BSidesNCL (Newcastle) 2021 - Fuzzing: Finding Your Own Bugs and 0days! - Rodolpho Concurde (ROd0X)

So, this is Rodolfo Concurli, Rodox on Twitter, and he's going to talk to us about finding your own bugs in Xerolease. So, I'll hide myself away if you want to start. Can I start the presentation? Yeah, you can start now. Okay. Hello everyone, welcome aboard to my talk. My talk is about fuzzing: find your own bugs in XeroDays. My name is Rodolfo Concurli, but you can call my nickname "Hodox". I read about me. I'm a presentation tester, instructor of IT, consultant of information security throughout 30 years. I'm certified digital hacker by the Council. I give talks at the Hacking in the Box, Arab Security Conference, Monitoring Reload Con, Redditing Village, Stack Conf, Besides Attentive, Besides Attacks. I'm an author, at the Hacking9

Magazine about Stack Overflow and the Paint Test Magazine about Covered Channel. From Fuzzy to Geita Shell, from SE8 over I to Geita Shell. And here we have my LinkedIn profile by email. For who want to contact me, for take out some doubts, you can write on my LinkedIn profile or my email. Our agenda. About fuzzing, we will see types of types, types of attacks, types of fuzzers, both overflow, and we have a POC. Types of attacks: Fuzzers would try combinations of attacks on numbers, charts, metadata, pure binary sequences, essential for the type to run each of the sequences of dangerous strings. Again, essential for the type to run each of the sequences of dangerous strings. and

here we have some some examples of the dangerous things the dangerous things that you will send against the target types of targets might be protocol application file format types protocols ftp pop3 smtp till net anywhere any protocol application any push of any application File Format: Any file format: MP3, MP4, MP3U, MP4, Quaditest, Software Reader. Types of Fuzzers: Characteristics: Dumb, Smart Fuzzing, Dumb and String Combination. Smart Fuzzing: Smart Fuzzers are a programmatic technology of input format, a protocol definition or rules for file format. Smart Fuzzing might be mutation generation evolutionary. Due this Smart Fuzzing as a complex topic, I won't get in depth in this subject, but I leave here the F-Secure website with more information

about Smart Fuzzing. I leave here a F-Secure website with more information about Smart Fuzzing. Burf Overflow. Burf Overflow is a numery where a program While writing data to a buffer, overrun the buffer's boundaries and overwrite adjacent memory locations. Might be rip-based and stack-based. Rip-based: Placed in memory which allocates a large amount of data and dynamics. Stack-based: Locate a limited or fixed size of data, such as data from local variables or a function. Here we have buffer for code example. In this code example, we have here variable "shar" buffer, variable buffer as "shar" with 5 bytes. What's problem with this code? This problem is that this code don't verify what should do if user insert more than 5 bytes.

So if user insert more than 5 bytes, the application will get the cache. Here we have an overflow image. Here we have the left image, the variable 4, with 11 eggs, and the right image, the variable 4, with 150 eggs. This is the variety of the ISP and the BP register. Occurs here a stack overflow. In this image we have here a stack overflow. Now we have a POC. Here we have a code, a Python code scripting that make a fuzz. This is a script that will make a fuzzing. Here we have variable buffer with character a, variable counter equals 100, and here we have counter equals 100, counter plus 200. We will send this a lot amount

of character a, we will send a lot amount of character a, unless it's type tp, in port 110. Again, we will send a lot amount of character "a" against this IP in port 110. Here we have a command "use" and a command "pass". Command "pass" plus "string". We will send a lot amount of character... Here we have four strings in buffer. We will send in command "pass" a lot amount of character "a". why use it from the user from the past from the user in common the path is specified in document of protocol pop 3 we have here rfc document rfc 10 and 1 this document rfc 10 and 1 is documented to specify a

characteristic of protocol pop 3 so in this document rfc 10 and 1 that is that tell us that it should use a common user, common path. Common user, common path is take out of document RPC-1081. And this, this fuzzing script will send, common path, will send a common path a lot amount of character A. Let's see the video POC. Let's see the video POC. Let's run an Nmap against the target for CD open ports.

Here we have a part 110 as open. This running protocol pop 3 in part 110. Let's open our fuzzing script. We have a variable buffer with character "a". Here we have 4 strings in buffer. We will send a lot amount of character "a" against this IP in part 110. and here we have a comedy user comedy pass in comedy pass we have plus string so we'll send we'll send the comedy pass a lot amount of character a with objective of cause crash in this application again you send a lot amount of character a in comedy pass comedy pass is specified a document of protocol pop3. Protocol pop3 make using common path. And we send a

fuzzing, Python fuzzing. We send a lot amount of character A. 5900 bytes of character A. Let's run the map again against the target IP. And as we can see, we have port 110 as down. Part 110 is down because of a crash in the community path. Let's continue with our slides. Here we have a vulnerable software to download. For who want it, I'll make available my LinkedIn profile the link for these slides. I'll make available my LinkedIn profile the link for these slides. Another POC now. We have vulnerable software to download and we're gonna open in Munari Debugger, we're gonna open in Munari Debugger the vulnerable software. Let's see another video POC. Let's see another video POC.

