HowTo: ExploitDev Fuzzing

6. März 2018

This is a short usage guide which should explain my simple wrapper for the spike fuzzer, which you can find here.

For this example i used the well known vulnserver ūüėČ

0x01 Determine possible commands

A simple nc && HELP command revealing all possible commands.

0x02 Create Text File containing commands

Just Copy&Paste ūüėČ

0x03 Fire Up my First helper and choose your variables for Fuzzing

Just type:

python netStream2spike.py -f [yourCommandFile]
After that you will find a fuzz.spk file which contains all your requests in the valid spike syntax. The next step is to choose your variables which should be fuzzed. Just alter s_string(„Var1“); into s_string_variable(„Var“);

You can also fuzz http services. For this purpose you can capture the request via wireshark, follow the tcp stream and copy it into yourCommandFile. After executing my script just delete all lines containing //New requestLine: except the first one.

original code altered code

0x04 Let’s break Things!

Time to Fuzz!

fuzzing.py -f fuzz.spk -p 9999 $ip

This wrapper will create single spike config files for each request from your fuzz.spk template. You can also submit another file which contains an auth request (for example: user user \n pass pass)
At the next stage it will fuzz through all config files and you only have to wait for your crash;-)

0x05 Find the Crashing Variable

You can choose several ways to find the right config file.

Ctrl + C last_spk file in your pwd

0x06 Retest the crash with the config file and start your exploitDev

Start your spike fuzzer manually and check the config while for the crash. After that you can proceed to develop your evil && fancy exploit (another tutorial for this will follow, at first you can look at this example ūüėČ

I hope this small wrapper will help you and maybe you follow me on Github or Twitter ūüėČ

√Ąhnliche Beitr√§ge

After gaining my OSCP in June i decided to go deeper into exploitDev and shellcoding. And here we are, this [...]

9. Oktober 2017

Welcome back to my second post for the SLAE certification. Today we are going to build a reverse_shell shellcode and [...]

9. Oktober 2017

Ready for the next level? – Method to exploit software even with small space for shellcode: EggHunting The third task [...]

9. Oktober 2017

Hey ho, it’s time for some low-level shellcode encoding. After going through the encoder examples of the SLAE material i [...]

9. Oktober 2017