search

Spiking

hashtag
Finding vuln parts

For example we have a program and we are looking to find some bugs or vulnerabilities in it. We need to interact with the program to notice errors or troubles.

So, in this example we are dealing with vulserver.exe (quick search and you found it), this is running on the 9999 port, so to interact with it, let's establish a connection:

nc 192.168.100.9 9999

And then, we receive an option to show HELP panel:

Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

We have a bunch of options to test and find vulnerable scopes, the idea is:

  • Take STATS and interact with it, send a lot of characters trying to broke it.

There are several ways to do this, let's list one of them:

hashtag
SPIKE (generic_send_tcp)

With this tool we send a bunch of strings with symbols, numbers, characters, etc. This to find a possible bug with specific types of chars or length:

We use an SPIKE file to set what we want to do in order to interact with vuln program and its functions.

To interact with STATS inside of .spk file we have:

This will send a lot of requests with different size as payload, until (if we found it) something break.

But if we doesn't found a vulnerable point, what we need to do? THAT'S IT! Move to the next option, in this case RTIME.

In this case when we use TRUN option, with Immunity we found a "Access Violation" when we hit the EIP register and fill it with 41414141 (AAAA) garbage content.

Immunity also show to us the payload executed to cause the crash:

TRUN /.:/AAAAAAAAAAAAA FIREEEE

We know the exact payload to crash the program:

NICE! Now we know that this program is exploitable :P

But, now we need to know... How many A we need?

Time of Fuzzing part.

PreviousIntroductionNextFuzzing

Last updated