Monday, January 20, 2014

Fuzzing vulnserver with Python

A request from the corelan.be forums was made asking about creating a custom fuzzer using Python. It's simple enough, but for posterity let's go through this process.

Fuzzing

So, if we examined the kinds of input Peach was supplying to vulnserver when we fuzzed the HTER command in a previous post we see that it basically threw a bunch of junk input of varying sizes. In a very bad generalization, it's increasing the amount of junk to determine if it crashes the program. Fuzzing is a lot more complicated and nuanced than this obviously so check out this book or these links for further reading. 

Using Python to Fuzz

OK, but lets try and roll our own fuzzer in Python for the HTER command. If we recall the StateModel we created in our Peach Pit, the format of the HTER protocol was:
  1. Receive some data
  2. Send the HTER command with our input
  3. Receive some data

With this in mind, we know enough to go about creating our fuzzer in Python. The general flow is going to be:
  1. Create a connection to vulnserver
  2. Receive the banner for vulnserver, i.e. "Welcome to Vulnerable Server..."
  3. Send our fuzzed data in ever increasing amounts, i.e. "HTER <fuzzed input>
  4. Receive the response from vulnserver, i.e. "HTER RUNNING FINE"
  5. Increase the amount of fuzzed input
  6. Close the connection to vulnerserver
  7. Go back to step 1
  8. If we can't connect to vulnserver then we can guess that the previous input crashed vulnserver and we can print a message
Here's what this looks like in code:

Here's what the output looks like when running this script against an instance of vulnserver:

And we are greeted with this popup as well:

So we have a good indication that 2040 As will result in vulnserver crashing. Let's make a quick proof of concept from our fuzzer to test if 2040 As will crash vulnserver.

Not that complicated, but when we run it we get the popup that vulnserver.exe has crashed so we're on to something.

Viewing the Crash Under a Debugger

Just for fun, let's run vulnserver under Immunity Debugger and see what's going on under the covers when we run our proof of concept. You can get Immunity Debugger from here.
First we'll start Immunity. Then File > Open and select vulnserver.exe and then click the Open button. This spin up vulnserver, but pause it right before it hits the Program entry point. You should see on the bottom right hand side a yellow text box that says "Paused". Hit F9 or go to Debug > Run to start the program. That yellow text box saying "Paused" should now say "Running". Great, now we have vulnserver up and running so we can throw our proof of concept at it. Hopefully we should see some registers light up with As when we run it.
Once we execute our proof of concept we see at the bottom of Immunity that we've hit an exception.

And if we look at our registers we see that this particular crash didn't reveal anything too interesting.

It looks like we were able to overwrite most of EBP, but we didn't get a hold of anything else =/. Ohh well, from here we could start throwing 2030 As and so on to see if we get a better result.

Hope this helped.

25 comments:

  1. Replies
    1. CRYPTO ACCOUNT TAKEOVER (ATO) FAKE INVESTMENT & OTHER TROUBLESHOOT. As Bitcoin reaches all-time highs, and continues to go through price action swings, it has been attracting a lot of attention. As unknowing, new supporters of Bitcoin enter the cryptocurrency craze, this has presented ideal opportunities for Bitcoin scams to occur. Every day investors are getting scammed by old and new tactics. It’s important to note that although Bitcoin itself is not a scam, attacks are on the rise and they are costing individuals, businesses, and organizations significant financial and damage that are often difficult to recover quickly. When it comes to Binary Options, there are quite people who have been taken for a ride by a Brokers and at a result of this many have lost a large amount of money to Fake Binary Option Scammers this bring Investors down to a Zero point financially.

