Wednesday, 19 June 2019

Basic protocol fuzzing

Below you will find a few notes related to basic protocol fuzzing. Here we go...
A few days ago I decided to find some time and read more about protocol fuzzing... So I started preparing my VM lab :)


A good example to start with is the old PCMan FTPD server. You should already know the app, because multiple bugs were found in it in the past ;) I decided it would be a good one to check.


So...

Settings for the 'lab' (based on VirtualBox):
  #VM01: Kali (default installation)
  #VM02: Windows 7 (32bit) with:
    - ImmunityDbg (with !mona.py)
    - PCMan FTP Server (from Exploit-DB)

When you are ready - we should be somewhere here:



Sure, let's allow it. :) Next, our server should be ready to use:


In the meantime, let's start the Kali VM. We will 'prepare' a small sample file with the 'request' we would like to send to the application/service. In our case it's FTP, so it should be pretty easy. :)

Checking SPIKE fuzzer:

(Later, reading about 'protocol fuzzers', I "found" that there are some sample requests in /usr/share/spike/audits/, but it was a cool exercise to write a few examples myself. ;))


Preparing a small sample case will look like this:


Of course you can add more FTP commands; I will leave that to you. ;)

Starting fuzzer against PCMan FTP on Windows 7:

As you can see above (generic_[Tab]), we can prepare a few more examples (for example UDP tests).

Before we start the (generic) tool, on Windows 7 run ImmunityDbg (as an admin user) and attach to the FTP server:


Yes:

...and we are here:


Ok, cool. Press F9 (a few times if you want) and Alt+Tab to see the PCMan FTP window:


Ok.

NOW :) we are ready to start the fuzzer with our simple example request:


Cool. :) After a while (on your Win7 VM) you should see something like this:


That should be all for our 'very basic protocol fuzzing'... :)

...but I decided to go deeper ("try_harder" ;D) and used a (slightly) modified script (from the audits directory in /usr/share/spike). You will find the results below.


After a while (with the fuzzer) I found that it is possible to crash the target FTP server by sending the HOST command. I decided to try to write an exploit for that.
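The flip side of that crash, as an added example (my own Python, not the post's SPIKE script or PCMan's code): the kind of argument-length check the server was missing, run over constructed FTP control-channel lines that include an overlong HOST argument of the sort a SPIKE string fuzz emits. Assumptions: the 512-byte cap is chosen here (RFC 959 sets no such number), and the post does not show the exact input that crashed PCMan, so the sample lines are made up.

```python
import re

# Assumed argument cap (not RFC 959's or PCMan's own number).
MAX_ARG_LEN = 512
VERB_RE = re.compile(r"^[A-Za-z]{3,4}$")

def parse_ftp_command(raw: bytes):
    """Split one control-channel line into (VERB, argument bytes);
    None for anything not a single CRLF-terminated ASCII command."""
    if not raw.endswith(b"\r\n"):
        return None
    body = raw[:-2]
    if any(c in body for c in (b"\r", b"\n", b"\x00")):
        return None
    verb, _, arg = body.partition(b" ")
    if not verb.isascii() or not VERB_RE.match(verb.decode("ascii")):
        return None
    return verb.decode("ascii").upper(), arg

def check_line(raw: bytes, max_arg_len: int = MAX_ARG_LEN) -> str:
    """Return 'ok', 'malformed' or 'oversize' for one received line.
    The length check is the guard a fixed-size-buffer parser needs before
    copying the argument; 'oversize' should get a 5xx reply, not a copy."""
    parsed = parse_ftp_command(raw)
    if parsed is None:
        return "malformed"
    return "oversize" if len(parsed[1]) > max_arg_len else "ok"

# Constructed sample traffic: ordinary login lines, a HOST line with the
# kind of long run a SPIKE s_string_variable emits, a short format-string
# probe (passes the length check on purpose: length is not the only thing
# to validate) and a bare-LF line.
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.test\r\n",
    b"HOST ftp.example.test\r\n",
    b"HOST " + b"A" * 5000 + b"\r\n",
    b"HOST %s%s%s%s%s%s\r\n",
    b"RETR file\n",
]

def triage(lines):
    """Verdict per line as (verb or None, verdict, argument length)."""
    out = []
    for raw in lines:
        parsed = parse_ftp_command(raw)
        arg_len = len(parsed[1]) if parsed else len(raw)
        out.append((parsed[0] if parsed else None, check_line(raw), arg_len))
    return out
```

The same verdicts could be produced from a packet capture of the fuzzing session to see which lines the debugger stopped on.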

The idea is as follows:
-- find offset to crash
-- find jmp to esp
-- add few NOPs
-- add reverse_shell from MSF.

A small skeleton (with the JMP ESP value found by: !mona jmp -r esp):


Preparing shellcode with msfvenom:


And with your netcat listening on port 443/tcp you should receive a connection:

 
Maybe you will find it useful. ;)

See you next time. 

Cheers


