begood Posted March 19, 2010 Report Posted March 19, 2010 Mike Zusman explains fuzz testing, a special type of negative software testing.HomeworkYour assignment for this section is the following: 1. Locate a stack overflow in an ActiveX control by fuzzing it. Choose your target machine carefully. If you run a clean and patched Windows box, you might have a harder time finding something exploitable. See if you can run your tools on someone else's machine - preferably a machine with a lot of garbage software installed on it. COMRaider will more easily find the low-hanging fruit - the basic stack smash - and you should probably run this tool first. If you find nothing, run other fuzzers like Dranzer, AxRub, or AxMan. 2. Determine the exploitability of the overflow by investigating the stack with a debugger. COMraider will show you debugger output in its own GUI. Double clicking on the exceptions will show a stack dump. AxMan will require use of an external debugger of your choosing. You get extra points if you use WinDBG and run the !exploitable plugin. 3. Reproduce the successful fuzz in a "Proof of Concept" that overwrites EIP with all A's. Even though COMraider might show EIP over written, we still want to see a stand-alone script that demonstrates the vulnerability in a web browser. Additionally, you should identify the vulnerable DLL on the machine and grab a copy of it. This will be important if you are not testing on your own machine - you will want to take the DLL with you for further testing. For more information on registering DLLs on a Windows box, check out the Regsvr32 documentation.What to hand in: One DLL, a PoC that crashes the DLL, a screenshot of the crash in a debugger.GoalsThe goal of the assignment is to introduce you to fuzzing and client-side attacks, not to develop working exploits against ActiveX objects. To that end, make sure that your homework demonstrates that you: * know how to operate a fuzzer (step 1) * know how to identify a successful fuzz (step 2) * know how to reproduce a successful fuzz (step 3) * are comfortable working with client-side "stuff" (in this case, ActiveX)That's it!WalkthroughIf you want a simple walkthrough before starting the assignment or if you've tried the assignment and can't find a vulnerable ActiveX, you can register the ActiveX included in this zip file which I guarantee is loaded with exploitable vulnerabilities. To make things simple, just register it and then point COMRaider directly at it. The vulnerable function is foobar() and pretty much anything it accepts will generate a stack overflow. If you don't see "ACCESS VIOLATION", you're doing something wrong. If you see error messages saying "Cannot Create Object", you have not registered the DLL correctly.If you're still having problems finding an ActiveX to fuzz, try some of these: * ActiveX 1 * ActiveX 2 * ActiveX 3Reading Material * Information on ActiveX * Fuzzing Software * Registering COM DLL's * Jared DeMott - The Evolving Art of Fuzzing (whitepaper) (slides)video&source: Penetration Testing and Vulnerability Analysis - Fuzzing - Fuzzing101 Quote