In this video, in this video we will learn how write step by step our own exploit code. Let's open the exploit code. Let's open the exploit code. We have a buffer size variable of 50,000 and a variable buffer with a lot amount of characters. This a lot amount of characters are generated by two pattern create. Here we have output of the file. we're gonna use we're gonna learn a generate this a lot amount of characters with the tool pattern create let's use the two pattern create dash l the link 50 000 bytes 50 000 bytes and we generate a lot amount of characters this a lot amount of characters We will put in our exploit code and we will load this

a lot amount of characters in our vulnerable software. We will load this a lot amount of characters in our vulnerable software with objective of cause a crash in vulnerable software. You should copy and paste this a lot amount of characters in our exploit code.

Save this exploit code. Let's compile our exploit code with the name of the file. For compile our exploit code. We have the output file. Let's move our compiled exploit code to a desktop. Let's copy our compiled exploit code to a victim VM. Copy our compiled exploit code to a victim VM. Open Moodle debugger. Open Moodle debugger. Run vulnerable software. Click in file, attach. Let's attach our vulnerable software in Moonlight Debugger. Let's run vulnerable software in Moonlight Debugger. Then let's load our Compile Exploited Coder in vulnerable software. Let's load our Compile Exploited Coder in vulnerable software. And we have a crash. Here we have here a register ISP with a lot amount of characters and we have here in stack a

lot amount of characters. We have here in stack a stack overflow. Again we have here in stack a stack overflow. These characters are that characters that we put in exploit code. We loaded a lot amount of characters in vulnerable software and we have a cache in vulnerable software. We have here a stackoverflow and we have here a value of the register_eip. What's the function of register_eip? register_eip indicates the next address that the CPU will execute. Again, the register_eip indicates the next address that the CPU will execute. We want to put a value in registry_hype, we want to override the registry_hype with address that make a jump to ISP. Because here in ISP we will put

our shell code. Again, here in ISP we will put our shell code to make a reverse shell, to get a shell. So for this, we need to override the register EIP. We need to override the register EIP with address, with some address that make a jump for ISP. Because ISP will put our shell code to get a reverse shell. For this, we need to find an offset of the register EIP. For this, we use a tool pattern offset, pattern offset. slash dash parent offset dash l the length 50 000 dash q and the value of the registry ip 79533579 is the value of registry ip again we will use we will use a two pattern

of effects to find the offset of register yipe for this we typed pattern offset dash l the length 50 000 bytes that skill and the developer of registry ip for find an offset of registry ip. We found an offset 35,056. We found offset 35,056. Now we need to put this offset in our exploit code. We need to put this offset in our exploit code. And we We have here both sizes, the total of buffer size, both sizes 50,000 bytes, variable junk equals x for the one, x for the one means character A, again x for the one means character A, multiplied by 35,056, So we will fill in vulnerable software, we will fill vulnerable software, x.1 up

35,056. We will fill vulnerable software x.1, means character A, up 35,056. After we have here a variable yipe. In variable yipe, we have some address that we need to find this address. This address makes a jump isp. Now we will find this address, address that makes a jump isp. Let's learn how to find this address that makes a jump isp. Let's learn how to find this address. For finding this address, we type here exclamation, mona, modules, for cdmodules in our vulnerable software. we need to find some module that don't have secure mechanisms as true. We will use here this module msvolts.dll. We will use here the module msvolts.dll. Because this module has secure mechanisms as false, we have here

secure mechanisms safe as E8 as false, ASLR as false, NXCompate as false. For this, we need to find some modules that have secure mechanism as false. And we found the module msvolves.dll. So we will use the module msvolves.dll because this module has a secure mechanism as false. Now we need to find the opcode jump_isp in module msvotes.dll. We need to find the expression jump_isp inside the module msvotes.dll for making a jump from yipe to isp, because in isp we will put our shell code. For this, let's use a tool named shell, type the name shell, jump_isp. We want to find the opcode for jump_isp.

