Tuesday, January 14, 2014

Fuzzing Vulnserver with Peach 3

Vulnserver

Vulnserver, written by Stephen Bradshaw, is a purposely vulnerable application meant for practicing exploitation. It's basically a server that accepts TCP connections and takes in input that will result in various buffer overflows and SEH overwrites. It's a pretty good way of learning how buffer overflows and SEH overwrites work in a manageable setting. There are also lots of good walkthroughs on how to achieve code execution on Bradshaw's blog and on Infosecinstitute. There's even a good walkthrough on fuzzing Vulnserver with Peach 2.x by Dejan Lukan. I probably wouldn't have bothered with this post if it wasn't for the fact that Peach 3.0 was a complete rewrite, so some of the syntax in Lukan's example is a tad out of date.

Peach

Peach is a fuzzer that supports generational and mutation based fuzzing. It uses XML files to describe the structure of the protocol you are trying to fuzz and how it should go about performing the actual fuzzing, e.g. make a network connection or write to a file. I've been meaning to practice fuzzing with a fuzzer like Peach or Spike. I ultimately settled on Peach because, from the looks of it, it has a more active support community, so if I ran into issues it could be easier to find answers.

Setting Up

After downloading Peach from here, downloading Vulnserver from here, netcat for Windows from here (with or without the -e option), and installing WinDbg from the Windows 7 Standalone Debugging Tools (also for Windows XP) from here, we are more or less ready to go.

First we fire up a command prompt and execute vulnserver. By default it will listen on port 9999, but if you give it a port number it will listen on that instead. 


Next, we'll open up another command prompt, connect to it with netcat on port 9999, and poke around the application. Typing 'HELP', we are presented with a list of commands that vulnserver supports. The exact meaning of these commands is not important. They are just there to provide different ways of supplying input that can crash the application.

If you go ahead and type a command and provide some input you should get a response back saying that the input was received fine. Here are a few examples of interaction with vulnserver:

So it appears that the general protocol used by vulnserver is: [command] [input] [newline]. This should be enough knowledge to start making a Peach Pit and start fuzzing vulnserver.

Peach Pit

Peach Pits have the general form of Data Models, followed by State Models, followed by Agents, followed by Tests.

Data Model

The Data Model describes the format of data that Peach can accept as input or that it should use when attempting to fuzz something. Fortunately our format is fairly simple with just a fixed command, a space, a string that is fuzzable, a carriage return character, and a new line character. More complex protocols may require you to have more fields, numbers and strings mixed, fields that are dependent on the size of other fields, etc. 
Something to note is that you can have multiple Data Models in a Peach Pit. Although in our case we will only focus on one command, you could have a Data Model for each command in vulnserver in your Peach Pit.

State Model

Next up we have the State Model. The State Model basically tells Peach how to behave so that it cooperates with the protocol it is trying to fuzz. The State Model consists of one or more States, which are comprised of one or more Actions that lay out the exact steps Peach should take when fuzzing. Does Peach need to accept output from a network connection before supplying input? Your actions will have to model that. Not only that, but if you are accepting output, you need to tell Peach what that output will look like in the form of a Data Model. If you are fuzzing a file format, you may have to have actions that tell Peach to open, write fuzzed data to, and close files. Again, fortunately for us vulnserver is pretty basic, so our State Model will just consist of an input action to accept the initial welcome message, an output action to send our fuzzed data model, and another input action to receive the confirmation output from vulnserver if it hasn't crashed.

Agents

While fuzzing, one of the things you will have to do is start Peach in agent mode. This agent will run the program that you are trying to fuzz along with a debugger to monitor the program. It will also be responsible for detecting crashes and logging those instances. Agents can be a tricky thing to configure.

Tests

Finally, there are Tests. A Test brings everything together and describes how you want your fuzzing run to proceed. Here you get to decide which Agent and State Model should be used. There are also two other important things you determine in a Test. The Publisher tells Peach how it will send input to and receive output from the program. Are we communicating via a file? TCP? UDP? You specify that in a Publisher. The Logger is where you tell Peach to place the logs that it will generate.

HTER Example

Here is what a Peach Pit for the HTER command might look like (modified from Lukan's tutorial):
As a short rundown, here is a summary of what we have. First there is a Data Model named DataHTER which basically describes how we will send the HTER command to vulnserver. We will always send the string "HTER " (observe the space!), then a string whose content we let Peach decide, followed by a carriage return and a new line.

Next, the StateHTER State Model says we will accept output from vulnserver that will look like the DataResponse Data Model (which we haven't defined yet!), send a DataHTER Data Model, and then accept more output that looks like a DataResponse Data Model.

Now we define the DataResponse DataModel. This is merely a string. Nothing fancy.

The Agent comes next. Here we indicate that the Peach fuzzer will connect to the Peach Agent at 127.0.0.1 on TCP port 9001. We also say that the Monitor for this Agent will be a WindowsDebugger, and we indicate that the command line program to run is vulnserver.exe and where it can be found. Then we tell the Monitor where it can find WinDbg.

The Test is last, and here we say that we want to use the Agent named "RemoteAgent", perform a test using the protocol described in the State Model named "StateHTER", and publish the fuzzed output using the TcpClient to IP address 127.0.0.1 on TCP port 9999. Finally we say that we should record the findings in a subfolder named "Logs".
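The pit file itself did not survive in this copy of the post, so the following is a reconstruction written for this page from the description above, in Peach 3 syntax; it is not Lukan's file or anything shipped with Vulnserver or Peach. The vulnserver.exe path and the WinDbg install directory are assumed placeholders that you will need to change for your own machine.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://peachfuzzer.com/2012/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://peachfuzzer.com/2012/Peach ../peach.xsd">

  <!-- "HTER " + fuzzable string + CR + LF. token/mutable keep the fixed parts fixed. -->
  <DataModel name="DataHTER">
    <String value="HTER " token="true" mutable="false"/>
    <String name="Payload" value="A"/>
    <String valueType="hex" value="0d" token="true" mutable="false"/>
    <String valueType="hex" value="0a" token="true" mutable="false"/>
  </DataModel>

  <!-- Anything vulnserver sends back: the banner and the per-command acknowledgement. -->
  <DataModel name="DataResponse">
    <String name="Response"/>
  </DataModel>

  <!-- read banner, send fuzzed HTER, read acknowledgement -->
  <StateModel name="StateHTER" initialState="Initial">
    <State name="Initial">
      <Action type="input">
        <DataModel ref="DataResponse"/>
      </Action>
      <Action type="output">
        <DataModel ref="DataHTER"/>
      </Action>
      <Action type="input">
        <DataModel ref="DataResponse"/>
      </Action>
    </State>
  </StateModel>

  <!-- Agent reached over TCP on 9001; it restarts vulnserver under WinDbg for each case. -->
  <Agent name="RemoteAgent" location="tcp://127.0.0.1:9001">
    <Monitor class="WindowsDebugger">
      <Param name="CommandLine" value="C:\vulnserver\vulnserver.exe"/>            <!-- assumed path -->
      <Param name="WinDbgPath" value="C:\Program Files\Debugging Tools for Windows (x86)"/> <!-- assumed path -->
    </Monitor>
  </Agent>

  <Test name="TestHTER">
    <Agent ref="RemoteAgent"/>
    <StateModel ref="StateHTER"/>
    <Publisher class="TcpClient">
      <Param name="Host" value="127.0.0.1"/>
      <Param name="Port" value="9999"/>
    </Publisher>
    <Logger class="File">
      <Param name="Path" value="Logs"/>
    </Logger>
  </Test>
</Peach>
```

With this saved as vulnserver.xml, the agent is started with "peach.exe -a tcp" and the run with "peach.exe vulnserver.xml TestHTER", which is the sequence the Fuzzing section below walks through.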

Whew!

Fuzzing

Now comes the fun part. First we will fire up a Peach Agent and tell it to use the TCP channel. The Peach Agent will wait for instructions from a Peach fuzzer and ultimately be responsible for running vulnserver each and every time and detecting whether a crash occurred.

Next, the moment of truth, we will run Peach, pass in our Peach Pit, and the name of the test we want to run. 


Hopefully every once in a while you should see output from your Peach command shell that looks similar to this:

This is an indication that Peach sent a value that caused a crash. Peach should then save off that input for you to look at later. Peach can take a while to run through its test cases, so feel free to stop Peach whenever you like or leave it running for as long as you care to.

Examining the Output

Let's take a closer look at the input that caused the crash at iteration 171. From where you ran Peach, you should have a folder named Logs. Inside of that you should have a folder that was created for your run, and inside of that you should have a folder named Faults. This folder stores the runs that caused a crash. One of the nice features of Peach is that when it runs a program under WinDbg, it automatically loads a module from Microsoft, the MSEC Debugger Extensions (!exploitable), that makes an attempt to determine whether the crash is exploitable or not. MSEC is currently on 1.6 but Peach only comes with 1.0.6, so hopefully that will change in the future.

We are in luck, because in our Faults folder we see a folder named EXPLOITABLE_0x264d5172_0x00000000. Opening up that folder we see yet another folder named after the iteration that caused the crash, 171. Inside the 171 folder there are several text files. Probably the two most interesting ones in this case will be WindowsDebugEngine_StackTrace.txt and action_2_Output_Unknown Action 2.txt. WindowsDebugEngine_StackTrace.txt is, not surprisingly, a stack trace of vulnserver at the time of the crash. It's worth taking a look just to see what the state of the registers is and whether we could potentially have control over any of them. The other interesting file, action_2_Output_Unknown Action 2.txt, is what Peach sent to vulnserver. The "Output" and "Action 2" parts of the name correspond to the second action (the output action) of the StateHTER State Model that we specified in TestHTER in our Peach Pit.

Now we know that sending HTER followed by 9,526 As will crash vulnserver in a potentially exploitable way. 

Hooray! 

Can we do better and turn this into remote code execution? Maybe I'll write this up if there's interest, but there are a bunch of tutorials that explain how to do this.

23 comments:

  1. Nice tutorial!

    Make more tutorials!

    pusheax
    http://blog.pusheax.com/ (Security Research)

  2. I like your article.
    I am beginning to use Peach. I am trying to write a file fuzzer that *waits* for a trigger before starting to fuzz.
    The trigger is a UDP packet. Can you give me a sample pit file that does this?

    Thanks
    Joshua

  3. Thank you so much for giving us valuable and informative knowledge about that virus. By this we would be able to save our websites and blogs.

  4. Hi, I am trying to do the similar thing with the choice of 6 commands, but I am unable to condition the choice description. Can you help me to manipulate the choice?

  5. I followed your instructions, but, unfortunately, a lot of errors occurred. I think I need to make another try. Anyway, thank you for the information.
