boofuzz: 'PED-RPC> remote method restart_target cannot be found'

Posted 2019-07-29 05:28

Question:

I'm attempting to learn the intricacies of fuzzing unknown protocols to locate vulnerabilities in applications. I'm using a publicly known vulnerable app, Disk Savvy Enterprise 10.4.18, which has a known SEH Buffer Overflow in it.

I currently have a boofuzz script that I'm trying to use together with the process_monitor.py script, and I am unable to restart the service that is crashing. I have process_monitor.py running on my target machine, and am connecting to it successfully from my fuzzing machine. My problem is the error in the question title: when the application crashes, it 'attempts' to restart the process, but I get the error

PED-RPC> remote method restart_target cannot be found

The relevant bits of my python script are:

from boofuzz import pedrpc, sessions
from boofuzz import SocketConnection

# dst and dport are the target host and port handed in by main() (see the traceback below)
session = sessions.Session(
    crash_threshold=10000,                # Arbitrary, high crash threshold (an int, not a string)
    check_data_received_each_request=0,   # Don't check data after every request (slow)
    restart_sleep_time=0.1,
    sleep_time=0.1,
)
# Define target
target = sessions.Target(
    connection=SocketConnection(dst, dport, proto='tcp')
)
# Define procmon options: the pedrpc client talks to process_monitor.py on the target box
target.procmon = pedrpc.Client(dst, 26002)
target.procmon_options = {
    "proc_name": "disksvs.exe",
    "stop_commands": ['net stop "Disk Savvy Enterprise"'],
    "start_commands": ['net start "Disk Savvy Enterprise"'],
}

I'm starting process_monitor.py on my destination machine with the following line:

python process_monitor.py --port 26002 --crash_bin diskSaavy_Crashes.txt

Here's the resulting output once started, and after it crashes:

Couldn't import dot_parser, loading of dot files will not be possible.
[03:11.00] Process Monitor PED-RPC server initialized:
[03:11.00]       crash file:  C:\Python27\Lib\site-packages\boofuzz\diskSaavy_Crashes.txt
[03:11.00]       # records:   3
[03:11.00]       proc name:   None
[03:11.00]       log level:   1
[03:11.00] awaiting requests...
[03:23.29] updating target process name to 'disksvs.exe'
[03:23.30] updating stop commands to: ['net stop "Disk Savvy Enterprise"']
[03:23.30] updating start commands to: ['net start "Disk Savvy Enterprise"']
[03:23.30] debugger thread-1523215410 looking for process name: disksvs.exe
[03:23.42] debugger thread-1523215410 found match on pid 2908
[03:23.48] updating target process name to 'disksvs.exe'
[03:23.48] updating stop commands to: ['net stop "Disk Savvy Enterprise"']
[03:23.48] updating start commands to: ['net start "Disk Savvy Enterprise"']
[03:23.49] debugger thread-1523215410 caught access violation: 'libpal.dll:004a919f movsx ebp,[eax+ebx] from thread 2424 caused access violation'
[03:23.49] debugger thread-1523215410 exiting
PED-RPC> remote method restart_target cannot be found

Here's the output from boofuzz on my fuzzing machine, for the same crash:

[2018-04-08 15:23:49,996]   Test Step: Failure summary
[2018-04-08 15:23:49,996]     Info: procmon detected crash on test case #2: libpal.dll:004a919f movsx ebp,[eax+ebx] from thread 2424 caused access violation
[2018-04-08 15:23:49,996]   Test Step: restarting target
[2018-04-08 15:23:49,996]     Info: restarting target process
[2018-04-08 15:23:50,206]     Error!!!! Restarting the target failed, exiting.
Traceback (most recent call last):
  File "./boofuzz-diskSaavy.py", line 72, in <module>
    main()
  File "./boofuzz-diskSaavy.py", line 17, in main
    fuzz(dst, dport)
  File "./boofuzz-diskSaavy.py", line 69, in fuzz
    session.fuzz()
  File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 414, in fuzz
    self._fuzz_current_case(*fuzz_args)
  File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 893, in _fuzz_current_case
    self._process_failures(target=target)
  File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 603, in _process_failures
    self.restart_target(target)
  File "/usr/local/lib/python2.7/dist-packages/boofuzz/sessions.py", line 680, in restart_target
    raise sex.BoofuzzRestartFailedError()
boofuzz.sex.BoofuzzRestartFailedError

I've tried different variations of my start_commands: not sending proc_name or stop_commands and instead running process_monitor.py with them specified, and different start_commands, such as including the full path of net.exe and using different escapes for the quotes around the service name, etc. So far, nothing I've tried works.

Looking at sessions.py, pedrpc.py and multiple other files, I see that __getattr__ is being used to handle the method calls, but from what I can see, restart_target exists in sessions.py, so I'm not sure why PEDRPC is stating that restart_target cannot be found... I'm pulling my hair out. boofuzz is doing everything I want it to do, minus the restart.

I can provide more info if this isn't enough, and I'd appreciate any help I can get.

Thanks!

Answer 1:

TL;DR The method doesn't exist because process_monitor.py is out of date; download the newest copy from boofuzz and try again.

Thank you for the thorough debug information in your question. If process_monitor.py printed a stack trace, including that would also have helped. :)

I searched the code base for "PED-RPC> remote" and found it in boofuzz/pedrpc.py on line 2 (permalink):

sys.stderr.write('PED-RPC> remote method "{0}" of {1} cannot be found\n'.format(method_name, self))

Notice the slight difference: that little "of {1}" is not present in your output. This suggests your process_monitor.py is from an old version of boofuzz. git blame shows this change happened at e4723204d43bd758077f56df419af1c7c7424f14, which was first included in v0.0.8.

Downloading the latest process_monitor.py should do the trick.

This might have been avoided if the process monitor announced its version; I filed an issue.
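The __getattr__ proxy the question points at, and the client/server version mismatch the answer diagnoses, are easy to see in a stripped-down RPC pair. The following is an added illustration, not code from boofuzz or from either poster: a minimal length-prefixed JSON-over-TCP server plus a client whose __getattr__ turns any unknown attribute into a remote call, the same pattern that makes restart_target "exist" on the fuzzing side even when the monitor on the target has never heard of it. Every name in it (MiniRpcServer, MiniRpcClient, OldProcessMonitor, NewProcessMonitor, get_version, check_version, the version tag "new") is hypothetical, and boofuzz's real wire format and method set are not reproduced. Against a monitor without restart_target the client gets a 'remote method ... cannot be found' reply of the same shape as the one in the question, and check_version is the pre-flight check the answer wishes process_monitor.py offered: a monitor too old to even report its version is treated as incompatible before fuzzing starts rather than discovered at the first crash.

```python
import json
import socket
import struct
import threading

# Added illustration of a PED-RPC-style proxy; NOT boofuzz's pedrpc.py. Wire
# format, class names and the version tag are hypothetical. JSON is used here
# so that neither side deserializes arbitrary objects taken off the network.


class RemoteMethodNotFound(Exception):
    """Raised on the client when the server reports it has no such method."""


def _recv_exact(sock, n):
    """Read exactly n bytes, or raise ConnectionError if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _send_msg(sock, obj):
    """One frame: 4-byte big-endian length followed by a JSON body."""
    body = json.dumps(obj).encode("utf-8")
    sock.sendall(struct.pack("!I", len(body)) + body)


def _recv_msg(sock):
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return json.loads(_recv_exact(sock, length).decode("utf-8"))


class MiniRpcServer:
    """Dispatches each request to a method of `handler` by name, one client at a time."""

    def __init__(self, handler):
        self.handler = handler
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self._listener.listen(5)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self._listener.accept()
            with conn:
                try:
                    while True:
                        method, args = _recv_msg(conn)
                        # Refuse non-string and underscore names so a caller cannot reach __class__ etc.
                        public = isinstance(method, str) and not method.startswith("_")
                        target = getattr(self.handler, method, None) if public else None
                        if not callable(target):
                            # Same shape as the message the answer quotes from the newer pedrpc.py
                            _send_msg(conn, {"error": 'remote method "%s" cannot be found' % method})
                            continue
                        _send_msg(conn, {"result": target(*args)})
                except ConnectionError:
                    pass  # client hung up; go back to accept()


class MiniRpcClient:
    """Proxy: any attribute that is not a real attribute becomes a remote call."""

    def __init__(self, host, port):
        self._sock = socket.create_connection((host, port))

    def __getattr__(self, name):
        # Reached only when normal attribute lookup fails, so the client never
        # knows up front whether the server actually implements `name`.
        def remote_call(*args):
            _send_msg(self._sock, [name, list(args)])
            reply = _recv_msg(self._sock)
            if "error" in reply:
                raise RemoteMethodNotFound(reply["error"])
            return reply["result"]
        return remote_call

    def close(self):
        self._sock.close()


class OldProcessMonitor:
    """Stand-in for an out-of-date process_monitor.py: no restart_target, no version."""

    def alive(self):
        return True


class NewProcessMonitor(OldProcessMonitor):
    """Stand-in for a current process_monitor.py that restarts and reports a version."""

    VERSION = "new"  # hypothetical version tag

    def get_version(self):
        return self.VERSION

    def restart_target(self):
        return True  # a real monitor would run stop_commands/start_commands here


def call_restart(port):
    """What the fuzzer sees when it asks the monitor to restart the target."""
    client = MiniRpcClient("127.0.0.1", port)
    try:
        return client.restart_target()
    except RemoteMethodNotFound as exc:
        return str(exc)
    finally:
        client.close()


def check_version(port, required="new"):
    """Pre-flight check: a monitor that cannot even report a version is incompatible."""
    client = MiniRpcClient("127.0.0.1", port)
    try:
        return client.get_version() == required
    except RemoteMethodNotFound:
        return False
    finally:
        client.close()


if __name__ == "__main__":
    for label, monitor in (("old", OldProcessMonitor()), ("new", NewProcessMonitor())):
        server = MiniRpcServer(monitor)
        print("%s monitor: compatible=%s restart=%r"
              % (label, check_version(server.port), call_restart(server.port)))
```

Running the module starts two loopback servers and prints that the "old" monitor fails the version check and answers restart_target with the cannot-be-found error, while the "new" one passes both. The point of check_version is ordering: run it once before session.fuzz() so a stale monitor is rejected up front instead of turning the first real crash into a BoofuzzRestartFailedError.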