I created this project as part of my thesis, where I presented computer security and it’s importance in the modern world. I tested the fuzzyftp on different FTP servers with a goal of finding existing vulnerabilities to prove that fuzzyftp can be used to find vulnerabilities in real world FTP servers.
The table below presents the FTP servers and existing vulnerabilities that I was able to detect with Peach and Sulley FTP input file. The first column presents the FTP server and version I was testing, the second column presents an existing vulnerability, where the third and forth columns present the numbers 0 or 1 based on whether the vulnerability was found by Sulley or Peach (by using my input files defining FTP protocol).
FTP Server | Known Vulnerabilities | Sulley | Peach |
---|---|---|---|
SlimFTPd 3.15 | CWD | 0 | 1 |
STOR | 0 | 1 | |
MKD | 0 | 1 | |
STAT | 0 | 1 | |
Other | 0 | 10 | |
None | 0 | 0 | |
EasyFTP 1.7.0.11 | CWD | 1 | 1 |
LIST | 1 | 1 | |
MKD | 1 | 1 | |
DELE | 1 | 1 | |
STOR | 1 | 1 | |
RNFR | 1 | 1 | |
RMD | 1 | 1 | |
XRMD | 1 | 1 | |
NLST | 1 | 1 | |
APPE | 1 | 1 | |
RETR | 1 | 1 | |
SIZE | 1 | 1 | |
XCWD | 1 | 1 | |
Cesar FTP 0.99g | MKD | 0 | 1 |
Serv-U 4.1.0.0 | MDTM | 0 | 0 |
From the table above, we can see that Peach found more vulnerabilities than Sulley by using the same specification of the FTP protocol.
This repository holds the following files for presenting the FTP protocol:
Aditionally, the repository also contains input files for Vulnserver:
To use the input files into the Sulley/Peach generic fuzzers, you first have to download the fuzzers. The instructions for downloading the fuzzers:
If we would like to use Peach, we need to follow these steps:
Install Peach agent on computer where FTP server is running.
Install Peach on computer from where we'll be testing the FTP server (can be the same computer).
Edit the ftp.xml and change the IP address of the Peach agent as well as the command that will restart the FTP server once it becomes unavailable (on crash).
<Agent name="AgentRemote" location="http://10.1.1.169:9001">
<Monitor name="AgentDebugger" class="debugger.WindowsDebugEngine">
<Param name="CommandLine" value="C:\Users\eleanor\Desktop\easyftp\ftpbasicsvr.exe /nontservice" />
</Monitor>
</Agent>
# python peach.py ftp.xml
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。