TRANSCRIPT
3ps!L0nLaMbDa a.k.a Karthik Ranganath
Who am I?
• Certified Ethical Hacker, CEH v6
• Writer at searchsecurity.IN
• QA engineer at McAfee India R&D*
• Owner of 3ps!L0nLaMbDa blog
*On campus placement offered
Agenda
What is Fuzzing and Who should do it?
What are the various stages when Fuzzing a target?
Having a practical approach from the theory…
Different tools used in the process…
The future of Fuzzing…
Background
What are the entities that can be Fuzzed?
Phases
Classes
Automation
Tools and Demos
Future
Vulnerability Discovery Methodologies – White Box
• Source code review
• Static analysis
• Pros
  • Coverage
• Cons
  • Various dependencies
  • Implementation scenarios
  • Compiler issues
Also known as glass box, clear box and open box testing
Vulnerability Discovery Methodologies – Black Box
A software testing methodology where the internal workings of the software are not known to the tester.
• Reverse Engineering
• Static analysis
• Pros
  • Complex vulnerabilities uncovered
• Cons
  • Deep knowledge required
  • Time consuming
Vulnerability Discovery Methodologies – Black Box
• Fuzzing
• Dynamic analysis
• Pros
  • Relatively simple
  • Realistic
• Cons
  • Complex vulnerabilities missed
  • Coverage
What is Fuzzing?
A software testing technique based on feeding random data (“Fuzz”) to the input of the target program.
• A failure in the program points to vulnerabilities that need correction.
• Extremely simple test design
• As the saying goes, “Unexpected input causes unexpected results”
Fuzzing… Who should Fuzz?
• Security Researchers
  • Reactive Fuzzing
• QA Teams and Developers
  • Proactive Fuzzing
• A few examples:
  • CCM Player BOF vulnerability
  • Windows RPC DCOM vulnerability
  • And lots more…
Phases of Fuzzing
The various phases involved in the process are described here:
• Identify Targets
• Identify Inputs
• Generate Fuzzed Data
• Execute Fuzzed Data
• Monitor for Exceptions
• Determine Exploitability
Automation – ‘Intelligent’ Fuzzing
This section covers various tools for automating the ‘Intelligent’ Fuzzing process over network protocols…
• Approach
  • Templates are developed based on the protocol definitions
• Tools used in this approach
  • SPIKE
  • SPIKE comes bundled in the BackTrack Linux Security Distro.
Vulnserver
A vulnerable application developed by Steven Bradshaw that helps us understand the process of Fuzzing better.
The target listens for connections on port 9999 by default.
There is a list of various COMMANDS within vulnserver.
Running fuzz tools on each of the inputs should give interesting results.
Let’s start with the first command, STATS, and launch the SPIKE fuzzer on the BackTrack machine.
The SPIKE fuzzer is generally used for network-based fuzzing.
SPIKE script for generating Fuzzed data:
Let’s save the file as STATS.spk.
Let’s use generic_send_tcp to send TCP packets to the target and analyze the target’s behavior.
In BackTrack, /pentest/fuzzers/spike/src contains the generic_send_tcp module of SPIKE.
On sending the packets, we see no failure in the program.
This probably means this function is not susceptible to overflows, so we move on to another function.
Let’s try the same process for the TRUN command.
We generate the fuzzed data using the SPIKE fuzzer, replacing STATS with TRUN in the previous SPIKE script and leaving the rest the same.
Let’s examine the behavior of the program.
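The STATS and TRUN runs above are the generate, execute and monitor phases of the process. The Python below is an added example (not from the slides, SPIKE or vulnserver) that replays those phases against a constructed local stand-in for vulnserver: the mock's banner and replies, CRASH_LEN and the ephemeral port are invented here, and the crash monitor simply checks whether the target still answers after each case.

```python
import socket
import threading

# Constructed stand-in for vulnserver (this example's own mock, not Steven
# Bradshaw's program): sends a banner, answers "<CMD> COMPLETE", and mimics a
# crash by dropping the connection when a TRUN argument exceeds an invented limit.
CRASH_LEN = 2000

def recv_line(sock):
    """Read until a newline or EOF (the mock's banner and replies are one line)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(65535)
        if not chunk:
            break
        buf += chunk
    return buf

def mock_target(srv):
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return                      # listening socket closed
        with conn:
            conn.sendall(b"Welcome to Vulnerable Server! Enter HELP for help.\n")
            cmd, _, arg = recv_line(conn).strip().partition(b" ")
            if cmd == b"TRUN" and len(arg) > CRASH_LEN:
                continue                # "process died": no reply, socket closed
            conn.sendall(cmd + b" COMPLETE\n")

def start_mock_target():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port instead of vulnserver's 9999
    srv.listen(5)
    threading.Thread(target=mock_target, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]

def probe(port, command, length):
    """Execute one fuzz case; True if the target answered, False if it went away."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        recv_line(s)                    # consume the banner, like s_readline() in SPIKE
        s.sendall(command + b" " + b"A" * length + b"\r\n")
        try:
            return bool(s.recv(1024))   # b"" means the peer closed on us
        except (ConnectionResetError, socket.timeout):
            return False

def fuzz_command(port, command, max_len=5000, step=200):
    """Monitor for exceptions: first argument length at which the target stops answering, else None."""
    for length in range(step, max_len + 1, step):
        if not probe(port, command, length):
            return length
    return None
```

With a real target, the same monitor loop would be paired with a debugger attached to the process, since a closed socket only tells you the service stopped answering, not why.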
Next, we analyze the crash in a debugger to help determine its exploitability.
Things to note in this analysis are the EIP (instruction pointer) and the JMP addresses that need to be determined.
Determining JMP instructions can be automated by using the Cygwin shell of the Metasploit framework and running msfpescan on the DLL associated with the target.
We now have the EIP, and we also have the ESP address where the JMP occurs.
We now know that the target is exploitable.
We can proceed to scripting an exploit.
Scripting an Exploit – Perl
This section covers exploit scripting in Perl.
• First, we need to determine the offset of the EIP value recorded in the crash dump.
• Metasploit is a very robust exploit development tool, which comes with a module called pattern_offset to determine this.
• In BackTrack, /pentest/exploits/framework/tools/ contains the pattern_offset module.
• Random unique patterns of a set number of bytes can be created using the pattern_create module under the same location.
Running pattern_create and pattern_offset (screenshots on the slide).
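The two Metasploit tools above generate a cyclic pattern and look an EIP value up in it. As an added example that is not part of the original slides or of Metasploit, the Python below reproduces the same Aa0Aa1… scheme so the offset can be computed offline; a hex EIP value is decoded little-endian, as x86 stores it, before the lookup.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits

def pattern_create(length):
    """Build the non-repeating 3-byte cyclic pattern (Aa0Aa1Aa2...) of the given length."""
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("patterns longer than the 20280-byte cycle are ambiguous")

def pattern_offset(pattern, value):
    """Locate 'value' in the pattern. Accepts either the ASCII characters seen in
    the crash (e.g. 'Aa3A') or the EIP as hex (e.g. '0x41336141'), which is
    unpacked little-endian. Returns -1 when the value is not in the pattern."""
    if value.lower().startswith("0x"):
        value = struct.pack("<I", int(value, 16)).decode("ascii")
    return pattern.find(value)
```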
Scripting an Exploit – Perl
This section covers exploit scripting in Perl.
• We also need to generate shellcode for performing post-exploitation tasks.
• Here, let’s execute the Windows calculator application. The same could be used for malicious purposes, for example launching a Trojan or malware on the target system.
• We shall see the screenshot of the Perl code with encoded shellcode. The shellcode is encoded to strip bad characters from itself.
Scripting an Exploit – Perl
This section covers exploit scripting in Perl.
• Now we start writing the script “exploit.pl” using the information we have accumulated.
• On running the script, we should be able to launch the calculator.
The calculator is launched as soon as the program crashes.
Integrating custom exploits with Metasploit
This section shows how to integrate any exploit into the Metasploit framework.
• Since the Metasploit framework is written entirely in Ruby, we need to convert this Perl exploit into a module scripted in Ruby and then use the Metasploit exploit development framework along with the exploit for efficient exploitation.
• I have saved the same exploit, rewritten in Ruby, in the /windows/misc directory of Metasploit.
• I have also made it possible to use the list of payloads readily available for exploitation under this framework.
Custom vulnserver exploit in use! Remote host to be specified.
Accessing the target remotely with a meterpreter shell!
Future of Fuzzing…
This section throws light on what can be expected in future Fuzzing frameworks.
• The audience is increasing day by day
• Shift from offensive to defensive mode
• Commercialization of Fuzzing frameworks expected
References:
• http://grey-corner.blogspot.com – Steve Bradshaw’s blog
• http://Corelan.be – for the theoretical aspects of exploit writing
• Fuzzing – Brute Force Vulnerability Discovery, by Michael Sutton
Thank You!
Visit my blog at: http://www.epsilonlambda.wordpress.com