windows 7 32 企业版 Peach Fuzzer WinDbg SocketSniff Easy File Sharing Web Server 6.8
安装完就可以打开页面,开启SocketSniff进行监听,跟着以guest模式登录

跟着我们就可以捕捉到请求(其实这个用wireshark也是可以的啦)
GET /vfolder.ghp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://192.168.52.143/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 192.168.52.143
If-Modified-Since: Thu, 01 Mar 2018 08:00:13 GMT; length=15959
DNT: 1
Connection: Keep-Alive
Cookie: SESSIONID=17936; UserID=; PassWD=
我们跟着作者fuzz最后一行——Cookie吧
接下来我们根据上面的请求编写Peach Pit,就是一个描述性的xml文件
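<?xml version="1.0" encoding="utf-8"?>
<!--
  Peach Pit for the captured "GET /vfolder.ghp" request shown above.
  Every String element that carries HTTP framing is mutable="false", so the
  fuzzer leaves the request structure alone; the only mutable elements are the
  two empty values after "UserID=" and "PassWD=" in the Cookie header.
-->
<Peach xmlns="http://peachfuzzer.com/2012/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://peachfuzzer.com/2012/Peach ../peach.xsd">

  <!-- The request to send: one String per token, in wire order. -->
  <DataModel name="DataVfolder">
    <!-- request line -->
    <String value="GET /vfolder.ghp" mutable="false" token="true"/>
    <String value=" HTTP/1.1" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <!-- fixed headers (not mutated) -->
    <String value="User-Agent: " mutable="false" token="true"/>
    <String value="Mozilla/4.0" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <String value="Host: 192.168.52.143" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <String value="Accept: " mutable="false" token="true"/>
    <String value="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <String value="Accept-Language: " mutable="false" token="true"/>
    <String value="en-us" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <String value="Accept-Encoding: " mutable="false" token="true"/>
    <String value="gzip, deflate" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <String value="Referer: " mutable="false" token="true"/>
    <String value="http://192.168.52.143/" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <!-- Cookie header: the two empty values below are the fuzz targets -->
    <String value="Cookie: " mutable="false" token="true"/>
    <String value="SESSIONID=17936; " mutable="false" token="true"/>
    <!-- fuzz UserID -->
    <String value="UserID=" mutable="false" token="true"/>
    <String value="" />
    <String value="; " mutable="false" token="true"/>
    <!-- fuzz PassWD -->
    <String value="PassWD=" mutable="false" token="true"/>
    <String value="" />
    <String value="; " mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>

    <!-- header name spelled "Connection" (the captured pit had "Conection",
         which is not the header the server is expected to parse) -->
    <String value="Connection: " mutable="false" token="true"/>
    <String value="Keep-Alive" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
    <!-- blank line terminating the header block -->
    <String value="\r\n" mutable="false" token="true"/>
  </DataModel>

  <!-- Whatever the server sends back; its content is not inspected. -->
  <DataModel name="DataResponse">
    <String value="" />
  </DataModel>

  <!-- One state: send the request, then read the reply. -->
  <StateModel name="StateVfolder" initialState="Initial">
    <State name="Initial">
      <Action type="output">
        <DataModel ref="DataVfolder"/>
      </Action>
      <Action type="input">
        <DataModel ref="DataResponse"/>
      </Action>
    </State>
  </StateModel>

  <!-- Runs the target under WinDbg so a crash is caught and recorded. -->
  <Agent name="LocalAgent">
    <Monitor class="WindowsDebugger">
      <Param name="CommandLine" value="C:\EFS Software\Easy File Sharing Web Server\fsws.exe"/>
      <Param name="WinDbgPath" value="C:\WinDDK\7600.16385.1\Debuggers" />
    </Monitor>
    <!-- close the popup window asking us to buy the software before running tests -->
    <Monitor class="PopupWatcher">
      <Param name="WindowNames" value="Registration - unregistered"/>
    </Monitor>
  </Agent>

  <Test name="TestVfolder">
    <Agent ref="LocalAgent"/>
    <StateModel ref="StateVfolder"/>
    <!-- Host/Port are hard-coded here; the -DHOST/-DPORT defines on the Peach
         command line are not referenced by this pit (they would have to appear
         as ##HOST##/##PORT## placeholders), so edit these values when the
         target moves. -->
    <Publisher class="TcpClient">
      <Param name="Host" value="192.168.52.143"/>
      <Param name="Port" value="80"/>
    </Publisher>
    <Logger class="File">
      <!-- save crash information in the Logs directory -->
      <Param name="Path" value="efswLogs"/>
    </Logger>
    <!-- use a finite number of test cases that test UserID first, followed by PassWD -->
    <Strategy class="Sequential" />
  </Test>
</Peach>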
</Peach>
之后输入命令就可以开始fuzz了(TestVfolder要跟Test的name一致)
Peach.exe -DHOST=192.168.52.143 -DPORT=80 ./remotefuzz/efs_fuzz.xml TestVfolder
这软件垃圾,过不了几秒就崩几个了

打开原始payload看看,一看就知道是缓冲区溢出了

https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/