Results tagged “fuzzing” from Just Another Hacker

Doona - network protocol fuzzer

|
Doona is a fork of the Bruteforce Exploit Detector, it was renamed to avoid confusion as it has a large number of of changes. You should get a copy from github if you want to try it: https://github.com/wireghoul/doona.

It's currently a little short on documentation, so I will let the changelog details some of the many differences between Doona and BED:

[ 0.7 ]
- resolved the need for a hardcoded plugin list
- added max requests option to allow parallel execution (easier than hacking in thread support)
- added sigpipe handler to prevent silent exit if server unexpectedly closes the connection
- added http proxy module
- added more ftp test cases
- added more rtsp test cases
- added more http test cases
- added more irc test cases
- fixed a long standing BED bug where two test strings where accidentally concatenated
- fixed a long standing BED bug where a hex representation of a 32bit integer was not max value as intended
- aliased -m to -s (-s is getting deprecated/reassigned)
- renamed plugins to modules (-m is for module)
- removed directory traversal testing code from ftp module
- rewrote/broke misc testing procedure to test specific edge cases, needs redesign
- added support for multiple setup/prefix/verbs, ie: fuzzing Host headers with GET/POST/HEAD requests
- fixed long standing BED bug in the smtp module where it wouldn't greet the mail server correctly with HELO
- added more smtp test cases
- fixed long standing BED bug in escaped Unicode strings
- added more large integer and formatstring fuzz strings
- fixed column alignment in the progress output


[ 0.6 first doona release ]
- added rtsp module
- added tftp module
- added whois module
- added more irc test cases
- added more finger test cases
- added more http test cases
- added more ftp test cases
- added progress indicator count to fuzz cases
- added resume feature (uses test case number)
- added crash indicators for test case number
- added signal handlers (displays testcase number on crtl^c or kill)
- added feature to dump what a test case number would send
- ftp module now uses anonymous login if username password not provided
- changed the order test cases are executed to allow corner cases to be tested earlier
- changed diagnostic output
- new and improved help text
- some code cleanup


Writing a better RFI scanner

|
So had this chat with the boys in the office the other day and mentioned my long standing thoughts on how automated remote file inclusion scans should be done right, and figured I might as well share it with everyone.

Most tools today will just try to fetch a web url, like http://www.google.com and claim that it has found a remote file inclusion. I suppose technically it is still accurate, but I mostly care for code execution, not so much web proxy scripts. To be honest, detecting code execution is pretty trivial. Sure it becomes more annoying as you try to support multiple languages, but for now, lets focus on the worst RFI offender; PHP.

Lets pretend I'm writing a scanner, and this scanner uses the normal crawl and replace querystring values with my RFI url approach. My first port of call is to create a code snippet that I will use for testing code execution with. I've picked the string just another remote file inclusion! as my signature. Now we add some complexity to ensure that we don't accidentally get a false positive on the remote chance that the webpage we're fuzzing happened to contain that string.

~$ echo -n 'just another remote file inclusion!' | md5sum -
8a7f7dc99a12132a94c88b931e92f463  -
~$ echo -n '8a7f7dc99a12132a94c88b931e92f463' | uuencode -m -
begin-base64 644 -
OGE3ZjdkYzk5YTEyMTMyYTk0Yzg4YjkzMWU5MmY0NjM=
====
This gives me both the code exec and non code exec signatures. We stuff the base64 into a php file like so: [RFIproof.txt]
<?php echo(base64_decode('OGE3ZjdkYzk5YTEyMTMyYTk0Yzg4YjkzMWU5MmY0NjM=')); ?>
Then I write a simple snippet to check for RFI:
sub check_RFI_exec {
    my ($url, $querystring, $fuzzparam) = @_;   #Function arguments
    $querystring =~ s!$fuzzparam=[^&]+!$fuzzparam=http://www.justanotherhacker.com/RFIproof.txt!;   #Using ! to avoid escaping characters
    my $content = get("$url?$querystring");    # Fetching url using lwp-simple 
    if ($content =~ m/8a7f7dc99a12132a94c88b931e92f463/) {    #md5sum means base64_exec'ed
        print "RFI code exec at: $url?$querystring\n";
   } elsif ($content =~ m/OGE3ZjdkYzk5YTEyMTMyYTk0Yzg4YjkzMWU5MmY0NjM=/) {   #base64 string means no exec
       print "RFI without exec: $url?$querystring\n";
   }
}
I chose perl, but you can write yours in whatever language you choose. Adding some error handling is recommended, but I left it out as it's only a hypothetical code snippet. I'm not actually writing this scanner, but hopefully someone else will.

Dugong-fuzz

|
dugong.jpgDugong-fuzz is a simple genetic file fuzzer written in perl6 using the rakudo star early adopters release. It uses an simple genetic approach to mangle the "X and Y bits" or two parent files to produce a new file (a child). This is adopted from a similar qbasic file I had for pmars (core wars) back in the days.

Dugong-fuzz pays tribute to the gentle sea cow by the same name. You can find out more from wikipedia.

The dugong-fuzz project is available from github and you will need rakudo perl or another perl6 implementation to run it.


Playing with Fuzzdb

|
I suppose this could be called a tool review, as fuzzdb is a very useful collection of strings. I have played with fuzzdb before, in fact it was always my intention to write WWW::TamperData so I could leverage fuzzdb for specific penetration testing in the deep webs. The next release of TamperData should be functional for that, albeit, some elbow grease will be required.

Adrian Crenshaw of irongeek fame has inspired me to start yet another project based on fuzzdb. If you haven't already done so, grab yourself a copy right now from http://code.google.com/p/fuzzdb/

Tool review: Fuzzman

|
Fuzzman is a simple perl script from cipher.org.uk (the guys that brought you bugle). It is a simple perl script that inspects the man page for a command and enumerates through the combinations of command line options. It then creates a shell script that will run the commands with fuzzing data, such as buffer overflow or format strings. You then run the shell script and look for a crash. It's a simple automated script, with some simple changes you could even make it part of your automated testing suite.

For more information on fuzzman, examples and download go to:
http://www.cipher.org.uk/read/2007/04/18/fuzzman-man-pages-based-fuzzer/

Pros:
By generating the fuzzing script from man pages it can fuzz any binary that has a man page.

Cons:
Many binaries are missing or have inconsistent man pages.

No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.