Modeling Arbitrary Network Protocols

Other Fuzzer Possibilities

There are many other things you can do with fuzzers and you can use code that others have put together to save yourself time.

Bit Flipping

Imagine you have a network protocol that looks like this:

 <length><ascii string><0x00> 

Bit flipping is the practice of sending that string to the server, each time flipping on a bit in it. So, at first the length field is modified to be very large (or very negative), then the string is mutated to have strange characters , and then the 0x00 is deformed into large (or negative) values. Any of these may trigger a crash, or consequently, an exploitable security bug.

One major benefit of bit flipping is that it is a very simple fuzzer to write and still may find some interesting bugs . Obviously, however, it has severe limitations.

Modifying Open Source Programs

The open source community has heavily invested in implementing many of the protocols that a hacker would want to analyze, most often in C. By modifying these open implementations to send longer strings or larger integers or otherwise manipulate the client side of the protocol, you can often quickly find vulnerabilities that would have been very difficult to find even with a very good fuzzer written from scratch. This is often because you have much documentation on the protocol, written directly into the client side itself. You don't have to guess at the proper field values ”they are given to you automatically. In addition, you don't have to bypass any authentication or checksum measures inherent in the protocol, as the client side has all the authentication and checksum routines you'll need. For a protocol that is heavily layered in anti-reverse engineering protection or encrypted, modifying an existing implementation is often your only real choice.

It should be noted that via ELF or DLL injection, you might not even need an open source client to modify. You can often hook certain library calls in a client to allow you to both see and manipulate the data the client will send. In particular, network gaming protocols (Quake, Half-Life, Unreal, and others) are often layered in protective measures in order to prevent cheaters, which makes this method especially useful.

Fuzzing with Dynamic Analysis

Dynamic analysis (debugging your target program as you fuzz it) provides a lot of useful data and also allows you a chance to "guide" your fuzzer. For example, RPC programs typically unwind their variables from a data block you provide by using xdr_string , xdr_int , or other similar calls. By hooking those routines, you can see what kind of data the program expects in your data block. In addition, you can disassemble the program as it executes and see which code is executed, and if a particular code path is not being followed, you can potentially discover why. For example, perhaps there is a compare in the program that is always falling in one direction. This kind of analysis is somewhat underdeveloped and is being pursued by many people in order to make the next generation of fuzzers more comprehensive and intelligent .



The Shellcoder's Handbook. Discovering and Exploiting Security
Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)
ISBN: N/A
EAN: 2147483647
Year: 2003
Pages: 198
Authors: Neal Krawetz

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net