Fuzzing Issledovanie Uyazvimostei Metodom Gruboi Sily

SPI Dynamics : ,
,
-.
, ,
.
. ,
.
. ,
. , .
. , , ,
.
,

, .
, ,
.

TippingPoint.

: , .
PaiMei
Sulley.
:
:
:
,
:

.
. ,
,
.
-
,
. iDefense, ,
. . , ,
UNIX-.
FUZZING
www.symbol.ru
-
(812) 324-5353, (495) 945-8100
Cover_Fuzzing.indd 1
07.08.2009 11:52:32
FUZZING
Brute Force Vulnerability Discovery
Michael Sutton, Adam Greene

and Pedram Amini
FUZZING

2009
High tech
,
Fuzzing:

.

.

.
.
.
.
.
.
.
., ., .
Fuzzing: . . .
.: $, 2009. 560 ., .
ISBN: 978$5$93286$147$9
$
.
. , $
.
. $
, ,
. ,
, .
.
, , , $
.
, $

.
: ,
, , $
.
ISBN: 9785932861479
ISBN: 9780321446114 (.)
$, 2009
Authorized translation of the English edition 2007 Pearson Education Inc. This
translation is published and sold by permission of Pearson Education Inc., the owner of
all rights to publish and sell the same.
, $
. $
, , .
$. 199034, $, 16 , 7,
. (812) 324$5353, www.symbol.ru. N 000054 25.12.98.
30.07.2009. 701001/16. .
35 . . 1200 .

199034, $, 9 , 12.
.
, .
. ,
.
.

.
.

+,
,

,
.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
I. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1. . . . . . . . . . . . . . . . . . . . . . . . . . 29
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
, . . . . . . . . . . . . . . . . . . . . 38
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
. . . . . . . . . . . . . . . . . . . . . . . . . . . 43
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2. ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
. . . . . . . . . . . . . . . . . . . . . . . . 53
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
. . . . . . . . . . . . 57
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
. . . . . . . . . . . . . . . . . 58
,
. . . . . . . . . . . . . . . . . . . . . . . . 59
. . . . . . . . . 59
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5. . . . . . . . . . . . . . . . . . . . . . . . . 83
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
. . . . . . . . . . . . . . . . . . . . . 85
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
, . . . . . . . . . . . . . 89
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
II. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
6. . . . . . . . . . . . . . . . . . . . . . 95
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Ethereal/Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
libdasm libdisasm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Libnet/LibnetNT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
LibPCAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Metro Packet Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
PTrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
. . . . . . . . . . . . . . . . . . . . 100
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
7. . . . . . . . . . . . . . . . . . . . . . 111
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
GNU (GDB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
. . . . . . . . . . . . . . . . . . . . . 119
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
8. : . . . . . 124
iFUZZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
. . . . . . . . . . . . . . . . . . . . . . 132
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
10
9. . . . . . . . . . . . . . . . . . . . . . . . . 134
$? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
10. : . . . . . . . 159
$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
XSS$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
. . . . . . . . . . . . . . . . . . . . . . . . . . . 187
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
, . . . . . . . . . . . . . . . . . . . 191
, . . . . . . . . . . . . 192
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
. . . . . . . . . . . . . . 194
. . . . . . . . . . . . . . . . . . . . . . . . . . 196
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
11
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
12. : UNIX . . . . . . . . . . 200

notSPIKEfile SPIKEfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
. . . . . . . . . . . . 202

( ) . . . . . . . . . . . . . . . . . . . . 203
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
UNIX . . . . . . . . . . . . . . . . . . . . . . . . 207
UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Adobe Acrobat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
RealNetworks RealPlayer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
:
RealPix RealPlayer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
13. : Windows . . . . . . 215

Windows . . . . . . . . . . . . . . . . . . . . . . . . . 216
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
. . . . . . . . . . . . . . . . . . . . . 222
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
. . . . . . . . . . . . . . . . . . . . . . 224
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
. . . . . . . . . . . . . . . . . . . . 240
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
14. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
? . . . . . . . . . . . . . . . . . . . . . . . . . 243
12
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
2: . . . . . . . . . . . . . . . . . . . . . . . 247
3: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
4: . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
5: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
6: . . . . . . . . . . . . . . . . . . . . . . . . 249
7: . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
, . . . . . . . . . . . . . . . . 249
, . . . . . . . . . . . . . 250
. . . . . . . . 251
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
( ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
( ) . . . . . . . . . . . . . . . . . . . . . . . . . 252
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
15. : UNIX . . . . . . . 254

SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
SPIKE 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
. . . . . . . . . . . . . . . . . . . . . . . . . . . 261
SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
. . . . . . . . . . . . . . . . 262
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
SPIKE NMAP . . . . . . . . . . . . . . . . . . . 263
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
16. :
Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
13
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
17. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
$? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
18. : . . . . . . . . . . . . . . . . . . . . . . 303
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
ActiveX . . . . . . . . . . 309
, , . . . . . . . . . . . . . . . . . . . . . . . . . 312
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
19. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
: ?. . . . . . . . . . . . . . . . . . . . . 320
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
$ ? . . . . . . . . . . . . . 325
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
: . . . . . . . . . . . . . . . . 328
. . . . . . . . . . . . . . . . . . . . . 329
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
20. : . . . . . . . . . . . . . . 332
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
14
Windows . . . . . . . . . . . . . . . . . . . 337
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

? . . . . . . . . . . . . . . . . . 341

? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
? . . . . . . . 348

? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
PyDbg, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
III. . . . . . . . . . . . . . . . . . . . . . . . . . 365
21. . . . . . . . . . . . . . . . . . . . . . . . . . . 367
? . . . . . . . . . . . . . . . . . . . . . 368
. . . . . . . . . . . . . . . . . . . . . . . . . 371
Antiparser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Dfuz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Peach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Autodafej . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
: Shockwave Flash . . . . . 389
SWF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Sulley: . . . . . . . . . . . . . . . . . . . . . . . . 403
Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
22. . . . . . . . . . . . . . . . . . . . . . . . . . 436
? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
15
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
23. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
. . . . . . . . . . . . . . . . . . . . . . . . 455
CFG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
CFG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
PStalker Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
24. . . . . . . . . . . . . . . . . . . . . 484
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
. . . . . . . . . . . . . . . . . . 493
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
. . . . . . . . . . . . . . . . . . . . . . . . . . 497
: . . . . . . . . . . . . . . . 500
. . . . . . . . . . . . . . . . . . . . . . 502
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
IV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
25. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
16
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
SDLC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
26. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
beSTORM Beyond Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
BPS$1000 BreakingPoint Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Codenomicon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
GLEG ProtoVer Professional . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Mu Security Mu$4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Security Innovation Holodeck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
. . . . . . . . . . . . . . . . 524
. . . . . . . . . . . . . . . . . . . . . 524
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
$
. ,
$
,
.
,
$
. $
$
,
. $
: , , .
, , $
. $
,
,
. $
.
.
. ,
.

. ,

. $
, , .
, $
.
$
Mac OS X. . $
,
$, .
$
$
. 2003 ,
18
UDP$ $
.
Microsoft WINS.
. , $
UDP
Computer Associates, Norton Ghost $
Mac OS X.
. $
2006
,
$. 2006
ActiveX (AxMan), $
100
Microsoft.
Month of Browser Bugs ( ), $
Metasploit Framework. $
AxMan , $
. , .
.
, , ,
$
. $
,
, $
. ,
, .
!
. .
,
.
$.,
, ,
29 2000

,
. $
, Microsoft Internet Explo$
rer, Microsoft Word Microsoft Excel, 2006 , $
. $
$
.
, , , $
.
, $
, $
, ,
. $
,
. $
,
, , , .

$
. ,
,
, $
.
20
: , $
, ,
.
, $
,

. , $
: ,
. $
. $
(SDLC), .
,
, ,
. , $
$
, ,
. ,
, $
.
SDLC $
, . $
, .

. $
, , , $
. ,
$
.
, , $
.
. $
, ,
.
,
, , .
, ,
. $
.
. $
,
Exploiting Software ( )
(Greg Hoglund) (Gary McGraw),
Hacking Exposed, The Shellcoders Handbook (
21
) (Jack Koziol),
(David Litchfield) .
, , $
. ,
, $
, .
$ ,
, , $
$
.
I $
, .
, , .

, . I

,
.
II . $
$ . $
, ,
, $
.
,
Windows UNIX. , ,
, 11, $
, . 12 $
: UNIX $
UNIX, 13
: Windows
, Windows.
III . ,
, $
, , $
, I II. III $
,
, $
.
, IV , , $
.
, , ,
.
22

,
, .
, ( , ,
) , ,
. $
43$
$ (a.k.a. Dubya). ,
, ,
,
, $
! 1 $
,
, . , , $
, ,
.

. (, ,
The L Word & Fish2 DailyDave.) $
, $
. $
. , , $
.

. (fuzzy) $
. ,
, , , $
.
: www.fuzzing.org
$ fuzzing.org , $
. , ,
, , $
,
. fuzzing.org
$ , $
. $
: .
1
2
http://tinyurl.com/33l54g
http://archives.neohapsis.com/archives/dailydave/2004+q1/0023.html

,
,
. ,
$. $
,
,
, : , , $
. $
, , $
.
(Peter DeVriews) :
. . $
. $
.
, , .
, $
, $
(Charlie Miller), $
.
. . (H. D. Moore) , ,
, . $
Addison$Wesley,
: (Sheri Cain), (Kristin
Weinberger), (Romny French), (Jana Jones)
(Lori Lyons). , $
,
, $
.

.
,
24
$ $
, .
,
, .
iDefense Labs SPI Dynamics, $
. , $
, , $
GOYA, GOMOA $
, $
.

( ),
JTHS, (Mark Chegwidden),
(Louis Collucci), (Chris Burkhart),
sgo, Nadwodny, (Dave Aitel), (Jamie
Breiten), , , Kloub and AE, , $
, , .

, .
(Cody Pierce),
(Cameron Hotchkies) (Aaron
Portnoy), TippingPoint
. (Peter Silberman), $
(Jamie Butler), Xo, (Halvar
Flake) (Ero Carrera) , $
. (David End$
ler), (Ralph Schindler), (Sunil
James) (Nicolas Augello), $
, , . $
, , $
, .

(Michael Sutton) SPI
Dynamics. , $
, $
.
, ,
.
$ (WASC),
$.
SPI Dynamics iDefense/Veri$
Sign, iDefense Labs, $
,
.
(ISAAS)
Ernst & Young.
.
; , ,
. $
.

(Adam Green) $ $
, .
iDefense Labs, ,
.
, $
, UNIX$
.

(Pedram Amini) $
TippingPoint.
26
$
iDefense Labs. ,
, :
, .
( ) $
PaiMei Sulley.
, OpenRCE.org, $
$, .
RECon, BlackHat, DefCon, ShmooCon ToorCon $
,
.
.
1.
2. ?
3.
4.
5.
?
$.,
29 2000
,
, . $
? , $
. ,
$
.
:
, . $
, . $
$
. , $

. , $
$
; . $
$
.
,
, .

, , .
30
1.
$
, $
, , , $
, .
,
.
, ,
.

, ,
.

. , $

,
.

$ . ,
, ,
. $
, $
$

. , $
, .
,
.
, $
C, test
10$ :
#include <string.h>
int main (int argc, char **argv)
{
char buffer[10];
strcpy(buffer, "test");
}
, $
:
#include <string.h>

{
char buffer[10];
strcpy(buffer, argv[1]);
}
Microsoft
, $
, $
, 2004 .
, , , $
Mi$
crosoft Windows NT 4.0 Windows 2000. Microsoft $
, .
, $
$
. . $
.
, , CVE$2004$0566,
.bmp.1 $
, Microsoft , , $

.2 ? $
? $
, ,

, $
. ,
. , ,
TinyKRNL3 ReactOS4, $
Microsoft
Windows.
Microsoft, $
, $ $
Windows . Win$
dows ,
$
Windows.
1
2
3
4
http://archives.neohapsis.com/archives/fulldisclosure/2004+02/
0806.html
http://news.zdnet.com/2100+1009_22+5160566.html
http://www.tinykrnl.org/
http://www.reactos.org/
31
32
1.
strcpy(),
. strcpy()
C/C++, $
, .
, ,
, $
.
, test (
) 5, , 10$
, .
$
, .
, $
. $
strcpy() . $
, $
. ,
. $
, . $
, .
, $
, . ,
? : , ,
, , $
. $
. , $
, , ,
, . $
,
. , , $
.

