There sure have been quite a few IMAP vulnerabilities published in the last few weeks. It’s interesting: a certain protocol will be attacked, go away for a while, and then someone will hit a whole bunch of applications at once. With that in mind I figured I’d get my Sulley request for IMAP working.
First, something I found while browsing around for post-authentication guidance on the internet. If for some reason or another you want to view the exact strings Sulley is creating to fuzz your protocol with, you can do this pretty easily.
Simply create a new Python script just as you would if you were creating a fuzz script. Instead of creating a target, starting a session and all that, you can simply create a for loop and call s_render() like so:
from sulley import *
# The module that defines the request (s_initialize("imap_simple") ...) must be
# imported before this point so that s_get() can find it. s_render() and
# s_mutate() operate on the current request, i.e. the last one initialized.

bleh = s_get("imap_simple")
for i in range(bleh.names["blockname"].num_mutations()):
    print "%i" % i        # mutation index of this test case
    print s_render()      # the exact bytes Sulley would put on the wire
    s_mutate()
The reason I have a print "%i" % i in there is that I have actually been fuzzing embedded devices lately. Unless you have a JTAG debugger or there is some type of integrated debugger on the device, it’s hard to tell what’s going on. When you run Sulley without defining the vm_control, the proc_mon, or the net_mon, Sulley may crap out at some point and state something along the lines of “Cannot connect, no vmcontrol waiting 5 minutes.” You can then take the last number that Sulley transmitted and start working from there.
So, with IMAP you need to authenticate to the IMAP server in order to reach some of the latest vulns being published (LSUB, FETCH, LIST). This means we are back in the same boat about authentication as I was last week. Well, I think I actually figured out how to take care of it. It’s an integration of some stuff that Tebo sent me and some stuff from my LPR request from Gray Hat Hacking SE, which uses dependencies.
What I did was really half-assed, but it seemed to work and it got me some exceptions. Basically, from the LPR stuff I used s_group() to create a list of commands; the thing is it only has one actual command, which is a long string that takes care of the authentication sequence. It seemed to work though:
# A one-member group: the only "command" is the LOGIN line that handles authentication.
s_group('command', values=['0001 LOGIN bleh BLEH'])
From there on out, when you define a new block you tell the block to be dependent on the command group. (I should probably change the name of that.)
# The block is tied to the "command" group through s_block_start()'s dep argument.
if s_block_start("list", dep="command"):
    s_string("a003")        # tag
    s_delim(" ")
    s_string("LIST \"")     # verb plus the opening quote of the reference name
    s_delim("")             # empty reference name, i.e. ""
    s_string("\" ")         # closing quote and separator
    s_string("*")           # mailbox pattern
    s_static("\r\n")
s_block_end()
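The group-plus-dependency trick above bolts the LOGIN onto the fuzzed request itself. The exchange it is trying to reproduce is a plain tagged IMAP LOGIN followed by a tagged OK/NO/BAD reply, and a harness can do that as a separate step before each test case. The following is an added example, not code from the original post or from Sulley: a login helper written in Python 3 in the shape of a pre-send hook that receives an already connected socket, plus a constructed fake server so it runs offline. The user/password values, the `FakeImapServer` class and the `imap_login` name are all assumptions made for the example.

```python
import re

# Tagged IMAP response line, e.g. b"0001 OK LOGIN completed" (RFC 3501, 7.1).
TAGGED_RE = re.compile(rb"^(?P<tag>\S+) (?P<status>OK|NO|BAD)\b")


def read_tagged_response(sock, tag, bufsize=4096):
    """Read lines until the one tagged `tag` arrives; return (status, line).

    Untagged lines (b"* ...") such as the greeting or CAPABILITY data are
    consumed and skipped. Bytes after the tagged line are dropped, which is
    fine for a fuzz harness that resets the connection per case."""
    buf = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("server closed before answering tag %r" % tag)
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            m = TAGGED_RE.match(line)
            if m and m.group("tag") == tag:
                return m.group("status").decode("ascii"), line


def imap_login(sock, user, password, tag=b"0001"):
    """Send a tagged LOGIN and return the server's status: "OK", "NO" or "BAD".

    Run this before each post-authentication test case; only continue on
    "OK", otherwise LIST/LSUB/FETCH cases would be sent into an
    unauthenticated session and tell you nothing about the parser under test."""
    sock.sendall(tag + b" LOGIN " + user + b" " + password + b"\r\n")
    status, _line = read_tagged_response(sock, tag)
    return status


class FakeImapServer:
    """Constructed stand-in for a connected socket (assumption for this example):
    records what the client sends and replays canned IMAP responses."""

    def __init__(self, accept_password):
        self.accept_password = accept_password
        self.sent = []
        # Untagged greeting, queued before the client says anything.
        self._pending = b"* OK [CAPABILITY IMAP4rev1] constructed test server ready\r\n"

    def sendall(self, data):
        self.sent.append(data)
        tag, _, rest = data.rstrip(b"\r\n").partition(b" ")
        if rest.upper().startswith(b"LOGIN "):
            _verb, _user, pw = rest.split(b" ", 2)
            if pw == self.accept_password:
                self._pending += tag + b" OK LOGIN completed\r\n"
            else:
                self._pending += tag + b" NO [AUTHENTICATIONFAILED] Authentication failed\r\n"
        else:
            self._pending += tag + b" BAD Unknown command\r\n"

    def recv(self, n):
        out, self._pending = self._pending[:n], self._pending[n:]
        return out


if __name__ == "__main__":
    srv = FakeImapServer(accept_password=b"BLEH")
    print(imap_login(srv, b"bleh", b"BLEH"))   # OK
    print(imap_login(FakeImapServer(b"BLEH"), b"bleh", b"wrong"))   # NO
```

Against a real target, replace `FakeImapServer` with the socket the session hands you; the helper only needs `sendall()` and `recv()`. Keeping the login outside the fuzzed request also means the LOGIN line itself never gets mutated, which is what you want when the bugs you are chasing are in the post-authentication commands.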
I also ran into something that pissed me off. With both IMAP and FTP, requests can be rather large. Since in some cases I’m rewriting the .spk files from Dave Aitel’s SPIKE, they are really long. I ran into an instance where Python was generating the fuzz strings for my requests before running, but there were so many string declarations that it would result in a MemoryError and crap out. What I ended up doing was cutting my IMAP request down from a block for every command to about 4 blocks, or 4 commands, at a time. A few blocks required additional editing, which I wasn’t happy about because there were certain fields I wanted to play with. Oh well, IMAP request here.
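Two of the problems above, running out of memory when every fuzz string is declared up front and needing the index of the last transmitted case to pick a run back up, come from the same place: materializing the whole case list instead of producing one case at a time. The following is an added example, not code from the original post or from Sulley, showing the harness pattern in Python 3: a generator renders one IMAP line per case (one mutated field per case, as Sulley does by default), `num_cases()` counts them without rendering any, and `run()` reports each index before transmitting so the last number you saw is the one to resume from. The fuzz-string list, the two command layouts and the `send` callback are constructed assumptions for the example.

```python
import itertools

# Constructed, deliberately small fuzz-string set; a real run uses hundreds.
FUZZ_STRINGS = ["A" * n for n in (1, 16, 256, 4096)] + ["%s%s%s%s", "\x00", "'\"", "\r\n"]

# Constructed layouts mirroring the LIST block above: tag, verb, then the
# fuzzable fields (reference name and mailbox pattern).
COMMANDS = [
    (b"a003", b"LIST", [b'""', b"*"]),
    (b"a004", b"LSUB", [b'""', b"*"]),
]


def render_cases(commands, fuzz_strings):
    """Yield (index, rendered_line) one case at a time.

    Only one field is mutated per case and nothing is built ahead of time,
    so memory use stays flat no matter how many commands or strings there are."""
    index = 0
    for tag, verb, fields in commands:
        for pos in range(len(fields)):
            for fz in fuzz_strings:
                mutated = list(fields)
                # Raw bytes, deliberately unescaped: the target's parser is the test subject.
                mutated[pos] = fz.encode("latin-1")
                yield index, b" ".join([tag, verb] + mutated) + b"\r\n"
                index += 1


def num_cases(commands, fuzz_strings):
    """Total case count, computed without rendering a single case."""
    return sum(len(fields) * len(fuzz_strings) for _tag, _verb, fields in commands)


def run(commands, fuzz_strings, send, start=0, on_case=None):
    """Push cases through `send(line_bytes)`, resuming at index `start`.

    `on_case(index)` is called *before* each transmit (print it, or write it to
    a file), so if the target or the fuzzer dies the last index reported is the
    case to restart from. Returns the last index sent, or None if nothing was."""
    last = None
    for index, case in itertools.islice(render_cases(commands, fuzz_strings), start, None):
        if on_case is not None:
            on_case(index)
        send(case)
        last = index
    return last


if __name__ == "__main__":
    print("total cases:", num_cases(COMMANDS, FUZZ_STRINGS))   # 32
    # Resume from case 30 with a stand-in for the socket send.
    run(COMMANDS, FUZZ_STRINGS, lambda line: print(repr(line)), start=30, on_case=print)
```

The four-blocks-at-a-time workaround in the post is doing the same job by hand: it caps how much has to exist in memory at once. Driving the cases from a generator removes that cap, and logging the index before the send is the cheap substitute for a process monitor when the target is an embedded box you cannot attach a debugger to.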