, msg="", level=1):
+    def log(self, msg="", level=1):
         """
         If the supplied message falls under the current log level, print the specified message to screen.
 
@@ -191,7 +191,7 @@ def log (self, msg="", level=1):
         if self.log_level >= level:
             print "[%s] %s" % (time.strftime("%I:%M.%S"), msg)
 
-    def retrieve (self, test_number):
+    def retrieve(self, test_number):
         """
         Return the raw binary contents of the PCAP saved for the specified test case number.
 
@@ -208,11 +208,11 @@ def retrieve (self, test_number):
 
         return data
 
-    def set_filter (self, new_filter):
+    def set_filter(self, new_filter):
         self.log("updating PCAP filter to '%s'" % new_filter)
         self.filter = new_filter
 
-    def set_log_path (self, new_log_path):
+    def set_log_path(self, new_log_path):
         self.log("updating log path to '%s'" % new_log_path)
         self.log_path = new_log_path