🥷
🥷

Fuzzing学习笔记:fuzzing firefox browser with grizzly

2019.07.31 放之 安全工程师

grizzly is cross platform browser fuzzing framework, when we read the introduction. it was developed by Mozilla Security. In this blog, i will show you how to use it to start browser fuzzing. This tutorial was running on my windows computer

This is the finally status:

image

So. let’s beginning.

First, we need to follow this instruction to install grizzly

  • install grizzly
1
2
git clone https://github.com/MozillaSecurity/grizzly.git
python -m pip install -e grizzly --user

  • install testcase reducer

    1
    2
    git clone https://github.com/MozillaSecurity/lithium.git
    python -m pip install -e lithium --user

  • install firefox support

    1
    2
    git clone https://github.com/MozillaSecurity/ffpuppet.git
    python -m pip install -e ffpuppet --user

  • download firefox build viaa fuzzfetch

    1
    2
    3
    git clone https://github.com/MozillaSecurity/fuzzfetch.git
    python -m pip install -e fuzzfetch --user
    python -m fuzzfetch -a -n firefox --fuzzing -o browsers/

  • download prefs.js

    1
    wget -O ./browsers/prefs.js https://raw.githubusercontent.com/MozillaSecurity/fuzzdata/master/settings/firefox/prefs-default-e10s.js

image

Now, you can running it with no-op adapter, because there was only one adapter was being installed by default, also you have no choice to find new one. you must write it by yourself. So, we can run it firstly:
image

But if you want another adapter, what should i do ?

image

Now, you can see this example. it was create from wiki, but it not suitable to Windows. so let’s change it.

  • download domato (Dom fuzzer was developed by google project zero)
1
git clone --depth=1 https://github.com/googleprojectzero/domato

in this tutorial, i put in this place:

image

Now, we need to modify the script to make it suitable for windows.

  • tempfile can not used in windows
  • subprocess was error winError xx
  • windows path format
  • environment problem

also, you need make sure you fuzz data was generator correctly. So you need time sleep.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import os
import uuid
import random
import shutil
import subprocess
import tempfile
import time

from grizzly.common import Adapter, TestFile

DOMATO_PATH = "../../domato/generator.py"

class BasicExampleAdapter(Adapter):
    NAME = "basic"

    def setup(self, _):
        self.enable_harness()
        # create directory to temporarily store generated content
        self.fuzz["tmp"] = "./fuzztest{}".format(random.random()) #os.path.join('../../domato/','fuzz_gen{}'.format(str(uuid.uuid1()).split("-")[0]))   # tempfile.mkdtemp(prefix="fuzz_gen_")

        os.mkdir(self.fuzz['tmp'])
        
        if os.environ.get("FUZZTOOL"):
            run = "pythoh {}".format(os.environ["FUZZTOOL"])
        else:
            run = "pythoh {}".format(DOMATO_PATH)
        # command used to call fuzzer to generate output
        self.fuzz["cmd"] = [
            run,  # binary to call
            "--no_of_files", "1",
            "--output_dir", self.fuzz["tmp"]
        ]

        
    def generate(self, testcase, *_):
        # launch fuzzer to generate a single file
        # subprocess.check_output(self.fuzz["cmd"])
        # subprocess.Popen(self.fuzz["cmd"], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE )

        # lookup the name of the newly generated file on disk

        os.system("python ../../domato/generator.py --no_of_files 10 --output_dir {}".format(self.fuzz["tmp"]))
        time.sleep(3)

        gen_file = os.path.join(self.fuzz["tmp"], os.listdir(self.fuzz["tmp"])[0])
        # create a TestFile from the generated file
        test_file = TestFile.from_file(gen_file, testcase.landing_page)
        # remove generated file now that the data has been added to a test file
        os.remove(gen_file)
        # add test file to the testcase
        testcase.add_file(test_file)

    def shutdown(self):
        # remove temporary working directory if needed
        if os.path.isdir(self.fuzz["tmp"]):
            shutil.rmtree(self.fuzz["tmp"], ignore_errors=True)

Now, you would found, it can be used correctly for custom fuzzer adapter. As you viewed as beginning. When i try to run this demo, it was caused about 2 days. Also there was another reason. for example. horriable network… So, next step, we should waiting and reading the source code.