Spiking

Finding vuln parts

For example we have a program and we are looking to find some bugs or vulnerabilities in it. We need to interact with the program to notice errors or troubles.

So, in this example we are dealing with vulserver.exe (quick search and you found it), this is running on the 9999 port, so to interact with it, let's establish a connection:

nc 192.168.100.9 9999

And then, we receive an option to show HELP panel:

Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

We have a bunch of options to test and find vulnerable scopes, the idea is:

  • Take STATS and interact with it, send a lot of characters trying to broke it.

There are several ways to do this, let's list one of them:

SPIKE (generic_send_tcp)

With this tool we send a bunch of strings with symbols, numbers, characters, etc. This to find a possible bug with specific types of chars or length:

generic_send_tcp host port spike_script SKIPVAR SKIPSTR 
# generic_send_tcp 192.168.1.100 701 something.spk 0 0

We use an SPIKE file to set what we want to do in order to interact with vuln program and its functions.

To interact with STATS inside of .spk file we have:

s_readline();
s_string("STATS ");
s_string_variable("esteESelINDICADORdeDONDEdebeFUZZEARperoLITERALpuedeIResteTEXTO");

This will send a lot of requests with different size as payload, until (if we found it) something break.

generic_send_tcp 192.168.100.9 9999 spike_vulnserver.spk 0 0
...
Fuzzing Variable 0:906
Fuzzing Variable 0:907
line read=Welcome to Vulnerable Server! Enter HELP for help.
Fuzzing Variable 0:908
...

But if we doesn't found a vulnerable point, what we need to do? THAT'S IT! Move to the next option, in this case RTIME.

In this case when we use TRUN option, with Immunity we found a "Access Violation" when we hit the EIP register and fill it with 41414141 (AAAA) garbage content.

Immunity also show to us the payload executed to cause the crash:

We know the exact payload to crash the program:

TRUN /.:/AAAAAAAAAAAAAAbutHOWmanyAs?

NICE! Now we know that this program is exploitable :P

But, now we need to know... How many A we need?

Time of Fuzzing part.

PreviousIntroduction (Steps)NextFuzzing

Last updated