Notes for some fuzzing research...
Software to be fuzzed:
Easy File Share - FileCopa - Serv-U - Vulnserver - WingFTP - WiseFTP -
Running Peach Pit Validation:
peach -t fuzzers\vulnserver_peachpit.xml
Start the Peach Remote Agent(For Instrumentation):
peach -a tcp
Run the Peach fuzzing session:
peach fuzzers\vulnserver_peachpit.xml TestHTER
Results:
- Example Peach Logs - https://github.com/f47h3r/fuzzing_notes/blob/master/results/vulnserver/PeachLogs
- Example of Fuzz test case that is exploitable - https://github.com/f47h3r/fuzzing_notes/blob/master/results/vulnserver/PeachLogs/vulnserver_peachpit.xml_TestHTER_20150302155506/Faults/EXPLOITABLE_0x264d5172_0x00000000/726/action_2_Output_Unknown%20Action%202.txt
-
Vulnserver HTER Crasher: https://github.com/f47h3r/fuzzing_notes/blob/master/results/vulnserver/exploits/crasher.py
-
Vulnserver HTER Exploit: https://github.com/f47h3r/fuzzing_notes/blob/master/results/vulnserver/exploits/vulnserver_exploit_calc.py
Finding a "jmp eax" instruction:
sudo ./msfpescan -j eax ~/Research/fuzzing/results/vulnserver/bin/essfunc.dll
-- Output --
[/fuzzing/results/vulnserver/bin/essfunc.dll]
0x62501084 call eax
0x625011b1 jmp eax
0x625015b1 call eax
- Write Exploit for Vulnserver
- Setup EFS Server
- Fuzz EFS Server