Dailydave mailing list archives

[dave () immunityinc com: I love the smell of Cisco remotes in the morning]


From: Enno Rey <erey () ernw de>
Date: Thu, 17 Apr 2008 23:21:07 +0200

List,

in the meantime we've expanded the stuff a bit. The code for SPIKE and Sulley (+ the Shmoo08 presentation) can be found 
here:

http://www.ernw.de/download/l2spike_04-15-08.tar.bz2
http://www.ernw.de/download/l2sulley_04-15-08.tar.bz2
http://www.ernw.de/download/l2_fuzzing_shmoo08.pdf

Most of the work has been done on Sulley scripts. Now there are some (not tested too extensively so far) on:
arp, dtp, lldp (bit fields still missing), lwapp, pvstp, udld, vtp, cdp, edp, mpls, stp, vrrp, wlccp

============


Dave, in particular for SPIKE some words below.

thanks,

Enno


-- 
Enno Rey

Check out www.troopers08.org!


=========================================================================
New Spike L2 Version released

We are happy to announce the release of a new version of the SPIKE_L2 Fuzzing-Framework. It mainly consists of the original
SPIKE 2.9 and a few new functions with the focus on layer 2 fuzzing.
This "add-on" for SPIKE is the output of one of our research projects. The goal of this project was to evaluate the security
of network devices and to get a better understanding of some protocols and the fuzzing process in protocol space.
The layer 2 stuff is based on libnet and, like the original SPIKE 2.9, runs only on Linux.
To compile just:
 ./configure
 make

=======New Functions===============
 - l2_write_data()
 - s_binary_type_and_block_size_lldp()
 - s_random_fuzz() and s_random_fuzz_repeat()
 - s_binary_selection()
 - s_string_variable_sized()

 For more details take a look at the changelog

=======Layer2 Protocol-Scripts=====
 - ARP
 - DTP
 - VTP
 - LLDP
 - MPLS

 Now layer 2 fuzzing is as easy as fuzzing on tcp or udp!

========================================================================



----- Forwarded message from Dave Aitel <dave () immunityinc com> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So there was a talk at Shmoocon about modifying SPIKE 2.9 to be a decent 
fuzzer for Layer 2. During the talk they demonstrated a remote stack 
overflow in some Cisco box via some random L2 protocol I'd never heard 
of before. That was very cool. :>

This has an earlier version of their talk. At some point they're going 
to put their modified SPIKE online, so everyone can find cool L2 bugs, 
although for their newer work I believe they've switched to Sulley.

http://www.day-con.org/2007/l2_fuzzing_v099r_ger.pdf

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHuGE7tehAhL0gheoRArKqAJ9MzilSKaJI9mfZMcwHe65WEiaw1gCfQi61
LDtWk6eKuBHX5KCdmLOgzKk=
=S1Mj
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

----- End forwarded message -----

-- 
Enno Rey

Check out www.troopers08.org!


ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey

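The announcement above targets LLDP among other layer 2 protocols, and the fuzzer's LLDP helper works on the TLV type and block-size fields. What a fuzzer like that exercises is the receiving device's TLV parser, so the defensive counterpart is a parser that refuses any TLV whose claimed length runs past the frame. The following C is an added example written for this page, not code from SPIKE_L2, Sulley or ERNW: a bounds-checked LLDP TLV walker plus a copy routine that never writes past a fixed buffer. The header layout (7-bit type, 9-bit length, big-endian) is IEEE 802.1AB; the two sample LLDPDUs are constructed here, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* LLDP (IEEE 802.1AB) TLV header: 16 bits = 7-bit type | 9-bit length. */
#define LLDP_TLV_END 0

struct lldp_tlv {
    uint8_t type;
    uint16_t len;
    const uint8_t *value;   /* points into the frame; nothing is copied here */
};

/* Walk the TLVs of an LLDPDU. Returns the number of TLVs stored (the End
 * TLV is not stored), or -1 if a header does not fit, a value runs past the
 * end of the buffer, the End TLV is missing or malformed, or more than
 * max_tlvs are present. 'off' never exceeds buflen, so the unsigned
 * subtractions below cannot wrap. */
int lldp_parse(const uint8_t *buf, size_t buflen,
               struct lldp_tlv *out, size_t max_tlvs)
{
    size_t off = 0, n = 0;
    for (;;) {
        if (buflen - off < 2)                    /* header must fit */
            return -1;
        uint16_t hdr = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint8_t type = (uint8_t)(hdr >> 9);
        uint16_t len = hdr & 0x1FF;
        off += 2;
        if (type == LLDP_TLV_END)
            return (len == 0) ? (int)n : -1;     /* End TLV has length 0 */
        if (len > buflen - off)                  /* value must fit: no over-read */
            return -1;
        if (n == max_tlvs)
            return -1;
        out[n].type = type;
        out[n].len = len;
        out[n].value = buf + off;
        n++;
        off += len;
    }
}

/* Copy a TLV value into a fixed-size, NUL-terminated destination.
 * Returns the bytes copied, or -1 if the value (plus NUL) would not fit. */
int lldp_copy_value(const struct lldp_tlv *tlv, char *dst, size_t dstlen)
{
    if (dstlen == 0 || tlv->len >= dstlen)
        return -1;
    memcpy(dst, tlv->value, tlv->len);
    dst[tlv->len] = '\0';
    return (int)tlv->len;
}

/* Constructed sample LLDPDU (not captured): Chassis ID (MAC subtype),
 * Port ID (interface-name subtype, "e1"), TTL 120 s, End TLV. */
static const uint8_t SAMPLE_GOOD[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x04, 0x03, 0x05, 'e', '1',
    0x06, 0x02, 0x00, 0x78,
    0x00, 0x00
};

/* Constructed malformed LLDPDU: the Chassis ID header claims 300 bytes
 * (0x032C = type 1, length 0x12C) but only 4 bytes follow. */
static const uint8_t SAMPLE_BAD[] = { 0x03, 0x2C, 0x04, 0xde, 0xad, 0xbe };

int parse_sample_good(void)
{
    struct lldp_tlv tlvs[8];
    return lldp_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, tlvs, 8);
}

int parse_sample_bad(void)
{
    struct lldp_tlv tlvs[8];
    return lldp_parse(SAMPLE_BAD, sizeof SAMPLE_BAD, tlvs, 8);
}

/* Copy the Port ID value of SAMPLE_GOOD into a buffer of dstlen bytes
 * (dstlen <= 16); returns -1 when the value would not fit. */
int copy_port_id(size_t dstlen)
{
    struct lldp_tlv tlvs[8];
    char dst[16];
    if (lldp_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, tlvs, 8) < 2)
        return -1;
    return lldp_copy_value(&tlvs[1], dst, dstlen > sizeof dst ? sizeof dst : dstlen);
}

int main(void)
{
    printf("well-formed frame: %d TLVs\n", parse_sample_good());
    printf("oversized TLV frame: %d (rejected)\n", parse_sample_bad());
    printf("port id into 16 bytes: %d, into 3 bytes: %d\n",
           copy_port_id(16), copy_port_id(3));
    return 0;
}
```

The two checks that matter are `len > buflen - off` (the value must lie inside the frame) and `tlv->len >= dstlen` (the value must fit the destination); a parser that trusts the 9-bit length field for either step is exactly what a fuzzer emitting random type/length headers is built to find.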