$
: , $
.
(compile time checker)
. ,
$
. /analyze Microsoft Visual C++
.1 Microsoft PREfast for Drivers2,
1
2
http://msdn2.microsoft.com/en+us/library/k3a3hzw7.aspx
http://www.microsoft.com/whdc/devtools/tools/PREfast.mspx
33
$
, .
, $
.
,
$
. , , $
, strcpy(), $
. Cscope1 Linux
Cross$Reference2 .

$
. , $
, . ,
,
, $
. $
, Fortify3, Coveri$
ty4, KlocWork5, GrammaTech6 . . 1.1 $
, ,
, , .
1.1.

RATS (Rough
Auditing Tool
for Security)
C, C++,
UNIX,Win32
Perl, PHP,
Python
http://www.fortifysoftware.com/
security+resources/rats.jsp
ITS4
C, C++
UNIX,Win32
http://www.cigital.com/its4/
Splint
UNIX,Win32
http://lclint.cs.virginia.edu/
Flawfinder
C, C++
UNIX
http://www.dwheeler.com/flaw+
finder/
Jlint
Java
UNIX,Win32
http://jlint.sourceforge.net/
CodeSpy
Java
Java
http://www.owasp.org/software/
labs/codespy.htm
1
2
3
4
5
6
http://cscope.sourceforge.net/
http://lxr.linux.no/
http://www.fortifysoftware.com/
http://www.coverity.com/
http://www.klocwork.com/
http://www.grammatech.com/
34
1.
,
. $
.
. , $
, ,
, , ,
, . , , ,
Rough Auditing Tool for Security (RATS)
, . RATS
: $
strcpy(). $
.

, ,
.
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing userinput.c
userinput.c:4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that
are allocated on the stack are used safely. They are prime targets
for buffer overflow attacks.
userinput.c:5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000131 seconds
53435 lines per second
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing userinput.c
userinput.c:4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that
are allocated on the stack are used safely. They are prime targets
for buffer overflow attacks.
userinput.c:5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000794 seconds
8816 lines per second
35

, $
. ?
, . ,
, $
. ,
Microsoft Windows $
. ?
. , $
. $
. , , $
, $
.
. ,
.
:
. $
. , $
, , .
, $
.

, $
.
. . $
UNIX , $
, Win32, $
. $
$
.

, , $
. $
, , , $
, $
.
$ $.
HTML XML, $$
,
, .
:
Microsoft Office, $
36
1.
, , $
. ,
.
, $
. $
, .

, $.
$. $
$
, .
$
, $
, SQL$.
, $
, ( $
). ,
, (sweeping), $
. ,

. ,
LDAP, $
LDAP , . , $
, $
, .
CreateProcess() , $
Microsoft Windows (API). $
, CreateProcess()
.1 :
BOOL CreateProcess(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
1
http://msdn2.microsoft.com/en+us/library/ms682425.aspx
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
,
lpApplicationName NULL, ,
, $
lpCommandLine. , , Create
Process():
CreateProcess(
NULL,
"c:\program files\sub dir\program.exe",
...
);
CreateProcess() $
, :
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
, $

. , program.exe $
c:\,
CreateProcess() pro$
gram.exe. $
, .
2005 1, $
$
CreateProcess().
$
. ,
(, notepad.exe)
c:\.
. $
, , , Cre
ateProcess().
1
http://labs.idefense.com/intelligence/vulnerabilities/display.php?
id=340
37
38
1.
,
, , , $
, $
. 2 ?
. , $
,
( ), .
,
,
. $
$, . 1.1.
. 1.1. +
Microsoft?
.
2005 The Trustworthy Computing Security Deve$
lopment Lifecycle document (SDL)1 , Microsoft

. SDL
, $
, $
, $
. SDL
,
. $
, $
SDL,
.
1
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/
dnsecure/html/sdl.asp
39
, Name () $
, Age () .
,
? $
ASCII? $
? ? $
$
. $
, .
, , .
. $
, ,
,
.

, ,
. :
.
, , ,
.
. $
, , , $
, FTP$, $
FTP$.
. , (reverse
code engineering, RCE), , $

.
, $
, $
, ,
$ , , .
$
. , :
. $
, , ,
. $
23 .
. , $
, .
, , $
; $
, .
40
1.
$
,
RCE.

, $
, $
(reverse code engineer$
ing RCE). , $
$
. ,
, , $
. $
, . $
, .

.

RCE ,
RCE , $
. RCE
. $
,
$
, ,
().
$
.
,
, $
, ,
. , ,
. $
,
. , $
. $
, , .
, $
, , $
().
, . $
,
, , DataRescues Interac$
41
tive Disassembler (IDA) Pro1, . 1.2. IDA

, Win$
dows, UNIX MacOS
.
$
, .
,
$
. , $
, , , $
, $
, .
, (, C C++), $

. Boomerang.2 $
,
(, C#), $
, $
.
,
, $
. 1.2. DataRescue IDA Pro

1
2
http://www.datarescue.com
http://www.boomerang.sourceforge.net/
42
1.
. $
$
. Win32
OllyDbg1, . 1.3, Microsoft
WinDbg ( wind bag, , ).2
WinDbg Debugging Tools for Windows3,
Microsoft. OllyDbg $
,
. $
, $
OllyDbg.4 UNIX
, $
GNU Project Debugger5 (GDB). GDB $
UNIX/Linux.
. 1.3. OllyDbg
1
2
3
4
5
http://www.ollydbg.de/
http://www.openrce.org/forums/posts/4
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
http://www.openrce.org/downloads/browse/OllyDbg_Plugins
http://www.gnu.org/software/gdb/gdb.html
43

,
RCE
. , , $
, IDA Pro, $
. . 1.2 .
1.2.
LogiScan
LogicLibrary
LogicLibrary BugScan
2004 , $

Logidex SDA
BugScam Halvar Flake
BugScam $
IDC IDA Pro, $

,
$
$
.
$
BugScan
Inspector HB Gary
Inspector $
RCE,

RCE,
IDA Pro OllyDbg
Security$ Veracode
Review
VeraCode $
$
. $
$
,
Coverity.
Vera$
Code $
,
BinAudit SABRE Security
$
BinAudit . $
$$
SABRE Security
IDA Pro, $
$

, $
, $
. .
44
1.

, $
, $
RCE. ,
, . :
. $ $
, .
. , $
, $
.
:
. RCE , $
$
.
$
, . $
, .
, ,
$
. $
, , $
, $
RCE.
$
.
,
$
.
.
, , .
, $
, .
$
, RCE.

, $
. $

.
2
?
.
$.,
, ,
6 2000
,
, $
. ,
.

. $
, ,
$ , $
$.

fuzzing
$, , $
. $
$
$. $
.
(bo$
undary value analysis, BVA)1,
1
http://en.wikipedia.org/wiki/Boundary_value_analysis
46
2. ?

, $
. BVA $
, $
,
. BVA, $
, ,
.

.
$
, , $
. , , (very generic) , $
. $
: ,
, , $
, $
.
. 3
$
.
$
. ,
. ,
, , $
. , $
, $
, , $
. $
, .
, $
.
, , $
,
. ,
.
, $
$
, , $
. , ,
.
$
!
47

,
1989 . (Barton Miller) ( $
) , $
, $
UNIX.1 $
,
. $
, setuid $
. 1995 $
UNIX .
1995 ,
$ .
, ,
. , ,
, .

, . . .
, , ,
.
1999
PROTOS. PROTOS $
: ,
, ,
, .
, $
. $

, $
.
2002 Microsoft $
PROTOS2, 2003 PROTOS $
Codenomicon (Codenomicon) ,

. $ $
, , $
,
.3
Codenomicon
26 .
1
2
3
http://www.cs.wisc.edu/~bart/fuzz/
http://www.ee.oulu.fi/research/ouspg/protos/index.html
http://www.codenomicon.com/products/features.shtml
48
2. ?
PROTOS 2002
SPIKE1, $
GNU (GPL). $
2 $
. SPIKE ,
.
. SPIKE
, ,
. SPIKE
,
. Sun RPC Microsoft RPC
,
. SPIKE $

. $
, 21 $
.
, SPIKE,
UNIX, (sharefuzz). $
, , $
. ,
. $
,
( $
), , .
SPIKE
. $
(Michal Zalewski)3 ( lcamtuf) 2004
$
(mangleme)4 CGI, $
HTML,
$. $
. . . (Aviv Raff) Hamachi5
HTML (DHTML),
(Matt Murphy) (Therry Zol$
ler) CSSDIE6 $
(CSS).
1
2
3
4
5
6
http://immunityinc.com/resources+freesoftware.shtml
http://www.immunityinc.com/downloads/advantages_of_block_based_analy+
sis.html
http://lcamtuf.coredump.cx/
http://lcamtuf.coredump.cx/mangleme/mangle.cgi
http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
http://metasploit.com/users/hdm/tools/see+ess+ess+die/cssdie.html
49
2004 . Microsoft $
MS04$028, $
, JPEG.1 $
,
$ , $
Microsoft . $
,
.
, $
. $
$.
? , $
, Microsoft,
Microsoft Office,
. $

, $
.
Black Hat 2005 2 $
, ,
, File Fuzz,
SPIKEfile notSPIKEfile.3
2005 Mu Security
,
.4
$
. $
, ,
5,
(Gadi Evron). ,
.
ActiveX 2006 , $
COMRaider, . . AxMan.6 $
ActiveX, $
$
Microsoft Internet Explorer.
, $
. ActiveX, ,
1
2
3
4
5
6
http://www.microsoft.com/technet/security/bulletin/MS04+028.mspx
http://www.blackhat.com/presentations/bh+usa+05/bh+us+05+sutton.pdf
http://labs.idefense.com/software/fuzzing.php
http://www.musecurity.com/products/overview.html
http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
http://metasploit.com/users/hdm/tools/axman/
50
2. ?
,
, $
, $
. ActiveX $
17 $$
18 $: .
,
, . $
. 2.1, .
,
. $
,
$
.
.
, , $
, , $
.
$
$.
1999
2002

Black Hat

SPIKE
PROTOS
2000
2001
2002
2005
Black Hat
File
Fuzz, SPIKEfile
notSPIKEfile
2003
2005

(Codenomicon,
Mu Security . .)
2004
2005
2006
2006

ActiveX: COMRider

AxMan . .
2007
1989 1989 1999

UNIX

1989
2007
PROTOS SNMP
2002
. 2.1.

(lcamtuf)
Mangleme
2004
. . ,

Hamachi
CSSDIE
2006
51

? $
. ,
. ,
, , .

:
1. . $
. $
$
, .
,
. $
$
. , Securi$
tyFocus1 Secunia2, . $
$, ,
, , , $
, . $
,
. ,
, $
, $
$ .
2. .
, $
$
.
. $
$
. $
. $
, . $
, , ,
. . ,
.
3. . $
, . $
, ,
,
1
2
http://www.securityfocus.com/
http://secunia.com/
52
2. ?
. $
.
4. . $
. .
,
.
. $
.
5. . , $
,
. $ 10 000 $
, $
, . $
;
.
6. . $
$
, .
$
. , $
,
.
. 2.2.

; $
.
. 2.2.
53
.
, , , 100%
. $
, , , .

$
. $
. ,
.

