Damn thought I had one.

Posted by Eric | Fuzzing, Research, Vulnerabilities | Tuesday 15 April 2008 8:43 am

Been busy running around lately, and now the mother-in-law and family are in town; theoretically the wife will be occupied with that. I created a POP3 request for Sulley and I've been backtracking and hitting the POP3 service on a few of the mail servers that I had downloaded and hit with the SMTP requests. Last week I discovered a weird bug that seemed random at best, and after a while of getting frustrated I asked MC for an assist. MC tracked down the bug despite not being able to get it to crash. Turned out there was already an advisory on it, and it was incorrect handling of connections. Basically the application (Baby POP3) was not handling multiple connections from the same host correctly, and that would result in a crash. On the vendor's website there were quite a few other applications in this Baby series, and I'm pretty sure they are using the same template for code, because I was able to get the web server to crash also.

Last night I discovered an XSS bug in a vendor site. I actually completely stumbled on it. I was messing with a mail server, browsing around and looking for inputs (this thing opens about 12 ports upon install), and I came across the web application on port 7026. Most of the pages required authentication, but the help pages didn't. Within the help index there was a search box for "on line search." When you put JavaScript into the search box and hit enter, you are taken to the vendor's site (shown your alert text box) and then get some errors about the search string not being found. I kicked off an email to the vendor and they responded back in like 15 minutes, but have yet to ACK FIN saying it was fixed.

I continue hitting up that same application. It's got an SMTP, a POP3 and about 4 web interfaces. I noticed that the webmail is actually accessible via a path that leads to webmail.exe?cmd= . Currently fuzzing the admin.cgi ones, but I plan to start fuzzing the webmail.exe input this evening when I get home.

I need to start working on a short presentation for AHA! I'm debating talking about the fuzzing (a lot of those guys work for DVLabs so I dunno) or I can talk about embedded debugging. On one hand, if I talk about fuzzing, I can segue that into the question of "How can I analyze these crashes better?" because the scripts with Sulley haven't been working out for me. Or the "Has anyone done any fuzzing on embedded systems, and if so how did you go about analyzing the crash?" On the other hand, I can just go straight into embedded debugging and ask that question anyway. Of course I still need a few hundred bucks from Dean to sponsor more research....

Thanks again to MC for checking out that bug.

Awww Shixxnote

Posted by Eric | Fuzzing, Research | Sunday 6 April 2008 1:12 am

Recently I watched a keynote by Dave Aitel, in which he discussed the hacker mindset. One of the things he pointed out was that when a new vulnerability comes out, make sure your fuzzer can pick it up, and if not, figure out why and then make the fuzzer pick up the vuln. Shixxnote 6.net had a buffer overflow (http://secunia.com/advisories/12822/) quite a while ago, found by Luigi A, who is amazing at finding vulns; I've RSS'ed his site and that dude kicks out an average of two per day.
I still had the software in my vuln software bank and I decided I'd break it out and play with it for the evening.

The concept behind Shixxnote is simple: you can create notes for yourself and even send them to other users on a network. If the other user doesn't have the software, it will default to sending it via the Messenger service. You could assume it runs over the Messenger service, but in reality it only does that by default and has its own little protocol going on. With no documentation available we turn to Wireshark. Wireshark has this amazing ability at decoding data/protocols. Unfortunately Wireshark had no f00 when it came to Shixxnote. I installed Shixxnote on two different boxes, sent a message from each to the other and sniffed the traffic. This is what I got:

[Image: Wireshark capture of the Shixxnote traffic, http://hamsterswheel.com/blogpics/wireshark.jpeg]

What I did was try to break it down as best as I could into a Sulley request. It ended up being too large to run on my VM image, so I had to find some more RAM for the only box in the house running Windows. Eventually I got it up and going, and Sulley started kicking out the fuzz! Somewhere around 618, and in the low 2000s, Shixxnote crashed. I've since started Sulley's process monitor and am monitoring for the exact cause of the crash. Anyway, I found it kind of cool taking apart the protocol (even though it's not really a protocol per se, just a format of data sent over the wire).

Request can be found here: http://hamsterswheel.com/code/sulley/shixxnote.py

Sulley Auth, Data Gen, Imap CRASH BANG!

Posted by Eric | Code, Fuzzing | Friday 21 March 2008 11:37 am

There sure have been quite a few IMAP vulnerabilities published the last few weeks. It's interesting: a certain protocol will be attacked, go away for a while, then someone will hit a whole bunch of applications. With that I figured I'd get my Sulley request for IMAP working.

First, something I found while browsing around for post-authentication guidance on the internet. If for some reason or another you have the desire to view the exact strings Sulley is creating to fuzz your protocol with, you can do this pretty easily.

Simply create a new Python script just as you would if you were creating a fuzz script. Instead of creating a target, starting a session and all that, you can simply create a for loop and call s_render() like so:

    from sulley import *
    # assumes a request named "imap_simple" containing a block named
    # "blockname" has already been defined with s_initialize()
    bleh = s_get("imap_simple")
    for i in range(bleh.names["blockname"].num_mutations()):
        print "%i" % i       # index of the current test case
        print(s_render())    # the exact bytes Sulley would send
        s_mutate()           # advance to the next mutation

The reason I have a print "%i" % i in there is because I have actually been fuzzing embedded devices lately. Unless you have a JTAG debugger, or there is some type of integrated debugger on the device, it's hard to tell what's going on. When you run Sulley without defining the vm_control, the proc_mon, or net_mon, Sulley may crap out at some point, and it will state something along the lines of "Cannot connect, no vmcontrol, waiting 5 minutes." You can actually take the last number that Sulley transmitted and start working from there.

So, with IMAP you need to authenticate to the IMAP server in order to get at some of the latest vulns being published (LSUB, FETCH, LIST). This means we are back in the same boat about authentication as I was last week. Well, I think I actually figured out how to take care of it. It's an integration of some stuff that Tebo sent me, and some stuff from my LPR request from Gray Hat Hacking SE, which uses dependencies.

What I did was really half-assed, but it seemed to work and it got me some exceptions. What I basically did was, from the LPR stuff, use s_group() to create a list of commands; the thing was it only has one actual command, which is a long string to take care of the authentication sequence.
It seemed to work though:

    # a group with a single value: the whole authentication sequence
    s_group('command', values=['0001 LOGIN bleh BLEH',])

From there on out, when you define a new block you tell the block to be dependent on the command group. (I should probably change the name of that.)

    # this block is only rendered after the "command" group it depends on
    if s_block_start("list", dep="command"):
        s_string("a003")
        s_delim(" ")
        s_string("LIST \"")
        s_delim("")
        s_string("\" ")
        s_string("*")
        s_static("\r\n")
    s_block_end()

I also ran into something that pissed me off. Both IMAP and FTP requests can be rather large. Since in some cases I'm rewriting the .spk files from Dave Aitel's SPIKE, they are really long. I ran into an instance where Python was generating the fuzz strings for my requests before running, but there were so many string declarations that it would result in a MemoryError and crap out. What I ended up doing was cutting my IMAP request down from a block for every command to about 4 blocks, or 4 commands, at a time. A few blocks required additional editing, which I wasn't happy about because there were certain fields I wanted to play with.
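Added example, not code from the post and not Sulley's own code: a tiny plain-Python stand-in for block/group rendering that shows the two things the post leans on, the fixed LOGIN command rendered in front of every mutated LIST block so each test case is post-auth, and a generator that yields test cases lazily with their index (the "%i" above), so the strings are never all built up front as in the MemoryError described and a run can be resumed from the last number printed. The mutation list and the class names are constructed for this illustration; Sulley's real string library is far larger.

```python
# Added example, not the post's code and not Sulley's: a tiny stand-in for
# block/group rendering. Mutation lists and class names are constructed.

# Constructed, deliberately short fuzz-string list (Sulley ships hundreds).
STRING_MUTATIONS = ["A" * 256, "A" * 4096, "%s%n%s%n", "/.:/" * 32, "\x00"]

class Static(object):
    """Fixed bytes that are never mutated (like s_static)."""
    def __init__(self, value):
        self.value = value

    def mutations(self):
        return []

class Delim(Static):
    """Delimiter (like s_delim): repeated or dropped, skipping no-op mutations."""
    def mutations(self):
        return [m for m in (self.value * 100, "") if m != self.value]

class String(Static):
    """Fuzzable string (like s_string)."""
    def mutations(self):
        return list(STRING_MUTATIONS)

# The LIST block from the post, one primitive per entry.
IMAP_LIST = [String("a003"), Delim(" "), String('LIST "'), Delim(""),
             String('" '), String("*"), Static("\r\n")]

# The single value of the post's "command" group; it goes in front of every
# rendered test case so each one is sent post-auth (CRLF added here).
AUTH_PREFIX = "0001 LOGIN bleh BLEH\r\n"

def num_mutations(block):
    """Total test cases for a block (what num_mutations() gives in Sulley)."""
    return sum(len(p.mutations()) for p in block)

def render(block, mutated=None, value=None):
    """Render the block with primitive number `mutated` replaced by `value`."""
    return "".join(value if i == mutated else p.value
                   for i, p in enumerate(block))

def test_cases(auth, block, start=0):
    """Lazily yield (index, payload): nothing is built ahead of time, and
    `start` resumes from the last index a dead run printed."""
    index = 0
    for i, prim in enumerate(block):
        for m in prim.mutations():
            if index >= start:
                yield index, auth + render(block, i, m)
            index += 1
```

Iterating `test_cases(AUTH_PREFIX, IMAP_LIST, start=20)` picks up exactly where a run that last printed 19 left off, without re-rendering the earlier cases.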
Oh well, IMAP request here: http://www.hamsterswheel.com/code/sulley/imap.py

Fuzzy wuzzy wuz a fuzz

Posted by Eric | Fuzzing, Research | Monday 17 March 2008 8:10 pm

I suppose it's been a few days since my last post. So much for going with the flow of exploitation on Linux. I've been working on that over here, but I've had some other stuff to work on as well. I've also been pretty caught up with family obligations. It's hard to balance the time between everything.

One thing I've been hitting pretty hard is fuzzing. I was never too intrigued by fuzzing until a few months ago. I started on a small scale with COMRaider, which is a fuzzer, but the knowledge needed to fuzz with it is virtually nonexistent. Hell, to an extent COMRaider will even write the proof-of-concept code for you. SPIKE fuzzer from Immunitysec is pretty old school; I played with that momentarily, but the documentation was lacking at best, and it was more or less a lesson in code reading than anything else. You seriously have to walk through all the code of the other fuzzing templates and then attempt to decipher why certain variables are declared. My next attempt was Peach fuzzer. Peach at first gave me great hope, despite it running on Windows only. I was using Peach to fuzz some web servers, since the HTTP protocol is somewhat easy to build simple templates for. Once I started going, I ran into an error with Peach; what's worse, it was an error with their code and their HTTP example. I did a quick fix on the error (that is, I cast the messed-up variable to unicode) and I got past that. However, I kept hitting snags. One snag after another until I finally just gave up on Peach. I even attempted to write to the author; he responded to my first email, but didn't respond to my last two. The one really cool thing I have to say about Peach was the ability to easily create XML files for the fuzzer. Peach works by accepting XML files of the protocol. Using Peachshark you can easily create the XML file based on a PDML file from Wireshark... Sniff, export, script and you've got a fuzzable XML file of the protocol. Nice!

Finally Sulley. Sulley is the new rave. Uses block-based fuzzing, is written in Python, was released last year at Black Hat... or DEF CON. I can't remember, that week seems fuzzy! Crazy people from work, crazy stories. Probably the most drinking I did all of 2007, no lie! Anyhow, once you get past the whole path issues with Python, and you RTFM, Sulley really kicks ass. Sulley comes documented enough that if you read the API and the quick intro you can figure out how to work it. Sulley also comes with the SPIKE method of documentation via two sample requests in the request folder; these allow you to explore more complex protocol fuzzing.

So far I'm really impressed with Sulley. I was using it to fuzz some web servers that I knew were vulnerable from the past. The first time I ran Sulley was using the (included) HTTP request to go against Savant Web Server. Not even 100 tests in and I started to get results. The next step I'm trying to take is to get post-auth fuzzing going on protocols such as IMAP, FTP and POP3. Although not quite as delicious as pre-auth, post-auth still counts for something. I've been talking with Tebo on IRC and inspired him to do a little testing. He emailed me late in the evening Saturday and woke my wife up when the BlackBerry started chirping. All in all it was a good email, with some code built off the stuff I had sent him. I noticed he enjoys using groups, whereas I build everything in blocks for my FTP example. I went to test some of the post-auth stuff he had sent me, and some of my post-auth code I was playing with Saturday evening, but my box at work decided to not play well with others today. I didn't really have time to look into it since I've been assigned a programming project at work. For taskings = sucks;

Example of my quick solution that seemed to work for post-auth can be found in hamsterswheel.com/code.

If you have solutions for the best method to hit post-auth on a protocol with Sulley, let me know please!

© Copyright 2009 | Phn1x – Hamsterswheel (http://hamsterswheel.com/techblog)