3ps!L0nLaMbDa a.k.a Karthik Ranganath


Post on 09-May-2020


Page 1: 3ps!L0nLaMbDa a.k.a Karthik Ranganath… · Who am I? • Certified Ethical Hacker, CEH v6 • Writer at searchsecurity.IN • QA engineer at McAfee India R&D* • Owner of 3ps!L0nLaMbDa

Page 2:

Who am I?

• Certified Ethical Hacker, CEH v6
• Writer at searchsecurity.IN
• QA engineer at McAfee India R&D*
• Owner of 3ps!L0nLaMbDa blog


*On campus placement offered

Page 3:

Agenda

What is Fuzzing and Who should do it?

What are the various stages when Fuzzing a target?

Having a practical approach from the theory…

Different tools used in the process…

The future of Fuzzing…

Background

What are the entities that can be Fuzzed?

Phases

Classes

Automation

Tools and Demos

Future

Page 4:

Vulnerability Discovery Methodologies – White Box

• Source code review
• Static analysis
• Pros
    • Coverage
• Cons
    • Various dependencies
    • Implementation scenarios
    • Compiler issues

Also known as glass box, clear box and open box testing

Page 5:

Vulnerability Discovery Methodologies – Black Box
A software testing methodology where the internal workings of the software are not known to the tester.

• Reverse Engineering
• Static analysis
• Pros
    • Complex vulnerabilities uncovered
• Cons
    • Deep knowledge required
    • Time consuming

Page 6:

Vulnerability Discovery Methodologies – Black Box
A software testing methodology where the internal workings of the software are not known to the tester.

• Fuzzing
• Dynamic analysis
• Pros
    • Relatively simple
    • Realistic
• Cons
    • Complex vulnerabilities missed
    • Coverage

Page 7:

What is Fuzzing?
A software testing technique based on feeding random data (“Fuzz”) to the input of the target program.

• A failure in the program calls for correction of certain vulnerabilities.
• Extremely simple test design
• As the saying goes, “Unexpected input causes unexpected results”

Page 8:

Fuzzing… Who should Fuzz?

• Security Researchers: Reactive Fuzzing
• QA Teams and Developers: Proactive Fuzzing
• A few examples:
    • CCM Player BOF vulnerability
    • Windows RPC DCOM vulnerability
    • And lots more…

Page 9:

Phases of Fuzzing
The various phases involved in the process are described here.

1. Identify Targets
2. Identify Inputs
3. Generating Fuzzed Data
4. Execute Fuzzed Data
5. Monitor for Exceptions
6. Determine Exploitability

Page 10:

Automation – ‘Intelligent’ Fuzzing
This section covers various tools for automating the ‘Intelligent’ Fuzzing process over network protocols…

• Approach
    • Templates are developed based on the protocol definitions
• Tools used in this approach
    • SPIKE
    • SPIKE comes bundled in the BackTrack Linux Security Distro.
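The template-driven (“intelligent”) generation described on this slide, run through the generate / execute / monitor phases of the Phases of Fuzzing slide, as an added example that is not part of the original deck and is not SPIKE's own code. The template representation (fixed and variable parts, mirroring the idea of SPIKE's fixed strings and variable strings), the fuzz-string list, and the in-process `toy_target` command handler are all constructed here for illustration; the handler raises an exception where a C program would corrupt memory, so a QA harness can catch the fault without a debugger.

```python
# Constructed toy target in the style of the deck's command/argument protocol.
# The TRUN handler copies its argument into a fixed-size buffer with no length
# check; an over-long argument raises here in place of the memory corruption a
# real C program would suffer (the fault the fuzz loop is meant to surface).
BUFFER_SIZE = 256


def toy_target(packet: bytes) -> bytes:
    keyword, _, arg = packet.rstrip(b"\r\n").partition(b" ")
    if keyword == b"STATS":
        return b"STATS: 0 active connections\n"   # bounded handling, argument ignored
    if keyword == b"TRUN":
        buf = bytearray(BUFFER_SIZE)
        if len(arg) > BUFFER_SIZE:
            raise OverflowError("TRUN: %d-byte argument overruns %d-byte buffer"
                                % (len(arg), BUFFER_SIZE))
        buf[:len(arg)] = arg
        return b"TRUN COMPLETE\n"
    return b"UNKNOWN COMMAND\n"


def fuzz_strings():
    """Values substituted into a variable field: long runs of one byte at
    lengths bracketing likely buffer sizes, format specifiers, raw bytes."""
    yield b""
    for n in (1, 64, 128, 255, 256, 257, 300, 512, 1024, 4096):
        yield b"A" * n
    yield b"%s%n%x" * 10
    yield bytes(range(256))


def generate_cases(template):
    """Phase 3, generate fuzzed data. A template is a list of (kind, value):
    'fixed' parts are emitted unchanged, and each 'variable' part is fuzzed
    in turn while the other variable parts keep their default value."""
    variable_positions = [i for i, (kind, _) in enumerate(template) if kind == "variable"]
    for pos in variable_positions:
        for fuzz in fuzz_strings():
            parts = [fuzz if i == pos else value for i, (_, value) in enumerate(template)]
            yield b"".join(parts)


def run_campaign(template, target):
    """Phases 4 and 5: execute every case and record the ones that raised."""
    crashes = []
    for case in generate_cases(template):
        try:
            target(case)
        except Exception as exc:                      # monitor for exceptions
            crashes.append((case, "%s: %s" % (type(exc).__name__, exc)))
    return crashes


def shortest_crashing_length(crashes):
    """Triage helper: the smallest recorded input that still triggers the fault."""
    return min(len(case) for case, _ in crashes) if crashes else None


# Constructed templates for the two commands the deck walks through.
STATS_TEMPLATE = [("fixed", b"STATS "), ("variable", b"0"), ("fixed", b"\r\n")]
TRUN_TEMPLATE = [("fixed", b"TRUN "), ("variable", b"0"), ("fixed", b"\r\n")]

if __name__ == "__main__":
    for name, template in (("STATS", STATS_TEMPLATE), ("TRUN", TRUN_TEMPLATE)):
        crashes = run_campaign(template, toy_target)
        print("%s: %d of %d cases crashed" % (name, len(crashes),
                                               sum(1 for _ in generate_cases(template))))
        for case, why in crashes[:3]:
            print("  %d-byte case -> %s" % (len(case), why))
```

The STATS template produces no crashes and the TRUN template crashes from the 257-byte argument upward, which is the same contrast the deck observes between the two commands; the length ladder around 256 is what lets the first failing case point at the buffer size.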

Page 11:

Vulnserver
A vulnerable application developed by Steven Bradshaw that helps us understand the process of Fuzzing better.

Page 12:

Identify the Target

Identify Inputs

Generate Fuzzed Data

Execute Fuzzed Data

Monitor for Exceptions

Determine exploitability

Page 13:


The target listens for connections on port 9999 by default.

There is a list of various COMMANDS within vulnserver.

Running FUZZ tools on each of the inputs should give interesting results.

Page 14:


Let’s start with the first command, called STATS, and launch the SPIKE Fuzzer on the BackTrack machine.

SPIKE Fuzzer is generally used for network-based fuzzing.

Page 15:


SPIKE script for generating Fuzzed data:

Let’s save the file as STATS.spk.

Let’s use generic_send_tcp to send TCP packets to the target and analyze the behavior of the target.

Page 16:


In BackTrack, /pentest/fuzzers/spike/src contains the generic_send_tcp module of SPIKE.

On sending the packets, we see no failure effect on the program.

This probably means this function is not susceptible to overflows; we next move on to another function.
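The execute-and-observe step of the last four slides (a network target that listens for commands, cases sent over TCP, and a judgement of whether the service survived each one), as an added example that is not part of the deck and is not SPIKE's generic_send_tcp. `ToyServer` is a constructed stand-in for vulnserver: it binds an ephemeral loopback port rather than 9999, answers STATS and TRUN, and imitates a process crash by closing its listening socket when the TRUN argument exceeds a 64-byte buffer. The harness sends each case and then probes the service with a known-good command, so an outage is attributed to the exact case that preceded it rather than noticed some cases later.

```python
import socket
import threading

BUFFER_SIZE = 64   # constructed: the toy server's TRUN buffer size


class ToyServer:
    """Constructed target. A real target is a separate process; here the
    listening socket is closed to imitate that process going away."""

    def __init__(self):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        crashed = False
        while not crashed:
            try:
                conn, _ = self.listener.accept()
            except OSError:                            # listener closed by stop()
                return
            with conn:
                try:
                    self._handle(conn)
                except OverflowError:                  # simulated crash: service dies
                    crashed = True
        self.listener.close()

    def _handle(self, conn):
        data = conn.recv(65536)
        cmd, _, arg = data.rstrip(b"\r\n").partition(b" ")
        if cmd == b"TRUN" and len(arg) > BUFFER_SIZE:
            raise OverflowError("TRUN argument overruns buffer")
        conn.sendall(b"OK\r\n")

    def stop(self):
        self.listener.close()


def send_case(port, payload, timeout=2.0):
    """Deliver one case; return the reply, b'' if the peer closed without answering."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except OSError:                                # reset or timed out mid-read
            return b""


def target_alive(port):
    """Liveness probe with a known-good command: False if the connection is
    refused or reset, or the service answers with anything but OK."""
    try:
        return send_case(port, b"STATS\r\n") == b"OK\r\n"
    except OSError:
        return False


def fuzz_command(port, keyword, lengths):
    """Send keyword + 'A' * n for each n, probing liveness after every case.
    Returns (crashing_case_or_None, log of (n, reply, alive_afterwards))."""
    log = []
    for n in lengths:
        case = keyword + b" " + b"A" * n + b"\r\n"
        try:
            reply = send_case(port, case)
        except OSError:
            reply = None                               # could not even connect
        alive = target_alive(port)
        log.append((n, reply, alive))
        if not alive:
            return case, log                           # stop: this case killed it
    return None, log


if __name__ == "__main__":
    server = ToyServer()
    print("STATS:", fuzz_command(server.port, b"STATS", [16, 128, 1024])[1])
    crash, log = fuzz_command(server.port, b"TRUN", [16, 64, 65, 128])
    print("TRUN log:", log)
    print("first case after which the service stopped answering:", crash)
```

Stopping at the first case that kills the service, rather than blasting the whole case list, is what keeps the record useful: the case, its length and the last good case are exactly what is handed to the crash-analysis step the deck describes next.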

Page 17:


Let’s try the same process for the TRUN command.

Page 18:


We generate the fuzzed data using the SPIKE Fuzzer, replacing STATS with TRUN in the previous SPIKE script and leaving the rest the same.

Let’s examine the behavior of the program.

Page 19:


Page 20:


Next, we have to analyze the crash in a debugger to help us determine its exploitability.

A few things to note in this analysis are the EIP (Instruction Pointer) and the JMP addresses that need to be determined.

Page 21:


Page 22:


Determining JMP instructions can be automated by using the Cygwin shell of the Metasploit framework and running msfpescan on the DLL associated with the target.

Page 23:


We now have the EIP, and we also have the ESP address where the JMP call occurs.

We now know that the target is exploitable.

We can proceed to scripting an exploit.

Page 24:

Scripting an Exploit – Perl
This section covers exploit scripting in Perl.

• First, we need to determine the offset for the EIP recorded in the dump.
• Metasploit is a very robust exploit development tool, which comes with a module called pattern_offset to determine this.
• In BackTrack, /pentest/exploits/framework/tools/ contains the pattern_offset module.
• Random unique patterns of a set number of bytes can be created using the pattern_create module under the same category.

Page 25:


Pattern_create

Pattern_offset
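The pattern_create / pattern_offset step of the last two slides, as an added example that is not part of the deck and is not Metasploit's own code: a Python reimplementation of the cyclic-pattern idea used to triage a crash. It follows the ordering I know Metasploit's tool uses (every Upper-lower-digit triple once, so a 4-byte window is unique within the 20280-byte cycle); the crash value in `main` is constructed from the pattern itself rather than taken from a real dump. The question it answers is the one on the “Determine exploitability” slide: does the register value seen at the crash come from the test input at all, and if so at which offset, which is what separates a plain crash from a bug that controls the instruction pointer.

```python
import itertools
import string

# Three alphabets nested Upper / lower / digit; a full cycle is 26*26*10 triples.
ALPHABETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
MAX_LENGTH = 26 * 26 * 10 * 3   # 20280 bytes before any triple repeats


def pattern_create(length: int) -> bytes:
    """Cyclic pattern 'Aa0Aa1Aa2...' of exactly `length` bytes."""
    if not 0 < length <= MAX_LENGTH:
        raise ValueError("length must be between 1 and %d" % MAX_LENGTH)
    triples = ("".join(t) for t in itertools.product(*ALPHABETS))
    text = "".join(itertools.islice(triples, (length + 2) // 3))   # enough triples
    return text[:length].encode()


def pattern_offset(value, length: int = MAX_LENGTH) -> int:
    """Offset of a 4-byte crash value inside pattern_create(length), or -1.

    `value` may be the 4 pattern bytes as seen in the dump (bytes or str), or
    the register value as an int or '0x...' string, which is unpacked as a
    little-endian dword the way a 32-bit x86 register reads memory."""
    if isinstance(value, int):
        needle = value.to_bytes(4, "little")
    elif isinstance(value, str) and value.lower().startswith("0x"):
        needle = int(value, 16).to_bytes(4, "little")
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


def triage(register_value, sent_length: int):
    """Classify a crash: 'controlled' when the register holds pattern bytes
    (returns the offset), 'not from input' otherwise."""
    offset = pattern_offset(register_value, sent_length)
    return ("controlled", offset) if offset >= 0 else ("not from input", None)


if __name__ == "__main__":
    sent = pattern_create(3000)
    # Constructed crash value: pretend the dump showed the dword at offset 2003.
    eip = int.from_bytes(sent[2003:2007], "little")
    print("EIP %#x ->" % eip, triage(eip, 3000))          # ('controlled', 2003)
    print("EIP 0x41414141 ->", triage(0x41414141, 3000))  # ('not from input', None)
```

Feeding the pattern as the test input instead of a run of one byte is what makes the crash value self-describing: a run of 'A's tells you only that the register was overwritten, while the pattern tells you by which bytes of the input.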

Page 26:

• We also need to generate shell code for performing post-exploitation tasks.
• Here, let’s execute the Windows calculator application. The same can be used for malicious purposes, maybe to launch a Trojan or malware on the target system.
• We shall see the screenshot of the Perl code, with encoded shell code. The shell code is encoded to strip itself of bad characters.

Page 27:

• Now we start writing the script “exploit.pl” using the information we have accumulated.
• On running the script, we should be able to launch the calculator.

Page 28:

Calculator is launched as and when the program is crashed.

Page 29:

Integrating custom exploits with Metasploit
This section shows how to integrate any exploit into the Metasploit framework.

• Since the Metasploit framework is completely written in the Ruby language, we need to convert this Perl exploit into a module scripted in Ruby and then use the Metasploit exploit development framework along with the exploit for efficient exploitation.
• I have saved the same exploit, re-written in Ruby, in the /windows/misc directory of Metasploit.
• I have also made it possible to use the list of payloads readily available for exploitation under this framework.

Page 30:

Custom vulnserver exploit in use!

Remote host to be specified

Page 31:

Accessing the target remotely, with meterpreter shell!

Page 32:

Future of Fuzzing…
This section throws light on what can be expected in future Fuzzing frameworks.

• The audience is increasing day by day
• Shift from Offensive to Defensive mode
• Commercialization of Fuzzing frameworks expected

Page 33:

References:

• http://grey-corner.blogspot.com – Steve Bradshaw’s blog
• http://Corelan.be – for theoretical aspects of exploit writing
• Fuzzing – Brute Force Vulnerability Discovery, by Michael Sutton

Page 34:

Thank You! Visit my blog at: http://www.epsilonlambda.wordpress.com