      D-hackers is a multinational equipped Hackers come together as a team to track down & to recover whatever that has being stolen from you from the most difficult internet SCAMMERS. NOTE!! We've received countless heartbreaking reports of notorious cyber scammers and we’ve successful recover them back.

      contact us on
      1⃣Binary Recovery.
      2⃣Files Recovery
      3⃣School Grades Change & Exam Questions
      4⃣Password Bypass / Recovery
      5⃣Malware Removal / Criminal Record Expunge
      6⃣Blank ATM Card
      7⃣Social Media Hack
      8⃣Remote Mobile Monitoring & Hacking
      9⃣ Credit Repair
      🔟Private Key Reset

      Relate whatever it is to City Center Of Binary Option Service & allow us give you positive result with our hacking skills. Visit our BLOG page Dhackerspot.com
      Email 📩 binaryoptionservice01@gmail.com pointekhack@gmail.com cyberhackertap@gmail.com we Guarantee you up to %85
      REMEMBER YOUR HAPPINESS

      Delete
    2. Rockfish Sec: Fuzzing Vulnserver With Python >>>>> Download Now

      >>>>> Download Full

      Rockfish Sec: Fuzzing Vulnserver With Python >>>>> Download LINK

      >>>>> Download Now

      Rockfish Sec: Fuzzing Vulnserver With Python >>>>> Download Full

      >>>>> Download LINK QN

      Delete
  2. I like this site for it's comprehensive and extensive information best for programmers and or students. Thank you for sharing.

    ReplyDelete
  3. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.
    appvn
    hotmail sign up login

    ReplyDelete
  4. I faced a lot of problems with this. Fortunately, I have a friend who helped me with it. I think, I need to learn more about it.

    ReplyDelete
  5. If you are looking for a professional hacker to provide hacking solutions on

    -Social media hacks

    -Recovering Scammed funds

    -Email hacks

    -Phone hacks

    -DMV database

    -School result upgrading

    -Tracking & Finding People

    -Increased Credit score boost to 850

    - Access your spouse/partner social media, Monitor your colleague

    -Bitcoin mining, Lost Forex trading funds recovery, Lost Cryptocurrency trading funds recovery, Binary option funds recovery and a lot more, search no further.

    -Hunting Down Scammers With the help of, Federal Bureau of Investigation (FBI) and The International Criminal Police Organisation (INTERPOL)✅

    I fully recommend it to everyone, he recovered all data I had on a lost phone and helped in tracking the phone till it was found. I feel so happy writing this review about him, try him he's the best.

    Email. info@wizardcharlesgrouphackers.com

    visit their website to read more about them: https://wizardcharlesgrouphackers.com/.n/

    ReplyDelete
  6. I am Leah Hart I live in Ohio USA I’m 32 Years old, am so happy I got my blank ATM card from united hacking company  blank ATM card that can withdraw $5,500 daily. I got it from him  last week and now I have withdrawn about $15,000 for free. The blank ATM withdraws money from any ATM machines and there is no name on it because it is blank just your PIN will be on it, it is not traceable and now I have money for business, shopping and enough money for me and my family to live on.I am really glad and happy i met united hacking company  because I met Five persons before him and they could not help me. But am happy now united hacking company  sent the card through DHL and I got it in two days. Get your own card from him right now, he is giving it out for small fee to help people even if it is illegal but it helps a lot and no one ever gets caught or traced. I’m happy and grateful to the united hacking company   because he changed my story all of a sudden. The card works in all countries that is the good news contact. email address: unitedblankatmhackcard@gmail.com 

    ReplyDelete
  7. INSTEAD OF BITCOIN INVESTMENT SCAM WHY DON'T YOU CONTACT MR OSCAR FOR A REAL BLANK ATM CARD
    oscarwhitehackersworld@gmail.com or whats-app +1(513)-299-8247.


    My name is Morgan Williams am from Alabama United State,this is so real and wonderful, at first i thought is a scam , because have been scam by several people claiming they can help me invest my money in bitcoin trading , that is how i lost my $25,000 last week on investment , but with the help of Mr Oscar White Blank ATM Card oscarwhitehackersworld@gmail.com , i was able to withdraw $50,000 from ATM machine without trace more than the money i lost last week , indeed Mr Oscar your Blank ATM card is real and genuine , i will keep telling people about you as i promise to do , if you are in any financial problem to pay up bills and start up a new life , kindly contact Mr Oscar white on how you can obtain his Blank ATM card , he does not charge big , trust him and contact him today through email oscarwhitehackersworld@gmail.com or whats-app +1(513)-299-8247.

