jtpereyda / boofuzz

A fork and successor of the Sulley Fuzzing Framework

Procmon "freezes" multithreaded software

henryreed opened this issue · comments

Report

Hi folks,

I am attempting to fuzz NASA's Core Flight System (cFS) using Boofuzz and its Process Monitor for unix. Unfortunately, when Procmon hooks into cFS it seems to also break its UDP input. This can be seen by capturing packets on the loopback interface, where the kernel sends ICMP packets back indicating the port is closed. Additionally, while normally cFS complains when it receives a broken message, in this case there is no standard error or standard output relating to any broken messages.

If I do not use Procmon and launch cFS normally, it can receive messages from Boofuzz as normal. I would like to get Procmon to work with cFS. I suspect that because cFS is a multithreaded application, Procmon somehow breaks cFS, but I am not sure how to debug this any further. Any assistance or pointers are appreciated.

Expected behavior

I expected Procmon to not freeze cFS and instead let it run like normal and receive command messages.

Actual behavior

Procmon "freezes" (for lack of a better term) cFS, disavowing it from binding to listening port 1234/UDP and from receiving any data.

Steps to reproduce the problem

  1. Install cFS as per instructions in the Setup and Build and Run sections of the GitHub repository: https://github.com/nasa/cfs#setup
  2. Launch process_monitor_unix.py
  3. Launch the Boofuzz script attached

boofuzz script

from boofuzz import *


def define_proto(session):
    # One CCSDS command packet: 2-byte stream ID (APID base + ES command MID),
    # 2-byte sequence control, 2-byte big-endian length, then the command data.
    cfe_es_noop_cc = Request("CFE_ES_NOOP_CC", children=(
        Block("Packet_Identification", children=(
            Bytes(name="CFE_PLATFORM_CMD_MID_BASE", default_value=b'\x18', max_len=1),
            Bytes(name="CFE_MISSION_ES_CMD_MSG", default_value=b'\x06', max_len=1),
            Bytes(name="Packet_Sequence_Control", default_value=b'\xC0\x00', max_len=2)
            )),
        # CCSDS length field = length of the data field minus one (offset=-1).
        Size("Packet_Length", block_name="Packet_Data", offset=-1, length=2, endian='>'),
        Block("Packet_Data", children=(
            Bytes(name="NOOP_CC", default_value=b'\x00\x20')
            ))
        ))

    session.connect(cfe_es_noop_cc)


if __name__ == "__main__":
    port = 1234
    host = "127.0.0.1"
    # process_monitor_unix.py starts the target with this command line.
    options = {"start_commands": ['/home/user/cFS/build/exe/cpu1/core-cpu1']}
    procmon = ProcessMonitor(host, 26002)
    procmon.set_options(**options)
    monitors = [procmon]

    session = Session(
            target=Target(
                connection=UDPSocketConnection(host, port),
                monitors=monitors,
                ),
            )
    define_proto(session)
    session.fuzz()

boofuzz version

0.4.0

Python version

3.8

Platform

Linux

Anything else?

No response
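The symptom in the report (ICMP "port unreachable" on loopback while the target runs under the process monitor) can be checked programmatically before a session starts. The following is an added example, not code from the issue or from the boofuzz project: it probes a UDP port through a connected socket so that the kernel surfaces the ICMP port-unreachable reply as ECONNREFUSED, which distinguishes "nothing is bound" from "bound but silent". The host, port, probe payload, timing values and the local listener used in `demo()` are constructed for illustration.

```python
import socket
import time


def udp_port_ready(host, port, probe=b"", timeout=0.5, attempts=10, interval=0.5):
    """Return True if a datagram to host:port is not rejected by the kernel.

    A connected UDP socket receives ICMP port-unreachable errors as
    ConnectionRefusedError on the next recv(). A bound listener that stays
    silent produces a timeout instead, which we treat as "ready".
    """
    for _ in range(attempts):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            s.send(probe)  # constructed probe; empty by default
            try:
                s.recv(1)
            except socket.timeout:
                # No ICMP error within the timeout: something is bound.
                return True
            except ConnectionRefusedError:
                # ICMP port unreachable came back: nothing is bound yet.
                time.sleep(interval)
                continue
            # The target answered, so it is clearly listening.
            return True
    return False


def _free_local_port():
    """Bind a throwaway UDP socket on loopback and return its port (constructed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Show both outcomes with a constructed loopback listener."""
    port = _free_local_port()
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    try:
        with_listener = udp_port_ready("127.0.0.1", port, timeout=0.2, attempts=2, interval=0.05)
    finally:
        listener.close()
    without_listener = udp_port_ready("127.0.0.1", port, timeout=0.2, attempts=2, interval=0.05)
    return {"with_listener": with_listener, "without_listener": without_listener}


if __name__ == "__main__":
    # Typical use before session.fuzz(): abort early if the target never bound.
    print(demo())
```

Calling `udp_port_ready(host, port)` right after the process monitor reports the target started, and before `session.fuzz()`, turns the packet-capture observation from the report into a deterministic pre-flight check: a False result means the kernel is still answering with port unreachable and every fuzz case would be lost.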