Offensive Software Exploitation: Ali Hadi


Offensive Software Exploitation
SEC-300-01/CSI-301-02

Ali Hadi
@binaryz0ne
Fuzzing

what gibberish data can your application handle?


Fuzzing
• Original research name “Boundary Value Analysis”
• “An automated method for discovering faults in software by
providing unexpected input and monitoring for
exceptions.” – Fuzzing

• Also said:
"Fuzzing is the process of sending intentionally invalid data to a product in the hopes of triggering an error condition or fault. These error conditions can lead to exploitable vulnerabilities."
– HD Moore (MSF Founder)

ashemery.com 3
Please note
• Fuzzing has no rules!
• Not always successful!

Fuzzing History
• Fuzzing is not new
– It’s been named for about 20 years.
• Professor Barton Miller
– Father of Fuzzing
– Developed fuzz testing with his students at the University of
Wisconsin-Madison in 1988/89
– GOAL: improve UNIX applications

• Since 1999 with PROTOS till date, Fuzzing has managed to discover a wide range of security vulnerabilities… (Check Fuzzing 101 for further history information)
Fuzzing Methods
• Sending Random Data
– Least Effective
– Unfortunately, sometimes, code is bad enough for this to work

• Manual Protocol Mutation
– You are the fuzzer
– Time consuming, but can be accurate when you have a hunch
– Web App Pen-Testing
Fuzzing Methods – Cont.
• Mutation or Brute Force Testing
– Starts with a valid sample
– Fuzz each and every byte in the sample

• Automatic Protocol Generation Testing
– Person needs to understand the protocol
– Code is written to describe the protocol (a “grammar”)
– Fuzzer then knows which piece to fuzz, and which to leave alone (SPIKE)
What Data can be Fuzzed?
• Virtually anything!
• Basic types: bit, byte, word, dword, qword
• Common language specific types: strings, structs, arrays
• High level data representations: text, xml

Where can Data be Fuzzed?
Across any security boundary, e.g.:
• An RPC interface on a remote/local machine
• HTTP responses & HTML content served to a browser
• Any file format, e.g. Office document
• Data in a shared section
• Parameters to a system call between user and kernel mode
• HTTP requests sent to a web server
• File system metadata
• ActiveX methods
• Arguments to SUID binaries

What Does Fuzzed Data Consist Of?
• Fuzzing at the type level:
– Long strings, strings containing special characters, format strings
– Boundary case byte, word, dword, qword values
– Random fuzzing of data buffers
• Fuzzing at the sequence level
– Fuzzing types within sequences
– Nesting sequences a large number of times
– Adding and removing sequences
– Random combinations
• Always record the random seed!!
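The type-level cases listed above, together with the mutation/brute-force method from the earlier slide, as an added Python example that is not part of the lecture: boundary values for each integer width, a set of long/special/format strings, an exhaustive "fuzz every byte" walk over a valid sample, and a seeded random mutator whose seed is recorded so that any case can be regenerated. All function names and the sample input are this example's own constructions.

```python
"""Added example (not from the slides): type-level fuzz data plus seeded mutation.
Everything here is constructed for illustration; the names are the example's own."""
import random
import struct


def boundary_values(bits):
    """Boundary-case values for an unsigned integer of the given width:
    zero, one, both sides of the sign bit, and the top of the range."""
    maxv = (1 << bits) - 1
    half = 1 << (bits - 1)
    return sorted({0, 1, half - 1, half, half + 1, maxv - 1, maxv})


def pack_boundaries(bits, endian="<"):
    """The same values serialised as a byte/word/dword/qword binary field."""
    fmt = {8: "B", 16: "H", 32: "I", 64: "Q"}[bits]
    return [struct.pack(endian + fmt, v) for v in boundary_values(bits)]


def string_cases(max_len=4096):
    """Long strings, special characters and format strings."""
    cases = [b"A" * n for n in (64, 256, 1024, max_len)]
    cases += [b"%s" * 16, b"%n" * 8, b"%x" * 32]
    cases += [b"\x00", b"\xff" * 16, b"'\";<>|&$`\\", b"\r\n" * 8]
    return cases


def walk_sample(sample, values=None):
    """Brute-force mutation: starting from a valid sample, replace each and
    every byte position with each boundary value in turn (deterministic)."""
    values = boundary_values(8) if values is None else values
    out = []
    for i in range(len(sample)):
        for v in values:
            buf = bytearray(sample)
            buf[i] = v
            out.append(bytes(buf))
    return out


def mutate_sample(sample, seed, count=8, max_edits=4):
    """Random mutation with a recorded seed: the same (sample, seed) pair
    always yields the same cases, so any crash can be regenerated."""
    rng = random.Random(seed)
    cases = []
    for _ in range(count):
        buf = bytearray(sample)
        for _ in range(rng.randint(1, max_edits)):
            i = rng.randrange(len(buf))
            kind = rng.randrange(3)
            if kind == 0:
                buf[i] = rng.randrange(256)                   # random byte
            elif kind == 1:
                buf[i] = rng.choice(boundary_values(8))       # boundary byte
            else:
                buf[i:i + 1] = b"A" * rng.choice((16, 256))   # inflate a field
        cases.append(bytes(buf))
    return cases


if __name__ == "__main__":
    SAMPLE = b"USER devel_user\r\n"   # constructed valid sample
    SEED = 1337                       # always record this with the run
    for case in mutate_sample(SAMPLE, SEED, count=3):
        print(SEED, case)
```

The seed printed next to each case is the point of the last bullet: a crash found on case N of a run can only be reproduced if the seed that produced case N was logged with it.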

When to Fuzz?
Fuzzing typically finds implementation flaws, e.g.:
• Memory corruption in native code
– Stack and heap buffer overflows
– Un-validated pointer arithmetic (attacker controlled offset)
– Integer overflows
– Resource exhaustion (disk, CPU, memory)
• Unhandled exceptions in managed code
– Format exceptions (e.g. parsing unexpected types)
– Memory exceptions
– Null reference exceptions

When to Fuzz? – Cont.
• Injection in web applications
– SQL injection against backend database
– LDAP injection
– HTML injection (Cross-site scripting)
– Code injection

Two Approaches
Dumb (mutational) Fuzzing
• Fuzzer lacks contextual information about data it is manipulating
• May produce totally invalid test cases
• Up and running fast
• Find simple issues in poor quality code

Smart (generational) Fuzzing
• Fuzzer is context-aware
– Can handle relations between entities, e.g. block header lengths, CRCs
• Produces partially well-formed test cases
• Time consuming to create
– What if protocol is proprietary?
• Can find complex issues

Two Approaches – Cont.
• Which approach is better?
• Depends on:
– Time: how long to develop and run fuzzer
– [Security] Code quality of target
– Amount of validation performed by target
• Can patch out CRC check to allow dumb fuzzing
– Complexity of relations between entities in data format
• Don’t rule out either!
– My personal approach: get a dumb fuzzer working first
– Run it while you work on a smart fuzzer

?
• How can we monitor the target?
• What to monitor?

Determining Exploitability
• This process requires experience in debugging security issues, but some steps can be taken to gain a good idea of how exploitable an issue is...
• Look for any cases where data is written to a controllable address – this is key to controlling code execution, and the majority of such conditions will be exploitable
• Verify whether any registers have been overwritten; if they do not contain part of the data sent from the fuzzer, step back in the disassembly to try and find where the data came from

Determining Exploitability – Cont.
• If the register data is controllable, point the register which
caused the crash to a page of memory which is empty, fill that
page with data (e.g., ‘aaaaa...’)
• Repeat and step through each operation, until another crash
occurs, reviewing all branch conditions which are controlled
by data at the location of the (modified) register to ensure
that they are executed

Determining Exploitability Notes
• Are saved return address/stack variables overwritten?
• Is the crash in a heap management function?
• Are the processor registers derived from data sent by the
fuzzer (e.g. 0x61616161)?
• Is the crash triggered by a read operation?
• Can we craft a test case to avoid this?
• Is the crash triggered by a write operation?
• Do we have full or partial control of the faulting address?
• Do we have full or partial control of the written value?
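The checklist above turned into a first-pass triage routine, as an added Python example that is not part of the lecture. It answers the "are the registers derived from fuzzer data?" question by searching the fuzz input for the register's bytes (the slide's 0x61616161 case), then ranks the crash using the slide's own criteria: a write to a controllable address is treated as exploitable, a read fault on controlled data is flagged for a test case that avoids the read. The crash record layout, the field names and the fuzz input are constructed for this example; in practice they would be filled from the debugger attached to the target.

```python
"""Added example (not from the slides): first-pass crash triage for the
exploitability checklist. The crash record format is this example's own."""
import struct

# Constructed fuzz input: every 4-byte window is unique, so a register value
# can be traced back to exactly one offset.
FUZZ_INPUT = bytes(range(256))


def controlled_offset(value, fuzz_input, width=4):
    """Offset in the fuzz input whose bytes landed in a register or fault
    address, or None. Both byte orders are tried."""
    fmt = {4: "I", 8: "Q"}[width]
    for endian in ("<", ">"):
        idx = fuzz_input.find(struct.pack(endian + fmt, value))
        if idx >= 0:
            return idx
    return None


def triage(crash, fuzz_input):
    """Walk the slide's questions and return (verdict, findings).
    crash: {"op": "read"|"write", "fault_addr": int, "regs": {name: int},
            "ret_addr_overwritten": bool, "in_heap_mgmt": bool}"""
    controlled = {}
    for name, val in crash["regs"].items():
        off = controlled_offset(val, fuzz_input)
        if off is not None:
            controlled[name] = off
    addr_off = controlled_offset(crash["fault_addr"], fuzz_input)
    findings = {"controlled_regs": controlled,
                "fault_addr_offset": addr_off,
                "op": crash["op"]}
    if crash["op"] == "write" and addr_off is not None:
        verdict = "write to a controllable address: treat as exploitable"
    elif crash.get("ret_addr_overwritten"):
        verdict = "saved return address overwritten: treat as exploitable"
    elif crash.get("in_heap_mgmt"):
        verdict = "crash inside heap management: heap metadata corrupted, investigate"
    elif crash["op"] == "read" and controlled:
        verdict = "read fault on controlled data: craft a case that avoids the read"
    elif controlled:
        verdict = "register controlled: step back in the disassembly to its source"
    else:
        verdict = "no fuzzer data in registers: likely a crash without control"
    return verdict, findings


if __name__ == "__main__":
    # Constructed crash record: eax and the faulting address both hold
    # bytes 0x20..0x23 of the fuzz input (little-endian 0x23222120).
    crash = {"op": "write", "fault_addr": 0x23222120,
             "regs": {"eax": 0x23222120, "ebx": 0xdeadbeef},
             "ret_addr_overwritten": False, "in_heap_mgmt": False}
    print(triage(crash, FUZZ_INPUT))
```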

Fuzzer Classifications

Fuzzer Types
• Local Fuzzers
– Command Line Fuzzers
– File Format Fuzzers
– Environment Var. Fuzzers
• Remote Fuzzers
– Network Protocol Fuzzers
• Simple Protocol
• Complex Protocol
– Web App. Fuzzers
– Web Browser Fuzzers
• In-Memory Fuzzers

Types of Fuzzers
• Local Fuzzers
– Lets you fuzz applications on the command line
• To what end?
– Make sure the target has some value (setuid)
• Environment Variable Fuzzers
• Because:

#include <stdlib.h>   /* getenv */
#include <string.h>   /* strcpy */
int main (int argc, char **argv)
{
    char buffer[10];
    /* no length check: a HOME value longer than 9 bytes overflows the stack buffer */
    strcpy(buffer, getenv("HOME"));
    return 0;
}

Types of Fuzzers – Cont.
• File Format Fuzzers
– Fuzz valid files
– Pass them to an executable
• Remote Fuzzers (might make you famous)
– Listen for network connections
– When a client connects, fuzz it!

Types of Fuzzers – Cont.
• Network Protocol Fuzzers
– The Fuzzer is the client
– Need to understand the protocol
– Simple Protocols
• Text Based: Telnet, FTP, POP, HTTP
– Complex Protocols
• Binary Data (some ASCII)
• Complex authentication, encryption, etc

Types of Fuzzers – Cont.
• Other types of fuzzers:
– Web Application and Server Fuzzing
– Web Browser Fuzzing
– In-Memory Fuzzing

Common Fuzzers
• Publicly available fuzzing frameworks:
– Spike, Peach Fuzz, Sulley, Schemer, etc
• Publicly available fuzzing applications
– Fuzz, FileFuzz, iFuzz, WebFuzz, JBroFuzz, WebScarab,
– BurpSuite (includes a fuzzer), notSPIKEFile, SPIKEProxy, ProtoFuzz
– SMUDGE, mangleme, FileP, FileH, MalyBuzz,
– Dfuz, AxMan, bugger, fuzzdb
– And the list goes on and on …

The Fuzzing Process
• Identify Targets
• Identify Inputs
• Generate Fuzzed Data
• Execute Fuzzed Data
• Monitor for Exceptions
• Determine Exploitability

The Fuzzing Process
• Determine Exploitability – Remotely
– You need to know what data you sent
• Record all fuzzed strings, making note of exceptions
• Network Captures (Wireshark)
– Try and reproduce the scenario
– Is it a memory corruption bug?
– Is it an application logic flaw?
• Determine Exploitability – Locally
– Attach a debugger

Protocol Fuzzing
• Find as much data as you can about the target application
– Google is your friend
– Maybe someone has fuzzed it
– Maybe it uses some standard protocol

• What is the transport layer?
– TCP or UDP?
• Affects anomaly detection

• What type of protocol (simple or complex)?

Protocol Fuzzing – Cont.
• Do we need to authenticate?
– What authentication protocol?
• Scoping your assessment
– You may only care about pre-auth

• Reversing the Protocol
– Generate Traffic and Sniff
– Use wireshark (check for plug-ins!)
– Google

• Once you understand how to communicate with a service, you can send packets to it
Why ???
• Writing a network protocol fuzzer means eventually you’ll be re-inventing the wheel!!!

• Why do that when you can use:

SPIKE

SPIKE
• SPIKE fuzzer released in 2002
– Written by Dave Aitel (Immunity Inc.)
• SPIKE is a genius
• SPIKE is a fuzzing framework/API
• Ability to describe data
• Built in libraries for known protocols (*RPC)
• Fuzz strings designed to make software fail

SPIKE – Cont.
• Simple Text Based Protocol Fuzzing
• Accepts a “script” of SPIKE commands
• Example: ./generic_send_tcp <IP> <PORT> script.spk 0 0
(the last two arguments, SKIPVAR and SKIPSTR, are the variable and fuzz-string indices to resume from; 0 0 starts from the beginning)
s_readline();
s_string_variable("USER");
s_string(" ");
s_string_variable("devel_user");
s_string(" ");
s_string_variable("PASS");
s_string(" ");
s_string_variable("secretpassword");
s_string("\r\n");
SPIKE’s Real Value
• Complex Protocols have length fields and data fields
• Tracking length fields while Fuzzing data is complicated
• SPIKE does this for you
• Block Based Protocol Representation

What is a SPIKE?
• “A SPIKE is a simple list of structures which contain block size
information and a queue of bytes.”

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_block_end("somepacketdata");

What is a SPIKE? – Cont.
Walking through the four lines above, one at a time:

s_block_size_binary_bigendian_word("somepacketdata");
• Push 4 NULLs onto BYTE queue (size place holder)
• Then a new BLOCK listener is allocated named “somepacketdata”

s_block_start("somepacketdata");
• Script starts searching the block listeners for one named “somepacketdata”
• Block “start” pointers are updated to reflect the block's position in the queue

s_binary("01020304");
• 4 bytes of data are pushed onto the queue

s_block_end("somepacketdata");
• The block is ended, and the sizes are finalized
• The original 4 null bytes are updated with the appropriate size value

Block listeners once a second block has been declared:

               Block 2           Block 1
Name:          morepacketdata    somepacketdata
Size field:    Big Endian word   Big Endian word
Start Pointer: 1008              1000

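The queue and block-listener mechanics of the slides above, re-implemented as an added Python example; SPIKE itself is Dave Aitel's C framework and this is not its code. The method names deliberately mirror the SPIKE calls used on the slides, and the behaviour follows the slide text: a size word pushes 4 NUL placeholder bytes and registers a listener, block start records the queue position, block end patches every placeholder that refers to the block with its final length. The second function builds the two nested blocks from the diagram with a fuzzable string inside, which is the "SPIKE tracks the length fields for you" point: the payload can grow or shrink and both size words stay correct. Class and function names and the test payloads are this example's own.

```python
"""Added example (not from the slides): block-based protocol representation
in the style of SPIKE. Constructed re-implementation, not SPIKE's own code."""
import struct


class Spike:
    def __init__(self):
        self.queue = bytearray()   # the byte queue
        self.listeners = {}        # block name -> {"size_offsets": [...], "start": int}

    def _listener(self, name):
        return self.listeners.setdefault(name, {"size_offsets": [], "start": None})

    def s_block_size_binary_bigendian_word(self, name):
        """Push 4 NUL placeholder bytes and remember where they sit."""
        self._listener(name)["size_offsets"].append(len(self.queue))
        self.queue += b"\x00\x00\x00\x00"

    def s_block_start(self, name):
        """Point the block's start pointer at the current queue position."""
        self._listener(name)["start"] = len(self.queue)

    def s_binary(self, hexstr):
        self.queue += bytes.fromhex(hexstr)

    def s_string(self, s):
        self.queue += s.encode()

    def s_block_end(self, name):
        """Finalize: write the block length (big-endian word) into every
        placeholder that refers to this block."""
        lst = self.listeners[name]
        size = len(self.queue) - lst["start"]
        for off in lst["size_offsets"]:
            self.queue[off:off + 4] = struct.pack(">I", size)

    def bytes(self):
        return bytes(self.queue)


def slide_example():
    """The four-line script from the slides; yields 00000004 01020304."""
    sp = Spike()
    sp.s_block_size_binary_bigendian_word("somepacketdata")
    sp.s_block_start("somepacketdata")
    sp.s_binary("01020304")
    sp.s_block_end("somepacketdata")
    return sp.bytes()


def nested_packet(payload):
    """Two blocks as in the diagram: the outer size covers the inner size
    field plus payload. Returns (bytes, listeners) so start pointers and
    size offsets can be inspected."""
    sp = Spike()
    sp.s_block_size_binary_bigendian_word("morepacketdata")
    sp.s_block_start("morepacketdata")
    sp.s_block_size_binary_bigendian_word("somepacketdata")
    sp.s_block_start("somepacketdata")
    sp.s_string(payload)                 # the field a fuzzer would vary
    sp.s_block_end("somepacketdata")
    sp.s_block_end("morepacketdata")
    return sp.bytes(), sp.listeners


if __name__ == "__main__":
    print(slide_example().hex())
    for p in ("hello", "A" * 300):       # constructed payloads of different length
        pkt, listeners = nested_packet(p)
        print(len(p), pkt[:8].hex(), {k: v["start"] for k, v in listeners.items()})
```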
Existing Challenges
• How to measure effectiveness of a fuzzer?
– Number of test cases?
– Number of bugs?
– Severity of bugs?
– % Code coverage?
• How many test cases to run?
– How to balance complexity vs. time constraints?

SUMMARY
• Explained what we mean by Fuzzing, and Fuzzing History
• Also talked about Fuzzing Methods, Types and the Fuzzing Process
• Talked about how to fuzz a protocol, and finally talked about SPIKE

References
• A Bug Hunter’s Diary, Tobias Klein, No Starch Press
• Fuzz Testing, http://en.wikipedia.org/wiki/Fuzz_testing
• Fuzzing: Brute Force Vulnerability Discovery, Michael Sutton, et al., Addison-Wesley
• University of Wisconsin Fuzz Testing (the original fuzz project)
• Fuzzing 101, NYU/Poly.edu, Mike Zusman, http://pentest.cryptocity.net/fuzzing/
• Fuzzing for Security Flaws, John Heasman, Stanford University
• Everyone Has His or Her Own Fuzzer, BEIST (BEISTLAB/GRAYHASH), www.codeengn.com
• An Introduction to SPIKE, the Fuzzer Creation Kit, Dave Aitel, http://www.docstoc.com/docs/2687423/An-Introduction-to-SPIKE-the-Fuzzer-Creation-Kit---PowerPoint
• Common Vulnerabilities and Exposures, http://cve.mitre.org/
• Common Weakness Enumeration, http://cwe.mitre.org/
• Seven Kingdoms of Weaknesses Taxonomy, http://cwe.mitre.org/documents/sources/SevenPerniciousKingdomsTaxonomyGraphic.pdf
• Common Configuration Enumeration, http://cce.mitre.org/
• National Vulnerability Database, http://nvd.nist.gov/home.cfm
• Exploit Database, http://exploit-db.com
• Security-Database ToolsWatch, Fuzzers, http://www.security-database.com/toolswatch/+-Fuzzers-+.html
• zzuf, http://caca.zoy.org/wiki/zzuf
• Radamsa, https://code.google.com/p/ouspg/wiki/Radamsa