,
, $
. , , $, $
. $
, .
. $
. $
, $
.
, $
. $
,
,
. $
. $
,
. ? , .
,
.
, , , $
$
.

$
. , , ,
Veritas Backup Exec, $
Windows, ,
.1 , ,
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269
54
2. ?
. $ $
, TCP RPC,
, $
.
.
, , , $

Microsoft (Microsoft Interface Description Language, IDL), $
$
.

RPC ,
, , $
. , $
ActiveX 18 $: $
, $
, , .
, .

,
,
, , . $
, $
. , , $
, ,
, $
. , $
, , $
, .

.
,
. ,
, $
. , , , $
, $
.
. , $
x86 Linux , %n,
:
mov %ecx,(%eax)
55
$
, %n,
, $$
.
SIGSEGV. $
SIGSEGV, $
.
.
( ) $ $
, , , $
SIGSEGV.
, ; $
, ,
? , $
, , $
.
, .
$
.

, $
.
. $
,
, $
. ,
$
,
.
, $
,
. , ,
. ,
, $
. $
, .

.
.
$.,
$, ,
6 2004
.
$
.
, . $
, $
. $
II .

, $
: , $
, +
, ,
.
.
,
, .
57

, $
(pregenerated test cases) $
PROTOS. $
, , $
$
.
, $
. $
, $
. $
,
, ,
$
.
$
, . $
, $
.

, , , $
,
. $
$
,
. $
,
while [ 1 ]; do cat /dev/urandom | nc vv target port; done
Linux$$
urandom ,
netcat. while , $
.
, ,
. $
! $
, , . $
, 500 000 ,
. , , . , $
, $
. ,
, ,
58
3.
. . 3.1 $
$
,
. ? ,
.
. , .
. 3.1. ? /dev/urandom

, , /dev/urandom.
$
. , . $
,
$
. , , , $
. ,
.
$.
59
,

, , $
$
, , $
.
, $
. , ,
. , $
, . ., ,
, .
,
, $
. , $
. , $
. $
,
, $ $
.
FileFuzz notSPIKEfile Windows Linux .

.
: $
. ,
$
, , $
.
, , ,
.
,
. $
$
, $. $
SPIKE SPIKEfile.
SPIKE $

.
, $
.
60
3.

, , ,
. $
, .
, $
. $
.
, , $
.

UNIX setuid $
. $
,
setuid
.
setuid $
: 1) $
setuid $
; 2) UNIX $
, . , $
.

$
, . ,
1 ,
:
#include <string.h>
{
char buffer[10];
strcpy(buffer, argv[1]);
}
setuid,
. , $

setuid, . ,
.
61
:
clfuzz1 warl0ck.
.
iFUZZ2 . $
. $
, $
,
(usage help messages).

setuid.
, , $
:
#include <string.h>
{
char buffer[10];
strcpy(buffer, getenv("HOME"));
}

,
, . ,

, $

. $
. $
:
Sharefuzz3 . $
. getenv $
.
iFUZZ4 . $
,
. iFUZZ , Sharefuzz,
.
setuid 7
8 $
: .
1
2
3
4
http://warl0ck.metaeye.org/cb/clfuzz.tar.gz
http://fuzzing.org
http://www.immunitysec.com/resources+freesoftware.shtml
http://fuzzing.org
62
3.

, , , $
. , $
, $
, . , $
. $
,
.
. $
, $
$.
, $
.
:
FileFuzz1 .
(GUI) Win$
dows.
notSPIKEfile SPIKEfile2 . UNIX$, $
SPIKE .
PAIMEIfilefuzz3 . FileFuzz,
Windows GUI; PaiMei. PaiMei $
.
11
, 12 :
UNIX 13 :
Windows.

, $
. ,
. $
$
, $, ,
(DNS) . .

.
1
2
3
http://fuzzing.org
http://fuzzing.org
https://www.openrce.org/downloads/details/208
63

$
: . $
.

.
, ASCII.
. $
.
FTP. FTP $
ASCII.
.

$
ASCII. $
, ; $
.

Microsoft (MSRPC): , $
, $
. . $
, . $
:
SPIKE1 . SPIKE
. $
;
API.
Peach2 (Michaei Eddington).
, Python. ,

.
14
, 15 :
UNIX 16 :
Windows.
1
2
http://peachfuzz.sourceforge.net/
64
3.

$ $
, $
. Web 2.0 ( )
, , $
.1
$ ,
, SQL, XSS . .
, HTTP
. $
$ :
WebScarab2 OWASP. $
.
SPI Fuzzer3 SPI Dynamics. HTTP
$, WebInspect.
Codenomicon HTTP Test Tools4 Codenomicon. $
HTTP.
$ 9 $
10 $ $
: .

$
, , $
$
. $ $
HTML . , $
lcamtuf mangleme, $
,
<META REFRESH>
. $
$
. $
.
$ HTML $
. , $
See$Ess$Ess$Die CSS, COM Raider
COM, Microsoft In$
1
2
3
4
http://www.google.com/a/
http://www.owasp.org/index.php/Fuzzing_with_WebScarab
http://www.spidynamics.com/products/webinspect/index.html
http://www.codenomicon.com/products/internet/http/
65
ternet Explorer. $
. $:
mangleme1 lcamtuf. HTML.
CGI,
HTML.
DOM+Hanoi2 . . . DHTML.
Hamachi3 . . . DHTML.
CSSDIE4 . . , , +
. CSS.
COM Raider5 (David Zimmer). $
COM ActiveX.
COM ActiveX 17
$ 18 $: $
. CSS $
;
, .

$ $
. $
. , $
. $

.
, . , $
. $
, $
. :
.
, ,
$
; .
. $
$
. ,
, $
, $
1
2
3
4
5
http://freshmeat.net/projects/mangleme/
http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
http://labs.idefense.com/software/fuzzing.php#more_comraider
66
3.
, , , $
.
:
. $
, ,
.
. $
, $
.
.
. 19 $
20 : ,
.

()
.
,
. $
, ,
, SPIKE Peach.
, $
, $
. $
. , $

, $
. ,
. $
. :
. $
, $
.
. $
,
,

,
.
:
. $
, , ,
67
.
.
. , $
, , ,
.
,
.
.
, $
, , $
.
.
,
,
, $
. $
, .
$
, .
,
.
, $
. ,
, ,
. $
, .
.
$.,
, ,
21 2004
$
. ,
. $
, $
.
, .
, , $
,
. ,
$
.
?
.
,
, . $
, $
. ,
, ,
, , $
. $
69
, $
( $
). , $
, : .
$, 345. $
, , , $
. $
. $
. ,
. ,
.
: ,
, , $
$
.1
;
. , $
,
,
. $
, ,
. $
.
. ,
.
.

.
. , $
, $
,
.
, $
. ,
, , $
. , $

, . $
, $

.
, $
.
1
http://en.wikipedia.org/wiki/Protocol_%28computing%29
70
4.
.
, $
. , $
GIF , $
Microsoft Excel, .
, , $
. , $
. .

,
, $
, . ,
, $
, . $
:
, .

, .
$
, . , $
, $
, CSV ( ), $
$
, , , Microsoft Excel.
XML , ,
; XML
, , $
. ,
$
(< >), $
(=).

.
, Ethernet, $ (IP), $
(TCP)
(UDP), $
, $
. , Ethernet
, MAC$ ( $
), , $
MAC$ .
$
.
71
.
$
.
, $
, . $
$
,
;
, , $
, , $
.

$
, $
,
. , $
IPv6
32 . Intel,
3.41, $
Pentium:

Pentium.
, $
, 69 Pentium
Pro Pentium II. (DCU)
, 32 .
,
DCU, Pentium Pro Pen$
tium II. $
, ,
32 , $
32 ,
$
.1
RISC$ (RISC $
), SPARC, ,

,
.
1
http://download.intel.com/design/intarch/manuals/24281601.pdf
72
4.

(plain text protocol) $
,

ASCII. , , $
, ,
(\r, 0x0D), (\n $
0x0A), (\t, 0x09)
( 0x20).
,
, .
$
, ,
, $
. (FTP) $
.
, , . FTP $
$
. , FTP $
, ,
:
C:\>nc 192.168.1.2 21
220 Microsoft FTP Service
USER Administrator
331 Password required for Administrator.
PASS password
230 User Administrator logged in.
PWD
257 "/" is current directory.
QUIT
221

Netcat1 FTP$ Microsoft. $
FTP$, Netcat
, ,
.
, , ,
, ,
, . , $
.
, ,
.
http://www.vulnwatch.org/netcat/
73

, $
, $
.
$ . $
, $
.
,
$
, , $
, $
AOL (AIM) , ,
, .
, $
.
AIM, $
, $
. AIM
.1
,
$
. AIM OSCAR (
). $
, GAIM2
Trillian3. , ,
Wireshark,
. .
, , $
.
, $
, $
, . $
Google ,
.
Wotsit.org $
$
.
,
AIM. , $
.
1
2
3
http://en.wikipedia.org/wiki/AOL_Instant_Messenger
http://gaim.sourceforge.net/
http://www.ceruleanstudios.com/
74
4.
AIM , Wireshark
.
. . 4.1 $
Wireshark $
AIM AIM. ,
.
AOL, $
. , $
AIM Signon (0x0017) $
Signon (0x0006).
. 4.1. AIM Signon:

AIM Signon, Sign$on. $
(0x0001), (fuzz$
ingiscool) (13). $
. , $
.
, $
. , $
, ($
). $
,
75
,
. $
. , , $
,
;
.
, SPIKE1, .
. 4.2,
(3740020309). AIM$
, $
. , $
,
.
. 4.2. AIM Signon:
. 4.3 ,
,
. $
, ,
,
.
76
4.
. 4.3. AIM Signon:
,
. $
(), $
AOL, 5.5.3591/WIN32.
.

FTP AIM
. ,
77
. , $
, , ,
,
. :
, . $
.
?
.
$
$
, . $
$ $
, ,
, $
. , $
, , $
$
. $
(IETF).1 IETF $

:
(RFC), $ $
, , $
. RFC $
IETF .

, , $
$
. , $
Microsoft Office. Microsoft
$
, Microsoft Office, Excel PowerPoint.
, OpenDocument (ODF)2,
OpenOffice.org
OASIS ( $
).3 OASIS , $

,
.
1
2
3
http://www.ietf.org/
http://en.wikipedia.org/wiki/OpenDocument
http://www.oasis+open.org
78
4.
OASIS Microsoft
2005 Mi$
crosoft Office, , Microsoft
Office Open XML.1 $
, ODF. Microsoft
Open XML Translator2

XML.
$
$
, OpenOffice Writer Microsoft Word 2003.
, fuz$
zing, , . $
OpenOfficeWriter OpenDocument Text
(*.odt). $
, . , $
*.zip , ,
XML, ,
$
:
Directory of C:\Temp\fuzzing.odt
07/18/2006
07/18/2006
07/18/2006
07/18/2006
07/18/2006
07/18/2006
07/18/2006
07/18/2006
07/18/2006
07/18/2006
12:07 AM <DIR>
.
12:07 AM <DIR>
..
12:07 AM <DIR>
Configurations2
04:05 AM
2,633 content.xml
12:07 AM <DIR>
METAINF
04:05 AM
1,149 meta.xml
04:05 AM
39 mimetype
04:05 AM
7,371 settings.xml
04:05 AM
8,299 styles.xml
12:07 AM <DIR>
Thumbnails
5 File(s)
19,491 bytes
5 Dir(s) 31,203,430,400 bytes free
$
. XML,
.
Content.xml , , $
, $
, ,
, $
(fuzzing):
1
2
http://www.microsoft.com/office/preview/itpro/fileoverview.mspx
http://sev.prnewswire.com/computer+electronics/20060705/
SFTH05506072006+1.html

