Fuzzing the Application

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
fuzzing the application
00:03
are learning objective is to understand how to fuzz an application and find the offset where E. I. P. Is overwritten.
00:12
So we had our proof of concept test script that just sent a message to
00:18
the vulnerable program and it sent a message back. Our objective now is to see if we can actually overwrite the buffer of the application
00:26
and cause it to crash.
00:28
What we like to do is figure out how we can control E. I. P. Which I'll show you in the d bugger. But what this program that I wrote, this python script does is it sends an array of buffers. It sends 50 days over and over and over in increments with fifties until the program crashes.
00:48
So we want to figure out where exactly uh we crashed this program with our A's.
00:53
So what I'll do
00:56
is I will start up this program again
01:00
with our desktop
01:10
hoops, not set up. We're just going to start immunity bugger.
01:15
If you get stuck here you can always go to see.
01:19
And what we'll do again is we will open
01:25
do stack buffer overflow. Good. Some mouthful
01:29
cancel out of this,
01:33
make sure it's running.
01:37
So what I'm gonna do now is
01:42
going to go back
01:45
and run the fuzz er
01:49
Yeah
01:51
Now you see it fuzzing and now it stops at 1:50.
01:56
So if we go back to immunity d bugger
02:01
really
02:02
we see
02:05
the chip is overwritten here and so is
02:08
E. V. P.
02:09
With a Space 41 41 41 41.
02:15
So now we need to figure out exactly where it caused it to crash and we see it's around 1 50 now what you have or. And what's in the guide is he sends I think 1024 A's which crashes the program so I'm going to use that as our test
02:31
next. So what we'll do
02:37
is we need to use
02:38
it's in here. Users share medicine point framework tools exploit.
02:45
So we're going to create a long string of characters to find are offset.
02:51
So what we'll do here is we'll do pack,
02:54
we'll do pattern,
03:01
create
03:04
The length of 1024, which is what's in the guide. Right?
03:07
So we take this
03:10
and we make a script out of that.
03:14
So what I did,
03:24
yeah,
03:30
is create another script.
03:32
So you should have that that script where he sent 1024 A's. This is taking
03:42
all these characters
03:44
copying it.
03:45
And now I'm just putting it here where it said A times 10 24 and just
03:50
putting this long string of
03:53
Alpha Numeric characters 1 24 to be exact.
03:57
And we're now we're gonna send this to try to find exactly where we overwrite e I p.
04:04
So if I go back
04:08
a lot of back and forth with the buffer overflow
04:15
so I'm going to go back.
04:18
Yes
04:20
hit the play button again,
04:23
make sure you're up and running
04:31
now. I'm going to go back
04:34
and I'm going to send the pattern create python script.
04:45
Yeah.
04:46
So now we see e type was overwritten here. 3965
04:50
4138
04:55
39654138.
04:59
So what I have to do now is figure out
05:02
where it was overwritten
05:05
and we can use another module in medicine Floyd called pattern offset to find exactly
05:13
where
05:15
we've crashed the program and controlled the chip.
05:18
Mhm.
05:25
So we do now is we do pattern
05:30
offset?
05:32
Our length is 1024
05:38
tak Q. Of where we crash the program 39654138
05:44
And we see there is an exact match of 146. Was was around that 150 mark where we saw the program crash
05:50
from our father.
05:57
So we want what we want to do now is be sure that the offset is 146.
06:02
So I've created this other program and you may have seen that me launched this earlier.
06:08
But here's our offset.
06:10
We have eight times 146. Which is
06:15
Right here are exact match at 1:46. and I want to send four bees
06:19
And I'm gonna send 90 sees. You could make that less than that if you wanted.
06:25
But the important thing is making seeing if our four bees land and overwrite the I. P. To make sure that we have controlled the I. P.
06:38
So we'll go back
06:41
like I said a lot of back and forth here
06:50
it will start this again
07:05
and now we will send
07:09
are offset script
07:11
and see if we've overridden E. I. P. With those bees which should be hex character 42 we sent four of them.
07:25
So going back we see IP was overridden by our four babies
07:30
42-42-42-42. So now we know that our offset is correct.
07:42
So now we should understand how we can cause a vulnerable application to crash. You saw me do that with the fuzz er
07:49
you saw how we can use medicine. Ploy to do that pattern create so it creates a unique pattern of
07:57
characters. Then we can send that payload and crash the application
08:01
and from that determined from ip
08:05
where it crashed exactly by using pattern offset
08:09
and then setting setting another payload where we not only send the exact amount of A's but the four B's and the seas after that. To ensure that we're cleanly overwriting e i. P.
08:22
And in summary, we should understand how to fund an application and find the offset where the I. P. Is overwritten.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By