    ReplyDelete
  8. It’s really a cool and useful piece of info.

    ReplyDelete
  9. I just have to introduce this hacker that I have been working with him on getting my credit score been boosted across the Equifax, TransUnion and Experian report. He made a lot of good changes on my credit report by erasing all the past eviction, bad collections and DUI off my credit report history and also increased my FICO score above 876 across my three credit bureaus report. Email him here via Email him here via hackintechnology@cyberservices.com or whatsapp Number: 213 295 1376.

    ReplyDelete
  10. Never met any hacker as discreet and fast like this Best System Hackers. They are called Best System Hacks and they has helped me in multiple ways first was when my ex spouse cheated on me- they got me every information from my spouse phone number and now they are helping me paying my credit cards debts. They have the best hacking tools plus service any one can ever imagine and I recommend him to the world. I am thankful and grateful for the second chance. Honestly, Best System hackers are life savers please contact them here if you need their swift service Email; BESTSYSTEMHACKSOLUTION@GMAIL.COM or text him on WhatsApp +1 (602) 609-4730 he is very trustworthy.

    ReplyDelete
  11. This type of message always inspiring and I prefer to read quality content, So happy to find good place to many here in the post, the writing is just great, thanks for the post.
    website

    ReplyDelete
  12. Knowit ERP offers solutions across various industries like steel Tube and Pipe industry ,Metal Fabrication industry. We provide the best erp software for steel manufacturing company in India.
    ERP for hot rolling
    erp for steel bars industry
    erp for manufacturing industry in india
    sheet metal fabrication software

    ReplyDelete
  13. HAVE YOU LOST YOUR MONEY TO BINARY OPTION SCAM OR ANY ONLINE SCAM WHATSOEVER?.DO YOUR DESIRE CREDIT REPAIR[EQUIFAX, EXPERIAN, TRANSUNION? WELL, YOU HAVE FOUND REDEMPTION.


    BEWARE OF FRAUDSTERS looking to hoax.
    if you have been a VICTIM, contactEmail:creditcards.creditscoreupgrade@gmail.com
    whatsapp:+1(437) 536-6082 for directives.
    Here, it's always a win for you.

    ��OUR SERVICES��
    ∆Binary Option funds recovery
    ∆Social media hack
    ∆Recovery of loan scam
    ∆Credit repair (Equifax,Experian,Transunion)
    ∆Email hack
    ∆College score upgrade
    ∆Android & iPhone Hack
    ∆Website design
    ∆Website hack
    ∆And lots more.
    We have specially programmed ATMs that can be used to withdraw money at ATMs, shops and points of sale. We sell these cards to all our customers and interested buyers all over the world, the cards have a withdrawal limit every week.

    CONTACT INFO:
    Email:creditcards.creditscoreupgrade@gmail.com
    whatsapp:+1(437) 536-6082
    Copyright ©️ 2022.

    ReplyDelete
  14. IGT Gaming, Casinos, and Games for sale in Maricopa
    Find your https://tricktactoe.com/ complete list of casinos, kadangpintar games and games at IGT Gaming in Maricopa, Arizona. wooricasinos.info 1. Casinos in Casino communitykhabar at Residence apr casino

    ReplyDelete
  15. The Most Successful Sites for Crypto, Casino & Poker - Goyang
    Goyang Casino & Poker is one of the 토토 most famous worrione and well known herzamanindir.com/ crypto gambling goyangfc sites, founded in 2012. หาเงินออนไลน์ They are popular because of their great

    ReplyDelete
  16. Thanks a lot for giving us such a helpful information. You can also visit our website for nmims solved

    ReplyDelete