<?xml version="1.0" encoding="UTF8"?>
<office:documentcontent
xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xslfocompatible:1.0"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0"
xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svgcompatible:1.0"
xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0"
xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0"
xmlns:math="http://www.w3.org/1998/Math/MathML
xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0"
xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
xmlns:ooo="http://openoffice.org/2004/office"
xmlns:ooow="http://openoffice.org/2004/writer"
xmlns:oooc="http://openoffice.org/2004/calc"
xmlns:dom="http://www.w3.org/2001/xmlevents"
xmlns:xforms="http://www.w3.org/2002/xforms"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchemainstance"
office:version="1.0">
<office:scripts/>
<office:fontfacedecls>
<style:fontface style:name="Tahoma1" svg:fontfamily="Tahoma"/>
<style:fontface style:name="Times New Roman"
svg:fontfamily="'Times New Roman'"
style:fontfamilygeneric="roman"
style:fontpitch="variable"/>
<style:fontface style:name="Arial"
svg:fontfamily="Arial"
style:fontfamilygeneric="swiss"
<style:fontface style:name="Lucida Sans Unicode"
svg:fontfamily="'Lucida Sans Unicode'"
style:fontfamilygeneric="system"
<style:fontface style:name="Tahoma"
svg:fontfamily="Tahoma"
style:fontfamilygeneric="system"
</office:fontfacedecls>
<office:automaticstyles/>
<office:body>
<office:text>
<office:forms form:automaticfocus="false"
form:applydesignmode="false"/>
79
80
4.
<text:sequencedecls>
<text:sequencedecl text:displayoutlinelevel="0"
text:name="Illustration"/>
text:name="Table"/>
text:name="Text"/>
text:name="Drawing"/>
</text:sequencedecls>
<text:p text:stylename="Standard">fuzzing</text:p>
</office:text>
</office:body>
</office:documentcontent>
Microsoft Word 2003, $

Word (*.doc).
, , , ,
OpenDocument (20 7 ).
, $
, , $
.
, , $
, , , $
:
00000a00h:
000024d0h:
000024e0h:
000024f0h:
00002500h:
00002560h:
00002570h:
66 75 7A 7A 69 6E 67 0D 00 00 00 00 00 00 00 00 ; fuzzing.........
66
00
61
64
75
00
65
72
7A
00
6C
61
7A
00
2C
6D
69
1E
20
00
6E
00
41
00
67
00
64
00
00
00
61
00
1E
1C
6D
1E
00
00
20
00
00
00
61
00
00
00
6E
00
04
4D
64
04
00
69
20
00
00
63
50
00
00
68
65
00
;
;
;
;
fuzzing.........
............Mich
ael, Adam and Pe
dram............
4D 69 63 72 6F 73 6F 66 74 20 4F 66 66 69 63 65 ; Microsoft Office
20 57 6F 72 64 00 00 00 40 00 00 00 00 00 00 00 ; Word...@.......

?

. $
, , $
. $
, .

$
(, =12),
.
81
Content.xml,
XML.
$
, $
, .

, $
, . $
. $
AIM AIM Signon $
(0x0001) . $
, ,
AOL. $
, , , $
, $
.

$
, , $
, $
, .
, ,
, . $
$ . , $
,
, .

, $
, .
;
,
,
$
. PNG
, . $
,
, $
,
.
82
4.

, $
,
.
, ,
,
, . $
$
, , ,
, $
, . 22

.
,
.
$.,
, ,
21 2001

.
, $
. ,
, $
. $
, .
,
, , $
, , . , II
, , $
,
. , , $
,
,
, 12
: UNIX. $
, , $
, .
84
5.

,
$
. , $
.
$
, , ,
. $
. $
POST
, $
. $
$ , $
. ? , . $
, . , $
, $ . ,
$ ,
. $
, $
.
,
. $
$
1, $
. , $
$ $
.2
: , , , $

.
.
.
, , , $
, $
. , $
.
http://www.outsourceworld.org/, http://money.cnn.com/2003/09/17/news/
economy/outsourceworld/
Computer Science Students Outsource Homework, http://developers.slash+
dot.org/developers/06/01/19/0026203.shtml
85

,
,
. $
,
, . $
, ,
JPEG Microsoft Paint. $
, ,
, , ,
. 5.1.
JPEG
1.jpg
2.jpg
3.jpg
Microsoft
Paint
4.jpg
...
. 5.1.
JPEG $
JPEG. $
, $
Microsoft Paint
. ,

Microsoft Paint. $
,
.
,
. , $
, .
, , (SMTP),
(SIP) $
IP (VoIP):
86
5.
Excerpt of an SIP INVITE Transaction
49
6f
32
30
4e
70
2e
2f
56
65
30
55
49
6e
0d
44
54
72
0a
50
45
63
56
20
20
65
69
70
73
2e
61
61
69
6f
3a
6d
70
72
20
69
3a
67
53
6e
72
20
49
69
6f
53
50
4c
6f
49
2f
2e
74
50
32
75
40
2f
2e
6e
INVITE sip:root@
openrce.org SIP/
2.0..Via: SIP/2.
0/UDP voip.openr

, , $
( , $
). ,
,
,
?
, $
, , $
.

$
, :
. (. 5.2).
($
, ), , $
PIN$, ,
, $
. $
,
PIN
. 5.2.

87
. $
. $
,
. ,
, . ,
, . ,
, $
, PIN$.

SSH ( ). $
.
. $
, .
,
.
SSH, ,
. 5.3.
. 5.3. SSH
,
, $
. $
,
. $
.
MAIL FROM SMTP,
HELO EHLO. . 5.4,
SMTP MAIL
FROM , ,
.
88
5.
HELO openrce.org
SMTP
MAIL FROM:pedram@openrce.org
HELO openrce.org
. 5.4. 1 SMTP
. 5.4 1 , $
MAIL FROM.
. 5.5: SMTP $
MAIL FROM $
.
SMTP
HELO openrce.org
HELO openrce.org
. 5.5. 2 SMTP
. 7 2006 $
1, $
SMTP Ipswitch Collaboration Suite.
$ @ :
. $
,
EHLO. $
, . $
, $
EHLO HELO.
?
.
http://www.zerodayinitiative.com/advisories/ZDI+06+028.html
89
,
,
.
,

, $
, . $
, , , $
,
.
. (quality assurance, QA) $
, , $
. $
QA $, , $
, $
90% ,
25% . $
,
$
, . $
23 .
$
, , $
.
: ? ,
: ?

. $
, . ,
, $
, , $
. $
, , $
, , . (ping)

, . $
, .
ASCII, $
,
, , Windows Event Viewer, . 5.6.
90
5.
. 5.6. Microsoft Windows Event Viewer
,
.
,
. , ,
, Microsoft Windows $
,
(Structured Exception Handling,
SEH).1
$
$ ,
. , $
FileFuzz, II, $
Microsoft Windows $
. $
,
, . ,
SMTP, Mac OS X, Microsoft Windows
Gentoo Linux, , ,
. , $
$ ,
, . VoIP,
1
91
$
, $
.
,
DBI1 (dynamic binary instrumentation/translation) Valgrind2
Dynamo Rio3.
, $ .
DBI
$
$ . $
, $
, . .
, ,
, , $ $
, .
, , $
,
. Valgrind $
, $
, .

.
,
, $
.

, (, $
), .
. , $
,
, $
, $50 .
$
(software development lifecycle, SDLC)
. $
, .
, , $
. , SDLC $
, ,
1
2
3
http://en.wikipedia.org/wiki/Binary_translation
Valgrind: http://valgrind.org/
Dynamo RIO: http://www.cag.lcs.mit.edu/dynamorio
92
5.
. ,
, ,
, , .
,
,
,
. ,
SDLC .
,
$
.
, $
.
; $
, $
$
.
II

6.
7.
8. :
9. $
10. $ :
11.
12. : UNIX
13. : Windows
14.
15. : UNIX
16. : Windows
17. $
18. $:
19.
20. :
.
,
, .
$.,
, ,
5 2004
.
$
.
$
, . $

, . $
,
,
$

.

, $
, .

96
6.
, .

, , , , $
,
.
,
.
,
, $
. ,

, Java, .NET Python. $
,

. $ $
$

, .

,
. $
,
. ,
$
, $

.
. $
, :

FTP$,
, FTP$,
.

FTP$.

, $
, $
, . $
, $
, , .
, $
, $
. ,
97

, .

$

, .1 ,
,
. $
(
).
Ethereal2/Wireshark3
Wireshark ( Ethereal)4 $
.
,
, $
. Wireshark $
,

. , , , $
, ,
. $
$
, Wireshark. $
Wire$
shark, , Ethernet.5
libdasm6 libdisasm7
libdasm, libdisasm $
;
at&t Intel $
. Libdasm , libdisasm Perl. Libdasm
Python. $
,
1
2
3
4
5
6
7
http://www.threatmind.net/secwiki/FuzzingTools
http://www.ethereal.com
http://www.wireshark.org
http://www.wireshark.org/faq.html#q1.2
http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/
http://www.nologin.org/main.pl?action=codeView&codeId=49
http://bastard.sourceforge.net/libdisasm.html
98
6.
.
: 12 $
: UNIX, 19
, 20 : $
, 23 24 $
.
Libnet1/LibnetNT2
Libnet $
;
.
, $
IP ,
. $
, .
LibPCAP3
LibPCAP Microsoft Windows WinPCAP4 $
;

UNIX Microsoft Windows. $
, Wireshark, $
.
Metro Packet Library5

Metro Packet Library , C# $
Ipv4, TCP, UDP $
(ICMP). $
.
16 $
: Windows.
PTrace
UNIX
ptrace() ( ). $
ptrace() , , $
.
1
2
3
4
5
http://www.packetfactory.net/libnet
http://www.securityfocus.com/tools/1559
http://www.tcpdump.org
http://www.tcpdump.org/wpcap.html
http://sourceforge.net/projects/dotmetro
99
,
8 :
12 : UNIX.
Python
Python
. Pcapy, Scapy PyDbg.
Pcapy1 Python, LibPCAP\WinPCAP $
Python . Scapy2
, $
, .
Scapy ,
. PyDbg3 32$ Py$
thon Microsoft Windows,
. PyDbg $

PaiMei4, 19, 20,
23 24.
$
. $ $
. , $
,
, .

$

;
, : .
.
, $
. $
,
.
$
,
.
1
2
3
4
http://oss.coresecurity.com/projects/pcapy.html
http://www.secdev.org/projects/scapy
http://openrce.org/downloads/details/208/PaiMei
100
6.

,
: $
. , ++, $
.
, Libnet
.
, Python Ruby,
; $
. $
,
. ,
, , $
, , .
Java, PHP
C# .

, , $
. , $
. , , $
IMAP.
IMAP, ,
(CCR),
RCF 3501.1
7.5.
+
. ,
.
.

, .
,
.
,
.
.
, CRLF, ,
.
,
:
http://www.faqs.org/rfcs/rfc3501.html
101
: C: A001 LOGIN {11}

S: + Ready for additional command text
C: FRED FOOBAR {7}
S: + Ready for additional command text
C: fat man
S: A001 OK LOGIN completed
C: A044 BLURDYBLOOP {102856}
S: A044 BAD No such command as "BLURDYBLOOP"
...
RFC , {} ($
),
, .
, $
? $
? , ,
32$ 0xFFFFFFFF
(4,294,967,295).
, 136 !
$
100 ,
500 .
IMAP , $
. , $
,
.

$
.
,
.

