Fuzzing the Application


Difficulty
Intermediate
Video Transcription
00:00
Fuzzing the application
00:03
Our learning objective is to understand how to fuzz an application and find the offset where EIP is overwritten.
00:12
So we had our proof of concept test script that just sent a message to
00:18
the vulnerable program and it sent a message back. Our objective now is to see if we can actually overwrite the buffer of the application
00:26
and cause it to crash.
00:28
What we'd like to do is figure out how we can control EIP, which I'll show you in the debugger. But what this program that I wrote, this Python script, does is it sends an array of buffers. It sends 50 A's over and over and over, in increments of fifty, until the program crashes.
00:48
So we want to figure out where exactly uh we crashed this program with our A's.
00:53
So what I'll do
00:56
is I will start up this program again
01:00
with our desktop
01:10
Oops, not set up. We're just going to start Immunity Debugger.
01:15
If you get stuck here you can always go to see.
01:19
And what we'll do again is we will open
01:25
do stack buffer overflow. Good. Some mouthful.
01:29
cancel out of this,
01:33
make sure it's running.
01:37
So what I'm gonna do now is
01:42
going to go back
01:45
and run the fuzzer
01:49
Yeah
01:51
Now you see it fuzzing, and now it stops at 150.
01:56
So if we go back to Immunity Debugger
02:01
really
02:02
we see
02:05
EIP is overwritten here and so is
02:08
EBP
02:09
with A's, 41 41 41 41.
02:15
So now we need to figure out exactly where it caused it to crash, and we see it's around 150. Now, what you have, or what's in the guide, is he sends I think 1024 A's, which crashes the program, so I'm going to use that as our test
02:31
next. So what we'll do
02:37
is we need to use
02:38
it's in here: usr/share/metasploit-framework/tools/exploit.
02:45
So we're going to create a long string of characters to find our offset.
02:51
So what we'll do here is we'll do pack,
02:54
we'll do pattern,
03:01
create
03:04
The length of 1024, which is what's in the guide. Right?
03:07
So we take this
03:10
and we make a script out of that.
03:14
So what I did,
03:24
yeah,
03:30
is create another script.
03:32
So you should have that script where he sent 1024 A's. This is taking
03:42
all these characters
03:44
copying it.
03:45
And now I'm just putting it here where it said A times 1024 and just
03:50
putting this long string of
03:53
alphanumeric characters, 1024 to be exact.
03:57
And now we're gonna send this to try to find exactly where we overwrite EIP.
04:04
So if I go back
04:08
a lot of back and forth with the buffer overflow
04:15
so I'm going to go back.
04:18
Yes
04:20
hit the play button again,
04:23
make sure you're up and running
04:31
now. I'm going to go back
04:34
and I'm going to send the pattern_create Python script.
04:45
Yeah.
04:46
So now we see EIP was overwritten here. 3965
04:50
4138
04:55
39654138.
04:59
So what I have to do now is figure out
05:02
where it was overwritten
05:05
and we can use another module in Metasploit called pattern offset to find exactly
05:13
where
05:15
we've crashed the program and controlled EIP.
05:18
Mhm.
05:25
So we do now is we do pattern
05:30
offset?
05:32
Our length is 1024
05:38
-q of where we crashed the program, 39654138
05:44
And we see there is an exact match at 146, which was around that 150 mark where we saw the program crash
05:50
from our fuzzer.
05:57
So what we want to do now is be sure that the offset is 146.
06:02
So I've created this other program, and you may have seen me launch this earlier.
06:08
But here's our offset.
06:10
We have A times 146, which is
06:15
right here, our exact match at 146, and I want to send four B's
06:19
And I'm gonna send 90 C's. You could make that less than that if you wanted.
06:25
But the important thing is seeing if our four B's land and overwrite EIP, to make sure that we have controlled EIP.
06:38
So we'll go back
06:41
like I said a lot of back and forth here
06:50
I'll start this again
07:05
and now we will send
07:09
our offset script
07:11
and see if we've overwritten EIP with those B's, which should be hex character 42; we sent four of them.
07:25
So going back we see EIP was overwritten by our four B's,
07:30
42 42 42 42. So now we know that our offset is correct.
07:42
So now we should understand how we can cause a vulnerable application to crash. You saw me do that with the fuzzer,
07:49
you saw how we can use Metasploit to do that pattern create, so it creates a unique pattern of
07:57
characters. Then we can send that payload and crash the application
08:01
and from that determine from EIP
08:05
where it crashed exactly by using pattern offset
08:09
and then setting up another payload where we not only send the exact amount of A's but the four B's and the C's after that, to ensure that we're cleanly overwriting EIP.
08:22
And in summary, we should understand how to fuzz an application and find the offset where EIP is overwritten.