Below you will find few notes related to basic protocol fuzzing. Here we go...
Few days ago I decided to find some time and read more about protocol fuzzing... So I started preparing my VM-lab :)
Good example to start should be an old PCManFTPD server. You should already know the app because there were multiple bugs found in the past ;) I decided it will be good to check.
So...
Settings for the 'lab' (based on VirtualBox):
#VM01: Kali (default installation)
#VM02: Windows 7 (32bit) with:
- ImmunityDbg (with !mona.py)
- PCMan FTP Server (from Exploit-DB)
When you are ready - we should be somewhere here:
Sure, let's allow. :) Next, our server should be ready to use:
In the mean time let's start Kali VM. We will 'prepare' some small-sample file with the 'request' we would like to do/send to the application/service. In our case - FTP - so it should be pretty easy. :)
Checking SPIKE fuzzer:
(Later reading about 'protocol fuzzers' I "found" that there are some 'sample-requests' in /usr/share/spike/audits/ but it was cool exercise to write few examples by myself. ;))
Preparing small sample case will look like this:
Of course you can add more ftp-commands - I will leave it for you. ;)
Starting fuzzer against PCMan FTP on Windows 7:
As you can see above (generic_[Tab]) we can prepare few more examples (like for example UDP tests).
Before we will start (generic tool) on Windows 7: run ImmunityDbg (as admin user) and attach to ftp server:
Yes:
...and we are here:
Ok, cool. Press F9 (few times if you want) and Alt+Tab to see PCMan FTP window:
Ok.
NOW :) we are ready to start the fuzzer with our simple-example-request:
Cool. :) After a while (on your Win7 VM) you should see something like that:
That should be all for our 'very basic protocol fuzzing'... :)
...but I decided to go deeper ("try_harder" ;D ) and I used (a little bit) modified script (from audits directory from /usr/share/spike). Results you will find below.
After a while (with the fuzzer) I found that there is a possibility to crash the target ftp server by sending HOST command. I decided to try to write an exploit for that.
Idea to do that looks like that:
-- find offset to crash
-- find jmp to esp
-- add few NOPs
-- add reverse_shell from MSF.
Small skeleton (with JMP ESP value found by: !mona jmp -r esp):
Preparing shellcode with msfvenom:
And with your netcat listening on port 443/tcp you should receive a connection:
Maybe you will find it useful. ;)
See you next time.
Cheers
Brak komentarzy:
Prześlij komentarz