(0 0xFFFFF$
FFF) $
.
? , $
. $
,
,
, :
int size = read_ccr_size(packet);
// save space for NULL termination.
buffer = (char *) malloc(size + 1);
,
. ,
102
6.
, $
. , $
(, $
32$ ) $
(, )
, $
, ,
0xFFFFFFFF$1, 0xFFFFFFFF$2, 0xFFFFFFFF$3 1, 2, 3, 4 . .
$
. , , ,
Unicode. $
2. $
, :
int size = read_ccr_size(packet);
// create space for the Unicode converted buffer
// plus Unicode NULL termination (2 bytes).
buffer = (char *) malloc((size * 2) + 2);

,
: 0xFFFFFFFF/2,
0xFFFFFFFF/2$1, 0xFFFFFFFF/2$2 . .
, 3? 4? , $
, $
16$ (0xFFFF)?
8$ (0xFF)?
.
:
MAX32 16 <= MAX32 <= MAX32 + 16;
MAX32 / 2 16 <= MAX32 / 2 <= MAX32 / 2 + 16;
MAX32 / 3 16 <= MAX32 / 3 <= MAX32 / 3 + 16;
MAX32 / 4 16 <= MAX32 / 4 <= MAX32 / 4 + 16;
MAX16 16 <= MAX16 <= MAX16 + 16;
MAX16 / 2 16 <= MAX16 / 2 <= MAX16 / 2 + 16;
MAX16 / 3 16 <= MAX16 / 3 <= MAX16 / 3 + 16
MAX16 / 4 16 <= MAX16 / 4 <= MAX16 / 4 + 16
MAX8 16 <= MAX8 <= MAX8 + 16;
MAX8 / 2 16 <= MAX8 / 2 <= MAX8 / 2 + 16;
MAX8 / 3 16 <= MAX8 / 3 <= MAX8 / 3 + 16;
MAX8 / 4 16 <= MAX8 / 4 <= MAX8 / 4 + 16,
MAX32 32$ (0xFFFFFFFF),
MAX16 16$ (0xFFFF), MAX8
8$ (0xFF), 16
103
.

. $
,

100 .

. ,
. $

$
, $
. $
22 $
.

1 2005
,
Novell NetMail IMAPD1, $
. ,
$

.
$
, $
$

MMalloc() (. ):
; ebx is
00402CA2
00402CA5
00402CA6
attacker controlled
lea ecx, [ebx+1]
push ecx
call MMalloc
MMalloc() $
.
,
$
. $
memcpy():
1
http://pedram.redhive.com/advisories/novell_netmail_imapd/
104
6.
; destination is attacker allocated

00402D6E rep movsd
00402D70 mov ecx, edx
00402D72 and ecx, 3
00402D75 rep movsb
, $
,
,
.
Novell
, $
. Novell, IMAP
. ,
1 0xFFFFFFFF, 2 0xFFFFFFFE
. . ,
:
x LOGIN {4294967295}
:
x LOGIN {1}

, 22 2006 Novell $
...1

$
, ,
? 12
:
perl e 'print "A"*5000'
$
. , $
ASCII, B. , $
, $
1
2
, Google: http://www.google.com/search?
hl=en&q=%22perl++e+%27print+%22A%22*%22
105
Microsoft Windows $ ASCII

A B .
, ,
, , $
, $
A. ,
AAAAAAAAAAAAAAAAA.

, $$
, .
. $
$
, $
, ,
. , ,
http$ :
!@#$%^&*()_=+{}|\;:'",<.>/?~`
, $, http?

HTTP$:
HTTP/1.1 200 OK
Date: Sun, 01 Oct 2006 22:46:57 GMT
Server: Apache
XPoweredBy: PHP/5.1.4pl0gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
CacheControl: nostore, nocache, postcheck=0, precheck=0
Pragma: nocache
KeepAlive: timeout=15, max=93
Connection: KeepAlive
TransferEncoding: chunked
ContentType: text/html; charset=ISO88591
, , $
, $
0x0d 0x0a.
. ,
( ), (/) (.)
.
(:) , $
ContentType, Server Date . $
,
(,), (=), (;) ().
$
, $
(. ). , $
106
6.
. , ,
Sendmail (2003 ).1 $
<>, $
. $

:
void parse (char *inbuf)
{
char cpy[16];
char *cursor;
char *delim_index;
int length = 0;
for (cursor=inbuf; *cursor; cursor++)
{
if (*cursor == :)
delim_index = cursor;
else
length++;
}
// 2 for null termination and the : delimiter
if (length < sizeof(cpy) 2)
strcpy(cpy, inbuf);
}
,
(). $
.
length . $

$
,
,
strcpy(). $
, name:pedram amini.
, 16, ,
, strcpy().
: name::::::::::::::::::::::pedram? $
10, , $
strcpy().
,
strcpy(), 32, .
http://xforce.iss.net/xforce/alerts/id/advise142
107

$
; , , $
.
, %d,
10, %08x $
16. $
%s,
%n ( ).
, $
. $

. $
%s , $
, , $
. %s $
.
$
%s%n.

,
%d, %x, %s, ,
%n , $
.
.

$
, $
%n $
.
Microsoft $
%n $
printf. $
_set_printf_count_output()1, $
, %n. $
%n ,
.
1
108
6.

, , $
, $
. , 0xFE 0xFF
4 UTF16.

.
,
, $
. , Microsoft Internet Explorer $
UTF$8 Unicode.1 ,
5$ 6$ UTF$8

. $
, , 5$ 6$ $
UTF$8, .

.

$
, $.

$. ,
$,
,
. Mitre CVE 2006 , $

, $
, .2
$, $
$. (OSVDB)

, .3
, , Computer Associates BrightStor
ARCserve backup. BrightStor $
TCP caloggerd. $
, ,
$
. $
1
2
3
http://cwe.mitre.org/documents/vuln+trends.html#table1
http://www.osvdb.com/searchdb.php?text=directory+traversal
109
, $
, $
. $
,
. UNIX, , $
/etc/passwd.
;
2007 .
$
, ../../ ..\..\.

, $
$, $
CGI. $
, $; $

. , $
, $
$
, exec() system(), $
. $
Python:
directory = socket.recv(1024)
listing = os.system("ls /" + directory)
socket.send(listing)
$
, ,
. $
, $
. UNIX $
&&, ; |. , var/lib ; rm rf /
ls /var/lib ; rm rf /, ,
.
.
,
,
.

II III $
. $
,
110
6.
. $
.
,
$, , $
, .
,
. $
, $
. $
, , ,
.

.
$.,
New York Daily News,
23 2002
, .
$
, ,
$
.
$, $
.

. $
, . . , $

.
, .
112
7.

, Windows,
,
. ;
argv, main C. $
argc . $
, , , $
. $
:
int main(int argc,char *argv[])
{
int ix;
for (ix=0;ix<argc;ix++)
printf("argv[%d] == %s\n",ix,argv[ix]);
}

, . 7.1.
. 7.1.

$
. ,
113
. $
, . $
( ) $
, $
. ,
. command.com $
Windows. UNIX $
, sh, csh, ksh bash.

HOME, PATH, PS1 USER. $
, ,
.
, $
, $
, .
, $
getenv, $
. Windows ,
UNIX, UNIX, $
Windows setuid,
, ,
. . 7.2
. 7.2. bash

114
7.
UNIX.
, bash set.
$
export. , , $
, $
.

: $
,
. ,
.
, .
$
.
, , $
, , ,
. $
, $
. $
,
.
,
. $
, , $
. 'su',
UNIX. $
, , $
,
,
$
.
C, , $
su $ :
{
[...]
if (argc >1)
become(argv[1]);
else
become("root");
[...]
}
115
,
, $
. . ,
$
? ?

.
. UNIX
, setuid
setgid.
setuid setgid ,
. setuid,
, , . set
gid, $
. , , setuid,
setgid, .
setuid
find,
UNIX .
setuid (setuid binaries) . $
, :
find / type f perm 4000 o perm 2000
find , $
,
.
, find.
, ,
/ . type
find, . ,
, .
perm , . $
o find or. $
setgid setuid, true
. , $
, setuid (4), setgid (2). $
Fedora
Core 4:
[root@localhost /]# find / type f perm 4000 o perm 2000
/bin/traceroute6
/bin/traceroute
/bin/mount
116
7.
/bin/su
/bin/ping6
/bin/ping
/bin/umount
/usr/bin/lppasswd
/usr/bin/gtali
/usr/bin/wall
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/glines
/usr/bin/gnibbles
, gnibbles
/usr/bin/at
...
/usr/bin/gnotravex
/usr/bin/gnobots2
/usr/bin/sudo
/usr/bin/samegnome
/usr/bin/gataxx
/usr/bin/rcp
/usr/bin/mahjongg
/usr/bin/iagno
/usr/bin/rlogin
/usr/bin/gnotski
/usr/bin/chage
/usr/bin/lockfile
/usr/bin/write
/usr/bin/gpasswd
/usr/bin/sshagent
/usr/bin/crontab
/usr/bin/gnomine
/usr/bin/sudoedit
/usr/bin/chfn
/usr/bin/slocate
/usr/bin/newgrp
/usr/bin/rsh
/usr/X11R6/bin/Xorg
/usr/lib/vte/gnomeptyhelper
/usr/libexec/openssh/sshkeysign
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/sendmail.sendmail
/usr/sbin/usernetctl
/usr/sbin/lockdev
/usr/sbin/utempter
/sbin/pam_timestamp_check
/sbin/netreport
/sbin/unix_chkpwd
/sbin/pwdb_chkpwd
117
UNIX
UNIX
: , .
: $
, , . $
. $
, ,
. , ,
, .
,
:
rxx 2 dude staff 2048 Jan 2 2002 File
dude. ,
. ,
, $
.

, , . $
. ,
: , $
, .
UNIX
.
, . . 0 7.
4, 2, 1.
, .
, , $
, , , 666.
dude 510:
(5) = (4) + (1), (1) = (1), $
(0), . . .
setu
id setgid. setuid 4, setgid 2. $
, setuid setgid 6,755.
, ,
, .

; ASCII,
. $
HOME
118
7.
, , .
Perl, UNIX
:
HOME=`perl e 'print "X"x10000'` /usr/bin/target
,
HOME. , ,
, HOME. $
, ?
, ?

, $
.
, getenv
. getenv $
getenv,
.
,
.
GNU (GDB)
, . $
GDB getenv
. GDB
Solaris 10:
(08:55AM)[user@unknown:~]$gdb q /usr/bin/id
(no debugging symbols found)...(gdb)
(gdb) break getenv
Function "getenv" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (getenv) pending.
(gdb) commands
Type commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
>silent
>x/s $i0
>cont
>end
(gdb) r
Starting program: /usr/bin/id
[...]
Breakpoint 2 at 0xff2c4610
Pending breakpoint "getenv" resolved
(no debugging symbols found)...

0xff0a9064:
0xff0a9078:
0xff24b940:
0xff351940:
0xff351948:
0xff3518d8:
0xff3518e4:
0xff3518f0:
0xff3518f8:
0xff351904:
0xff351910:
uid=100(user)
119
"LIBCTF_DECOMPRESSOR"
"LIBCTF_DEBUG"
"LIBPROC_DEBUG"
"LC_ALL"
"LANG"
"LC_CTYPE"
"LC_NUMERIC"
"LC_TIME"
"LC_COLLATE"
"LC_MONETARY"
"LC_MESSAGES"
gid=1(other)
Program exited normally.

(gdb)
, GDB,
:
break $
. , $
getenv.
commands , $
.
i0 , x/s.
SPARC i0 ,
.
,
.
run, .
11 $
, /usr/bin/id. ,
, $
, , , $
$ . $
, $eax x86, $i0 SPARC $a0 MIPS.
, , , $
.

, $
, $
. ,
getenv. $
getenv , $

120
7.
getenv.
.
getenv.
environ, $
. environ , $
. ,
; , NULL, ,
:
extern char **environ;
char *getenv(char *variable)
{
int ix=0;
while (environ[ix])
{
if ( ! ( strncmp(string,environ[ix],strlen(string))) &&
(environ[ix][strlen(string)] == =) )
{
printf("%s\n",environ[ix]+strlen(string)+1);
return environ[ix]+strlen(string)+1;
}
ix++;
}

(preloading) . $

, , $
. $
,
.
. $
. $
, ,
. , $
. ,
strcpy $
,
strcpy, strcpy. $
,
. $
.
getenv; $
.
getenv; $
. $
121
,
getenv:
#define BUFFSIZE 20000
char *getenv(char *variable)
{
char buff[BUFFSIZE];
memset(buff,A,BUFFSIZE);
buff[BUFFSIZE1] = 0x0;
return buff;
}
, $
. environ, $
.
GRL$ sharefuzz, $
$
setuid. $,
C $
($
, , ). Linux $
:
gcc shared fPIC o my_getenv.so my_getenv.c
LD_PRELOAD=./my_getenv.so /usr/bin/target
/usr/bin/target, getenv
getenv.