Again, we will use a module msvols.dll because it has a secure mechanism as false. And we found our code sse4. Sse4 means jump isp. Again, sse4 means jump isp. So let's type in command bar exclamation mona, exclamation mona, find. dash s the search xffxe4 that means jumpisp dash m the modules msvose.dll so we want to find exclamation mark find want to find -fsearch find ffe4, means jump-isp. We want to find jump-isp inside the module ms-volves.dll. So we want to find an expression jump-isp, that means ffe4. We want to find a jump-isp inside the module ms-volves.dll. And we found the address 01BA135B. we found the address 01BA135B. This address has an opcode FFE4 with secure mechanisms as false.

Again, this address 01BA135B, this address has an FFE4, that means jump and spin, with secure mechanisms as false. We use this address 01BA135B.

For this, we write in variable yipe the address 5B13BA01. We typed this address unlike because the architect x86 should write this address unlike. 5B13BA01, this address is like 5B13BA01, it's an address that makes a jump ISP. For this, we typed the variable YIP, this address 5B13BA01, this address that makes a jump ISP, because we want to make a jump from YIP to ISP, because in ISP we put our shellcode.

Before generating our shell code to get our first shell, we need to find these bad characters for avoid error. So let's learn what means bad characters. Here, now we need to search for bad characters. Depending on the application, type of vulnerability and the protocols in use, maybe certain characters which are considered bad, should not be used in your buffer or shell code. One example of bad characters is a "00". This character is considered bad, because its new byte is also used to terminate a string cooperation. which will truncate our buffer whenever each new byte appears. So, it has some characters that in this application should be considered bad. And one example of this bad character is

00. So we need to find other bad characters. We need to find other bad characters. in this application. For this we will send in this application, we will load in this application all these characters from 01 up ff. We will load in our vulnerable software from 01 up ff with objective of find a bad character.

For this, we will put in variable bad chars, we put in variable bad chars, all these values from the one up ff. We will load in our vulnerable software, we will have exploit equals junk, concatenate with y, concatenate with bad chars. We will load all these characters in our vulnerable software. Let's save the exploit code, compile our exploit code,

We generated our CompileXPlat code. Let's move the CompileXPlat code to our desktop. Now let's restart the Moodle debugger. Let's restart the Moodle debugger. Let's run the VulnerableSoft in Moodle debugger. Let's run VulnerableSoft in Moodle debugger. Let's copy our CompileXPlat code to a victim VM. Let's copy the CompileXPlat code to a victim VM.

Let's click the right button in Moodle Debugger. Right button, go to expression to find the address of jumpisp01ba13.b. We find the address for jumpisp and here we have the address 01ba13.b with opcode ffe4 jumpisp. Here we have A address 01BA135B is an address that will make a jump ISP. Here we have an opcode FFE4 that means jump ISP. It's an address that will make a jump ISP. Make a double click in FFE4 to put a black point in address jump ISP. Give a double click in FFE4. Give a double click in FFE4 to put a black point in jump ISP. Backpoint for stopping the flow of execution in JMP-ISP, for stopping a flow of execution in

JMP-ISP. And now let's load a CompactXPlat code in Vulnerable Software. Let's load a CompactXPlat code in Vulnerable Software. And here we have a flow of execution stopped in JMP-ISP address. We have in Yipe, here we have in register Yipe, the flow execution stopped in jumpisp address. We have in register Yipe a flow of execution stopped in jumpisp address. Clicking with right button in register Yipe following the link. Again, clicking right button in register Yipe and following the link. write the bottom register isp following dump for cd buffer isp and the east we have here zero one zero two zero three zero four zero five zero six zero seven zero eight and after zero zero zero zero we

don't have here zero nine occur here some error occur here some error because we don't have here zero nine should have here 090, 0a, 0b, 0c, etc. But we don't have here 090 because there is some error here. Because we have some crashes in some bad characters. We have here some crashes in some bad characters. I know that this character 0a is a bad character. Character 0a is a bad character. So we need to erase the 0a. We need to erase the 0a for see if it occurs some error again. We need to erase the 0a for see if it occurs some error again. So let's compile our exploit code. Compile our exploit code. Move our compiled exploit code to our

desktop. Let's restart the Immunery Debugger. Run Vulnerable Software Immunery Debugger again. Run Vulnerable Software Immunery Debugger again. Click with right button. Go to Expression. And find the jump-isp address. Find the jump-isp address. Give a double click in FFE4 to put a back point jump-isp. Give a double click in FFE4 to put a back point jump-isp.

