Practice: from fuzzing to 0day discovery

Environment and tools

Windows 7 32-bit Enterprise
Peach Fuzzer
WinDbg
SocketSniff
Easy File Sharing Web Server 6.8

Practice

Once the server is installed, open its web page in a browser, start SocketSniff listening on the browser process, and log in as guest.

We then capture the login request (Wireshark would do the job just as well):

GET /vfolder.ghp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://192.168.52.143/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 192.168.52.143
If-Modified-Since: Thu, 01 Mar 2018 08:00:13 GMT; length=15959
DNT: 1
Connection: Keep-Alive
Cookie: SESSIONID=17936; UserID=; PassWD=

Following the original author, we fuzz the last line, the Cookie header, and specifically the two values the server parses from it, UserID and PassWD.

Next we write a Peach Pit based on the request above; it is just a descriptive XML file. Every String marked mutable="false" token="true" is sent verbatim, so only the two empty String elements (the UserID and PassWD values) are mutated:

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://peachfuzzer.com/2012/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://peachfuzzer.com/2012/Peach ../peach.xsd">

  <!-- the captured GET /vfolder.ghp request; only the two empty String elements are mutated -->
  <DataModel name="DataVfolder">
    <String value="GET /vfolder.ghp" mutable="false" token="true"/>
    <String value=" HTTP/1.1" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="User-Agent: " mutable="false" token="true"/>
    <String value="Mozilla/4.0" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Host: 192.168.52.143" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Accept: " mutable="false" token="true"/>
    <String value="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Accept-Language: " mutable="false" token="true"/>
    <String value="en-us" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Accept-Encoding: " mutable="false" token="true"/>
    <String value="gzip, deflate" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Referer: " mutable="false" token="true"/>
    <String value="http://192.168.52.143/" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Cookie: " mutable="false" token="true"/>
    <String value="SESSIONID=17936; " mutable="false" token="true"/>

    <!-- fuzz UserID -->
    <String value="UserID=" mutable="false" token="true"/>
    <String value="" />
    <String value="; " mutable="false" token="true"/>

    <!-- fuzz PassWD -->
    <String value="PassWD=" mutable="false" token="true"/>
    <String value="" />
    <String value="; " mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <String value="Connection: " mutable="false" token="true"/>
    <String value="Keep-Alive" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
  </DataModel>

  <DataModel name="DataResponse">
    <!-- server reply, we don't care -->
    <String value="" />
  </DataModel>

  <!-- one state: send the request, read whatever comes back -->
  <StateModel name="StateVfolder" initialState="Initial">
    <State name="Initial">
      <Action type="output">
        <DataModel ref="DataVfolder"/>
      </Action>
      <Action type="input">
        <DataModel ref="DataResponse"/>
      </Action>
    </State>
  </StateModel>

  <!-- Peach starts fsws.exe under WinDbg so every crash is caught and logged -->
  <Agent name="LocalAgent">
    <Monitor class="WindowsDebugger">
      <Param name="CommandLine" value="C:\EFS Software\Easy File Sharing Web Server\fsws.exe"/>
      <Param name="WinDbgPath" value="C:\WinDDK\7600.16385.1\Debuggers" />
    </Monitor>

    <!-- close the popup window asking us to buy the software before running tests -->
    <Monitor class="PopupWatcher">
      <Param name="WindowNames" value="Registration - unregistered"/>
    </Monitor>
  </Agent>

  <Test name="TestVfolder">
    <Agent ref="LocalAgent"/>
    <StateModel ref="StateVfolder"/>
    <Publisher class="TcpClient">
      <Param name="Host" value="192.168.52.143"/>
      <Param name="Port" value="80"/>
    </Publisher>

    <Logger class="File">
      <!-- save crash information in the Logs directory -->
      <Param name="Path" value="efswLogs"/>
    </Logger>

    <!-- use a finite number of test cases that test UserID first, followed by PassWD -->
    <Strategy class="Sequential" />

  </Test>
</Peach>

Then start the fuzzing run with the command below (TestVfolder must match the name of the Test element). Note that the -DHOST and -DPORT defines are accepted by Peach but have no effect on this Pit, because the host and port are hardcoded in it; they only take effect if the Pit refers to them as ##HOST## and ##PORT##.

Peach.exe -DHOST=192.168.52.143 -DPORT=80 ./remotefuzz/efs_fuzz.xml TestVfolder

The software is flimsy: within a few seconds Peach has already logged several crashes.

Open the raw payload saved for one of the crashes and it is recognisable at a glance as a buffer overflow: one of the cookie values has been replaced by a long run of filler. Confirm it against the WinDbg output the WindowsDebugger monitor writes alongside the payload before treating it as exploitable.
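To make the three steps above concrete in one place, here is an added example (not code from this post or from the techorganic write-up it follows): a small Python re-implementation of what the Pit does, from serialising the DataModel to bytes, through the Sequential strategy over UserID then PassWD, to a crude crash check and a triage helper for a logged payload. It assumes the host, port and cookie field names from the captured request; the mutation list is a constructed subset of Peach's string mutators, and only a direct run of the script touches the network.

```python
# Added example, not the original post's or Peach's own code: a minimal
# re-implementation of the Pit above. Host/port and field names come from
# the captured request; the mutation list is a constructed subset of
# Peach's string mutators; only running the file directly hits the network.
import socket
from typing import Callable, Iterator, Optional, Tuple

HOST = "192.168.52.143"   # from the captured request
PORT = 80


def build_request(user_id: bytes, passwd: bytes, host: str = HOST) -> bytes:
    """Serialise one case: the fixed strings are the token="true",
    mutable="false" elements of DataVfolder, the two arguments are the
    empty <String value=""/> elements Peach mutates."""
    h = host.encode()
    return (
        b"GET /vfolder.ghp HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\n"
        b"Host: " + h + b"\r\n"
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        b"Accept-Language: en-us\r\n"
        b"Accept-Encoding: gzip, deflate\r\n"
        b"Referer: http://" + h + b"/\r\n"
        b"Cookie: SESSIONID=17936; UserID=" + user_id + b"; PassWD=" + passwd + b"; \r\n"
        b"Connection: Keep-Alive\r\n"
        b"\r\n"
    )


def mutations() -> Iterator[bytes]:
    """Constructed subset of Peach's string mutators: a length ladder,
    format specifiers, NULs and high bytes, a few metacharacters."""
    for n in (16, 64, 256, 1024, 2048, 4096, 8192):
        yield b"A" * n
    yield b"%s%s%s%s%n"
    yield b"\x00" * 64
    yield b"\xff" * 1024
    yield b"'\"<>;"


def test_cases() -> Iterator[Tuple[str, bytes]]:
    """Sequential strategy as in the Pit: every mutation of UserID first,
    then every mutation of PassWD, the other field left empty."""
    for m in mutations():
        yield "UserID", build_request(m, b"")
    for m in mutations():
        yield "PassWD", build_request(b"", m)


def send_case(req: bytes, host: str = HOST, port: int = PORT,
              timeout: float = 3.0) -> Optional[bytes]:
    """Send one case on a fresh TCP connection, like the TcpClient publisher.
    Returns the reply, b"" on read timeout, None if the connect failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            try:
                return s.recv(4096)
            except socket.timeout:
                return b""
    except OSError:
        return None


def alive(host: str = HOST, port: int = PORT, timeout: float = 2.0) -> bool:
    """Poor man's monitor: Peach attaches WinDbg to fsws.exe; without a
    debugger all we can observe is that the listener has gone away."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_crash(send: Callable[..., Optional[bytes]] = send_case,
               probe: Callable[..., bool] = alive,
               host: str = HOST, port: int = PORT) -> Optional[Tuple[int, str, bytes]]:
    """Run the cases in order and stop at the first one after which the
    server no longer accepts connections. Returns (case_no, field, request),
    or None if the target survived. send/probe are injectable so the
    strategy can be exercised without a live target."""
    for i, (field, req) in enumerate(test_cases()):
        send(req, host, port)
        if not probe(host, port):
            return i, field, req
    return None


def triage(req: bytes) -> Tuple[str, int]:
    """Given a raw payload from the Peach log, report the cookie field with
    the longest value and its length: kilobytes in one field is the
    at-a-glance sign of a length-driven overflow, to be confirmed against
    the WinDbg output the WindowsDebugger monitor saved next to it."""
    head = req.split(b"\r\n\r\n", 1)[0]
    best: Tuple[str, int] = ("", 0)
    for line in head.split(b"\r\n"):
        if not line.lower().startswith(b"cookie:"):
            continue
        for part in line.split(b":", 1)[1].split(b";"):
            if b"=" not in part:
                continue
            name, value = part.strip().split(b"=", 1)
            if len(value) > best[1]:
                best = (name.decode(errors="replace"), len(value))
    return best


if __name__ == "__main__":
    hit = find_crash()
    if hit is None:
        print("target survived all cases")
    else:
        print("case %d (%s) killed the server; longest cookie value: %r"
              % (hit[0], hit[1], triage(hit[2])))
```

The connection probe is deliberately weaker than the Pit's WindowsDebugger monitor: it tells you the process died, not where, so the WinDbg output in the efswLogs directory remains the thing to read for the faulting instruction and register state.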

Reference

https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/
