lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 6 Mar 2009 19:58:55 -0600
From: "Valdis' Mustache" <security.mustache+fd@...il.com>
To: bobby.mugabe@...h.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: List of Fuzzers

Gabby,

As a general rule, I am opposed to fuzz. Those that are prebuscent and
/ or lack the appropriate testosterone levels to develop full and
bushy facial hair should leave matters to the professionals.

That said, I have been most impressed with the work of the markedly
hairless Mssr. Pedram Amini and his Sulley Fuzzing Framework, located
at http://www.fuzzing.org/wp-content/sulley.zip.

I believe there was a Lebanese gentleman (also notably lacking in
facial hair) from the NSA who created another popular fuzzing tool,
but I believe it was primarily only for crashing Java applications and
developing Python tutorials.


Your humble servant,
The vunts ja Valdis

On Fri, Mar 6, 2009 at 5:47 PM,  <bobby.mugabe@...h.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dear list,
>
> Which fuzzer on this list will help me find the most security
> exploits?
>
> Thanks,
> - -bm
>
> On Fri, 06 Mar 2009 18:37:01 -0500 Jeremy Brown
> <0xjbrown41@...il.com> wrote:
>>Don't act like you've gave any constructive advice to anyone in
>>your life.
>>
>>Thanks for trolling, please don't come again.
>>
>>On Fri, Mar 6, 2009 at 6:21 PM, Pete Licoln
>><pete.licoln@...il.com> wrote:
>>> Ok cool, then keep it up Jeremy.
>>> At least you wont be able to say no one told you.
>>>
>>> 2009/3/6 Jeremy Brown <0xjbrown41@...il.com>
>>>>
>>>> I consider you a loser, Pete/Julio/Loser.
>>>>
>>>> On Fri, Mar 6, 2009 at 3:03 PM, Pete Licoln
>><pete.licoln@...il.com> wrote:
>>>> > Well .. what i say is true.
>>>> > If you cant argue on the subject then shut the hell up.
>>>> >
>>>> >
>>>> > 2009/3/6 Rubén Camarero <rjcamarero@...il.com>
>>>> >>
>>>> >> Dont satisfy this idiot with a response, thats what he
>>likes..
>>>> >> Everybody
>>>> >> knows Petie is a troll on every list just use google
>>>> >>
>>>> >> On Fri, Mar 6, 2009 at 10:56 AM, Jeremy Brown
>><0xjbrown41@...il.com>
>>>> >> wrote:
>>>> >>>
>>>> >>> The reason anyone writes a fuzzer is to find bugs. Those
>>that I have
>>>> >>> written are of course for the same purpose as the 101
>>listed: to find
>>>> >>> security bugs. Your ideas are as meaningless and unhelpful
>>as they
>>>> >>> have been in the past. You have no goal but to troll and
>>try to make
>>>> >>> people look like fools, but you are clearly the ignorant
>>one.
>>>> >>>
>>>> >>> What have you ever written? Let us see some of your code to
>>poke fun
>>>> >>> of. If it is as imperfect as you then we'd have a day of
>>fun.
>>>> >>>
>>>> >>> >What's hilarious is that none of them are usefull :)
>>>> >>>
>>>> >>> http://www.milw0rm.com/author/1531
>>>> >>> http://www.milw0rm.com/author/1835
>>>> >>>
>>>> >>> 90% of the research above were found by fuzzing, and those
>>are public.
>>>> >>> Clearly my fuzzers are useful.
>>>> >>>
>>>> >>> >You should really learn the protocol you want to fuzz, and
>>develop a
>>>> >>> >strategy before you create anything else.
>>>> >>>
>>>> >>> Although mistakes are inevitable, and seeming how the stuff
>>I write
>>>> >>> are pretty coherent to the protocol, your statements, once
>>again, are
>>>> >>> unjustifiable. The strategy is simple: gather points of
>>input, fuzz
>>>> >>> them, and watch for exceptions. Obviously.
>>>> >>>
>>>> >>> >Every fuzzer you've made use the SAME way to ""fuzz"" for
>>differents
>>>> >>> > app/protocol.
>>>> >>>
>>>> >>> Because using a fuzzing oracle is a very good way to
>>identify security
>>>> >>> bugs. Throwing random data will surely find lots of
>>programming
>>>> >>> errors, but I want a shell.
>>>> >>>
>>>> >>> > The only change i see is your last fuzzer .. written in a
>>different