Let's copy our Compile Exploited Code to a victim VM. Copy our Compile Exploited Code to a victim VM. And then let's load our Compile Exploited Code in our vulnerable software. The flow of execution stopped in jump-easp. The IP has the address of jump-easp. Click the right button in easp, following dump. right bottom in ISP following the AMP. And now we have 01020304050607080. And now 090B0C0D and et cetera. Now we don't have error more. After 090, we have 0B0C0D0E0F and et cetera up SF. We have value from 01 up SF. we don't have error more because we discovered that the 0a is a bad character. 00 and 0a is a bad character. Again, 00 and 0a is a bad character. So we need to

avoid in our buffer, we need to avoid 00 and 0a. we need to avoid in our buffer a 00 and a 0a, because 00 and 0a are bad characters. So now we need to generate our shell code without 00 and without 0a. Let's restart the Moodle debugger. Start the Moodle debugger. Run vulnerable software in Moodle debugger again. Right button, go to expression. Let's find a jumpisp address. 01BA135B is a jumpisp address. FFE4 means jumpisp. Let's put a backpoint in jumpisp address. Give a double click in FFE4 to put a backpoint in jumpisp. Put a backpoint in jumpisp. With a double click in jumpisp. So now, let's generate our shell code to make our voice shell.

Now we're gonna generate our shell code to make a reverse shell, to get a shell. For this, for generating our shell code, we will use a tool MSF Vino. We will use a tool MSF Vino. For this type, msfvino -p of payload, windows shell versus TCP is our shell code, is our payload, sorry, is our payload shell versus TCP, windows shell versus TCP, any host, our local IP, any port, 5555, the connect back is important 5555, file per, e-e encode shikataga9, and e-b for avoid bad chars 0800. So we will generate our shell code avoiding bad chars 0800.

So we will generate our shell code avoid bad characters -b, the bad characters, avoid bad characters 0a, 0, 0. Because 0a, 0, 0 is that bad characters that we discovered. Let's open our exploit code. And now we have here a variable shell. In this variable shell, we will erase this old shell code for paste our new shell code. We have here a variable of both sizes, 50,000 bytes. It's a total of bytes. Variable junk is X41. X41 means character A multiplied by 35,056. The variable "eip" is the address that makes the jump "e-sprey". We overwrite the variable "eip" with the address that makes the jump "e-sprey", address 5B13BA01. It's the address that makes the jump "e-sprey". And here we have the

variable "loops", with 90. 90 means loops, loops means no operations because do nothing. We will put in isp some loops and after our shell. Again, we will put in our isp some loops that do nothing and after our shell. Forget our reverse shell. Here we have variable yipe. If you are address that make a jump, isp jump from yipe to isp. After we have some loops, we will put in "isp" some loops that do nothing. And after "in" "isp", we will put our shell, for make a verse shell. So let's erase this old shell code. Let's erase this old shell code, for put a new shell code. And here we have our new shell code. Let's

copy this new shell code. copy this new shell code shell code to to make a reverse shell to get a reverse shell let's paste in our exploit code this new shell code let's paste in our exploit code our new shell code shell code to get a reverse shell and here we have here a variable exploit equals junky concatenate with y concatenate with loop to concatenate with shell

We will load in our enabled software this shell code. We will load all these junk, yipe, loops and shell. We will load all these in our enabled software. Let's save the exploit code. Save this exploit code. And let's compile our exploit code. We have a POC file. Output, POC file. Let's move this POC file to a desktop.

and now let's put the net catch to listen on party five five five five with netcat dash l nvp five five five five to put a net catch to listen on port five five five five to get a reverse shell get a connected back to get a reverse shell let's copy a pop file to a victim vm copy pop files copy to a pop file to a v2 vm

Let's load our Compact Exploited Code to vulnerable software. Let's load our Compact Exploited Code to vulnerable software. And we have here a flow of execution stopped in JMP-ISP. We have in the registry IP 01-BA-13-5-VB. 01-BA-13-5-VB is an address that makes JMP-ISP. this is that make a jump isp so let's click if you right button isp following dumping right button is following dump for cd buffer isp the isp in isp we have it now 999 our nooks we have in isp our loops and the after ba b0 97 is our shell code as we as we can see Here we have in our shell code, we have BA B097 and we have in our buffer of ISP BA B097, we

have here our shell code. So we have in our buffer of ISP our loops, because do nothing, and after our loops we have our shell code together versus shell. we have after our loops, we have our shell code to get the reverse shell. Now let's run a vulnerable software. Let's run vulnerable software. And we have a shell. We have a reverse shell. Let's see the IP config, IP of victim VM. Let's see the user. With net user, we have user, the administrator. So we see, we get a reverse shell.

So we have in this slides, we have a step by step of how you can write your own exploiting code. We have step by step of how you can write your own exploiting code. For who want to see step by step, I'll became available on my LinkedIn profile this link for this slide. That's it. Thank you everyone for watching me. Now I open for the questions. now i open for the question thank you very much