Fuzzy wuzzy wuz a fuzz
I suppose it’s been a few days since my last post. So much for going with the flow of exploitation on Linux. I’ve been working on that over here, but I’ve had some other stuff to work on as well. I’ve also been pretty caught up with family obligations. It’s hard to balance the time between everything.
One thing I’ve been hitting pretty hard is fuzzing. I was never too intrigued by fuzzing until a few months ago. I started on a small scale with COMRaider, which is a fuzzer, but the knowledge needed to fuzz with it is virtually nonexistent. Hell, to an extent COMRaider will even write the proof-of-concept code for you. SPIKE Fuzzer from Immunitysec is pretty old school; I played with that momentarily, but the documentation was lacking at best, and it was more a lesson in code reading than anything else. You seriously have to walk through all the code of the other fuzzing templates and then attempt to decipher why certain variables are declared. My next attempt was Peach Fuzzer. Peach at first gave me great hope, despite it running on Windows only. I was using Peach to fuzz some web servers, since the HTTP protocol is somewhat easy to build simple templates for. Once I got going, I ran into an error with Peach; what’s worse, it was an error in their code, in their HTTP example. I did a quick fix on the error (that is, I cast the messed-up variable to unicode) and got past that. However, I kept hitting snags, one after another, until I finally just gave up on Peach. I even attempted to write to the author; he responded to my first email but didn’t respond to my last two. The one really cool thing I have to say about Peach was the ability to easily create XML files for the fuzzer. Peach works by accepting XML files describing the protocol. Using Peachshark you can easily create the XML file from a PDML file exported from Wireshark… Sniff, export, script, and you’ve got a fuzzable XML file of the protocol. Nice!
Finally, Sulley. Sulley is the new rage: it uses block-based fuzzing, is written in Python, and was released last year at Black Hat… or Defcon. I can’t remember; that week seems fuzzy! Crazy people from work, crazy stories. Probably the most drinking I did all of 2007, no lie! Anyhow, once you get past the Python path issues and RTFM, Sulley really kicks ass. Sulley comes documented well enough that if you read the API docs and the quick intro you can figure out how to work it. Sulley also comes with the SPIKE method of documentation, via two sample requests in the requests folder; these let you explore more complex protocol fuzzing.
So far I’m really impressed with Sulley. I was using it to fuzz some web servers that I knew were vulnerable from the past. The first time I ran Sulley was using the (included) HTTP request against Savant Web Server. Not even 100 tests in and I started to get results. The next step I’m trying to take is to get post-auth fuzzing going on protocols such as IMAP, FTP and POP3. Although not quite as delicious as pre-auth, post-auth still counts for something. I’ve been talking with Tebo on IRC and inspired him to do a little testing. He emailed me late in the evening Saturday and woke my wife up when the BlackBerry started chirping. All in all it was a good email, with some code built off the stuff I had sent him. I noticed he enjoys using groups, whereas I build everything in blocks for my FTP example. I went to test some of the post-auth stuff he had sent me, and some of my own post-auth code I was playing with Saturday evening, but my box at work decided not to play well with others today. I didn’t really have time to look into it since I’ve been assigned a programming project at work. For taskings = sucks;
An example of my quick solution that seemed to work for post-auth can be found at hamsterswheel.com/code.
If you have a better method for hitting post-auth on a protocol with Sulley, please let me know!
1 Comment
For post-auth I just model the protocol and slap some s_static in the beginning, much like you.
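Both the post above and this comment describe the same post-auth trick: keep the login exchange static and let only the arguments of the later, authenticated commands mutate, so every test case lands inside a logged-in session. As an added illustration (not code from the post, from the commenter, or from the Sulley project), the stand-alone Python below models that idea for FTP with a tiny block-based generator of its own. The class names, the `anonymous` placeholder credentials, the choice of `CWD`/`MKD` as the post-auth commands and the nine-entry mutation library are all constructed for the example; none of it is Sulley's API.

```python
import socket
from typing import Iterator, List, Tuple

# Constructed mutation library for the example; Sulley ships a far larger one.
STRING_MUTATIONS: List[bytes] = [
    b"A" * 128, b"A" * 1024, b"A" * 4096,   # plain length overflows
    b"%n" * 64, b"%s" * 64,                  # format-string probes
    b"../" * 32,                             # path traversal
    b"\x00", b"\r\n", b"\xff" * 256,         # terminators and high-bit bytes
]


class Static:
    """Bytes that are never mutated (the role s_static plays in Sulley)."""
    def __init__(self, value: bytes, name: str = "static"):
        self.name, self.value = name, value

    def default(self) -> bytes:
        return self.value

    def mutations(self) -> List[bytes]:
        return []


class FuzzString:
    """A fuzzable string primitive (the role s_string plays in Sulley)."""
    def __init__(self, name: str, default: bytes):
        self.name, self.value = name, default

    def default(self) -> bytes:
        return self.value

    def mutations(self) -> List[bytes]:
        return STRING_MUTATIONS


class Request:
    """Ordered primitives. One test case mutates exactly one fuzzable
    primitive; every other primitive renders as its default, which is what
    keeps the USER/PASS prefix intact on every case."""
    def __init__(self, name: str, primitives: list):
        self.name, self.primitives = name, primitives

    def total_cases(self) -> int:
        return sum(len(p.mutations()) for p in self.primitives)

    def cases(self) -> Iterator[Tuple[str, bytes]]:
        for i, target in enumerate(self.primitives):
            for mutant in target.mutations():
                parts = [mutant if j == i else p.default()
                         for j, p in enumerate(self.primitives)]
                yield target.name, b"".join(parts)


def ftp_post_auth_request(user: bytes, password: bytes) -> Request:
    """Login lines are static so each case is delivered to an authenticated
    session; only the post-auth command arguments are fuzzed.
    (Assumption: the tester supplies valid credentials for the target.)"""
    return Request("ftp_post_auth", [
        Static(b"USER " + user + b"\r\n", "user"),
        Static(b"PASS " + password + b"\r\n", "pass"),
        Static(b"CWD "), FuzzString("cwd_arg", b"/"), Static(b"\r\n"),
        Static(b"MKD "), FuzzString("mkd_arg", b"fuzz"), Static(b"\r\n"),
    ])


def deliver(payload: bytes, host: str, port: int = 21, timeout: float = 3.0) -> bytes:
    """Send one rendered case to a live server and return whatever it replied.
    A real run loops over cases and watches the target for crashes; Sulley's
    session and process-monitor agent do that job. Not called at import time."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)            # consume the banner
        s.sendall(payload)      # commands are pipelined in one write
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
        return b"".join(chunks)


if __name__ == "__main__":
    req = ftp_post_auth_request(b"anonymous", b"fuzz@example.net")
    print(f"{req.total_cases()} cases")
    for name, payload in req.cases():
        print(name, payload[:60])
```

In Sulley itself the same request shape is written with `s_initialize()`, `s_static()` for the USER and PASS lines and `s_string()` for the command arguments; the generator here exists only so the structure can be run and inspected without a server, and `deliver()` marks where a live target would be plugged in. Pipelining the whole case in one write is a simplification: if the target rejects the CWD line, the MKD mutation still goes out, so crashes must be correlated back to the case by the harness rather than by reply parsing.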