In the previous two posts in this series, we looked at the basics of buffer overflows. In this post, we will look at one technique for finding buffer overflows. We will try to send random, oversized, and invalid data at a variable to see whether we can get a crash or overflow. This process is known as fuzzing. It is often the first step in developing an exploit, as we need to find some variable that is susceptible to overflowing. There are a number of commercial fuzzing tools, most notably Peach, which I hope to do a tutorial on soon. It is an excellent fuzzing tool, but it is not free. On the other hand, Kali has a number of fuzzing tools built in, including Bed, Sfuzz, and Powerfuzzer, among others.
Fuzzing with Spike
Among these free fuzzers, Spike is perhaps the best. Spike is poorly documented and less than intuitive, but it is powerful and adaptable once you become familiar with it. In fact, adaptability is probably Spike's strongest feature, while its ease of use is probably its weakest. In this tutorial, I hope to show you the basics of using Spike and lift the veil on its seemingly bewildering inner workings, so that you can take what you learn here and use this powerful tool to find your very own buffer overflow. Essentially, Spike is an API that enables us to quickly develop stress tests of the protocol or application of our choice. Since many protocols use similar data primitives, Spike gives us the capability to model these primitives and then vary them in ways that may break the protocol or application.
Step 1: Download & Install Vulnserver
To learn and practice our fuzzing with Spike, let's download and install a purposely vulnerable server for a Windows system. This server, known as Vulnserver, can be downloaded from here. Download it and install it on a Windows system. To start Vulnserver, just click on the .exe file or type vulnserver on the command line followed by the port you want Vulnserver to listen on. Vulnserver listens on port 9999 by default, so if you just execute Vulnserver, it will listen for connections on port 9999. If you want Vulnserver to listen on a different port, just run the executable followed by the port number, such as:

C:\vulnserver 2015

This will create a vulnerable server listening on port 2015. In this lab, I will be using the default port 9999, but you can use whatever port you prefer. Now, let's try to connect to Vulnserver with Netcat from our Kali attack system.

kali > nc 192.168.181.129 9999

As you can see below, Vulnserver displays its welcome banner and informs us that we can type HELP to get more information on Vulnserver. Let's type HELP.
Vulnserver responds with its valid commands.
Step 2: Fuzzing with Spike
Spike has the capability of generating custom scripts to test various protocols and applications. These custom scripts are really the strength of Spike. When a script is created in Spike, it is given the .spk extension. Therefore, if we want to find ready-made Spike scripts before we advance to writing our own, we can find them by typing:

kali > locate .spk

This will locate any file with .spk in its name. When we do so in Kali, we get the output seen below.
Each of these scripts is designed to "audit" various protocols and attempt to "break" them. They are organized into directories based upon the protocol they are designed to "break." We can find them all at /usr/share/spike/audits. When we navigate to that directory and do a long listing (ls -l), we can see all of the sub-directories with scripts for auditing various protocols.

kali > cd /usr/share/spike/audits
kali > ls -l
As you can see in the screenshot above, there are many pre-built "spikes" that you can use to audit protocols such as:
Compaq
MS Exchange 2000
IMAP
Oracle
MS SQL Server
SMTP
FTP
POP3
And many others
Each directory then includes numerous scripts that can be used to test and audit the given protocol.
Step 3: Fuzzing TCP Applications
In this tutorial, we will be fuzzing a server, so we will probably want to use either TCP or UDP. Spike has a built-in script interpreter for each, namely generic_send_tcp and generic_send_udp, respectively. These interpreters are capable of sending data (in our case, fuzzed data) over the respective protocol when we provide an IP address and port number. In Kali, these commands can be found in /usr/bin, meaning that we can run them from any directory. In addition, we can access them through the GUI at Applications -> Kali Linux -> Vulnerability Analysis -> Fuzzing Tools.
Let's try typing generic_send_tcp and see whether we can pull up a help screen to give us some idea of how to use this command.

kali > generic_send_tcp
As you can see above, when we run this command, it returns a basic help screen. Note that to run this command, we just need to supply:
Target IP address
Port number
A Spike script
SKIPVAR and SKIPSTR
A typical command might look something like this:

kali > ./generic_send_tcp 192.168.1.101 80 somespikescript.spk somevariable somestring

All of the parameters here, I think, are self-explanatory with the exception of the last two, SKIPVAR and SKIPSTR. These two variables enable us to jump to the middle of a fuzzing session defined by a Spike script. In other words, we can start a script, stop it, and then return to it at a later time. In our case, we will keep things simple and set these variables to 0. Let's try using one of the built-in scripts against our Vulnserver to start. Let's try fuzzing the SMTP protocol of our Vulnserver.

kali > generic_send_tcp 192.168.181.129 9999 /usr/share/spike/audits/SMTP/smtp1.spk 0 0
As you can see in the screenshot above, this command starts Spike sending random, oversized, and invalid input to the SMTP server to test whether it can "handle" these inputs. If we go back to our Vulnserver on our Windows system, we can see that Vulnserver handled this onslaught of irregular data without skipping a beat!
Step 4: Creating Our Own Fuzzing Script
The beauty of Spike is that we can create our own script to fuzz a particular protocol or application. Remember, when we connected to Vulnserver with Netcat above, Vulnserver responded with its banner, and when we typed HELP, it responded with its commands. Let's try creating a script that will test the TRUN command in Vulnserver. We need to open a text editor to create our script. Any text editor will do, but I will be using Leafpad for this tutorial. Our script will:
Read the banner that the server sends;
Simulate the user sending the TRUN command;
Randomize the user input with the TRUN command.
Your simple script should look like the one below. It reads the banner (line 1), sends the TRUN command (line 2), and sends randomized input with the TRUN command (line 3).
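The script itself survives on this page only as the three-line description above, so the following is an added reconstruction from that description, not the author's own file. It uses the standard Spike primitives s_readline() (consume one line from the server, here the banner), s_string() (send a fixed string) and s_string_variable() (a fuzz point: Spike replaces its argument with each entry of its built-in list of oversized and malformed strings). The three statements correspond, in order, to lines 1 to 3 of the description; the leading comment lines and the value "COMMAND" used as the fuzz point's starting string are my additions.

```spike
// spiketrunaudit.spk (reconstructed example, not the original file)
// Fuzz the TRUN command of Vulnserver: read the banner, send "TRUN ",
// then send one of Spike's fuzz strings in place of the argument.
s_readline();
s_string("TRUN ");
s_string_variable("COMMAND");
```

Because the only fuzz point is the argument to TRUN, every request Spike emits is a well-formed "TRUN " prefix followed by one test string, which is what lets a later crash be attributed to that argument rather than to the command keyword.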
When you have completed the script, save it as spiketrunaudit.spk in the /usr/share/spike/audits directory. Once we have completed our simple script, we need to send it to our Vulnserver. We can do this by typing:

kali > generic_send_tcp 192.168.181.129 9999 /usr/share/spike/audits/spiketrunaudit.spk 0 0

Where:
192.168.181.129 is the target IP
9999 is the target port number
/usr/share/spike/audits/spiketrunaudit.spk is the absolute path to our audit script
0 is the SKIPVAR value
0 is the SKIPSTR value
When we hit Enter, Spike will begin to send the randomized and invalid data with the TRUN command to our server, as seen below. Eventually, we will see the following message: "Couldn't tcp connect to target tried to send to a closed socket!" Something has obviously gone wrong with our Vulnserver!
Now, let's go back to our Windows machine and check on our Vulnserver. As you can see below, Vulnserver has stopped! Our fuzzing with randomized and invalid inputs to the TRUN command has caused the server to crash. That's why we received the message in Spike on our Kali system that we could no longer connect. We now know that the TRUN command on this server is vulnerable!
Fuzzing is the process of sending unexpected data at an application or protocol, usually in the form of randomized, oversized, and invalid input, to see whether we can cause a buffer overflow or otherwise trigger an error in the system. This is a critical step in finding a vulnerable buffer that we can then later develop an exploit for. Spike is an excellent, if under-documented, fuzzing framework for creating your own unique fuzzers. Its flexibility and adaptability are its strength, and to find unknown buffer overflows, you are likely going to need to generate your own unique fuzzer.