Sickfuzz v0.2

This video is a brief introduction to "fuzzing". The author, sickn3ss, requested a video to demonstrate his latest project, called sickfuzz. You can read what he has got to say about it here.

Fuzzing is sending invalid, unexpected or random data to a program's inputs and watching what happens to the program in question. An example: let's say there is a question "Have you got milk?", which accepts the answers "Yes" or "No". What happens when you try "Maybe", "-1" or "34c96c@23" instead? If the program mishandles the input it may crash, leading to security issues such as (un)exploitable buffer overflows, Denial of Service (DoS), etc.

"A fuzzer is a program which injects automatically semi-random data into a program/stack and detect bugs."~ owasp

Links

Download video: http://download.g0tmi1k.com/videos_archive/sickfuzz_v02.mp4

Method

  • Setup a web server
  • Check status
  • Fuzz it
  • Watch for response
  • Check status
  • Repeat
  • Analyse captured packets

Tools

Walkthrough

The user first downloads, installs and configures a web server of their choosing, then scans the network for the server and checks that the port is open (the default is usually 80).

After downloading the latest and greatest version of sickfuzz (don't forget to add it to your svn collection, which simplifies updating it) the user extracts it, runs it for the first time and sees the help screen.

After typing in all the necessary command line options, and before any fuzzing happens, sickfuzz checks whether the port is open; if it is, sickfuzz automatically starts capturing (using tshark, the command-line version of Wireshark) so the user can later analyse how the web server responded.

Sickfuzz uses SPIKE to send a collection of requests that trigger known issues in web servers; it currently supports a mixture of URL and header fuzzing fields:

  • GET /
  • GET /abc=
  • HEAD /
  • POST /
  • GET / (HTTP/1.1)
  • HEAD / (HTTP/1.1)
  • POST / (HTTP/1.1)
  • Authorization:
  • Content-Length:
  • If-Modified-Since:
  • Connection:
  • X-a:

During fuzzing, sickfuzz checks whether the service has crashed (although sometimes this isn't detectable until the program has closed: with PMSoftware's SWS, for example, the web server did not stop responding until the user clicked "Okay" on the crash message). If the server has crashed, sickfuzz will stop and exit.

After it has tried all the payloads for a field, sickfuzz will either stop (--script x) or move on to the next field (--script all), depending on how it was invoked.

When sickfuzz has ended, the user can then analyse the collected packets for themselves to see what caused the crash.
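The loop described under Method (check status, fuzz a field, watch the response, check status again, repeat) and the list of URL/header fields above, written out as an added Python example for a web server you run in your own lab. This is not sickfuzz's or SPIKE's code; the request templates, the payload lengths and the host/port values are assumptions made for the illustration.

```python
import socket

# Fields listed on the page, each mapped to an assumed raw request template.
# {p} marks where the payload goes; {host} fills the HTTP/1.1 Host header.
TEMPLATES = {
    "GET /": "GET /{p} HTTP/1.0\r\n\r\n",
    "GET /abc=": "GET /abc={p} HTTP/1.0\r\n\r\n",
    "HEAD /": "HEAD /{p} HTTP/1.0\r\n\r\n",
    "POST /": "POST /{p} HTTP/1.0\r\n\r\n",
    "GET / (HTTP/1.1)": "GET /{p} HTTP/1.1\r\nHost: {host}\r\n\r\n",
    "HEAD / (HTTP/1.1)": "HEAD /{p} HTTP/1.1\r\nHost: {host}\r\n\r\n",
    "POST / (HTTP/1.1)": "POST /{p} HTTP/1.1\r\nHost: {host}\r\n\r\n",
    "Authorization:": "GET / HTTP/1.1\r\nHost: {host}\r\nAuthorization: {p}\r\n\r\n",
    "Content-Length:": "POST / HTTP/1.1\r\nHost: {host}\r\nContent-Length: {p}\r\n\r\n",
    "If-Modified-Since:": "GET / HTTP/1.1\r\nHost: {host}\r\nIf-Modified-Since: {p}\r\n\r\n",
    "Connection:": "GET / HTTP/1.1\r\nHost: {host}\r\nConnection: {p}\r\n\r\n",
    "X-a:": "GET / HTTP/1.1\r\nHost: {host}\r\nX-a: {p}\r\n\r\n",
}

def build_request(field, payload, host="127.0.0.1"):
    """Fill one template with a payload; returns the raw bytes put on the wire."""
    return TEMPLATES[field].format(p=payload, host=host).encode()

def payloads(lengths=(64, 256, 1024, 4096)):
    """Constructed payload set: growing runs of 'A', the classic length probe."""
    return ["A" * n for n in lengths]

def service_alive(host, port, timeout=2.0):
    """'Check status' step: does the server still complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or sockets not permitted
        return False

def fuzz_field(host, port, field, timeout=2.0):
    """Send each payload for one field; return the first payload after which
    the status check fails (None if the server survived every payload)."""
    for p in payloads():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(build_request(field, p, host))
                try:
                    s.recv(4096)  # 'watch for response'; capture it with tshark alongside
                except socket.timeout:
                    pass  # a silent server is not proof of a crash; the status check decides
        except OSError:
            pass
        if not service_alive(host, port, timeout):
            return p
    return None
```

Run `fuzz_field("127.0.0.1", 80, "Authorization:")` with tshark capturing on the same interface, then compare the last request seen in the capture with the payload this returns.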

Commands

nmap 192.168.0.0/24 -n -sP -sn
nmap 192.168.0.104 -T5
clear

tar zxvf sickfuzz_v02.tar.gz
cd sickfuzz
./sickfuzz.py
./sickfuzz.py --script-show

#Savant Web Server
nmap 192.168.0.104 -p 80 -sV
./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script 1 --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
nmap 192.168.0.104 -p 80 -sV
clear

#PMSoftware
firefox -> 192.168.0.104
firefox -> http://www.exploit-db.com/exploits/945/
./sickfuzz.py --script-show
./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script 5 --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
wireshark -> Filter -> http && ip.addr == 192.168.0.104
firefox -> 192.168.0.104
clear

#MiniShare
amap 192.168.0.104 -b 80
./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script all --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
amap 192.168.0.104 -b 80


#Programs===============================================================================
Program 2:  Savant Web Server
Homepage: http://savant.sourceforge.net/
Download: http://www.exploit-db.com/application/10434/
Exploit: http://www.exploit-db.com/exploits/10434/
Sickfuzz Script: 1

Program 7: PMSoftware Simple Web Server
Homepage: http://www.pmx.it/software/sws.asp
Download: http://www.pmx.it/software/sws.asp
Exploit: http://www.exploit-db.com/exploits/945/
Sickfuzz Script: 5 #But sickness said to use: 1 (exploit says 5?)

Program 4: MiniShare
Homepage: http://minishare.sourceforge.net/
Download: http://ftp.heanet.ie/disk1/sourceforge/m/project/mi/minishare/OldFiles/minishare-1.4.1.exe
Exploit: http://www.exploit-db.com/exploits/616/
Sickfuzz Script: 1
#=======================================================================================

Notes

Song: Clutch - 10001110101

Video length: 5:00

Capture length: 31:19

Blog Post: https://blog.g0tmi1k.com/2011/03/sickfuzz-v02/