The vulnserver.exe server is a vulnerable server that was written specifically for fuzzing purposes. Therefore the software intentionally contains vulnerabilities that we can exploit to gain control over the target operating system. Peach is a fuzzer that is capable of performing both generation-based and mutation-based fuzzing. It is driven by a Peach PIT file, an XML file that describes what to fuzz and how. A PIT file is built from the following Peach elements:
Data Model: defines the protocol or file format we want to fuzz.
State Model: used for controlling the flow of the fuzzing process.
Publisher: the I/O interface that we use to read data from a file/socket, write data to a file/socket, etc.
Mutators: take an existing input test case and change it a little bit to make it invalid.
Agents: the Peach process that needs to run on the target system, which is used to restart the fuzzed server if it crashes.
Monitors: used to capture the network traffic, attach a debugger to the target process, etc.
Logger: saves the crashes and input test cases into a file for later analysis.
To install Peach on Windows, we need to satisfy the dependencies below:
Python (http://www.python.org/getit/releases/2.6/)
PyWin32 (http://sourceforge.net/projects/pywin32/files/pywin32/Build216/ – choose a version appropriate to your installed Python version)
WinPcap (http://www.winpcap.org/install/default.htm)
Windows Debugging Tools (http://msdn.microsoft.com/en-us/windows/hardware/gg463009 – choose “Install Debugging Tools for Windows as a Standalone Component”. Alternatively we can download windbg from http://www.windowstipspage.com/2010/06/windbg-download.html.)
We also need to add the path to the windbg.exe, which is located in the C:/Program Files/Debugging Tools for Windows (x86) directory, to the system PATH. To install Peach on Linux, we first need to install the dependencies: [bash]
emerge twisted twisted-web 4suite pyasn1 wxpython zope-interface
[/bash] The above command installs the dependencies on Gentoo Linux distribution, but you need to install the equivalents of the named packages on your own Linux distribution. We also need to cd into the directory under peach/peach/ and install the additional dependencies that were not previously installed. We need to move into the directories 4Suite-XML, cDeepCopy, cPeach and vdebug (needs to be unzipped first) and run the commands below: [bash]
python setup.py build --debug
python setup.py install
[/bash]
This will install all the dependencies, after which we can run the Peach fuzzer.

2. Presenting the vulnserver.xml

Part of the input file for the Peach fuzzer is shown below. We must add that the file is by no means complete: there is too much code to include in this article while still keeping it readable and clear. This is why we're presenting only the KSTET data model, state model and related elements. The whole vulnserver.xml is available in the Google Code git repository, under the peach/ directory. The partial vulnserver.xml is presented below:
[xml]
[/xml]
[plain]
EXPLOITABLE PROBABLY_EXPLOITABLE UNKNOWN
[/plain]
The exploitable directory holds the test cases that discovered vulnerabilities that are surely exploitable. The probably_exploitable directory holds the test cases that found vulnerabilities that are probably exploitable, but Peach can't determine whether they can truly be exploited. The last class is unknown and holds all the test cases that can't be classified into the other two classes, because it can't be determined whether they found a vulnerability at all. We must check those manually to determine whether a vulnerability was found. Let's choose the EXPLOITABLE_WriteAV_0x0a49666d_0x0a614c6d/ directory and analyze the results a little further. The command below lists all the existing files in that directory.
[bash]
$ find EXPLOITABLE_WriteAV_0x0a49666d_0x0a614c6d/
EXPLOITABLE_WriteAV_0x0a49666d_0x0a614c6d/
EXPLOITABLE_WriteAV_0x0a49666d_0x0a614c6d/1876
EXPLOITABLE_WriteAV_0x0a49666d_0x0a614c6d/1876/Agent_StackTrace.txt
EXPLOITABLE_WriteAV_0x0a49666d_0x0a614c6d/1876/data_1_output_Named_107.txt
[/bash]
The 1876/ directory is named after the number of the input test case that caused the crash, and it contains two files. Agent_StackTrace.txt holds the stack trace of the program at the moment of the crash. data_1_output_Named_107.txt contains the actual input test case that was sent to cause the crash.
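The elements listed in section 1 and the crash buckets described above come together in the PIT file. Since the article's own vulnserver.xml is not reproduced here, the following is an added example and not the article's file nor code from the Peach project: a minimal Peach 2.x PIT that fuzzes only the KSTET command. The KSTET keyword and the trailing newline are static, so the mutators only touch the argument; the debugger monitor in the Agent is what restarts vulnserver.exe after a crash and classifies it with WinDbg's !exploitable extension, which is where the EXPLOITABLE_, PROBABLY_EXPLOITABLE_ and UNKNOWN_ directory names come from; the Logger writes them under logs/. The class and Param names (tcp.Tcp, debugger.WindowsDebugEngine, WinDbgPath, logger.Filesystem) are as we recall them from Peach 2.x, and the vulnserver path, the agent port 9000 and the vulnserver port 9999 are assumptions, so check them against your Peach version.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example PIT, not the article's vulnserver.xml. Assumes Peach 2.x. -->
<Peach version="1.0" author="example" description="Fuzz the vulnserver KSTET command"
       xmlns="http://phed.org/2008/Peach">

  <!-- Standard Peach 2.x defaults (mutators, default Python paths, etc.) -->
  <Include ns="default" src="file:defaults.xml" />

  <!-- Data Model: "KSTET <argument>\n". Only the argument is mutated;
       the keyword and newline are marked static so they survive every test case. -->
  <DataModel name="KstetRequest">
    <String name="Command"  value="KSTET " isStatic="true" />
    <String name="Argument" value="AAAA" />
    <Blob   name="Newline"  valueType="hex" value="0a" isStatic="true" />
  </DataModel>

  <!-- Whatever the server answers (welcome banner or command reply) -->
  <DataModel name="ServerResponse">
    <String name="Response" />
  </DataModel>

  <!-- State Model: read the banner, send the fuzzed command, read the reply -->
  <StateModel name="KstetState" initialState="Initial">
    <State name="Initial">
      <Action type="input">
        <DataModel ref="ServerResponse" />
      </Action>
      <Action type="output">
        <DataModel ref="KstetRequest" />
      </Action>
      <Action type="input">
        <DataModel ref="ServerResponse" />
      </Action>
    </State>
  </StateModel>

  <!-- Agent: the Peach process started with "peach.py -a" on the Windows box
       running vulnserver.exe (port 9000 assumed to be the agent default).
       The debugger Monitor restarts the target after a crash and runs !exploitable,
       which produces bucket names such as EXPLOITABLE_WriteAV_<hash>_<hash>. -->
  <Agent name="LocalAgent" location="http://127.0.0.1:9000">
    <Monitor class="debugger.WindowsDebugEngine">
      <!-- Both paths are assumptions; adjust to your installation -->
      <Param name="CommandLine" value="C:\vulnserver\vulnserver.exe 9999" />
      <Param name="WinDbgPath"  value="C:\Program Files\Debugging Tools for Windows (x86)" />
    </Monitor>
  </Agent>

  <!-- Test: ties the state model, the agent and the Publisher together.
       The Publisher is a plain TCP client talking to vulnserver's listening port. -->
  <Test name="KstetTest">
    <Agent ref="LocalAgent" />
    <StateModel ref="KstetState" />
    <Publisher class="tcp.Tcp">
      <Param name="host" value="127.0.0.1" />
      <Param name="port" value="9999" />
    </Publisher>
  </Test>

  <!-- Run: the Logger creates logs/<bucket>/<testcase>/ with the stack trace
       and the data_*_output_*.txt input file for each crash -->
  <Run name="DefaultRun">
    <Test ref="KstetTest" />
    <Logger class="logger.Filesystem">
      <Param name="path" value="logs" />
    </Logger>
  </Run>
</Peach>
```

Start the agent on the Windows side with peach.py -a before launching peach.py against this PIT from the fuzzing host; the other vulnserver commands can be added as further DataModel/State pairs following the same pattern. Keeping the command keyword static matters for coverage: if the mutators are allowed to corrupt "KSTET", most test cases are rejected by the command parser and never reach the handler we want to exercise.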
This file contains the output below: [plain] HTER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[/plain]
This is the input test case that crashes the vulnerable server. We won't go into detail on whether it can be used to actually exploit the vulnerable server, because that is outside the scope of this article. We can read more about that in the following articles about Vulnserver exploitability: part 1, part 2 and part 3.

5. Conclusion

We've seen that Peach can successfully find all the vulnerabilities in the vulnerable server, which proves that fuzzing is a useful method of discovering security vulnerabilities. In the next article we'll present how to fuzz the vulnerable server with the Sulley fuzzer and compare the results of the Sulley and Peach fuzzers.