, ,
, , $
. , . $
, $
.
, $
,
. $
.
.
. UNIX Linux, $
$ , $
128 . , $
139, SIGSEGV $
11. $ , $
132, SIGILL 4.
122
7.
: 132 139,
.
, , . SIGABRT $
glibc
. ,
(dump core).
$ (heap),
.
, $
, .
, C ,
, , wait waitpid.
: fork execve $
wait waitpid . $
,
, wait waitpid.

iFUZZ, .
, $
( $
),
signal. $
API, $
, $
. UNIX
ptrace. fork ptrace execve
waitpid ptrace
, , $
, .
waitpid, ,
.
waitpid, , . $
,
. $
ptrace. , SPIKEfile
notSPIKEfile, $
. $
12 :
UNIX. , $
.
ptrace $
. UNIX setuid $
, SIGSEGV SIGILL. , $
ptrace, ,
.
123
, ,
.
$
, $
UNIX C. $
getenv.
,
.
$
,
, $
.
8

:
+ !
$.,
, ,
24 2004
iFUZZ ,
.
UNIX c
setuid, 7 $
. iFUZZ,
, iFUZZ
IBM
AIX 5.3.
iFUZZ
iFUZZ , $
.
;
C, ;
, .
iFUZZ , $
UNIX , $
UNIX. IRIX,
iFUZZ
125
HP$UX, QNX, MacOS X, AIX.

:
argv.
, .
argv[0] argv[1] .
:
, , .
, ,
, $
, .
/ .
; $
,
. $
. iFUZZ
a Z,
./target a FUZZSTRING
FUZZSTRING , $
iFUZZ. $
, ,
, , , $
.
getopt. $
: , $
getopt, $
, $
. $
,
.

. , , , $
$
$
f. usage $
, :
$ ./sample_program
Usage:
f <file> Input filename
o <file> Output filename
v Verbose output
d Debug mode
s Silent mode
, $
, getopt , , $
126
8. :
f:o:vds. , f o $
, v, d s . $
? getopt:
options , +
, .
(:),
, . +
(::),
, ; GNU.
iFUZZ getopt,
. iFUZZ
, $
, ,
.
iFUZZ
.
, , ,
$ . . ;
, .
iFUZZ getenv $
. ,
, .
sharefuzz :
, $
. $
iFUZZ, .
getopt,
getopt $
. ,
C; $
. , $
$
.
getopt , $
usage.
, , $
. $
iFUZZ, $
fuzzing.org, $
.
127

iFUZZ :
, , .

. $
, .
, $
, argv[0]. $
,
argv[0],
, QNX,
Linux AIX. $
.
$
, $
,
. , $
$
argv[0]:
{
if (argc >1) printf(argv[1]);
exit(0);
}

, $
.

,
. 1999
proftpd 1.2.opre6
(Tymm Twillman) $
BugTraq1,
. $
$ snprintf(),
.2
1
2
http://seclists.org/bugtraq/1999/Sep/0328.html
http://en.wikipedia.org/wiki/Format_string_attack
128
8. :
. $
,
UNIX. $
. ,

. $
.
, iFUZZ
, ,
, $
. :
getopt.
: , $
, $
. $
. $
, .
$
getopt. ,
, , $
,
, $
. $
, ,
.
. $
, ,
, $
UNIX ,
.
Fork, Execute Wait

fork ($
), execute () wait ():
[...]
if ((pid = fork ()) != 0)
{
child = pid;
waitpid (pid, &status, 0);
if (WIFSIGNALED (status))
{
switch (WTERMSIG (status))
{
case SIGBUS:
case SIGILL:
129
case SIGABRT:
case SIGSEGV:
fprintf (stderr, "CRASH ON SIGNAL #%d\n",
WTERMSIG (status));
break;
default:
break;
}
}
}
else /* child */
{
execle ("/bin/program","program",NULL, environ);
perror ("execle");
}
[...]
Fork, Ptrace/Execute
Wait/Ptrace
, ,
, $
, $
. notSPIKEfile SPIKEfile, $
12
: UNIX:
[...]
if ( !(pid = fork ()) )
{ /* */
ptrace (PTRACE_TRACEME, 0, NULL, NULL);
execve (argv[0], argv, envp);
}
else
{ /* */
c_pid = pid;
monitor:
if ( WIFEXITED (status) )
{ /* */
if ( !quiet )
printf ("Process %d exited with code %d\n",
pid,WEXITSTATUS (status));
return(ERR_OK);
}
else if ( WIFSIGNALED (status) )
{ /* */
printf ("Process %d terminated by unhandled signal %d\n",
pid, WTERMSIG (status));
return(ERR_OK);
}
130
8. :
else if ( WIFSTOPPED (status) )
{ /* */
if ( !quiet )
fprintf (stderr, "Process %d stopped due to signal %d (%s) ",
pid,WSTOPSIG (status), F_signum2ascii
(WSTOPSIG (status)));
}
switch ( WSTOPSIG (status) )
{ /* , */
case SIGILL:
case SIGBUS:
case SIGSEGV:
case SIGSYS:
printf("Program got interesting signal...\n");
if ( (ptrace (PTRACE_CONT, pid, NULL,
(WSTOPSIG (status) ==SIGTRAP) ? 0 :
WSTOPSIG (status))) == 1 )
{
perror("ptrace");
}
ptrace(PTRACE_DETACH,pid,NULL,NULL);
fclose(fp);
return(ERR_CRASH); /* it crashed */
}
/* */
if ( (ptrace (PTRACE_CONT, pid, NULL,
(WSTOPSIG (status) == SIGTRAP) ? 0 :
WSTOPSIG (status))) == 1 )
{
perror("ptrace");
}
goto monitor;
}
return(ERR_OK);
}
iFUZZ C.
, , $
, C $ ,
, , $
.
, ,
, ; , $
UNIX, , $
. , Python Ruby, $
. Perl, $
131
UNIX. , ,
Perl, .
, Python Perl, $
.

.
, ,
hack, , $
bash, ,
.

iFUZZ 50 $
IBM AIX 5.3,
, $
. $
argv[0]
argv[1]. $
. , ,
. $
, $
iFUZZ $
iFUZZ. (
setuid)
iFUZZ :
piomkpq A ascii p X d X D x q LONGSTRING;
piomkpq A ascii p LONGSTRING d X D X q.
$
,
printq, $
, .
$
getopt iFUZZ. $
getopt a:A:d:D:p:q:Q:s:r:w:v:
ls $
:
rsrx 1 root printq 32782 Dec 31 1969 /usr/lib/lpd/pio/etc/piomkpq*
iFUZZ $
. $
LONGSTRING
20 000 , X ,
132
8. :
x. X $
.
, ,
, ,
; ,
iFUZZ. $
iFUZZ argv[0], argv[1] $
setuid AIX 5.3, $
,
, .
IBM, ; $
iFUZZ $
, , ,
.

, ,
iFUZZ. ,
iFUZZ. , $
iFUZZ:
, iFUZZ $
,
, $
.
, ,
, $

.
, $
, $
. ,
.
, iFUZZ, $

setuid setgid. .
,
, , , $ $
. ,
iFUZZ , $
, $
.
, , $
. $

133
usage $
. , $

, $
.
,
C. C
,
. $
. $
, $
,
.
,
, ,
$
.

, ,
.
9

.
$.,
$1,
4 2003
$
. , $
$. , $
$, ,

$. $
, , , $
. $, $
, $
,
. $, $
, $
, $ $
. , $$
, , $
.
?
$ $
. (
14 )
135
<?
, $ $
, HTTP. $
$ $ $$
.
$,
, $
. $ $
, ,
. ,
ASP (application service provider $
).
$ $
, . $
,
. $
, $
.
, $
ASP. $
ASP,
,
. , $
$ .
, $
$, $
.
$
Microsoft Live
Microsoft $
$. $
GUI$ Microsoft Office,
2005 Microsoft
$: Windows Live Office
Live.1 Windows Live $
, Office Live $
. Microsoft $
. Live $
2002 Xbox Live $$
, Xbox.
1
http://news.com.com/2061+10805_3+6026895.html
136
9. <
,
.
. $

$ . $
, $ ,
$ . $
, , ,
,
. , $
$
.
. $
,
.

CGI
(Common Gateway Interface, CGI)
, $
(NCSA) $$
NCSA HTTP 1993 . CGI ,
$ ,
$.1 $
CGI , $
Perl.
PHP
(Hypertext Preprocessor, PHP2)
, $
$. , $
PHP
. PHP HTML
$, $
.
Flash
Flash FutureWave Soft$
ware, 1996 3 Macromedia.
1
2
3
http://en.wikipedia.org/wiki/Common_Gateway_Interface
http://www.php.net/
http://en.wikipedia.org/wiki/Adobe_Flash
<?
137
Flash
,
.
$.
Macromedia Macromedia Flash, $
Macromedia Flash Player. Flash
, ActionScript,
. Flash $
, Macromedia Flash Remoting
Flash Player $
.1 Macromedia 2005 Adobe
Systems.2
JavaScript
Netscape JavaScript 1995 $
$.3 JavaScript $
, .
JavaScript HTML, $
$, .
JavaScript ,
$ $
. , Mi$
crosoft ASP.Net (. ), JavaScript.
Java
Java (James Gosling) Sun Mi$
crosystems. Oak $
. $
$
Java, , Oak .4
Java $
. Java
,
Java Virtual Machine, . $
Java . $
$, $
.
1
2
3
4
http://www.macromedia.com/software/flashremoting/
http://en.wikipedia.org/wiki/Macromedia
http://en.wikipedia.org/wiki/Javascript
http://en.wikipedia.org/wiki/Java_programming_language
138
9. <
ASP.Net
.Net , .
CLR, , Visu$
al Basic C#. Microsoft .Net 2002 $
, $
, $. Java ,

, (Common Inter$
mediate Language, CIL), $
.1 $ ASP
.Net, . ASP.Net $
.Net$ .
1
http://en.wikipedia.org/wiki/Microsoft_.Net
$ $
, ,
$ ,
. $ $
, , $
. $
,
:
$
Microsoft Outlook Web Access Cross$Site Scripting Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=261

phpBB Group phpBB Arbitrary File Disclosure Vulnerability
display.php?id=204
Tikiwiki tiki$user_preferences Command Injection Vulnerability

display.php?id=335
139
WordPress Cookie cache_lastpostdate Variable Arbitrary PHP Code

Execution
http://www.osvdb.org/18672
(Enterprise Resource Planning,

ERP)
SAP Web Application Server sap$exiturl Header HTTP Response
Splitting
http://www.osvdb.org/20714

AWStats Remote Command Execution Vulnerability
display.php?id=185

IpSwitch WhatsUp Professional 2005 (SP1) SQL Injection Vulnerability
display.php?id=268
Multiple Vendor Cacti Remote File Inclusion Vulnerability
display.php?id=265
, $$
, ,
, , $
.
$, $
.
$ $
. $
. ,
,
, $
. , $, $
, . $
, , ,
.
140
9. <
$
, .
: , $
$, $
. , , $
,
.
CPU$ / $
. , $
, ,
$
.
$ $
.
$ . $
, , , $
: , ,
, $.
. $
, $
, . ,
$ , $
, .
, Windows XP1
Linux, $, , $
$ $
.
(VM), VMWare2
Microsoft Virtual Machine3,
$. $$
$ VM,
. $
$. $,
, $, $
VM.
. , $
$
, , $
2
3
http://www.microsoft.com/resources/documentation/windows/xp/all/prod+
docs/en+us/iiiisin2. mspx
http://www.vmware.com
http://www.microsoft.com/windows/virtualpc/default.mspx
141
. , , $
, .

