Re: [Video] sickfuzz v0.2
My my, you have been a busy beaver, haven't you. I'll have to look into this; I haven't checked out your blog in a while... it's on my to-do list, but with everything going on, well... you know. One thing though, on the topic: what does sickfuzz do that SPIKE can't do? To me it's a fuzzer that you're using Wireshark or tshark (?) to do HTTP fuzzing. I'm going to assume the purpose of this is developing BOFs... but not sure.
Securityxxxpert
Re: [Video] sickfuzz v0.2
Quote:
Originally Posted by
securityxxxpert
My my, you have been a busy beaver, haven't you. I'll have to look into this; I haven't checked out your blog in a while... it's on my to-do list, but with everything going on, well... you know. One thing though, on the topic: what does sickfuzz do that SPIKE can't do? To me it's a fuzzer that you're using Wireshark or tshark (?) to do HTTP fuzzing. I'm going to assume the purpose of this is developing BOFs... but not sure.
Securityxxxpert
Hmmm, well if you check g0tmi1k's post carefully you might notice this:
Quote:
You can read what he's got to say about it here.
Also, you ask what sickfuzz does that SPIKE can't do; if you've ever tried SPIKE you know that it's a fuzzing framework: you have to tell it what to fuzz. sickfuzz also includes custom .spk scripts to use in the fuzzing process.
Re: [Video] sickfuzz v0.2
great work guys :D, really like it, am gonna try
go fw boys
Re: [Video] sickfuzz v0.2
very nice! congrats both of ya (re: sickness & g0tmi1k) - enjoyed the vid and grabbin' sickfuzz now :D
Re: [Video] sickfuzz v0.2
worked great
got a crash on my first try - There goes the rest of my week. :)
Re: [Video] sickfuzz v0.2
Quote:
Originally Posted by
securityxxxpert
My my, you have been a busy beaver, haven't you. I'll have to look into this; I haven't checked out your blog in a while... it's on my to-do list, but with everything going on, well... you know. One thing though, on the topic: what does sickfuzz do that SPIKE can't do? To me it's a fuzzer that you're using Wireshark or tshark (?) to do HTTP fuzzing. I'm going to assume the purpose of this is developing BOFs... but not sure.
Securityxxxpert
sickness did all the hard work as he is the creator of it - I just made the video. :)
sickfuzz controls SPIKE, which helps automate it all. sickfuzz also comes with some custom stuff + useful features (port & status checking, for example).
Wireshark was used during the video to show data is being sent from sickfuzz (because of SPIKE). It can then be used to analyse in detail what caused the crash afterwards.
And yes, fuzzing is a method of developing exploits. Here is a good breakdown of it all: http://www.pentest-standard.org/index.php/Exploitation
Quote:
Originally Posted by
m0j4h3d
great work guys :D, really like it, am gonna try
go fw boys
Quote:
Originally Posted by
fnord0
very nice! congrats both of ya (re: sickness & g0tmi1k) - enjoyed the vid and grabbin' sickfuzz now :D
Quote:
Originally Posted by
Scamentology
worked great
got a crash on my first try - There goes the rest of my week. :)
Thanks for the thanks!
Great to hear feedback on it all! =)
hehe Scamentology, sorry about that - Best of luck with it!
Re: [Video] sickfuzz v0.2
sickfuzz v0.3 is out!
Download link: http://code.google.com/p/sickfuzz/downloads/list
svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz
New features:
- Some SPIKE tweaks.
- Changed the SPIKE fuzzer.
- Modified the .spk scripts.
- More logs available.
- More detailed help screen as well as output.
Fixed bugs:
- Fixed trailing slash issue; now paths don't have to end with "/".
- Now stops when the app crashes, without going over the other scripts.
Install SPIKE and sickfuzz:
Code:
root@bt:~# apt-get install automake
root@bt:~# rm -rf /pentest/fuzzers/spike/
root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz
root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz
root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/
Before actually starting to compile SPIKE we will make a little tweak (thanks, master @lupin, for this one!).
Open up spike.c; there are 2 lines that look like this:
Code:
printf("tried to send to a closed socket!\n");
Each of these 2 lines has a "return 0;" instruction on the next line; we will replace that instruction with "exit(1);", save the file and proceed.
(NOTE: ONLY REPLACE THOSE 2 INSTRUCTIONS NOT ALL!)
http://img156.imageshack.us/img156/6...shot1eu.th.png
http://img4.imageshack.us/img4/1401/snapshot2lr.th.png
http://img864.imageshack.us/img864/6...pshot3a.th.png
http://img689.imageshack.us/img689/2...pshot4g.th.png
Now we can proceed with SPIKE:
Code:
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make
If you get this error:
Code:
configure: creating ./config.status
cd && /bin/sh ./config.status Makefile
/bin/sh: ./config.status: No such file or directory
make: *** [Makefile] Error 127
Execute the following commands again:
Code:
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make
Should have worked now.
Code:
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd
root@bt:~# rm -rf /pentest/fuzzers/SPIKE/
root@bt:~# cd /pentest/fuzzers/
root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz
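The spike.c tweak in the install steps above, done by hand in the screenshots, written out as a small shell script. This is an added example and is not part of sickfuzz or SPIKE. It assumes the path to spike.c is passed as its argument, changes only the "return 0;" that directly follows each 'tried to send to a closed socket!' printf, and refuses to write the file unless exactly two lines changed, which is the check the NOTE above asks for. The function name patch_spike_closed_socket and the file name patch_spike.sh are made up for this example.

```shell
#!/bin/sh
# Added example (not sickfuzz's or SPIKE's own code): turn the "return 0;"
# after each 'tried to send to a closed socket!' message into "exit(1);",
# so SPIKE exits non-zero when the target closes the socket and the
# controlling script can stop instead of moving on to the next .spk script.
# Every other "return 0;" in spike.c is left untouched.
#
# usage: sh patch_spike.sh /pentest/fuzzers/SPIKE/SPIKE/src/spike.c
# Prints the number of replaced lines; exits 1 (file untouched) if that
# number is not exactly 2.

patch_spike_closed_socket() {
    src="$1"
    tmp="$src.patched"

    # Write the rewritten file to $tmp; the only thing on stdout is the count.
    changed=$(awk -v out="$tmp" '
        # the closed-socket message: remember it and move to the next line
        /tried to send to a closed socket!/ { hit = 1; print > out; next }
        # the line right after it is the one we change; nothing else matches
        hit && /return 0;/ { sub(/return 0;/, "exit(1);"); n++ }
        { hit = 0; print > out }
        END { print n + 0 }
    ' "$src") || return 1

    if [ "$changed" -ne 2 ]; then
        echo "expected 2 replacements, got $changed; leaving $src untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$src"
    echo "$changed"
}

# Only act when a path was given, so sourcing the file does nothing.
if [ $# -gt 0 ]; then
    patch_spike_closed_socket "$1"
fi
```

Run it before `aclocal`; if you put it in an install script with `set -e`, a count other than two stops the build rather than silently compiling an unpatched SPIKE that keeps sending to a dead socket.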
For more info on using SPIKE check out lupin's guides:
http://resources.infosecinstitute.com/intro-to-fuzzing/
http://resources.infosecinstitute.co...on-with-spike/
Re: [Video] sickfuzz v0.2
Whew!!! that was NICE ! ;)