Quote: Originally Posted by hhmatt81
I recently came across an exploit writing tutorial that explained it using an FTP server. I understood it pretty well and feel confident that I could write an exploit for almost any FTP server. I seem to have trouble grasping the concept of fuzzing outside of FTP, though.
Am I correct to assume that anything that listens and accepts input has the possibility to be exploited?
Correct
Quote:
Example:
P2P programs, Do they accept input?
Yes, in various ways: user input (keyboard and mouse), updates from other nodes, search results, etc.
Quote:
Can they be exploited?
Likely
Quote:
I saw one on milw0rm for limewire but it looked more like a malformed http request and forced like a self DoS. Nothing that could return a shell.
A DoS isn't an exploit?
Quote:
Exploiting Windows services like NetBIOS. This is what I've personally been struggling with lately. I'm trying to pwn my own box (XP Pro SP2, fully updated) and I have shut down almost every service I could; it has three listening TCP ports: 137, 139 and 445. Every time I try to put the NetBIOS service into OllyDbg I get a system error and about 45 seconds before automatic shutdown.
Did you try "shutdown -a"? (Abort shutdown.)
Quote:
I can't use the IPC exploit because it is patched. I believe this was done in SP2. But it would make sense to me that you could overflow the user ID and password fields if it didn't shut down Windows. Couldn't you run the necessary code to get your reverse shell, then use a separate pointer to redirect NetBIOS back so that it doesn't shut down?
Is there a fuzzer in BT that knows many different protocols?
IIRC there's an entire Fuzzing menu. I'm not on a BT box right now so I can't really tell ya off the top of my head.
Quote:
What about those UDP ports that seem to be open?
What about them?
Quote:
I can't seem to find anything that exploits UDP ports. I have found a couple things for TFTP but that would be it. Does nobody even consider using these ports?
Yes people do, however the nature of UDP makes things more difficult. (http://en.wikipedia.org/wiki/User_Datagram_Protocol)
Quote:
I know UDP is unreliable so couldn't UDP be used to spawn a listening TCP port?
Depends on how you exploit it.
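An added example, not from the thread or from any BackTrack tool, to make the two points above concrete: fuzzing a non-FTP protocol is just building that protocol's messages with hostile field values, and with UDP there is no connection to be reset, so the only crash signal you get is silence. The script builds RFC 1350 TFTP read requests (opcode 1, then NUL-terminated filename and mode) with mutated filenames, fires each one at a target, and after every case sends a known-good request and waits for the ERROR reply (opcode 5) to decide whether the daemon is still alive. The target here is a constructed toy server (`ToyTftpTarget`) that answers well-formed requests with "File not found", silently drops malformed ones, and is scripted to stop responding once a filename exceeds 512 bytes; that simulated crash threshold, the case labels and the probe timeouts are all assumptions for the demo, not behaviour of any real TFTP daemon.

```python
import socket
import struct
import threading

TFTP_RRQ = 1    # read request opcode (RFC 1350)
TFTP_ERROR = 5  # error packet opcode (RFC 1350)


def build_rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """RRQ wire format: opcode(2) | filename | 0 | mode | 0."""
    return struct.pack("!H", TFTP_RRQ) + filename + b"\x00" + mode + b"\x00"


def build_error(code: int, msg: bytes) -> bytes:
    """ERROR wire format: opcode(2) | errcode(2) | message | 0."""
    return struct.pack("!HH", TFTP_ERROR, code) + msg + b"\x00"


def parse_rrq(data: bytes):
    """Return (filename, mode) for a well-formed RRQ, else None."""
    if len(data) < 4 or struct.unpack("!H", data[:2])[0] != TFTP_RRQ:
        return None
    parts = data[2:].split(b"\x00")
    if len(parts) < 3:  # need filename, mode and the trailing terminator
        return None
    return parts[0], parts[1]


def rrq_test_cases():
    """Constructed fuzz cases: a baseline plus mutations of the filename/mode fields."""
    yield ("baseline", build_rrq(b"boot.cfg"))
    for n in (128, 256, 512, 1024, 2048):
        yield (f"long-filename-{n}", build_rrq(b"A" * n))
    yield ("missing-terminator", struct.pack("!H", TFTP_RRQ) + b"boot.cfg")
    yield ("format-string", build_rrq(b"%s%s%s%n"))
    yield ("bad-mode", build_rrq(b"boot.cfg", b"\xff" * 64))


class ToyTftpTarget(threading.Thread):
    """Constructed stand-in for a UDP daemon; the crash at >512 bytes is simulated."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        self.sock.settimeout(0.05)
        self.addr = self.sock.getsockname()
        self.alive = True
        self._stop = threading.Event()

    def run(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            if not self.alive:
                continue                   # "crashed": everything is dropped, no ICMP, no reset
            req = parse_rrq(data)
            if req is None:
                continue                   # malformed request: dropped silently, like many real daemons
            if len(req[0]) > 512:
                self.alive = False         # simulated crash on an oversized filename (assumption)
                continue
            self.sock.sendto(build_error(1, b"File not found"), peer)

    def stop(self):
        self._stop.set()


def probe_alive(sock: socket.socket, target) -> bool:
    """Send a known-good RRQ; a live daemon answers with an ERROR packet."""
    sock.sendto(build_rrq(b"boot.cfg"), target)
    try:
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return False
    return len(data) >= 2 and struct.unpack("!H", data[:2])[0] == TFTP_ERROR


def fuzz(target, cases, retries: int = 2):
    """Return the label of the first case after which the target stops answering, else None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(0.2)
    try:
        if not probe_alive(sock, target):
            raise RuntimeError("target not answering the baseline probe")
        for label, pkt in cases:
            sock.sendto(pkt, target)
            try:
                sock.recvfrom(65535)      # drain any reply to the fuzz case itself
            except socket.timeout:
                pass                       # no reply is normal for UDP: dropped or crashed, we cannot tell yet
            # UDP gives no reset, so re-probe a few times before calling silence a crash
            if not any(probe_alive(sock, target) for _ in range(retries)):
                return label
        return None
    finally:
        sock.close()


def fuzz_local():
    """Run the fuzzer against the constructed local target and report the suspicious case."""
    target = ToyTftpTarget()
    target.start()
    try:
        return fuzz(target.addr, rrq_test_cases())
    finally:
        target.stop()


if __name__ == "__main__":
    print("target went silent after case:", fuzz_local())
```

The liveness probe is the part worth copying: a TCP service that dies usually hands you a reset or a refused connect, but a dead UDP listener just stops talking, and a lossy network looks identical, so the fuzzer retries the known-good request before blaming the last case, and you would still confirm the crash out of band (debugger, process list, console) before trusting the result.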