Samiux's Blog

Open Source is a great idea and it has changed the world! Open Source forever ....

While you do not know attack, how can you know about defense? (未知攻,焉知防?)

Do BAD things .... for the RIGHT reasons -- OWASP ZAP

It is easier to port a shell than a shell script. -- Larry Wall

Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall

为天地立心，为生民立命，为往圣继绝学，为万世开太平。 -- 王炜

Sunday, June 09, 2013

HOWTO : CERT Basic Fuzzing Framework (BFF) on Ubuntu Desktop 12.04 LTS

BFF is a fuzzing framework.

Step 1 :

sudo -sH

mkdir /opt/bff

cd /opt/bff

wget http://www.cert.org/download/bff/BFF-2.6.zip

unzip BFF-2.6.zip

Step 2 :

sudo -sH

apt-get install python-numpy python-scipy valgrind libtool libcaca0 caca-utils zzuf python-memcache imagemagick

Step 3 :

sudo -sH

mv /usr/bin/strip /usr/bin/strip-original

ln -s /bin/true /usr/bin/strip

ln -s /usr/bin/convert /root/convert



echo "kernel.randomize_va_space=0" >> /etc/sysctl.conf

Reboot your system.

Step 4 :

To run it (for the examples).

sudo -sH

cd /opt/bff

./batch.sh

The result is located at /root/results.

The example is situated at /opt/bff/seedfiles/examples. Those are .bmp, .gif, .ppm and .psd files only. You can fuzz binary file too.

To quit it.

cd /opt/bff

./reset_bff.sh 1

Step 5 (Optional) :

wget http://www.cert.org/download/bff/DebianFuzz-2.6.zip

Please read the Download page for detail of installation of Debian based virtual machine fuzzer. The BFF is running under the virtual machine (VMWare).

ImageMagick Fuzzing Tutorial

Analyzer Scripts Tutorial

Fuzz Testing: Vulnerabilities and Exploit mitigation (PDF)

That's all! See you.