Below you will find a few notes from a sample (and simple ;)) "fuzzing automation". It is not rocket science, but maybe you will find it useful...
I decided it would be a good idea to create a little "automation" for our fuzzing adventures.
I thought that one small FTP server - called FreeFloat FTP Server - would be a good example to use here. Let's go...
In our case the idea was very simple:
- prepare 2 VMs (I used Kali Linux and Windows 7, 32-bit)
- on Kali you'll need: Python and an editor
- on Windows you'll need: Windbg, an editor and the target application (in our case the FTP server)
- patience :]
The "sample application" (freefloat) I found in the download section for one of the bugs/exploits described here (> for example <). We can proceed now.
After a while, when all your machines are ready, we should be somewhere here:
(Open your FTPServer.exe in Windbg)
Good, we should be here:
The next thing was to create a small script (in Python) to:
- use (some FTP) command
- add our 1337 payload
- send it to the target (FTP) server (where Windbg will catch the crash and log it ;))
Simple :)
So:
First skeleton of the script and first results:
So far, so good.
...but the idea was to 'automate it'. So I decided to use the same trick I used during my adventures with cross_fuzz a few years ago: run Windbg with an autorun script :)
In our case ('fuzzing an FTP server') it should be easy to achieve some 'quick results'. Let's see:
Cool, we found a crash. But the whole process (.exe) still needs to be restarted in the debugger.
We cannot automate the process of sending (fuzz) commands to the target machine... yet. ;]
Now I decided to prepare the Windbg script file. (Sample) content you can find below:
As you will see (if you're checking those results on your VM right now ;)) there is still a 'bug': Windbg will not ".restart" after the crash.
I assumed that the reason was simple: too many commands in the script file. :)
Restarting:
And...
"Almost"... but my sup3r-4dv4nc3-python-ninjitsu wasn't enough to see that socket() was in the wrong place in the code... ;] Never mind, fixed:
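To show what the script skeleton described above (command + payload + send, one test case at a time) can look like, here is an added example. It is my own code, not the 'quick&dirty' fuzzer attached to the post as [2], and it assumes a lab VM at a placeholder address (`TARGET_HOST`/`TARGET_PORT`) with the FTP server running under Windbg. Two points from the post are built in: the socket is created inside the loop, so every test case gets a fresh connection (reusing one socket across cases is the "socket() in the wrong place" bug: once the server crashes, every later case is written to a dead connection), and after a case the server does not answer, the loop pauses so the debugger's autorun script has time to log the crash and ".restart" the target. The `run` function takes a `sender` callable, so the loop can be dry-run offline with `simulated_server` before pointing it at a VM.

```python
# Added example: minimal FTP command fuzzer skeleton (not the post's fuzzer).
# Assumptions: TARGET_HOST/TARGET_PORT are placeholders for a lab VM where the
# FTP server runs under a debugger that logs the crash and restarts it.
import socket
import time

TARGET_HOST = "192.0.2.10"   # placeholder lab VM address (TEST-NET-2 range)
TARGET_PORT = 21

# FTP commands to exercise; each one gets a growing argument.
COMMANDS = ["USER", "PASS", "MKD", "CWD", "LIST"]
# Argument lengths to try per command, small to large.
LENGTHS = [100, 200, 500, 1000, 2000, 5000]
# Fill byte chosen so the payload is easy to spot in debugger output.
FILL = b"A"


def build_case(command, length, fill=FILL):
    """Build one raw FTP request line: '<COMMAND> <fill*length>\\r\\n'."""
    return command.encode("ascii") + b" " + fill * length + b"\r\n"


def build_cases(commands=COMMANDS, lengths=LENGTHS):
    """Enumerate (command, length, raw_bytes) for every command/length pair."""
    return [(c, n, build_case(c, n)) for c in commands for n in lengths]


def send_case(host, port, data, timeout=3.0):
    """Open a NEW connection, send one case and report what the server did.

    Returns 'reply' (server answered), 'no-reply' (timeout/reset/closed) or
    'refused' (nothing listening, e.g. the target is still being restarted).
    A fresh socket per case is deliberate; see the lead-in.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)          # consume the 220 banner
            s.sendall(data)
            reply = s.recv(1024)
            return "reply" if reply else "no-reply"
    except ConnectionRefusedError:
        return "refused"
    except OSError:               # socket.timeout and ConnectionResetError
        return "no-reply"


def run(cases, sender, pause=0.2, restart_wait=5.0):
    """Send every case through `sender(data) -> outcome`.

    Any case the server does not answer is recorded as a suspect; the loop
    then waits `restart_wait` seconds so the debugger can log the crash and
    restart the target, and carries on with the next case.
    Returns (log, suspects) where log is a list of (command, length, outcome).
    """
    log, suspects = [], []
    for command, length, data in cases:
        outcome = sender(data)
        log.append((command, length, outcome))
        if outcome != "reply":
            suspects.append((command, length))
            time.sleep(restart_wait)
        else:
            time.sleep(pause)
    return log, suspects


def simulated_server(crash_at):
    """Offline stand-in for send_case: 'crashes' on requests longer than
    crash_at bytes. Lets the loop be tested without any network target."""
    def sender(data):
        return "reply" if len(data) <= crash_at else "no-reply"
    return sender


if __name__ == "__main__":
    def live_sender(data):
        return send_case(TARGET_HOST, TARGET_PORT, data)

    log, suspects = run(build_cases(), live_sender)
    for command, length, outcome in log:
        print("%-5s len=%-5d -> %s" % (command, length, outcome))
    print("suspects:", suspects)
```

The `suspects` list only tells you which command and length stopped getting an answer; the real information (registers, stack, faulting instruction) comes from the debugger-side log that the autorun script writes on the Windows VM, so keep the two logs side by side when reviewing a run.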
That's better! :) Now we can finally see some results generated (during the crash) by the Windbg autorun script.
Example log file:
I added a few more (FTP) commands to check whether Windbg restarts correctly this time:
Looks good. :) We can now add more FTP commands and check other FTP servers :)
As you can see, the idea is simple enough to adapt the skeleton to other protocols (mail/HTTP/and so on...) ;)
[1] - Windbg script with sample commands
[2] - 'quick&dirty' small fuzzer
Comments/questions - drop me a message.
Happy hunting!
Cheers