Monday, January 20, 2014

Fuzzing vulnserver with Python

A request from the corelan.be forums was made asking about creating a custom fuzzer using Python. It's simple enough, but for posterity let's go through this process.

Fuzzing

So, if we examined the kinds of input Peach was supplying to vulnserver when we fuzzed the HTER command in a previous post we see that it basically threw a bunch of junk input of varying sizes. In a very bad generalization, it's increasing the amount of junk to determine if it crashes the program. Fuzzing is a lot more complicated and nuanced than this obviously so check out this book or these links for further reading. 

Using Python to Fuzz

OK, but lets try and roll our own fuzzer in Python for the HTER command. If we recall the StateModel we created in our Peach Pit, the format of the HTER protocol was:
  1. Receive some data
  2. Send the HTER command with our input
  3. Receive some data

With this in mind, we know enough to go about creating our fuzzer in Python. The general flow is going to be:
  1. Create a connection to vulnserver
  2. Receive the banner for vulnserver, i.e. "Welcome to Vulnerable Server..."
  3. Send our fuzzed data in ever increasing amounts, i.e. "HTER <fuzzed input>
  4. Receive the response from vulnserver, i.e. "HTER RUNNING FINE"
  5. Increase the amount of fuzzed input
  6. Close the connection to vulnerserver
  7. Go back to step 1
  8. If we can't connect to vulnserver then we can guess that the previous input crashed vulnserver and we can print a message
Here's what this looks like in code:

Here's what the output looks like when running this script against an instance of vulnserver:

And we are greeted with this popup as well:

So we have a good indication that 2040 As will result in vulnserver crashing. Let's make a quick proof of concept from our fuzzer to test if 2040 As will crash vulnserver.

Not that complicated, but when we run it we get the popup that vulnserver.exe has crashed so we're on to something.

Viewing the Crash Under a Debugger

Just for fun, let's run vulnserver under Immunity Debugger and see what's going on under the covers when we run our proof of concept. You can get Immunity Debugger from here.
First we'll start Immunity. Then File > Open and select vulnserver.exe and then click the Open button. This spin up vulnserver, but pause it right before it hits the Program entry point. You should see on the bottom right hand side a yellow text box that says "Paused". Hit F9 or go to Debug > Run to start the program. That yellow text box saying "Paused" should now say "Running". Great, now we have vulnserver up and running so we can throw our proof of concept at it. Hopefully we should see some registers light up with As when we run it.
Once we execute our proof of concept we see at the bottom of Immunity that we've hit an exception.

And if we look at our registers we see that this particular crash didn't reveal anything too interesting.

It looks like we were able to overwrite most of EBP, but we didn't get a hold of anything else =/. Ohh well, from here we could start throwing 2030 As and so on to see if we get a better result.

Hope this helped.

1 comment: