TippingPoint.
PaiMei
Sulley.
. iDefense, ,
UNIX-.
FUZZING
www.symbol.ru
(812) 324-5353, (495) 945-8100
FUZZING
Brute Force Vulnerability Discovery
FUZZING
2009
High tech
Fuzzing:
Fuzzing: . . .
.: $, 2009. 560 ., .
ISBN: 978-5-93286-147-9
ISBN: 9785932861479
ISBN: 9780321446114 (.)
$, 2009
Authorized translation of the English edition 2007 Pearson Education Inc. This
translation is published and sold by permission of Pearson Education Inc., the owner of
all rights to publish and sell the same.
$. 199034, $, 16 , 7,
. (812) 324$5353, www.symbol.ru. N 000054 25.12.98.
30.07.2009. 701001/16. .
35 . . 1200 .
199034, $, 9 , 12.
Ethereal/Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
libdasm libdisasm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Libnet/LibnetNT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
LibPCAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Metro Packet Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
PTrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
GNU (GDB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
iFUZZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
XSS- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
ActiveX . . . . . . . . . . 309
Windows . . . . . . . . . . . . . . . . . . . 337
PyDbg, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Antiparser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Dfuz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Peach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Autodafé . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
: Shockwave Flash . . . . . 389
SWF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Sulley: . . . . . . . . . . . . . . . . . . . . . . . . 403
Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
CFG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
CFG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
PStalker Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
SDLC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
beSTORM Beyond Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
BPS-1000 BreakingPoint Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Codenomicon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
GLEG ProtoVer Professional . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Mu Security Mu-4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Security Innovation Holodeck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Mac OS X. . $
Microsoft WINS.
UDP
Computer Associates, Norton Ghost $
Mac OS X.
ActiveX (AxMan), $
Microsoft.
Month of Browser Bugs ( ), $
Metasploit Framework. $
AxMan , $
, Microsoft Internet Explo$
rer, Microsoft Word Microsoft Excel, 2006 , $
(SDLC), .
SDLC $
Exploiting Software ( )
(Greg Hoglund) (Gary McGraw),
Hacking Exposed, The Shellcoders Handbook (
) (Jack Koziol),
(David Litchfield) .
Windows UNIX. , ,
, 11, $
, . 12 $
: UNIX $
UNIX, 13
: Windows
, Windows.
43$
$ (a.k.a. Dubya). ,
The L Word & Fish2 DailyDave.) $
. (fuzzy) $
: www.fuzzing.org
$ fuzzing.org , $
. fuzzing.org
1 http://tinyurl.com/33l54g
2 http://archives.neohapsis.com/archives/dailydave/2004-q1/0023.html
(Peter DeVriews) :
(Charlie Miller), $
. . (H. D. Moore) , ,
Addison-Wesley,
: (Sheri Cain), (Kristin
Weinberger), (Romny French), (Jana Jones)
(Lori Lyons). , $
iDefense Labs SPI Dynamics, $
GOYA, GOMOA $
JTHS, (Mark Chegwidden),
(Louis Collucci), (Chris Burkhart),
sgo, Nadwodny, (Dave Aitel), (Jamie
Breiten), , , Kloub and AE, , $
(Cody Pierce),
(Cameron Hotchkies) (Aaron
Portnoy), TippingPoint
. (Peter Silberman), $
(Jamie Butler), Xo, (Halvar
Flake) (Ero Carrera) , $
. (David End$
ler), (Ralph Schindler), (Sunil
James) (Nicolas Augello), $
(Michael Sutton) SPI
Dynamics. , $
$ (WASC),
SPI Dynamics iDefense/Veri$
Sign, iDefense Labs, $
(ISAAS)
Ernst & Young.
(Adam Green) $ $
iDefense Labs, ,
, UNIX$
(Pedram Amini) $
TippingPoint.
iDefense Labs. ,
PaiMei Sulley.
, OpenRCE.org, $
RECon, BlackHat, DefCon, ShmooCon ToorCon $
C, test
10$ :
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[10];
    /* "test" occupies 5 bytes including the terminating NUL, so it fits in the 10-byte buffer */
    strcpy(buffer, "test");
    return 0;
}
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[10];
    if (argc < 2)
        return 1; /* nothing to copy; avoids dereferencing a NULL argv[1] */
    /* argv[1] is copied without a length check: any argument longer than 9 bytes overflows buffer */
    strcpy(buffer, argv[1]);
    return 0;
}
Microsoft
Microsoft Windows NT 4.0 Windows 2000. Microsoft $
, , CVE-2004-0566,
.bmp.1 $
, Microsoft , , $
TinyKRNL3 ReactOS4, $
Microsoft
Windows.
Microsoft, $
, $ $
Windows . Windows ,
Windows.
1 http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0806.html
2 http://news.zdnet.com/2100-1009_22-5160566.html
3 http://www.tinykrnl.org/
4 http://www.reactos.org/
strcpy(),
. strcpy()
C/C++, $
, test (
) 5, , 10$
strcpy() . $
(compile time checker)
. /analyze Microsoft Visual C++
.1 Microsoft PREfast for Drivers2,
1 http://msdn2.microsoft.com/en-us/library/k3a3hzw7.aspx
2 http://www.microsoft.com/whdc/devtools/tools/PREfast.mspx
, strcpy(), $
Cscope1 Linux Cross-Reference2 .
Fortify3, Coverity4, KlocWork5, GrammaTech6 . . 1.1 $
1.1.
Tool                                     Languages                   Platforms     URL
RATS (Rough Auditing Tool for Security)  C, C++, Perl, PHP, Python   UNIX, Win32   http://www.fortifysoftware.com/security-resources/rats.jsp
ITS4                                     C, C++                      UNIX, Win32   http://www.cigital.com/its4/
Splint                                                               UNIX, Win32   http://lclint.cs.virginia.edu/
Flawfinder                               C, C++                      UNIX          http://www.dwheeler.com/flawfinder/
Jlint                                    Java                        UNIX, Win32   http://jlint.sourceforge.net/
CodeSpy                                  Java                        Java          http://www.owasp.org/software/labs/codespy.htm
1 http://cscope.sourceforge.net/
2 http://lxr.linux.no/
3 http://www.fortifysoftware.com/
4 http://www.coverity.com/
5 http://www.klocwork.com/
6 http://www.grammatech.com/
Rough Auditing Tool for Security (RATS)
, . RATS
strcpy(). $
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing userinput.c
userinput.c:4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that
are allocated on the stack are used safely. They are prime targets
for buffer overflow attacks.
userinput.c:5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000131 seconds
53435 lines per second
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing userinput.c
userinput.c:4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that
are allocated on the stack are used safely. They are prime targets
for buffer overflow attacks.
userinput.c:5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000794 seconds
8816 lines per second
, $
. ?
, . ,
, $
. ,
Microsoft Windows $
. ?
. , $
. $
. , , $
, $
.
. ,
.
:
. $
. , $
, , .
, $
.
, $
.
. . $
UNIX , $
, Win32, $
. $
$
.
, , $
. $
, , , $
, $
.
$ $.
HTML XML, $$
,
, .
:
Microsoft Office, $
, , $
. ,
.
, $
. $
, .
, $.
$. $
$
, .
$
, $
, SQL$.
, $
, ( $
). ,
, (sweeping), $
. ,
. ,
LDAP, $
LDAP , . , $
, $
, .
CreateProcess() , $
Microsoft Windows (API). $
, CreateProcess()
.1 :
BOOL CreateProcess(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);
1 http://msdn2.microsoft.com/en-us/library/ms682425.aspx
,
lpApplicationName NULL, ,
, $
lpCommandLine. , , Create
Process():
CreateProcess(
NULL,
"c:\program files\sub dir\program.exe",
...
);
CreateProcess() $
, :
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
, $
. , program.exe $
c:\,
CreateProcess() pro$
gram.exe. $
, .
2005 1, $
$
CreateProcess().
$
. ,
(, notepad.exe)
c:\.
. $
, , , Cre
ateProcess().
1 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=340
,
, , , $
, $
. 2 ?
. , $
,
( ), .
,
,
. $
$, . 1.1.
. 1.1. +
Microsoft?
.
2005 The Trustworthy Computing Security Deve$
lopment Lifecycle document (SDL)1 , Microsoft
. SDL
, $
, $
, $
. SDL
,
. $
, $
SDL,
.
1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp
, Name () $
, Age () .
,
? $
ASCII? $
? ? $
$
. $
, .
, , .
. $
, ,
,
.
, ,
. :
.
, , ,
.
. $
, , , $
, FTP$, $
FTP$.
. , (reverse
code engineering, RCE), , $
.
, $
, $
, ,
$ , , .
$
. , :
. $
, , ,
. $
23 .
. , $
, .
, , $
; $
, .
$
,
RCE.
, $
, $
(reverse code engineer$
ing RCE). , $
$
. ,
, , $
. $
, . $
, .
.
RCE ,
RCE , $
. RCE
. $
,
$
, ,
().
$
.
,
, $
, ,
. , ,
. $
,
. , $
. $
, , .
, $
, , $
().
, . $
,
, , DataRescues Interac$
http://www.datarescue.com
http://www.boomerang.sourceforge.net/
. $
$
. Win32
OllyDbg1, . 1.3, Microsoft
WinDbg ( wind bag, , ).2
WinDbg Debugging Tools for Windows3,
Microsoft. OllyDbg $
,
. $
, $
OllyDbg.4 UNIX
, $
GNU Project Debugger5 (GDB). GDB $
UNIX/Linux.
. 1.3. OllyDbg
1 http://www.ollydbg.de/
2 http://www.openrce.org/forums/posts/4
3 http://www.microsoft.com/whdc/devtools/debugging/default.mspx
4 http://www.openrce.org/downloads/browse/OllyDbg_Plugins
5 http://www.gnu.org/software/gdb/gdb.html
,
RCE
. , , $
, IDA Pro, $
. . 1.2 .
1.2.
LogiScan
LogicLibrary
LogicLibrary BugScan
2004 , $
Logidex SDA
BugScam $
IDC IDA Pro, $
,
$
$
.
$
BugScan
Inspector HB Gary
Inspector $
RCE,
RCE,
IDA Pro OllyDbg
Security$ Veracode
Review
VeraCode $
$
. $
$
,
Coverity.
Vera$
Code $
,
$
BinAudit . $
$$
SABRE Security
IDA Pro, $
$
, $
, $
. .
, $
, $
RCE. ,
, . :
. $ $
, .
. , $
, $
.
:
. RCE , $
$
.
$
, . $
, .
, ,
$
. $
, , $
, $
RCE.
$
.
,
$
.
.
, , .
, $
, .
$
, RCE.
, $
. $
.
2
?
.
$.,
, ,
6 2000
,
, $
. ,
.
. $
, ,
$ , $
$.
fuzzing
$, , $
. $
$
$. $
.
(boundary value analysis, BVA)1,
1 http://en.wikipedia.org/wiki/Boundary_value_analysis
2. ?
, $
. BVA $
, $
,
. BVA, $
, ,
.
.
$
, , $
. , , (very generic) , $
. $
: ,
, , $
, $
.
. 3
$
.
$
. ,
. ,
, , $
. , $
, $
, , $
. $
, .
, $
.
, , $
,
. ,
.
, $
$
, , $
. , ,
.
$
!
,
1989 . (Barton Miller) ( $
) , $
, $
UNIX.1 $
,
. $
, setuid $
. 1995 $
UNIX .
1995 ,
$ .
, ,
. , ,
, .
, . . .
, , ,
.
1999
PROTOS. PROTOS $
: ,
, ,
, .
, $
. $
, $
.
2002 Microsoft $
PROTOS2, 2003 PROTOS $
Codenomicon (Codenomicon) ,
. $ $
, , $
,
.3
Codenomicon
26 .
1 http://www.cs.wisc.edu/~bart/fuzz/
2 http://www.ee.oulu.fi/research/ouspg/protos/index.html
3 http://www.codenomicon.com/products/features.shtml
PROTOS 2002
SPIKE1, $
GNU (GPL). $
2 $
. SPIKE ,
.
. SPIKE
, ,
. SPIKE
,
. Sun RPC Microsoft RPC
,
. SPIKE $
. $
, 21 $
.
, SPIKE,
UNIX, (sharefuzz). $
, , $
. ,
. $
,
( $
), , .
SPIKE
. $
(Michal Zalewski)3 ( lcamtuf) 2004
$
(mangleme)4 CGI, $
HTML,
$. $
. . . (Aviv Raff) Hamachi5
HTML (DHTML),
(Matt Murphy) (Thierry Zoller) CSSDIE6 $
(CSS).
1 http://immunityinc.com/resources-freesoftware.shtml
2 http://www.immunityinc.com/downloads/advantages_of_block_based_analysis.html
3 http://lcamtuf.coredump.cx/
4 http://lcamtuf.coredump.cx/mangleme/mangle.cgi
5 http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
6 http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
2004 . Microsoft $
, MS04-028, $
, JPEG.1 $
,
$ , $
Microsoft . $
,
.
, $
. $
$.
? , $
, Microsoft,
Microsoft Office,
. $
, $
.
Black Hat 2005 2 $
, ,
, File Fuzz,
SPIKEfile notSPIKEfile.3
2005 Mu Security
,
.4
$
. $
, ,
5,
(Gadi Evron). ,
.
ActiveX 2006 , $
COMRaider, . . AxMan.6 $
ActiveX, $
$
Microsoft Internet Explorer.
, $
. ActiveX, ,
1 http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
2 http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-sutton.pdf
3 http://labs.idefense.com/software/fuzzing.php
4 http://www.musecurity.com/products/overview.html
5 http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
6 http://metasploit.com/users/hdm/tools/axman/
,
, $
, $
. ActiveX $
17 $$
18 $: .
,
, . $
. 2.1, .
,
. $
,
$
.
.
, , $
, , $
.
$
$.
. 2.1.
1999: PROTOS
2002: SPIKE (Black Hat); PROTOS SNMP
2004: Mangleme (lcamtuf)
2005: File Fuzz, SPIKEfile, notSPIKEfile (Black Hat); Codenomicon, Mu Security . .
2006: ActiveX: COMRaider, AxMan . .; Hamachi, CSSDIE
2007:
? $
. ,
. ,
, , .
:
1. . $
. $
$
, .
,
. $
$
. , SecurityFocus1 Secunia2, . $
$, ,
, , , $
, . $
,
. ,
, $
, $
$ .
2. .
, $
$
.
. $
$
. $
. $
, . $
, , ,
. . ,
.
3. . $
, . $
, ,
,
1 http://www.securityfocus.com/
2 http://secunia.com/
. $
.
4. . $
. .
,
.
. $
.
5. . , $
,
. $ 10 000 $
, $
, . $
;
.
6. . $
$
, .
$
. , $
,
.
. 2.2.
; $
.
. 2.2.
.
, , , 100%
. $
, , , .
$
. $
. ,
.
,
, $
. , , $, $
. $
, .
. $
. $
, $
.
, $
. $
,
,
. $
. $
,
. ? , .
,
.
, , , $
$
.
$
. , , ,
Veritas Backup Exec, $
Windows, ,
.1 , ,
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269
. $ $
, TCP RPC,
, $
.
.
, , , $
Microsoft (Microsoft Interface Description Language, IDL), $
$
.
RPC ,
, , $
. , $
ActiveX 18 $: $
, $
, , .
, .
,
,
, , . $
, $
. , , $
, ,
, $
. , $
, , $
, .
.
,
. ,
, $
. , , , $
, $
.
. , $
x86 Linux , %n,
:
mov %ecx,(%eax)
$
, %n,
, $$
.
SIGSEGV. $
SIGSEGV, $
.
.
( ) $ $
, , , $
SIGSEGV.
, ; $
, ,
? , $
, , $
.
, .
$
.
, $
.
. $
,
, $
. ,
$
,
.
, $
,
. , ,
. ,
, $
. $
, .
.
.
$.,
$, ,
6 2004
.
$
.
, . $
, $
. $
II .
, $
: , $
, +
, ,
.
.
,
, .
, $
(pregenerated test cases) $
PROTOS. $
, , $
$
.
, $
. $
, $
. $
,
, ,
$
.
$
, . $
, $
.
, , , $
,
. $
$
,
. $
,
while [ 1 ]; do cat /dev/urandom | nc -vv target port; done
Linux$$
urandom ,
netcat. while , $
.
, ,
. $
! $
, , . $
, 500 000 ,
. , , . , $
, $
. ,
, ,
3.
. . 3.1 $
$
,
. ? ,
.
. , .
. 3.1. ? /dev/urandom
, , /dev/urandom.
$
. , . $
,
$
. , , , $
. ,
.
$.
,
, , $
$
, , $
.
, $
. , ,
. , $
, . ., ,
, .
,
, $
. , $
. , $
. $
,
, $ $
.
FileFuzz notSPIKEfile Windows Linux .
.
: $
. ,
$
, , $
.
, , ,
.
,
. $
$
, $. $
SPIKE SPIKEfile.
SPIKE $
.
, $
.
, , ,
. $
, .
, $
. $
.
, , $
.
UNIX setuid $
. $
,
setuid
.
setuid $
: 1) $
setuid $
; 2) UNIX $
, . , $
.
$
, . ,
1 ,
:
#include <string.h>

int main (int argc, char **argv)
{
    char buffer[10];
    strcpy(buffer, argv[1]);   /* unchecked copy of argv[1] into a 10-byte stack buffer */
    return 0;
}
setuid,
. , $
setuid, . ,
.
:
clfuzz1 warl0ck.
.
iFUZZ2 . $
. $
, $
,
(usage help messages).
setuid.
, , $
:
#include <stdlib.h>
#include <string.h>

int main (int argc, char **argv)
{
    char buffer[10];
    strcpy(buffer, getenv("HOME"));   /* unchecked copy of $HOME into a 10-byte stack buffer */
    return 0;
}
,
, . ,
, $
. $
. $
:
Sharefuzz3 . $
. getenv $
.
iFUZZ4 . $
,
. iFUZZ , Sharefuzz,
.
setuid 7
8 $
: .
1 http://warl0ck.metaeye.org/cb/clfuzz.tar.gz
2 http://fuzzing.org
3 http://www.immunitysec.com/resources-freesoftware.shtml
4 http://fuzzing.org
, , , $
. , $
, $
, . , $
. $
,
.
. $
, $
$.
, $
.
:
FileFuzz1 .
(GUI) Win$
dows.
notSPIKEfile SPIKEfile2 . UNIX$, $
SPIKE .
PAIMEIfilefuzz3 . FileFuzz,
Windows GUI; PaiMei. PaiMei $
.
11
, 12 :
UNIX 13 :
Windows.
, $
. ,
. $
$
, $, ,
(DNS) . .
.
1 http://fuzzing.org
2 http://fuzzing.org
3 https://www.openrce.org/downloads/details/208
$
: . $
.
.
, ASCII.
. $
.
FTP. FTP $
ASCII.
.
$
ASCII. $
, ; $
.
Microsoft (MSRPC): , $
, $
. . $
, . $
:
SPIKE1 . SPIKE
. $
;
API.
Peach2 (Michael Eddington).
, Python. ,
.
14
, 15 :
UNIX 16 :
Windows.
1 http://www.immunitysec.com/resources-freesoftware.shtml
2 http://peachfuzz.sourceforge.net/
$ $
, $
. Web 2.0 ( )
, , $
.1
$ ,
, SQL, XSS . .
, HTTP
. $
$ :
WebScarab2 OWASP. $
.
SPI Fuzzer3 SPI Dynamics. HTTP
$, WebInspect.
Codenomicon HTTP Test Tools4 Codenomicon. $
HTTP.
$ 9 $
10 $ $
: .
$
, , $
$
. $ $
HTML . , $
lcamtuf mangleme, $
,
<META REFRESH>
. $
$
. $
.
$ HTML $
. , $
See-Ess-Ess-Die CSS, COM Raider
COM, Microsoft In$
1 http://www.google.com/a/
2 http://www.owasp.org/index.php/Fuzzing_with_WebScarab
3 http://www.spidynamics.com/products/webinspect/index.html
4 http://www.codenomicon.com/products/internet/http/
ternet Explorer. $
. $:
mangleme1 lcamtuf. HTML.
CGI,
HTML.
DOM+Hanoi2 . . . DHTML.
Hamachi3 . . . DHTML.
CSSDIE4 . . , , +
. CSS.
COM Raider5 (David Zimmer). $
COM ActiveX.
COM ActiveX 17
$ 18 $: $
. CSS $
;
, .
$ $
. $
. , $
. $
.
, . , $
. $
, $
. :
.
, ,
$
; .
. $
$
. ,
, $
, $
1 http://freshmeat.net/projects/mangleme/
2 http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
3 http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
4 http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
5 http://labs.idefense.com/software/fuzzing.php#more_comraider
, , , $
.
:
. $
, ,
.
. $
, $
.
.
. 19 $
20 : ,
.
()
.
,
. $
, ,
, SPIKE Peach.
, $
, $
. $
. , $
, $
. ,
. $
. :
. $
, $
.
. $
,
,
,
.
:
. $
, , ,
.
.
. , $
, , ,
.
,
.
.
, $
, , $
.
.
,
,
, $
. $
, .
$
, .
,
.
, $
. ,
, ,
. $
, .
.
$.,
, ,
21 2004
$
. ,
. $
, $
.
, .
, , $
,
. ,
$
.
?
.
,
, . $
, $
. ,
, ,
, , $
. $
, $
( $
). , $
, : .
$, 345. $
, , , $
. $
. $
. ,
. ,
.
: ,
, , $
$
.1
;
. , $
,
,
. $
, ,
. $
.
. ,
.
.
.
. , $
, $
,
.
, $
. ,
, , $
. , $
, . $
, $
.
, $
.
1 http://en.wikipedia.org/wiki/Protocol_%28computing%29
4.
.
, $
. , $
GIF , $
Microsoft Excel, .
, , $
. , $
. .
,
, $
, . ,
, $
, . $
:
, .
, .
$
, . , $
, $
, CSV ( ), $
$
, , , Microsoft Excel.
XML , ,
; XML
, , $
. ,
$
(< >), $
(=).
.
, Ethernet, $ (IP), $
(TCP)
(UDP), $
, $
. , Ethernet
, MAC$ ( $
), , $
MAC$ .
$
.
.
$
.
, $
, . $
$
,
;
, , $
, , $
.
$
, $
,
. , $
IPv6
32 . Intel,
3.41, $
Pentium:
Pentium.
, $
, 69 Pentium
Pro Pentium II. (DCU)
, 32 .
,
DCU, Pentium Pro Pen$
tium II. $
, ,
32 , $
32 ,
$
.1
RISC$ (RISC $
), SPARC, ,
,
.
1 http://download.intel.com/design/intarch/manuals/24281601.pdf
(plain text protocol) $
,
ASCII. , , $
, ,
(\r, 0x0D), (\n $
0x0A), (\t, 0x09)
( 0x20).
,
, .
$
, ,
, $
. (FTP) $
.
, , . FTP $
$
. , FTP $
, ,
:
C:\>nc 192.168.1.2 21
220 Microsoft FTP Service
USER Administrator
331 Password required for Administrator.
PASS password
230 User Administrator logged in.
PWD
257 "/" is current directory.
QUIT
221
Netcat1 FTP$ Microsoft. $
FTP$, Netcat
, ,
.
, , ,
, ,
, . , $
.
, ,
.
http://www.vulnwatch.org/netcat/
, $
, $
.
$ . $
, $
.
,
$
, , $
, $
AOL (AIM) , ,
, .
, $
.
AIM, $
, $
. AIM
.1
,
$
. AIM OSCAR (
). $
, GAIM2
Trillian3. , ,
Wireshark,
. .
, , $
.
, $
, $
, . $
Google ,
.
Wotsit.org $
$
.
,
AIM. , $
.
1 http://en.wikipedia.org/wiki/AOL_Instant_Messenger
2 http://gaim.sourceforge.net/
3 http://www.ceruleanstudios.com/
AIM , Wireshark
.
. . 4.1 $
Wireshark $
AIM AIM. ,
.
AOL, $
. , $
AIM Signon (0x0017) $
Signon (0x0006).
AIM Signon, Sign$on. $
(0x0001), (fuzz$
ingiscool) (13). $
. , $
.
, $
. , $
, ($
). $
,
,
. $
. , , $
,
;
.
, SPIKE1, .
. 4.2,
(3740020309). AIM$
, $
. , $
,
.
. 4.3 ,
,
. $
, ,
,
.
http://www.immunitysec.com/resources-freesoftware.shtml
,
. $
(), $
AOL, 5.5.3591/WIN32.
.
FTP AIM
. ,
. , $
, , ,
,
. :
, . $
.
?
.
$
$
, . $
$ $
, ,
, $
. , $
, , $
$
. $
(IETF).1 IETF $
:
(RFC), $ $
, , $
. RFC $
IETF .
, , $
$
. , $
Microsoft Office. Microsoft
$
, Microsoft Office, Excel PowerPoint.
, OpenDocument (ODF)2,
OpenOffice.org
OASIS ( $
).3 OASIS , $
,
.
1 http://www.ietf.org/
2 http://en.wikipedia.org/wiki/OpenDocument
3 http://www.oasis-open.org
OASIS Microsoft
2005 Mi$
crosoft Office, , Microsoft
Office Open XML.1 $
, ODF. Microsoft
Open XML Translator2
XML.
$
$
, OpenOffice Writer Microsoft Word 2003.
, fuz$
zing, , . $
OpenOffice Writer OpenDocument Text
(*.odt). $
, . , $
*.zip , ,
XML, ,
$
:
 Directory of C:\Temp\fuzzing.odt

07/18/2006  12:07 AM    <DIR>          .
07/18/2006  12:07 AM    <DIR>          ..
07/18/2006  12:07 AM    <DIR>          Configurations2
07/18/2006  04:05 AM             2,633 content.xml
07/18/2006  12:07 AM    <DIR>          META-INF
07/18/2006  04:05 AM             1,149 meta.xml
07/18/2006  04:05 AM                39 mimetype
07/18/2006  04:05 AM             7,371 settings.xml
07/18/2006  04:05 AM             8,299 styles.xml
07/18/2006  12:07 AM    <DIR>          Thumbnails
               5 File(s)         19,491 bytes
               5 Dir(s)  31,203,430,400 bytes free
$
. XML,
.
Content.xml , , $
, $
, ,
, $
(fuzzing):
1 http://www.microsoft.com/office/preview/itpro/fileoverview.mspx
2 http://sev.prnewswire.com/computer-electronics/20060705/SFTH05506072006-1.html
<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
    xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
    xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
    xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0"
    xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0"
    xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0"
    xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0"
    xmlns:math="http://www.w3.org/1998/Math/MathML"
    xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:ooo="http://openoffice.org/2004/office"
    xmlns:ooow="http://openoffice.org/2004/writer"
    xmlns:oooc="http://openoffice.org/2004/calc"
    xmlns:dom="http://www.w3.org/2001/xml-events"
    xmlns:xforms="http://www.w3.org/2002/xforms"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    office:version="1.0">
  <office:scripts/>
  <office:font-face-decls>
    <style:font-face style:name="Tahoma1" svg:font-family="Tahoma"/>
    <style:font-face style:name="Times New Roman"
        svg:font-family="'Times New Roman'"
        style:font-family-generic="roman"
        style:font-pitch="variable"/>
    <style:font-face style:name="Arial"
        svg:font-family="Arial"
        style:font-family-generic="swiss"
        style:font-pitch="variable"/>
    <style:font-face style:name="Lucida Sans Unicode"
        svg:font-family="'Lucida Sans Unicode'"
        style:font-family-generic="system"
        style:font-pitch="variable"/>
    <style:font-face style:name="Tahoma"
        svg:font-family="Tahoma"
        style:font-family-generic="system"
        style:font-pitch="variable"/>
  </office:font-face-decls>
  <office:automatic-styles/>
  <office:body>
    <office:text>
      <office:forms form:automatic-focus="false"
          form:apply-design-mode="false"/>
      <text:sequence-decls>
        <text:sequence-decl text:display-outline-level="0"
            text:name="Illustration"/>
        <text:sequence-decl text:display-outline-level="0"
            text:name="Table"/>
        <text:sequence-decl text:display-outline-level="0"
            text:name="Text"/>
        <text:sequence-decl text:display-outline-level="0"
            text:name="Drawing"/>
      </text:sequence-decls>
      <text:p text:style-name="Standard">fuzzing</text:p>
    </office:text>
  </office:body>
</office:document-content>
000024d0h: 66 75 7A 7A 69 6E 67 0D 00 00 00 00 00 00 00 00 ; fuzzing.........
           66 75 7A 7A 69 6E 67 00 1E 00 00 00 04 00 00 00 ; fuzzing.........
           00 00 00 00 1E 00 00 00 1C 00 00 00 4D 69 63 68 ; ............Mich
           61 65 6C 2C 20 41 64 61 6D 20 61 6E 64 20 50 65 ; ael, Adam and Pe
           64 72 61 6D 00 00 00 00 1E 00 00 00 04 00 00 00 ; dram............
00002560h: 4D 69 63 72 6F 73 6F 66 74 20 4F 66 66 69 63 65 ; Microsoft Office
00002570h: 20 57 6F 72 64 00 00 00 40 00 00 00 00 00 00 00 ;  Word...@.......
?
. $
, , $
. $
, .
$
(, =12),
.
Content.xml,
XML.
$
, $
, .
, $
, . $
. $
AIM AIM Signon $
(0x0001) . $
, ,
AOL. $
, , , $
, $
.
$
, , $
, $
, .
, ,
, . $
$ . , $
,
, .
, $
, .
;
,
,
$
. PNG
, . $
,
, $
,
.
, $
,
.
, ,
,
, . $
$
, , ,
, $
, . 22
.
,
.
$.,
, ,
21 2001
.
, $
. ,
, $
. $
, .
,
, , $
, , . , II
, , $
,
. , , $
,
,
, 12
: UNIX. $
, , $
, .
5.
,
$
. , $
.
$
, , ,
. $
. $
POST
, $
. $
$ , $
. ? , . $
, . , $
, $ . ,
$ ,
. $
, $
.
,
. $
$
1, $
. , $
$ $
.2
: , , , $
.
.
.
, , , $
, $
. , $
.
1 http://www.outsourceworld.org/, http://money.cnn.com/2003/09/17/news/economy/outsourceworld/
2 Computer Science Students Outsource Homework, http://developers.slashdot.org/developers/06/01/19/0026203.shtml
,
,
. $
,
, . $
, ,
JPEG Microsoft Paint. $
, ,
, , ,
. 5.1.
. 5.1. (JPEG: 1.jpg, 2.jpg, 3.jpg, 4.jpg, ... Microsoft Paint)
JPEG $
JPEG. $
, $
Microsoft Paint
. ,
Microsoft Paint. $
,
.
,
. , $
, .
, , (SMTP),
(SIP) $
IP (VoIP):
Excerpt of an SIP INVITE Transaction
49 4e 56 49 54 45 20 73 69 70 3a 72 6f 6f 74 40   INVITE sip:root@
6f 70 65 6e 72 63 65 2e 6f 72 67 20 53 49 50 2f   openrce.org SIP/
32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e   2.0..Via: SIP/2.
30 2f 55 44 50 20 70 61 6d 69 6e 69 2e 6f 70 6e   0/UDP voip.openr
, , $
( , $
). ,
,
,
?
, $
, , $
.
$
, :
. (. 5.2).
($
, ), , $
PIN$, ,
, $
. $
,
PIN
. 5.2.
. $
. $
,
. ,
, . ,
, . ,
, $
, PIN$.
SSH ( ). $
.
. $
, .
,
.
SSH, ,
. 5.3.
. 5.3. SSH
,
, $
. $
,
. $
.
MAIL FROM SMTP,
HELO EHLO. . 5.4,
SMTP MAIL
FROM , ,
.
HELO openrce.org
SMTP
MAIL FROM:pedram@openrce.org
HELO openrce.org
. 5.4. 1 SMTP
. 5.4 1 , $
MAIL FROM.
. 5.5: SMTP $
MAIL FROM $
.
SMTP
HELO openrce.org
MAIL FROM:pedram@openrce.org
HELO openrce.org
MAIL FROM:pedram@openrce.org
. 5.5. 2 SMTP
. 7 2006 $
1, $
SMTP Ipswitch Collaboration Suite.
$ @ :
. $
,
EHLO. $
, . $
, $
EHLO HELO.
?
.
http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
,
,
.
,
, $
, . $
, , , $
,
.
. (quality assurance, QA) $
, , $
. $
QA $, , $
, $
90% ,
25% . $
,
$
, . $
23 .
$
, , $
.
: ? ,
: ?
. $
, . ,
, $
, , $
. $
, , $
, , . (ping)
, . $
, .
ASCII, $
,
, , Windows Event Viewer, . 5.6.
,
.
,
. , ,
, Microsoft Windows $
,
(Structured Exception Handling,
SEH).1
$
$ ,
. , $
FileFuzz, II, $
Microsoft Windows $
. $
,
, . ,
SMTP, Mac OS X, Microsoft Windows
Gentoo Linux, , ,
. , $
$ ,
, . VoIP,
1 http://msdn2.microsoft.com/en-us/library/ms680657.aspx
$
, $
.
,
DBI1 (dynamic binary instrumentation/translation) Valgrind2
Dynamo Rio3.
, $ .
DBI
$
$ . $
, $
, . .
, ,
, , $ $
, .
, , $
,
. Valgrind $
, $
, .
.
,
, $
.
, (, $
), .
. , $
,
, $
, $50 .
$
(software development lifecycle, SDLC)
. $
, .
, , $
. , SDLC $
, ,
1 http://en.wikipedia.org/wiki/Binary_translation
2 Valgrind: http://valgrind.org/
3 Dynamo RIO: http://www.cag.lcs.mit.edu/dynamorio
. ,
, ,
, , .
,
,
,
. ,
SDLC .
,
$
.
, $
.
; $
, $
$
.
II
6.
7.
8. :
9. $
10. $ :
11.
12. : UNIX
13. : Windows
14.
15. : UNIX
16. : Windows
17. $
18. $:
19.
20. :
.
,
, .
$.,
, ,
5 2004
.
$
.
$
, . $
, . $
,
,
$
.
, $
, .
6.
, .
, , , , $
,
.
,
.
,
, $
. ,
, Java, .NET Python. $
,
. $ $
$
, .
,
. $
,
. ,
$
, $
.
. $
, :
FTP$,
, FTP$,
.
FTP$.
, $
, $
, . $
, $
, , .
, $
, $
. ,
, .
$
, .1 ,
,
. $
(
).
Ethereal2/Wireshark3
Wireshark ( Ethereal)4 $
.
,
, $
. Wireshark $
,
. , , , $
, ,
. $
$
, Wireshark. $
Wireshark, , Ethernet.5
libdasm6 libdisasm7
libdasm, libdisasm $
;
at&t Intel $
. Libdasm , libdisasm Perl. Libdasm
Python. $
,
1 http://www.threatmind.net/secwiki/FuzzingTools
2 http://www.ethereal.com
3 http://www.wireshark.org
4 http://www.wireshark.org/faq.html#q1.2
5 http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/
6 http://www.nologin.org/main.pl?action=codeView&codeId=49
7 http://bastard.sourceforge.net/libdisasm.html
.
: 12 $
: UNIX, 19
, 20 : $
, 23 24 $
.
Libnet1/LibnetNT2
Libnet $
;
.
, $
IP ,
. $
, .
LibPCAP3
LibPCAP Microsoft Windows WinPCAP4 $
;
UNIX Microsoft Windows. $
, Wireshark, $
.
PTrace
UNIX
ptrace() ( ). $
ptrace() , , $
.
1 http://www.packetfactory.net/libnet
2 http://www.securityfocus.com/tools/1559
3 http://www.tcpdump.org
4 http://www.tcpdump.org/wpcap.html
5 http://sourceforge.net/projects/dotmetro
,
8 :
12 : UNIX.
Python
Python
. Pcapy, Scapy PyDbg.
Pcapy1 Python, LibPCAP\WinPCAP $
Python . Scapy2
, $
, .
Scapy ,
. PyDbg3 32- Python Microsoft Windows,
. PyDbg $
PaiMei4, 19, 20,
23 24.
$
. $ $
. , $
,
, .
$
;
, : .
.
, $
. $
,
.
$
,
.
1 http://oss.coresecurity.com/projects/pcapy.html
2 http://www.secdev.org/projects/scapy
3 http://openrce.org/downloads/details/208/PaiMei
4 http://openrce.org/downloads/details/208/PaiMei
,
: $
. , ++, $
.
, Libnet
.
, Python Ruby,
; $
. $
,
. ,
, , $
, , .
Java, PHP
C# .
, , $
. , $
. , , $
IMAP.
IMAP, ,
(CCR),
RFC 3501.1
7.5.
+
. ,
.
.
, .
,
.
,
.
.
, CRLF, ,
.
,
:
http://www.faqs.org/rfcs/rfc3501.html
RFC , {} ($
),
, .
, $
? $
? , ,
32$ 0xFFFFFFFF
(4,294,967,295).
, 136 !
$
100 ,
500 .
IMAP , $
. , $
,
.
$
.
,
.
(0 0xFFFFFFFF) $
.
? , $
. $
,
,
, :
int size = read_ccr_size(packet);
// save space for NULL termination.
buffer = (char *) malloc(size + 1);
,
. ,
, $
. , $
(, $
32$ ) $
(, )
, $
, ,
0xFFFFFFFF-1, 0xFFFFFFFF-2, 0xFFFFFFFF-3 1, 2, 3, 4 . .
$
. , , ,
Unicode. $
2. $
, :
int size = read_ccr_size(packet);
// create space for the Unicode converted buffer
// plus Unicode NULL termination (2 bytes).
buffer = (char *) malloc((size * 2) + 2);
,
: 0xFFFFFFFF/2,
0xFFFFFFFF/2-1, 0xFFFFFFFF/2-2 . .
, 3? 4? , $
, $
16$ (0xFFFF)?
8$ (0xFF)?
.
:
MAX32 - 16 <= MAX32 <= MAX32 + 16;
MAX32 / 2 - 16 <= MAX32 / 2 <= MAX32 / 2 + 16;
MAX32 / 3 - 16 <= MAX32 / 3 <= MAX32 / 3 + 16;
MAX32 / 4 - 16 <= MAX32 / 4 <= MAX32 / 4 + 16;
MAX16 - 16 <= MAX16 <= MAX16 + 16;
MAX16 / 2 - 16 <= MAX16 / 2 <= MAX16 / 2 + 16;
MAX16 / 3 - 16 <= MAX16 / 3 <= MAX16 / 3 + 16;
MAX16 / 4 - 16 <= MAX16 / 4 <= MAX16 / 4 + 16;
MAX8 - 16 <= MAX8 <= MAX8 + 16;
MAX8 / 2 - 16 <= MAX8 / 2 <= MAX8 / 2 + 16;
MAX8 / 3 - 16 <= MAX8 / 3 <= MAX8 / 3 + 16;
MAX8 / 4 - 16 <= MAX8 / 4 <= MAX8 / 4 + 16,
MAX32 32- (0xFFFFFFFF),
MAX16 16- (0xFFFF), MAX8
8- (0xFF), 16
.
. $
,
100 .
. ,
. $
$
, $
. $
22 $
.
1 2005
,
Novell NetMail IMAPD1, $
. ,
$
.
$
, $
$
MMalloc() (. ):
00402CA2  lea ecx, [ebx+1]    ; ebx is attacker controlled
00402CA5  push ecx
00402CA6  call MMalloc
MMalloc() $
.
,
$
. $
memcpy():
1 http://pedram.redhive.com/advisories/novell_netmail_imapd/
, $
,
,
.
Novell
, $
. Novell, IMAP
. ,
1 0xFFFFFFFF, 2 0xFFFFFFFE
. . ,
:
x LOGIN {4294967295}
:
x LOGIN {1}
, 22 2006 Novell $
...1
$
, ,
? 12
:
perl -e 'print "A" x 5000'
$
. , $
ASCII, B. , $
, $
1 http://www.zerodayinitiative.com/advisories/ZDI-06-053.html
2 , Google: http://www.google.com/search?hl=en&q=%22perl+-e+%27print+%22A%22*%22
, $$
, .
. $
$
, $
, ,
. , ,
http$ :
!@#$%^&*()_-=+{}|\;:'",<.>/?~`
, $, http?
HTTP$:
HTTP/1.1 200 OK
Date: Sun, 01 Oct 2006 22:46:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.4-pl0-gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
, , $
, $
0x0d 0x0a.
. ,
( ), (/) (.)
.
(:) , $
Content-Type, Server Date . $
,
(,), (=), (;) ().
$
, $
(. ). , $
. , ,
Sendmail (2003 ).1 $
<>, $
. $
:
#include <string.h>

void parse (char *inbuf)
{
    char cpy[16];
    char *cursor;
    char *delim_index;
    int length = 0;

    /* count every byte except the ':' delimiter */
    for (cursor = inbuf; *cursor; cursor++)
    {
        if (*cursor == ':')
            delim_index = cursor;
        else
            length++;
    }

    // -2 for null termination and the : delimiter
    if (length < sizeof(cpy) - 2)
        strcpy(cpy, inbuf);   /* copies the whole input, colons included */
}
,
(). $
.
length . $
$
,
,
strcpy(). $
, name:pedram amini.
, 16, ,
, strcpy().
: name::::::::::::::::::::::pedram? $
10, , $
strcpy().
,
strcpy(), 32, .
http://xforce.iss.net/xforce/alerts/id/advise142
$
; , , $
.
, %d,
10, %08x $
16. $
%s,
%n ( ).
, $
. $
. $
%s , $
, , $
. %s $
.
$
%s%n.
,
%d, %x, %s, ,
%n , $
.
.
$
, $
%n $
.
Microsoft $
%n $
printf. $
_set_printf_count_output()1, $
, %n. $
%n ,
.
1 http://msdn2.microsoft.com/en-us/library/ms175782.aspx
, , $
, $
. , 0xFE 0xFF
4 UTF16.
.
,
, $
. , Microsoft Internet Explorer $
UTF-8 Unicode.1 ,
5- 6- UTF-8
. $
, , 5- 6- $
UTF-8, .
.
$
, $.
$. ,
$,
,
. Mitre CVE 2006 , $
, $
, .2
$, $
$. (OSVDB)
, .3
, , Computer Associates BrightStor
ARCserve backup. BrightStor $
TCP caloggerd. $
, ,
$
. $
1 http://www.zerodayinitiative.com/advisories/ZDI-06-017.html
2 http://cwe.mitre.org/documents/vuln-trends.html#table1
3 http://www.osvdb.com/searchdb.php?text=directory+traversal
, $
, $
. $
,
. UNIX, , $
/etc/passwd.
;
2007 .
$
, ../../ ..\..\.
, $
$, $
CGI. $
, $; $
. , $
, $
$
, exec() system(), $
. $
Python:
directory = socket.recv(1024)
listing = os.system("ls /" + directory)
socket.send(listing)
$
, ,
. $
, $
. UNIX $
&&, ; |. , var/lib ; rm -rf /
ls /var/lib ; rm -rf /, ,
.
.
,
,
.
II III $
. $
,
. $
.
,
$, , $
, .
,
. $
, $
. $
, , ,
.
.
$.,
New York Daily News,
23 2002
, .
$
, ,
$
.
$, $
.
. $
, . . , $
.
, .
7.
, Windows,
,
. ;
argv, main C. $
argc . $
, , , $
. $
:
#include <stdio.h>

int main(int argc, char *argv[])
{
    int ix;
    /* print every command-line argument with its index */
    for (ix = 0; ix < argc; ix++)
        printf("argv[%d] == %s\n", ix, argv[ix]);
    return 0;
}
, . 7.1.
. 7.1.
$
. ,
. $
, . $
( ) $
, $
. ,
. command.com $
Windows. UNIX $
, sh, csh, ksh bash.
HOME, PATH, PS1 USER. $
, ,
.
, $
, $
, .
, $
getenv, $
. Windows ,
UNIX, UNIX, $
Windows setuid,
, ,
. . 7.2
. 7.2. bash
UNIX.
, bash set.
$
export. , , $
, $
.
: $
,
. ,
.
, .
$
.
, , $
, , ,
. $
, $
. $
,
.
,
. $
, , $
. 'su',
UNIX. $
, , $
,
,
$
.
C, , $
su $ :
int main(int argc,char *argv[])
{
[...]
if (argc >1)
become(argv[1]);
else
become("root");
[...]
}
,
, $
. . ,
$
? ?
.
. UNIX
, setuid
setgid.
setuid setgid ,
. setuid,
, , . set
gid, $
. , , setuid,
setgid, .
setuid
find,
UNIX .
setuid (setuid binaries) . $
, :
find / -type f -perm -4000 -o -perm -2000
find , $
,
.
, find.
, ,
/ . -type
find, . ,
, .
-perm , . $
-o find or. $
setgid setuid, true
. , $
, setuid (4), setgid (2). $
Fedora
Core 4:
[root@localhost /]# find / -type f -perm -4000 -o -perm -2000
/bin/traceroute6
/bin/traceroute
/bin/mount
/bin/su
/bin/ping6
/bin/ping
/bin/umount
/usr/bin/lppasswd
/usr/bin/gtali
/usr/bin/wall
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/glines
/usr/bin/gnibbles
, gnibbles
/usr/bin/at
...
/usr/bin/gnotravex
/usr/bin/gnobots2
/usr/bin/sudo
/usr/bin/samegnome
/usr/bin/gataxx
/usr/bin/rcp
/usr/bin/mahjongg
/usr/bin/iagno
/usr/bin/rlogin
/usr/bin/gnotski
/usr/bin/chage
/usr/bin/lockfile
/usr/bin/write
/usr/bin/gpasswd
/usr/bin/sshagent
/usr/bin/crontab
/usr/bin/gnomine
/usr/bin/sudoedit
/usr/bin/chfn
/usr/bin/slocate
/usr/bin/newgrp
/usr/bin/rsh
/usr/X11R6/bin/Xorg
/usr/lib/vte/gnomeptyhelper
/usr/libexec/openssh/sshkeysign
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/sendmail.sendmail
/usr/sbin/usernetctl
/usr/sbin/lockdev
/usr/sbin/utempter
/sbin/pam_timestamp_check
/sbin/netreport
/sbin/unix_chkpwd
/sbin/pwdb_chkpwd
UNIX
UNIX
: , .
: $
, , . $
. $
, ,
. , ,
, .
,
:
-r-x--x---  2 dude staff 2048 Jan  2  2002 File
dude. ,
. ,
, $
.
, , . $
. ,
: , $
, .
UNIX
.
, . . 0 7.
4, 2, 1.
, .
, , $
, , , 666.
dude 510:
(5) = (4) + (1), (1) = (1), $
(0), . . .
setu
id setgid. setuid 4, setgid 2. $
, setuid setgid 6,755.
, ,
, .
; ASCII,
. $
HOME
, , .
Perl, UNIX
:
HOME=`perl -e 'print "X" x 10000'` /usr/bin/target
,
HOME. , ,
, HOME. $
, ?
, ?
, $
.
, getenv
. getenv $
getenv,
.
,
.
GNU (GDB)
, . $
GDB getenv
. GDB
Solaris 10:
(08:55AM)[user@unknown:~]$ gdb -q /usr/bin/id
(no debugging symbols found)...(gdb)
(gdb) break getenv
Function "getenv" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (getenv) pending.
(gdb) commands
Type commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
>silent
>x/s $i0
>cont
>end
(gdb) r
Starting program: /usr/bin/id
[...]
Breakpoint 2 at 0xff2c4610
Pending breakpoint "getenv" resolved
(no debugging symbols found)...
0xff0a9064:      "LIBCTF_DECOMPRESSOR"
0xff0a9078:      "LIBCTF_DEBUG"
0xff24b940:      "LIBPROC_DEBUG"
0xff351940:      "LC_ALL"
0xff351948:      "LANG"
0xff3518d8:      "LC_CTYPE"
0xff3518e4:      "LC_NUMERIC"
0xff3518f0:      "LC_TIME"
0xff3518f8:      "LC_COLLATE"
0xff351904:      "LC_MONETARY"
0xff351910:      "LC_MESSAGES"
uid=100(user) gid=1(other)
, GDB,
:
break $
. , $
getenv.
commands , $
.
i0 , x/s.
SPARC i0 ,
.
,
.
run, .
11 $
, /usr/bin/id. ,
, $
, , , $
$ . $
, $eax x86, $i0 SPARC $a0 MIPS.
, , , $
.
, $
, $
. ,
getenv. $
getenv , $
getenv.
.
getenv.
environ, $
. environ , $
. ,
; , NULL, ,
:
#include <stdio.h>
#include <string.h>

extern char **environ;

char *getenv(const char *variable)
{
    int ix = 0;

    /* walk the NULL-terminated environment array looking for "variable=" */
    while (environ[ix])
    {
        if ( !strncmp(variable, environ[ix], strlen(variable)) &&
             environ[ix][strlen(variable)] == '=' )
        {
            printf("%s\n", environ[ix] + strlen(variable) + 1);
            return environ[ix] + strlen(variable) + 1;   /* value after '=' */
        }
        ix++;
    }
    return NULL;   /* variable not present */
}
(preloading) . $
, , $
. $
,
.
. $
. $
, ,
. , $
. ,
strcpy $
,
strcpy, strcpy. $
,
. $
.
getenv; $
.
getenv; $
. $
,
getenv:
#include <string.h>

#define BUFFSIZE 20000

char *getenv(const char *variable)
{
    /* static so the buffer is still valid after this function returns */
    static char buff[BUFFSIZE];
    memset(buff, 'A', BUFFSIZE);
    buff[BUFFSIZE-1] = 0x0;
    return buff;   /* every variable resolves to 19,999 'A's */
}
, $
. environ, $
.
GRL$ sharefuzz, $
$
setuid. $,
C $
($
, , ). Linux $
:
gcc -shared -fPIC -o my_getenv.so my_getenv.c
LD_PRELOAD=./my_getenv.so /usr/bin/target
/usr/bin/target, getenv
getenv.
, ,
, , $
. , . $
, $
.
, $
,
. $
.
.
. UNIX Linux, $
$ , $
128 . , $
139, SIGSEGV $
11. $ , $
132, SIGILL 4.
: 132 139,
.
, , . SIGABRT $
glibc
. ,
(dump core).
$ (heap),
.
, $
, .
, C ,
, , wait waitpid.
: fork execve $
wait waitpid . $
,
, wait waitpid.
iFUZZ, .
, $
( $
),
signal. $
API, $
, $
. UNIX
ptrace. fork ptrace execve
waitpid ptrace
, , $
, .
waitpid, ,
.
waitpid, , . $
,
. $
ptrace. , SPIKEfile
notSPIKEfile, $
. $
12 :
UNIX. , $
.
ptrace $
. UNIX setuid $
, SIGSEGV SIGILL. , $
ptrace, ,
.
, ,
.
$
, $
UNIX C. $
getenv.
,
.
$
,
, $
.
8
:
+ !
$.,
, ,
24 2004
iFUZZ ,
.
UNIX c
setuid, 7 $
. iFUZZ,
, iFUZZ
IBM
AIX 5.3.
iFUZZ
iFUZZ , $
.
;
C, ;
, .
iFUZZ , $
UNIX , $
UNIX. IRIX,
iFUZZ
FUZZSTRING , $
iFUZZ. $
, ,
, , , $
.
getopt. $
: , $
getopt, $
, $
. $
,
.
. , , , $
$
$
f. usage $
, :
$ ./sample_program
Usage:
    -f <file>   Input filename
    -o <file>   Output filename
    -v          Verbose output
    -d          Debug mode
    -s          Silent mode
, $
, getopt , , $
8. :
f:o:vds. , -f -o $
, -v, -d -s . $
? getopt:
options , +
, .
(:),
, . +
(::),
, ; GNU.
iFUZZ getopt,
. iFUZZ
, $
, ,
.
iFUZZ
.
, , ,
$ . . ;
, .
iFUZZ getenv $
. ,
, .
sharefuzz :
, $
. $
iFUZZ, .
getopt,
getopt $
. ,
C; $
. , $
$
.
getopt , $
usage.
, , $
. $
iFUZZ, $
fuzzing.org, $
.
iFUZZ :
, , .
. $
, .
, $
, argv[0]. $
,
argv[0],
, QNX,
Linux AIX. $
.
$
, $
,
. , $
$
argv[0]:
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc > 1) printf(argv[1]);   /* argv[1] is used directly as the format string */
    exit(0);
}
, $
.
,
. 1999
proftpd 1.2.0pre6
(Tymm Twillman) $
BugTraq1,
. $
$ snprintf(),
.2
1 http://seclists.org/bugtraq/1999/Sep/0328.html
2 http://en.wikipedia.org/wiki/Format_string_attack
. $
,
UNIX. $
. ,
. $
.
, iFUZZ
, ,
, $
. :
getopt.
: , $
, $
. $
. $
, .
$
getopt. ,
, , $
,
, $
. $
, ,
.
. $
, ,
, $
UNIX ,
.
case SIGABRT:
case SIGSEGV:
fprintf (stderr, "CRASH ON SIGNAL #%d\n",
WTERMSIG (status));
break;
default:
break;
}
}
}
else /* child */
{
execle ("/bin/program","program",NULL, environ);
perror ("execle");
}
[...]
Fork, Ptrace/Execute
Wait/Ptrace
, ,
, $
, $
. notSPIKEfile SPIKEfile, $
12
: UNIX:
[...]
if ( !(pid = fork ()) )
{ /* child: request tracing, then execute the target */
    ptrace (PTRACE_TRACEME, 0, NULL, NULL);
    execve (argv[0], argv, envp);
}
else
{ /* parent: monitor the child */
    c_pid = pid;
monitor:
    waitpid (pid, &status, 0);
    if ( WIFEXITED (status) )
    { /* child exited normally */
        if ( !quiet )
            printf ("Process %d exited with code %d\n",
                    pid, WEXITSTATUS (status));
        return(ERR_OK);
    }
    else if ( WIFSIGNALED (status) )
    { /* child was terminated by a signal it did not handle */
        printf ("Process %d terminated by unhandled signal %d\n",
                pid, WTERMSIG (status));
        return(ERR_OK);
    }
    else if ( WIFSTOPPED (status) )
    { /* child stopped because a signal was delivered to it */
        if ( !quiet )
            fprintf (stderr, "Process %d stopped due to signal %d (%s) ",
                     pid, WSTOPSIG (status), F_signum2ascii
                     (WSTOPSIG (status)));
    }
    switch ( WSTOPSIG (status) )
    { /* signals that usually indicate a memory-safety fault */
        case SIGILL:
        case SIGBUS:
        case SIGSEGV:
        case SIGSYS:
            printf("Program got interesting signal...\n");
            if ( (ptrace (PTRACE_CONT, pid, NULL,
                          (WSTOPSIG (status) == SIGTRAP) ? 0 :
                          WSTOPSIG (status))) == -1 )
            {
                perror("ptrace");
            }
            ptrace(PTRACE_DETACH, pid, NULL, NULL);
            fclose(fp);
            return(ERR_CRASH); /* it crashed */
    }
    /* any other signal: pass it through to the child and keep monitoring */
    if ( (ptrace (PTRACE_CONT, pid, NULL,
                  (WSTOPSIG (status) == SIGTRAP) ? 0 :
                  WSTOPSIG (status))) == -1 )
    {
        perror("ptrace");
    }
    goto monitor;
}
return(ERR_OK);
}
iFUZZ C.
, , $
, C $ ,
, , $
.
, ,
, ; , $
UNIX, , $
. , Python Ruby, $
. Perl, $
UNIX. , ,
Perl, .
, Python Perl, $
.
.
, ,
hack, , $
bash, ,
.
iFUZZ 50 $
IBM AIX 5.3,
, $
. $
argv[0]
argv[1]. $
. , ,
. $
, $
iFUZZ $
iFUZZ. (
setuid)
iFUZZ :
piomkpq -A ascii -p X -d X -D x -q LONGSTRING;
piomkpq -A ascii -p LONGSTRING -d X -D X -q.
$
,
printq, $
, .
$
getopt iFUZZ. $
getopt a:A:d:D:p:q:Q:s:r:w:v:
ls $
:
-r-sr-x---   1 root     printq     32782 Dec 31  1969 /usr/lib/lpd/pio/etc/piomkpq*
iFUZZ $
. $
LONGSTRING
20 000 , X ,
x. X $
.
, ,
, ,
; ,
iFUZZ. $
iFUZZ argv[0], argv[1] $
setuid AIX 5.3, $
,
, .
IBM, ; $
iFUZZ $
, , ,
.
, ,
iFUZZ. ,
iFUZZ. , $
iFUZZ:
, iFUZZ $
,
, $
.
, ,
, $
.
, $
, $
. ,
.
, iFUZZ, $
setuid setgid. .
,
, , , $ $
. ,
iFUZZ , $
, $
.
, , $
. $
usage $
. , $
, $
.
,
C. C
,
. $
. $
, $
,
.
,
, ,
$
.
, ,
.
9
.
$.,
$1,
4 2003
$
. , $
$. , $
$, ,
$. $
, , , $
. $, $
, $
,
. $, $
, $
, $ $
. , $$
, , $
.
?
$ $
. (
14 )
, $ $
, HTTP. $
$ $ $$
.
$,
, $
. $ $
, ,
. ,
ASP (application service provider $
).
$ $
, . $
,
. $
, $
.
, $
ASP. $
ASP,
,
. , $
$ .
, $
$, $
.
$
Microsoft Live
Microsoft $
$. $
GUI$ Microsoft Office,
2005 Microsoft
$: Windows Live Office
Live.1 Windows Live $
, Office Live $
. Microsoft $
. Live $
2002 Xbox Live $$
, Xbox.
1 http://news.com.com/2061-10805_3-6026895.html
9. <
,
.
. $
$ . $
, $ ,
$ . $
, , ,
,
. , $
$
.
. $
,
.
CGI
(Common Gateway Interface, CGI)
, $
(NCSA) $$
NCSA HTTP 1993 . CGI ,
$ ,
$.1 $
CGI , $
Perl.
PHP
(Hypertext Preprocessor, PHP2)
, $
$. , $
PHP
. PHP HTML
$, $
.
Flash
Flash FutureWave Soft$
ware, 1996 3 Macromedia.
1 http://en.wikipedia.org/wiki/Common_Gateway_Interface
2 http://www.php.net/
3 http://en.wikipedia.org/wiki/Adobe_Flash
Flash
,
.
$.
Macromedia Macromedia Flash, $
Macromedia Flash Player. Flash
, ActionScript,
. Flash $
, Macromedia Flash Remoting
Flash Player $
.1 Macromedia 2005 Adobe
Systems.2
JavaScript
Netscape JavaScript 1995 $
$.3 JavaScript $
, .
JavaScript HTML, $
$, .
JavaScript ,
$ $
. , Mi$
crosoft ASP.Net (. ), JavaScript.
Java
Java (James Gosling) Sun Mi$
crosystems. Oak $
. $
$
Java, , Oak .4
Java $
. Java
,
Java Virtual Machine, . $
Java . $
$, $
.
1 http://www.macromedia.com/software/flashremoting/
2 http://en.wikipedia.org/wiki/Macromedia
3 http://en.wikipedia.org/wiki/Javascript
4 http://en.wikipedia.org/wiki/Java_programming_language
ASP.Net
.Net , .
CLR, , Visu$
al Basic C#. Microsoft .Net 2002 $
, $
, $. Java ,
, (Common Inter$
mediate Language, CIL), $
.1 $ ASP
.Net, . ASP.Net $
.Net$ .
1 http://en.wikipedia.org/wiki/Microsoft_.Net
$ $
, ,
$ ,
. $ $
, , $
. $
,
:
$
Microsoft Outlook Web Access Cross-Site Scripting Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=261
phpBB Group phpBB Arbitrary File Disclosure Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=204
AWStats Remote Command Execution Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185
IpSwitch WhatsUp Professional 2005 (SP1) SQL Injection Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=268
Multiple Vendor Cacti Remote File Inclusion Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=265
, $$
, ,
, , $
.
$, $
.
$ $
. $
. ,
,
, $
. , $, $
, . $
, , ,
.
$
, .
: , $
$, $
. , , $
,
.
CPU$ / $
. , $
, ,
$
.
$ $
.
$ . $
, , , $
: , ,
, $.
. $
, $
, . ,
$ , $
, .
, Windows XP1
Linux, $, , $
$ $
.
(VM), VMWare2
Microsoft Virtual Machine3,
$. $$
$ VM,
. $
$. $,
, $, $
VM.
. , $
$
, , $
1 http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/iiiisin2.mspx
2 http://www.vmware.com
3 http://www.microsoft.com/windows/virtualpc/default.mspx
. , , $
, .
, $
$, $
. : $
? , $
, URL cookies, $
$? $? ,
.
, $ .
,
$, ,
. $
$ $, Microsoft Inter$
net Explorer Mozilla Firefox. $, $
$
URL . , $
$, $
. , , $$
. telnet$, $
. Telnet $
, TCP.
$
:
telnet www.fuzzing.org 80[Return]
GET / HTTP/1.1[Return]
Host: www.fuzzing.org[Return]
[Return]
. telnet$
: (fuzzing.org)
(80). Telnet TCP$ 23. $
$ ,
TCP$ 80. $
, HTTP. $
, (GET). $
.
/ $, $
. $ $
$ , .
$, HTTP
(HTTP/1.1).
, HTTP 1.0 , HTTP 1.1
. 1 ( $
Return), :
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Set-Cookie: PREF=ID=56173d883ba96ae9:TM=1136763507:LM=1136763507:S=W43uFkQu1vexoPq; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Sun, 08 Jan 2006 23:38:27 GMT

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>Google</title>
<style><!--
body,td,a,p,.h{font-family:arial,sans-serif;}
.h{font-size: 20px;}
.q{color:#0000cc;}
//-->
</style>
</head>
<body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 topmargin=3 marginheight=3>
<center>
[snip]
<a href=http://www.google.com/intl/en/about.html>About Google</a>
<span id=hp style="behavior:url(#default#homepage)"></span>
</font><p><font size=2>©2006 Google</font></p></center>
</body>
</html>
HTML$ $,
, $ $
. HTML$
$, $
, ,
URL. , , ,
, .
http://rfc.net/rfc2616.html#s14.23
, $
, HTTP$.
$? $
, $ Internet Explo$
rer. Ethereal :
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.google.com
Connection: Keep-Alive
Cookie: PREF=ID=32a1c6fa8d9e9a7a:FF=4:LD=en:NR=10:TM=1130820854:LM=1135410309:S=b9I4GWDAtclpmXBF
? HTTP $
, $
. HTTP/1.1
176$ RFC 2616 Hypertext Transfer
Protocol HTTP/1.1.1 $
, , $
:
Accept: */*
Accept , $
. , $
(*/*).
, text/html image/jpeg.
Accept-Language: en-us
Accept-Language
, . $
.
RFC 1766 Tags for the Identifi$
cation of Languages ( ).2
1 http://rfc.net/rfc2616.html
2 http://rfc.net/rfc1766.html
3 http://rfc.net/rfc1952.html
4 http://rfc.net/rfc1951.html
Host: www.google.com
, $
$. , $
$ . ,
IP$ .
Connection: Keep-Alive
Connection $
.
, . Connection: close ,
.
, , $
$
. , ,
$, $
.
, (Uniform Resource
Identifier, URI), HTTP, HTTP $
. $
:
[Method] [RequestURI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]
$ GET POST.
,
$.
$. GET $
URI . , http://www.google.com/search?as_q=security&num=10 Google $
, security (as_q=security) $
10 (num=10). $
GET URI $
?, &.
POST. $
, $
HTTP HTTP. $
, $
. HTTP
URI, $ $$
. $ 414 (URI
), URI .
POST , URI $
, .
, , $
URI Google Maps,
. ,
?
http://maps.google.com/maps?hl=en&q=1600+Pennsylvania+Ave&near=20500
, $ $
. :
HEAD. GET, $
, HTML$ $.
PUT. $.
, $
, PUT ,
. ,
Microsoft Security Bulletin
MS05-006.1 , $
Microsoft SharePoint $
PUT.2
1 http://www.microsoft.com/technet/security/Bulletin/MS05-006.mspx
2 http://support.microsoft.com/kb/887981
DELETE.
$. ,
,
, .
$.
TRACE. , $
. $
,
, . 2003
(Jeremiah Grossman) WhiteHat Security $
Cross-Site Tracing (XST)1, $
, ,
$ cookies $
, TRACE.
, TRACE
.
CONNECT. , $
.
OPTIONS. $ $
, . $
, ,
.
OPTIONS, , ,
$ $
(Internet Information Services, IIS), $
WebDAV, $
HTTP, $. $
MS03-007 (Unchecked Buffer in
Windows Component Could Cause Server Compromise $
Windows ).
OPTIONS * HTTP/1.0 , OPTIONS,
, WebDAV.3 , $
, WebDAV , $
Public:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Public: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0
1 http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
2 http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
3 http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm
,
WebDAV. , WebDAV $
Microsoft IIS 5.0, $
, MS03-007,
:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Content-Length: 0
Accept-Ranges: bytes
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private
(URI)
$ URI. URI
($), .
(, http://www.target.com/page.html)
(/page.html) . $
, $ $
. *
OPTIONS. $
. , , $
/dir/page.html?name1=value1&name2=value2
:
/[path]/[page].[extension]?[name]=[value]&[name]=[value]
$
. $ $
, $
, $ , ,
.
,
, ,
.
:
.
.
, $
../.
,
, , ,
.
. Macromedia JRun 4 Web Server
JRun 4 Updater 5 $
.1 $
, 65 536 .
$
.
.
3Coms Network Supervisor $
.2 $, $
TCP$ 21700; , Network Supervi$
sor 5.0.2 URL,
../, $
$. ,
, , , .
. $
,
.
. Microsoft IIS 4.0
, $
.htr, .stm .idc.
Microsoft
Security Bulletin MS99-019, .
. 3Com OfficeConnect
Wireless 11g Access Point , $
$ $
$ $
.4 , /main/config.bin
, , $
.
Nikto5 ,
, $$
,
$.
. , $
, ,
. $
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360
2 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=300
3 http://www.microsoft.com/technet/security/bulletin/MS99-019.mspx
4 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=188
5 http://www.cirt.net/code/nikto.shtml
$
HTTP, , HTTP $
, , , , $
. $
HTTP HTTP/1.1.
HTTP (HTTP/[major].[minor]).
.
:
[Header name]: [Header value]
, : $
, (:).
, $
. $
, HTTP, $
RFC:
RFC 1945Hypertext Transfer ProtocolHTTP/1.01
RFC 2616Hypertext Transfer ProtocolHTTP/1.12
, , $
, $
.
2006 iDefense Labs $
Novell
SUSE Linux Enterprise Server 9.3 $
POST $
ContentLength. , $
:
POST / HTTP/1.0
Content-Length: 900

[Data to overwrite the heap]
Cookies
Cookies ; HTTP,
$,
cookies. cookies :
Cookie: [Name1]=[Value1]; [Name2]=[Value2] ...
, .
, cookies ,
.
1 http://rfc.net/rfc1945.html
2 http://rfc.net/rfc2616.html
3 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=371
POST
,
$ URI GET, $
HTTP POST. :
[Name1]=[Value1]&[Name2]=[Value2]
(Greg MacManus) iDefense Labs
$, $
Linksys.1 $
, POST apply.cgi
10 000 .
$
, $
,
.
$ $
, $
, , . $
. , $
. $
.
$
:
$
$
cookies
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=305
$ $ $
. , $
$. , (
="hidden"),
. ,
,
. , $
, , .
$
/. , $
cookies, ,
HTTP $
. HTTP, $
Wireshark.1
$
, $, ,
$. $
, $ ($
$).
$, $
, $$
. $
, , . ,
, , $
. , $ wget.2 $
UNIX,
win32.3
, WebScarab.4 WebScarab, $
Open Web Application Security Project (OWASP),
$.
WebScarab $, $
. $
WebScarab, $
/ .
$,
, .
1 http://wireshark.org/
2 http://www.gnu.org/software/wget/
3 http://gnuwin32.sourceforge.net/packages/wget.htm
4 http://www.owasp.org/software/webscarab.html
$ $
, .
:
(Denial-of-service, DoS). DoS$ $
. DoS$
,
, $
, $
.
(Cross-site scripting, XSS). $
Mitre 2006 XSS 21,5% $
.1 , XSS$
$, $
. $ XSS$
, ,
$. , XSS, $
$, $
, , $
.
SQL. $
SQL , $
. Mitre 2006 ,
SQL (14%)
. $ $
$, ,
SQL,
. ,
SQL , , , $
;
.
SQL $
$
.
/ . ,
, $ $
, , , .
,
. , $
$
, .
1 http://cwe.mitre.org/documents/vuln-trends.html#table1
$ $
, $
.
.
, , $
. $
,
. $
, , $
$ :
,
.
. , HTTP $
, $
, $
$
.
cookies URI ,
, . Cookies
,
. $
cookies , $
.
. , ,
$ , $
. , $
$ , C#
Java, , $
. , $
. $
,
, C C++,
. ,
: $ $. $$
, $
.
HTTP. $$
GET POST. ,
, ,
RFC$. ,
. , $
$
, .
. $ $
.
, $
. PHP Perl
.
.
PHP$. ,
,
include() require(), PHP
, . ,
,
$ PHP. , $
, Mitre 2006 ,
9,5%.
. $
, . ,
, , $
,
, .
, ,
. $
,
, .
HTTP+. HTTP$
Sanctum Inc.
Divide and Conquer.1 ,
CRLF
. , , $
$ ,
$ $.
HTTP$ (Cross-Site Request Forgery, CSRF).
CSRF$ ; $
. ,
$ $
, $ , , $
. , $ $
$, $
. ,
.
1 http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
,
$ ,
. CSRF$ $$
$
, $
. $ $
$
.
$,
, $ $
. , , $
, $
. $
$, HTTP,
, $
. $
Web Application Secu$
rity Consortiums Threat Classification.1
$$
. $
, $ $
, $ 10 000 $
. , , ,
. , $
, $
:
HTTP. $ , $
.
10 RFC 2616 Hy$
pertext Transfer Protocol HTTP/1.1.2 $
, .
, (500) $
, $
. , 401
, , $
.
+. $ $
,
1 http://www.webappsec.org/projects/threat/
2 http://rfc.net/rfc2616.html
. $
HTML .
.
, , ,
. ,
,
.
, $
, $
.
. $ ,
. , $
, $
. , $
, . $
, ,
$ $
, .
, $
, .
.
$ , , $
,
. $
Microsoft Windows; $
Event Viewer.
. $
$
, . $
$
, $
. , $
, , $
,
, $
$
. , $
, .
$$
, ,
.
$ $$
,
$. , $
$ .
$
, $
.
; $
. $$
, ,
.
10
:
.
,
, .
$.,
, ,
13 2001
, .
.
. .
$.,
, ,
13 2002
, , $
, .
, ,
WebFuzz $.
,
. $
. $
.
,
10. < :
, $
. $?
, $$
, , WebFuzz .
$ . $
, . $
$:
SPIKE Proxy1. . SPIKE Proxy $
, Python. $
, $, $
$$ $
, SQL, $
XSS. SPIKE Proxy
, $
. SPIKE Proxy ,
. . 10.1
SPIKE Proxy.
1 http://www.immunitysec.com/resources-freesoftware.shtml
1 http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
2 http://www.spidynamics.com/products/webinspect/toolkit.html
3 http://www.codenomicon.com/products/internet/http/
4 http://www.beyondsecurity.com/BeStorm_Info.htm
, , WebFuzz $
. , ,
.
, , $
, $
. WebFuzz $
, $
. WebFuzz $
www.fuzzing.org.
,
,
HTTP, ,
.
. $ ,
. $
$. ,
(HTTP)
HTTP.
. $
.
,
.
. 10.3 WebFuzz.
:
. IP$ $ $
. $, WebFuzz
, . .
. $ TCP$$
80, TCP$. ,
$,
, ,
$.
, , WebFuzz, $
, .
+. $
, $, , $
, . ,
timeout, $
. $
,
: , ,
DoS.
(Request Headers). $
. $
, URI , $
. $
, ,
. $
, (Request
headers). ,
(point$and$click), $
, , $
. 10.3. $
(Default Headers),
$ .
. 10.3. WebFuzz
,
. ,
$
. , $
$
, (, [Overflow]).
: (static lists)
(generated variables).
, $
. $
XSS. $
, $
XSS (, <script>alert('XSS')</script>), $
.
ASCII; ,
.
,
. Overflow
. ,
, $
. . 10.4 , $
.
. 10.4.
.
$
(, $
),
,
. WebFuzz
.
,
WebFuzz
. WebFuzz , $
:
[Methods] /file.php?var1=[XSS][SQL]&var2=[Format] HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Host: [Overflow]
Proxy-Connection: Keep-Alive
WebFuzz (responses)
. ,
.
$
(raw results), HTML $. . 10.5
, . 10.6 $$
. ,
. , $
( , 500 ), $
DoS. , $ $
, $
SQL. $
.
. 10.5.
. 10.6. HTML
HTTP
,
.
,
$.
WebFuzz
HTTP, , $$
? $ ?
?
, ,
. $
, $, $
WebFuzz $
$. LiveHTTPHeaders1
HTTP $
Mozilla. . 10.7 , LiveHTTPHeaders
Firefox.
. 10.7. LiveHTTPHeaders
1 http://livehttpheaders.mozdev.org/
,
, WebFuzz, $
. $
, Tamper Data1 Firebug2 Firefox Fiddler3
Internet Explorer, LiveHTTPHeaders
.
, $ $
, $
. WebFuzz , $
, $
.
$, ,
.
.
, , HTML$
, $
Responses ().
WebFuzz
:
HTML
,
WebFuzz
$
, ,
.
HTML
, HTML $
, $
. $
, WebFuzz $
, ,
.
, .
1 https://addons.mozilla.org/firefox/966/
2 http://www.getfirebug.com/
3 http://www.fiddlertool.com
$ $
$. $
$ ,
. , $
: $
. $
$ , $
, , .
( $
) (), $
.
SQL.
,
$
,
XSS. $ $
, , , $
. , HTML$
, WebFuzz, , $
XSS.
DoS$ ,
.
, $
DoS$. $
, $
, ,
, CPU.
, ,
$
DoS$.
WebFuzz
WebFuzz $
, $ . $
, $ $
, WebFuzz , $
. ,
DoS$.
$
, , .
, . $
,
. , $
, ,
. , ,
$ $
. ,
, FileFuzz COMRaider,
. $
, WebFuzz $
. $
$, $
, ,
DoS$.
, , . $
$.
WebFuzz
$.
HTTP,
.
, $
.
,
.
WebFuzz GUI$$
. C# $
. $, C#
GUI . $, C#
. $
C# , Win$
dows. $ ,
, . ,
Windows
Windows.
,
. $
,
. ,
, , $.
TcpClient
C# WebClient,
HTTP. , $
,
.
, WebFuzz,
HTTP. C# $
HttpWebRequest HttpWebResponse.
,
, . $
WebFuzz? . $
TcpClient,
TCP$, HTTP.
$. ? $
?
, .
,
, . , $
.
HTTP, , , $$
. , , :
using System;
using System.IO;
using System.Net;

// Issue a GET to the URL with one extra header added through WebClient.
WebClient wclFuzz = new WebClient();
wclFuzz.Headers.Add("blah", "blah");
Stream data = wclFuzz.OpenRead("http://www.fuzzing.org");
StreamReader reader = new StreamReader(data);
data.Close();
reader.Close();
, $
$ WebClient.
GET (blah:
blah). , $
, , :
GET / HTTP/1.1
blah: blah
Host: www.fuzzing.org
Connection: Keep-Alive
, : Host
Connection. $ , $
. $
,
.
TcpClient WebFuzz.
.
,
WebFuzz , $
.
. , ,
, ,
, .
,
$
$. , WebFuzz
, , , , $
. ,
.
, ,
. .
WebFuzz, $
:
TcpClient client;
NetworkStream stream;
ClientState cs;
try
{
    client = new TcpClient();
    client.Connect(reqHost, Convert.ToInt32(tbxPort.Text));
    stream = client.GetStream();
    cs = new ClientState(stream, reqBytes);
}
catch (SocketException ex)
{
    MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
    return;
}
catch (System.IO.IOException ex)
{
    MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
    return;
}
IAsyncResult result = stream.BeginWrite(cs.ByteBuffer, 0,
    cs.ByteBuffer.Length, new AsyncCallback(OnWriteComplete), cs);
result.AsyncWaitHandle.WaitOne();
, $
:
try
{
    result = stream.BeginRead(cs.ByteBuffer, cs.TotalBytes,
        cs.ByteBuffer.Length - cs.TotalBytes,
        new AsyncCallback(OnReadComplete), cs);
}
catch (System.IO.IOException ex)
{
    MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
    ReadDone.Close();
    return;
}
1 http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemiofilestreamclassbeginwritetopic.asp
, $
$. Begin
Read(), , BeginWrite(),
OnReadComplete():
public void OnReadComplete(IAsyncResult ar)
{
    // arm the read timeout so a server that never closes cannot hang us
    readTimeout.Elapsed += new ElapsedEventHandler(OnTimedEvent);
    readTimeout.Interval = Convert.ToInt32(tbxTimeout.Text);
    readTimeout.Enabled = true;
    ClientState cs = (ClientState)ar.AsyncState;
    int bytesRcvd;
    try
    {
        bytesRcvd = cs.NetStream.EndRead(ar);
    }
    catch (System.IO.IOException ex)
    {
        MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
                        MessageBoxIcon.Error);
        return;
    }
    catch (System.ObjectDisposedException ex)
    {
        return;
    }
    cs.AppendResponse(Encoding.ASCII.GetString(cs.ByteBuffer,
        cs.TotalBytes, bytesRcvd));
    cs.AddToTotalBytes(bytesRcvd);
    if (bytesRcvd != 0)
    {
        // more data may follow: keep reading into the remaining buffer space
        cs.NetStream.BeginRead(cs.ByteBuffer, cs.TotalBytes,
            cs.ByteBuffer.Length - cs.TotalBytes,
            new AsyncCallback(OnReadComplete), cs);
    }
    else
    {
        // zero bytes means the server closed the connection: signal completion
        readTimeout.Enabled = false;
        if (ReadDone.Set() == false)
            ReadDone.Set();
    }
}
OnReadComplete() (readTimeout), $
ReadDone.Set(),
. ,
, $
, .
.
, . $
, . , $
BeginRead(). , .
, .
, , (Request Headers),
,
. $
, (Request)
btnRequest_Click():
if (rawRequest.Contains("[") != true || rawRequest.Contains("]") != true)
    rawRequest = "[None]" + rawRequest;
while (rawRequest.Contains("[") && rawRequest.Contains("]"))
{
    // extract the name between the first pair of brackets, e.g. SQL from [SQL]
    fuzz = rawRequest.Substring(rawRequest.IndexOf('[') + 1,
        (rawRequest.IndexOf(']') - rawRequest.IndexOf('[')) - 1);
, ,
,
. $
, , $
:
int arrayCount = 0;
int arrayEnd = 0;
Read fuzzText = null;
WebFuzz.Generate fuzzGenerate = null;
ArrayList fuzzArray = null;
string replaceString = "";
string[] fuzzVariables = { "SQL", "XSS", "Methods", "Overflow", "Traversal",
                           "Format" };
switch (fuzz)
{
    case "SQL":
        fuzzText = new Read("sqlinjection.txt");
        fuzzArray = fuzzText.readFile();
        arrayEnd = fuzzArray.Count;
        replaceString = "[SQL]";
        break;
    case "XSS":
        fuzzText = new Read("xssinjection.txt");
        fuzzArray = fuzzText.readFile();
        arrayEnd = fuzzArray.Count;
        replaceString = "[XSS]";
        break;
    case "Methods":
        fuzzText = new Read("methods.txt");
        fuzzArray = fuzzText.readFile();
        arrayEnd = fuzzArray.Count;
        replaceString = "[Methods]";
        break;
    case "Overflow":
        fuzzGenerate = new WebFuzz.Overflow(overflowFill, overflowLength,
                                            overflowMultiplier);
        fuzzArray = fuzzGenerate.buildArray();
        arrayEnd = fuzzArray.Count;
        replaceString = "[Overflow]";
        break;
    case "Traversal":
        fuzzGenerate = new WebFuzz.Overflow("../", 1, 10);
        fuzzArray = fuzzGenerate.buildArray();
        arrayEnd = fuzzArray.Count;
        replaceString = "[Traversal]";
        break;
    case "Format":
        fuzzGenerate = new WebFuzz.Overflow("%n", 1, 10);
        fuzzArray = fuzzGenerate.buildArray();
        arrayEnd = fuzzArray.Count;
        replaceString = "[Format]";
        break;
    case "None":
        ArrayList nullValueArrayList = new ArrayList();
        nullValueArrayList.Add("");
        fuzzArray = nullValueArrayList;
        arrayEnd = fuzzArray.Count;
        replaceString = "[None]";
        break;
    default:
        arrayEnd = 1;
        break;
, (SQL,
XSS (Methods)), Read() $
ASCII, $
. ( (Overflow), $
(Traversal) (Format)), , $
Generate() ,
.
, WebFuzz ,
, HTML, , $
. , ,
, , ($
) ListView. , ,
ListView, Rich$
TextBox WebBrowser:
rtbRequestRaw.Text = reqString;
rtbResponseRaw.Text = dataReceived;
wbrResponse.DocumentText = html;
string path = getPath(reqString);
lvwResponses.Items.Add(lvwResponses.Items.Count.ToString());
lvwResponses.Items[lvwResponses.Items.Count - 1].SubItems.Add(status);
lvwResponses.Items[lvwResponses.Items.Count - 1].SubItems.Add(reqHost);
lvwResponses.Items[lvwResponses.Items.Count - 1].SubItems.Add
    (requestString.Substring(0, requestString.IndexOf("\r\n")));
lvwResponses.Refresh();
requestsRaw[lvwResponses.Items.Count - 1] = reqString;
responsesRaw[lvwResponses.Items.Count - 1] = dataReceived;
responsesHtml[lvwResponses.Items.Count - 1] = html;
responsesHost[lvwResponses.Items.Count - 1] = reqHost;
responsesPath[lvwResponses.Items.Count - 1] = path;
, WebFuzz
. , $
HTTP.
www.fuzzing.org.
, , WebFuzz, $
. , .
, , $
$
, . $
,
$ $
, . , $
, , $
. ,
, $
, $
.
../, .
URL, $
$. $
, , ,
.
, $
$. , Windows $
boot.ini win.ini, ASCII, $
Windows.
Trend Micro Control Manager1,
IMAGE rptserver.asp. $
WebFuzz get$ rptserver.asp,
IMAGE [Tra
versal], win.ini.
. 10.8: ,
.
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=352
, . Ipswitch
Imail Web Calendaring1 , $
, $ $
.
,
JSP. WebFuzz (. 10.9).
GET , $
$ blah.jsp, $
, , boot.ini.
. 10.9 , , $
$, .
$, $
$
GUI, . ,
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=242
, $
. , $
. $
, ,
,
. , $
, DoS$ $
.
WebFuzz
, .
, PMSoftwares Simple Web
Server1?
GET . , ,
:
GET /[Overflow] HTTP/1.1
. 10.10. +
1 http://secunia.com/advisories/15000/
. 10.11. +
, $
Simple Web Server, ,
. 10.11.
( Simple Web Server). $
, $
. , DoS$.
? . 10.12, $
, EIP $
, .
, . $
. $
.
. 10.12. +
SQL
SQL ,
SQL
.
, .
,
SQL.
SQL $
Ipswitch Whatsup Professional (SP1)1
. $
? LiveHTTPHeaders ,
Login.asp
POST, :
POST /NmConsole/Login.asp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/NmConsole/Login.asp
Cookie: Ipswitch={A481461B-2EC6-40AE-B362-46B31959F6D1}
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

bIsJavaScriptDisabled=false&sUserName=xxx&sPassword=yyy&btnLogIn=Log+In
,
, :
POST /NmConsole/Login.asp HTTP/1.1
Host: localhost
bIsJavaScriptDisabled=false&sUserName=[SQL]&sPassword=&btnLogIn=Log+In
: There was
an error while attempting to login: Invalid user name ( +
: ).
WebFuzz , , $
. 10.13,
. ,
.
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=268
SQL. $
' or 1=11 , $
UPDATE
. $
, SQL,
; ?
Google. $, Ipswitch $
.2
, $ $
, . :
Ipswitch , . $
Ipswitch3 ,
:
osql -E -D WhatsUp -Q "UPDATE WebUser SET sPassword=DEFAULT
WHERE sUserName='Admin'"
, Ipswitch, $
,
, . ,
SQL.
, $
:
/: $$
. ?
/: SQL $
1 http://www.securiteam.com/securityreviews/5DP0N1P76E.html
2 http://www.ipswitch.com/support/whatsup_professional/guides/WhatsUp+
DBSchema.zip
3 http://support.ipswitch.com/kb/WP-20041122-DM01.htm
XSS
XSS . Mitre 2006 21,5% $
XSS, .1 slackers.org
XSS2, ,
.
$, XSS $
. $
$
.
, $
JavaScript. , , $
$ $
.
XSS $$
. SPI Dynamics $ http://zero.web+
appsecurity.com (. 10.14) WebInspect,
1 http://cwe.mitre.org/documents/vuln-trends.html#table1
2 http://sla.ckers.org/forum/read.php?3,44
$.
$. post login1.asp, $
rootlogin.asp.
XSS. , ,
txtName, Last Name:
rootlogin.asp. $
, $
XSS$.
XSS $
JavaScript ,
. ,
, $
, JavaScript
$. , XSS $
:
POST /rootlogin.asp HTTP/1.1
Host: zero.webappsecurity.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://zero.webappsecurity.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

txtPassPhrase=first&txtName=<script>alert('Does fuzzing work?')</script>&txtHidden=This+was+hidden+from+the+user
. 10.15, $
, .
, , $
.
, ,
. . .
, ,
. Java$
Script, ? ,
. , $
JavaScript, ,
. HTML? $
, , Java$
Script, XSS. HTML$
IMG .
. 10.15.
HTML$ IMG,
$$
. , , ,
, voila! , XSS. .
WebFuzz .
WebFuzz $
. $
.
xssinjection.txt:
%3Cimg+src%3D%27http%3A%2F%2Flocalhost%2Fblah%27%3E
URL$ ,
$
:
<img src='http://localhost/blah'>
?
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2007-01-31 00:57:34
WebFuzz , $
, ,
. , ,
HTTP,
, . ,
,
. $
, , $
.
Web$
Fuzz, .
, , $
. WebFuzz
$, $
, . ,
$
, . , $
,
, XSS.
, , . $
,
,
.
$ , $
. $
,
$
. WebFuzz , $
. $
WebFuzz
.
11
.
$.,
, ,
19 2000
. , $
, , $ $
. , $
, , $
. $
$
, .
2005 2006 $
,
:
$
. $
eEye, , $
Zero-Day Tracker.1 , , $
$
. $
1 http://research.eeye.com/html/alerts/zeroday/
, $
.
,
.
. $
, $ ,
, .
, $
, . ,
,
.
Microsoft
Exchange TNEF, . 11.1
.
11.1.
http://www.tippingpoint.com/security/advisories/TSRT-06-10.html
Microsoft
HLINK.DLL
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=318
CHM
Kaspersky
m3u Winamp
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=76
MIME WinZip
TNEF
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
Microsoft Exchange
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=377
11.
, $
. $
. ,
, $
. $
$: ,
.
!1
,
. , , $
, Microsoft Security
Bulletin MS06-055, Internet Explorer,
Outlook.
,
. $
, , $
: , $
. , $
,
$
.
, $
, .
.
, $
,
,
. $
, $
. $
$
, $
. $
:
1. , $
( ).
2. , .
3. , ,
.
1 http://www.clearswift.com/solutions/porn_filters.aspx
4. . $
, $
.
5. .
,
. , $
, , , $
, . ,
,
, , ,
.
,
, $
, .
, $
. , $
. $
, $
. , $
:
, 0xff. $
, $ .
,
. $
. , $
.
, $
.
, , ?
. $
, .
$
, $
, $$
.
. $,
, , , $
. ,
, Microsoft Word.
20 .
20 480 . ,
2 ,
11 , $
. 254 ?
$
, $
. $
, ,
, : $
.
,
, $
, $
$, . $
$
. ,
$
, $
$
. $
, $
.
,
, ,
$
.
, , , $
.
, , $
. , $
.
, .
$
.
, $
,
, $
. , $
,
Google , $ .
$, Wotsits Format1,
. $
, $
$
. ,
1 http://www.wotsit.org
.
,
, SPIKEfile 12
: UNIX.
$
, .
$
, $
. $
. ,
, $
,
. $
,
, ,
.
$
. WinRAR1 ,
. ,
WinRAR , $ WinRAR.
.
zip, rar, tar, gz, ace, uue .
, Win$
RAR, . $
, $
.
: . $
, , $
, ,
, , $
. ,
, , $
. , $
;
, $ $
$
.
1 http://www.rarlab.com
$
$
. :
( )
/
$
, ,
, $
.
, , $.
,
$
( ), $
null.
, , $
, $
.
,
,
, , $
. $
ClamAV.1
$
.
$
:
[...]
[1] size            = read32_from_file();
[2] allocation_size = size+1;
[3] buffer          = malloc(allocation_size);
[4] for (ix = 0; ix < size; ix++)
[5]     buffer[ix]  = read8_from_file();
[...]
1 http://idefense.com/intelligence/vulnerabilities/display.php?id=333
$
, .
32$
(0xFFFFFFFF) size, [2] allocation_size $
$ .
, . $
[4] [5] $
, size, $
, .
. $
, .
. $ $
, $
. $ $
, , ,
.
, , ,
.
, , $
.
:
[0] #define MAX_ITEMS 512
[...]
[1] char buff[MAX_ITEMS];
[2] int size;
[...]
[3] size = read32_from_file();
[4] if (size > MAX_ITEMS)
[5]     { printf("Too many items\n"); return 1; }
[6] readx_from_file(size, buff);
[...]
/* readx_from_file: read 'size' bytes from file into buff */
[7] void readx_from_file(unsigned int size, char *buff)
{
[...]
}
,
, [4]
( [1]), MAX_ITEMS (
[0]) , , , 1
512. ,
[7],
. 1, ,
42949672954294967295. , $
, ,
readx_from_file, $
.
, $
. . $
. $
. $ $
, . $
, $
. , $
, The Shellcoder's
Handbook: Discovering and Exploiting Security Holes (
$: $
).1
$
. $
$
, $
WMF Microsoft, MS06-001.2
. $
, ,
, $
.
, $
, ,
. , $
,
, US$CERT, $
1 ISBN-10: 0764544683.
2 http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
$
%n.1
, , $
, , $
. $
Adobe2 RealNetworks3. $
,
, , $
. , $
, , $
, .
, $
,
.
.
,
Microsoft Internet Explorer.
, $ , Internet Explorer $
,
, , .
$
. $
, ,
, $
. , , $
. $
:
. $
Microsoft Windows, $
Event Viewer. ,
, $
, $
.
1 https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/guidelines/340.html
2 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=163
3 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=311
(). $
. $
, $
, $
. $
$
24
.
. $
, $
, , $
.
, UNIX ,
.
. $
. , $
, , $
, , , , $
,
.
, $
.
$
$
PyDbg Microsoft Windows, $
PaiMei.1
, $
, , $
, $
, , . $
. , $
8$ 42$
, 8$42. $
. ,
, . $
.
1 http://www.openrce.org/downloads/details/208
, .
, $ $
, .
$
TCP/IP,
$
.
, , , $
$
,
.
12
:
UNIX
.
, , .
.
$.,
. .
Bush at War ( )
$
, $ ,
, $
. ,
. HTML, $
Microsoft Internet Explorer, , $
, $
. , $
UNIX, ,
.
,
notSPIKEfile SPIKEfile, $
.
, .
, $
,
. UNIX, $
notSPIKEfile SPIKEfile
$. $
.
notSPIKEfile SPIKEfile
,
UNIX, SPIKEfile notSPIKEfile.
, SPIKE,
SPIKE.1
:
, $
.
, $
, .
$
ASCII.
, $
,
.
?
notSPIKEfile SPIKEfile ,
. $
:
. $
x86 Linux ptrace,
. ,
$
.
.
, $
$
.
, , $
. $
,
.
.
1 http://www.immunityinc.com/resources-freesoftware.shtml
12. : UNIX
, $
, , .
Linux. $
, ,
.
.
,
$
. ? .
, .
, , ,
.
, , $
. , $
UNIX system , . $
$
, . $
, ,
, $
, ,
,
, $
.
, ,
:
(LIBC) , $
open, creat, system
. .
ptrace.
, $
, ,
, ,
. $
, $
, $
ptrace.
( )
, .
, $
. $
,
. , , $
. $
ptrace. $
, . $
x86. libdisasm1, $
, , $
, Google, $
. , libdisasm
, ,
.
, $
, $
. , $
notSPIKEfile, SPIKE$
file, SPIKEfile
SPIKE. ,
.
, , , SPIKEfile
, SPIKE.
, SPIKE,
. SPIKE
, .
notSPIKEfile . $
.
$
.
: .
,
. $
, , . $
,
1 http://bastard.sourceforge.net/libdisasm.html
, ,
URL , $
. $
, SPIKE notSPIKEfile,
. 12.1,
$
. ,
, $
.
12.1.
"A"x10000
"%n%n"x5000
. $
$
HTTP:// + "A"x10000
URL.
URL
.
$
0x20000000,0x40000000,
0x80000000,0xffffffff
,
. $
. , mal
loc(user_count*sizeof (struct blah));. $
, $
$
, $
"../"x5000 + "AAAA"
URL
, . , ,
, $
,
.
, , , $
.html .
SPIKEfile notSPIKEfile.
$
, . , $
, forking off $
. $
:
[...]
if ( !(pid = fork ()) )
{ /* child: request tracing by the parent, then execute the target */
    ptrace (PTRACE_TRACEME, 0, NULL, NULL);
    execve (argv[0], argv, envp);
}
else
{ /* parent: monitor the child until it exits or crashes */
    c_pid = pid;
monitor:
    waitpid (pid, &status, 0);
    if ( WIFEXITED (status) )
    { /* child exited normally */
        if ( !quiet )
            printf ("Process %d exited with code %d\n",
                    pid, WEXITSTATUS (status));
        return(ERR_OK);
    }
    else if ( WIFSIGNALED (status) )
    { /* child was terminated by a signal it did not handle */
        printf ("Process %d terminated by unhandled signal %d\n",
                pid, WTERMSIG (status));
        return(ERR_OK);
    }
    else if ( WIFSTOPPED (status) )
    { /* child was stopped by a signal; reported to us because it is traced */
        if ( !quiet )
            fprintf (stderr, "Process %d stopped due to signal %d (%s) ",
                     pid, WSTOPSIG (status), F_signum2ascii (WSTOPSIG (status)));
    }
    switch ( WSTOPSIG (status) )
    { /* signals that indicate a crash worth recording */
    case SIGILL:
    case SIGBUS:
    case SIGSEGV:
    case SIGSYS:
        printf("Program got interesting signal\n");
        /* deliver the signal to the child so it dies as it would untraced;
           the initial SIGTRAP from PTRACE_TRACEME is suppressed (0) */
        if ( (ptrace (PTRACE_CONT, pid, NULL, (WSTOPSIG (status)
                      == SIGTRAP) ? 0 : WSTOPSIG (status))) == -1 )
        {
            perror("ptrace");
        }
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        fclose(fp);
        return(ERR_CRASH); /* it crashed */
    }
    /* any other stop: pass the signal through and keep monitoring */
    if ( (ptrace (PTRACE_CONT, pid, NULL, (WSTOPSIG (status) == SIGTRAP)
                  ? 0 : WSTOPSIG (status))) == -1 )
    {
        perror("ptrace");
    }
    goto monitor;
}
return(ERR_OK);
}
, , $
. , , $
ptrace , $
, PTRA
CE_TRACEME. , ,
, ,
, $
$ .
, , $
, , $
PTRACE_TRACEME. $
,
. , $
. , $
. $
.
, , ,
, $
. $
, $
, ,
. $
, , $
.
, $
. : ,
?, .
? , $
,
, , $
, $ $
. , $
.
$
$
. $
, .
,
GLIBC. $
, $
.1
, $
, ,
, .
UNIX , .
UNIX
. 12.2 , $
, $
, .
12.2. UNIX
SIGSEGV
. $
SIGILL
.
; . $
, $
$
SIGSYS
.
,
($ ). $
, SIGILL
SIGBUS
. $ $
. $
.
RISC . $
RISC $
SIGBUS
SIGABRT
. $
, GLIBC
1 http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt
UNIX
. 12.2, . 12.3 ,
, , , $
.
12.3. UNIX
SIGCHLD
SIGKILL, SIGTERM
SIGFPE
, $
SIGALRM
, SIGCHLD, ,
, $
. $
, $ $
, $ .
$ ,
(. . ), ,
, wait
waitpid. $
,
. ,
. $
, , . 12.1.
, $
fork, , $
,
wait waitpid. , $
$.
notSPIKEfile $
,
,
. , ,
, $
8 .
. $ ,
.
SIGCHLD,
[Figure 12.1 diagram: fork(), Parent(), Child(), wait(&status), Code(), exit(0)]
,
,
. 12.1.
.
SIGCHLD .
$
, $
. !
. wait
waitpid, , $
WHOHANG.
, , $
.
.
SPIKEfile $
, $
. $
SIGCHLD, .
SPIKEfile SPIKE, $
$ ,
, . , SPIKE
TCP/IP,
.
filestuff.c:
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include "filestuff.h"
#include "spike.h"

extern struct spike *current_spike;

/* create (or truncate) the output file and remember its descriptor */
int
spike_fileopen (const char *file)
{
    int fd;
    if ((fd =
         open (file, O_CREAT | O_TRUNC | O_WRONLY,
               S_IRWXU | S_IRWXG | S_IRWXO)) == -1)
        perror ("fileopen::open");
    current_spike->proto = 69; /* 69==file, 0-68 are reserved by
                                  the ISO fuzzing standard */
    return current_spike->fd = fd;
}

/* write one fuzzed buffer to the open file */
int
spike_filewrite (uint32 size, unsigned char *inbuffer)
{
    if (write (current_spike->fd, inbuffer, size) != size)
    {
        perror ("filewrite::write");
        return -1;
    }
    return 1;
}

void
spike_close_file ()
{
    if (current_spike->fd != -1)
    {
        close (current_spike->fd);
        current_spike->fd = -1;
    }
}
Makefile, , SPIKE, $
. , $
SPIKE, . 12.4.
12.4. , SPIKE
SPIKEfile
filestuff.c
util.c
notSPIKEfile
SPIKEfile . ptrace,
F_execmon
generic_file_fuzz.c
SPIKEfile. main
include/filestuff.h
filestuff.c
Libdisasm
, x86
$
SPIKEfile notSPIKEfile $
, , $
. Adobe Acrobat Reader RealNetworks RealPlayer .
, ,
, . $
,
.
, $
.
. $
, $
. , $
, $
, $
.
, .
, Acrobat Reader RealPlayer.
.
Adobe Acrobat
Acrobat acroread, DEBUG. $
, $
acroread,
$PREFIX/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread.
$
, ,
acroread. .
notSPIKEfile $
UnixAppOpenFilePerform $
Adobe Acrobat Reader.1
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=279
RealNetworks RealPlayer
, realplay
. ,
realplay.bin.
user@host RealPlayer $ file realplay realplay.bin
realplay: Bourne shell script text executable
realplay.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
RealPlayer $
HELIX_PATH RealPlayer.
realplay.bin, RealPlayer. $
realplay.
notSPIKEfile $
RealPix RealNetworks RealPlayer/HelixPlayer.1
:
RealPix
RealPlayer
, notSPIKEfile
RealPlayer,
2005 . ,
RealPlayer. , , $
RealPix. Google
RealPix, $
$
notSPIKEfile. :
<imfl>
<head title="RealPix(tm) Sample Effects"
author="Jay Slagle"
copyright="(c)1998 RealNetworks, Inc."
timeformat="dd:hh:mm:ss.xyz"
duration="46"
bitrate="12000"
width="256"
height="256"
url="http://www.real.com"
aspect="true"/>
</imfl>
1 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=311
2 http://service.real.com/help/library/guides/realpix/htmfiles/tags.htm
RealPix
RealPlayer. $
RealPlayer, , $
. notSPIKEfile .
, :
user@host $ export HELIX_PATH=/opt/RealPlayer/
user@host $ ./notSPIKEfile -t 3 -d 1 -m 3 -r 0 -S -s SIGKILL -o FUZZY sample1.rp sample1.rp "/opt/RealPlay/realplay.bin %FILENAME%"
[...]
user@host $
t $
RealPlayer 3 . d $
1 $
. $
realplayer m, $
r ,
.
s SIGKILL
s.
, , $
, $
, sample1.rp, , $
RealPlayer, . $
! , ,
, $ .
, $
FUZZY-sample1.rp-0x28ab156b-dump.txt. $
,
.
, .
12288-FUZZY-sample1.rp.
.
, ,
. :
<imfl>
<head title="RealPix(tm) Sample Effects"
author="Jay Slagle"
copyright="(c)1998 RealNetworks, Inc."
timeformat="%n%n%n%n%n%n%n%n%n%n%n%ndd:hh:mm:ss.xyz"
duration="46"
bitrate="12000"
width="256"
height="256"
url="http://www.real.com"
aspect="true"/>
</imfl>
%n, ,
. $
, RealPlayer GDB:
user@host ~/notSPIKEfile $ gdb -q /opt/RealPlayer/realplay.bin
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r 12288-FUZZY-sample1.rp
Starting program: /opt/RealPlayer/realplay.bin 12288-FUZZY-sample1.rp
Program received signal SIGSEGV, Segmentation fault.
0xb7e53e67 in vfprintf () from /lib/tls/libc.so.6
(gdb) x/i $pc
0xb7e53e67 <vfprintf+13719>: mov %ecx,(%eax)
RealPlayer timeformat.
.
. $, Linux, , $
.
Linux , , , $
, Linux . $
, ptrace
, $
.
, ,
SPIKE . $ $
SPIKE, $ , $
, ,
,
$
.
. $
$ , ,
, .
13
:
Windows
,
,
.
$.,
, ,
28 2005
UNIX. $
$
Windows. , $
, . $$
, Windows $
, ,
, ,
$. $ ,
;
Windows, , Windows
. $
.
Windows
$
,
.
.
,
. $
, $
.
$
, $
,
. , $
. $
, $
, .
.
$
,
. $
.
, , $
. $
.
$ , $
. ,
, $
. ?
$
? ,
. ,
Lynx?
, ,
.
Windows $
$ , .
,
.
, .
,
, .
, $
, Windows
.
Windows
. $
, Microsoft Windows.
FileFuzz $
. FileFuzz
. $,
. $,
, $
, . $, $
, , ,
. $
, $
Microsoft .NET. $
C#, $
, , C. . 13.1 $
.
. 13.1. FileFuzz
,
Microsoft Windows
MS04-028. JPEG (GDI+)
.
2004 Microsoft
, $
, ,
GDI+
JPEG,
. JPEG
0xFFFE,
.
2 , $
2 , . $
, , ,
$
. $
Windows, GDI+ (gdiplus.dll) $
. $
$
.
MS05-009 PNG
.
, , Microsoft, $
, $
PNG ( $
), tRNS, $
.
Windows Messenger MSN Messenger , Microsoft
,
.
MS06-001.
.
2005 $
, WMF ($
Windows), , $
Internet Explorer .
$ Microsoft $
2006 . $
, .
WMF , $
GDI ($
) Windows. , Es
cape, SETABORTPROC $
. , $
$4000.1
Excel, eBay.
8 2005 fearwall eBay
, $
Microsoft Excel.2 ,
eBay , , $
3, $
.
1 http://www.securityfocus.com/brief/126
2 http://www.osvdb.org/blog/?p=71
3 http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerability_auction/
FileFuzz
, ,
. , FileFuzz $
, , $
, $
. , , .
FileFuzz ,
.
FileFuzz .
: , , $
, $
. $
$
. ,
$
$. , $
, $
, .
,
.
.
FileFuzz .
, , $
$
, ,
.
, .
FileFuzz
( , , ),
:
;
;
;
;
;
ASCII;
.
, FileFuzz
, ASCII.
: .
, $
. $
, $
. ,
, $
, . , , , $
.
, , $
, ,
.
. $
$
,
. , $
, ,
$ .
, .
, $
, ,
, $
. .
, , ,
, ,
$ . $
.
,
, $
.
, ,
. $
,
. $
$
, , $
,
.
FileFuzz ASCII: $
, $
, , $
, ,
. $
, ,
. . ASCII $
*.ini :
name = value
, . , $
A, 10.
Find
=, . $
Replace 1010. 10 $
,
=. 10 10 100 $
A .
. ,
*.doc, $
Microsoft Word. FileFuzz
CreateProcess() Windows,
FileFuzz ,
, $
, ,
. $
.
, .
$
, . $
,
, $
.
Execute , $
,
.
, $
. ,
, , ,
, , 10 $
? ,
.
,
.
,
, , . $
, ? . $
$ , ,
, $ .
, $
,
Windows Event Viewer. ,
( ) $
( ).
,
.
, $
$
. , $
,
. Windows $
. ,
,
, $
.
,
. $
, $
$
. , . $
$
.
, $
.
, $
, .
FileFuzz crash.exe, , $
,
, . $
, , $
FileFuzz , $
crash.exe .
FileFuzz : $
$
.
, $
. $
, $
File Types .
$
, .
, $
targets.xml.
:
<test>
<name>jpg iexplore.exe</name>
<file>
<fileName>JPG</fileName>
<fileDescription>JPEG Image</fileDescription>
</file>
<source>
<sourceFile>gradient.jpg</sourceFile>
<sourceDir>C:\WINDOWS\Help\Tours\htmlTour\</sourceDir>
</source>
<app>
<appName>iexplore.exe</appName>
<appDescription>Internet Explorer</appDescription>
<appAction>open</appAction>
<appLaunch>"C:\Program Files\Internet Explorer\iexplore.exe"</appLaunch>
<appFlags>{0}</appFlags>
</app>
<target>
<targetDir>c:\fuzz\jpg\</targetDir>
</target>
</test>
$
. FileFuzz $
, ,
$
. $
$
.
XML : $
$
, . , $
,
, . $
.
XML.
XML .
, <test>.
$
$
. $
, $
, . $
,
. ,
, , ,
.
Windows UNIX ,
Windows
, .
, , $
, $
,
.
Microsoft Windows $
. $
, $
.
. , $
, $
$ ,
,
, $
. , , $
JPEG. $
, ,
, , $
$
. Windows XP , $
JPEG, Windows Picture and Fax Viewer. $
, , Windows Picture and Fax Viewer,
, $
, , $
Download.com. ?
Windows , $
.
Windows
,
Windows? $
, $
. , $
, ,
. $
, $
.
, $
.
Windows Explorer $
, , $
, . Win$
dows Explorer, , JPEG
Windows Picture and Fax Viewer. , $
, JPEG$
FileFuzz .
Windows Explorer. .
. 13.2 , .
. $
$
, . $
, $
. 13.2.
, , $
:
. ,
,
,
.
, $
JPEG, , $
$
. , $
.
Windows $
.
$
. $
, Windows JPEG,
.
. 13.3, ,
.
. 13.3.
$! Windows , $
. , ,
. 13.4, , Windows Picture and Fax Viewer
. $
(DLL), $
rundll32.exe.
Windows Picture and Fax Viewer :
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1
. 13.4.
Windows
90 100
Windows Explorer,
, ,
Windows Explorer. , ,
*.cbo. CBO Microsoft Interactive
Training, Windows XP, $
, Dell. $
, Microsoft Interactive Training,
, CBO $
Windows Explorer, Windows Explorer $
CBO
Microsoft Interactive Training . $
?
, Windows Explorer? $
Windows. $
\HKEY_CLASSES_ROOT\.xxx, xxx
. $
, .
HKEY_CLASSES_ROOT\,
. \shell\open\com$
mand , $
, $
.
, $
Windows, $
. , $
FileFuzz,
FileFuzz
GDI+ JPEG,
Microsoft MS04-028.
FileFuzz,
, $
, $
. ,
, , $
. $
,
Windows, $
.
, $
.NET.
, , $
. $
C#. C,
$ $
Windows. .NET $
, $
, , $
.NET.
, FileFuzz. $
. ,
.
FileFuzz,
www.fuzzing.org.
, FileFuzz $
Windows, , $
ASCII. Read.cs $
, write.cs $
.
FileFuzz , $
.
. , .NET $
. $
ASCII. BinaryReader $
.
ASCII , $
StreamReader. , , $
, , $
. Read:
private BinaryReader brSourceFile;
private StreamReader arSourceFile;
public byte [] sourceArray;
public string sourceString;
private int sourceCount;
private string sourceFile;
public Read(string fileName)
{
sourceFile = fileName;
sourceArray = null;
sourceString = null;
sourceCount = 0;
}
sourceArray $
, , sourceString
ASCII.
, $
. , FileFuzz $
,
:
;
;
;
.
Write,
.
BinaryWriter , $
. ASCII, $
, StreamWriter $
.
, $
, Main.cs, $
. , ,
, , ,
,
, , ,
. crash.exe $
.
Process.
executeApp() , $
.
,
, . ,
, crash.exe, , $
, crash.exe, $
, . $
crash.exe, $
crash.exe
rtbLog, $
FileFuzz:
Process proc = new Process();
public Execute(int startFileInput, int finishFileInput, string
    targetDirectoryInput, string fileExtensionInput, int applicationTimerInput,
    string executeAppNameInput, string executeAppArgsInput)
{
    startFile = startFileInput;
    finishFile = finishFileInput;
    targetDirectory = targetDirectoryInput;
    fileExtension = fileExtensionInput;
    applicationTimer = applicationTimerInput;
    executeAppName = executeAppNameInput;
    executeAppArgs = executeAppArgsInput;
    procCount = startFile;
}
public void executeApp()
{
    bool exceptionFound = false;
    //Initialize progress bar
    if (this.pbrStart != null)
    {
        this.pbrStart(startFile, finishFile);
    }
    while (procCount <= finishFile)
    {
        //Launch each fuzzed file through crash.exe, which runs the target as a debuggee
        proc.StartInfo.CreateNoWindow = true;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.StartInfo.RedirectStandardError = true;
        proc.StartInfo.FileName = "crash.exe";
        proc.StartInfo.Arguments = executeAppName + " " + applicationTimer + " " +
            String.Format(executeAppArgs, @targetDirectory + procCount.ToString() +
            fileExtension);
        proc.Start();
        //Update progress bar
        if (this.pbrUpdate != null)
        {
            this.pbrUpdate(procCount);
        }
        //Update counter
        if (this.tbxUpdate != null)
        {
            this.tbxUpdate(procCount);
        }
        proc.WaitForExit();
        //Write std output to rich text box log when crash.exe reported an exception
        if (this.rtbLog != null && (proc.ExitCode == -1 || proc.ExitCode == 1))
        {
            this.rtbLog(proc.StandardOutput.ReadToEnd());
            this.rtbLog(proc.StandardError.ReadToEnd());
            exceptionFound = true;
        }
        procCount++;
    }
    //Clear the progress bar
    if (this.pbrStart != null)
    {
        this.pbrStart(0, 0);
    }
    //Clear the counter
    if (this.tbxUpdate != null)
    {
        this.tbxUpdate(0);
    }
    if (exceptionFound == false)
        this.rtbLog("No exceptions found\n\n");
    exceptionFound = false;
}
, FileFuzz
crash.exe, , C, $
, Windows. libdasm, ,
.
, ,
, crash.exe
. FileFuzz
, ,
, , $
, $
. $
, $
$
.
CreateProcess DEBUG_PROCESS:
if (argc < 4)
{
fprintf(stderr, "[!] Usage: crash <path to app> <milliseconds> <arg1>
[arg2 arg3 argn]\n\n");
return 1;
}
// convert wait time from string to integer.
if ((wait_time = atoi(argv[2])) == 0)
{
fprintf(stderr, "[!] Milliseconds argument unrecognized: %s\n\n", argv[2]);
return 1;
}
// create the command line string for the call to CreateProcess().
strcpy(command_line, argv[1]);
for (i = 3; i < argc; i++)
{
strcat(command_line, " ");
strcat(command_line, argv[i]);
}
//
// launch the target process.
//
ret = CreateProcess(NULL,
command_line,
NULL,
NULL,
FALSE,
DEBUG_PROCESS,
NULL,
NULL,
&si,
&pi);
crash.exe
. ,
, , $
. , $
. $
,
: , $
. $
, ,
. $
libdasm, , $
, $
:
while (GetTickCount() - start_time < wait_time)
{
if (WaitForDebugEvent(&dbg, 100))
{
// we are only interested in debug events.
if (dbg.dwDebugEventCode != EXCEPTION_DEBUG_EVENT)
{
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
continue;
}
// get a handle to the offending thread.
if ((thread = OpenThread(THREAD_ALL_ACCESS, FALSE,
dbg.dwThreadId)) == NULL)
{
fprintf(stderr, "[!] OpenThread() failed: %d\n\n", GetLastError());
return 1;
}
context.Edi, context.Esp, context.Ebp);
return 1;
}
}
}
, crash.exe,
$
. ,
$
. ,
, $
, , $
$
, $
, .
, ,
, $
. $
Microsoft MS04-028 $
JPEG (GDI+) .1 $
, ,
.
$
, ,
. $
, $
, $
, .
gdiplus.dll, $
, Microsoft Office, Internet Explorer Windows Explorer. JPEG $
, .
0xFFFE,
16$ , $
.
FileFuzz ? .
, $
. , ,
1 http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx
Windows.
Windows XP SP1.
11. ? ,
. $
, , $
, . $
631 $
. fuzz, $
:
0000009eh: FF FE 00 06 66 75 7A 7A ; p..fuzz
Breakdown:
FF FE         Comment preface
00 06         Length of comments in bytes
66 75 7A 7A   ASCII value of fuzz
, ,
Windows XP
JPEG. ,
, Windows Picture and Fax Viewer
JPEG (. 13.5):
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1
FileFuzz .
FileFuzz JPEG, $
File Type,
FileFuzz,
.
Create
JPEG,
JPEG ,
. Create
:
. C:\Program Files\FileFuzz\Attack\test.jpg. $
JPEG.
. C:\fuzz\jpg\. ,
.
(), . 00 x 2.
1 ,
, 0x00
1 http://www.securityfocus.com/archive/1/375204
0x01. ,
2 . $
, ,
0x0000, ,
.
. = 150170.
160.
150 170.
. 13.5.
, Create $
. Execute.
FileFuzz, Windows Picture and Fax Viewer. Execute
:
, . Execute, , Windows
Picture and Fax Viewer .
21 , 21 $
. , , FileFuzz $
. $
, 160.jpg, $
. ,
160 JPEG,
160.jpg 0x0000:
[*] "crash.exe" rundll32.exe 2000
C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen c:\fuzz\jpg\160.jpg
[*] Access Violation
[*] Exception caught at 70e15599 rep movsd
[*] EAX:fffffffe EBX:00904560 ECX:3ffffe3c EDX:fffffffe
[*] ESI:0090b07e EDI:0090c000 ESP:00aaf428 EBP:00aaf43400
FileFuzz
.
,
, $
. ,
.
.
. , $
,
(,
0xFFFFFFFF). ,
. $
, , . $
, : $
,
, $
.
FileFuzz , $
,
. , $
. , $
Create Intelligent ( ) $
Create,
Create Brute Force ( ). $
; $
$
, $
. $
,
, , $
. , , $
$
, FileFuzz, , $
.
$
,
. $
, crash.exe, $
, $
,
, . $
, ,
.
, .
. .
Microsoft. $
Office, $
. , Microsoft
, $
, $
. , $
$
$
, $
.
14
?
. ?
$.,
,
$, ,
8 2004
,
setuid $
UNIX. , $
, .
$
, $
. ,
, $
$, , , .
, Microsoft Internet Explorer, $
, . $
, $
.
, .
,
. ,
,
$ , $
,
. $
,
, .
.
?
, $
, $
,
. , ,
$ $
, .
, $ .
,
$
$ DB9 .
Microsoft
,
, .
,
Y2K , .
Microsoft,
$
.
. $
$
,
.
,
Microsoft, , $
. ,
,
2002 Trustworthy Computing Initiative1,
Microsoft $
.
1 http://www.microsoft.com/mscorp/twc/2007review.mspx
,
Microsoft,
.
.
1 http://research.eeye.com/html/advisories/published/AD20010618.html
2 http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
3 http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx
4 http://en.wikipedia.org/wiki/SQL_slammer_worm
5 http://en.wikipedia.org/wiki/Blaster_worm
6 http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
7 http://weblog.infoworld.com/techwatch/archives/001035.html
. ,
.
, SPIKE1 ProtoFuzz,
16 : $
Windows. SPIKE , $
. $
, $
. ircfuzz2, dhcpfuzz3
Infigo FTPStress Fuzzer4. , $
, .
,
. $
, ,
21 . ,
.
, $
. . 14.1
, .
. $
, , ,
.
, , $$
, . . ,
, .
, $
, Open Systems Interconnection
Basic Reference Model ( OSI)5 (. 14.1). $
, $
,
, $
. ,
. $
, , .
1 http://www.immunitysec.com/resources-freesoftware.shtml
2 http://www.digitaldwarf.be/products/ircfuzz.c
3 http://www.digitaldwarf.be/products/dhcpfuzz.pl
4 http://www.infigo.hr/en/in_focus/tools
5 http://en.wikipedia.org/wiki/Osi_model
$
, .
14.1.
Sendmail                        http://xforce.iss.net/xforce/alerts/id/216
MySQL                           http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
RPC DCOM                        http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
OpenSSH                         http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
RealServer ../ DESCRIBE         http://www.service.real.com/help/faq/security/rootexploit082203.html
CA BrightStor ARCserve Backup   http://www.zerodayinitiative.com/advisories/ZDI-07-003.html
. 14.1. OSI
2:
(data link
layer) Ethernet 802.11. 2 $
,
. $
2 Mitre, CVE-2006-3507.1 $
AirPort Mac OS $ $
. $
, , $
. $
:
, . $
$
Mac OS ,
.
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3507
2 http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html
3:
3, , IP Internet Control Message
Protocol (ICMP). TCP/
IP ,
. ,
Windows Vista , $
, . $
TCP/IP MS06-032 Vulnerability in
TCP/IP Could Allow Remote Code Execution ( TCP/IP $
).1
$ IP
4. ,
.
4:
4, : , $
TCP UDP. ,
TCP/IP ,
.
winnuke$, out$of$band TCP$
.2 winnuke$ , , $
DoS$ . $
, $
TCP$ TCP$.
API, ,
.
5:
, 5 OSI,
,
. , DCE/RPC (MSRPC Microsoft)
ONC RPC, Sun RPC.
Windows UNIX . $
.
Microsoft Security Bulletin MS04$0113,
Sasser4. $
lsass.exe, $
RPC, $
1 http://www.microsoft.com/technet/security/Bulletin/MS06-032.mspx
2 http://support.microsoft.com/default.aspx?scid=kb;[LN];168747
3 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
4 http://en.wikipedia.org/wiki/Sasser_worm
Windows. , $
$ DsRolerUpgradeDownlevelServer .
6:
6, $
, XDR, eXternal Data Representation (
), Sun RPC. $
XDR , ,
xdr_array, $
(Neel Mehta).1 $
.
, ,
.
.
7:
7, , ,
OSI. $
, FTP, SMTP, HTTP,
DNS . $
,
. ,
.
7,
, $
, $
.
$
, 11 . $
, , ,
, $
.
.
,
,
, $
. $ $
1 http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
$. $
, $
, .
$
. , , , .
, , , $
. $
, $
.
, $
, $
. $
, $ $
, $ .
. $
, , $
, ,
.
,
, $
.
.
, . $
, .
,
FTP, $
. , $
(USER, PASS, CWD . .), $
.
$
PEACH1 . $
,
. $
,
, .
,
, , $
, , . $
, , , $
, $
http://peachfuzz.sourceforge.net/
.
,
, , , ,
. , ,
, , $
, . $
, ,
$
.
,
. $
? , $
. , $
( ).
,
, ,
. ,
.
, $
, .
OpenSSH$ sshutuptheo1, GOBBLES,
$
SSH$.
,
SSH. ,
. , $
SSH 1, 2 SSH
. , ,
,
.
, $
$ 24
.
, $
, $
. $
1 http://online.securityfocus.com/data/vulnerabilities/exploits/sshutuptheo.tar.gz
$. , $
,
. ,
.
, , $
. ,
$.
, , , $
$
.
, , , $
, $.
,
$. $
$.
( )
$
.
, .
Ollydbg, Windbg, IDA GDB.
, $
.
( )
, .
,
, $
. .
.
.
, $
. 24.
, $
. $
$
. ,
, .
, $
, $
. , $
, , $
DoS. : $
, $
.
,
,
. , $
, $
, , $
. ,
, $
, . $
,
, .
15
:
UNIX
, , .
$.,
,
Dallas Morning News,
10 2000
Microsoft Windows, UNIX $ $
. $ Apache, ,
UNIX, 30 Microsoft IIS NetCraft.1
UNIX
.
UNIX DNS, $. ,
, , BIND (Berkeley Internet Name
Domain) DNS$, $
$. ,
, ,
, .
UNIX
. $
http://news.netcraft.com/archives/2007/02/23/march_2007_web_server_survey.html
SPIKE
, SPIKE,
, $
. $
, $
$
SPIKE.
SPIKE
SPIKE
, : , $
$,
.
:
$ .
$ ,
$.
$ ,
, .
, Novell NetMail1, , $
. , NetMail Networked Messaging Application Protocol (NMAP). NMAP
Nmap2, $
. NetMail NMAP? $
, , , Novell $
.
NMAP Networked Messaging Application
Protocol ( ).
IP$, IANA 689, $
NIMS$.
NDS eDirectory NIMS$, $
,
, . $
$
NMAP $
1 http://www.novell.com/products/netmail/
2 http://insecure.org/nmap/
. NMAP
RFC NIMS.1
NMAP Novell
TCP.
. , $
.
$
, . $
, , $
, , ,
, .
Novell 90$ NetMail $$
2, $
. $
, Novell.
, , $
( $ ). $
, $
. NMAP.
NMAP SPIKE, , ,
. $
. ,
NMAP . $
, .
,
.
. Google , $
. , $
Wireshark ($
Ethereal). Wireshark Subversion, $
epan\dissectors3, , .
, ,
NMAP , , $
$ . $
, $
. , , NMAP $
TCP$ 689,
1 http://support.novell.com/techcenter/articles/ana20000303.html
2 http://download.novell.com/index.jsp
3 http://anonsvn.wireshark.org/wireshark/trunk/
. 15.1. nmapd.exe
1 http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
2 http://www.vulnwatch.org/netcat/
,
.
$
, :
<argument>. . ,
.
[argument]. .
{CONSTANT1|CONSTANT2|CONSTANT3}. ; $
. $
|.
,
.
. $
. , PASS :
PASS {SYS | USER <Username>} <Password>
, $
SYS USER. Username $
USER, , $
USER. SYS, User
name . , Password
. PASS, ,
, , , . $
, .
,
, $
.
. ,
( ) $
, , .
,
, , $
, , $
.
, .
, . $
, , .
, USER,
PASS, FTP.
PASS. $
NMAP$ SYS $
PASS USER.
SPIKE 101
$
IDA, $
.
ASCII, +
. , .
+.
( ),
. , $
IDA.
NMAP, $
SPIKE NMAP$.
SPIKE 101
SPIKE, ,
21 . $
.
SPIKE ,
SPIKE
TCP.
SPIKE
. $
, , . .
.
, $
;
$
, $
. ,
ASCII, 64 000 $
A. $
,
. , $
. ,
XDR$ .
TCP
, ,
TCP. line_send_tcp.c,
SPIKE. , $
SPIKE. SPIKE
,
. $
. $
, SPIKE
.
, ,
SPIKE API.
, , $
, , , :
s_string(char * instring). SPIKE $
. .
s_string_variable(unsigned char *variable). SPIKE $
.
.
s_binary(char * instring). SPIKE .
.
s_xdr_string(unsigned char *astring). SPIKE
XDR.
. .
s_int_variable(int defaultvalue, int type). SPIKE
.
s_int_variable() $
:
Binary Big Endian. (Most significant bit, MSB), 4 .
ASCII. ASCII.
One byte. .
Binary Little Endian Half Word.
(Least significant bit, LSB), 2 .
Binary Big Endian Half Word. MSB, 2 .
Zero X ASCII Hex. ASCII $
0x.
ASCII Hex. ASCII.
ASCII Unsigned. ASCII.
Intel Endian Word. LSB, 4 .
SPIKE $
C,
. SPIKE/SPIKE/include/listener.h
:
#define BINARYBIGENDIAN 1
#define ASCII 2
#define ONEBYTE 3
#define BINARYLITTLEENDIANHALFWORD 4
#define BINARYBIGENDIANHALFWORD 5
#define ZEROXASCIIHEX 6
#define ASCIIHEX 7
#define ASCIIUNSIGNED 8
#define INTELENDIANWORD 9
SPIKE $
NMAP$.
SPIKE .
, SPIKE $
$
.
. $
, , , $
. ,
.
,
. s_block_start() s_block_end()
$
:
int s_block_start(char *blockname)
int s_block_end(char * blockname)
. ,
, $
blocksize. ,
, . , $
blocksizes , , $
blocksizes. ,
,
.
blocksizes, SPIKE:
s_blocksize_signed_string_variable(char * instring, int size)
s_blocksize_unsigned_string_variable(char * instring, int size)
s_blocksize_asciihex_variable(char * blockname)
s_binary_block_size_word_bigendian(char *blockname)
s_binary_block_size_word_bigendian_variable(char *blockname)
s_binary_block_size_halfword_bigendian(char * blockname)
s_binary_block_size_halfword_bigendian_variable(char *blockname)
s_binary_block_size_byte(char * blockname)
s_binary_block_size_byte_variable(char * blockname)
s_binary_block_size_byte_plus(char * blockname, long plus)
s_binary_block_size_word_bigendian_plussome(char *blockname, long some)
s_binary_block_size_intel_halfword(char *blockname)
s_binary_block_size_intel_halfword_variable(char *blockname)
s_binary_block_size_intel_halfword_plus_variable(char *blockname,long plus)
s_binary_block_size_intel_halfword_plus(char *blockname,long plus)
s_binary_block_size_byte_mult(char * blockname, float mult)
s_binary_block_size_halfword_bigendian_mult(char * blockname, float mult)
s_binary_block_size_word_bigendian_mult(char *blockname, float mult)
s_binary_block_size_intel_word(char *blockname)
s_binary_block_size_intel_word_variable(char *blockname)
s_binary_block_size_intel_word_plus(char *blockname,long some)
s_binary_block_size_word_intel_mult_plus(char *blockname, long some,
float mult)
s_binary_block_size_intel_halfword_mult(char *blockname,float mult)
s_blocksize_unsigned_string_variable(char * instring, int size)
s_blocksize_asciihex_variable(char * blockname)
SPIKE
SPIKE , ,
API ,
. $
$
. SPIKE $
SPIKE .
SPIKE $
:
HTTP
Microsoft RPC
X11
Citrix
Sun RPC
$
SPIKE. , $
,
.
SPIKE ,
SPIKE. :
CIFS
FTP
H.323
SPIKE NMAP
IMAP
Oracle
Microsoft SQL
PPTP
SMTP
SSL
POP3
, SPIKE , $
. :
() TCP$;
TCP/UDP$;
TCP$.
SPIKE NMAP
NetMail, SPIKE,
, $
HELP IDA Pro.
. $
:
s_string_variable("PASS");
s_string(" ");
s_string_variable("USER");
s_string(" ");
s_string_variable("devel_user");
s_string(" ");
s_string_variable("secretpassword");
s_string("\r\n");
s_string("QCREA ");
s_string_variable("test");
s_string("\r\n");
s_string("CREA ");
s_string_variable("inbox");
s_string("\r\n");
s_string("MBOX ");
s_string_variable("test");
s_string("\r\n");
s_string("LIST ");
s_string_variable("0");
s_string("\r\n");
s_string("GINFO ");
s_string_variable("0");
s_string(" ");
s_string_variable("test");
s_string("\r\n");
s_string("SEARCH BODY ");
s_string_variable("test");
s_string("\r\n");
s_string("DFLG ");
s_string_variable("0");
s_string(" ");
s_string_variable("SEEN");
s_string("\r\n");
s_string("CSCREA ");
s_string_variable("test");
s_string("\r\n");
s_string("CSOPEN ");
s_string_variable("test");
s_string("\r\n");
s_string("CSFIND ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string("\r\n");
s_string("BRAW ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string("\r\n");
NMAP
SPIKE .
TCP$
SPIKE nmap.spk $
:
./line_send_tcp 192.168.1.2 689 nmap.spk 0 0
$
, ! NMAP
OllyDbg . 15.2.
. 15.2. nmapd.exe
. 15.2 $
. EBP ( ), EBX, ESI, EDI $
EIP ( ) $
0x41 ASCII.
, , , $
. $
, $ ,
0x41414141. $
,
. ,
, , $
, .
.
SPIKE : SPIKE , $
. , $
SPIKE, ,
NetMail NMAP. $ $
, ,
SPIKE . $
, ,
SPIKE, NMAP.
, NMAP $
SPIKE :
snip
Fuzzing Variable 5:1
Read first line
Variablesize= 5004
Fuzzing Variable 5:2
Couldnt tcp connect to target
Segmentation fault
snip
,
, NMAP. $
. NMAP $
. SPIKE , ,
. , , ,
.
, , $
SPIKE Fuzzing Variable
5:1. ,
5. $
, , 1. ,
5, $
SPIKE , variable,
0. CREA, $
. , $
1
CREA.
. ,
. $
printf() line_send_tcp.c,
, $
. , ,
CREA <longstring>.
. $
$
CREA. : $
. , $
, $
.
NMAP, SPIKE ,
CREA, $
.
, $
$
. NMAP $
. $
SPIKE, $
NMAP. , ,
$
. $
. , $
. NMAP $
.
16
:
Windows
, +,
,
.
$.,
,
, ,
10 2001
,
UNIX,
Microsoft Windows,
. ,
Windows, $
. , , Slammer1,
Microsoft
SQL, Windows. $
$
Microsoft MS02$0392 24 2002 , Slammer
25 2003 . $
;
.3
1 http://www.cert.org/advisories/CA-2003-04.html
2 http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
3 http://pedram.openrce.org/__research/slammer/slammer.txt
,
, $
,
.
, Slammer $
,
.1 , Win$
dows .
SPIKE UNIX,
Novell NetMail NMAP.
, ,
Windows .
ProtoFuzz
,
. .
,
,
.
. $
, . $
, ProtoFuzz $
,
. .
, $
, .
:
. PROTOS Test Suite2, $
Codenomicon3 $
, .
, $
$
, , .
1 http://isc.sans.org/portreport.html?sort=targets; http://atlas.arbor.net/
2 http://www.ee.oulu.fi/research/ouspg/protos/
3 http://www.codenomicon.com/products/
. ,
SPIKE
, $
.
.
. , $
:
.
, $
,
, $
,
.
, $
. $
,
, , $
. $
ProtoFuzz.
, ; $
. ProtoFuzz $
$ . $
,
,
$
.
$
, , ProtoFuzz $
.
ProtoFuzz, $
$
, . $
.
, ,
ProtoFuzz
. $
, .
, $
.
,
, $
, $
. $
, Wireshark,
. . 16.1
TCP, Wireshark.
Wireshark ,
. $
. , $
. $
. , Wireshark AOL Instant Messenger, $
TCP. ,
ASCII .
, $
,
.
, $
$
.
. ,
, ProtoFuzz $
, $
. :
[XX] . , $
, $
. , $
256 , (2 ) $
65 536 .
<XX> . $
$
(Strings.txt). $
,
.
TCP,
,
:
00 0C F1 A4 83 57 00 13 49 25 D5 72 08 00 45 00 00 28<B0 3B>00 00 FE 06
89 40 C0 A8 01 01 C0 A8 01 02 08 A6 0B 35 14 9E E1 9F 9F 33 69 E5 50 11
10 00 09 4E 00 00 01 00 5E 00 00[16]
.
,
, IP$ MAC$ . $
RFC. HttpRequest
.NET. ,
URL, HTTP, $
Ethernet, TCP IP . $
,
, , $
, $
RFC. , $
,
, , ,
, .
ProtoFuzz, $
.
, $
$
. , $
, , $
. ,
, , , $
, , .
, $
, $
. $
$
, .
, $ $
,
, $ $
. ,
. $
,
. ,
.
,
, $
. , , , $
$
. , $
.
,
Performance Logs and Alerts System Monitor, $
Microsoft Management, $
.
.
, , ,
, $ $
. $
. , $
, , $
.
$
. Metro Packet Library1,
ProtoFuzz, ndisprot.inf
NDIS ( ), $
Microsoft .
NDIS $
, $
Ethernet. ProtoFuzz
; , $
net start ndisprot. $
, $
, ,
. Metro
, , .
.
, $
, $, $
. ,
, ProtoFuzz $
:
. ProtoFuzz
. $
, $
.
. ProtoFuzz
.
.
1 http://sourceforge.net/projects/dotmetro/
. $
, $
. ProtoFuzz $
, Ethernet $
TCP/UDP.
, ProtoFuzz,
$
. , $
Windows, $
, , $
.
FileFuzz,
Windows , $
, C# Microsoft .NET Framework. .NET
$
, , $
, ,
. $
.NET , $
.NET Framework. $
, .NET,
, $
.
$
. : $
, . , ,
, $ , $
,
.
, ProtoFuzz Windows, . $
Microsoft Windows
WinPcap1, , $
, (Piero Viano) $
libpcap Windows . WinPcap
http://www.winpcap.org/
, $
.
,
, Wireshark (
Ethereal) Core Impact.1 $ WinPcap $
100 , $
, ,
!
WinPcap ProtoFuzz,
C#
. WinPcap
C, $
WinPcap , $
C#, , $
WinPcap. $
PacketX2, COM, $
WinPcap, $
, .
.
,
Metro Packet Library.
, WinPcap, # $
; $
. Metro $
. , $
$
, Ethernet, TCP, UDP, ICMP, IPv4 $
(ARP), , $
,
. , ProtoFuzz,
,
, Metro ,
,
.
. , $
ProtoFuzz $ www.fuzzing.org.
,
.
1 http://www.coresecurity.com/products/coreimpact/index.php
2 http://www.beesync.com/packetx/index.html
ProtoFuzz , $
. $
, , $
. $
, , $
. , Metro ,
, $
:
private const string DRIVER_NAME = @"\\.\ndisprot";
NdisProtocolDriverInterface driver = new NdisProtocolDriverInterface();
try
{
driver.OpenDevice (DRIVER_NAME);
}
catch (SystemException ex)
{
string error = ex.Message;
error += "\n";
error += "Please ensure that you have correctly installed the " +
DRIVER_NAME + " device driver. ";
error += "Also, make sure it has been started. ";
error += "You can start the driver by typing \"net start " +
DRIVER_NAME.Substring(DRIVER_NAME.LastIndexOf("\\") + 1) +
"\" at a command prompt. ";
error += "To stop it again, type \"net stop " +
DRIVER_NAME.Substring(DRIVER_NAME.LastIndexOf("\\") + 1) +
"\" in a command prompt. ";
error += "\n";
error += "Press 'OK' to continue... ";
MessageBox.Show(error, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
return;
}
foreach (NetworkAdapter adapter in driver.Adapters)
{
cbxAdapters.Items.Add(adapter.AdapterName);
if (cbxAdapters.Items.Count > 0)
cbxAdapters.SelectedIndex = 0;
}
NdisProtocolDriverInterface, $
OpenDevice() ndisprot,
. , SystemException $
.
NetworkAdapter, $
. foreach ,
AdapterName .
, $
:
try
{
maxPackets = Convert.ToInt32(tbxPackets.Text);
capturedPackets = new byte[maxPackets][];
driver.BindAdapter(driver.Adapters[cbxAdapters.SelectedIndex]);
ThreadStart packets = new ThreadStart(capturePacket);
captureThread = new Thread(packets);
captureThread.Start();
}
catch (IndexOutOfRangeException ex)
{
MessageBox.Show(ex.Message +
"\nYou must select a valid network adapter.",
"Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
(capturedPackets), $
, , , $
. $
BindAdapter(),
NdisProtocolDriverInterface (driver).
capturePacket . $
, $
:
private void capturePacket()
{
while (packetCount < maxPackets)
{
byte[] packet = driver.RecievePacket();
capturedPackets[packetCount] = packet;
packetCount++;
}
}
$
ReceivePacket().
capturedPackets.
, $
. $
, Wireshark, $
,
TreeView
RichTextBox. $
,
. $
,
,
TreeView. ProtoFuzz
. 16.2.
. 16.2. ProtoFuzz
TreeView
. , TreeView, packet
TvwDecode(),
: Ethernet, TCP, UDP, IP, ARP ICMP. $
, , $
Ethernet:
Ethernet802_3 ethernet = new Ethernet802_3(capPacket);
strSourceMacAddress = ethernet.SourceMACAddress.ToString();
strDestMacAddress = ethernet.DestinationMACAddress.ToString();
strEthernet = "Ethernet II, Src: " + strSourceMacAddress +
", Dst: " + strDestMacAddress;
strSrcMac = "Source: " + strSourceMacAddress;
strDstMac = "Destination: " + strDestMacAddress;
strEthernetType = "Type: " + ethernet.NetworkProtocol.ToString();
strData = "Data: " + ethernet.Data.ToString();
TreeNode nodeEthernet = tvwDecode.Nodes.Add(strEthernet);
TreeNode nodeEthernetDstMac = nodeEthernet.Nodes.Add(strDstMac);
TreeNode nodeEthernetSrcMac = nodeEthernet.Nodes.Add(strSrcMac);
TreeNode nodeType = nodeEthernet.Nodes.Add(strEthernetType);
TreeNode nodeData = nodeEthernet.Nodes.Add(strData);
, Ethernet802_3 $
capPacket, , ,
TreeView, . $
, $
.
16 :
static string PrintData(byte [] packet)
{
string sData = null;
int nPosition = 0, nColumns = 16;
for (int i = 0; i < packet.Length; i++)
{
if (nPosition >= nColumns)
{
nPosition = 1;
sData += "\n";
}
else
nPosition++;
byte nByte = (byte) packet.GetValue(i);
if (nByte < 16)
sData += "0";
sData += nByte.ToString("X", oCulture.NumberFormat) + " ";
}
sData += "\n";
return (sData);
}
,
([]) ,
(<>) .
$
. $
.
$
, $
. .NET
Framework ToString("X")
,
$
.1 HexEncoding, $
$
$
C# www.codeproject.com.
, , $
, . ProtoFuzz ,
, $
. ,
, , $
, , . $
SMTP, RCPT
TO, :
220 smtp.example.com ESMTP
HELO mail.heaven.org
250 smtp.example.com Hello smtp.example.com
MAIL FROM:god@heaven.org
250 2.1.0 god@heaven.org... Sender ok
RCPT TO:[Ax1000]
SMTP. $
TCP HELO, MAIL FROM
RCPT TO, .
1 http://www.codeproject.com/csharp/hexencoding.asp
, , $
RCPT TO ,
. $
SPIKE, $
, $
.
ProtoFuzz , $
,
. ,
$
, ,
.
, $
.
Mercury LoadRunner
Hewlett-Packard, Zero Day Initiative, TippingPoint,
.1 , $
TCP 54345, .
,
, , $
. , , , $
; $
, . $
, $
server_ip_name.
, ProtoFuzz
, server_ip_name $
.
, Mercury LoadRunner $
, $
, , , . $
,
ASCII , , $
server_ip_name, .
0070  2b 5b b6 00 00 05 b2 00 00 00 07 00 00 00 12 6d  +[.............m
0080  65 72 63 75 72 79 32 3b 31 33 30 34 3b 31 33 30  ercury2;1304;130
0090  30 00 00 00 00 05 88 28 2d 73 65 72 76 65 72 5f  0......(-server_
00a0  69 70 5f 6e 61 6d 65 3d                          ip_name=
, server_ip_name, .
(<>).
http://www.zerodayinitiative.com/advisories/ZDI-07-007.html
ProtoFuzz , $
, Strings.txt. $
,
.
Strings.txt.
, ,
. Magentproc.exe
,
TCP 54345, $
. , OllyDbg
:
Registers
EAX 00000000
ECX 41414141
EDX 00C20658
EBX 00E263BC
ESP 00DCE7F0
EBP 41414141
ESI 00E2549C
EDI 00661221 two_way_.00661221
EIP 41414141
Stack
00DCE7F0 00000000
00DCE7F4 41414141
00DCE7F8 41414141
00DCE7FC 41414141
00DCE800 41414141
00DCE804 41414141
00DCE808 41414141
00DCE80C 41414141
00DCE810 41414141
00DCE814 41414141
, NetMail
, , $
. , $
, , ,
.
ProtoFuzz ,
.
, $
. Proto$
Fuzz, .
ProtoFuzz
.
,
, $
.
, , $
. $
() $
, . ProtoFuzz
,
. ProtoFuzz $
, $
, $
.
$
, $ $
.
ProtoFuzz $
.
, .
, Proto$
Fuzz
. ,
$
, $
. $
,
, . $
, $
, , ,
, $
. Metro Proto$
Fuzz, .NET Framework
.
ProtoFuzz .
17
:
, , .
$.,
$,
27 2000
$
, $
,
(). $
, $
$
. $
$
,
$.
$ $
$.
, $
, $
,
.
, 2006 $
. , $
$, Microsoft Inter$
net Explorer Mozilla Firefox. $
HTML$, JavaScript, $
286
17. <
?
$
HTML$, $
.
HTML, , $
, Java, RSS$, FTP$$
.
, $ $
. Google
.
, $
2006 . .
(MoBB).1 $
, , $
$
. , $
Microsoft Internet Explorer, $
$, Safari, Mozilla, Opera Konqurer.2
$
, $ $
, .
1
2
http://browserfun.blogspot.com/
http://osvdb.org/blog/?p=127
287
$
, MoBB Skywing skape (
Metasploit, . . ) $
$
Internet Exp$
lorer , , $
, $
.1 ,
, $
, MoBB. $
, $ , $
, , , $
$ $
, .
1
http://www.uninformed.org/?v=4&a=5&t=sumry
, .
, $
, .
, , , Fi$
refox Internet
Explorer, , $
. $
, . $ $
, .
,
, $
. ,
, ,
, , $
Internet Explorer, Firefox
. , Internet Explorer ,
, $
. $
Firefox $ $
Internet Explorer. $, Netscape,
Opera, Safari Konqueror, $
, .
$ . $$
, , $
, $
. $$
, $
. $
.
$ ,
,
, .
, :
HTML+. $,
, $,
, ,
$
. , $
HTTPEQUIV META
. $
. Mangleme1,
,
HTML$ $, , ,
HEAD $, :
<META HTTP-EQUIV=\"Refresh\" content=\"0;URL=mangle.cgi\">
mangleme mangleme.cgi, , $
$. $
JavaScript $
2000 :
<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript">
<!--
var time = null
function move() {
    window.location = 'http://localhost/fuzz'
}
//-->
</SCRIPT>
</HEAD>
1
http://freshmeat.net/projects/mangleme/
289
. $
$
. , $$
$ ,
. ,
fuzz.html Internet Explorer:
C:\>"C:\Program Files\Internet Explorer\iexplore.exe" C:\temp\fuzz.html
.
, .
,
,
. , $
ActiveX, $
$, .
ActiveX , ,
. COMRaider1, ,
ActiveX, .
, $ $
. ,
. $ $
$, , , $
, . , ,
, HTML.
HTML
, , HTML.
,
,
$ .
CVE$2003$01132,
$
..
Microsoft MS03$0153. (Jouko Pynnnen) $
1
2
3
http://labs.idefense.com/software/fuzzing.php#more_COMRaider
http://cve.mitre.org/cgi+bin/cvename.cgi?name=CAN+2003+0113
http://www.microsoft.com/technet/security/bulletin/MS03+015.mspx
, $ urlmon.dll
'
1 . $
, Internet Explorer 5.x 6.x $
.
HTML
HTML$
. $ $
, HTML, XML XHTML,
$ HTML.
HTML , $
.
, $,
, $ $
, , $
.
, , $
.
HTML .
HTML, ,
$, $
$
(DTD). DTD, ,
, $
HTML 4.01:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
HTML, , $
. $
.
, $
. HTML $
:
<font color="red">Fuzz</font>
color font,
Fuzz . , $
, , HTML$
. $
HTML$,
,
HTML.
1
http://downloads.securityfocus.com/vulnerabilities/exploits/urlmon+ex.pl
291
Mangleme
$ HTML,
CVE$2004$10501, $
Microsoft MS04$040.2 $
mangleme ,
SRC NAME IFRAME, FRAME EMBED
. $
3 . , $
HTML $, DOM$
Hanoi4 Hamachi5, . . .
XML
XML , $
(SGML),
HTTP. XML $
, RSS, $
(AVDL), $
(SGL) . . HMTL, $
XML
. , $
$
, $
. (VML)
XML, .
, Internet Explorer
Outlook,
VML. 19 2006 Microsoft $
9255686, $
$
(vgx.dll), $
.
Mi$
crosoft .7 $
2007
.8
1
2
3
4
5
6
7
8
http://cve.mitre.org/cgi+bin/cvename.cgi?name=CAN+2004+1050
http://www.microsoft.com/technet/security/bulletin/ms04+040.mspx
http://downloads.securityfocus.com/vulnerabilities/exploits/InternetExploit+
er.txt
http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
http://www.microsoft.com/technet/security/advisory/925568.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06+055.mspx
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
ActiveX
ActiveX
Microsoft, Microsoft COM, $
.1 $
ActiveX
, $$
.
ActiveX , ,
, $
Internet Explorer Windows.
, $.
ActiveX ;
, , $
, .
$
ActiveX, Windows
. $
$, $
, $$
.2 , $
ActiveX $
, ,
,
$.
COMRaider , $
, $
ActiveX .
, ActiveX,
, ,
$,
. COMRaider $
Acti$
veX .
ActiveX .
$
ActiveX. COMRaider $
, , $
. COMRaider
,
. . 17.1 , $
COMRaider
1
2
http://en.wikipedia.org/wiki/ActiveX_Control
http://msdn.microsoft.com/workshop/components/activex/safety.asp
293
. 17.1. COMRaider
ActiveX, $
.
AxMan1 ActiveX. AxMan $
. . $
ActiveX, 2006 $
.2
CSSDIE3 CSS, . . , ,
;
Opera.4 , background $
1
2
3
4
http://metasploit.com/users/hdm/tools/axman/
http://browserfun.blogspot.com/2006/08/axman+activex+fuzzer.html
http://metasploit.com/users/hdm/tools/see+ess+ess+die/cssdie.html
http://browserfun.blogspot.com/2006/07/mobb+26+opera+css+background.html
DHTML URL $
, .
, CSS, $
, CVE$2005$4089, MS06$0211,
Internet Explorer. ,
@import ,
CSS.
(Matan Gillon) ( hacker.co.il) ,
, $
$ Google Desktop Search (GDS).2
,
Google, , $
Internet Explorer
( GDS)
. CSS $
, $
. , anchor , {color: white}.
CSS
@import, Internet Explorer
CSS, , $
, $
cssText. ,
GDS, $
. Google News
CSS }{. ,
cssText, $
GDS . $
GDS ,
, @import, GDS.
$
$.
, $
JavaScript, , VBScript,
Jscript3 ECMAScript4.
, $
. , ECMAScript $
JavaScript, Jscript JavaScript
1
2
3
4
http://www.microsoft.com/technet/security/Bulletin/MS06+021.mspx
http://www.hacker.co.il/security/ie/css_import.html
http://en.wikipedia.org/wiki/Jscript
http://en.wikipedia.org/wiki/Ecmascript
295
Microsoft. $
$, $
.
, $
, , $
, $
, Ac$
tiveX. ,
. $
, , ,
Internet Explorer JavaScript $
1.
JavaScript:
for (var i in window.alert) { var a = 1; }
JavaScript Firefox, $
(Azafran), , $
$ $
.2 $,
replace(). , $
,
, .
,
, , $
.
,
,
. Java$
Script $
, $
. , $
. , , $
,
. ,
EAX:
1
2
http://browserfun.blogspot.com/2006/07/mobb+25+native+function+iterator.html
http://www.mozilla.org/security/announce/2005/mfsa2005+33.html
EAX ,
$
. $
,
$
. JavaScript $
heap $
. , JavaScript $
NOP $$
,
$. NOP
$
. $
NOD, $
NOD .
$ ( SkyLined) $
Internet Explorer1, 0x0D.
,
. $,
5$ NOP, OR EAX, 0D0D0D0D. $
, , $
. $
, .
OllyDbg Heap Vis2,
. 17.2.3 ,
Internet Explorer
, , $
.
Heap Vis $
.
1
2
3
http://www.milw0rm.com/exploits/930
http://www.openrce.org/downloads/details/1
http://pedram.openrce.org/images/olly_heap_vis/skylined_ie_heap_
fill.gif
297
500 ,
0x0D0A0020. 0x0D0D0D0D.
Heap Block 0D0A0020..0D12101F
$
0x0D $.
, $
EAX 0x0D0D0D0D. MOV
EAX, [EAX] , EAX $
, , ,
0x0D. , CALL [EAX+4], $
0x0D0D0D11, $
0x0D. $
$
, NOP, ,
$, .
0x0D0D0D0D $
,
. , $
, ,
, $
. ,
0x44444444, , $
, $
,
.
, $
: 0x01010101,
ADD [ECX], EAX, 0x0A0A0A0A, OR CL,
[EDX]. , , $ $
, ECX,
, $ , $
EDX.
0x05050505, ADD EAX, 0x05050505.
.
Flash
, Adobe Flash Player $$
, , $
, ,
$
Flash Player. Flash$ $
.swf ,
$,
$ Flash Player. $
.swf ,
11 , 12 $
: UNIX 13 :
Windows, $
. 2005 eEye $
Macromedia Flash 6 7. $
, $
, , . Flash$
ActionScript, ,
Flash $
.1
http://en.wikipedia.org/wiki/Actionscript
299
ActionScript,
Flash$.
2006 Rapid7 ,
, XML.addRequestHeader() $
HTTP
Flash.1 , ,
HTTP $
HTTP.
URL
URL .
MS06$0422 eEye , $
$
. , URL $
Internet Explorer, $ GZIP
,
, lstrcpynA() URL
2084 , 260 .3 , $
, ,
URL; , , $
Internet Explorer.
, $
$
, $
, , :
DoS (Denial$of$service). $
$ $
,
. , $
,
.
.
, $
$ ,
. $
, .
.
$. $
1
2
3
http://www.rapid7.com/advisories/R7+0026.jsp
http://www.microsoft.com/technet/security/bulletin/ms06+042.mspx
http://research.eeye.com/html/advisories/published/AD20060824.html
1
2
3
, $
, , $
.
. $
,
, $
. , (Albert Puigsech
Galicia) , FTP $
FTP URI, , Internet
Explorer 6.x $
FTP $
.1 , , $
. $
, $
,
. Microsoft MS06$042.
. $ $
, $
. ,
, ,
cookies , $
. , $
. $
GDS, ,
.
. Internet Explorer $
, . $
, , , $
, , , .
, , , ,
. 2005
,
, URL$ $
, Internet Explorer
, , $
.2 , , $
, $
. Microsoft
$
MS05$14.3
http://osvdb.org/displayvuln.php?osvdb_id=12299
http://jouko.iki.fi/adv/zonespoof.html
http://www.microsoft.com/technet/security/bulletin/ms05+014.mspx
301
. ,
$
, , $
.
$
, $
$, $
. , $
, ,
$ $
, . $
, $
.
$, , $
.
, . , $
:
.
Windows, Event Vie$
wer. Internet Explorer 7.0 Internet Exp$
lorer Event Viewer.
Internet Explorer , $
.
, $
, .
. $
, ,
$. $
$
. , ,
, $
, $
.
. $
$ $
, . $
, $
, ,
.
, $
,
, $
.
, . $
, ,
, .
$ $
. $
, $
$.
$.
18
:
.
,
.
$.,
, ,
20 2000
17 $ $
$ . $
,
$
, Mozilla Firefox Microsoft Internet Explorer.
,
ActiveX. Internet
Explorer ActiveX ,
, , $
. Internet Explorer
, Microsoft $
$.
ActiveX, $
ActiveX.
Microsoft COM ,
1990$ $
304
18. <:
. $
,
, COM,
, ,
, . COM , $
$
( ).
COM $
(Dynamic Data Exchange, DDE), , $
Win$
dows. DDE , clip$
book viewer (NetDDE) Microsoft Hearts ( NetDDE). 1991
Microsoft $
(Object Linking and Embedding, OLE). DDE $
, OLE $
. OLE $
(VTBL).
OLE COM, OLE 2, $
OLE, COM, VTBL. 1996 $
ActiveX. , , Microsoft
Distributed COM (DCOM)
COM Common Object Request Broker Architec$
ture1 (CORBA). DCOM RPC$ Distributed Com$
puting Environment/Remote Procedure Calls2 (DCE/RPC).
DCOM COM, $
$
, .
COM COM+,
Windows 2000. COM+
Microsoft Transaction Server Win$
dows 2000. DCOM, COM+ $
,
.
COM , . , $
ActiveX,
1
2
http://en.wikipedia.org/wiki/Corba
http://en.wikipedia.org/wiki/DCE/RPC
305
. $
COM, ,
. COM $
128$ , ID (CLSID).
, COM$ 128$
, ID (IID).
COM$ IStream, IDispatch IObjectSafety. ,
$
IUnknown.
CLSID $
(ProgID). ProgID $
, $
. :
000208D5-0000-0000-C000-000000000046
Excel.Application
CLSID, ProgID,
. , , ProgIDs
.
ActiveX
ActiveX COM, , ,
$. Ja$
va, ActiveX $
$
, . $
ActiveX $
.
ActiveX , , ,
$, $ , $$
, $ .
Microsoft Internet Explorer ,
ActiveX Docu$
ment Object Model (DOM) , $
. $
:
Pure DOM
<object classid="clsid:F08DF954-8592-11D1-B16A-00C0F0283628"
        id="Slider1"
        width="100"
        height="50">
  <param name="BorderStyle" value="1" />
  <param name="MousePointer" value="0" />
  <param name="Enabled" value="1" />
  <param name="Min" value="0" />
  <param name="Max" value="10" />
</object>
Slider1.method(arg, arg, arg)
Outdated Embed
<embed type="application/x-oleobject"
       name="foo"
       align="baseline"
       border="0"
       width="200"
       height="300"
       clsid="{8E27C92B-1264-101C-8A2F-040224009C02}">
ActiveX
COM. $
, $
Internet Explorer.
Microsoft COM $
, .
COM $ Microsoft
COM1 ,
http://www.microsoft.com/com/default.mspx
307
MSDN : 1,
.
ActiveX,
COM.
ActiveX . $
, $
ActiveX. COM$
Raider2 Visual Basic $
C++. AxMan3 C++, JavaScript HTML.
,
:
ActiveX.
ActiveX
.
$
.
.
.
,
, Python. ,
. Python $
, $
, Windows API. $
, , , COM,
win32api, win32com, pythoncom win32con. (
Python Win$
dows,
Python programming on win32.4 $
, Py$
thon COM.) . 18.1 18.2 Py$
thonWin$ COM , $
COM$
.
1
2
3
4
http://msdn2.microsoft.com/en+us/library/ms809980.aspx
https://labs.idefense.com/software/fuzzing.php#more_comraider
https://metasploit.com/users/hdm/tools/axman/
http://www.oreilly.com/catalog/pythonwin32/
. 18.2. PythonWin
, $
Microsoft Excel $
Visible:
import win32com.client
xl = win32com.client.Dispatch("Excel.Application")
xl.Visible = 1
309
, ,
ActiveX, .
, , $
COM$, $
$ (http://www.fuzzing.org).
ActiveX
COM,
. COM $
Windows1, HKEY_LOCAL_
MACHINE (HKLM) SOFTWARE\Classes.
API Windows:2
import win32api, win32con
import pythoncom, win32com.client
from win32com.axscript import axscript

try:
    classes_key = win32api.RegOpenKey( \
        win32con.HKEY_LOCAL_MACHINE, \
        "SOFTWARE\\Classes")
except win32api.error:
    print "Problem opening key HKLM\\SOFTWARE\\Classes"
$
COM. $
CLSID. CLSID , , $
:
skey_index = 0
clsid_list = []
while True:
    try:
        skey = win32api.RegEnumKey(classes_key, skey_index)
    except win32api.error:
        print "End of keys"
        break
    progid = skey
    try:
        skey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, \
            "SOFTWARE\\Classes\\%s\\CLSID" % progid)
    except win32api.error:
        print "Couldnt get CLSID key...skipping"
        skey_index += 1
        continue
    try:
        clsid = win32api.RegQueryValueEx(skey, None)[0]
    except win32api.error:
        print "Couldnt get CLSID value...skipping"
        skey_index += 1
        continue
    clsid_list.append((progid, clsid))
    skey_index += 1
1
2
http://en.wikipedia.org/wiki/Windows_registry
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/registry_functions.asp
$
,
COM. COM
, Internet Explorer.
, $
ActiveX , $
. Internet Explorer $
, $
. Internet Ex$
plorer ActiveX,
:1
Windows
.
Windows
.
COM$ IObjectSafety.
Windows Component Categories, $
, $
. : CATID_SafeForScripting
CATID_SafeForInitializing. , $
CLSID Internet Explorer:
def is_safe_for_scripting (clsid):
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CLASSES_ROOT, \
            "CLSID\\%s\\Implemented Categories" % clsid)
    except win32api.error:
        return False
    skey_index = 0
    while True:
        try:
            skey = win32api.RegEnumKey(key, skey_index)
        except:
            break
        # CATID_SafeForScripting
        if skey == "{7DD95801-9882-11CF-9FA9-00AA006C42C4}":
            return True
        skey_index += 1
    return False

def is_safe_for_init (clsid):
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CLASSES_ROOT, \
            "CLSID\\%s\\Implemented Categories" % clsid)
    except win32api.error:
        return False
    skey_index = 0
    while True:
        try:
            skey = win32api.RegEnumKey(key, skey_index)
        except:
            break
        # CATID_SafeForInitializing
        if skey == "{7DD95802-9882-11CF-9FA9-00AA006C42C4}":
            return True
        skey_index += 1
    return False
1
http://msdn.microsoft.com/workshop/components/activex/safety.asp
, ActiveX
Internet Explorer, $
IObjectSafety. , $
ActiveX IObjectSafety, $
. ,
ActiveX IObjectSafety $
, , Internet Explorer:
def is_iobject_safety (clsid):
    try:
        unknown = pythoncom.CoCreateInstance(clsid, \
                                             None, \
                                             pythoncom.CLSCTX_INPROC_SERVER, \
                                             pythoncom.IID_IUnknown)
    except:
        return False
    try:
        objsafe = unknown.QueryInterface(axscript.IID_IObjectSafety)
    except:
        return False
    return True
Ac$
tiveX, . Microsoft kill
bitting1, CLSID Internet
Explorer HKLM\Software\Microsoft\Internet Explor$
er\ActiveX Compatibility\<CLSID of ActiveX Control>. CLSID,
,
. :
def is_kill_bitted (clsid):
    try:
        key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, \
            "SOFTWARE\\Microsoft\\Internet Explorer" \
            "\\ActiveX Compatibility\\%s" % clsid)
    except win32api.error:
        return False
    try:
        (compat_flags, typ) = win32api.RegQueryValueEx(key, \
            "Compatibility Flags")
    except win32api.error:
        return False
    if typ != win32con.REG_DWORD:
        return False
    if compat_flags & 0x400:
        return True
    else:
        return False
, Acti$
veX ,
.
, ,
$
, ActiveX . $
, COM,
. ,
. COM
, ,
. $
ActiveX $
, ,
. ,
.
1
http://support.microsoft.com/kb/240797
313
COM ,
VARIANT. VARIANT
: , , , ,
, COM . PythonCOM
,
. . 18.1 $
Python VARIANT.
18.1. PythonCOM VARIANT

Python       VARIANT
Integer      VT_I4
String       VT_BSTR
Float        VT_R8
None         VT_NULL
True/False   VT_BOOL
pythoncom LoadTypeLib() $
COM. ,
COM, $
. , Adobe Acro$
bat PDF, . 18.2. Ac$
tiveX Adobe Acrobat Reader, Internet Explorer
, .
,
, Python, $
VARIANT:
adobe = r"C:\Program Files\Common Files" \
r"\Adobe\Acrobat\ActiveX\AcroPDF.dll"
tlb = pythoncom.LoadTypeLib(adobe)
VTS = {}
for vt in [x for x in pythoncom.__dict__.keys() if x.count("VT_")]:
VTS[eval("pythoncom.%s"%vt)] = vt
VARIANT
, .
, GetTy
peInfoCount(). ,
. 18.2. $
:
for pos in xrange(tlb.GetTypeInfoCount()):
    name = tlb.GetDocumentation(pos)[0]
    print name
, Acrobat . $
, . 18.2, IAcroAXDocShim. $
, ,
. . , . $
$
:
info = tlb.GetTypeInfo(2)
attr = info.GetTypeAttr()
print "properties:"
for i in xrange(attr.cVars):
    id = info.GetVarDesc(i)[0]
    names = info.GetNames(id)
    print "\t", names[0]
cVars ( $
), .
. , $
;
:
print "methods:"
for i in xrange(attr.cFuncs):
    desc = info.GetFuncDesc(i)
    if desc.wFuncFlags:
        continue
    id    = desc.memid
    names = info.GetNames(id)
    print "\t%s()" % names[0]
    i = 0
    for name in names[1:]:
        print "\t%s, %s" % (name, VTS[desc.args[i][0]])
        i += 1
cFuncs $
, .
, wFuncFlags. ,
() , ,
. GetNames() ,
. $
, , names[1:], $
. , $
GetFuncDesc(), VARIANT $
( ). VARIANT $
,
VARIANT, .
315
IAcroAX$
DocShim ActiveX Adobe Acrobat PDF ActiveX
:
properties:
methods:
src()
LoadFile()
fileName, VT_BSTR
setShowToolbar()
On, VT_BOOL
gotoFirstPage()
gotoLastPage()
gotoNextPage()
gotoPreviousPage()
setCurrentPage()
n, VT_I4
goForwardStack()
goBackwardStack()
setPageMode()
pageMode, VT_BSTR
setLayoutMode()
layoutMode, VT_BSTR
setNamedDest()
namedDest, VT_BSTR
Print()
printWithDialog()
setZoom()
percent, VT_R4
setZoomScroll()
percent, VT_R4
left, VT_R4
top, VT_R4
setView()
viewMode, VT_BSTR
setViewScroll()
viewMode, VT_BSTR
offset, VT_R4
setViewRect()
left, VT_R4
top, VT_R4
width, VT_R4
height, VT_R4
printPages()
from, VT_I4
to, VT_I4
printPagesFit()
from, VT_I4
to, VT_I4
shrinkToFit, VT_BOOL
printAll()
printAllFit()
shrinkToFit, VT_BOOL
setShowScrollbars()
On, VT_BOOL
GetVersions()
setCurrentHightlight()
a, VT_I4
b, VT_I4
c, VT_I4
d, VT_I4
setCurrentHighlight()
a, VT_I4
b, VT_I4
c, VT_I4
d, VT_I4
postMessage()
strArray, VT_VARIANT
messageHandler()
39 ()
.
. $
$
,
, $
. ,
(VT_I2) (VT_I4).
, ,
0xFFFF (65535), $
0xFFFFFFFF (4294967295).
,
, Internet Explorer $
ActiveX .
.
6
$
. $
.
, , $
, . $
. $
317
ActiveX,
,
Internet Explorer.
, , , WinZip FileView ActiveX
Control Unsafe Method Exposure Vulnerability.1 $
ActiveX ProgID WZFILEVIEW.FileViewCtrl.61 $
, $
$ $
. , ExeCmdForAllSelected
ExeCmdForFolder , ,
,
, $ FTP.
:
, $
. WinZip ,
kill bit.
, , $
, URL $
, , $
WinZip FileView. , $
,
, $ .
.
, $
. $
HTML,
ActiveX;
.
. $
,
Internet Explorer. $
.
Python ActiveX Acrobat PDF
:
adobe = win32com.client.Dispatch("AcroPDF.PDF.1")
print adobe.GetVersions()
adobe.LoadFile("c:\\test.pdf")
Adobe COM, adobe.
. $
GetVersions(),
PDF Acro$
http://www.zerodayinitiative.com/advisories/ZDI+06+040.html
bat Reader. , $
.
. Python COM
PaiMei1 $
. $
, .
, ,
ActiveX. $
, , $
, .
PaiMei API.
. $
Microsoft, CreateFile()2
CreateProcess()3, ,
ActiveX .
API $
.
, $
.
GetURL(), DownloadFile(), Execute()
. ., , ,
.
COM Microsoft
ActiveX, $
$ Internet Explorer.
Python COM , $
ActiveX,
, , . ,
, $
COM$, $
$ (http://www.fuzzing.org).
1
2
http://www.openrce.org/downloads/details/208/PaiMei
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/fileo/fs/
createfile.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/dllproc/
base/createprocess.asp
19
.
$.,
,
,
19 2001
$
,
. , , $
( ) $
, .
,
, $
, , $
, .
UNIX, Windows.
$
.
Microsoft Windows . $, $
,
Windows, UNIX. $, Windows
API $
. , API$ $
UNIX, ,
320
19.
. ,
, , , .
: ?
$
. 11 $
, 12 : $
UNIX 13 :
Windows $
. 14 , 15 $
: UNIX 16 $
: Windows
$. $
$
,
. , $
.
. $
$
, .
,
, . $
, $
$.
? , $
,
.
,
.
. $
$$
, , $
. $
,
. , $
,
, $ $
.
,
,
.
, . $
.
321
,
Microsoft Windows, $
Windows. $
, , , $
. ,
$
.
Windows 95 Windows
32$
4 . 4
. (0x00000000
0x7FFFFFFF) , (0x80000000
0xFFFFFFFF) . $
3 : 1 ( /3GB boot.ini1): 3 $
1
Oracle.
, , $
.
, , $
. $
$
, $
.
, Windows
. ,
$
4 .
(MMU). $
, $
4 .
. $
4096 (01000) Windows. , $
, RAM ( $
).
( )
RAM.
Windows
.
http://support.microsoft.com/kb/q291988/
;
. , $
, , :1
PAGE_EXECUTE ( ). $
,
.
PAGE_EXECUTE_READ ( ).
,
.
PAGE_EXECUTE_READWRITE (, ).
: ,
, .
PAGE_NOACCESS ( ). $
. ,
.
PAGE_READONLY ( ).
. $
. $
( ),
.
PAGE_READWRITE ( ).
. PAGE_READONLY, $
,
$
.
PAGE_GUARD ($
), MSDN2 $
STATUS_GUARD_PAGE_VIOLATION $
,
. PAGE_GUARD
.
. $
PAGE_NOACCESS.
,
, .
, $
. $
. :
Windows 4 $
.
1
2
http://msdn2.microsoft.com/en+us/library/aa366786.aspx
.
323
,
0x00000000 0x7FFFFFFF, .
.
4 $
4096 (0x1000).
.
PAGE_GUARD
.
. 19.1, ,
Windows $
.
,
.
, .
,
. 19.1, , .
, 0x00010000
. , 7 $
, $
, $
. $
, 0x00030000 0x00150000. ,
, ,
malloc() HeapAlloc(). , $
. ,
0x0012F000, .
, $
. , $
.
2 0x00D8D000. 0x00400000
,.exe, $
. $
DLL
kernel32.dll ntdll.dll. DLL $
Microsoft, , $
. , DLL
Portable Executable (PE). , $
. 19.1 $
.
, $
. $
0x00000000
0x00010000
0x00030000
0x0012F000
0x00150000
0x00400000
0x00D8D000
0x71AB0000
0x7C800000
KERNEL32.DLL
0x7C900000
NTDLL.DLL
0x7F000000
0x80000000
0xFFFFFFFF
. 19.1. Windows ( )
.1
, $ $
.
1
325
< ?
?
. $
. . $
. 19.2, $
, .
while(1):
    accept()
    recv()
    func1()
    unmarshal()
    parse()
    func2()
    ...
. 19.2.
$
. ,
,
j recv().
$
. unmarshal() $
,
. , , $
parse(), $
. parse() $
, $
, $
.
,
?
, $
, . $
$
,
, . $
, ,
, .
, ,
, $
.
, $
$
. $
, $
; 22
.
.
$
, SMTP, POP HTTP, $
RFC, ,
, . ,
$
, , $
. ,
, $ $
, . , $
, $
.
, ,
? , $
? $
Skype1
. EADS/CRC $
2, $
Skype (SKYPE$SB/2005$003)3. $
, , $
, ? $
.
.
1
2
http://www.skype.com
http://www.ossir.org/windows/supports/2005/2005+11+07/EADS+CCR_Fabri+
ce_Skype.pdf
http://www.skype.com/security/skype+sb+2005+03.html
327
, $
, , $
$
, , $
. ,
, , $
.
:
$
(mutation loop insertion, MLI). MLI , $
, $
parse(). MLI$
mutate() . $
, ,
,
. MLI$ $
$
.
, $
, . 19.3.
, ? $
. $
.
.
while(1):
    accept()
    recv()
    func1()
    unmarshal()
    parse()
    func2()
    ...
mutate()
. 19.3.
,
, , mutate().
, $
. , $
, , $
. 20
: , $
.
+
(snapshot restoration mutation, SRM).
MLI, , $
, $
parse(). , MLI, SRM
. ,
SRM$
. $
, , $
. $
, . 19.4.
, $
. 20 $
while(1):
    accept()
    recv()
    func1()
    unmarshal()
    snapshot()
    restore()
    parse()
    func2()
    ...
. 19.4.
329
, $
, . $
, , $
, .
, , $
.
$
. $ $
,
.
. , , $
POP, TCP$ 110. $
(, $
, ):
$ nc mail.example.com 110
+OK Hello there.
user pedram@openrce.org
+OK Password required.
pass xxxxxxxxxxxx
+OK logged in.
list
+OK
1 1673
2 19194
3 10187
... [output truncated]...
.
retr 1
+OK 1673 octets follow.
Return-Path: <ralph@openrce.org>
Delivered-To: pedram@openrce.org
[output truncated]
retr AAAAAAAAAAAAAAAAAAAAAAA
-ERR Invalid message number. Exiting.
$
RETR, ,
. $
$
$
. ,
4 .
.
, $
. MLI$, SRM$
, (
),
. $
,
. $
, , , $
Skype, .
. $
1 $
$
. $
,
, $
. . 19.5.
[Fig. 19.5 (diagram residue): read_string() returns "pedram" and parse_name() consumes it; mutate() in the loop substitutes "pedramAAAA..." and "pedram%s%s%s".]
http://en.wikipedia.org/wiki/Heisenberg_principle
331
, $
, $
.
.
$
, . $
, $
$
.
,
, $
.
.
,
HBGary LLC 1 $
2 Blackhat Security 2003 .
HBGary $
Inspector3. $
,
. , $
, $
.
$
. $
, , $
. , $
, $ http://www.fuzzing.org.
1
2
3
http://www.blackhat.com/presentations/bh+federal+03/bh+fed+03+hoglund.pdf
http://www.blackhat.com/presentations/bh+usa+03/bh+us+03+hoglund.pdf
http://hbgary.com/technology.shtml
20
:
, ,
.
$.,
,
$, ,
8 2004
$
. $
Windows UNIX, , $
, $
Windows. $
, 32$ Windows x86.
, ,
.
, .
$
, .
, , :
http://www.fuzzing.org.
.
, ,
x86 Windows,
. $
333
. , ,
, , , $
, 24
.
19
MLI SRM,
.
MLI ,
. SRM
, $
, $
.
. 20.1 20.2, $
recv()
func1()
unmarshal()
parse()
func2()
...
mutate()
. 20.1.
recv()
unmarshal()
func1()
parse()
func2()
...
. 20.2.
334
20. :
: , $
, , $
.
$
, Windows.
, , ,
.
.
. $
$
. 1 ,
,
(ESP), (ESP) (EBP)
(EAX, EBX, ECX, EDX,
ESI EDI). $
SRM. , , $
Windows $
, .
, $
SRM. $
, ,
MLI.
SRM MLI. ,
SRM,
MLI. MLI,
. $
, $
.
$
Windows,
1
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/context_str.asp
335
, ,
,
. , $
, C C++, $
, $
.
Perl, Python Ruby.
,
, , , . $
, Python, $
ctypes1 Python, . ctypes
Windows,
C $
Python . $
, , , $
GetCurrentProcessId(), kernel32.dll:
from ctypes import *
# create a convenience shortcut to kernel32.
kernel32 = windll.kernel32
# determine the current process ID.
current_pid = kernel32.GetCurrentProcessId()
print "The current process ID is %d" % current_pid
$
C. ctypes ,
, Python
(. 20.1).
20.1. C ctypes

ctypes     C type                   Python type
c_char     char                     1-character string
c_int      int                      int
c_long     long                     int
c_ulong    unsigned long            int
c_char_p   char * (NUL terminated)  string or None
c_void_p   void *                   int or None

http://starship.python.net/crew/theller/ctypes/tutorial.html
http://starship.python.net/crew/theller/ctypes/
$
. $
value.
byref().
, , c_char_p c_void_p, $
.
create_string_buffer().
raw. $
, ReadProcessMemory():
read_buf = create_string_buffer(512)
count    = c_ulong(0)
kernel32.ReadProcessMemory(h_process, \
                           0xDEADBEEF, \
                           read_buf, \
                           512, \
                           byref(count))
print "Successfully read %d bytes: " % count.value
print read_buf.raw
ReadProcessMemory() $
, $
; , ; $
, ; ,
, , , ,
, .
$
, $
, :
c_data = c_char_p(data)
length = len(data)
count  = c_ulong(0)
kernel32.WriteProcessMemory(h_process, \
                            0xC0CAC01A, \
                            c_data, \
                            length, \
                            byref(count))
print "Successfully wrote %d bytes: " % count.value
WriteProcessMemory() $
ReadProcessMemory().
,
; ; , $
; , , $
, ,
.
Windows
337
, $
.
, ,
, ,
.
Windows
19
Windows. $
, $ $
Windows, $
.
Windows Windows NT $
,
, . $
: 1, 2 3. $
,
. , , $
.
. $
, $
.
:
pi = PROCESS_INFORMATION()
si = STARTUPINFO()
si.cb = sizeof(si)
kernel32.CreateProcessA(path_to_file, \
                        command_line, \
                        0, \
                        0, \
                        0, \
                        DEBUG_PROCESS, \
                        0, \
                        0, \
                        byref(si), \
                        byref(pi))
1
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_functions.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_events.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_structures.asp
A CreateProcess: $
Windows Unicode,
ANSI. $
.
ctypes $
. , $
ANSI,
Unicode, MSDN. $
MSDN, , , CreateProcess1, $
: CreateProcessW (Unicode) CreateProcessA
(ANSI). PROCESS_INFORMATION STARTUP_INFO $
CreateProcess $
, , $
(pi.dwProcessId)
(pi.hProcess). $
, ,
DebugActiveProcess():
# attach to the specified process ID.
kernel32.DebugActiveProcess(pid)
# allow detaching on systems that support it.
try:
    kernel32.DebugSetProcessKillOnExit(True)
except:
    pass
, $
, , $
A W. DebugActiveProcess() $
. DebugActiveProcess()
, , ,
. DebugSetProcessKillOnExit()2 $
Windows XP; $
, ($
, ).
try/except
,
,
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/dllproc/
base/createprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/debugsetprocesskillonexit.asp
Windows
339
, Windows 2000. $
, $
.
( ) $
. ,
. , , $
, $
. $ $
. ,
, . $
. , ,
. $
, , $
. $
:
debugger_active = True
dbg             = DEBUG_EVENT()
continue_status = DBG_CONTINUE
while debugger_active:
    ret = kernel32.WaitForDebugEvent(byref(dbg), 100)
    # if no debug event occurred, continue.
    if not ret:
        continue
    event_code = dbg.dwDebugEventCode
    if event_code == CREATE_PROCESS_DEBUG_EVENT:
        # new process created
        pass
    elif event_code == CREATE_THREAD_DEBUG_EVENT:
        # new thread created
        pass
    elif event_code == EXIT_PROCESS_DEBUG_EVENT:
        # process exited
        pass
    elif event_code == EXIT_THREAD_DEBUG_EVENT:
        # thread exited
        pass
    elif event_code == LOAD_DLL_DEBUG_EVENT:
        # new DLL loaded
        pass
    elif event_code == UNLOAD_DLL_DEBUG_EVENT:
        # DLL unloaded
        pass
    elif event_code == EXCEPTION_DEBUG_EVENT:
        # an exception was caught
        pass
    # continue processing
    kernel32.ContinueDebugEvent(dbg.dwProcessId, \
                                dbg.dwThreadId, \
                                continue_status)
WaitForDebugEvent()1,
DEBUG_EVENT, , $
, $
. , $
DEBUG_EVENT dwDebug
EventCode. , ,
$
, , $
DLL . $
, ,
, u.Exception.Exception
Record.
ExceptionCode DEBUG_EVENT. MSDN2 $
, $
:
EXCEPTION_ACCESS_VIOLATION. , $
$
.
EXCEPTION_BREAKPOINT. $
.
EXCEPTION_SINGLE_STEP. $
.
EXCEPTION_STACK_OVERFLOW.
. $
;
.
$
. $
ContinueDebugEvent().
$
Windows, $
, ,
ctypes $
Windows. $
:
1
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/waitfordebugevent.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/exception_record_str.asp
341
?
$
?
$
?
?
?
,
$
. $
: . $
80x86 . $
, $
$, $, $
. $
, $
DR0 DR3 DR7. $
. DR7
, , $
, ,
(, ) . $
$
. , ,
; $
INT3, 0xCC.
$
, . ,
$ ,
. $
,
0xDEADBEEF. $
, ,
ReadProcessMemory, $
. 20.3.
, $
$ .
INT3 $
WriteProcessMemory, (. 20.4).
?
0xCC INT3.
[Fig. 20.3: original bytes at 0xDEADBEEF as seen by the debugger: 8B FF 55 8B EC]
[Fig. 20.4: INT3 (0xCC) written over the first byte: CC FF 55 8B EC at 0xDEADBEEF, which now disassembles as int3 / call [ebp-75] / in al, dx]
[Fig. 20.5: EXCEPTION_BREAKPOINT raised, EIP points at 0xDEADBEF0]
[Fig. 20.6: original byte 8B restored, EIP reset to 0xDEADBEEF]
$ . ,
(EIP, , $
, )
0xDEADBEF0, 0xDEADBEEF. $ ,
0xDEADBEEF INT3 $
, , EIP 0xDEAD$
BEEF+1. , EIP $
0xDEADBEEF, . 20.6.
0xDEADBEEF ,
. , $
EIP . ,
, $
, (EIP),
.
GetThreadCon
text()1, $
CONTEXT.
CONTEXT Set
ThreadContext()2, $
:
context = CONTEXT()
context.ContextFlags = CONTEXT_FULL
kernel32.GetThreadContext(h_thread, byref(context))
# rewind EIP by one byte so the restored original instruction is executed
context.Eip -= 1
kernel32.SetThreadContext(h_thread, byref(context))
,
.
?
, $
: ? . $
.
, , . $
, .
. $
, VMWare3,
. $
. $
4 ,
. $
.
$
. , $
1
3
4
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/getthreadcontext.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/setthreadcontext.asp
http://www.vmware.com
Greg Hoglund, Runtime Decompilation, BlackHat Proceedings
345
. $
, ,
. , $
.1 $,
, TH32CS_SNAP
THREAD:
thread_entry = THREADENTRY32()
contexts     = []
snapshot = kernel32.CreateToolhelp32Snapshot( \
    TH32CS_SNAPTHREAD, \
    0)
. ,
$
Thread32First(): dwSize
. Thread32
First(), $
:
thread_entry.dwSize = sizeof(thread_entry)
success = kernel32.Thread32First( \
    snapshot, \
    byref(thread_entry))
, , $
, (pid) $
.
, $
, , :
while success:
    if thread_entry.th32OwnerProcessID == pid:
        context = CONTEXT()
        context.ContextFlags = CONTEXT_FULL
        h_thread = kernel32.OpenThread( \
            THREAD_ALL_ACCESS, \
            None, \
            thread_entry.th32ThreadID)
        kernel32.GetThreadContext( \
            h_thread, \
            byref(context))
        contexts.append(context)
        kernel32.CloseHandle(h_thread)
    success = kernel32.Thread32Next( \
        snapshot, \
        byref(thread_entry))
http://msdn2.microsoft.com/en-us/library/ms686832.aspx
, ?,
$
.
. ,
32$ Windows x86
4 . 4 $
(0x00000000x7FFFFFFF).
$
, 4096 .
.
, , , $
, $
. , :
PAGE_READONLY
PAGE_EXECUTE_READ
PAGE_GUARD
PAGE_NOACCESS
, $
, .
$
VirtualQue
ryEx()1,
:
cursor        = 0
memory_blocks = []
read_buf      = create_string_buffer(length)
count         = c_ulong(0)
mbi           = MEMORY_BASIC_INFORMATION()

# assumed loop bound: walk the 32-bit user-space range
while cursor < 0x7FFFFFFF:
    save_block = True
    # reconstructed call (its text is garbled on the page; only the
    # continuation backslashes survive): VirtualQueryEx(hProcess,
    # lpAddress, lpBuffer, dwLength)
    bytes_read = kernel32.VirtualQueryEx(h_process, \
                                        cursor, \
                                        byref(mbi), \
                                        sizeof(mbi))
    if bytes_read < sizeof(mbi):
        break
http://msdn2.microsoft.com/en-us/library/aa366907.aspx
VirtualQueryEx() ,
, $
.
$
:
    if mbi.State != MEM_COMMIT or \
       mbi.Type == MEM_IMAGE:
        save_block = False
    if mbi.Protect & PAGE_READONLY:
        save_block = False
    if mbi.Protect & PAGE_EXECUTE_READ:
        save_block = False
    if mbi.Protect & PAGE_GUARD:
        save_block = False
    if mbi.Protect & PAGE_NOACCESS:
        save_block = False
,
,
ReadProcessMemory()1
$
. , ,
, :
    if save_block:
        kernel32.ReadProcessMemory(h_process, \
                                   mbi.BaseAddress, \
                                   read_buf, \
                                   mbi.RegionSize, \
                                   byref(count))
        memory_blocks.append((mbi, read_buf.raw))
    cursor += mbi.RegionSize
, , , . ,
, $
, PAGE_READONLY,
? $
; . $
, ? ,
,
http://msdn2.microsoft.com/en+us/library/ms680553.aspx
.
: $
, $
, , .
, $
$
.
?
,
.
$
. , ,
. $
, $
; , , $
. $
23 .
,
.
?
. $
, , $
. $
:
.
PyDbg,
, , , $
. , , $
( ),
Python PyDbg.1
? , $
. , . $
; , $
, , $ .
http://openrce.org/downloads/details/208/PaiMei
PyDbg,
349
PyDbg
Windows . $
PyDbg :
, ;
, , ;
, ;
, ;
$
( SRM);
;
PyDbg,
PID 123
:
from pydbg import *
from pydbg.defines import *
dbg = pydbg()
dbg.attach(123)
dbg.debug_event_loop()
, , $
. , $
$
Winsock recv() ,
$
:
from pydbg import *
from pydbg.defines import *

ws2_recv = None

def handler_bp (pydbg, dbg, context):
    global ws2_recv
    exception_address = \
        dbg.u.Exception.ExceptionRecord.ExceptionAddress
    if exception_address == ws2_recv:
        print "ws2.recv() called!"
    return DBG_CONTINUE

dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_bp)
dbg.attach(123)
ws2_recv = dbg.func_resolve("ws2_32", "recv")
dbg.bp_set(ws2_recv)
dbg.debug_event_loop()
$
. handler_bp(),
. PyDbg.
DEBUG_EVENT1 $
$
. $
, .
, ,
, $
Winsock recv(). , . $
PyDbg DBG_CONTINUE, $
,
PyDbg $
. ,
set_callback(), PyDbg.
,
PyDbg
. $
$
. , func_resolve()
bp_set(). $
recv() Windows ws2_32.dll
. $
. $
recv() Winsock
ws2.recv() $
. , ,
,
.
$
, , ,
.
$ fuzzing.org fuzz_client.exe fuzz_ser$
ver.exe, .
. $
, , $
. $ $
. TCP$ 11427 $
. $
, .
1
http://msdn2.microsoft.com/en+us/library/ms686832.aspx
351
? $ , , $
, $
. :
$ ./fuzz_server.exe
Listening and waiting for client to connect...
, .
IP$ . , $
:
$ ./fuzz_client.exe 192.168.197.1 'sending some data'
connecting....
sending...
sent...
192.168.197.1 $
sending some data ( $ ).
:
client connected.
received 17 bytes.
parsing: sending some data
exiting...
17 ,
. , $
, $
. , ,
TCP, $
, Ethereal1 . 20.7.
. 20.7. + Ethereal
1
, , , , $ $
, . ,
, ,
, $
.
.
, $
. ,
, ,
.
, , , $
.
,
( ,
, ). $
fuzz_ser$
ver.exe , .
fuzz_server.exe $
. .
$
? . $
,
? ,
. OllyDbg1, $
Windows, .
OllyDbg, $
, ,
. , , $
, fuzz_server.exe . ,
TCP, fuzz_server.exe OllyDbg
recv() WS2_32.dll. , ,
WS2_32.dll Ctrl+N,
(. 20.8).
recv() F2, .
F9, $
, fuzz_client ,
. OllyDbg $
fuzz_server,
. Alt+F9
.
1
http://www.ollydbg.de
353
fuzz_server, WS2_32. $
F8 , printf(), $
, $
. , . 20.9,
, fuzz_server
0x0040100F.
. 20.9. OllyDbg
OllyDbg , $
, Ethereal.
0x0040100F $
?
: $
, . ,
. 20.10, $
.
! ,
. $
, , $
0x00401005, , printf(). $
, exiting printf(), , $
fuzz_server, , $
.
. F9, $
0x00401450, $
, . 20.11.
, $
$
ESP+4.
.
. 20.10. OllyDbg
355
. 20.11. OllyDbg
, $
. $
, , $
. $
. Ctrl+9
, F7 F8,
, ,
. 20.12, printf() exiting[el].
printf()
0x004012b7, , fuzz_server $
exiting[el] . ,
, fuzz_server $
, .
, 0x0040100F $
. , 0x00401450 $
. $
.
0x004012b7 ,
printf("exiting[el]"). $
, , . 20.13 $
, .
356
20. :
. 20.12. OllyDbg
recv()
0x0040100F()
0x00401450()
printf(exiting...)
. 20.13.
PyDbg $
$
, .
,
357
$
. PyDbg, $
PyDbg, (
), , $
,
, , $
:
from pydbg import *
from pydbg.defines import *
import time
import random

snapshot_hook  = 0x00401450
restore_hook   = 0x004012B7
snapshot_taken = False
hit_count      = 0
address        = 0

# handle_bp() and handle_av() are the callbacks defined further on.
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT,        handle_bp)
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION,  handle_av)

found_target = False

for (pid, proc_name) in dbg.enumerate_processes():
    if proc_name.lower() == "fuzz_server.exe":
        found_target = True
        break

if found_target:
    dbg.attach(pid)
    dbg.bp_set(snapshot_hook)
    dbg.bp_set(restore_hook)

    print "entering debug event loop"
    dbg.debug_event_loop()
else:
    print "target not found."
.
$
. ,
PyDbg.
$
, : 1) $
, , 2) ,
, $ ($ $
), 3) , .
,
. , $
358
20. :
, $
.
, $
, (
), ( $
).
PyDbg $
http://pedram.redhi+
ve.com/PaiMei/docs/PyDbg/.
def handle_av (pydbg, dbg, context):
    exception_record  = dbg.u.Exception.ExceptionRecord
    exception_address = exception_record.ExceptionAddress
    write_violation   = exception_record.ExceptionInformation[0]
    violation_address = exception_record.ExceptionInformation[1]

    try:
        disasm = pydbg.disasm(exception_address)
    except:
        disasm = "[UNRESOLVED]"
        pass

    print "*** ACCESS VIOLATION @%08x %s ***" % \
        (exception_address, disasm)

    if write_violation:
        print "write violation on",
    else:
        print "read violation on",

    print "%08x" % violation_address

    try:
        print pydbg.dump_context(context, 5, False)
    except:
        pass

    print "terminating debuggee"
    pydbg.terminate_process()
$
, OllyDbg.
$
, JIT (just$in$time)1 . $
:
def handle_av (pydbg, dbg, context):
    pydbg.detach()
    return DBG_CONTINUE
1
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/debugging_terminology.asp
359
, $
. 20.14.
. 20.14.
JIT$, ,
.
, $
. , $
fuzz_server
, .
PyDbg $
, .
, ,
,
exception_address:
def handle_bp (pydbg, dbg, context):
    global snapshot_hook, restore_hook
    global snapshot_taken, hit_count, address

    exception_address = \
        dbg.u.Exception.ExceptionRecord.ExceptionAddress
, , $
. ,
hit_count $
:
    if exception_address == snapshot_hook:
        hit_count += 1
        print "snapshot hook hit #%d\n" % hit_count
snapshot_taken.
fuzz_server , $
, PyDbg process_snapshot().
360
20. :
True:
        # if a process snapshot has not yet been
        # taken, take one now.
        if not snapshot_taken:
            start = time.time()
            print "taking process snapshot...",
            pydbg.process_snapshot()
            end = time.time() - start
            print "done. took %.03f seconds\n" % end
            snapshot_taken = True
, if, $
.
.
hit_count, $
,
. .
( , $
), $
virtual_free() PyDbg:
        if hit_count >= 1:
            if address:
                print "freeing last chunk at",
                print "%08x" % address
                pydbg.virtual_free( \
                    address,
                    1000,
                    MEM_DECOMMIT)
if hit_count >= 1,
fuzz_server $
virtual_alloc() PyDbg.
. $
? , $
, $
fuzz_server $
. $
:
,
:
            print "allocating memory for mutation"
            address = pydbg.virtual_alloc( \
                None,
                1000,
                MEM_COMMIT,
                PAGE_READWRITE)
            print "allocation at %08x\n" % address
361
, $
ASCII
$
. A,
ASCII.
:
            print "generating mutant..."
            # 750 'A's with one random printable byte inserted, NUL-terminated
            fuzz = "A" * 750
            random_index = random.randint(0, 750)
            mutant  = fuzz[0:random_index]
            mutant += chr(random.randint(32, 126))
            mutant += fuzz[random_index:]
            mutant += "\x00"
            print "done.\n"
$
write_process_memory()
PyDbg:
            print "writing mutant to target memory"
            pydbg.write_process_memory(address, mutant)
            print
, $
. , . 20.11
, ,
, 4, $
. :
            print "modifying function argument"
            # the first argument sits at ESP+4; overwrite it with a
            # little-endian pointer to the mutant buffer
            pydbg.write_process_memory( \
                context.Esp + 4,
                pydbg.flip_endian(address))
            print
            print "continuing execution...\n"
,
, if, $
$
.
process_resto
re() PyDbg.
:
    if exception_address == restore_hook:
        start = time.time()
        print "restoring process snapshot...",
        pydbg.process_restore()
        end = time.time() - start
        print "done. took %.03f seconds\n" % end
        # the restore wipes the breakpoint, so re-arm it
        pydbg.bp_set(restore_hook)

    return DBG_CONTINUE
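The hook logic above is tied to PyDbg and a Windows target. The following is an added example, not code from the book or from PyDbg: a Python 3 model of the same snapshot / restore mutation state machine against a fake address space, so the control flow (first hit only snapshots, every later hit frees the previous chunk, allocates a new one, writes a mutant and repoints the argument at ESP+4) can be exercised and tested offline. The class and function names (SrmHook, FakeMemory, run_iterations) and the 64 KiB spacing of fake allocations are assumptions of this example; the 750 'A's, the single inserted printable byte, the NUL terminator, the 1000-byte chunks and the little-endian pointer at ESP+4 follow the script on the page.

```python
# Added example: offline model of the SRM hook (not PyDbg, not the book's code).
import random
import struct

CHUNK_SIZE  = 1000   # size passed to virtual_alloc / virtual_free on the page
FUZZ_LENGTH = 750    # length of the base "A" string
ARG_OFFSET  = 4      # first stack argument lives at ESP+4


class FakeMemory:
    """Stand-in for the debuggee address space (constructed for this example)."""

    def __init__(self, base=0x003C0000):
        self.next_address = base
        self.chunks = {}                  # address -> bytes

    def alloc(self, size):
        address = self.next_address
        self.next_address += 0x10000      # assumption: one chunk per 64 KiB
        self.chunks[address] = b"\x00" * size
        return address

    def free(self, address):
        del self.chunks[address]

    def write(self, address, data):
        self.chunks[address] = data


def generate_mutant(rng, length=FUZZ_LENGTH):
    """Insert one random printable byte into a run of 'A's and NUL-terminate,
    mirroring the mutation step of handle_bp()."""
    fuzz = b"A" * length
    index = rng.randint(0, length)
    return fuzz[:index] + bytes([rng.randint(32, 126)]) + fuzz[index:] + b"\x00"


class SrmHook:
    """State behind the two breakpoints: snapshot/mutate hook at the parser's
    entry, restore hook before the process would exit."""

    def __init__(self, memory, rng):
        self.memory = memory
        self.rng = rng
        self.snapshot_taken = False
        self.hit_count = 0
        self.address = None               # chunk holding the current mutant
        self.restores = 0

    def on_snapshot_hook(self, esp, stack):
        """`stack` models the debuggee stack as address -> 4 raw bytes.
        Returns the mutant written, or None when only a snapshot was taken."""
        self.hit_count += 1
        if not self.snapshot_taken:
            self.snapshot_taken = True    # first hit: record the clean state only
            return None
        if self.address is not None:
            self.memory.free(self.address)   # release last iteration's chunk
        self.address = self.memory.alloc(CHUNK_SIZE)
        mutant = generate_mutant(self.rng)
        self.memory.write(self.address, mutant)
        # flip_endian(address) on the page == little-endian pointer encoding
        stack[esp + ARG_OFFSET] = struct.pack("<I", self.address)
        return mutant

    def on_restore_hook(self):
        self.restores += 1
        return self.snapshot_taken


def run_iterations(n, seed=1):
    """Drive the hook n times as fuzz_server would: snapshot hook, parse,
    restore hook. Returns the hook, the modelled stack and all mutants."""
    memory = FakeMemory()
    hook = SrmHook(memory, random.Random(seed))
    esp, stack = 0x0012FF00, {}
    mutants = []
    for _ in range(n):
        mutant = hook.on_snapshot_hook(esp, stack)
        if mutant is not None:
            mutants.append(mutant)
        hook.on_restore_hook()
    return hook, stack, mutants
```

Running `run_iterations(3)` reproduces the shape of the log on the page: the first hit only snapshots, the second allocates and mutates, the third frees the previous chunk before allocating again, and the stack slot at ESP+4 always points at the newest chunk.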
$
:
$ ./fuzz_server.exe
Listening and waiting for client to connect...
:
$ ./chapter_20_srm_poc.py
entering debug event loop
:
$ ./fuzz_client.exe 192.168.197.1 sending some data
connecting....
sending...
sent...
,
, $
:
snapshot / mutate hook point hit #1
taking process snapshot... done. took 0.015 seconds
, .
, fuzz_server $
:
received 17 bytes.
parsing: sending some data
exiting...
, $
$
:
restoring process snapshot... done. took 0.000 seconds
fuzz_server
, . $
, hit_count 1,
:
snapshot / mutate hook point hit #2
allocating chunk of memory to hold mutation
memory allocated at 003c0000
generating mutant... done.
writing mutant into target memory space
modifying function argument to point to mutant
363
continuing execution...
, $
fuzz_server, .
, fuzz_server
:
parsing:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
exiting...
), $
. Fuzz_server $
, , $
. $
,
, . $
, $
, $
, :
continuing execution...
restoring process snapshot... done. took 0.016 seconds
snapshot / mutate hook point hit #265
freeing last chunk at 01930000
allocating chunk of memory to hold mutation
memory allocated at 01940000
generating mutant... done.
writing mutant into target memory space
modifying function argument to point to mutant
continuing execution...
*** ACCESS VIOLATION @41414141 [UNRESOLVED] ***
read violation on 41414141
terminating debuggee
265$ SRM$
, , $
364
20. :
. @41414141 ,
0x41414141,
,
. 0x41 $
ASCII A. , $
, $
. ,
, , $
, .
, , $
$
( $
).
$
.
. ,
. ,
$
.
, , .
, $
, , $
$
, . PyDbg $
,
. http://www.fuzzing.org
. ,
, , $
,
.
, , ,
.
24, $
.
III
21.
22.
23.
24.
21
,
, ,
: ,
.
.
$.,
, ,
17 2002
, $
.
; $
, $
, . , $
SMTP$ $
, Microsoft Exchange,
Sendmail, qmail . .
, $
, ,
, .
,
, $
$
.
.
368
21.
$
, SPIKE,
, (
, ).
, Autodafej GPF. $
, , $
$
, .
$
. ,
, $
, .
?
, $
, C, Python
Ruby. , $
$
. , $
Peach Python, dfuz $
( ,
).
, . $
;
. ,
,
.
$
.
,
, $
, $
. $
,
,
.
$
. $
TLV (type, length, value , , $
), ASN.1.1 :
http://en.wikipedia.org/wiki/Asn.1
369
, $
, 0x01 0x02 $
. , $
. ,
, , ;
. .
01
00 07
F U Z Z I N G
(Value)
. $
$
, $
. , $
,
(CRC, Calculat$
ing Cyclic Redundancy Check)1 $
. CRC
. PNG, $
, CRC, $
, CRC
. $
, $
, CRC $
. $
(DNP3, Distributed Network Protocol)2,
(SCADA, Supervisory Control and Data Acquisition). $
250$ ,
CRC$16! ,
: IP$ ,
,
.
, , $
$
.
1
2
http://en.wikipedia.org/wiki/Cyclic_redundancy_check
http://www.dnp.org/
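As an added illustration of the point above (not code from the book or from any fuzzer it describes), here is a small Python 3 codec for the [type][length][value] layout shown, together with a PNG-style chunk that carries a trailing CRC-32. It shows why a fuzzer that mutates the value without recomputing the length and checksum gets its test case rejected at the integrity check, before the parser ever sees the mutated data. The function names are hypothetical; the 1-byte type, 2-byte big-endian length and the value FUZZING are the page's own example, and zlib.crc32 is the polynomial PNG uses.

```python
# Added example: TLV and CRC-protected chunk codec (not the book's code).
import struct
import zlib


def encode_tlv(type_id, value):
    """[type:1][length:2 big-endian][value]; encode_tlv(1, b"FUZZING") gives 01 00 07 'FUZZING'."""
    if not 0 <= type_id <= 0xFF or len(value) > 0xFFFF:
        raise ValueError("field does not fit the TLV header")
    return struct.pack(">BH", type_id, len(value)) + value


def parse_tlv(data):
    """Return a list of (type, value) records; refuse a length that overruns the input."""
    records, offset = [], 0
    while offset + 3 <= len(data):
        type_id, length = struct.unpack_from(">BH", data, offset)
        offset += 3
        if offset + length > len(data):
            raise ValueError("length %d runs past end of input" % length)
        records.append((type_id, data[offset:offset + length]))
        offset += length
    return records


def encode_chunk(chunk_type, value):
    """PNG-like chunk: [length:4][type:4][data][crc32 over type+data]."""
    body = chunk_type + value
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(value)) + body + struct.pack(">I", crc)


def chunk_crc_ok(chunk):
    """What a parser does before touching the data: verify the stored CRC."""
    (length,) = struct.unpack_from(">I", chunk, 0)
    body = chunk[4:8 + length]
    (stored,) = struct.unpack_from(">I", chunk, 8 + length)
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def mutate_value(chunk, new_value, fix_up=True):
    """Replace a chunk's data. fix_up=False leaves the old length and CRC in
    place (a blind mutation); fix_up=True recomputes both, which is what a
    protocol-aware fuzzer must do for the case to reach the parser."""
    chunk_type = chunk[4:8]
    if fix_up:
        return encode_chunk(chunk_type, new_value)
    (length,) = struct.unpack_from(">I", chunk, 0)
    stale_crc = chunk[8 + length:12 + length]
    return chunk[:8] + new_value + stale_crc
```

The same fix-up applies to the DNP3 case mentioned above: with a CRC every 16 bytes, a random mutation has to land in a way that keeps all the intermediate checksums valid, which is why blind mutation of such protocols rarely gets past the framing layer.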
370
21.
,
.
.
, ,
. $
$
(%n%n%n%n) (../../../).
, ,
;
.
; $
24 $
. $
,
.
. $
, $
, .
$
, $
. $
,
.
$
$
: 0x41 0x42, \x41 \x42, 4142 . .
(. 23 ) $
. $
, .
, $
$
$
.
$
, .
,
,
$
.
371
$
, , $
.
, , , $
. $
$
.
Antiparser1
Antiparser , Python
$
, .
, $
,
Python. $
.
antiparser; $
. antiparser ,
.
:
apChar() C;
apCString() , . . , $
;
apKeywords() , $
, ;
apLong() 32$ ;
apShort() 16$ ;
apString() .
apKey
words(). ,
,
, , . $
[ ] [] [ ] [$
].
Antiparser evilftpclient.py, $
apKeywords(). , $
,
. Python $
evilftpclient.py, $
1
http://antiparser.sourceforge.net/
372
21.
FTP$ $
FTP. $
, , , $
FTP$.
.
from antiparser import *

CMDLIST = ['ABOR', 'XCWD', 'MACB', 'PASV', 'RETR', 'SITE', 'SYST', 'ALLO',
           'DELE', 'MODE', 'PORT', 'RMD',  'SIZE', 'TYPE', 'APPE', 'HELP',
           'MTMD', 'PWD',  'XRMD', 'STAT', 'USER', 'CDUP', 'LIST', 'NLST',
           'XPWD', 'REST', 'STOR', 'XCUP', 'MKD',  'NOOP', 'QUIT', 'RNFR',
           'STRU', 'CWD',  'XMKD', 'PASS', 'REIN', 'RNTO', 'STOU']
$
antiparser, FTP, $
() $
( ). $
FTP
, antiparser. $
apKeywords(). $
, , $
( , $
). $
373
$ .
apKeyword() $
. FTP$
$
, , , .
, setMode('incremental') setMaxSize(65536), $
,
65 336. $
,
$
ap.permute(). , $
.
, , .
, apKeywords(), antiparser, $
. $
, ap.getPayload(),
sock.sendTCP().
, antiparser . FTP$$
Python $
. $
, , $
antiparser $
.
, $
, , $
TLV. ,
,
, , (
2.0, 2005 ).
,
.
Dfuz1
Dfuz C; $
. $
, $
, Mi$
crosoft, Ipswitch RealNetworks.
, $
$ $
.
http://www.genexx.org/dfuz/
374
21.
. , $
, , $
( README). $
, ,
. Dfuz $
UNIX/Linux $
. $
, $
.
; $
.
, Dfuz, $
, , , , . $
,
$
. $
:
var my_variable = my_data
var ref_other = "1234",$my_variable,0x00
var,
$ ( Perl PHP). $
. , , $
antiparser, ,
.
Dfuz ,
. , $
, (%).
:
%attach() , Enter Return.
,
. , $
,
,
%attach() , $
.
%length() or %calc() $
. , %length("AAAA") $
0x04 . $
32 , $
8 %length:uint8() 16
%length:uint16().
375
%put:<size>(number) $
. ,
uint8, uint16 uint32 .
%random:<size>() $
. , %put(),
, uint8,
uint16 uint32 .
%random:data(<length>,<type>)
. ,
. , $
; ASCII, $
, .
%dec2str(num) $
. , %dec2str(123) 123.
%fry() .
"AAAA",%fry(), , , $
AAAA
.
%str2bin() $
. ,
4141, 41 41 41$41 AA.
. $
, , ,
. $
$
$. $
,
( . ):
var my_variable1 = "a string"
var my_variable2 = 0x41,|0xdeadbeef|,[Px50],[\x41*200],100
list,
, begin, , $
,
end. $
. :
list my_list:
begin
some_data
more_data
even_more_data
end
376
21.
, ,
, ($). $
, , Perl PHP,
$
: $my_list[1]. $
rand: $my_list[rand].
.
:
keep_connecting , $
;
big_endian $
( );
little_endian
( );
tcp , $
TCP;
udp , $
UDP;
client_side ,
, , ;
server_side ,
, , , $
;
use_stdout $
(), ,
.
stdout.
,
, Dfuz FTP,
POP3, Telnet SMB ( ).
, ftp:user(), ftp:pass(),
ftp:mkd(), pop3:user(), pop3:pass(), pop3:dele(), telnet:user(), telnet:
pass(), smb:setup() . . (. Dfuz $
).
$
. $
, $
( ) $
FTP$:
port=21/tcp
peer write: @ftp:user("user")
peer read
peer write: @ftp:pass("pass")
peer read
peer write: "CWD /", %random:data(1024,alphanum), 0x0a
peer read
peer write: @ftp:quit()
peer read
repeat=1024
wait=1
# No Options
, $
TCP, 21.
, , . peer read
peer write , $
, .
FTP $
FTP.
(CWD) $
. CWD 1024 $
$ , $
(0x0a). , .
, repeat, , $
1024 . $
Dfuz $
FTP$, CED $
1024 $
.
Dfuz ,
. stdout ( $
)
, $
. Dfuz
, $
. , $
, . $
,
;
$
, $
. Dfuz $
, $
, , $
Peach. : $
. , Dfuz
$
, .
378
21.
SPIKE1
SPIKE , , $
. SPIKE C
,
. $
SPIKE ,
(GPL)2
GNU. $
SPIKEfile, $
,
(. 12 : $
UNIX). SPIKE
, , . $
,
SPIKE, ,
. $
$
. $
, ,
$
:3
s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
    s_binary("01020304");
s_block_end("somepacketdata");
SPIKE ( SPIKE C) $
somepacketdata ( $ $
), 0x01020304
.
4 $
. ,
SPIKE s_, spike_.
s_binary() $
$
,
, 4141 \x41
0x41 41 00 41 00. , $
SPIKE. SPIKE
, $
1
2
3
http://www.immunitysec.com/resources+freesoftware.shtml
http://www.gnu.org/copyleft/gpl.html
http://www.immunitysec.com/downloads/advantages_of_block_based_analy+
sis.pdf
379
. $
:
s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
    s_binary("01020304");
    s_blocksize_halfword_bigendian("innerdata");
    s_block_start("innerdata");
        s_binary("00 01");
        s_binary_bigendian_word_variable(0x02);
        s_string_variable("SELECT");
    s_block_end("innerdata");
s_block_end("somepacketdata");
somepacketdata innerdata ($
). , $
. in$
nerdata (0x0001),
0x02,
SELECT. s_bina
ry_bigendian_word_variable() s_string_variable() $
( ) ,
. $
SPIKE
, .
, SPIKE $
. $
SPIKE/src/spike.c.
2.9 , $
700 , .
, $
, , $
$
. $
.
SPIKE.
: $
FTP, SPIKE. $
SPIKE,
, :
s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" ");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");
SPIKE , $
$
, . , $
,
, $
.
$
, SPIKE $
, $
, .
.
$
SPIKE $
Microsoft Windows, SPIKE $
UNIX, $
381
SPIKE Windows
Cygwin.1 , $
, $
, , $
.
. , $
,
.
SPIKE
, $
. SPIKE $
, proxy$, $
$$
. $
, SPIKE,
, . $
, , , $
: SPIKE
.
Peach2
Peach, IOACTIVE 2004 , $
, Py$
thon. Peach , $
.
Peach, , $
, $
. , ,
(peach, fuzz ?3).
,
, , , $
, .
$
.
. $
$
$
. , ,
, SMTP$. $
1
2
3
http://www.cygwin.com/
http://peachfuzz.sourceforge.net
Peach ,
fuzz . . .
382
21.
$
, .
$.
base64, gzip HTML. $
$
. ,
, URL,
gzip. $
$
. $
, $
.
(publishers) $
.
TCP.
$
.
Peach , $
. , , $
GIF. $
$
.
$
, , $
. Peach $
. , Script, $
, $
,
group.next() protocol.step().
, $
Peach, $
FTP $
:
from Peach            import *
from Peach.Transformers import *
from Peach.Generators   import *
from Peach.Protocols    import *
from Peach.Publishers   import *

loginGroup = group.Group()
loginBlock = block.Block()
loginBlock.setGenerators((
    static.Static("USER username\r\nPASS "),
    dictionary.Dictionary(loginGroup, "dict.txt"),
    static.Static("\r\nQUIT\r\n")
))

loginProt = null.NullStdout(ftp.BasicFtp('127.0.0.1', 21), loginBlock)
script.Script(loginProt, loginGroup, 0.25).go()
Peach.
. $
, . $
.
.
FTP
, . $
FTP.
, $
. ,
,
.
,
Peach. Peach $
, Autodafej Dfuz.
Peach , $
$
, , $
. , , $
$
, , ,
, $
. , gzip $
, $
, HTTP $
. Peach.
, .
Peach Python,
Python. , $
, $
Python, Microsoft COM1 Microsoft .NET, Peach
Active X $
. DLL
Microsoft Windows, Peach C/C++
, .
Peach , $
0.5
1
http://en.wikipedia.org/wiki/Component_Object_Model
384
21.
( 2006 ). Peach
, , , $
$
. $ $
, $
, .
Peach
. ,
Ruby Peach, $
.
1
(GPF, General Purpose Fuzzer)
Applied Security.
.2
GPF , $
GPL;
UNIX. , GPF $
; SPIKE, $
.
, ,
. $
GPF ,
, , $
. GPF $
, PureFuzz ( $
), Convert (), GPF ( ), Pattern
Fuzz ( ) SuperGPF.
PureFuzz ;
, /dev/urandom . $
, $
, $
. $
PureFuzz netcat /dev/urandom $
, PureFuzz $
, $
. , , PureFuzz $
,
, .
1
2
http://www.appliedsec.com/resources.html
general purpose fuzzer $
general protection fault.
. .
385
http://www.ethereal.com
http://www.wireshark.org
386
21.
GPF .
GPF, .
tokAids , $
SPIKE, , ,
. , $
$
:
GPF ftp.gpf client localhost 21 ? TCP 8973987234 100000 0 + 6 6 100 100 5000 43 finish 0 3 auto none G b
, GPF
. $
, , $
.
ASCII
. $
GPF ,
!
, PureFuzz GPF, $
,
, .
,
, BrightStor ARC$
serve Backup Computer Associates. 2005 $
, Microsoft
SQL Server1, $
. , , $
, 3168 $
, TCP 6070.
,
.
$
, PureFuzz, ,
.
1
http://labs.idefense.com/intelligence/vulnerabilities/display.php?
id=287
387
$
. $
22 .
Autodafe1
Autodafej : SPIKE $
,
. Autodafej
, GPL
GNU $
UNIX. SPIKE,
Autodafej .
Autodafej,
2 ,
Autodafej; SPIKE
:
string("dummy");
string_uni("dummy");
hex(0x0a 0a \x0a);
block_begin("block");
block_end("block");
block_size_b32("block");
block_size_l32("block");
block_size_b16("block");
block_size_l16("block");
block_size_8("block");
block_size_8("block");
block_size_hex_string("a");
block_size_dec_string("b");
block_crc32_b("block");
block_crc32_l("block");
send("block");
recv("block");
fuzz_string("dummy");
fuzz_string_uni("dummy");
fuzz_hex(0xff ff \xff);
$
.
Autodafej $
$
,
1
2
http://autodafe.sourceforge.net
http://autodafe.sourceforge.net/docs/autodafe.pdf
388
21.
.
. Autodafej:
fuzz_string("GET");
string(" /");
fuzz_string("index.html");
string(" HTTP/1.1");
hex(0d 0a);
$ $
HTTP, $
. , Autodafej $
, 500 .
, ,
500 , 1000
. $
, , ,
. Autodafej $
$
. Autodafej ,
, ( ). $
$
,
,
.
Autodafej $
adbg. $
,
, FileFuzz (. 13
: Windows), Autodafej $
, $
. Autodafej
,
strcpy(), , fprintf(),
.
.
$
, , .
. $
, $
, . , $
, $
. $
,
. $
, , $
: Shockwave Flash
389
. $
,
,
.
Autodafej ,
. $
, PDML2AD, PDML (
), Ethereal
Wireshark Autodafej.
750 ,
,
$
. , PDML2AD
, $
hex(),
string() . . , TXT2AD
, Autodafej. $
, ADC Autodafej. ADC
Autodafej, $
,
.
Autodafej , $
, SPIKE. $
Autodafej SPIKE. $
, $
. ,
, Microsoft
Windows
. $
; $
, .
:
Shockwave Flash
. $, $
, http://www.fuzz+
ing.org. ,
. $
, , $
. ,
390
21.
, , ,
. $
.
,
, , $
.
$
$
. $
Mac$
romedia Shockwave Flash (SWF)1 Adobe
,
.
Shockwave Flash
, Flash Player $
. $
Microsoft Windows
Flash Player .
SWF $
, $
.
, $
2 $ $
http://www.fuzzing.org.
SWF $
. $, SWF
Adobe Macromedia
Flash (SWF) Flash Video (FLV).3 $
8$ . $
,
,
. $
$
, Adobe Macromedia. $
, SWF $
, $
,
1
2
http://www.macromedia.com/software/flash/about/
Tipping$
Point.
http://www.adobe.com/licensing/developer/
: Shockwave Flash
391
. SWF
, $
, . $
, $
, , .
SWF
$
SWF ,
. SWF ,
; $
:
[Header]
    <magic>
    <version>
    <length>
    <rect>
        [nbits]
        [xmin]
        [xmax]
        [ymin]
        [ymax]
    <framerate>
    <framecount>
[FileAttributes Tag]
[Tag]
    <header>
    <data>
        <datatypes>
        <structs>
        ...
[Tag]
    <header>
    <data>
        <datatypes>
        <structs>
        ...
...
[ShowFrame Tag]
[End Tag]
:
magic SWF
FWS;
version , $
Flash, ;
392
21.
length ,
SWF ;
rect :
nbits ;
:
xmin, xmax, ymin ymax. $
,
Flash. ,
, , Flash,
1/20 .
rect
. nbits 3, rect
5 + 3 + 3 + 3 + 3 = 17 .
nbits 4, rect 5 + 4 + 4 +
4 + 4 = 21 .
.
SWF.
, $
Flash. , FileAttributes, $
8$ Flash; , $
. $, , SWF$
, . $
, ,
, $
. $, , Flash
Player SWF$ . $
SWF ,
: $
. : , ,
. ,
. Flash Player , $
ShowFrame, $
. SWF End.
,
2 , . $
.
63 , $
: [ $
] [ ] [].
, $
, : [$
] [111111] [$
] []. , $
: Shockwave Flash
393
SWF $
.
.
. ,
SWF, ( $
). , $
! .
, $
$
. , $
, $
, .
Python $
.
,
(), (), (), $
(), 8$, 16$, 32$
64$ . $
Sulley ( $
Sulley,
):
import struct
import random

BIG_ENDIAN    = ">"
LITTLE_ENDIAN = "<"

class bit_field (object):
    def __init__ (self, width, value=0, max_num=None):
        assert type(value) in (int, long)

        self.width   = width
        self.max_num = max_num
        self.value   = value
        self.endian  = LITTLE_ENDIAN
        self.static  = False
        self.s_index = 0

        if self.max_num == None:
            self.max_num = self.to_decimal("1" * width)

    def flatten (self):
        # pad the bit stream to the next byte boundary. (The "if" branch was
        # lost at a page break in the extraction; it is reconstructed from the
        # surviving "else": a width that is already a multiple of 8 needs no pad.)
        if self.width % 8 == 0:
            bit_stream  = self.to_binary()
        else:
            bit_stream  = "0" * (8 - (self.width % 8))
            bit_stream += self.to_binary()

        flattened = ""

        # convert the bit stream from a string of bits into raw bytes.
        for i in xrange(len(bit_stream) / 8):
            chunk      = bit_stream[8*i:8*i+8]
            flattened += struct.pack("B", self.to_decimal(chunk))

        # if necessary, convert the endianess of the raw bytes.
        if self.endian == LITTLE_ENDIAN:
            flattened = list(flattened)
            flattened.reverse()
            flattened = "".join(flattened)

        return flattened

    def to_binary (self, number=None, bit_count=None):
        '''
        @type  number:    Integer
        @param number:    (Opt., def=self.value) Number to convert
        @type  bit_count: Integer
        @param bit_count: (Opt., def=self.width) Width of bit string

        @rtype:  String
        @return: Bit string
        '''

        if number == None:
            number = self.value

        if bit_count == None:
            bit_count = self.width

        return "".join(map(lambda x:str((number >> x) & 1), \
                           range(bit_count - 1, -1, -1)))

    def to_decimal (self, binary):
        return int(binary, 2)

    def randomize (self):
        # body missing from the extracted page; reconstructed from the method's
        # description: choose a random value within the field's range.
        self.value = random.randint(0, self.max_num)

    def smart (self):
        # the "def smart" line fell at a page break; smart_cases belongs to it.
        smart_cases = \
        [
            0,
            self.max_num,
            self.max_num / 2,
            self.max_num / 4,
            # etc...
        ]

        self.value    = smart_cases[self.s_index]
        self.s_index += 1

# the listing on the page unpacks raw values with an unbound name "endian";
# the field default is little-endian, so LITTLE_ENDIAN is used here.
class byte (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "B", value)[0]

        bit_field.__init__(self, 8, value, max_num)

class word (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "H", value)[0]

        bit_field.__init__(self, 16, value, max_num)

class dword (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "L", value)[0]

        bit_field.__init__(self, 32, value, max_num)

class qword (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "Q", value)[0]

        bit_field.__init__(self, 64, value, max_num)

# class aliases (note: "long = dword" shadows the builtin used in the
# type checks above once this module has been imported)
bits   = bit_field
char   = byte
short  = word
long   = dword
double = qword
bit_field (width), $
, (max_num),
(value), (endian), , ,
(static), , , $
(s_index). bit_field $
:
396
21.
flatten() $
.
to_binary() $
.
to_decimal() $
.
randomize()
.
smart() $
,
.
bit_field,$
. $
flatten() .
, $
SWF, RECT RGB.
, $
, ( , $
):
class RECT (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.fields = \
        [
            ("Nbits", sulley.numbers.bits(5, value=31, static=True)),
            ("Xmin" , sulley.numbers.bits(31)),
            ("Xmax" , sulley.numbers.bits(31)),
            ("Ymin" , sulley.numbers.bits(31)),
            ("Ymax" , sulley.numbers.bits(31)),
        ]

# the class header and field names of RGB did not survive extraction; only
# its three byte generators did. The SWF names of those bytes are used here.
class RGB (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.fields = \
        [
            ("Red"  , sulley.numbers.byte()),
            ("Green", sulley.numbers.byte()),
            ("Blue" , sulley.numbers.byte()),
        ]
,
. $
: Shockwave Flash
397
.
bit_field depen
dent_bit_field, :
class dependent_bit_field (sulley.numbers.bit_field):
    def __init__ (self, width, value=0, max_num=None, static=False, \
                  parent=None, dep=None, vals=[]):
        self.parent = parent
        self.dep    = dep
        self.vals   = vals

        sulley.numbers.bit_field.__init__(self, width, value, \
                                          max_num, static)

    def flatten (self):
        # if there is a dependency for flattening (including) this
        # structure, then check it.
        if self.parent:
            #                        VVV object value
            if self.parent.fields[self.dep][1].value not in self.vals:
                # dependency not met, dont include this object.
                return ""

        return sulley.numbers.bit_field.flatten(self)
,
.
, dep, $
vals, . MATRIX $
:
class MATRIX (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.fields = \
        [
            ("HasScale"       , sulley.numbers.bits(1)),
            ("NScaleBits"     , dependent_bits(5, 31, parent=self, \
                                               dep=0, vals=[1])),
            ("ScaleX"         , dependent_bits(31, parent=self, \
                                               dep=0, vals=[1])),
            ("ScaleY"         , dependent_bits(31, parent=self, \
                                               dep=0, vals=[1])),
            ("HasRotate"      , sulley.numbers.bits(1)),
            ("NTranslateBits" , sulley.numbers.bits(5, value=31)),
            ("TranslateX"     , sulley.numbers.bits(31)),
            ("TranslateY"     , sulley.numbers.bits(31)),
        ]
, NScaleBits MATRIX
5 31,
,
0 (HasScale) 1. ScaleX, ScaleY, skew1 skew2
HasScale. , HasScale $
1, .
. , NRotateBits
4 (HasRotate). 200 $
SWF .1
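The RECT size rule (5 + 4 * nbits bits), the bit_field / dependent_bit_field classes and the MATRIX dependency above all come down to one mechanism: variable-width fields, some of which are emitted only when a sibling field holds an enabling value, concatenated and padded to a byte boundary. The following is an added Python 3 example (not code from the book or from Sulley) that reimplements that mechanism with a parser for the RECT alongside the encoder. BitField, BitStruct and the function names are hypothetical; the field widths and the HasScale dependency follow the text. One deliberate difference from the page's flatten() methods: this example pads at the tail of the record, which is the SWF convention, so the RECT parser can read Nbits from the first five bits.

```python
# Added example: bit-packed structures with dependent fields (not Sulley code).
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class BitField:
    name: str
    width: int
    value: int = 0
    dep: Optional[str] = None                            # name of the controlling field
    vals: Sequence[int] = field(default_factory=tuple)   # values that enable this field

    def to_bits(self):
        if self.width <= 0 or not 0 <= self.value < (1 << self.width):
            raise ValueError("%s=%d does not fit in %d bits" % (self.name, self.value, self.width))
        return format(self.value, "0%db" % self.width)


class BitStruct:
    def __init__(self, fields: List[BitField]):
        self.fields = fields
        self.by_name = {f.name: f for f in fields}

    def included(self, f):
        # a dependent field is emitted only if its parent holds an enabling value
        return f.dep is None or self.by_name[f.dep].value in f.vals

    def bit_length(self):
        return sum(f.width for f in self.fields if self.included(f))

    def flatten(self):
        """Concatenate the included fields MSB-first, pad the tail to a byte boundary."""
        bits = "".join(f.to_bits() for f in self.fields if self.included(f))
        bits += "0" * ((-len(bits)) % 8)
        return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def rect_bit_length(nbits):
    """RECT = 5-bit Nbits followed by Xmin, Xmax, Ymin, Ymax of Nbits each."""
    return 5 + 4 * nbits


def make_rect(xmin, xmax, ymin, ymax, nbits):
    return BitStruct([
        BitField("Nbits", 5, nbits),
        BitField("Xmin", nbits, xmin),
        BitField("Xmax", nbits, xmax),
        BitField("Ymin", nbits, ymin),
        BitField("Ymax", nbits, ymax),
    ])


def parse_rect(data):
    """Inverse of make_rect().flatten(): returns (nbits, [xmin, xmax, ymin, ymax])
    and refuses a record whose Nbits promises more bits than are present."""
    bits = "".join(format(b, "08b") for b in data)
    nbits = int(bits[:5], 2)
    needed = rect_bit_length(nbits)
    if needed > len(bits):
        raise ValueError("RECT claims %d bits but only %d present" % (needed, len(bits)))
    vals = [int(bits[5 + i * nbits:5 + (i + 1) * nbits], 2) for i in range(4)]
    return nbits, vals


def make_matrix(has_scale, scale_x=0, scale_y=0, nscale_bits=31):
    """Cut-down MATRIX: HasScale, then NScaleBits/ScaleX/ScaleY only if HasScale == 1."""
    return BitStruct([
        BitField("HasScale", 1, has_scale),
        BitField("NScaleBits", 5, nscale_bits, dep="HasScale", vals=(1,)),
        BitField("ScaleX", nscale_bits, scale_x, dep="HasScale", vals=(1,)),
        BitField("ScaleY", nscale_bits, scale_y, dep="HasScale", vals=(1,)),
    ])
```

With nbits = 3 the RECT is 17 bits and flattens to three bytes; with HasScale = 0 the MATRIX collapses to a single bit, exactly the behaviour the dependent fields are meant to produce.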
, $
. $,
, :
from struct import pack

class base (structs.base):
    def __init__ (self, parent=None, dep=None, vals=[]):
        self.tag_id = None

        (structs.base).__init__(self, parent, dep, vals)

    def flatten (self):
        bit_stream = structs.base.flatten(self)

        # pad the bit stream to the next byte boundary.
        if len(bit_stream) % 8 != 0:
            bit_stream = "0" * (8 - (len(bit_stream) % 8)) + bit_stream

        raw = ""

        # convert the bit stream from a string of bits into raw bytes.
        for i in xrange(len(bit_stream) / 8):
            chunk = bit_stream[8*i:8*i+8]
            raw  += pack("B", self.to_decimal(chunk))

        raw_length = len(raw)

        if raw_length >= 63:
            # long (record header is a word + dword)
            record_header   = self.tag_id
            record_header <<= 6
            record_header  |= 0x3f

            flattened  = pack('H', record_header)
            # the length follows as its own dword, as the comment above says
            # (the extracted listing shifted it into a qword instead)
            flattened += pack('L', raw_length)
            flattened += raw
        else:
            # short (record_header is a word)
            record_header   = self.tag_id
            record_header <<= 6
            record_header  |= raw_length

            flattened  = pack('H', record_header)
            flattened += raw

        return flattened
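The record header that base.flatten() builds is the part of a SWF a triage or detection tool has to understand before it can walk a file's tags. This added Python 3 example (not code from the book or from Sulley) is an encoder and a parser for that header: a 16-bit little-endian word of (tag_id << 6 | length), with a length field of 0x3F meaning the long form, in which a 32-bit length follows. Function names are hypothetical; the 63-byte threshold is the one the page's code uses.

```python
# Added example: SWF tag record header codec (not the book's code).
import struct

LONG_FORM = 0x3F


def record_header(tag_id, length):
    """Short form for lengths 0..62, long form (word + dword) from 63 upwards."""
    if not 0 <= tag_id < (1 << 10):
        raise ValueError("tag id must fit in 10 bits")
    if length < LONG_FORM:
        return struct.pack("<H", (tag_id << 6) | length)
    return struct.pack("<HI", (tag_id << 6) | LONG_FORM, length)


def parse_record_header(data, offset=0):
    """Return (tag_id, length, header_size); raise on truncated input."""
    if offset + 2 > len(data):
        raise ValueError("truncated record header")
    (word,) = struct.unpack_from("<H", data, offset)
    tag_id, length = word >> 6, word & LONG_FORM
    if length != LONG_FORM:
        return tag_id, length, 2
    if offset + 6 > len(data):
        raise ValueError("truncated long record header")
    (length,) = struct.unpack_from("<I", data, offset + 2)
    return tag_id, length, 6


def walk_tags(body):
    """Iterate (tag_id, payload) over a tag stream, stopping at the End tag
    (id 0) and refusing a declared length that runs past the buffer."""
    tags, offset = [], 0
    while offset < len(body):
        tag_id, length, hsize = parse_record_header(body, offset)
        start = offset + hsize
        if start + length > len(body):
            raise ValueError("tag %d claims %d bytes past end of file" % (tag_id, length))
        tags.append((tag_id, body[start:start + length]))
        offset = start + length
        if tag_id == 0:
            break
    return tags
```

The length-versus-buffer check in walk_tags is the check a player must make for every tag; a fuzzer built from the structures on this page exercises exactly that boundary by emitting headers whose declared length disagrees with the data that follows.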
flatten()
$
. 50 $
SWF .
:
class PlaceObject (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.tag_id = 4

        self.fields = \
        [
            ("CharacterId"    , sulley.numbers.word(value=0x01)),
            ("Depth"          , sulley.numbers.word()),
            ("Matrix"         , structs.MATRIX()),
            ("ColorTransform" , structs.CXFORM()),
        ]

# The class header and the field names of the next tag did not survive
# extraction; only its generators did. They are kept here for reference:
#   sulley.numbers.word()
#   sulley.numbers.byte()
#   sulley.numbers.word()
#   sulley.numbers.word()
#   structs.dependent_byte(parent=self, dep=1, vals=[3])
#   structs.COLORMAPDATA(parent=self, dep=1, vals=[3])
#   structs.BITMAPDATA(parent=self, dep=1, vals=[4, 5])

class DefineMorphShape (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.tag_id = 46

        self.fields = \
        [
            ("CharacterId"     , sulley.numbers.word()),
            ("StartBounds"     , structs.RECT()),
            ("EndBounds"       , structs.RECT()),
            ("Offset"          , sulley.numbers.word()),
            ("MorphFillStyles" , structs.MORPHFILLSTYLE()),
            ("MorphLineStyles" , structs.MORPHLINESTYLES()),
            ("StartEdges"      , structs.SHAPE()),
            ("EndEdges"        , structs.SHAPE()),
        ]
. SWF,
bit_field. $
, , . bit_field
dependent_bit_field, , ,
.
SWF. $
, $
SWF.
. 21.1.
, $
, SWF.
.
, $
byte, word, . .
bit_field
dependent_byte, . .
dependent_bit_field
base
base
. 21.1. SWF
: Shockwave Flash
401
SWF . $
randomize()
smart() . , $
flat
ten().
.
$
SWF, . $
SWF , $
. $
, .
$
, .
Google SOAP1, SWF$ ,
filetype:swf ( :swf). $
a filetype:swf, b filetype:swf
z filetype:swf. ,
SWF. $
MD5, $
.
10 000 SWF$,
3 . SWF
, $
. 21.1.
21.1.
Flash+ SWF
SWF
Flash 8
< 1%
Flash 7
~ 2%
Flash 6
~ 11%
Flash 5
~ 55%
Flash 4
~ 28%
Flash 1 Flash 3
~ 3%
http://www.google.com/apis/index.html
402
21.
. ,
$
Flash Player. , $
, $
.
SWF.
PaiMei1
.
PaiMei Python, $
.
23. $
, PaiMei FileFuzz.
:
1. SWF Flash Player
PaiMei, PyDbg.
2. $
. ; $
,
SWF, .
3. ,
.
4. $
, Flash Player.
5. .
$
SWF 0x000C $
0xFFFF. , SWF $
,
. $
SWF $, Microsoft Internet Exp$
lorer Mozilla Firefox. , $
, ,
ActionScript2, $
SAFlashPlayer.exe. $
Macromedia Studio.3
1
2
3
http://openrce.org/downloads/details/208/PaiMei
http://en.wikipedia.org/wiki/ActionScript
http://www.adobe.com/products/studio/
Sulley:
403
SWF $
.
.
$
SWF ,
. $
,
SWF,
SWF SWF. $
, SWF $
$ $
.
SWF .
$
.
, $
.
Sulley:
Sulley $
, $
. Sulley ( )
, . $
, $
. Sulley
Monsters, Inc. ( )1,
, .2 Sulley
$ http://www.fuzzing.org/sulley.
, , $
. Sulley
,
, $
. Sulley $
. Sulley
, $
. Sulley ,
1
2
http://www.pixar.com/featurefilms/inc/chars_pop1.html
. fuzzy , $
fuzz, .
. .
404
21.
. Sulley $
, . Sulley $
,
. Sulley
$
. , Sulley :
1. : $
. , , $
.
Sulley.
2. : ,
; $
Sulley (, , . .)
.
3. : $
. .
Sulley http://
www.fuzzing.org, . $
, , $
.
Sulley
Sulley , . $
, ,
, $
. ,
:
archived_fuzzies: ,
, $
, :
trend_server_protect_5168: $
.
trillian_jabber: , $
.
audits:
PCAP, , . $
archived_fuzzies.
docs:
Epydoc.
requests: Sulley. $
,
.
Sulley:
405
__REQUESTS__.html: $
. $
.
http.py: $.
trend.py: , $
, .
sulley: . $
.
legos: , .
ber.py: ASN.1/BER.
dcerpc.py: Microsoft RPC NDR.
misc.py: ,
.
xdr.py: XDR.
pgraph: Python.
.
utils: .
dcerpc.py: Microsoft RPC, $
.
misc.py: , $
CRC$16 UUID.
scada.py: ,
SCADA, DNP3.
__init__.py: s_, $
.
blocks.py: $
.
pedrpc.py: , $
Sulley $
.
primitives.py: ,
, , .
sessions.py:
.
sex.py: $
Sulley.
unit_tests: Sulley.
utils: .
crashbin_explorer.py: ,
, $
.
406
21.
pcap_cleaner.py: ,
PCAP , $
.
network_monitor.py: ,
PedRPC.
process_monitor.py: $
, PedRPC.
unit_test.py: Sulley.
vmcontrol.py: , VMWare,
PedRPC.
, ,
, Sulley .
.
SPIKE .
, , $
$
,
. Sulley $
,
. :
s_initialize("new request")
,
.
. $
. $
. $
, $
. , $
,
, , .
, s_static(),
.
Sulley $
. s_dunno(), s_raw() s_unknown() s_static():
# these are all equivalent:
s_static("pedram\x00was\x01here\x02")
s_raw("pedram\x00was\x01here\x02")
s_dunno("pedram\x00was\x01here\x02")
s_unknown("pedram\x00was\x01here\x02")
Sulley:
407
, . . $
. $
request.names["name"] ,
, . $
,
s_binary(), , $
. SPIKE, , $
, (, $
, ) , $
:
# yeah, it can handle all these formats.
s_binary("0xde 0xad be ef \xca fe 00 01 02 0xba0xdd f0 0d")
Sulley
, , .
s_random(),
.
, 'min_length'
'max_length',
,
, . $
:
num_mutations ( , 25): , $
,
;
fuzzable (, True):
;
name (, None): ,
Sulley,
$
.
num_mutations ,
,
. $
, $
'min_length' 'max_length'.
ASCII
, , HTTP.
, Sulley $
:
: s_byte(), s_char();
: s_word(), s_short();
408
21.
,
. $
:
endian (, <): $
. <, >;
format (, binary): ,
ascii, , $
. , 100 $
100 ASCII \x64 ;
signed (, False):
, ascii;
full_range (, False):
(
);
fuzzable (, True):
;
name (, None): ,
Sulley,
$
.
full_range
. ,
DWORD; 4 294 967 295 .
, 10
, , $
, 13 !
Sulley
. 10 $
; (MAX_VAL); MAX_VAL,
2; MAX_VAL, 3; MAX_VAL, $
4; MAX_VAL, 8; MAX_VAL, 16,
MAX_VAL, 32. $
141
.
. , $
, , . $
, , .
Sulley s_string(),
. , $
Sulley:
409
. $
:
Size ( , 1): $
.
1;
padding (, \x00):
, $
, ;
encoding (, ascii): $
. ,
str.encode() Python. Microsoft Unicode
utf_16_le;
fuzzable (, True):
;
name (string, default None): , $
Sulley,
.
.
, ,
HTTP: GET /index.html HTTP/1.0. (/)
(.) . $
Sulley , $
s_delim(). , $
, $
. $
, s_delim()
'fuzzable' 'name'. ,
. $
,
HTML.
# fuzzes the string: <BODY bgcolor="black">
s_delim("<")
s_string("BODY")
s_delim(" ")
s_string("bgcolor")
s_delim("=")
s_delim("\"")
s_string("black")
s_delim("\"")
s_delim(">")
, , $
.
s_block_start(),
410
21.
s_block_end(). ,
s_block_start().
:
group (, None): , $
( );
encoder ( , None): $
,
;
dep (, None): ,
;
dep_value (, None): ,
dep, $
;
dep_values ( , []): ,
dep, $
;
dep_compare (, ==): , $
. $
: ==, !=, >, >=, <, and <=.
, $
, ; $
.
$
, ,
. $
, ,
$
. s_group()
. ,
,
. $
Sulley, $
$.
# import all of Sulley's functionality.
from sulley import *

# this request is for fuzzing: {GET,HEAD,POST,TRACE} /index.html HTTP/1.1

# define a new block named "HTTP BASIC".
s_initialize("HTTP BASIC")

# define a group primitive listing the various HTTP verbs we wish to fuzz.
s_group("verbs", values=["GET", "HEAD", "POST", "TRACE"])

# define a new block named "body" and associate with the above group.
if s_block_start("body", group="verbs"):
    # break the remainder of the HTTP request into
    # individual primitives.
    s_delim(" ")
    s_delim("/")
    s_string("index.html")
    s_delim(" ")
    s_string("HTTP")
    s_delim("/")
    s_string("1")
    s_delim(".")
    s_string("1")

    # end the request with the mandatory static sequence.
    s_static("\r\n\r\n")

# close the open block, the name argument is optional here.
s_block_end("body")
Sulley. $
HTTP BASIC.
.
GET, HEAD, POST TRACE.
$
. , s_block_start()
True,
, $
. , s_block_end()
.
. $
$
, .
Sulley, $
, , $
.
, . $
, $
. $
. DcsProces$
sor.exe Trend Micro Control Manager
TCP 20901 , $
XOR. $
$
XOR:
412
21.
import struct

def trend_xor_encode (str):
    key = 0xA8534344
    ret = ""

    # pad to 4 byte boundary.
    pad = 4 - (len(str) % 4)

    if pad == 4:
        pad = 0

    str += "\x00" * pad

    while str:
        dword  = struct.unpack("<L", str[:4])[0]
        str    = str[4:]
        dword ^= key
        ret   += struct.pack("<L", dword)
        key    = dword      # the output dword keys the next block

    return ret
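An added Python 3 version of the encoder above together with its inverse (this is example code, not from the book or from Sulley). The decoder is the piece an analyst wants on the defensive side: with it, traffic captured for this protocol can be turned back into plaintext to see what a fuzzer or an intruder actually sent to the service. The key constant 0xA8534344 and the chaining rule (each output dword becomes the key for the next) are taken from the page; the function names and the type hints are this example's own.

```python
# Added example: rolling-key XOR codec in Python 3 (not the book's code).
import struct

INITIAL_KEY = 0xA8534344


def trend_xor_encode(data: bytes) -> bytes:
    """NUL-pad to a 4-byte boundary, then XOR each little-endian dword with
    the running key; the ciphertext dword becomes the next key."""
    data += b"\x00" * (-len(data) % 4)
    key, out = INITIAL_KEY, bytearray()
    for (dword,) in struct.iter_unpack("<L", data):
        dword ^= key
        out += struct.pack("<L", dword)
        key = dword
    return bytes(out)


def trend_xor_decode(data: bytes) -> bytes:
    """Inverse: plaintext = ciphertext ^ key, where the key for block i+1 is
    the ciphertext of block i (not the recovered plaintext)."""
    if len(data) % 4:
        raise ValueError("encoded stream must be a multiple of 4 bytes")
    key, out = INITIAL_KEY, bytearray()
    for (dword,) in struct.iter_unpack("<L", data):
        out += struct.pack("<L", dword ^ key)
        key = dword
    return bytes(out)
```

Because the scheme is a fixed key XORed into a chain of ciphertext blocks, it offers no confidentiality against anyone who has the constant; that is why an encoder like this belongs in the fuzzer's render path and why decoding captures of it is straightforward.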
Sulley , $
, . $
, $
, , $
,
.
$
. , $
, ,
dep. $
Sulley ,
$
. $
dep_value. $
dep_values. , $
dep_compare. , $
, $
:
s_short("opcode", full_range=True)

# opcode 10 expects an authentication sequence.
if s_block_start("auth", dep="opcode", dep_value=10):
    s_string("USER")
    s_delim(" ")
    s_string("pedram")
    s_static("\r\n")
    s_string("PASS")
    s_delim(" ")
    s_delim("fuzzywuzzy")
s_block_end()

# opcodes 15 and 16 expect a single string hostname.
if s_block_start("hostname", dep="opcode", dep_values=[15, 16]):
    s_string("pedram.openrce.org")
s_block_end()

# the rest of the opcodes take a string prefixed with two underscores.
if s_block_start("something", dep="opcode", dep_values=[10, 15, 16],
                 dep_compare="!="):
    s_static("__")
    s_string("some string")
s_block_end()
(, , ) .
, $
, Sulley, .
, .
SPIKE s_sizer()
( s_size()). ,
, $
:
length ( , 4): ;
endian (, <): .
< > ;
format (, binary): , $
ascii, , $
;
inclusive (, False):
?
signed (, False):
, ascii;
fuzzable (, False):
;
name (, None): ,
Sulley,
$
.
, $
$
414
21.
s_repeat() ( s_repeater()) $
. , , $
$
. $
: , , $
.
, :
step (integer, default=1): $
;
fuzzable (boolean, default, False): $
;
name (, None): ,
Sulley,
$
.
Sulley:
415
,
.
, . $
, ,
, , CRC$32, $
.
, $
. , $
Sulley:
# table entry: [type][len][string][checksum]
if s_block_start("table entry"):
    # we don't know what the valid types are, so we'll fill
    # this in with random data.
    s_random("\x00\x00", 2, 2)

    # next, we insert a sizer of length 2 for the string field to follow.
    s_size("string field", length=2)

    # block helpers only apply to blocks, so encapsulate the string
    # primitive in one.
    if s_block_start("string field"):
        # the default string will simply be a short sequence of C's.
        s_string("C" * 10)
    s_block_end()

    # append the CRC32 checksum of the string to the table entry.
    s_checksum("string field")
s_block_end()

# repeat the table entry from 100 to 1,000 reps stepping 50 elements
# on each iteration.
s_repeat("table entry", min_reps=100, max_reps=1000, step=50)
Sulley
,
.
Sulley
, ,
, Microsoft RPC,
XDR, ASN.1 . ASN.1 / BER $
[0x04][0x84][ ][]. $
ASN.1$ $
.
:
s_lego("ber_string", "anonymous")
, $
options,
416
21.
. $
tag,
XML:
from sulley import blocks, primitives, sex

class tag (blocks.block):
    def __init__ (self, name, request, value, options={}):
        blocks.block.__init__(self, name, request, None, None, None, None)

        self.value   = value
        self.options = options

        if not self.value:
            raise sex.error("MISSING LEGO.tag DEFAULT VALUE")

        # [delim][string][delim]
        self.push(primitives.delim("<"))
        self.push(primitives.string(self.value))
        self.push(primitives.delim(">"))
, , $
$
.
self.push().
ASN.1 / BER1 Sulley.
$
, $
: [0x02][0x04][ ], 0x02 $
, 0x04 ,
, $
. , sul$
ley\legos\ber.py:
from sulley import blocks, primitives, sex

class integer (blocks.block):
    def __init__ (self, name, request, value, options={}):
        blocks.block.__init__(self, name, request, None, None, None, None)

        self.value   = value
        self.options = options

        if not self.value:
            raise sex.error("MISSING LEGO.ber_integer DEFAULT VALUE")

        self.push(primitives.dword(self.value, endian=">"))

    def render (self):
        # let the parent do the initial render.
        blocks.block.render(self)

        # prepend the ASN.1/BER tag (0x02 = INTEGER) and length (0x04).
        self.rendered = "\x02\x04" + self.rendered

        return self.rendered

1 http://luca.ntop.org/Teaching/Appunti/asn1.html
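The two BER shapes the text gives, [0x02][0x04][4-byte integer] for the integer lego and [0x04][0x84][4-byte length][string] for the string lego, as an added stand-alone Python example (not Sulley's lego code). Both use a fixed-width length, which is what makes them easy to wrap around a fuzzable primitive; the decoder shows the other side and refuses a length that overruns the buffer, which is exactly the malformed value a fuzzer will produce. Names and the decoder are this example's own.

```python
import struct

BER_INTEGER      = 0x02
BER_OCTET_STRING = 0x04


def ber_integer(value):
    """[0x02][0x04][value as 4-byte big-endian], as the ber_integer lego renders it."""
    return bytes([BER_INTEGER, 0x04]) + struct.pack(">I", value & 0xFFFFFFFF)


def ber_string(data):
    """[0x04][0x84][4-byte big-endian length][bytes], the ber_string lego form.

    0x84 is BER long-form length: high bit set, low bits say 4 length octets follow.
    """
    return bytes([BER_OCTET_STRING, 0x84]) + struct.pack(">I", len(data)) + data


def ber_decode(buf):
    """Decode one TLV produced by the encoders above. Returns (tag, value, rest)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tag, lenbyte = buf[0], buf[1]
    if lenbyte < 0x80:                       # short form: the byte is the length
        length, offset = lenbyte, 2
    else:                                    # long form: low 7 bits = number of length octets
        n = lenbyte & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[2:2 + n], "big")
        offset = 2 + n
    if len(buf) < offset + length:
        raise ValueError("length %d overruns %d remaining bytes" % (length, len(buf) - offset))
    body = buf[offset:offset + length]
    if tag == BER_INTEGER:
        value = int.from_bytes(body, "big", signed=True)
    else:
        value = body
    return tag, value, buf[offset + length:]


if __name__ == "__main__":
    packet = ber_integer(1) + ber_string(b"anonymous")
    while packet:
        tag, value, packet = ber_decode(packet)
        print(hex(tag), value)
```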
, $
self.push(). , $
render() , $
\x02\x04,
, $
. Sulley . $
,
,
. .
,
. Sulley
$
. $
. $
, pgraph,
, $
uDraw, . 21.2:
[Figure 21.2: session graph as rendered by uDraw, nodes ROOT_NODE, helo, ehlo, mail from, rcpt to, data]
Fig. 21.2. SMTP session graph
418
21.
from sulley import *
s_initialize("helo")
s_static("helo")
s_initialize("ehlo")
s_static("ehlo")
s_initialize("mail from")
s_static("mail from")
s_initialize("rcpt to")
s_static("rcpt to")
s_initialize("data")
s_static("data")
sess = sessions.session()
sess.connect(s_get("helo"))
sess.connect(s_get("ehlo"))
sess.connect(s_get("helo"), s_get("mail from"))
sess.connect(s_get("ehlo"), s_get("mail from"))
sess.connect(s_get("mail from"), s_get("rcpt to"))
sess.connect(s_get("rcpt to"), s_get("data"))
fh = open("session_test.udg", "w+")
fh.write(sess.render_graph_udraw())
fh.close()
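What the session walk does with that graph, as an added Python example (not Sulley's session code): for every node it derives the chain of requests from ROOT_NODE that must be sent first, which is how the fuzzer reaches rcpt to by sending helo and mail from beforehand and reaches data through either helo or ehlo. The edges are the ones from the listing above; `prerequisite_paths` enumerates every root-to-node path and `transmit_order` picks the requests actually sent before the node under test.

```python
ROOT = "ROOT_NODE"


def build_graph(edges):
    """edges: list of (src, dst); a one-argument connect() is an edge from ROOT."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def prerequisite_paths(graph, node, start=ROOT):
    """All paths from start to node (DFS over the session graph, root exclu"""
    paths = []

    def walk(current, trail):
        if current == node:
            paths.append(trail)
            return
        for nxt in graph.get(current, []):
            if nxt not in trail:          # session graphs are acyclic; guard anyway
                walk(nxt, trail + [nxt])

    walk(start, [])
    return paths


def transmit_order(graph, node):
    """Requests sent before fuzzing `node`, along the first discovered path."""
    paths = prerequisite_paths(graph, node)
    if not paths:
        raise ValueError("%s is not reachable from %s" % (node, ROOT))
    return paths[0][:-1], node


# the SMTP session from the listing above (the one-argument connect() calls
# hang helo and ehlo directly off ROOT_NODE).
SMTP_EDGES = [
    (ROOT, "helo"),
    (ROOT, "ehlo"),
    ("helo", "mail from"),
    ("ehlo", "mail from"),
    ("mail from", "rcpt to"),
    ("rcpt to", "data"),
]

if __name__ == "__main__":
    g = build_graph(SMTP_EDGES)
    for target in ("helo", "mail from", "rcpt to", "data"):
        for path in prerequisite_paths(g, target):
            print("%-10s <- %s" % (target, " -> ".join(path)))
```

Two paths exist to every node past the first hop; a fuzzer that only ever walks the helo branch never exercises the EHLO parser, which is the point the Ipswitch example makes.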
, Sulley $
: , $
, .
helo. Sulley $
mail from, $
helo. Sulley $
rcpt to.
helo
mail from. data
ehlo. Sulley $
$
. , $
, , Ipswitch Collaboration
Suite 2006 .1
,
, @ :. $
,
EHLO, HELO.
, $
.
1 http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
Sulley:
419
:
session_filename (, None): ,
.
, $
;
skip ( , .0): $
, ;
sleep_time ( , 1.0): , $
;
log_level (integer, default 2):
$; , $
;
proto (, tcp): ;
timeout ( , 5.0):
send() recv() .
, Sulley, $
.
$
, , , . $
:
def callback(node, edge, last_recv, sock)
node , , edge
$
node, last_recv , $
, sock . $
, , , $
. :
IP$ , , $
IP sock.getpeername()[0].
$
callback session.connect().
, $
. ,
,
VMWare, :
target = sessions.target("10.0.0.1", 5168)
target.netmon    = pedrpc.client("10.0.0.1", 26001)
target.procmon   = pedrpc.client("10.0.0.1", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)

target.procmon_options = \
{
    "proc_name"      : "SpntSvc.exe",
    "stop_commands"  : ['net stop "trend serverprotect"'],
    "start_commands" : ['net start "trend serverprotect"'],
}

sess.add_target(target)
sess.fuzz()
Sulley:
421
: (process_monitor.py)
,
. $
TCP 26002 Sulley
PedRPC.
Sulley
, $
, $ . ,
, , $
Sulley $$
( ). $
$
. $
.
:
ERR> USAGE: process_monitor.py
    <-c|--crash_bin FILENAME> filename to serialize crash bin class to
    [-p|--proc_name NAME]     process name to search for and attach to
    [-i|--ignore_pid PID]     ignore this PID when searching for the target process
    [-l|--log_level LEVEL]    log level (default 1), increase for more verbosity
: VMWare (vmcontrol.py)
VMWare $
TCP 26003 Sulley
PedRPC. $
$
; , ,
, , $
.
, , Sulley
$
.
$
422
21.
,
.
:
ERR> USAGE: vmcontrol.py
    <-x|--vmx FILENAME>
    <-r|--vmrun FILENAME>
    [-s|--snapshot NAME]
    [-l|--log_level LEVEL]
Sulley $,
26000.
fuzz() $ $
, , $
. . 21.3 , $
.
. $
. $
, $
. , , $
; $
.
.
. 21.3. + Sulley
Sulley
. $
$
Sulley:
423
, ,
. $
, .
crashbin_explorer.py, $
:
$ ./utils/crashbin_explorer.py
USAGE: crashbin_explorer.py <xxx.crashbin>
    [-t|--test #]     dump the crash synopsis for a specific test case number
    [-g|--graph name] generate a graph of all crash paths, save to 'name'.udg
, , $
, , , , $
, $
. $
, Trillian
Jabber, :
$ ./utils/crashbin_explorer.py audits/trillian_jabber.crashbin
[3] ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused
access violation 1415, 1416, 1417,
[2] ntdll.dll:7c910e03 mov [edx],eax from thread 664 caused
access violation 3780, 9215,
[24] rendezvous.dll:4900c4f1 rep movsd from thread 664 caused
access violation 1418, 1419, 1420, 1421, 1422, 1423, 1424,
1425, 3443, 3781, 3782, 3783, 3784, 3785, 3786, 3787, 9216,
9217, 9218, 9219, 9220, 9221, 9222, 9223,
[1] ntdll.dll:7c911639 mov cl,[eax+0x5] from thread 664 caused
access violation 3442,
, . $
,
t.
1416:
$ ./utils/crashbin_explorer.py audits/trillian_jabber.crashbin -t 1416
ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused access violation
when attempting to read from 0x263b7467

CONTEXT DUMP
  EIP: 7c910f29 mov ecx,[ecx]
  EAX: 039a0318 (  60424984) -> gt;>>...>>>>> (heap)
  EBX: 02f40000 (  49545216) -> PP@ (heap)
  ECX: 263b7467 ( 641430631) -> N/A
  EDX: 263b7467 ( 641430631) -> N/A
  EDI: 0399fed0 (  60423888) -> #e<root><message>>>>...>>& (heap)
  ESI: 039a0310 (  60424976) -> gt;>>...>>>>> (heap)
  EBP: 03989c38 (  60333112) -> \|gt;&t]IPIx;IXIox@ @x@PP8|p|Hg9I P (stack)
  ESP: 03989c2c (  60333100) -> \|gt;&t]IPIx;IXIox@ @x@PP8|p|Hg9I (stack)
  +00: 02f40000 (  49545216) -> PP@ (heap)
  +04: 0399fed0 (  60423888) -> #e<root><message>>>>...>>& (heap)
  +08: 00000000 (         0) -> N/A
  +0c: 03989d0c (  60333324) -> Hg9I Pt]I@"ImI,IIpHsoIPnIX{ (stack)
  +10: 7c910d5c (2089880924) -> N/A
  +14: 02f40000 (  49545216) -> PP@ (heap)

disasm around:
  0x7c910f18 jnz 0x7c910fb0
  0x7c910f1e mov ecx,[esi+0xc]
  0x7c910f21 lea eax,[esi+0x8]
  0x7c910f24 mov edx,[eax]
  0x7c910f26 mov [ebp+0xc],ecx
  0x7c910f29 mov ecx,[ecx]
  0x7c910f2b cmp ecx,[edx+0x4]
  0x7c910f2e mov [ebp+0x14],edx
  0x7c910f31 jnz 0x7c911f21

stack unwind:
  ntdll.dll:7c910d5c
  rendezvous.dll:49023967
  rendezvous.dll:4900c56d
  kernel32.dll:7c80b50b

SEH unwind:
  03989d38 -> ntdll.dll:7c90ee18
  0398ffdc -> rendezvous.dll:49025d74
  ffffffff -> kernel32.dll:7c8399f3
,
, ,
ECX, , $
ASCII &;tg. , ?
, $
, $
g.
. 21.4 Trillian
Jabber.
, , ,
, , , . $
. $
XMPP (
). Trillian $
_presence mDNS (
DNS) UDP 5353. $
mDNS,
425
Sulley:
[Figure 21.4: crash path graph generated with crashbin_explorer.py -g; nodes, with crash counts in brackets:
  [30] kernel32.dll:7c80b50b
  [5]  rendezvous.dll:4900c56d
  [24] rendezvous.dll:4900c4f1
  [1]  rendezvous.dll:49023afd
  [5]  rendezvous.dll:49023967
  [3]  ntdll.dll:7c910d5c
  [1]  rendezvous.dll:49023b1f
  [2]  ntdll.dll:7c910e03
  [1]  ntdll.dll:7c911639
  [3]  ntdll.dll:7c910f29]
Fig. 21.4. Crash path graph produced by Sulley
; strlen(message+1) + 128
,
, +128, $
, expatxml.xmlCompos
eString(), :
plugin_send(MYGUID, "xmlComposeString", struct xml_string_t *);

struct xml_string_t {
    unsigned int       struct_size;
    char              *string_buffer;
    struct xml_tree_t *xml_tree;
};
xmlComposeString() expatxml.
19002420(), HTML &, > < &, > < $
.
:
426
21.
19002492  push    0
19002494  push    0
19002496  push    offset str_Amp        ; "&amp;"
1900249B  push    offset ampersand      ; "&"
190024A0  push    eax
190024A1  call    sub_190023A0

190024A6  push    0
190024A8  push    0
190024AA  push    offset str_Lt         ; "&lt;"
190024AF  push    offset less_than      ; "<"
190024B4  push    eax
190024B5  call    sub_190023A0

190024BA  push    0
190024BC  push    0
190024BE  push    offset str_Gt         ; "&gt;"
190024C3  push    offset greater_than   ; ">"
190024C8  push    eax
190024C9  call    sub_190023A0
,
rendez$
vous.dll ,
:
4900C4EC  mov     ecx, eax
4900C4EE  shr     ecx, 2
4900C4F1  rep movsd
4900C4F3  mov     ecx, eax
4900C4F5  and     ecx, 3
4900C4F8  rep movsb
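The arithmetic behind the two listings above, as an added model in Python rather than the plugin's code: the composer escapes &, < and > to the entities it pushes (&amp;, &lt;, &gt;), while the caller sizes the destination at strlen + 128 and the copy loop in rendezvous.dll does not check the result. The numbers come from the text; the function names, and the `compose_string` variant that refuses instead of overrunning, are this example's own.

```python
# Escape table the expatxml listing pushes onto the stack.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
SLACK = 128   # the destination buffer is sized strlen(message) + 128


def escaped_length(message):
    """Length of the message after XML escaping."""
    return sum(len(ESCAPES.get(ch, ch)) for ch in message)


def allocated_length(message):
    """What the caller sizes the destination buffer to (strlen + 128)."""
    return len(message) + SLACK


def overflow_bytes(message):
    """Bytes an unchecked rep movsd/movsb copy writes past the buffer; 0 means it fits."""
    return max(0, escaped_length(message) - allocated_length(message))


def minimum_trigger(ch):
    """Smallest run of one escapable character whose growth exceeds the 128-byte slack.

    Each ch grows by len(escape) - 1 bytes, so n * growth must exceed SLACK.
    """
    growth = len(ESCAPES[ch]) - 1
    return SLACK // growth + 1


def compose_string(message, buffer_size):
    """A composer that checks: raises instead of writing past buffer_size."""
    out = "".join(ESCAPES.get(ch, ch) for ch in message)
    if len(out) > buffer_size:
        raise ValueError("escaped message (%d) exceeds buffer (%d)" % (len(out), buffer_size))
    return out


if __name__ == "__main__":
    for ch in "&<>":
        n = minimum_trigger(ch)
        print("%r x %d: %d bytes past the buffer" % (ch, n, overflow_bytes(ch * n)))
```

A fixed slack on top of the input length can never be right for a transformation whose output grows per character; the check belongs on the escaped length, as `compose_string` does.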
, Sulley, $
. $
, $
. ,
, PCAP, $
, . pcap_cleaner.py
:
$ ./utils/pcap_cleaner.py
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>
,
, $
, PCAP $
. ,
,
.
Sulley:
427
, $
Sulley; ,
. ,
, $
, $
Sulley. $
Trend Micro Server Protect, ,
Microsoft DCE/RPC TCP 5168,
SpntSvc.exe. RPC
TmRpcSrv.dll, $
, IDL ( ):
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
    [in] handle_t arg_1,                        // not sent on wire
    [in] long trend_req_num,
    [in][size_is(arg_4)] byte some_string[],
    [in] long arg_4,
    [out][size_is(arg_6)] byte arg_5[],         // not sent on wire
    [in] long arg_6
);
arg_1 arg_6
. , $
.
, trend_req_num $
. ,
$
RPC.
The trend_req_num values the service accepts and the sub-command range observed for each:

    trend_req_num 0x0001: sub-commands 1 to 21
    trend_req_num 0x0002: sub-commands 1 to 18
    trend_req_num 0x0003: sub-commands 1 to 84
    trend_req_num 0x0005: sub-commands 1 to 24
    trend_req_num 0x000A: sub-commands 1 to 48
    trend_req_num 0x001F: sub-commands 1 to 21
$
,
DCE/RPC.
, .
utils.dcerpc.request()
, :
# dce rpc request encoder used for trend server protect 5168 RPC service.
# opnum is always zero.
def rpc_request_encoder (data):
    return utils.dcerpc.request(0, data)
$
, Sulley.
requests\trend.py, $
, Trend, $
. $
(
), Python
$
trend_req_num:
import struct
from sulley import *

for op, submax in [(0x1, 22), (0x2, 19), (0x3, 85), (0x5, 25), (0xa, 49), (0x1f, 25)]:
    s_initialize("5168: op%x" % op)
    if s_block_start("everything", encoder=rpc_request_encoder):
        # [in] long trend_req_num,
        s_group("subs", values=map(chr, range(1, submax)))
        s_static("\x00")                  # subs is actually a little endian word
        s_static(struct.pack("<H", op))   # opcode

        # [in][size_is(arg_4)] byte some_string[],
        s_size("some_string")
        if s_block_start("some_string", group="subs"):
            s_static("A" * 0x5000, name="arg3")
        s_block_end()

        # [in] long arg_4,
        s_size("some_string")

        # [in] long arg_6
        # (the listing on the page ends at the comment above; a 4-byte value and
        # the closing s_block_end() are needed for the request to render)
        s_static("\x00\x00\x00\x00")
    s_block_end()
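The wire layout of the body the block above hands to the DCE/RPC request encoder, as an added Python example (not the requests/trend.py module). `build_request` lays out trend_req_num as [sub][0x00][opcode as little-endian word], then the 4-byte size, the string, the size again for the size_is(arg_4) argument and a 4-byte arg_6; `parse_request` reads it back the way an NDR-aware consumer would and refuses a size_is that overruns the data. The DCE/RPC bind and request framing done by utils.dcerpc is not modelled; the 0x5000-byte payload and the per-opcode sub-command ranges are the ones the block uses.

```python
import struct


def build_request(opcode, sub, some_string, arg_6=0):
    """Body handed to the DCE/RPC request encoder for opnum 0.

    trend_req_num is one long: [sub][0x00][opcode as little-endian word].
    some_string is preceded by its length and, per [size_is(arg_4)], followed by it.
    """
    if not (1 <= sub <= 0xFF):
        raise ValueError("sub-command must fit one byte")
    trend_req_num = bytes([sub, 0x00]) + struct.pack("<H", opcode)
    size = struct.pack("<I", len(some_string))
    return trend_req_num + size + some_string + size + struct.pack("<I", arg_6)


def parse_request(body):
    """Inverse of build_request; validates both size fields against the buffer."""
    if len(body) < 16:
        raise ValueError("truncated request")
    sub, zero = body[0], body[1]
    (opcode,) = struct.unpack("<H", body[2:4])
    if zero != 0:
        raise ValueError("reserved byte must be zero")
    (size,) = struct.unpack("<I", body[4:8])
    if size > len(body) - 16:
        raise ValueError("size_is(%d) overruns the %d-byte request" % (size, len(body)))
    end = 8 + size
    some_string = body[8:end]
    (arg_4,) = struct.unpack("<I", body[end:end + 4])
    (arg_6,) = struct.unpack("<I", body[end + 4:end + 8])
    if arg_4 != size:
        raise ValueError("arg_4 (%d) disagrees with the leading size (%d)" % (arg_4, size))
    if end + 8 != len(body):
        raise ValueError("trailing bytes after arg_6")
    return {"opcode": opcode, "sub": sub, "some_string": some_string, "arg_6": arg_6}


def all_requests(payload=b"A" * 0x5000):
    """One request per (opcode, sub-command) pair, the enumeration the block performs."""
    for op, submax in [(0x1, 22), (0x2, 19), (0x3, 85), (0x5, 25), (0xa, 49), (0x1f, 25)]:
        for sub in range(1, submax):
            yield build_request(op, sub, payload)


if __name__ == "__main__":
    n = sum(1 for _ in all_requests())
    print("%d requests, first one %d bytes" % (n, len(next(all_requests()))))
```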
Sulley:
429
.
s_group() $
subs,
trend_req_num, .
.
trend_req_num,
;
, . $
some_string NDR.
DCE/RPC NDR Sulley,
RPC , $
NDR . some_string.
,
. $
A ( 20 ). $
s_string(),
, Trend
, $
. ,
size_is arg_4. ,
$
. ,
.
Sulley , $
fuzz_trend_server_protect_5168.py.
archived_fuzzies, $
. Sulley $
Trend :
from sulley import *
from requests import trend
, $
DCE/RPC
.
, , . $
utils.dcerpc.bind(),
Sulley:
def rpc_bind (sock):
    bind = utils.dcerpc.bind("25288888bd5b11d19d530080c83a5c2c", "1.0")
    sock.send(bind)

    utils.dcerpc.bind_ack(sock.recv(1000))
430
21.
$
. , $
Trend Server Protect, $
VMWare 10.0.0.1.
$
. ,
, $
:
sess   = sessions.session(session_filename="audits/trend_server_protect_5168.session")
target = sessions.target("10.0.0.1", 5168)

target.netmon    = pedrpc.client("10.0.0.1", 26001)
target.procmon   = pedrpc.client("10.0.0.1", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)
VMWare, Sulley $
$
,
. VMWare ,
, Sulley
. $
stop_commands start_commands :
target.procmon_options = \
{
    "proc_name"      : "SpntSvc.exe",
    "stop_commands"  : ['net stop "trend serverprotect"'],
    "start_commands" : ['net start "trend serverprotect"'],
}
proc_name , $
; , $
, ,
.
VMWare, , Sulley $
, $
.
, , $
restart_target() VMWare. $
, $
, $
. , $
fuzz() :
# start up the target.
target.vmcontrol.restart_target()
print "virtual machine up and running"

sess.add_target(target)
sess.pre_send = rpc_bind
sess.connect(s_get("5168: op1"))
sess.connect(s_get("5168: op2"))
sess.connect(s_get("5168: op3"))
sess.connect(s_get("5168: op5"))
sess.connect(s_get("5168: opa"))
sess.connect(s_get("5168: op1f"))
sess.fuzz()
$
. $
$
:
network_monitor.py -d 1 \
                   -f "src or dst port 5168" \
                   -P audits\trend_server_protect_5168

process_monitor.py -c audits\trend_server_protect_5168.crashbin \
                   -p SpntSvc.exe
, ,
Sulley, $
. BPF ( ) $
, ,
, . $
,
PCAP . $
$
, sulley ready and waiting
(sulley ).
VMWare VM$
Ware ( ). $
vmrun.exe, $
, , , ,
,
:
vmcontrol.py -r "c:\\VMware\vmrun.exe" \
             -x "v:\vmfarm\Trend\win_2000_pro.vmx" \
             --snapshot "sulley ready and waiting"
, , !
, . fuzz_trend_server_protect_
5168.py $ http://127.0.0.1:26000
. ,
.
432
21.
221 $
, , 19 $
. crashbin_explorer.py, $
, :
$ ./utils/crashbin_explorer.py audits/trend_server_protect_5168.crashbin
[6] [INVALID]:41414141 Unable to disassemble at 41414141 from thread 568
caused access violation 42, 109, 156, 164, 170, 198,
[3] LogMaster.dll:63272106 push ebx from thread 568 caused
access violation 53, 56, 151,
[1] ntdll.dll:77fbb267 push dword [ebp+0xc] from thread 568 caused
access violation 195,
[1] Eng50.dll:6118954e rep movsd from thread 568 caused access violation
181,
[1] ntdll.dll:77facbbd push edi from thread 568 caused access violation
118,
[1] Eng50.dll:61187671 cmp word [eax],0x3b from thread 568 caused
access violation 116,
[1] [INVALID]:0058002e Unable to disassemble at 0058002e from thread 568
caused access violation 70,
[2] Eng50.dll:611896d1 rep movsd from thread 568 caused access violation
152, 182,
[1] StRpcSrv.dll:6567603c push esi from thread 568 caused
access violation 106,
[1] KERNEL32.dll:7c57993a cmp ax,[edi] from thread 568 caused
access violation 165,
[1] Eng50.dll:61182415 mov edx,[edi+0x20c] from thread 568 caused
access violation 50,
,
, , $
EIP, 0x41414141. 70 ,
,
Unicode ($, $
, , ). ,
,
,
. $
. $
:
$ ./utils/crashbin_explorer.py
USAGE: crashbin_explorer.py <xxx.crashbin>
    [-t|--test #]     dump the crash synopsis for a specific test case number
    [-g|--graph name] generate a graph of all crash paths, save to 'name'.udg
, , $
$
70:
Sulley:
433
$ ./utils/crashbin_explorer.py audits/trend_server_protect_5168.crashbin -t 70
[INVALID]:0058002e Unable to disassemble at 0058002e from thread 568
caused access violation
when attempting to read from 0x0058002e

CONTEXT DUMP
  EIP: 0058002e Unable to disassemble at 0058002e
  EAX: 00000001 (         1) -> N/A
  EBX: 0259e118 (  39444760) -> A.....AAAAA (stack)
  ECX: 00000000 (         0) -> N/A
  EDX: ffffffff (4294967295) -> N/A
  EDI: 00000000 (         0) -> N/A
  ESI: 0259e33e (  39445310) -> A.....AAAAA (stack)
  EBP: 00000000 (         0) -> N/A
  ESP: 0259d594 (  39441812) -> LA.XLT.......MPT.MSG.OFT.PPS.RT (stack)
  +00: 0041004c (   4259916) -> N/A
  +04: 0058002e (   5767214) -> N/A
  +08: 0054004c (   5505100) -> N/A
  +0c: 0056002e (   5636142) -> N/A
  +10: 00530042 (   5439554) -> N/A
  +14: 004a002e (   4849710) -> N/A

disasm around:
  0x0058002e Unable to disassemble

SEH unwind:
  0259fc58 -> StRpcSrv.dll:656784e3
  0259fd70 -> TmRpcSrv.dll:65741820
  0259fda8 -> TmRpcSrv.dll:65741820
  0259ffdc -> RPCRT4.dll:77d87000
  ffffffff -> KERNEL32.dll:7c5c216c
, $ , $
Unicode . $
PCAP .
. 21.5 Wireshark,
PCAP.
434
21.
, , , ,
PCAP, ,
. pcap_cleaner.py $
:
$ ./utils/pcap_cleaner.py
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>
,
, ,
PCAP .
, $
, Trend. $
:
TSRT-07-01: StCommon.dll in Trend Micro ServerProtect;
TSRT-07-02: eng50.dll in Trend Micro ServerProtect.
, $
.
.
,
s_string(), .
, ;
, .
$
, ,
.
, $
, , $
, $
. SWF Shock$
wave Flash Adobe Macromedia , $
$ ,
, ,
. , , ,
$
,
. , $
435
$
,
.
$
Sulley. $
,
$
. Sulley $
; $
. http://www.fuzzing.org
,
.
22
, .
$.,
$,
27 2000
$
. , $
, $
, $
. $
$. , $
.
$
$
.
$
.
?
$
,
,
. $
SMB$ Microsoft, , 1992
437
Samba.1 $
$ Samba
Windows$ SMB$$. $
$
?
.
, , ,
.
, HTTP, $
, RFC2 $
. $
. , , $
,
, , $
. $
Ipswitch I$Mail. 2006 $
Ipswitchs SMTP $
.3 $
$
, @ :. , $
, .
SAMBA
SAMBA 10 1992 ,
(Andrew Tridgell)
vmsnet.net$
works.desktop.pathworks newsgroup.4 $
UNIX$
PATHWORKS DOS.
nbserver, 1994 ,
Syntax Corp. , $
Samba.5 Sam$
ba $
$ .
1 http://www.samba.org
2 http://www.w3.org/Protocols/rfc2616/rfc2616.html
3 http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
4 http://groups.google.com/group/vmsnet.networks.desktop.pathworks/msg/7d939a9e7e419b9c
5 http://www.samba.org/samba/docs/10years.html
438
22.
,
Ipswitch $ ,
.
, ,
, .
, $
. ,
, , $
: $
. , $
$
. , $
. , HTTP, $
, . $
, , $
GET POST, HEAD, OPTIONS
TRACE .
?
. $
, . $
, $
, , $
$
.
$
,
, . ,
, $
, $ .
, , .
, , $
.
Wotsit.org, $
, .
, $
Wireshark Ethereal,
,
.
$
,
. $
, $
$
.
439
, ,
,
$
. ,
.
, , $
1 ,
ProxyFuzzer. $$
,
. 22.1.
. 22.1.
, ProxyFuzzer $
, $
. ,
2 ,
. ,
, . ,
, . 22.2.
, $
. 22.2,
, .
ProxyFuzzer
, $
,
. , $
,
1
2
Tipping Point.
IP
, .
440
22.
. 22.2.
(PCAP). , $
$
Matasanos Protocol Debugger (PDB).1
ProxyFuzzer $
, $
. ProxyFuzzer ,
;
,
ASCII . $
$
, .
. 22.3 .
, ProxyFuzzer ,
$
. , ()
, $
, .
. 22.3.
1 http://www.matasano.com/log/399/pdb-blackhat-talk-materials-as-promised/
441
ProxyFuzzer
ProxyFuzzer $
, .
, , $
( ) .
$ ProxyFuzzer
Computer Associates Brightstor.
$
, . $
$ TCP 6050
UnivAgent.exe.
igateway.exe
HTTP, TCP 5250. $
,
.
fprintf(), $ $
.
, $
; , $
ProxyFuzzer .
, $
. , , $
,
. $
, , $
, , . , $
$
, .
ProzyFuzzer.
$
.
.
, $
, . . $
442
22.
. $
.
, $
. ( TCP/IP$) $
IP$ . ,
, $
, ASCII.
, $
, ,
. 22.4, $
.
raw data
plaintext
delimited
char
binary
padded
static
TLV
XML
. 22.4.
,
SMB, , $
, , ,
, ,
.
,
(|):
|00 04|user|00 06|pedram|0a 0a 00 01|code rev 254|00 00 00 00 be ef|END
|00 04|user|00 04|cody|0a 0a 00 02|code rev 11|00 00 00 00 00 de ad|END
|00 04|user|00 05|aaron|0a 0a 00 03|code rev 31337|00 00 00 c0 1a|END
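A dissector for those three records, written as an added Python example to show what the manual analysis produces: two 16-bit big-endian length-prefixed ASCII strings, a 4-byte IP address, the ASCII "code rev <number>" field and the END terminator. The records are the page's, re-entered as bytes. Two things are assumptions of this example rather than statements of the page: the "code rev" field is taken to end at the first non-digit (0x00 in every sample), and the zero-padded bytes before END are returned both raw and as a big-endian integer.

```python
import re
import struct

TERMINATOR = b"END"

# The three records from the listing above, re-encoded as bytes.
SAMPLE_RECORDS = [
    b"\x00\x04user\x00\x06pedram\x0a\x0a\x00\x01code rev 254\x00\x00\x00\x00\xbe\xefEND",
    b"\x00\x04user\x00\x04cody\x0a\x0a\x00\x02code rev 11\x00\x00\x00\x00\x00\xde\xadEND",
    b"\x00\x04user\x00\x05aaron\x0a\x0a\x00\x03code rev 31337\x00\x00\x00\xc0\x1aEND",
]


def take_lstring(data, pos):
    """16-bit big-endian length-prefixed ASCII string at pos -> (string, new pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated length at %d" % pos)
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    if pos + 2 + n > len(data):
        raise ValueError("string length %d overruns record" % n)
    return data[pos + 2:pos + 2 + n].decode("ascii"), pos + 2 + n


def parse_record(data):
    """Dissect one record into the field types identified in the text."""
    key, pos = take_lstring(data, 0)
    name, pos = take_lstring(data, pos)
    if pos + 4 > len(data):
        raise ValueError("truncated address")
    ip = ".".join(str(b) for b in data[pos:pos + 4])
    pos += 4
    # "code rev <decimal>": no length prefix; assumed to end at the first non-digit.
    m = re.match(rb"code rev (\d+)", data[pos:])
    if not m:
        raise ValueError("expected 'code rev <n>' at %d" % pos)
    rev = int(m.group(1))
    pos += m.end()
    if not data.endswith(TERMINATOR):
        raise ValueError("missing END terminator")
    tail = data[pos:-len(TERMINATOR)]
    return {
        "key": key, "name": name, "ip": ip, "rev": rev,
        # variable-length, zero-padded; reading it as a big-endian integer is an
        # assumption of this example, not something the page states
        "tail": tail, "tail_value": int.from_bytes(tail, "big"),
    }


def build_record(key, name, ip, rev, tail):
    """Inverse of parse_record: the seed a generation-based fuzzer would mutate."""
    def lstring(s):
        s = s.encode("ascii")
        return struct.pack(">H", len(s)) + s
    ip_bytes = bytes(int(o) for o in ip.split("."))
    return lstring(key) + lstring(name) + ip_bytes + b"code rev %d" % rev + tail + TERMINATOR


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_record(rec))
```

Once the record builds and parses round-trip, each field becomes a separate mutation target: the length prefixes against the string bodies, the IP octets, the decimal number, and the terminator.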
(, , ) $
$
. , $
.
443
IP$ (0a 0a 00 01 = $
IP 10.10.0.1). 4 ASCII$: , [user],
[pedram],[ code rev 254] END. $
, $,
$ , , . ,
( $
), IP$ . $
.
, ASCII$ , $
. .
, 10$ $
ASCII. , ENG,
. ,
ASCII . 0xbeef,
, $
. , $
, . , ,
,
:
;
;
IP$ ;
10$
;
$
;
ASCII .
$
. $
. $
,
. ,
, .
,
, $
. . $
runtime ( ,
), .
. $
$.
.
, , $
444
22.
. $
:
0040206C  call    ds:__imp__sscanf
00402072  mov     eax, [esp+5DA4h+var_5CDC]
00402079  add     esp, 0Ch
0040207C  cmp     eax, 3857106359             ; string prefix check
00402081  jz      short loc_40208D
00402083  push    offset 'string'             ; "access protocol error"
00402088  jmp     loc_401D61
sscanf() API
. $
3857106359, , $
$
. $
.
.
.
$
PyDbg $
PaiMei.1
http://www.fuzzing.org.
,
.
, $
, , $
, , , $
, , $
, .2 ,
,
,
, , , . $
$
. $
?
$
. . $
:
1 http://openrce.org/downloads/details/208/PaiMei
2 http://en.wikipedia.org/wiki/Bioinformatics
445
Sequence 1: ACAT---TACAGGA
Sequence 2: ACATTCCTACAGGA
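The Needleman-Wunsch global alignment those two sequences illustrate, as an added Python example (not the PI tool's code). The dynamic programme fills a score table with match, mismatch and gap penalties and then traces back to recover the alignment; `consensus` shows the per-column view that a protocol analysis uses, where agreeing bytes are constant fields and gaps mark optional or variable-length data. Scores of +1/-1/-1 are this example's choice.

```python
def needleman_wunsch(a, b, match=1, mismatch=-1, gap=-1):
    """Global alignment of a and b; returns (score, aligned_a, aligned_b).

    F[i][j] is the best score aligning a[:i] with b[:j].
    """
    n, m = len(a), len(b)
    F = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        F[i][0] = i * gap
    for j in range(1, m + 1):
        F[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = F[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            F[i][j] = max(diag, F[i - 1][j] + gap, F[i][j - 1] + gap)

    # traceback, preferring a pairing over a gap on ties
    i, j = n, m
    out_a, out_b = [], []
    while i > 0 or j > 0:
        if i > 0 and j > 0 and F[i][j] == F[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch):
            out_a.append(a[i - 1])
            out_b.append(b[j - 1])
            i, j = i - 1, j - 1
        elif i > 0 and F[i][j] == F[i - 1][j] + gap:
            out_a.append(a[i - 1])
            out_b.append("-")
            i -= 1
        else:
            out_a.append("-")
            out_b.append(b[j - 1])
            j -= 1
    return F[n][m], "".join(reversed(out_a)), "".join(reversed(out_b))


def consensus(aligned_a, aligned_b):
    """Per-column summary: the symbol where both agree, '-' at a gap, '?' where they differ."""
    return "".join(
        x if x == y else ("-" if "-" in (x, y) else "?")
        for x, y in zip(aligned_a, aligned_b)
    )


if __name__ == "__main__":
    score, a1, a2 = needleman_wunsch("ACATTACAGGA", "ACATTCCTACAGGA")
    print(score)
    print(a1)
    print(a2)
    # the same machinery on two protocol messages (constructed sample input)
    s, m1, m2 = needleman_wunsch("USER pedram\r\n", "USER cody\r\n")
    print(consensus(m1, m2))
```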
$
. $
; , 1 (Needleman Wun$
sch (NW)), 1970 2 (Saul Needle$
man) 3 (Christian Wunsch). NW$ $
.
, . .
.
,
2004
ToorCon4 , .
(Marshall Beddoe)
Python Protocol
Informatics (PI), , , ,
Wired.5 $
, . PI $
Mu Security6,
, , $
$ . ,
$ PI Packet Storm.7
PI $
$
. $
8 (SW), NW$
, PI $
, HTTP, ICMP SMB. $
, ,
PI, , $
.
$
. $
. SW$
1 http://en.wikipedia.org/wiki/Needleman-Wunsch_algorithm
2 http://en.wikipedia.org/wiki/Saul_Needleman
3 http://en.wikipedia.org/wiki/Christian_Wunsch
4 http://www.toorcon.org
5 http://www.wired.com/news/infostructure/0,1377,65191,00.html
6 http://www.musecurity.com
7 http://packetstormsecurity.org/sniffers/PI.tgz
8 http://en.wikipedia.org/wiki/Smith-Waterman
446
22.
, $
.
NW$ . $
.
, Percent Accepted Mutation (PAM) Blocks
Substitution Matrix (BLOSUM), PI $
, .
, ,
ASCII$ ASCII.
$
. PI , $
. $
NW, , $
,
(Unweighted Pairwise Mean by
Arithmetic Averages, UPGMA).
. $
.
ICMP1
PI. $
ICMP:
# tcpdump -s 42 -c 100 -nl -w icmp.dump icmp
PI:
# ./main.py -g -p ./icmp.dump
Protocol Informatics Prototype (v0.01 beta)
Written by Marshall Beddoe <mbeddoe@baselineresearch.net>
Copyright (c) 2004 Baseline Research
Found 100 unique sequences in '../dumps/icmp.out'
Creating distance matrix .. complete
Creating phylogenetic tree .. complete
Discovered 1 clusters using a weight of 1.00
Performing multiple alignment on cluster 1 .. complete
Output of cluster 1
0097 x08 x00 xad x4b x05 xbe x00 x60
0039 x08 x00 x30 x54 x05 xbe x00 x26
0026 x08 x00 xf7 xb2 x05 xbe x00 x19
0015 x08 x00 x01 xdb x05 xbe x00 x0e
0048 x08 x00 x4f xdf x05 xbe x00 x2f
0040 x08 x00 xf8 xa4 x05 xbe x00 x27
0077 x08 x00 xe8 x28 x05 xbe x00 x4c
0017 x08 x00 xe8 x6c x05 xbe x00 x10
0027 x08 x00 xc3 xa9 x05 xbe x00 x1a
0087 x08 x00 xdd xc1 x05 xbe x00 x56
1
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
447
Field layout inferred by PI:
    [ 1 byte ] [ 1 byte ] [ 2 byte ] [ 2 byte ] [ 1 byte ] [ 1 byte ]
Actual ICMP echo layout (type, code, checksum, identifier, sequence number):
    [ 1 byte ] [ 1 byte ] [ 2 byte ] [ 2 byte ] [ 2 byte ]
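Why the alignment splits the last 2-byte field into two, shown on the page's own cluster output as an added Python example (not part of PI). With fewer than 256 packets the high byte of the sequence number never changes, so a per-column check sees a constant byte followed by a varying one and has no reason to join them; the identifier (05 be) is constant for the same reason. The rows are re-typed from the output above; the check that byte 7 tracks the capture index is what identifies it as a counter.

```python
# The ten aligned ICMP echo requests printed by PI above: capture index, then
# the first 8 bytes of the ICMP header.
PI_CLUSTER = """
0097 08 00 ad 4b 05 be 00 60
0039 08 00 30 54 05 be 00 26
0026 08 00 f7 b2 05 be 00 19
0015 08 00 01 db 05 be 00 0e
0048 08 00 4f df 05 be 00 2f
0040 08 00 f8 a4 05 be 00 27
0077 08 00 e8 28 05 be 00 4c
0017 08 00 e8 6c 05 be 00 10
0027 08 00 c3 a9 05 be 00 1a
0087 08 00 dd c1 05 be 00 56
"""


def parse_cluster(text):
    """-> list of (capture_index, header_bytes)."""
    rows = []
    for line in text.strip().splitlines():
        idx, *hexbytes = line.split()
        rows.append((int(idx), bytes(int(h, 16) for h in hexbytes)))
    return rows


def column_classes(rows):
    """'const' if a byte never changes across the cluster, else 'var'."""
    width = min(len(b) for _, b in rows)
    classes = []
    for col in range(width):
        values = {b[col] for _, b in rows}
        classes.append("const" if len(values) == 1 else "var")
    return classes


def guess_fields(classes):
    """Run-length group adjacent columns of one class into (offset, length, class)."""
    fields, start = [], 0
    for col in range(1, len(classes) + 1):
        if col == len(classes) or classes[col] != classes[start]:
            fields.append((start, col - start, classes[start]))
            start = col
    return fields


def correlates_with_index(rows, col, offset=-1):
    """True if byte `col` equals capture_index + offset in every row: a counter field."""
    return all(b[col] == (idx + offset) & 0xFF for idx, b in rows)


if __name__ == "__main__":
    rows = parse_cluster(PI_CLUSTER)
    classes = column_classes(rows)
    print(guess_fields(classes))
    for col, cls in enumerate(classes):
        if cls == "var" and correlates_with_index(rows, col):
            print("byte %d tracks the capture index: a sequence counter" % col)
```

Bytes 2-3 vary without tracking anything, which is what a checksum looks like from the outside; a capture with more than 256 packets would make byte 6 vary as well and let the two sequence bytes be grouped.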
$ $
ICMP$.
16$ . 100 $
, .
,
.
$
. $
, $
.1 PI $
, .
1
http://www.matasano.com/log/294/protocol+informatics/
448
22.
() $
, , . $
, $
.
, $
. ,
.
:
, ;
, $
;
, $
.
$
. , $
, $
10.
. $
, .
3 6 .
,
. $
, $
. :
1. .
2. ,
.
3. .
4. , $
.
,
() :
Initial population, with the fitness of each chromosome in the right column:

    0100100000   2
    1000001010   3
    1110100111   7
    0000001000   1

The two fittest chromosomes after selection (fitness 3 and 7), listed once per crossover in which they take part:

    1000001010   3
    1110100111   7
    1000001010   3
    1110100111   7

Offspring after crossover (left) and after mutation (right), with the resulting fitness:

    1000100111  ->  1010100111   6
    1110001010  ->  1110000010   4
    1000000111  ->  1000001111   5
    1110101010  ->  1110101110   7
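The four steps of the text (select, cross over, mutate, evaluate) on that population, as an added Python example; it is not the code of any tool the chapter names. The fitness in the table is the number of 1 bits, the crossover points that reproduce the listed offspring are 4 and 6 (read off the offspring, not stated on the page), and the mutations flip one bit each. `evolve` runs the loop with a seeded random generator so a run is repeatable.

```python
import random


def fitness(chromosome):
    """Fitness used in the table above: the number of 1 bits."""
    return chromosome.count("1")


def select(population, k):
    """Truncation selection: keep the k fittest, fittest last."""
    return sorted(population, key=fitness)[-k:]


def crossover(parent_a, parent_b, point):
    """One-point crossover: swap everything after `point` between the parents."""
    return parent_a[:point] + parent_b[point:], parent_b[:point] + parent_a[point:]


def mutate(chromosome, bit):
    """Flip one bit."""
    flipped = "0" if chromosome[bit] == "1" else "1"
    return chromosome[:bit] + flipped + chromosome[bit + 1:]


def next_generation(population, rng, k=2, mutation_rate=0.1):
    """One iteration: select, cross over, mutate, then the caller evaluates."""
    parents = select(population, k)
    children = []
    while len(children) < len(population):
        a, b = rng.sample(parents, 2)
        point = rng.randrange(1, len(a))
        for child in crossover(a, b, point):
            for bit in range(len(child)):
                if rng.random() < mutation_rate:
                    child = mutate(child, bit)
            children.append(child)
    return children[:len(population)]


def evolve(population, generations, seed=0):
    """Run the loop and return the fittest chromosome seen in any generation."""
    rng = random.Random(seed)
    best = max(population, key=fitness)
    for _ in range(generations):
        population = next_generation(population, rng)
        best = max([best] + population, key=fitness)
    return best


# the initial population from the table above
INITIAL = ["0100100000", "1000001010", "1110100111", "0000001000"]

if __name__ == "__main__":
    print("start:", [(c, fitness(c)) for c in INITIAL])
    print("best after 20 generations:", evolve(INITIAL, 20))
```

For a fuzzer the chromosome is a test case and the fitness is something measured on the target, such as the number of new basic blocks hit; the loop is the same.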
, , $
.
.
, $
$ .
, $
. , ,
.
, ,
$ .
$
(); $
BlackHat US 2006 .1 $
, Sidewinder,
. $
$, $
$ . $
. $
, API (, strcpy), $
. ,
Autodafej
, . $
(control$flow graph, CFG; $
2) ,
( recv) $
. . 22.5 CFG, $
. CFG
23 .
1 http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Embleton
2 http://en.wikipedia.org/wiki/Context-free_grammar
450
22.
recv
strcpy
. 22.5. ,
$
, . . 22.6
CFG $
.
CFG. $
$
. ,
. . 22.7
CFG . $
.
CFU, .
, $
,
CFU . $
.
, ,
.
, . $
. $
,
, , $
.
451
recv
strcpy
. 22.6.
recv
strcpv
. 22.7.
452
22.
Sidewinder , $
$
. , $
,
. $, CFG
. ,
$
. $, $
CFG. CFG $
. ,
$
, TLV. ,
,
CRC.
, .
, Sidewinder
, ,
,
.
, $
$
. $
, , $
.
, . , $
, $
. $
http://www.fuzzing.org.
23
, , ,
+ ,
.
$.,
$ CNN,
30 2000
,
, $
.
. $
, $
. ,
.
, $
. ,
, , $
, $
.
?
,
. . .
. , $
IA$32/x86 (Complex In$
454
23.
CISK RISC
CISC ( ) $
RISC ( ); $
1970 IBM.
, RISC$$
, CISC$
. $
$ $
, Apple Mac, $
PowerPC RISC.
, ,
x86$ , $
.3
1
2
http://www.intel.com/intelpress/chapter+scientific.pdf
,
. CISC $
, RISC.
http://www.openrce.org/blog/view/575
455
,
. $
,
.
, OllyDbg, $
, $
. , $
. $
, $ VoIP , $
,
.
$
;
$
, .
, , ,
.
$
, , +
. ,
.
, ,
, $.
, ,
, $
.
() .
, $
.
,
(. 23.1).
, . 23.1, , $
sub_ 8$ , $
. $
DataRescue Interactive Disassembler Pro (IDA Pro)1,
.
.
. . 23.1 $
1
http://www.datarescue.com
456
23.
sub_00000010()
sub_00000440()
_snprintf()
sub_00000220()
sub_00000110()
sub_00000AE0()
sub_00000550()
recv()
sub_00000330()
. 23.1.
; snprintf() recv().
, sub_00000110()
sub_00000330(), recv().
CFG
CFG$
. , $
. $
: ? $
,
, .
, :
;
;
.
:
;
.
.
, $
.
.
CFG
$
sub_00000010. [el] . 23.2
. $
+.
. 23.2.
457
00000010 sub_00000010
00000010     push    ebp
00000011     mov     ebp, esp
00000013     sub     esp, 128h
00000025     jz      00000050
0000002B     mov     eax, 0Ah
00000030     mov     ebx, 0Ah
00000050     xor     eax, eax
00000052     xor     ebx, ebx

Fig. 23.2. Disassembly of sub_00000010
$ $
. , $
0x00000010,
0x00000025.
0x0000002B, 0x00000050,
. $
CFG, . 23.2, ,
. 23.3.
[Figure 23.3: the listing of sub_00000010 split into basic blocks starting at 00000010, 0000002B and 00000050]
Fig. 23.3. Basic blocks of sub_00000010
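How a listing is cut into basic blocks, as an added Python example (not PIDA or IDA code) on the sub_00000010 listing from figure 23.2. Leaders are the function entry, every branch target and the instruction that follows a branch; a block runs from one leader to the instruction before the next, and the edges come from the last instruction of each block (taken and fall-through for a conditional jump). The listing is re-entered as tuples; the mnemonic sets cover what this listing needs and are an assumption of the example.

```python
import re

# The sub_00000010 listing from figure 23.2 as (address, mnemonic, operands).
LISTING = [
    (0x10, "push", "ebp"),
    (0x11, "mov",  "ebp, esp"),
    (0x13, "sub",  "esp, 128h"),
    (0x25, "jz",   "00000050"),
    (0x2B, "mov",  "eax, 0Ah"),
    (0x30, "mov",  "ebx, 0Ah"),
    (0x50, "xor",  "eax, eax"),
    (0x52, "xor",  "ebx, ebx"),
]

CONDITIONAL   = {"jz", "jnz", "je", "jne", "ja", "jb", "jg", "jl", "jge", "jle", "jbe", "jae"}
UNCONDITIONAL = {"jmp"}
TERMINATORS   = {"ret", "retn"}


def branch_target(operands):
    """Hex target out of operands like '00000050' or 'short loc_40208D'."""
    m = re.fullmatch(r"(?:short |near )?(?:loc_)?([0-9A-Fa-f]+)", operands.strip())
    return int(m.group(1), 16) if m else None


def basic_blocks(listing):
    """Split a function listing into {leader: instructions} and a list of edges."""
    addrs = [a for a, _, _ in listing]
    leaders = {addrs[0]}
    for i, (addr, mnem, ops) in enumerate(listing):
        if mnem in CONDITIONAL or mnem in UNCONDITIONAL:
            target = branch_target(ops)
            if target is not None:
                leaders.add(target)
            if i + 1 < len(listing):
                leaders.add(addrs[i + 1])

    starts = sorted(leaders)
    blocks, edges = {}, []
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else None
        body = [ins for ins in listing if ins[0] >= start and (end is None or ins[0] < end)]
        blocks[start] = body
        _, last_mnem, last_ops = body[-1]
        if last_mnem in CONDITIONAL:
            edges.append((start, branch_target(last_ops)))   # taken
            if end is not None:
                edges.append((start, end))                    # fall through
        elif last_mnem in UNCONDITIONAL:
            edges.append((start, branch_target(last_ops)))
        elif last_mnem not in TERMINATORS and end is not None:
            edges.append((start, end))                        # plain fall through
    return blocks, edges


if __name__ == "__main__":
    blocks, edges = basic_blocks(LISTING)
    for start, body in blocks.items():
        print("block %08x: %s" % (start, ", ".join("%08x" % a for a, _, _ in body)))
    print("edges:", ["%08x -> %08x" % e for e in edges])
```

A coverage tool that sets one breakpoint per block needs exactly this leader set: one breakpoint at 00000010, 0000002B and 00000050 tells it which side of the jz was taken without single-stepping.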
458
23.
$
.
, , . .
,
. , $
.
$
. , $
, , ,
$
. , OllyDbg $
debug\trace into debug\trace over.
PyDbg,
20 : $
, :
1. .
2. , $
.
3. $
.
4.
.
, PyDbg $
50 Python. $
, $
; .
, , $
http://www.fuzzing.org.
, $
. $
.
, $
:
.
, .
, ,
$
.
459
, ,
;
?
,
. , $
.
, :
?
?
?
?
?
$
?
?
$
.
, $
. $
, .
$
IDA Pro. $
IDA. $
, ,
, .
, $ , :
? $
,
. $
, .
$
. $
PyDbg, :
1. .
2. .
3. .
460
23.
4. $
.
5. $
.
$
$
,
, OlltDbg. $
, ,
.
PyDbg
PyDbg, $
. $
. $
.
$
PyDbg $
. , $
sysenter. $
, Microsoft Win$
dows. sysenter,
, ,
(. . ).
. :
from pydbg import *
from pydbg.defines import *

# breakpoint handler.
def on_bp (dbg):
    ea     = dbg.exception_address
    disasm = dbg.disasm(ea)

    # put every thread in single step mode.
    if dbg.first_breakpoint:
        for tid in dbg.enumerate_threads():
            handle = dbg.open_thread(tid)
            dbg.single_step(True, handle)
            dbg.close_handle(handle)

    print "%08x: %s" % (ea, disasm)
    dbg.single_step(True)
    return DBG_CONTINUE

# single step handler.
# (the page's listing is cut off here; this handler and the setup below
# complete it in the same shape as on_bp, with an assumed target path)
def on_ss (dbg):
    ea = dbg.exception_address
    print "%08x: %s" % (ea, dbg.disasm(ea))
    dbg.single_step(True)
    return DBG_CONTINUE

dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT,  on_bp)
dbg.set_callback(EXCEPTION_SINGLE_STEP, on_ss)
dbg.load("target.exe")
dbg.run()
461
, ,
, $
. $
, .
, $
. $
, . ,
,
.
,
, . $
$
. $
. $
,
.
.
462
23.
$
.
, $
, $
.
( ,
. .). , $
.
, , $
, :
?
?
?
$
?
$
, $
. ,
.
, Mi$
crosoft Outlook Express Network News
Transfer Protocol (NNTP)1, 14 2005 .
$
. $
Microsoft:
Outlook
Express, .
,
, +
. +
+
. , +
.
1 http://www.microsoft.com/technet/security/bulletin/MS05-030.mspx
463
, $
, , , IDS$
IPS$. , ,
Outlook Express NTTP$. $
, $ , $
Process Stalker.1
Process Stalker ; $
OpenRCE.2
, $
Outlook Express ,
, MSOE.DLL.
Process Stalker IDA Pro
4800 58 000 . $
, , . $
, , Process Stalker $
, Outlook
Express NTTP$. . $
, $
. $
, NTTP$
news:// URI$, Internet Explorer, $
$
Outlook Express, , $
, , $
, . NTTP$
,
. 23.4.
. 23.4.
1 http://www.openrce.org/downloads/details/171/Process_Stalker
2 https://www.openrce.org/articles/full_view/12
464
23.
,
. $
Process Stalker , $
GUI. NTTP$
Outlook Express. $
GUI
, $
NTTP$. $
91 . 1337 ,
, 747 .
58 000, , $
.
, $
,
26 . $
:
16$ .
!
$
( 1).
1PyDg, ,
$
PaiMei. PaiMei Python $
2. PaiMei $
, $
(
24 ). $
PAIMEIpstalker ( Pro$
cess Stalker, PStalker). ,
, , $
, $
. :
1 http://www.hbo.com/sopranos/
2 http://openrce.org/downloads/details/208/PaiMei
465
PIDA: pGRAPH , $
(DLL EXE), $
, $
. ,
.
PyDBG . $
PIDA . PIDA
, $
, . :
import pida

module = pida.load("target.exe.pida")

# step through each function in the module.
for func in module.functions.values():
    print "%08x %s" % (func.ea_start, func.name)

    # step through each basic block in the function.
    for bb in func.basic_blocks.values():
        print "\t%08x" % bb.ea_start

        # step through each instruction in the
        # basic block.
        for ins in bb.instructions.values():
            print "\t\t%08x %s" % (ins.ea, ins.disasm)
PIDA$ .
, .
, $
. $
, ,
PyDbg PIDA $
. PaiMei $
:
: $
. process_stalker.py, ,
$
;
: WxPython $
GUI$.
pstalker;
. $
pida_dump.py IDA$, Python. $
IDA Pro .PIDA.
PStalker $
WxPython GUI , , $
466
23.
PaiMei. $
$
.
PStalker Layout
PStalker , $
PaiMei. PStalker
(. 23.5) .
Data Source
, $
PIDA. Data Exploration
. Data Capture .
:
, .
, $
.
.
PIDA .DLL$ .EXE$, $
.
.
$
.
467
.
.
,
PStalker .
$
.
PaiMei, 1, , $
PStalker.
, .
MySQL$ Con'
nections Retrieve Target List
. $
.
Available Targets. , $
.
:
Load hits. $
.
Append hits. ,
, .
Export to IDA. $
IDA .
Sync with uDraw. $
uDraw.
.
Use for stalking. $
.
.
Filter tag. $
. $
.
Clear tag. , ,
. PStalker , $
. $
.
Expand tag. $
,
( ).
1 http://pedram.openrce.org/PaiMei/docs/PAIMEIpstalker_flash_demo/
468
23.
Target/tag properties. ,
, .
Delete tag. .
PIDA PIDA,
.
, $
PIDA. $
PIDA $
. PIDA $
.
.
. . $
.
,
, $
,
PIDA.
PIDA. $
.
Retrieve List $
, .
$
. Functions
Basic Blocks .
Restore BPs ,
. . $
.
Heavy , $
.
. Unhandled Only, $
,
.
,
Attach and Start Tracking. $
.
469
$
. $
, DataRescues IDA Pro, , $
IDA Pro. , $
, .
. $
IDA Pro Make final pass , $
. , , $
,
.
,
PStalker. $
. $
. ,
.
MySQL.
: cc_hits, cc_tags, cc_targets.
, cc_targets $
, $
, :
CREATE TABLE `paimei`.`cc_targets` (
    `id`     int(10) unsigned NOT NULL auto_increment,
    `target` varchar(255) NOT NULL default '',
    `notes`  text NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM;
SQL$ cc_tags,
, $
, :
CREATE TABLE `paimei`.`cc_tags` (
    `id`        int(10) unsigned NOT NULL auto_increment,
    `target_id` int(10) unsigned NOT NULL default '0',
    `tag`       varchar(255) NOT NULL default '',
    `notes`     text NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM;
, cc_hits $
:
CREATE TABLE `paimei`.`cc_hits` (
    `target_id`   int(10) unsigned NOT NULL default '0',
    `tag_id`      int(10) unsigned NOT NULL default '0',
    `num`         int(10) unsigned NOT NULL default '0',
    `timestamp`   int(10) unsigned NOT NULL default '0',
    `eip`         int(10) unsigned NOT NULL default '0',
    `tid`         int(10) unsigned NOT NULL default '0',
    `eax`         int(10) unsigned NOT NULL default '0',
    `ebx`         int(10) unsigned NOT NULL default '0',
    `ecx`         int(10) unsigned NOT NULL default '0',
    `edx`         int(10) unsigned NOT NULL default '0',
    `edi`         int(10) unsigned NOT NULL default '0',
    `esi`         int(10) unsigned NOT NULL default '0',
    `ebp`         int(10) unsigned NOT NULL default '0',
    `esp`         int(10) unsigned NOT NULL default '0',
    `esp_4`       int(10) unsigned NOT NULL default '0',
    `esp_8`       int(10) unsigned NOT NULL default '0',
    `esp_c`       int(10) unsigned NOT NULL default '0',
    `esp_10`      int(10) unsigned NOT NULL default '0',
    `eax_deref`   text NOT NULL,
    `ebx_deref`   text NOT NULL,
    `ecx_deref`   text NOT NULL,
    `edx_deref`   text NOT NULL,
    `edi_deref`   text NOT NULL,
    `esi_deref`   text NOT NULL,
    `ebp_deref`   text NOT NULL,
    `esp_deref`   text NOT NULL,
    `esp_4_deref` text NOT NULL,
    `esp_8_deref` text NOT NULL,
    `esp_c_deref` text NOT NULL,
    `esp_10_deref` text NOT NULL,
    `is_function` int(1) unsigned NOT NULL default '0',
    `module`      varchar(255) NOT NULL default '',
    `base`        int(10) unsigned NOT NULL default '0',
    PRIMARY KEY (`target_id`, `tag_id`, `num`),
    KEY `tag_id` (`tag_id`),
    KEY `target_id` (`target_id`)
) ENGINE=MyISAM;
cc_hits:
target_id tag_id. $
.
num. , $
, $
.
timestamp. UNIX$ (1 $
1970 , 00:00:00 GMT) , $
.
eip. , $
. $
.
471
tid. ,
eip. Windows $
, $
.
eax, ebx, ecx, edx, edi, esi, ebp esp.
$
. $
deref, ASCII$, $
. ASCII$
(stack), (heap) (global), $
. N/A , $
, $
.
esp_4, esp_8, esp_c esp_10. $
(esp_4 = [esp+4], esp_8 = [esp+8], . .).
is_function. . 1 ,
( eip) .
module. , .
base. ,
. $
eip , $
.
$
, Pstalker.
Pstalker $
. $
Gizmo Project1, VoIP Instant Messaging
(IM). . 23.6 $
Gizmo Project, .
Gizmo ,
. $
Skype2, Gizmo $
VoIP, Session Initiation Protocol (SIP RFC 3261),
. Gizmo
SIP$ . $
Gizmo VoIP.
, , $
.
1 http://www.gizmoproject.com/
2 http://www.skype.com/
472
23.
Gizmo
Map it
Gizmo
SIP$. , VoIP$$
, , SIP,
. $
SIP$. $
, $
, PROTOS
Test$Suite: c07$sip.1 4527 $$
, Java JAR$. $
INVITE$,
. PROTOS $
,
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
473
Codenomicon.1 SIP$
$
31 971 $.
, Utilize PStalker $
PROTOS. $
, $
.
.
$ PROTOS
20 .
:
$ java -jar c07-sip-r2.jar -h
Usage java -jar <jarfile>.jar [ [OPTIONS] | -touri <SIP-URI> ]
  -touri <addr>        Recipient of the request
                       Example: <addr> : you@there.com
  -fromuri <addr>      Initiator of the request
                       Default: user@pamini.unity.local
  -sendto <domain>     Send packets to <domain> instead of domainname of -touri
  -callid <callid>     Call id to start testcase call ids from
                       Default: 0
  -dport <port>        Portnumber to send packets on host.
                       Default: 5060
  -lport <port>        Local portnumber to send packets from
                       Default: 5060
  -delay <ms>          Time to wait before sending new testcase
                       Defaults to 100 ms (milliseconds)
  -replywait <ms>      Maximum time to wait for host to reply
                       Defaults to 100 ms (milliseconds)
  -file <file>         Send file <file> instead of testcase(s)
  -help                Display this help
  -jarfile <file>      Get data from an alternate bugcat JAR-file <file>
  -showreply           Show received packets
  -showsent            Show sent packets
  -teardown            Send CANCEL/ACK
  -single <index>      Inject a single testcase <index>
  -start <index>       Inject testcases starting from <index>
  -stop <index>        Stop testcase injection to <index>
  -maxpdusize <int>    Maximum PDU size
                       Default to 65507 bytes
  -validcase           Send valid case (case #0) after each testcase and wait
                       for a response. May be used to check if the target is
                       still responding. Default: off
http://www.codenomicon.com/
474
23.
, $
,
java -jar c07-sip-r2.jar -touri 17476624642@10.20.30.40 \
                         -teardown \
                         -sendto 10.20.30.40 \
                         -dport 64064 \
                         -delay 2000 \
                         -validcase
( touri).
delay Gizmo , $
, GUI $.
validance , PROTOS $
, $ .
, $
. , Gizmo $
. Gizmo, $
. 250 $.
$, !
Gizmo
[*] 0x004fd5d6 mov eax,[esi+0x38] from thread 196 caused access violation
when attempting to read from 0x00000038

CONTEXT DUMP
  EIP: 004fd5d6 mov eax,[esi+0x38]
  EAX: 0419fdfc (  68812284) -> <CCallMgr::IgnoreCall() (stack)
  EBX: 006ca788 (   7120776) -> e(elllllllllllllllllllll (PGPlsp.dll.data)
  ECX: 00000000 (         0) -> N/A
  EDX: 00be0003 (  12451843) -> N/A
  EDI: 00000000 (         0) -> N/A
  ESI: 00000000 (         0) -> N/A
  EBP: 00000000 (         0) -> N/A
  ESP: 0419fdd8 (  68812248) -> NR (stack)
  +00: 861c524e (2250003022) -> N/A
  +04: 0065d7fa (   6674426) -> N/A
  +08: 00000001 (         1) -> N/A
  +0c: 0419fe4c (  68812364) -> xN (stack)
  +10: 0419ff9c (  68812700) -> raOo|hoho||@ho0@*@b0zp (stack)
  +14: 0061cb99 (   6409113) -> N/A

disasm around:
  0x004fd5c7 xor eax,esp
  0x004fd5c9 push eax
  0x004fd5ca lea eax,[esp+0x24]
  0x004fd5ce mov fs:[0x0],eax
  0x004fd5d4 mov esi,ecx
  0x004fd5d6 mov eax,[esi+0x38]
  0x004fd5d9 push eax
  0x004fd5da lea eax,[esp+0xc]
  0x004fd5de push eax
  0x004fd5df call 0x52cc60
  0x004fd5e4 add esp,0x8

SEH unwind:
  0419ff9c -> 006171e8: mov edx,[esp+0x8]
  0419ffdc -> 006172d7: mov edx,[esp+0x8]
  ffffffff -> 7c839aa8: push ebp
touri dport , $
5060 ( SIP$)
Gizmo.
. 23.7 $
.
17476624642 Gizmo, 64064
SIP$.
, , $
, .
.
SIP, $
. , , $
SIPPhoneAPI.dll.
IDA Pro
pida_dump.py SIPPhoneAPI.pida. $
,
. PaiMei $
476
23.
. PaiMei
$.1 (. 23.8) $
Gizmo Idle,
Gizmo .
,
,
. Idle (. 23.9)
SIPPhoneAPI PIDA (. 23.10).
. 23.9. Idle
1
http://pedram.openrce.org/PaiMei/docs/
477
. 23.11.
,
.
. 23.11 ,
. Refresh Process List $
. $
Gizmo, .
Coverage Depth Basic Blocks $
. . 23.10,
25 000 . ,
, ,
, .
Restore BPs , $
. , $
.
, Heavy. ,
. ,
,
$ .
478
23.
Start Stalking
Gizmo . $
,
PaiMei. $
PStalker. $
:
[*] hit 10221d31 cc #1
[*] hit 10221d4b cc #2
[*] hit 10221d67 cc #3
[*] hit 10221e20 cc #4
[*] hit 10221e58 cc #5
[*] hit 10221e5c cc #6
[*] hit 10221e6a cc #7
[*] hit 10221e6e cc #8
[*] hit 10221e7e cc #9
[*] hit 10221ea4 cc #10
[*] hit 1028c2d0 cc #11
[*] hit 1028c30d cc #12
[*] hit 1028c369 cc #13
[*] hit 1028c37b cc #14
...
. , $
, SIP,
Gizmo, .
,
479
. 23.12.
, PROTOS 6% 9% $
SIPPhoneAPI. $
, ,
$ .
$ , $
, ,
. , $
,
$. , Gizmo
$ PROTOS $
, Gizmo ,
.
$
, .
, PROTOS 1/7 $
, , $
7 ? , . ,
, $
.
,
?
.
, .
QA $
480
23.
, $
, $
.
, $
$, Codenomicon. $
,
, . $
:
.
, $
. $
, $
, ,
. .
, , $
, VoIP, ,
. $
, $
. ,
: VoIP 45 000 $
$. $
? , 45 000 $ 5000
. , , $
$
. , $
. $
$
: VoIP
45 000 $, 90% .
QA$ , $
$. $
. , $
, $, $
, parse_sip(). $
, , ,
, . $
. $
$
, .
,
,
$
. QA$ $
, . $
QA , $
481
,
.
, .
, $
, ,
.
, $
. ,
, . ,
, ,
.
, ,
.
$
.
$
, , , $
. , , $
, . ,
, $
$.
.
. 18.5.2
3B1 2
Intel IA32, Pentium 4 Xeon
:
BTF (single-step on branches) flag (bit 1)
TF EFLAG
,
. $
, (.
18.5.5 , $
).
, , $
.
1
2
ftp://download.intel.com/design/Pentium4/manuals/25366919.pdf
http://www.intel.com/products/processor/manuals/index.htm
482
23.
,
. , $
,
. , $
,
.
, ;
$ .
. $
PyDbg, ,
Branch Tracing with Intel MSR Registers1 OpenRCE $
. $
.
( ). ,
, ; $
, , $
. ,
. , ,
, . 23.13.
. 23.13.
, $
A, B, D $. $
? ,
$? $
http://www.openrce.org/blog/view/535
483
, $
, :
ABD
ABCD
ACD
, , $
, .
, , ,
66% .
$.
$
, , $
Python. , $
$
.
, $
. : ? $
: ?
, $
.
PaiMei
Pstalker . ,
. $
, .
$
.
$
,
, $
.
24
, .
$.,
, ,
31 2000
, . , .
, , $
. , $
. ,
$
. :
. $
, , , $
, $
.
$
, .
, , $
(dynamic binary instrumentation (DBI)). , $
, , , $
, , .
485
, 50 000
IMAP$,
IMAP$ ,
$? . .
, $ , $
, $
. , , .
$. , , $
$, PROTOS $
. IMAP, ,
, $ :
x001 LOGIN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
x001 LOGIN %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
TCP$
$ 143 ( IMAP$). $
, $ $
. , Codenomicon, , $
($ ) $. $
:
for case in test_cases:
    fuzzer.send(case)                  # deliver the next test case to the target
    if not fuzzer.tcp_connect(143):    # liveness check: can we still reach the IMAP port?
        fuzzer.log_fault(case)         # no connection: the target died on this case
,
. , ,
paimei whiteeyebrow IMAP$, $
, , $
paimei.
,
$.
:
for case in test_cases:
    fuzzer.send(case)                                      # deliver the next test case
    if not fuzzer.imap_login("paimei", "whiteeyebrow"):    # deeper check: does a real login still work?
        fuzzer.log_fault(case)                             # the service is up but no longer functional
, , $
, $
. .
, , , IMAP$$
500$ $ . !
486
24.
, !
, ,
, 500$ $, , $
, . ? $
. , , $
$ IMAP$$
, 500$ $ $
. 500$ $
.
, +
.
: , $ $
1$ 499$ IMAP$, 500$ $
, , $
. ,
. :
# find the upper bound:
for i in xrange(1, 500):
    # replay cases 1..i, then the case (500) that showed the fault
    for j in xrange(1, i + 1):
        fuzzer.send(j)
    fuzzer.send(500)
    if not fuzzer.tcp_connect(143):
        # target died: i is the shortest prefix that still triggers the fault
        upper_bound = i
        break
    fuzzer.restart_target()

# find the lower bound:
for i in xrange(upper_bound, 0, -1):    # step -1: walk back from the upper bound
    # replay cases i..upper_bound, then case 500
    for j in xrange(i, upper_bound + 1):
        fuzzer.send(j)
    fuzzer.send(500)
    if not fuzzer.tcp_connect(143):
        # first set (walking down) that still kills the target: i is the lower bound
        lower_bound = i
        break
    fuzzer.restart_target()
,
.
1$ n$ , 500$, n 1.
, $
.
. $
$, $
500$
487
. , , , $
, $
$. , , $
$ 15$ 20$ 500, $
15$ 20$ $
. .
$
. ,
, . ,
, .
?
, , $
.
. , ,
, $
, .
, , $
. $
, . $
, ,
, $ .
,
. $
. , $
.
, , $
,
$
.
IMAP$. $
,
, ,
. $
, . $
, $
, :
;
.
. C
488
24.
[Fig. 24.1 (figure not reproduced; labels only, listed from the high address downward): 0x12FFFEEE; arg2; arg1; EIP; EBP; int x; char buf[16]; int y; 0x12000000]
, , $
. 24.1.
#include <string.h>

/* Deliberately vulnerable: strcpy() copies arg2 into the 16-byte buf
   with no length check, so a long arg2 overwrites the saved EBP/EIP. */
void taboo (int arg1, char *arg2)
{
    int  x;
    char buf[16];
    int  y;

    strcpy(buf, arg2);
}
, $
, $
,
.
taboo() , $
. CALL $
(
EIP) . , , $
. $
($
EBP) . ,
($
ESP). ,
. 24.1.
489
. 24.1,
.
. arg2 16 ($
buf), strcpy()
buf , $
x, ,
, . . $
, arg2 A, EIP $
0x41414141 (0x41 $
ASCII$ A).
taboo() , RETN $
EIP $
, 0x41414141.
0x41414141
.
, $
0x41414141 $
ACCESS_VIOLATION. , $
arg2, 16, 20 ,
.
, $
(NX1) , $
0x41414141 ACCESS_VIOLATION. ,
, . , $
. $
.
$
C, (. . 24.1):
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable variant: the loop reads past buf when arg1 is
   larger than the buffer, and strcpy() overflows buf (and the pointer x)
   before *x is dereferenced. */
void taboo_two (int arg1, char *arg2)
{
    int  *x;
    char buf[] = "quick brown dog.";
    int  y = 10;

    x = &y;
    for (int i = 0; i < arg1; i++)
        printf("%02x\n", buf[i]);
    strcpy(buf, arg2);
    printf("%d\n", *x);
}
http://en.wikipedia.org/wiki/NX_bit
490
24.
, $
,
x y. $
buf, $
arg1. $
, ,
, 16 printf().
, , $
, .
x,
, $
, . . arg1
ACCESS_VIOLATION ,
, ,
, $
.
, $
. , , , arg2
20 A ( 4 , buf),
$ x; $
,
. , printf(), $
, $
ACCESS_VIOLATION 0x41414141.
, $
, $
:
#include <syslog.h>

/* Deliberately vulnerable: message is passed as the format string.
   The priority argument is added so the call matches syslog(3). */
void syslog_wrapper (char *message)
{
    syslog(LOG_INFO, message);
}
API$ syslog() $
.
syslog() ,
message, , ,
. $
, $
, , . , $
%s%s%s%s%s, 5
,
. $
%s ACCESS_VIOLATION.
, , $
, NULL$, ,
491
NULL. , $
$
.
$
C, (. . 24.1):
/* Deliberately vulnerable: arg1 indexes buf with no bounds check,
   so a single NUL byte can be written outside buf, onto the stack. */
void taboo_three (int arg1, char *arg2)
{
    int  x;
    char buf[] = "quick brown dog.";
    int  y;

    buf[arg1] = '\0';
}
, $
, , $
buf , arg1. $
, 16 $
.
, , $
, , .
, ,
.
;
, , $
:1
char *A = malloc(8);
char *B = malloc(16);
char *C = malloc(24);
strcpy(A, "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP");   /* far more than 8 bytes: runs over the chunk header of B */
free(B);                                            /* unlinking B now uses the overwritten forward/backward pointers */
, .
, $
. 24.2.
. 24.2.
http://doc.bughunter.net/buffer+overflow/free.html
492
24.
strcpy(), ,
A, ,
P. ,
. $
? free(B)
B A C. :
B->backward->forward = B->forward
B->forward->backward = B->backward
, , strcpy(),
B 0x50505050 (0x50 $
ASCII$ P). $
.
,
.
. $
, $
$
C$
.1 $
, .
,
, $
, $
DoS. , $
, .
1
http://www.cs.drexel.edu/~spiros/research/papers/WCRE03a.pdf
, $
$
, $
. , , ,
, $
493
, $
. $
.
, . . ,
, .
, , , $
, , $
. A
0x41414141.
, , $
ACCESS_VIOLATION; $
, . $
, $
, , .
4
, ?
( 0x80000000-0xFFFFFFFF),
.
, $
. , $
%s, $
.
%s ,
, , $
, .
? , $
,
%n .
%n ,
$
. %n, %s, $
, $
. %n%s
, %n $
(. 6 )
, .
6
.
,
,
494
24.
. ,
,
. , $
PaiMei.1 $
,
, . 24.3. ,
Windows$, ,
, Intel IA$32.
. 24.3.
, , $
IMAP$.
, .
. $
,
,
, $
, , $
. , $
Python:
from pydbg import *
from pydbg.defines import *
import utils

def av_handler (dbg):
    # called by PyDbg on an access violation; crash_binning records the
    # context of the faulting thread (registers, stack unwind, SEH chain)
    crash_bin = utils.crash_binning.crash_binning()
    crash_bin.record_crash(dbg)
https://www.openrce.org/downloads/details/208/PaiMei
495
PaiMei $
, , Python .
,
$
Windows PyDbg1.
. PaiMei.utils2 ,
. $
crash_binning, .
while, $
PyDbg av_handler()
ACCESS_VIOLATION. , $
, .
$
.
$
, , .
$
run() ( debug_event_loop()).
$
av_handler().
$
PyDbg.
PaiMei$ crash_binning.
, $
. , , $
record_crash():
. , ,
, ACCESS_VIOLATION.
. , ,
.
1
2
http://pedram.redhive.com/PaiMei/docs/PyDbg/
http://pedram.redhive.com/PaiMei/docs/Utilities/
496
24.
. , $
.
. $
, . 4
1234
0xDEADBEEF 0xC0CAC01A
.
64 Windows
32$ Windows ,
. .
EBP. $
EBP. $
EBP+4. $
(TEB), FS1: FS[4] $
FS[8] .
, $
, EBP$ .
, , $
EBP $
. EBP$ $
EBP:
MOV EAX, [EBP-0xC]       ; EBP-based framing
MOV EAX, [ESP+0x44-0xC]  ; frame pointer omitted
, $
,
. Microsoft 64$$
,
MSDN.2 , $
( $
)
, Portable Executable$$
(PE)3, .
1
2
3
http://openrce.org/reference_library/files/reference/Windows%20Memory%20Layout,%20User-Kernel%20Address%20Spaces.pdf
http://msdn2.microsoft.com/en-us/library/7kcdt6fy.aspx
http://www.uninformed.org/?v=4&a=1&t=sumry
497
. .
. , .
. $
, . $
.
. .
32$$
Windows$, , $
, . $
23 $
.
SEH+. (Structured Exception Handler (SEH)). ,
, ,
, ,
.
,
, $ , $
.
, , $
$.
, , $
, record_crash(), $
, . while $
. PyDbg,
20 : .
, . PyDbg
$
. , .
, $
, $
, , $, .
,
.
.
IMAP, . $
: , 50 000 $
$. $
, 1000 $
. $
, , .
:
498
24.
Test case 00005: x01 LOGIN %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=11223300 ECX=FFFF7248
EIP=0x00112233: REP SCASB
Test case 00017: x01 AUTHENTICATE %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=00000000 ECX=FFFFFF70
EIP=0x00112233: REP SCASB
Test case 00023: x02 SELECT %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=47392700 ECX=FFFEEF44
EIP=0x00112233: REP SCASB
. $
$
( ). , $
, ,
$ , $
. ,
REP SCASB, $
, 1000 .
.
. SCASB IA$32
, AL (
EAX). AL=0.
REP ECX,
ECX 0. ECX
. ,
. ,
.
. 1000 $, ,
,
( ).
(, ). ? , .
, PaiMei$ crash binning
.
.
record_crash() $
. . $
1000 50 000 $ :
50 000 $ 650 0x00112233,
300 0x11335577, 20 0x22446688 . . $
:
from pydbg import *
from pydbg.defines import *
import utils

crash_bin = utils.crash_binning.crash_binning()

def av_handler (dbg):
    # record this crash, then print a per-address summary of everything binned so far
    global crash_bin
    crash_bin.record_crash(dbg)
    # signal the fuzzer.
    for ea in crash_bin.bins.keys():
        print "%d recorded crashes at %08x" % \
            (len(crash_bin.bins[ea]), ea)
    print crash_bin.crash_synopsis()
    dbg.terminate_process()

# target_program and arguments must name the fuzzed process before this loop runs
while 1:
    dbg = pydbg()
    dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, av_handler)
    dbg.load(target_program, arguments)
    # signal the fuzzer.
    dbg.run()
,
. : $
$
.
,
. $
,
. $
,
crash_synopsis().
$
$
, . $
. $
$
, (. 24.4).
. 24.4
.
. $
, . $
50 000 $ 650
0x00112233, 300 0x11335577, 20
0x22446688 50 000 $ 650
0x00112233, 400 x, y, z, 250 a, b, z
. . , $
.
500
24.
[Fig. 24.4 (figure not reproduced; labels only): 0x33234567, 0x77234567, 0x66234567, 0x11234567, 0x55234567, 0x11234567, 0x22234567, 0x44234567; logger(); 0x00112233, 0x11335577, 0x22446688]
0x00112233 0x11335577. $
,
.
logger(). ? , $
.
IMAP$, , $
IMAP$
. , $
,
. $
.
:
.
, , Microsoft Windows , $
501
.1 ,
. , ,
. , $
, , .
, $
, . $
, $
, EXCEPTION_DEBUG_INFO.2
PyDbg $
:
def access_violation_handler (dbg):
    if dbg.dbg.u.Exception.dwFirstChance:
        # first chance: the target's own exception handlers have not yet seen it
        pass
    else:
        # last chance: no handler dealt with it, the process is about to die
        pass
dwFirstChance , $
. $
? , ,
. , ,
IMAP$
$
logger():
#include <stdio.h>
#include <windows.h>

static FILE *log_file;

void logger (char *message)
{
    __try
    {
        // format string vulnerability: message is used as the format
        fprintf(log_file, message);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // a fault raised inside fprintf() is swallowed here
        fprintf(log_file, "Log entry failed!\n");
    }
}
try/except fprintf() $
. , fprintf() $
, fprintf() .
, $
, IMAP$
1
2
http://msdn.microsoft.com/msdnmag/issues/01/09/hood/
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcecoreos5/html/wce50lrfexceptiondebuginfo.asp
502
24.
. , $
! , .
, , $
. $
, . $
, .
, $
, $
.
.
. ,
5 ,
DBI. , $
,
. , $
, $
. DBI $
.
23 , $
,
, , $
. DBI
, $
$ .
. $
$
RISC$ .
DBI
$ . API DBI $
.
DBI$, DynamoRIO1, DynInst2 Pin3. DynamoRIO,
,
HewlettPackard. DynamoRIO $
1
2
3
http://www.cag.lcs.mit.edu/dynamorio/
http://www.dyninst.org/
http://rogue.colorado.edu/pin/
503
,
strcpy(). , $
. $
.
$
$
, free().
DBI $
.
$
.
,
.
$
.
, , .
,
DBI, . , $
1
2
3
http://www.determina.com/products/memory_firewall.asp
http://www.determina.com/
http://www.determina.com/products/memory_firewall.asp
504
24.
. $
, IBM Rational Purify1, Compuware DevPartner
BoundsChecker2, OC Systems RootCause3 Parasoft Insure++4. Purify,
, Static Binary Instrumentation (SBI), BoundsChecker SBI DBI. ,
$
. , $
Valgrind5. Valgrind
DBI, ,
Memcheck, $
. Valgrind
, $
Annelid.6
, $
$, $
.
, $
. DBI, DBI$
, $
.
, ,
$
$. $
, $ , $
, .
$
.
1
2
3
4
5
6
http://www-306.ibm.com/software/awdtools/purify/
http://www.compuware.com/products/devpartner/visualc.htm
http://www.ocsystems.com/prod_rootcause.html
http://www.parasoft.com/jsp/products/home.jsp?product=Insure
http://valgrind.org/
http://valgrind.org/downloads/variants.html?njn
IV
25.
26.
25
: ?
$.,
, ,
11 2000
, $
, ,
.
, $
: , $
. $
(SDLC, software development lifecycle) , $
.
$ $
$
,
, SDLC. Microsoft $
Trustworthy Computing Security
Development Lifecycle (
, ).1 $
1
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp
508
25.
, , $
, $
(Security Development Lifecycle, SDL). Microsoft
SDL, SDLC; $
. 25.1.
, Microsoft
SDLC. $
, $
SDLC.
SDLC,
. ,
$
.
SDLC ,
(Winston Royce)1 $
1
http://en.wikipedia.org/wiki/Waterfall_process
509
. $
: $
. . 25.2.
.
Microsoft
, Microsoft
SDLC. Microsoft
, , $
. , Microsoft , $
,
.
, , Microsoft Internet Information Services (IIS)1,
$ Microsoft. 14 $
5.x.2 6.x,
2003 , 3, $
.
$
$
/GS4, (Data Execution
Prevention, DEP) $
(Safe Structured Exception Handling, SafeSEH)5; $
Windows Vista $
(Address Space
Layout Randomization, ASLR).6 Microsoft $
$
, , Secure Windows Initiative.7 , $
$
, .
1
2
3
4
5
6
http://www.microsoft.com/WindowsServer2003/iis/default.mspx
http://secunia.com/product/39/?task=advisories
http://secunia.com/product/1438/?task=advisories
http://msdn2.microsoft.com/en-US/library/8dbf701c.aspx
http://en.wikipedia.org/wiki/Data_Execution_Prevention
http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf
http://www.microsoft.com/technet/Security/bestprac/secwinin.mspx
510
25.
. 25.2.
,
. $
, $
. SDLC , $
,
,
.
$
. $
,
. $
,
.
, $
. $
, .
, $
. ,
. , $
Linux, .
Windows,
ActiveX,
$? ,
COM$.
$
SDLC. , , $
511
, , , $
$
(Extensible Messaging and Presence Protocol, XMPP). $
XML$,
1999 Jabber.1
.
$
XMPP XMPP .
. , $
. , ,
.
, . $
, , $ $
. ,
.
$
.
,
. $
$
.
,
. $
, . $
ActiveX, .
19 20
: ,
. $
$
,
, , $
.
, $
, $
, $
http://www.jabber.org/
512
25.
. ,
, , $
. ,
, $
,
. ,
SLDC ,
. ,
.
, $
. $
, . . . $
, $
. ,
, SLDC, . .
.
,
, $
, . SDLC $
$
, $
, .
,
$
, . $
. ,
$
, $
, $
. $
, , $
, , ,
.
, $
, , $
, , $
. $
, ,
, . $
, $
. ,
513
$
$
. , $
, ,
$ . ,
32$ , 64$.
,
.
$
.
, ,
. $
,
, $
,
.
SDLC
, $
,
. , $
, SDLC , $
. , $
. .
$
SDLC, .
$
. $
, .
, $
$
, .
$
(IDE), $
. , Microsoft Visual Studio IDE $
C# Visual Basic Windows, Eclipse
Java $
.
IDE$$
,
514
25.
. DevInspect1
SPI Dynamics, ,
. DevInspect , $
Visual Studio Eclipse ,
, $
ASP.Net Java .
$
, . , , $
$ ,
,
.
, $
, .
$
. , $
$
. ,
, .
, $
. $
, ,
,
,
. $
. $
.
$ .
$
$
.
SDLC. $
. SDLC $
,
. , Microsoft
BlueHat Security Briefings2,
.
1
2
http://www.spidynamics.com/products/devinspect/
http://www.microsoft.com/technet/security/bluehat/sessions/default.mspx
515
$
SDLC.
, , $
, . 25.3.
,
$
.
, $
,
.
[Fig. 25.3 (figure not reproduced; labels only): 100X, 15X, 6.5X, 1X; SDLC]
, $
: , $
. ,
, . $
,
.
$
SDLC. $
, .
,
,
.
26
, .
$.,
3 11 .
, ,
20 2001
?
,
SDLC. $
, ,
, $
.
, , $
.
,
. $
$
. Microsoft $
SDLC, ,
$
.
, .
517
1
2
3
http://www.beyondsecurity.com/
http://www.securiteam.com/
http://www.beyondsecurity.com/beSTORM_FAQ.pdf
518
26. ,
http://www.breakingpointsystems.com/
519
BPS$1000 AC$
,
$.
Codenomicon1
Codenomicon , ,
. Codenomicon
PROTOS2, , $
. (, ). PROTOS $
2002 , $
,
SNMPv1. PROTOS
SNMPv1 $
.
, $
, , $
, .3
, $
, ,
. $
PROTOS SNMPv1 ,
, $
$
.4 PROTOS
$
, :
WAP Wireless Application Protocol ( $
)
HTTP Hypertext Transfer Protocol ( $
)
LDAPv3 Lightweight Directory Access Protocol v3 (
)
SNMPv1 Simple Network Management Protocol v1 ( $
)
SIP Session Initiation Protocol ( )
H.323 , $
1
2
3
http://www.codenomicon.com/
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html#h-ref2
http://www.cert.org/advisories/CA-2002-03.html
520
26. ,
, PROTOS.
, $
, . 26.3.
Codenomicon
( ). $
$30 000 .
, $
, $
, , , , $
. $
. Codenomicon $
, ,
. 24 $
521
, $
.
Mu Security Mu4000
Mu Security Mu$40004, $
,
. Mu$4000 $
, BreakingPoint,
$ ,
. $
Mu$4000 $
Linux,
Mu ,
. Mu ,
. , DHCP,
. 26.5.
1
2
3
4
http://www.gleg.net/protover_pro.shtml
http://www.gleg.net/products.shtml
http://www.immunitysec.com/products-canvas.shtml
http://www.musecurity.com/products/mu-4000.html
522
26. ,
. 26.5. Mu Security Mu-4000
523
http://www.securityinnovation.com/holodeck/
524
26. ,
, ,
, $
.
$ , , $
. $
.
, , $
, $
. , $
. $
.
, ,
? 23 $
,
. , $
.
. $
,
,
$
. ,
$,
$
. , $
.
, , $
; $
. $
, ,
, ,
. $
$
, $
, $
. ,
, Microsoft Visual Studio Eclipse. $
$
525
$
, IBM Mercury. , $
,
.
DevInspect SPI Dynamics QAInspect,
.
? $
, .
$
. $
, , $
, $
,
. $
, .
, $
,
.
, $
24. $
. ,
.
. , $
( 24), IBM, Compuware, Para$
soft OC Systems , ,
, .
, , $
. $
, $
. ,
$
. ? $
, , $
$
: $
, .
Accept, , 143
Accept-Encoding, , 143
Accept-Language, , 143
ActiveX, , 304
Adobe Acrobat PDF,
, 313
WinZip FileView, 317
, 304
, 307
, 316
, 309
, 317
, ,
, 312
, 316
, 292
Adobe Acrobat PDF
, 313
, ,
211
AIM (AOL Instant Messenger), ,
73
, 74
, 75
, 75
ap.getPayload(), , 373
apKeywords(), , 371
Apple Macbook, , 247
argv, , 125
ASCII, , 221
ASP (application service provider), 135
ASP.Net, 137
Autodafé, 387
av_handler(), , 495
AWStats Remote Command Execution
Vulnerability, $, 139
AxMan, 49
BeginRead(), , 174
BeginWrite(), , 174
beSTORM, 161, 517
BinAudit, 43
BindAdapter(), , 278
bit_field, , 395
Blaster, , 244
BoundsChecker, 504
bp_set(), , 350
BreakingPoint, 518
btnRequest_Click(), , 175
BVA (boundary value analysis), 45
byref(), , 336
C
cc_hits, , 469
CCR (
), , 100
cc_tags, , 469
CFG (control-flow graph)
, 450
, 450
, 449
CFG (control-flow graphs), 456
$,
456
CGI (Common Gateway Interface), 136
CISC (Complex Instruction Set Computer),
, 454
clfuzz, 61
Code Red, , 244
Codenomicon, 64, 519
, 47
HTTP, 161
COM (Component Object Model), 303
527
ActiveX,
Adobe Acrobat PDF,
, 313
WinZip FileView, 317
, 305
Raider, 292
VARIANT, , 313
, 304
, 304
, 304
commands, , 119
Common Gateway Interface (CGI), 136
Computer Associates Brightstor,
, 441
CONNECT, , 146
Connection, , 144
ContinueDebugEvent(), , 340
Convert, 385
Cookie, , 144
cookies, 150
crashbin_explorer.py, , 423
CRC (Calculating Cyclic Redundancy
Check), , 369
CREA, , 266
CreateFile(), , 318
CreateProcess(), , 36, 318
CreateProcess, , 338
create_string_buffer(), , 336
CSRF (Cross-Site Request Forgery), 155
CSS (Cascading Style Sheet)
CSSDIE, , 48, 65, 293
, 294
CSSDIE, 48, 65, 293
ctypes, , 335
D
DataRescue Interactive Disassembler Pro
(IDA Pro), 455
DBI (Dynamic Binary Instrumentation),
91, 502
DynamoRIO, 502
Pin, 502
, , 503
, 503
, 91
DebugActiveProcess(), , 338
DEBUG_EVENT, , 340
DebugSetProcessKillOnExit(), ,
338
DELETE, , 146
DevInspect, , 514
Dfuz, 373
, 373
, , 374
, , 376
, , 375
, 376
, 374
DHTML ( HTML), 48
Distributed COM (DCOM), 304
DOM (Document Object Model), 305
DOM-Hanoi, 65
DoS (Denial-of-service)
$, 299
$, 153
DownloadFile(), , 318
Dynamic Data Exchange (DDE), 304
DynamoRIO, , 502
E
Enterprise Resource Planning (ERP), 139
ERP (Enterprise Resource Planning), 139
Ethereal, , 351
Excel, , eBay, 219
Execute(), , 318
eXternal Data Representation (XDR), 249
F
File Transfer Protocol (FTP), 72, 377
FileAttributes, (Flash), 392
FileFuzz, 62
ASCII, , 221
, , 223
, 219
, 240
, 220
, 221
, 222
, 89
, 236
, 229
, 230
, 231
, , 230
, 233
, 229
, 230
528
, 229
, , 229
, 217
, 240
find, , 115
Flash, 298
flatten(), , 396
FTP (File Transfer Protocol), 379
func_resolve(), , 350
fuzz_client.exe, 350
fuzz_server.exe, 350
OllyDbg, 352
WS2_32.recv(),
, 352
, 362
, 355
, 352
, 361
, 352
fuzz_trend_server_protect_5168.py, 431
G
GDB (GNU Debugger), 42, 118
GDI+ , ,
236
GET, , 145
GetCurrentProcessId(), , 335
getenv, , 118119
getopt, , 125
GetThreadContext(),
, 344
GetURL(), , 318
Gizmo Project, , 471
SIP
, 475
, 472
, 476
, , 476
, 478
, 479
, 471
, 472
, , 476
GNU Debugger (GDB), 42, 118
GPF (General Purpose Fuzzer), 384
H
Hamachi, 48, 65
handler_bp(), , 350
HEAD, , 145
Hewlett-Packard Mercury LoadRunner,
, 282
Holodeck, 523
Host, , 144
HTML (Hypertext Markup Language)
, 168
, , 290
HTTP (Hypertext Transfer Protocol)
, , 167
, 156
, 154
, 149
I
IAcroAXDocShim, , 314
IBM
AIX 5.3, , 131
ICMP, , 446
IDA (Interactive Disassembler), 41
IDA Pro (DataRescue Interactive Disassembler Pro), 455
IDE (
), 513
iFUZZ, 61
getopt, , 126
argv, 125
getenv,
, 126
/
,
125
, 132
, 127
Fork, Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace, 129
, 131
, 124
, 130
IID (ID ), 305
Inspector, 43
INT3, , , 341
IObjectSafety, , 311
Ipswitch
I$Mail
, 437
Imail
529
Web Calendaring,
, 179
Whatsup Professional,
SQL, 182
Whatsup Professional SQL Injection
attack, 139
J
Java, 137
JavaScript, 137
K
kill bitting, 312
L
libdasm, , 97
libdisasm, , 97
Libnet, , 98
LibPCAP, , 98
LogiScan, 43
M
Macbook, , 247
Macromedia Flash, 298
mangleme, 65
Matasano Protocol Debugger, 440
MATRIX, , 397
Metro Packet Library, 98
Microsoft
NDIS, , 274
SAMBA, 437
Windows
Live/Office Live, 135
, 321
, 509
(MSRPC), 63
, 31
WMF, 218
, 38
, 243
MLI (mutation loop insertion), 327, 333
MMalloc(), , 103
MSRPC (
), 63
Mu Security, 49
Mu-4000, 521
Multiple Vendor Cacti Remote File Inclusion Vulnerability, $, 139
mutation loop insertion (MLI), 333
N
NDIS, , 274
Netcat, 72
Network News Transfer Protocol (NNTP),
462
NMAP (NetMail Networked Messaging
Application Protocol), 255
SPIKE NMAP, ,
263
, 255
NNTP (Network News Transfer Protocol),
462
notSPIKEfile, 62
UNIX, 207
, 203
forking off/
, 205
UNIX, 208
, 201
, ,
211
$, 208
, 201
, 202
RealPix, 212
, 214
NW (Needleman-Wunsch), ,
445
O
OASIS (
), 77
ODF (OpenDocument format), 77
Office Live, 135
530
OllyDbg, 352
WS2_32.recv(), ,
352
, 354
, 354
, 355
, 355
OnReadComplete(), , 174
open XML, , 78
OpenDocument format (ODF), 77
OpenSSH,
, 246
OPTIONS, , 146
OSCAR (
), 73
Outlook Express NTTP,
, 463
OWASP (WebScarab), 64
P
PAGE_EXECUTE, , 322
PAGE_EXECUTE_READ, , 322
PAGE_EXECUTE_READWRITE,
, 322
PAGE_NOACCESS, , 322
PAGE_READONLY, , 322
PAGE_READWRITE, , 322
PaiMei, 464
PIDA, , 465
PaiMei,
ActiveX, 318
PaiMei,
, 464
, , 494
, , 497
crash binning, 498
SWF, 402
PAIMEIfilefuzz, 62
PAM (Percent Accepted Mutation), 446
parse(), , 325
Pattern Fuzz (PF), 385
PDB (Protocol Debugger), 440
PDML2AD, 389
Peach, , 381
, 381
, 382
, 383
, 381
, 382
, 382
Percent Accepted Mutation (PAM), 446
PF (Pattern Fuzz), 385
PHP (Hypertext Preprocessor), 136
phpBB Group phpBB Arbitrary File Disclosure Vulnerability, $, 138
PI (Protocol Informatics), 445
PIDA, , 465
Pin DBI, , 502
PNG, , 218
POST, , 151
printf(), , 266
process_restore(), , 361
process_snapshot(), , 359
ProgID ( ),
305
Protocol Debugger (PDB), 440
Protocol Informatics (PI), 445
ProtoFuzz
NDIS, , 274
, 270
,
, 275
, 272
, , 275
, 269
, 272
, 284
, 281
, 270
, 276
, 279
, 281
, 278
, 277
/,
281
, 274
, 275
PROTOS, 47, 519
ProtoVer Professional, 521
ProxyFuzzer, 439
PStalker
Gizmo Project,
SIP, , 475
SIP$, , 472
, 476
, , 476
, 478
531
, 479
, 471
, 472
, , 476
, 468
, 468
, 467
, 469
, 469
ptrace, , 122
PTRACE_TRACEME, , 206
PureFuzz, 384
PUT, , 145
PyDbg, , 348
, 356
Python
ctypes, , 335
PaiMei, , 464
PIDA, , 465
,
494
, 464
, 497
crash binning, 498
SWF, 402
Protocol Informatics (PI), 445
PyDbg, , 348
, , 460
, 356
COM, 307
, 99
PythonWin COM, , 307
PythonWin,
, 307
R
randomize(), , 396
Rational Purify, 504
RATS (Rough Auditing Tool for Security),
33
RCE (reverse code engineering),
, 43
, 40
ReadProcessMemory(), , 336
RealPlayer
, ,
212
RealPix, 212
RealServer ../ DESCRIBE, ,
246
ReceivePacket(), , 278
record_crash(), , 498
RECT, , 396
Reduced Instruction Set Computer
(RISC), , 454
RFCs ( ), 77
RGB, , 396
RISC (Reduced Instruction Set Computer), , 454
S
SAMBA, 437
SAP Web Application Server sap-exiturl
Header HTTP Response Splitting, $
, 139
s_block_end(), , 261, 410
s_block_start(), , 261, 410
s_checksum(), , 414
SDL (Security Development Lifecycle),
508
SDLC
, 91
SDLC (Software Development Lifecycle)
Microsoft SDL, 508
, 508
, 510
, 512
, 510
, 511
, 512
SDLC (software development lifecycle), 91
SecurityReview, 43
SEH (Structured Exception Handler), 497
self.push(), , 416
set_callback(), , 350
setgid, , 115
setMaxSize(), , 373
setMode(), , 373
SetThreadContext(), , 344
setuid
, 115
, 60
Sharefuzz, 61
532
Sidewinder (), 452
SIGABRT, , 207
SIGALRM, , 208
SIGBUS, , 207
SIGCHLD, , 208
SIGFPE, , 208
SIGILL, , 207
SIGKILL, , 208
SIGSEGV, , 207
SIGSYS, , 207
SIGTERM, , 208
Simple Web Server,
, 180
SIP
, 475
, 472
SIPPhoneAPI, , 475
smart(), , 396
SPI Dynamics Free Bank,
, 184
SPI Fuzzer, 64, 161
SPIKE, 48, 63, 378
Proxy, 160
, 261
,
, 262
, 381
, 263
TCP, 259
, 378
FTP, 379
UNIX, 254
SPIKE NMAP,
, 263
, 255
, 259
SPIKEfile
UNIX, 207
, 202
, 203
, 203
forking off/
, 205
UNIX, 208
, 201
, ,
211
$, 208
, 201
, 214
s_repeat(), , 414
SRM (snapshot restoration mutation),
328, 333
sscanf(), , 444
SSH ( ), , 87
s_sizer(), , 413
strcpy(), , 32
Structured Exception Handler (SEH), 497
'su', , , 114
Sulley, , 403
RPC, ,
, 427
, 431
, 431
, 428
, 429
, 410
, 410
, 412
, 411
, 403
$, 403
, 431
, 409
, 428
, 417
, 419
$, 422
, 419
, 417
, 429
, 419
, 408
, 404
, 406
, 422
, , 431
, 413
, 414
, 415
, 414
, 413
, 407
, 415
SuperGPF, 384
SW (Smith-Waterman),
, 445
SWF (Shockwave Flash), 390
533
bit_field, , 395
dependent_bit_field, , 397
MATRIX, , 397
RECT/RGB, , 396
SWF$, , 391
, 401
, 391
, 391
, 403
,
400
, 402
, 400
, 391
syslog(), , 490
T
taboo(), , 488
TCP/IP, , 248
TcpClient, , 171
Thread32First(),
, 345
to_binary(), , 396
to_decimal(), , 396
TRACE, , 146
Trend Micro Control Manager,
, 178
Trustworthy Computing Security Development Lifecycle document (Microsoft), 38
TXT2AD, 389
type, length, value (TLV),
, 368
U
UNIX
,
207208
, 255
, 117
unmarshal(), , 325
UPGMA (Unweighted Pairwise Mean by
Arithmetic Averages), , 446
URL, , 299
User-Agent, , 144
V
Valgrind, 504
VARIANT, , 313
VirtualQueryEx(), , 346
VML ( ), 291
W
WebFuzz
, , 180
, 187
HTML, , 168
HTTP, , 167
TcpClient, , 171
XSS$, , 184
, 172
, 168
,
, 169
, 163
SQL, , 182
,
170
, 165
, 164
, 169
, 170
, 176
, 175
, 169
, 187
, ,
170
WebScarab, 64, 152, 161
WinDbg, 42
Windows
Explorer, ,
225, 228
Live, 135
WMF, , 218
, 321
,
337
, ,
228
, 216
, 228
winnuke, 248
WinPcap, , 275
WinRAR, 193
WinZip
534
MIME, 189
WinZip,
FileView ActiveX Control Unsafe
Method Exposure, 317
Wireshark, 97
$, 351
, 256
WMF, , 218
WordPress Cookie cache_lastpostdate Variable Arbitrary PHP Code Execution, $, 139
Wotsit, $, 438
write_process_memory(), , 361
WriteProcessMemory(), , 336
WS2_32.recv(), , 352
X
XDR (eXternal Data Representation), 249
xmlComposeString(), , 425
XML$, , 291
XSS (Cross-site scripting), 153, 184
, 33
, 30
, 368
, 494
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 95
, 96
, 95
, 445
, 448
, 439
, 59
, 251
, 491
, 489
, ,
301
(), 448
CFG ,
450
CFG
, 450
CFG
, 449
Sidewinder, 452
, 449
, 448
, 449
, 446
, 445
,
, 445
, ,
444
ProtoFuzz, , 270
(BVA), 45
, 341
, 112
, , 189
(WebFuzz), 172
, , 223
(), 154
/ , 456
, 456
, 459
cc_hits, 469
cc_tags, 469
, , 445
(SSH), 87
Microsoft, 509
, , 300
, 514
libdasm, 97
libdisasm, 97
Libnet, 98
LibPCAP, 98
Metro Packet Library, 98
535
PyDbg, 459
SIPPhoneAPI, 475
WinPcap, 275
, 97
, 275
, 120
, 109
, 108
, 108
, 104
, 105
, 107
, 101
, 43
, 40
, 444
, 403
Sulley, , 410
, 410
, 412
, 411
, 413
/ , 456
, 456
, 459
, 81
, 261
, 378
, 81
, 413
, 414
, 415
, 414
, 413
ActiveX, , 307
, 316
, 309
, 317
, ,
, 312
, 316
, 64
, 289
CSS, 293
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 48
, 286
, 288, 294, 299
, 286
, 301
, 287
, 295
, 288
, 299
$, 299
(MLI), 327
, 51
$ , 64
ActiveX, 307
, 316
,
309
, 317
, ,
, 312
, 316
, 289
CSS, 293
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 48
, 286
, 288, 294, 299
, 295
, 299
, 286
536
, 301
, 287
, 295
, 288
, 299
$ , 139
$ (Sulley), 422
$, , 138
$ , 64
$ , 160
beSTORM, 161, 517
Codenomicon, 161
HTML, , 168
HTTP, , 167
SPI Fuzzer, 161
SPIKE Proxy, 160
WebScarab, 161
XSS$, , 184
cookies, 150
, 141
, 149
, 151
, 145
, 149
POST, 151
, 147
, 139
, ,
169
, 163
SQL, , 182
, 134
, 156
, 170
Ipswitch Imail Web Calendaring,
179
Trend Micro Control Manager, 178
, 138
, 165
, 164
, 154, 180
, 169
TcpClient, , 171
, 172
, 170
, 176
, 175
, ,
170
, 169
, 169
, 187
, 136
, 153, 168
$
CodeSpy, 33
Flawfinder, 33
ITS4, 33
Jlint, 33
Splint, 33
Wotsit, 438
RATS download, 33
AWStats Remote Command Execution
Vulnerability, 139
IpSwitch WhatsUp Professional 2005
(SP1) SQL Injection, 139
Microsoft Outlook Web Access Cross-Site Scripting, 138
Multiple Vendor Cacti Remote File Inclusion, 139
phpBB Group phpBB Arbitrary File
Disclosure, 138
SAP Web Application Server sap-exiturl Header HTTP Response Splitting, 139
Sulley, , 403
Tikiwiki tiki-user_preferences Command Injection, 138
Wireshark, 351
WordPress Cookie cache_lastpostdate Variable Arbitrary PHP Code Execution, 139
OpenSSH, 246
RealServer ../ DESCRIBE, 246
RPC DCOM, 246
MIME WinZip, 189
, , 138
, 140
, 508
, 510
, 512
, 510
, 511
537
, 512
, 496
, 66
,
66
,
, 66
, 84
, 96
, 39
, ,
346
, 344
,
, 346
fuzz_server.exe, 352
OllyDbg, 355
(RCE), 40
$
cookies, 150
, 141
POST, 151
, 149
, 151
, 145
, 149
, 147
, 193
$
CSS, 294
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 275
, 348
$,
141
cookies, 150
POST, 151
, 149
, 145
, 149
(URI), 147
, 71
, 493
(), 450
, 95
( ), 448
CFG
, 450
, 450
, 449
Sidewinder, 452
, 449
, 448
, 449
, 381
, 370
SWF, , 401
, 518
CCR, , 100
, 109
, 108
, 108
, 104
, 105
, 107
, 101
, 524
(PHP),
136
, 86
Sulley,
, 424
SMTP$, 417
, 455
, , 61
Peach, , 382
, 410
538
ProtoFuzz, , 279
, 270
ProtoFuzz, , 276
, 270
, 381
, 370
SWF, , 401
CCR, , 100
, 109
, 108
, 104
, 105
, 107
, 101
PStalker, 468
, 468
PStalker, 467
Dfuz, 373
, , 247
, 108
apKeywords(), 371
Sulley, , 403
, 409
, 109
, 108
, 108
, 335
, 105
, 409
, 103
, 104, 408
, 107
, 413
, 101
, 407
, 415
, 469
POST,
$, 151
(FileFuzz), 220
, 73
, 40
adbg, 388
DBI
DynamoRIO, 502
Pin, 502
, 503
GDB, 42
OllyDbg, 42, 352
WS2_32.recv(),
, 352
, 354
, 355
, 355
WinDbg, 42
,
493
DBI, 502
PaiMei$ crash binning, 495
, 494
, , 494
, 488
, , 497
$ , 301
, 198
, 252
$, 157
$, 456
, 40
, 40
, 455
, 443
, 84
, 53
, 357
, 35
, 44
, 39
, 139
$, 157
(), 412
539
Accept, 143
Accept-Encoding, 143
Accept-Language, 143
Connection, 144
Cookie, 144
Host, 144
SWF$, , 391
User-Agent, 144
$,
149
HTTP, 144
,
, 503
, 492
, , 48
, 491
, , 336
GetTypeInfoCount(), 313
LoadTypeLib(), 313
(CCR), , 100
ap.getPayload(), 373
av_handler(), 495
bp_set(), 350
ContinueDebugEvent(), 340
DebugActiveProcess(), 338
DebugSetProcessKillOnExit(), 338
flatten(), 396
func_resolve(), 350
GetFuncDesc(), 314
GetNames(), 314
GetThreadContext(), 344
handler_bp(), 350
HTTP, 167
MMalloc(), 103
parse(), 325
process_restore(), 361
process_snapshot(), 359
randomize(), 396
record_crash(), 498
s_checksum(), 414
self.push(), 416
set_callback(), 350
setMaxSize(), 373
setMode(), 373
SetThreadContext(), 344
smart(), 396
s_repeat(), 414
sscanf(), 444
s_sizer(), 413
strcpy(), 32
syslog(), 490
Thread32First(), 345
to_binary(), 396
to_decimal(), 396
unmarshal(), 325
VirtualQueryEx(), 346
WebFuzz, 175, 177
write_process_memory(), 361
xmlComposeString, 425
, 169
$, 163, 165
(RFC), 77
, 57
, , 49, 65
(), 493
, , 48, 65
$, 208
, 442
Sulley, 404
Microsoft, 31
, . , 459
.
Autodafé, 387
beSTORM, 161, 517
BinAudit, 43
BoundsChecker, 504
BreakingPoint, 518
BugScam, 43
clfuzz, 61
Codenomicon, 519
, 47
HTTP, 64
COM Raider, 65
COMRaider, 49, 292
Convert, 385
crash binning, 498
crashbin_explorer.py, 423
CSSDIE, 293
DevInspect, 514
540
Dfuz, 373
fuzz_trend_server_protect_5168.
py, 429
GPF, 384
PDML2AD, 389
TXT2AD, 389
, 373
, , 374
, , 375
, 376
, 374
, 376
DOM$Hanoi, 65
FileFuzz, 62
ASCII, , 221
, , 223
, 219
, 240
, 220
, 221
, 222
, 236
, 229
, 217
, 240
Hamachi, 65
Holodeck, 523
iFUZZ
getopt, , 126
, 125
,
132
, 127
Fork,
Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace,
129
, 131
, 124
, 130
iFuzz, 61
Inspector, 43
LogiScan, 43
mangleme, 65
Mu-4000, 521
Netcat, 72
notSPIKEfile, 62
forking off/
, 205
UNIX, 207
, 203
UNIX,
208
, 201
,
, 211
$, 208
, 201
, 202
RealPix, 212
, 214
PAIMEIfilefuzz, 62
Pattern Fuzz, 384
Peach, 63, 381
, 381
, 382
, 383
,
381
, 382
, 382
ProtoFuzz
NDIS, , 274
, 270, 279
,
, 275
, 272
, , 269
, 272, 281
, 278
, 284
, 281
, 270
, 277
, 274
/,
281
, 275
PROTOS, 472, 519
ProtoVer Professional, 521
ProxyFuzzer, 439
PStalker, 473
Gizmo Project, , 471
, 468
, 468
, 467
, 466
, 469
, 469
ptrace(), 98
PureFuzz, 384
SecurityReview, 43
Sharefuzz, 61
Sidewinder, 452
SPI Fuzzer, 64
SPIKE, 63, 378
Proxy, 160
,
, 261
, 380
, 263
TC, 259
, 378
FTP, 379
UNIX, 254
, 262
, 259
SPIKE Proxy, 160
SPIKEfile
forking off/
, 205
UNIX, 207
, 203
UNIX,
208
, 201
, 202
,
, 211
, 203
$, 208
, 201
, 214
Sulley, , 403
RPC, ,
, 427
, 409
$, 403
, 431
, 409
, 428
, 408
541
, 404
, 406
, 422
, , 431
, 413
, 407
, 415
SuperGPF, 384
WebFuzz
HTML, , 168
HTTP, , 167
TcpClient, , 171
XSS$, , 184
, 172
, 168
,
, 169
, 163
SQL
, 182
,
170
, 178
, 165
, 164
, ,
180
, 169
, 170
, 175
, 187
, 169
, 169
, 187
, ,
170
WebScarab, 64, 152, 161
, 33
Python, 99
542
, 458
, 482
(IDE), 513
, 39
,
, 500
, ,
487
, 487
, 250
, 192
IObjectSafety, 311
PIDA, 465
ID (IID), 305
COM, 304
IAcroAXDocShim, 314
SQL
, 182
, 155
$, 156, 170
, 340
, 52
, 202, 222
, 203
,
500
, . , 454
, 52
, 514
COM, 304
SAMBA, 437
, 47
ActiveX, 49
Codenomicon, 47
PROTOS, 47
SPIKE, 48
, , 47
, 49
, 48
, 30
, 32
(CSS)
CSSDIE, 48
apKeywords(), 371
bit_field, 395
PyDbg, 348, 357
TcpClient, 171
, 242, 294, 299
Ethereal, 351
, 351
Peach, 381
, 371
(), 411
, 198
, 60
break, 119
commands, 119
CREA, 266
, , 300
, 109
, 516
beSTORM, 517
BreakingPoint, 518
Codenomicon, 64, 519
, 47
Holodeck, 523
Mu-4000, 521
ProtoVer Professional, 521
( ), 456
,
(SPIKE), 263
,
, 262
, 514
, , 487
, 414
, , 198
, 485
$, 139
, , 415
,
, 252
, , 196
, 60
getenv, , 118
iFUZZ
getenv,
, 126
getopt, , 126
, 125
,
132
, 127
Fork,
Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace,
129
, 131
, 124
, 130
, 60, 112
ptrace, 122
, 117
, 121
, 115
, 61, 112
GDB, 118
, 120
, 114
, 122
, 62
, 48
,
, 300
(XSS), 153, 184
, , 48
, , 424
, 198
ActiveX, 312
BeginRead(), 174
BeginWrite(), 174
btnRequest_Click(), 175
CONNECT, 146
CreateFile(), 318
CreateProcess(), 318
DELETE, 146
543
DownloadFile(), 318
Execute(), 318
forking off
, 205
GET, 145
GetURL(), 318
HEAD, 145
HTTP, 154
OnReadComplete(), 174
OPTIONS, 146
POST, 145
ptrace, 122
PUT, 145
TRACE, 146
, 59
, 30
, 30
, 43
, 40
, 35
, 32
$ , 288
, 289
, 288
($),
141
, 59
,
57
, 58
, 327
, 334
, 329
, 328
, 334
, 40
, 44
,
59
, 57
SWF, 402
, 249
, 249
544
, 251
, 249
, 250
, 250
, 190
, 193
, 191
, 192
, 35
, 39
(beSTORM), 161, 517
, 36
, 38
, 370
, , , 47
(iFUZZ), 125
, 55
, 251
ctypes, 335
iFUZZ, 125
(SRM), 328
,
493
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 52
, 139
ActiveX, 316
, . ., 49, 65
, 46, 249
( ), 456
$ , 105
HTTP,
154
(NX)
, 489
, 60
, , 445
, 202
, 273
DBI, 503
$, 301
, , 488
, 424
, 491
,
, 500
, ,
487
, ,
487
, 485
, 487
, 330
, 252
, 273
,
, 488
, 370
, 489
, 197
, , 249
fuzz_server.exe, 352
, ,
346
, 334
,
, 346
, 344
, 352
, 357
, 359
, 419
Ipswitch Imail Web Calendaring, 179
Trend Micro Control Manager, 178
, 179
, 108
setuid, , 60
Sulley, , 419
UNIX, 255
, 115
,
493
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 326
, 513
, 459
, 245
$
, 138
, 138
, 245
, 245
, 247
, 249
, 249
, 248
, 248
, 248
, 189
PStalker, 469
, 91
, 53
, 53
,
55
, 54
, 54
, 66
(iFUZZ), 125
, 65
WS2_32.recv(), ,
352
OllyDbg, 352
, 352
PyDbg, 356
, , 351
, , 352
, 66
, 329
, 66
, 327
, 334
, 328
, 334
, 333
, 320
, ,
348
, 330
/ ,
344
, 326
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
,
342
, 65
fuzz_client, , 362
fuzz_server, , 362
fuzz_server, , 359
, 360
, , 351
, 355
, 357
, 359
,
361
/
, ,
346
, , 346
, 65
, 329
, 66
, 352
, 352
, , 348
, , 335
, 65
,
, 252
, 89
$, 90
DBI, 91
(OASIS), 77
, 263
TCP, 259
, ,
169
, 169
, 194
(OSCAR), 73
, 77
(Windows), 337
, 349
, 198
, , 339
, , 340
, 205
, 89
, 203
, 35
, 44
, 39
, 273
,
DBI, 488
, 424
,
, 500
, , 487
, , 424
, 330
, 252
, 273
$, 301
, , 488
, 491
, ,
487
, 485
, 487
, 489
,
, 488
, 370
, , 89
$, 90
, 89
DBI, 91
, 275
, 269
, 322
Windows, 321
,
, ,
336
, 334
, 334
,
, 348
, , 348
. /
, 336
/
, 344
, 341
, , 348
, , 335
, 327
, 329
,
325
, 328
, 320
, 330
, 326
, 319
, 329
, 491
, ,
487
, 489
, 54
, 361
, , 346
, , 370
, 80
, 335
, 72
, 70
, 374
, 272
, 61
, 118
getenv, , 118
GDB, 118
, 120
, 276
$, 164
, 112
GDB, 118
, 120
getenv, 119
GDB, 118
, 120
getenv, 119
(), 264
($), 180
,
, 196
Novell NetMail IMAPD, 103
, 150
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
, 342
, 89
, , 89
, , 62
, 154
, 120
ActiveX, 309
GDB, 118
, 120
getenv, 119
, 105
, 70
, 77
, 46
, forking off
, 205
, 444
, 346
, , 376
, 424
, 424
, ,
249
, 382
'su', , 114
setuid, 60
(ASP), 135
$, 64
, 139
, 134
, 156
, 138
,
151
, 150
, 136
, 153
, 114
ECMAScript, 294
FileFuzz, 229
iFUZZ, 130
ProtoFuzz, 275
, 99
SPIKEfile notSPIKEfile, 214
, 368
, 341
, 487
, 491
, ,
487
, 489
Antiparser, 371
CreateProcess(), 338
Windows, 337
$, 439
, 485
,
, 196
, 63
AIM (AOL Instant Messenger)
, , 48
, 340
AIM, 73
, 74
,
75
FTP, 72
HTTP, 149
ICMP, 445
NMAP, 255
SPIKE NMAP,
, 263
, 255
NNTP, 462
SIP
, 475
, 472
, 444
, 448
, 439
$,
149
, 73
, 274
, 442
, 69
, 368
, 68
, 68
, 77
, 72
, 70
, 77
, 63
, 76
, 270
, 274
, 249
, 251
,
, 247
,
, 249
, 245
, 243
, 272
, , 251, 273
, 272
,
, 249
, 270
, 269
,
, 248
, ,
248
, 243
,
, 248
, 63
, 63
, 63
TLV, 368
, 438
, 58
, 59
, 436
, 81
, 81
, 80
, 81
Dfuz, 376
, 197
$, 157
, 459
, 86
, 208
, , 421
/
, ,
346
,
, 346
, 344
, 336
, 336
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
,
342
, , 348
, forking off
, 205
, 86
, 370
, 52
FileFuzz, 229
, 230
, 231
, , 230
, 233
, 229
, 230
, 229
, , 229
iFUZZ, 126
, 458
, 459
, 459
,
459
, 462
, , 462
DBI, 503
,
524
ActiveX, 307
, 316
,
309
, 317
, ,
, 312
, 316
forking off/
, 205
UNIX, 207
, 203
, 202
UNIX,
208
, 203
, 513
, 103
, 49
, , 65
(PaiMei), 464
, , 414
, 91
, , 62
, 36
(ActiveX), 312
Microsoft, , 243
, 351
, , 352
, , 246
,
, 246
Sulley,
, ,
419
, 429
Sulley, , 417
, 419
, 419
, 413
, ,
420
, 417
, , 248
, 277
, 242
, 139, 420
, 245
, 245
, 247
, 249
, 249
, 248
, 248
, 248
, 245
, 242
UNIX, 254
SPIKE NMAP,
, 263
, 255
, 243
, , 247
, 63
, 249
, 273
, 243
, , 251
, 63
, , 274
, 63
, 269
SIGSEGV, 55
UNIX, 207
, 122
, 55
, 108
, 455
, 35
, 44
, 66
, 67
, 63
, , 386
, 406
,
, 445
, 157
, 243
$, 156
, 86
, , 197
,
341
, 346
,
198
, 346
, 438
, 32
, 406
NMAP, , 264
, 496
, , 488
, 438
Sulley, , 408
, 104
, 400
, 107
, 107
, 196
RealPix
RealPlayer, 212
, 488
, 54
,
HTML, 290
XML, 291
SLDC, 512
, 30
, 35
, 32
, 30
, 40
, 40
, 44
, 35
, 36
, 39
, 38
RCE, 40
, 36
, 58
, 57
, 348
WS2_32.dll recv(), 352
ws2_32.dll, recv(), 350
, 341
, 350, 359
, 341
, 62
$, 64
$, 64
, 63
, 524
,
524
,
($),
147
, 247 249
FileFuzz
, 230
, 231
, , 230
, 233
, 230
ProtoFuzz, 276, 281
, 279
, 281
, 278
, 277
/,
281
WebFuzz
TcpClient, , 171
, 172
, 176
, 175
, 53
SPI Dynamics Free Bank,
, 184
TCP/IP, 248
winnuke$, 248
WinZip FileView, 317
WMF, 218
, 155
$, 139
$, 138
$, 153
, 138
, 138
, 300
, 301
, 242, 299
, 294
, 109
, 300
, 246
, 247
, 249
, 108
,
300
, 299
, 487
, 491
, ,
487
, 489
, 154, 299
, 249
, 246
, 248
, 245
, 139
, 248
NMAP, , 264
,
NMAP, , 264
XML, 291
, 248
, 247 249
, 301
RealPix
RealPlayer, 212
, 107
Windows, 218
, 196
, 194
, 196
, 194
, 189
, 196
, 197
, 196
ActiveX, 292
(SLDC), 512
(GPF), 384
, 62
FileFuzz
ASCII, , 221
, , 223
, 219
, 220
, 231
, 222
, 217
notSPIKEfile
, 201
,
, 211
, 201
RealPix, 212
, 214
ODF, 77
Open XML, 78
SPIKEfile
, 201
,
, 211
, 201
, 214
Windows, 218
, 240
UNIX, 207
forking off/
, 205
, 190
, 193
, 191
, 192
UNIX, 208
, 197
, 224
Windows Explorer, 225
Windows, 228
, 236
$, 208
, 229
, 230
, 231
, , 230
, 203
, 202, 233
, 229
, 230
, 229
, , 229
, 196
, 194
, 194
, 196
, 189
, 196
, 197
, 196
, 240
Codenomicon, 47
SPIKE, 48
, , 47
PROTOS,
47
, 49
, 48
, 39
, 53
, 53
,
55
, 54
, 54
, 51
$
, 48
, 250
, 191
, 486
, , 493
,
52
, 52
, 51
, 52
, 51
,
51
SWF, 391
bit_field, , 395
dependent_bit_field, , 397
MATRIX, , 397
RECT/RGB, , 396
SWF$, , 391
, 401
, 391
, 403
,
400
, 402
, 400
, 391
, 392
, 398
, 117
, 376
, 49
, , 462
, 301
,
RealPix RealPlayer, 212
, ,
107, 127
, 107
, 488
, 196
, 66
Antiparser, 371
,
370
Autodafej, 387
CRC, , 369
Dfuz, 373
, 373
, , 374
, , 376
, , 375
, 376
, 374
GPF, 384
PaiMei
SWF$, 391
, , 494
,
, 497
crash binning, 495
Peach, 381
, 381
, 382
, 383
,
381
, 382
, 382
SPIKE, 378
, 380
, 378
FTP, 379
Sulley, 403
, 409
, 403
$, 403
, , 428
, 409
, 417, 429
, , 431
, 408
, 404
, 406
, 422
, , 431
, 407
, 415
,
368
,
66
, 66
, 67
,
370
, 370
, 368
, 368
, 370
, 66
, 370
, 368
, 67
, 370
, 368
BindAdapter(), 278
byref(), 336
CreateProcess(), 36, 221
create_string_buffer(), 336
Dfuz, 374
GetCurrentProcessId(), 335
getenv, 118
printf(), 266
ReadProcessMemory(), 336
ReceivePacket(), 278
s_block_end(), 261, 410
s_block_start(), 261, 410
taboo(), 488
WriteProcessMemory(), 336
,
, 295
, , 331
(), 469
, 101
Sulley, , 407
, , 194
, 51
, 339
(CRC),
, 369
(Microsoft), 243
, 489
, , 336
/
, 281
, 370
, 100
ActiveX, 316
, 109
, 108
, 108
, 104
, 105
, 439
, 441
, 443
, 442
$, 439
, 107
, 101
, , 49
, , 63
ActiveX
, 49
, 169
(VML), 291
ECMAScript, 294
FileFuzz, 229
iFUZZ, 130
ProtoFuzz, 275
, 99
SPIKEfile notSPIKEfile, 214
, 335
, 368
Books.Ru
ISBN 9785932861479, Fuzzing:
Books.Ru .
,
. ,
(piracy@symbol.ru),
.