, $
$, $
. : $
? , $
, URL cookies, $
$? $? ,
.
, $ .
,
$, ,
. $
$ $, Microsoft Inter$
net Explorer Mozilla Firefox. $, $
$
URL . , $
$, $
. , , $$
. telnet$, $
. Telnet $
, TCP.
$
:
telnet www.fuzzing.org 80[Return]
GET / HTTP/1.1[Return]
Host: www.fuzzing.org[Return]
[Return]
. telnet$
: (fuzzing.org)
(80). Telnet TCP$ 23. $
$ ,
TCP$ 80. $
, HTTP. $
, (GET). $
.
/ $, $
. $ $
$ , .
$, HTTP
(HTTP/1.1).
, HTTP 1.0 , HTTP 1.1
142
9. <
. 1 ( $
Return), :
HTTP/1.1 200 OK
CacheControl: private
ContentType: text/html
SetCookie:
PREF=ID=56173d883ba96ae9:TM=1136763507:LM=1136763507:S=W43uFkQu1vexo
Pq; expires=Sun, 17Jan2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
TransferEncoding: chunked
Date: Sun, 08 Jan 2006 23:38:27 GMT
<html>
<head>
<meta httpequiv= "contenttype"
content="text/html;charset=UTF8">
<title>Google</title>
<style><!
body,td,a,p,.h{fontfamily:arial,sansserif;}
.h{fontsize: 20px;}
.q{color:#0000cc;}
//>
</style>
</head>
<body bgcolor=#ffffff text=#000000 link=#0000cc
vlink=#551a8b
alink=#ff0000 topmargin=3 marginheight=3>
<center>
[snip]
<a href=http://www.google.com/intl/en/about.html>About
Google</a>
<span id=hp style="behavior:url(#default#homepage)">
</span>
</font><p><font size=2>©2006
Google</font></p></center>
</body>
</html>
HTML$ $,
, $ $
. HTML$
$, $
, ,
URL. , , ,
, .
http://rfc.net/rfc2616.html#s14.23
143
, $
, HTTP$.
$? $
, $ Internet Explo$
rer. Ethereal :
GET / HTTP/1.1
Accept: */*
AcceptLanguage: enus
AcceptEncoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727)
Host: www.google.com
Cookie:
PREF=ID=32a1c6fa8d9e9a7a:FF=4:LD=en:NR=10:TM=1130820854:LM=1135410309:S=b9I4
GWDAtclpmXBF
? HTTP $
, $
. HTTP/1.1
176$ RFC 2616 Hypertext Transfer
Protocol HTTP/1.1.1 $
, , $
:
Accept: */*
Accept , $
. , $
(*/*).
, text/html image/jpeg.
AcceptLanguage
, . $
.
RFC 1766 Tags for the Identifi$
cation of Languages ( ).2
AcceptEncoding: gzip, deflate

,
.
, gzip3 deflate4.
http://rfc.net/rfc2616.html
2
3
4
144
9. <
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;

.NET CLR 1.1.4322; .NET CLR 2.0.50727)
UserAgent ($), $
. ,
$
. Microsoft Internet
Explorer 6.0 SP2, Windows XP SP2.
Host: www.google.com
, $
$. , $
$ . ,
IP$ .
Connection $
.
, . Con
nection: close ,
.
Cookie: PREF=ID=32b1c6fa8e9e9a7a:FF=4:LD=en:NR=10:TM= 1130820854:

LM=1135410309:S=b9I4GWDAtc2pmXBF
Cookies $
, $
. Cookies
.

$ . $
$, .
, , $
$
. , ,
$, $
.
, (Uniform Resource
Identifier, URI), HTTP, HTTP $
. $
:
[Method] [RequestURI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]
145
$ GET POST.
,
$.
$. GET $
URI . , http://www.google.com/se
arch?as_q=security&num=10 Google $
, security (as_q=security) $
10 (num=10). $
GET URI $
?, &.
POST. $
, $
HTTP HTTP. $
, $
. HTTP
URI, $ $$
. $ 414 (URI
), URI .
POST , URI $
, .
, , $
URI Google Maps,
. ,
?
http://maps.google.com/maps?hl=en&q=1600+Pennsylvania+
Ave&near=20500
, $ $
. :
HEAD. GET, $
, HTML$ $.
PUT. $.
, $
, PUT ,
. ,
Microsoft Security Bulletin
MS05$006.1 , $
Microsoft SharePoint $
PUT.2
1
2
http://www.microsoft.com/technet/security/Bulletin/MS05+006.mspx
http://support.microsoft.com/kb/887981
146
9. <
DELETE.
$. ,
,
, .

$.
TRACE. , $
. $
,
, . 2003
(Jeremiah Grossman) WhiteHat Security $
Cross$Site Tracing (XST)1, $
, ,
$ cookies $
, TRACE.
, TRACE
.
CONNECT. , $
.
OPTIONS. $ $
, . $
, ,
.
OPTIONS, , ,
$ $
(Internet Information Services, IIS), $
WebDAV, $
HTTP, $. $
MS03$0072 (Unchecked Buffer in
Windows Component Could Cause Server Compromise $
Windows ).
OPTIONS * HTTP/1.0 , OPTIONS,
, WebDAV.3 , $
, WebDAV , $
Public:
HTTP/1.1 200 OK
Server: MicrosoftIIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Public: OPTIONS, TRACE, GET, HEAD, POST
ContentLength: 0
1
2
3
http://www.cgisecurity.com/whitehat+mirror/WH+WhitePaper_XST_ebook.pdf
http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm
147
,
WebDAV. , WebDAV $
Microsoft IIS 5.0, $
, MS03$007,
:
HTTP/1.1 200 OK
Server: MicrosoftIIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
ContentLength: 0
AcceptRanges: bytes
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL,
PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL,
PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
CacheControl: private
(URI)
$ URI. URI
($), .
(, http://www.target.com/page.html)
(/page.html) . $
, $ $
. *
OPTIONS. $
. , , $

/dir/page.html?name1=value1&name2=value2
:
/[path]/[page].[extension]?[name]=[value]&[name]=[value]
$
. $ $
, $
, $ , ,
.
,
, ,
.
:
.
.
, $
../.
,
148
9. <
1
2
3
4
5
, , ,
.
. Macromedia JRun 4 Web Server
JRun 4 Updater 5 $
.1 $
, 65 536 .
$
.
.
3Coms Network Supervisor $
.2 $, $
TCP$ 21700; , Network Supervi$
sor 5.0.2 URL,
../, $
$. ,
, , , .
. $
,
.
. Microsoft IIS 4.0
, $
.htr, .stm .idc.
Microsoft
Security Bulletin MS99$0193, .
. 3Com OfficeConnect
Wireless 11g Access Point , $
$ $
$ $
.4 , /main/config.bin
, , $
.
Nikto5 ,
, $$
,
$.
. , $
, ,
. $
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360
http://www.cirt.net/code/nikto.shtml
149
: *.html (HyperText Markup Language $

), *.asp (Active Server Page )
*.php (Hypertext Preprocessor ).
$ ,
.
. $
, $
. $
, $
.
.
, $. $
, length=50, $
, $
, . ,
, , $
? ? $
, $
.
, .
,
, , $
. :
, $
.
. , , ,
(/, =, &, ., : . .),
. $
$ , $
, $
.
$
HTTP, , HTTP $
, , , , $
. $
HTTP HTTP/1.1.
HTTP (HTTP/[major].[minor]).
.
:
[Header name]: [Header value]
150
9. <
, : $
, (:).
, $
. $
, HTTP, $
RFC:
RFC 1945Hypertext Transfer ProtocolHTTP/1.01
RFC 2616Hypertext Transfer ProtocolHTTP/1.12
, , $
, $
.

2006 iDefense Labs $
Novell
SUSE Linux Enterprise Server 9.3 $
POST $
ContentLength. , $
:
POST / HTTP/1.0
ContentLength: 900
[Data to overwrite the heap]
Cookies
Cookies ; HTTP,
$,
cookies. cookies :
Cookie: [Name1]=[Value1]; [Name2]=[Value2] ...
, .
, cookies ,
.
1
2
3
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id= 371
151
POST
,
$ URI GET, $
HTTP POST. :
[Name1]=[Value1]&[Name2]=[Value2]

(Greg MacManus) iDefense Labs
$, $
Linksys.1 $
, POST apply.cgi
10 000 .
$
, $
,
.

$ $
, $
, , . $

. , $
. $
.
$
:
$

$

cookies
http://www.idefense.com/intelligence/vulnerabilities/display.php?id= 305
152
9. <

$ $ $
. , $
$. , (
="hidden"),

. ,
,
. , $
, , .
$
/. , $
cookies, ,
HTTP $
. HTTP, $
Wireshark.1
$
, $, ,
$. $
, $ ($
$).
$, $
, $$
. $
, , . ,
, , $
. , $ wget.2 $
UNIX,
win32.3
, WebScarab.4 WebScarab, $
Open Web Application Security Project (OWASP),
$.
WebScarab $, $
. $
WebScarab, $
/ .
$,
, .
1
2
3
4
http://wireshark.org/
http://www.gnu.org/software/wget/
http://gnuwin32.sourceforge.net/packages/wget.htm
http://www.owasp.org/software/webscarab.html
153
$ $
, .
:
(Denial+of+service, DoS). DoS$ $
. DoS$
,
, $
, $
.
(Cross+site scripting, XSS). $
Mitre 2006 XSS 21,5% $
.1 , XSS$
$, $
. $ XSS$
, ,
$. , XSS, $
$, $
, , $
.
SQL. $
SQL , $
. Mitre 2006 ,
SQL (14%)
. $ $
$, ,
SQL,
. ,
SQL , , , $
;
.
SQL $
$
.
/ . ,
, $ $
, , , .
,

. , $
$
, .
1
154
9. <
$ $
, $
.
.
, , $
. $
,
. $
, , $
$ :
,
.
. , HTTP $
, $
, $
$
.
cookies URI ,
, . Cookies
,
. $
cookies , $
.
. , ,
$ , $
. , $
$ , C#
Java, , $
. , $
. $
,
, C C++,
. ,
: $ $. $$
, $
.
HTTP. $$
GET POST. ,
, ,
RFC$. ,

. , $
$
, .
155
. $ $

.
, $
. PHP Perl
.
.
PHP$. ,
,
include() require(), PHP
, . ,
,
$ PHP. , $
, Mitre 2006 ,
9,5%.
. $
, . ,
, , $
,

, .
, ,
. $
,
, .
HTTP+. HTTP$
Sanctum Inc.
Divide and Conquer.1 ,
CRLF
. , , $
$ ,
$ $.
HTTP+ (Cross+Site Request Forgery, CSRF).
CSRF$ ; $
. ,
$ $
, $ , , $
. , $ $

$, $
. ,
.
http://www.packetstormsecurity.org/papers/general/whitepaper_httprespon+
se.pdf
156
9. <
,
$ ,
. CSRF$ $$
$
, $
. $ $
$
.
$,
, $ $
. , , $
, $
. $
$, HTTP,
, $
. $
Web Application Secu$
rity Consortiums Threat Classification.1
$$
. $
, $ $
, $ 10 000 $
. , , ,
. , $
, $
:
HTTP. $ , $
.
10 RFC 2616 Hy$
pertext Transfer Protocol HTTP/1.1.2 $
, .
, (500) $
, $
. , 401
, , $
.
+. $ $
,
1
2
http://www.webappsec.org/projects/threat/
157
. $
HTML .
.
, , ,
. ,
,
.
, $
, $
.
. $ ,
. , $
, $
. , $
, . $
, ,
$ $
, .
, $
, .
.
$ , , $
,
. $
Microsoft Windows; $
Event Viewer.
. $
$
, . $
$
, $
. , $
, , $
,
, $
$
. , $
, .
$$
, ,
.
158
9. <
$ $$
,
$. , $
$ .
$
, $
.
; $
. $$
, ,
.
10

:
.
,
, .
$.,
, ,
13 2001
, .
.
. .
$.,
, ,
13 2002
, , $
, .
, ,
WebFuzz $.
,
. $
. $
.
,
160
10. < :
, $
. $?
, $$
, , WebFuzz .