>>>> >>> > language, but still the same way ...
>>>> >>>
>>>> >>> Yeah, I wrote it in C, and implemented a fuzzing oracle
>>that way. I
>>>> >>> probably put 100 hours into it, and it gave back some nice
>>return. As
>>>> >>> like the others.
>>>> >>>
>>>> >>> So, "what ever your real name is", I will continue to write
>>fuzzers
>>>> >>> and exploits. If you comments are meant to bend my attitude
>>or
>>>> >>> research rather than to troll, you don't have a chance, so
>>get on with
>>>> >>> your life and I will get on with mine. What a conclusion.
>>>> >>>
>>>> >>>
>>>> >>> On Fri, Mar 6, 2009 at 10:22 AM, Pete Licoln
>><pete.licoln@...il.com>
>>>> >>> wrote:
>>>> >>> > What's hilarious is that none of them are usefull :)
>>>> >>> > You should really learn the protocol you want to fuzz,
>>and develop a
>>>> >>> > strategy before you create anything else.
>>>> >>> > Every fuzzer you've made use the SAME way to ""fuzz"" for
>>differents
>>>> >>> > app/protocol.
>>>> >>> >
>>>> >>> > The only change i see is your last fuzzer .. written in a
>>different
>>>> >>> > language, but still the same way ...
>>>> >>> >
>>>> >>> > 2009/3/5 Jeremy Brown <0xjbrown41@...il.com>
>>>> >>> >>
>>>> >>> >> That is hilarious LOL!
>>>> >>> >>
>>>> >>> >> On Thu, Mar 5, 2009 at 11:14 PM, Pete Licoln
>>>> >>> >> <pete.licoln@...il.com>
>>>> >>> >> wrote:
>>>> >>> >> > 11 fuzzers matchs for Jeremy Brown on this page LOL !
>>>> >>> >> >
>>>> >>> >> > 2009/3/5 Krakow Labs <krakowlabs@...il.com>
>>>> >>> >> >>
>>>> >>> >> >> Krakow Labs maintains a current list of security
>>driven fuzzing
>>>> >>> >> >> technologies.
>>>> >>> >> >>
>>>> >>> >> >> http://www.krakowlabs.com/lof.html
>>>> >>> >> >>
>>>> >>> >> >> _______________________________________________
>>>> >>> >> >> Full-Disclosure - We believe in it.
>>>> >>> >> >> Charter: http://lists.grok.org.uk/full-disclosure-
>>charter.html
>>>> >>> >> >> Hosted and sponsored by Secunia - http://secunia.com/
>>>> >>> >> >
>>>> >>> >> >
>>>> >>> >> >
>>>> >>> >> > _______________________________________________
>>>> >>> >> > Full-Disclosure - We believe in it.
>>>> >>> >> > Charter: http://lists.grok.org.uk/full-disclosure-
>>charter.html
>>>> >>> >> > Hosted and sponsored by Secunia - http://secunia.com/
>>>> >>> >> >
>>>> >>> >>
>>>> >>> >> _______________________________________________
>>>> >>> >> Full-Disclosure - We believe in it.
>>>> >>> >> Charter: http://lists.grok.org.uk/full-disclosure-
>>charter.html
>>>> >>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>>> >>> >
>>>> >>> >
>>>> >>> >
>>>> >>>
>>>> >>> _______________________________________________
>>>> >>> Full-Disclosure - We believe in it.
>>>> >>> Charter: http://lists.grok.org.uk/full-disclosure-
>>charter.html
>>>> >>> Hosted and sponsored by Secunia - http://secunia.com/
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Rubén Camarero
>>>> >> CCNA, CISSP
>>>> >>
>>>> >> _______________________________________________
>>>> >> Full-Disclosure - We believe in it.
>>>> >> Charter: http://lists.grok.org.uk/full-disclosure-
>>charter.html
>>>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > Full-Disclosure - We believe in it.
>>>> > Charter: http://lists.grok.org.uk/full-disclosure-
>>charter.html
>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>> >
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQMCAAYFAkmxtgcACgkQT2/djsYXr/IXigQAgDdkR+dskgmYHYPQeCcKe3QlT7xf
> w0eZDSu0ecbO2vXy0oicANDezPfZDuadwtB6L8Cwoon04gfjVYxTr6GyyvW7hUmAaLt9
> 7GEL/Hh2/cL5rzSzz9mDNOUFrU0S8VanhMVvwjXKtFWNzAWiwfj26lvb8KVRlwfNGlP3
> gVnFnbE=
> =Sy3u
> -----END PGP SIGNATURE-----
>
> --
> Be a Certified Nursing Assistant. Get local training today.
>  http://tagline.hushmail.com/fc/BLSrjkqoiOCPCoMRK9ZgmTNsCtwOZXGIyrzJkWo3YmH0IyTAFJVy7s9Krni/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