Fuzzing a new RTSP client
mlynch-isec edited this page Sep 17, 2013 · 1 revision
It is straightforward to use RtspFuzzer to fuzz an RTSP client that it does not already support out of the box.
- Open rtsp.xml in an XML or text editor
- Copy the tag for "VlcAgent" and rename it XyzAgent (where Xyz can be any name, but should be the name of your RTSP client)
- Edit the "Executable" and "CommandLine" fields of the PageHeap and WindowsDebugger child nodes, respectively, to match your target RTSP client binary
- Copy the tag for "Vlc"
- Change the ref attribute of the Agent tag to the name of the Agent you chose in step #2
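The five steps above are a mechanical edit of rtsp.xml, so they are easy to script and, more importantly, easy to check. The following is an added example (not code from the RtspFuzzer project): it assumes rtsp.xml follows the Peach 3 pit layout implied by the steps (an `Agent` element with `PageHeap` and `WindowsDebugger` `Monitor` children carrying `Param` elements, and a `Test` element whose `Agent` child has a `ref` attribute). The sample pit, the client name `Xyz`, the `StateModel` name and the binary paths are all constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample pit. It follows the Peach 3 layout that rtsp.xml is
# assumed to use (Agent/Monitor/Param and Test/Agent ref); it is not the
# project's real file, and the StateModel name is a placeholder.
SAMPLE_PIT = """<Peach>
  <Agent name="VlcAgent">
    <Monitor class="PageHeap">
      <Param name="Executable" value="vlc.exe" />
    </Monitor>
    <Monitor class="WindowsDebugger">
      <Param name="CommandLine" value="C:\\vlc\\vlc.exe rtsp://127.0.0.1:8554/fuzz" />
    </Monitor>
  </Agent>
  <Test name="Vlc">
    <Agent ref="VlcAgent" />
    <StateModel ref="RtspServer" />
  </Test>
</Peach>
"""


def load_pit(text):
    """Parse pit XML text into its root element."""
    return ET.fromstring(text)


def add_client(root, name, executable, command_line, template="Vlc"):
    """Clone the template Agent and Test for a new client (steps 2 to 5).

    Returns the new (Agent, Test) elements; the template is left untouched.
    """
    agent = root.find(f"Agent[@name='{template}Agent']")
    test = root.find(f"Test[@name='{template}']")
    if agent is None or test is None:
        raise ValueError(f"template {template!r} not found in pit")

    # Step 2: copy VlcAgent and rename it XyzAgent.
    new_agent = copy.deepcopy(agent)
    new_agent.set("name", f"{name}Agent")

    # Step 3: point the PageHeap/WindowsDebugger monitors at the new binary.
    exe = new_agent.find("Monitor[@class='PageHeap']/Param[@name='Executable']")
    cmd = new_agent.find("Monitor[@class='WindowsDebugger']/Param[@name='CommandLine']")
    if exe is None or cmd is None:
        raise ValueError("template agent lacks the expected PageHeap/WindowsDebugger params")
    exe.set("value", executable)
    cmd.set("value", command_line)

    # Steps 4 and 5: copy the Vlc test and re-point its Agent ref.
    new_test = copy.deepcopy(test)
    new_test.set("name", name)
    new_test.find("Agent").set("ref", new_agent.get("name"))

    # Append the Agent before the Test that references it.
    root.append(new_agent)
    root.append(new_test)
    return new_agent, new_test


def dangling_agent_refs(root):
    """Return Test names whose Agent ref matches no Agent name.

    A typo in step 5 is the usual reason a new Test runs without its
    debugger monitor, so check this before starting a fuzzing run.
    """
    names = {a.get("name") for a in root.findall("Agent")}
    return [
        t.get("name")
        for t in root.findall("Test")
        for ref in t.findall("Agent")
        if ref.get("ref") not in names
    ]


if __name__ == "__main__":
    pit = load_pit(SAMPLE_PIT)
    add_client(pit, "Xyz", "xyz.exe", r"C:\xyz\xyz.exe rtsp://127.0.0.1:8554/fuzz")
    print("dangling refs:", dangling_agent_refs(pit))
    print(ET.tostring(pit, encoding="unicode"))
```

`dangling_agent_refs` is the check worth keeping even if you edit the file by hand: a `ref` that matches no `Agent` name is the one mistake in this procedure that produces no error, only a run with no crash detection.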
RtspFuzzer attempts to use every field possible in RTSP responses, but some clients will terminate RTSP sessions when they receive an RTSP header or field that they do not support. In these cases, it is necessary to perform the following steps:
- Run RawCap to capture the network communication on the loopback interface
- Examine the generated pcap file in Wireshark
- Identify the RTSP server message (generated by RtspFuzzer) that the client does not respond to
- Use Wireshark to capture network communication between your RTSP client and a known working RTSP server, such as YouTube (see RTSP Feeds for information about generating RTSP links).
- Open the RtspFuzzer\data directory and replace the problematic response message with the known working server's response
- Repeat this process as needed with any other RTSP server responses that your client rejects
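Once you have the fuzzer's response and the working server's response side by side in Wireshark, the question is which header the client objected to. The following is an added example, not code from the RtspFuzzer project or from Peach: it parses an RTSP response into its status line, headers and body, checks the Content-Length against the body (a mismatch is another common reason a client silently drops a session), and reports the headers that appear only in the fuzzer's message. Both sample responses are constructed for illustration; they are not captures of RtspFuzzer or of any real server.

```python
# Constructed sample messages (not captures from the project). The fuzzer
# response carries several optional headers; the "working" one is what a
# plain server might send for the same DESCRIBE request.
FUZZER_DESCRIBE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Server: RtspFuzzer\r\n"
    "Cache-Control: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Content-Base: rtsp://127.0.0.1:8554/fuzz/\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\n"
)

WORKING_DESCRIBE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Content-Base: rtsp://127.0.0.1:8554/fuzz/\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\n"
)


def parse_rtsp_response(raw):
    """Split an RTSP response into (status line, headers, body).

    Header names are case-insensitive, so they are lower-cased; lines
    without a colon are skipped rather than aborting the parse.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def content_length_ok(raw):
    """True if Content-Length is absent or matches the body's byte length."""
    _, headers, body = parse_rtsp_response(raw)
    declared = headers.get("content-length")
    if declared is None:
        return True
    return declared.isdigit() and int(declared) == len(body.encode("utf-8"))


def compare_responses(fuzzer_raw, working_raw):
    """Report how the fuzzer's response differs from a known-good one.

    only_in_fuzzer: headers the working server never sent (the first
    suspects for the field the client rejects); only_in_working: headers
    the fuzzer omits; differing: headers in both with different values.
    """
    f_status, f_hdrs, _ = parse_rtsp_response(fuzzer_raw)
    w_status, w_hdrs, _ = parse_rtsp_response(working_raw)
    shared = set(f_hdrs) & set(w_hdrs)
    return {
        "status_matches": f_status == w_status,
        "only_in_fuzzer": sorted(set(f_hdrs) - set(w_hdrs)),
        "only_in_working": sorted(set(w_hdrs) - set(f_hdrs)),
        "differing": sorted(h for h in shared if f_hdrs[h] != w_hdrs[h]),
    }


if __name__ == "__main__":
    for label, msg in (("fuzzer", FUZZER_DESCRIBE), ("working", WORKING_DESCRIBE)):
        print(f"{label}: content-length ok = {content_length_ok(msg)}")
    print(compare_responses(FUZZER_DESCRIBE, WORKING_DESCRIBE))
```

Feed `compare_responses` the two messages exported from Wireshark (Follow TCP Stream, or copy the packet bytes as text) and remove the `only_in_fuzzer` headers from the file in RtspFuzzer\data one at a time until the client proceeds; that narrows the rejected field down without guessing, and the Content-Length check rules out a framing error before you blame a header.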
If Peach fails to crack a captured response, this may indicate a bug in either RtspFuzzer or Peach itself. If you encounter this, you can do one of the following:
- Attempt to crack the data again with Peach's --debug flag enabled or using PeachValidator
- File an Issue on the RtspFuzzer project page