2

I have been doing a lot of reading into how to find vulnerabilities in closed source applications. And the term that comes up a lot is "fuzzing".

I want to get started with fuzzing and I looking for any tips and hints on where and how to start. What tools to use, etc .

Stolas
  • 2,331
  • 14
  • 34
Sreyan
  • 203
  • 2
  • 7

2 Answers2

1

Just find points of interest and reverse the flow back to find if there is something in the environment you can manipulate to your will alter the poi.

Eg, if you find a memcpy(a, b, c); check where b and c are coming from, are they from user generated input or system generated input, maybe they are statics. If it they are generated from user input you can manipulate the flow of the program as you can copy arbitrary data into the memory. This might allow you to alter the stack and thus alter the flow of the program.

Leading into a security vulnerability.

Stolas
  • 2,331
  • 14
  • 34
  • Are there any such tutorials describing techniques like what you have described. Your answer is okay but only describes one technique and not in very much detail. – Sreyan Dec 03 '14 at 10:48
  • Sreyan, Vulnerability Research has many shapes. This is a common technique. Another one is to write a fuzzer and do fault injection, hoping the program will crash after which you try to find a way to use this crash to gain code execution. Fuzzing however is done so much that it yields way worse results than hand analysis. For training materials have a look at http://www.binary-auditing.com/ – Stolas Dec 03 '14 at 14:15
0

A small list of tools often used to dynamic RE:

  1. PWNGDB - plug-in to one of the most popular debugger DBG. It gives you the ability to check registers values, asm code, set breakpoints, look up stack, and much more.
  2. (AFL) American Luzzy Lop - It's a very popular tool used to fuzzing binaries with genetic algorithms, It helps you find bugs and strange behavior which can be used in exploitation. For example when AFL detects that when you send a specific message to the fuzzed app then it will crash. And this information can be used to DoS attack.
  3. Ltrace - linux debugging utility used to display calls to shared libraries (for example libc).
  4. Ptrace - linux debugging system call that allows you to get control the execution of another process and debug it.
  5. x64dbg - 64 bit debugger with many extensions like scyllahide
  6. Cheat Engine - mostly used in game hacking offer debugging, memory scanning, and code injection.
  7. Windbg - advanced windows debugger works in user and kernel space
  8. Lldb - high-performance debugger that is part of LLVM project

Where to learn:
I learned a lot from LiveOverflow and Gynvael Coldwind videos on YouTube and participants in CTF-s and read write-ups. You can practice at: HackTheBox, Crackmes, CTF-s competitions, applications that allow you to do RE without breaking their ToS/license.

Filip Poplewski
  • 21
  • 2