How To: The Art of 0-Day Vulnerabilities, Part2: Manually Fuzzing

Welcome back, my masters, teachers and classmates. In this second part of the 0-day series we will learn the basics of fuzzing, and I have brought a gift for Null Byte (a 0-day vulnerability that will be released today, exclusively on Null Byte).

INTRODUCTION

As I love Wikipedia so much, here is their definition: fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware and software.

Fuzzers work best for problems that can cause a program to crash, such as buffer overflows, cross-site scripting, denial of service, format string bugs and SQL injection. These schemes are often used by malicious hackers intent on wreaking the greatest possible amount of havoc in the least possible time.

In my opinion, fuzzing is the first step to exploiting unknown vulnerabilities in software. The more familiar you get with fuzzing, the more bugs you will find.

REMOTE AND LOCAL FUZZING

Depending on whether the target is local or remote, you will use different tools to fuzz. Most of the time remote security bugs are the most important ones: exploiting the target machine needs no user interaction, the exploit is simply sent to the remote machine and it is attacked.

Local fuzzing deals with fuzzing applications locally or hosted on the target system. This can include, but isn't limited to:

Command Line Fuzzing - Fuzzing applications via the command line and/or environment variables
File Format Fuzzing - Fuzzing applications that read files in a specific format or formats
Kernel Fuzzing - Fuzzing core kernel features, kernel modules, and system calls

Remote fuzzing deals with fuzzing a target remotely, over a network. This can include, but isn't limited to:

Network Protocol Fuzzing - Fuzzing applications, or even a kernel, that implement a specific protocol
Database Fuzzing - Fuzzing database modules and/or database input sanitization policies
Web Application Fuzzing - Fuzzing the input vectors of web applications hosted on a web server

If a target has input, it can probably be fuzzed.

LOCAL FUZZING EXAMPLE

There are a bunch of tools you can use to fuzz locally, depending on the target's environment.
You can use the command:
Now, as an example, we will use a simple C program that I wrote which is vulnerable to a buffer overflow. Here is the code:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];   /* 15-byte password buffer */
    int pass = 0;    /* sits next to buff on the stack; 0 = not authenticated */

    printf("\n Enter the password : \n");
    gets(buff);      /* no bounds check: input longer than 14 bytes overflows buff
                        (this is the bug the tutorial demonstrates) */

    if(strcmp(buff, "mrnakupenda"))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)   /* any non-zero value, including overflow garbage, grants access */
    {
        printf ("\n welcome MrNakup3nda you got Root privileges \n");
    }

    return 0;
}
Save this code as buffer.c, then compile and run it.

RUNNING OUR EXAMPLE

To compile, use the following command:
cc buffer.c -o buffer
Then run it with the command:
./buffer

From the above screenshot: I tried entering the correct and a wrong password and it worked just fine, but when I ran an input longer than what the buffer can hold (the fuzzing technique), at a particular input length the buffer overflow overwrote the memory of the integer 'pass'. So despite a wrong password, the value of 'pass' became non-zero and root privileges were granted to the attacker. Now that we know our program is vulnerable, save it; in the next tutorial we will test it with automated tools that will show us the same vulnerability we found by manual fuzzing.
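As an added example (not code from the original tutorial), here is the same password check written so that the length fuzzing above finds nothing, together with a small manual fuzz loop that proves it. It keeps the tutorial's 15-byte buffer and the password "mrnakupenda", but rejects any input that would not fit instead of calling gets(), and reads stdin with fgets() so an over-long line is detected and discarded rather than spilling onto the stack. The helper names check_password, read_line and fuzz_lengths are my own. One caveat worth knowing when you reproduce the original experiment: the exact length that flips 'pass' depends on how your compiler lays out the stack, and with stack protection enabled the program may abort instead of granting access, so do not conclude the bug is absent just because one length did nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_LEN 15                 /* same 15-byte buffer as buffer.c */
#define SECRET   "mrnakupenda"      /* same password as buffer.c */

/* Hardened version of the tutorial's check (my own code). The input is
 * rejected when it would not fit in the buffer, so nothing can ever spill
 * over into 'pass'. Returns 1 for the correct password, 0 otherwise. */
static int check_password(const char *input)
{
    char buff[BUFF_LEN];
    int pass = 0;
    size_t len = strlen(input);

    /* The bounds check gets() never performs: anything that does not fit,
     * including its terminating NUL, is treated as a wrong password. */
    if (len >= sizeof buff)
        return 0;
    memcpy(buff, input, len + 1);

    if (strcmp(buff, SECRET) == 0)
        pass = 1;
    return pass;
}

/* Reads one line from 'in' into buf (capacity n) and strips the newline.
 * Returns 0 on success, -1 on EOF, -2 if the line did not fit (the rest of
 * the over-long line is discarded so it cannot be read as the next input). */
static int read_line(char *buf, size_t n, FILE *in)
{
    if (fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c;
    while ((c = getc(in)) != EOF && c != '\n')
        ;
    return -2;
}

/* Manual length fuzzing as a regression test: submit a wrong password of
 * every length from 1 to max_len and count how many are accepted. On the
 * original buffer.c one of these lengths flips 'pass'; here the expected
 * count is 0. Returns -1 if the scratch buffer could not be allocated. */
static int fuzz_lengths(int max_len)
{
    char *input = malloc((size_t)max_len + 1);
    if (input == NULL)
        return -1;

    int accepted = 0;
    for (int len = 1; len <= max_len; len++) {
        memset(input, 'A', (size_t)len);   /* constructed input: 'A' * len */
        input[len] = '\0';
        if (check_password(input))
            accepted++;
    }
    free(input);
    return accepted;
}

int main(void)
{
    char line[256];
    int pass;

    printf("Fuzzing lengths 1..500 against the hardened check: %d accepted\n",
           fuzz_lengths(500));

    printf("\n Enter the password : \n");
    int rc = read_line(line, sizeof line, stdin);
    if (rc == -1)
        return 1;
    /* An over-long line (rc == -2) is simply a wrong password, never a crash. */
    pass = (rc == 0) ? check_password(line) : 0;
    printf("%s", pass ? "\n Correct Password \n" : "\n Wrong Password \n");
    if (pass)
        printf("\n welcome MrNakup3nda you got Root privileges \n");
    return 0;
}
```

Compile it the same way as buffer.c (cc hardened.c -o hardened) and feed it the same long inputs; the fuzz loop reports 0 accepted before the prompt, and typing a 200-character line only produces "Wrong Password".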

0 DAY GIFT

Today I was just hunting the web for bugs and I found that some websites made by a company suffer from an auth bypass vulnerability. I'm too lazy to contact them, plus I was too lazy to find the perfect Google dork for the other websites, but I tested some of them and it works just perfectly. I guess websites running the 2009 footer are affected; again, I did not have time to check all of them. So if you want to know more about it, let me know and I will give you details about the vulnerability, so you could practice by letting the company know about the bug, then give them time to fix it, and we can later expose the vulnerability. But do anything on your own; I'm not responsible for any damage you make with this info.

The vulnerability can be exploited in this way:

http://www.website.com/admin/
username:ADMIN' OR 1=1#
password:anything
Contact me for more info.

By the way, there is something on Null Byte: if you try to write special characters in your bio, the characters do not appear. I guess it has something to do with the encoding in the database; I did not dig deep into it either, but it might lead to some vulnerabilities.

OK, that's all for now. See you in the next tutorial.
Mr__nakup3nda

14 Comments

lol that's really cool. Thank you for the article, can't wait to see more of this series

Good job on the 0-day exploit. Keep it up!

-Phoenix750

Great article, although it's irresponsible to post about a vuln before you tell the company, and I doubt you have authorization from the website to use their website as a playground for a pen testing community.

Overall I really like this article but really think that you should remove the 0-day until you tell the company and give them time to fix it.

In my opinion this is considered full black hat.

Cheers,
Washu

I'd consider it grey hat. But he should still request permission from the company nonetheless.

-Phoenix750

Well, since there wasn't any reason, it wasn't for any good, he didn't have the permission of the company or of the website, and he exploited it just because he could, I would consider that pretty black hat. (On the flip side though, it doesn't seem like there was malicious intent, so I guess it's more like really, really dark grey :P)

Cheers,
Washu

I'm sorry bro, I know that sometimes I get paranoid. I did not mean any malicious intent, as you said, and I was so tired when I discovered it that I did not have the power to complete all these tasks about full path disclosure, so I thought that, as it is a community of white hats, someone would just do it. As the tutorial I'm running teaches hackers how to find these bugs, I thought it would be cool for others to use it as a real-world example, because of course I'd never post it in a black-hat forum before it gets fixed. But I guess I will just let them know with a time limit; if they do not fix it in time I'm going to expose them. I found this bug on a friend's website, I often run pentests on his websites and I just noticed the bug, and his website was not the only one affected. But anyway, thank you -Phoenix750 and Washu for the advice and opinions. I will not expose them for now. Done editing the post.

Mr__nakup3nda

Just because this is a white hat forum doesn't mean there aren't any blackhats around ;)

-Phoenix750

I'm really glad you didn't expose the website; it shows a good sense of responsibility that some hackers need more of. Congratulations on finding the 0-day, a great milestone in a hacker's career :)

Cheers,
Washu

He didn't post anything illegal? He posted an exploit. He never mentioned the website's URL and /admin/ login page. With this being said, he didn't do anything irresponsible.

No bro, actually I did post the link before, then I edited it. I guess they're right. But anyway, thank y'all for the comments. As it's not the first time I've found a bug on systems, I was OK with giving it away here, but I guess it's against the rules here. I don't know exactly if it's wrong or not, because before I thought it was irresponsible, then someone posted something about SQL injection and he or she posted the link of the websites as an example, and when I saw OTW commenting and not saying anything against it I thought it was OK to post it here. Because I really don't care, but I have to obey the rules of Null Byte as it is a white-hat community.

Mr_nakup3nda

Try inurl=/admin I found a couple of vulnerable websites there

Just to be sure...
How possible is it that such a vulnerable website is a honeypot?

I mean, I like to play around, but not if they fetch my IP...

The website is not www.website.com; I deleted the real website because people around here advised me that I should not expose them until I give them time to fix the issue, but I can PM you the website that I was talking about before...

This is a great article. I'd love to see a followup to the sample code with shellcode that shows how you can manipulate values in memory to execute code.
