Friday, 3 August 2018

Sample fuzzing automation

Below you will find a few notes from a sample (and simple ;)) "fuzzing automation". It is not rocket science, but maybe you will find it useful...
I decided that it would be a good idea to create some little "automation" for our fuzzing adventures.
I thought that one small FTP server - called FreeFloat FTP Server - would be a good example to use here. Let's go...


In our case the idea was very simple:
- prepare 2 VMs - (I used) Kali Linux and Windows 7 (32bit)
- on Kali you'll need: python, editor
- on Windows you'll need: Windbg, editor, target application (in our case the FTP server)
- patience :]

The "sample application" (freefloat) I found in the download section for one of the bugs/exploits described here (> for example <). We can proceed now.

After a while, when all your machines are ready to work, we should be somewhere here:

(Open your FTPServer.exe in Windbg)


Good, we should be here:


The next thing was to create a small script (in python) to:
- use (some ftp) command
- add our 1337 payload
- send it to the target (ftp) server (where our Windbg will catch the crash and log it ;))

Simple :)

So:

First skeleton of the script and first results:


So far, so good.

...but the idea was to 'automate it'. So I decided that I'll use the same idea that I used during my adventures with cross_fuzz a few years ago: run Windbg with an autorun-script :)

In our case ('fuzzing Ftp server') it should be easy to achieve some 'quick results'. Let's see:


Cool, we found a crash. But the whole process (.exe) still needs to be restarted in the debugger.
We cannot automate the process of sending (fuzz) commands to the target machine... yet. ;]

Now I decided to prepare that windbg-script file. (Sample) content you can find below:


As you will see (if you're checking those results on your VM right now ;)) there will still be a 'bug'. Windbg will not ".restart" after the crash.

I assumed that the reason was simple: too many commands in the script file. :)

Restarting:


And...



"Almost"... but my sup3r-4dv4nc3-python-ninjitsu wasn't enough to see that socket() was in the wrong place in the code (one connection was reused for every case instead of a new one per case)... ;] Nevermind, fixed:


That's better! :) Now we can finally see some results generated (during the crash) by Windbg autorun-script.
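As an added example (not the post's own 'quick&dirty' fuzzer from [2], and not FreeFloat code), here is the same idea in Python 3 with socket() in the right place: one fresh connection per test case, a status per case so the log shows when the target is down and the debugger is restarting it. The target host/port, the command list and local_banner_server() (a constructed stand-in that only answers a 220 banner and a 331 reply so the script can be run offline) are assumptions, not from the post.

```python
import socket
import threading
import time

FTP_COMMANDS = [b"USER", b"PASS", b"CWD", b"MKD", b"RETR"]   # constructed command list

def build_cases(commands, start=100, stop=2000, step=100, filler=b"A"):
    """One case per (command, length): b'<CMD> AAA...A\\r\\n'."""
    return [cmd + b" " + filler * n + b"\r\n"
            for cmd in commands for n in range(start, stop + 1, step)]

def send_case(host, port, payload, timeout=3.0):
    """New connection per case (the post's bug reused one socket). Returns a log status."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)             # 220 banner
            s.sendall(payload)
            try:
                s.recv(1024)         # reply, if the server is still alive
            except socket.timeout:
                return "no-reply"    # hung, or WinDbg has it stopped on a crash
            return "ok"
    except ConnectionRefusedError:
        return "refused"             # target down: debugger is restarting it
    except OSError:
        return "reset"               # connection dropped mid-case

def fuzz(host, port, cases, pause=0.2):
    """Send each case on its own connection; return (cmd, len, status) per case."""
    results = []
    for case in cases:
        status = send_case(host, port, case)
        results.append((case.split(b" ")[0].decode(), len(case), status))
        time.sleep(pause * (10 if status != "ok" else 1))   # let .restart finish
    return results

def local_banner_server():
    """Constructed stand-in target (not FreeFloat): banner, read one command, reply 331."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 fake ftp\r\n")
                conn.recv(4096)
                conn.sendall(b"331 ok\r\n")
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
```

Against the real VM you would call fuzz("<windows-vm-ip>", 21, build_cases(FTP_COMMANDS)) and read the crash details from the Windbg autorun-script log, not from this script.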

Example log file:


I added a few more (ftp) commands to check if Windbg will restart correctly this time:


Looks good. :) We can now add more FTP commands and check other FTP servers :)

As you can see, the idea is simple enough to turn the skeleton into one for other protocols (mail/http/and so on...) ;)

[1] - Windbg script with sample commands
[2] - 'quick&dirty' small fuzzer


Comments/questions - drop me a message.

Happy hunting!

Cheers
