Fuzzing Advice (trying to BOF SLmail 5.5.0.4433 - known to be vulnerable)

[sophanox]

Hey guys, I'm trying to practice my BOF technique and so have downloaded some software that is known to be vulnerable - SLmail 5.5.0.4433 I've set it up on a windows xp vm, and am trying to force a crash from my bt vm.

I made my own python script to flood it with a command then x amount of As, but it got to the point where my counter was so large the script just wouldn't run.

As such I turned to the tools on BT; first off I tried bed, which couldn't force a crash and since then I have been trying with spike.

From what I've read spike is the most commonly used, but I can't find a clear guide on how to use it - or one that I understand anyway. I'm pretty sure I'm out of my depth here but that's the best way to learn really. There is a runspkwizard.py which is meant to be helpful, but running that produced errors, which I'd fixed, only to find there were further errors which were beyond my current grasp of python.

In any case I just gave it a go with these command:

./line_send_tcp 192.168.x.x 25 blocktest1.spk 0 0

and this is connecting to the server and working (currently reading: Fuzzing variable 0:146666). It's been going for about 8 hours though with no joy, so my questions really are am I on the right track? Is my command ok? Are there any other avenues I could explore?

There are working exploits out there for this software, but I really don't want to cheat and would much rather someone point me in the right direction =)

Any help is much appreciated!

Thanks!

[sophanox]

Well I gave up trying to fuzz it with a program and googled it, which revealed which command was vulnerable. After that I just adapted my original script which to find the number of chars necessary to cause a BOF.

I guess the moral is in these situations you're best off trying to fuzz each command one by one, as oppose to using a program to do it for you.

Cheers

[sickness]

Bed usually shows at what command the crash occurs, at least it worked for me.