Saturday, March 19, 2011

Linux exploit development part 1 - Stack overflow.

I've started to write a series of tutorials about exploit development on Linux. This is the first part, which covers a stack overflow with a hardcoded ESP address (I know it's unreliable, that's why it's part 1).
Anyways here is the PDF: Linux exploit development part 1 - Stack overflow

Hope you enjoy it.

Saturday, March 12, 2011

Installing and Tweaking SPIKE and sickfuzz v0.3

Not sure how many tried out this "fuzzer", but the v0.3 is out with more pwnsauce.

Download link: http://code.google.com/p/sickfuzz/downloads/list
svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz

New features:
- Some SPIKE tweaks.
- Changed the SPIKE fuzzer.
- Modified the .spk scripts.
- More logs available.
- More detailed help screen as well as output.

Fixed bugs:
- Fixed trailing-slash issue, now paths don't have to end with "/".
- Now stops when app crashes without going over the other scripts.

Install SPIKE and sickfuzz:

root@bt:~# apt-get install automake
root@bt:~# rm -rf /pentest/fuzzers/spike/
root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz
root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz
root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/


Before actually starting to compile SPIKE we will make a little tweak (thanks to master @lupin for this one!).
Open up spike.c; there are 2 lines that look like this:

printf("tried to send to a closed socket!\n");

Each of these 2 lines is followed by a "return 0;" statement on the next line. Replace that statement with "exit(1);", save the file and proceed.
(NOTE: ONLY REPLACE THOSE 2 STATEMENTS, NOT EVERY "return 0;" IN THE FILE!)


Now we can proceed with SPIKE:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make


If you get this error:

configure: creating ./config.status
cd && /bin/sh ./config.status Makefile
/bin/sh: ./config.status: No such file or directory
make: *** [Makefile] Error 127


Execute the following commands again:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make


It should work now.

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd
root@bt:~# rm -rf /pentest/fuzzers/SPIKE/

root@bt:~# cd /pentest/fuzzers/
root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz


Also, if you are interested, g0tmi1k made a nice script to automate the whole process:
http://code.google.com/p/sickfuzz/downloads/list

For more info on using SPIKE check out lupin's guides:
http://resources.infosecinstitute.com/intro-to-fuzzing/
http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

Thursday, March 3, 2011

sickfuzz - HTTP fuzzer.

Before we get started, here is some basic knowledge which you might or might not know:

# What is fuzzing?

In short, fuzzing is a technique used to discover coding errors in software by sending unexpected data to a specific port, app, etc. For example, if we have a small application that asks us for a number between 1 and 10 and then divides our number by 2, what will happen if we enter "%Io&6...."? (It's not the best example, I know, but I think you get the picture.)

# How does this help us?

Well, depending on how the application crashes, we can have a number of vulnerabilities like buffer overflows, DoS, etc.
NOTE: The definitions above are not complete; if you want more details I suggest you try Google.

Before we begin, a few answers to some questions that most of you will ask:

1. Why did I make a fuzzer when there are other fuzzers out there?

Yes you are right there are a lot of other fuzzers out there, my fuzzer wasn't intended to be a public fuzzer. I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, maybe people will like it.

2. Why is my fuzzer more special than other fuzzers out there?

The answer is simple, it's not! I didn't make it to be more special than other fuzzers out there, I just included some features that I needed and nothing more.

OK, now that we have covered these basic questions, let's move on and see how it works and what features it has:

# What is sickfuzz?

sickfuzz is a wrapper around SPIKE written in python.

# How does it work?

It actually accepts CLI arguments and based on those it launches the SPIKE "generic_send_tcp", with custom made .spk files.

# What other features does it have?

- tshark support (tshark is the CLI version of Wireshark): once you start fuzzing, tshark starts to capture the HTTP packets that go to your specified port for later analysis.

- Checks whether the app crashed or not. Most apps, when they receive a large number of requests, start denying them, and most fuzzers see that as a crash and just stop. When sickfuzz encounters such behaviour, it checks whether the application really did crash, and if the application is still up it resumes the fuzzing process.

- It's really fast and has a lot of mutations (SPIKE rocks!)
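
A sketch of the crash check described above, as an added example (not sickfuzz's own code). It assumes that the patched generic_send_tcp exits non-zero when its socket is closed, that the binary sits at the path used in the install post, and that "resuming" means moving on to the next .spk script; the function names are hypothetical.

```python
import socket
import subprocess
import time

# Assumed install path from the SPIKE post; adjust to your lab setup.
GENERIC_SEND_TCP = "/pentest/fuzzers/spike/generic_send_tcp"

def probe(host, port, timeout=2.0):
    """True if a plain TCP connect to the test server succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(host, port, retries=3, delay=1.0, probe_fn=probe, sleep=time.sleep):
    """Called after a failed send: returns 'alive', 'throttled' or 'crashed'."""
    for attempt in range(retries):
        if probe_fn(host, port):
            # Reachable at once: still up. Reachable after a wait: it was throttling.
            return "alive" if attempt == 0 else "throttled"
        sleep(delay * (attempt + 1))  # back off so a rate-limited server can recover
    return "crashed"

def run_spike(host, port, script):
    """Run one .spk script from variable 0 / string 0; returns the exit status."""
    cmd = [GENERIC_SEND_TCP, host, str(port), script, "0", "0"]
    return subprocess.call(cmd)

def fuzz_all(host, port, scripts, run_fn=run_spike, classify_fn=classify):
    """Run the scripts in order and stop at the first confirmed crash."""
    log = []
    for script in scripts:
        status = run_fn(host, port, script)
        if status == 0:
            log.append((script, "completed"))
            continue
        state = classify_fn(host, port)
        log.append((script, state))
        if state == "crashed":
            break  # the crashing script stays last in the log; skip the rest
    return log
```

The last entry of the returned log names the script that was running when the server went down, which is the one to replay against the tshark capture.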

# What do I need to run it?
- SPIKE
- Wireshark (tshark + editcap)
- Python
- Web server victims

Also g0tmi1k made a cool video, demonstrating how to use it, check it out:



Download sickfuzz

OK, now at the end I want to thank all who helped me with the fuzzer:
ArchangelAmael
Nullthread
Dinos
corelanc0d3r
g0tmi1k

g0tmi1k's blog post here.