$ . $
, . $
$:
SPIKE Proxy1. . SPIKE Proxy $
, Python. $
, $, $
$$ $
, SQL, $
XSS. SPIKE Proxy
, $
. SPIKE Proxy ,
. . 10.1
SPIKE Proxy.
. 10.1. SPIKE Proxy
<
161
WebScarab1. Open Web Application Security Project

(OWASP)
$, WebScarab.
$ $
, $
.
SPI Fuzzer2. SPI Toolkit, , ,
WebInspect. WebInspect $
, SPI Dynamics $
$$
.
Codenomicon HTTP Test Tools3. Codenomicon $
,
HTTP.
beSTORM4. Codenomicon, Beyond Security
. beSTORM , $
$,
HTTP.
WebFuzz SPI Fuz$

zer. SPI Fuzzer , $
$,
HTTP, $
. HTTP, $
, .
, ,
.
. 10.2 SPI Fuzzer.
SPI Fuzzer ,
$
. , SPI Fuzzer,
, ,
, WebFuzz.
, WebFuzz , $
. $
,
. $
.
, .
1
2
3
4
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
http://www.spidynamics.com/products/webinspect/toolkit.html
http://www.codenomicon.com/products/internet/http/
http://www.beyondsecurity.com/BeStorm_Info.htm
162
10. < :
. 10.2. SPI Fuzzer
, , WebFuzz $
. , ,
.
, , $
, $
. WebFuzz $
, $
. WebFuzz $
www.fuzzing.org.
,
,
HTTP, ,
.
163
. $ ,
. $
$. ,
(HTTP)
HTTP.
. $
.
,
.
. 10.3 WebFuzz.
:
. IP$ $ $
. $, WebFuzz
, . .
. $ TCP$$
80, TCP$. ,
$,
, ,
$.
, , WebFuzz, $
, .
+. $
, $, , $
, . ,
timeout, $
. $
,
: , ,
DoS.
(Request Headers). $
. $
, URI , $
. $
, ,
. $
, (Request
headers). ,
(point$and$click), $
, , $
. 10.3. $
(Default Headers),
$ .
164
10. < :
. 10.3. WebFuzz

,
. ,
$
. , $
$
, (, [Overflow]).

: (static lists)
(generated variables).
, $
. $
XSS. $
, $
XSS (, <script>alert('XSS')</script>), $
.
ASCII; ,

.
,
. Overflow
. ,
, $
. . 10.4 , $
.
165
. 10.4.

.
$
(, $
),
,
. WebFuzz
.
,
WebFuzz
. WebFuzz , $
:
[Methods] /file.php?var1=[XSS][SQL]&var2=[Format] HTTP/1.1
Accept: */*
UserAgent: Mozilla/4.0
Host: [Overflow]
ProxyConnection: KeepAlive
WebFuzz (responses)
. ,
.
$
(raw results), HTML $. . 10.5
, . 10.6 $$
. ,
. , $
( , 500 ), $
DoS. , $ $
, $
SQL. $
.
166
10. < :
. 10.5.
. 10.6. HTML
167

HTTP
,
.
,
$.

WebFuzz
HTTP, , $$
? $ ?
?
, ,
. $
, $, $
WebFuzz $
$. LiveHTTPHeaders1
HTTP $
Mozilla. . 10.7 , LiveHTTPHeaders
Firefox.
. 10.7. LiveHTTPHeaders
1
http://livehttpheaders.mozdev.org/
168
10. < :
,
, WebFuzz, $
. $
, Tamper Data1 Firebug2 Firefox Fiddler3
Internet Explorer, LiveHTTPHeaders
.
, $ $
, $
. WebFuzz , $
, $
.
$, ,
.
.
, , HTML$
, $
Responses ().
WebFuzz
:
HTML

,

WebFuzz

$
, ,
.
HTML
, HTML $
, $
. $
, WebFuzz $
, ,
.
, .
1
2
3
https://addons.mozilla.org/firefox/966/
http://www.getfirebug.com/
http://www.fiddlertool.com
169

$ $
$. $
$ ,
. , $
: $
. $
$ , $
, , .
( $
) (), $
.
SQL.
,
$
,
XSS. $ $
, , , $
. , HTML$
, WebFuzz, , $
XSS.

DoS$ ,
.
, $
DoS$. $
, $
, ,
, CPU.

, ,
$
DoS$.
WebFuzz
WebFuzz $
, $ . $
, $ $
, WebFuzz , $
. ,
DoS$.
170
10. < :

$
, , .
, . $
,
. , $
, ,
. , ,
$ $
. ,
, FileFuzz COMRaider,
. $
, WebFuzz $
. $
$, $
, ,
DoS$.
, , . $
$.
WebFuzz
$.
HTTP,
.
, $
.
,
.

WebFuzz GUI$$
. C# $
. $, C#
GUI . $, C#
. $
C# , Win$
dows. $ ,
, . ,
Windows
Windows.
171
,
. $
,
. ,
, , $.
TcpClient
C# WebClient,
HTTP. , $
,
.
, WebFuzz,
HTTP. C# $
HttpWebRequest HttpWebResponse.
,
, . $
WebFuzz? . $
TcpClient,
TCP$, HTTP.
$. ? $
?
, .
,
, . , $
.

HTTP, , , $$
. , , :
WebClient wclFuzz = new WebClient();
wclFuzz.Headers.Add("blah", "blah");
Stream data = wclFuzz.OpenRead("http:// www.fuzzing.org");
StreamReader reader = new StreamReader(data);
data.Close();
reader.Close();
, $
$ WebClient.
GET (blah:
blah). , $
, , :
GET / HTTP/1.1
blah: blah
Host: www.fuzzing.org
172
10. < :
, : Host
Connection. $ , $
. $
,
.
TcpClient WebFuzz.

.
,
WebFuzz , $

.
. , ,
, ,
, .
,
$
$. , WebFuzz
, , , , $
. ,
.
, ,
. .
WebFuzz, $
:
TcpClient client;
NetworkStream stream;
ClientState cs;
try
{
client = new TcpClient();
client.Connect(reqHost, Convert.ToInt32(tbxPort.Text));
stream = client.GetStream();
cs = new ClientState(stream, reqBytes);
}
catch (SocketException ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
return;
}
catch (System.IO.IOException ex)
{
173
return;
}
IAsyncResult result = stream.BeginWrite(cs.ByteBuffer, 0,
cs.ByteBuffer.Length, new AsyncCallback(OnWriteComplete), cs);
result.AsyncWaitHandle.WaitOne();
TCPClient NetworkStream, Begin

Write(). :1
byte[] array , , $
;
int offset , ;
int numBytes ;
AsyncCallback userCallback , ,
;
object stateObject ,
.
AsyncWaitHandle.WaitOne() ,
. ,
:
public static void OnWriteComplete(IAsyncResult ar)
{
try
{
ClientState cs = (ClientState)ar.AsyncState;
cs.NetStream.EndWrite(ar);
}
catch (System.ObjectDisposedException ex)
{
MessageBox.Show(ex.Message, "Error",MessageBoxButtons.OK,
}
}
, $
:
try
{
result = stream.BeginRead(cs.ByteBuffer, cs.TotalBytes,
cs.ByteBuffer.Length cs.TotalBytes,
new AsyncCallback(OnReadComplete), cs);
}
{
MessageBox.Show(ex.Message, "Error",MessageBoxButtons.OK,
1
http://msdn.microsoft.com/library/en+us/cpref/html/frlrfsystemiofilestream+
classbeginwritetopic.asp
174
10. < :
ReadDone.Close();
return;
}
, $
$. Begin
Read(), , BeginWrite(),
OnReadComplete():
public void OnReadComplete(IAsyncResult ar)
{
readTimeout.Elapsed += new ElapsedEventHandler(OnTimedEvent);
readTimeout.Interval = Convert.ToInt32(tbxTimeout.Text);
readTimeout.Enabled = true;
ClientState cs = (ClientState)ar.AsyncState;
int bytesRcvd;
try
{
bytesRcvd = cs.NetStream.EndRead(ar);
}
{
return;
}
catch (System.ObjectDisposedException ex)
{
return;
}
cs.AppendResponse(Encoding.ASCII.GetString(cs.ByteBuffer,
cs.TotalBytes, bytesRcvd));
cs.AddToTotalBytes(bytesRcvd);
if (bytesRcvd != 0)
{
cs.NetStream.BeginRead(cs.ByteBuffer, cs.TotalBytes,
cs.ByteBuffer.Length cs.TotalBytes,
new AsyncCallback(OnReadComplete), cs);
}
else
{
readTimeout.Enabled = false;
if (ReadDone.Set() == false)
ReadDone.Set();
}
}
OnReadComplete() (readTimeout), $
ReadDone.Set(),
. ,
175
, $
, .
.
, . $
, . , $
BeginRead(). , .

, .
, , (Request Headers),
,
. $
, (Request)
btnRequest_Click():
if (rawRequest.Contains("[") != true || rawRequest.Contains("]") != true)
rawRequest = "[None]" + rawRequest;
while (rawRequest.Contains("[") && rawRequest.Contains("]")
{
fuzz = rawRequest.Substring(rawRequest.IndexOf('[' ) + 1,
(rawRequest.IndexOf(']') rawRequest.IndexOf('[')) 1);
, ,
,
. $
, , $
:
int arrayCount = 0;
int arrayEnd = 0;
Read fuzzText = null;
WebFuzz.Generate fuzzGenerate = null;
ArrayList fuzzArray = null;
string replaceString = "";
string[] fuzzVariables = { "SQL", "XSS", "Methods", "Overflow", "Traversal",
"Format" };
switch (fuzz)
{
case "SQL":
fuzzText = new Read("sqlinjection.txt");
fuzzArray = fuzzText.readFile();
arrayEnd = fuzzArray.Count;
replaceString = "[SQL]";
break;
case "XSS":
fuzzText = new Read("xssinjection.txt");
replaceString = "[XSS]";
176
10. < :
break;
case "Methods":
fuzzText = new Read("methods.txt");
replaceString = "[Methods]";
break;
case "Overflow":
fuzzGenerate= new WebFuzz.Overflow(overflowFill, overflowLength,
overflowMultiplier);
fuzzArray = fuzzGenerate.buildArray();
replaceString = "[Overflow]";
break;
case "Traversal":
fuzzGenerate= new WebFuzz.Overflow("../", 1, 10);
replaceString = "[Traversal] ";
break;
case "Format":
fuzzGenerate= new WebFuzz.Overflow("%n", 1, 10);
replaceString = "[Format]";
break;
case "None":
ArrayList nullValueArrayList = new ArrayList();
nullValueArrayList.Add("");
fuzzArray = nullValueArrayList;
replaceString = "[None]";
break;
default:
arrayEnd = 1;
break;
, (SQL,
XSS (Methods)), Read() $
ASCII, $
. ( (Overflow), $
(Traversal) (Format)), , $
Generate() ,
.

, WebFuzz ,
, HTML, , $
. , ,
, , ($
177
) ListView. , ,

ListView, Rich$
TextBox WebBrowser:
rtbRequestRaw.Text = reqString;
rtbResponseRaw.Text = dataReceived;
wbrResponse.DocumentText = html;
string path = getPath(reqString);
lvwResponses.Items.Add(lvwResponses.Items.Count.ToString());
lvwResponses.Items[lvwResponses.Items.Count 1].SubItems.Add(status);
lvwResponses.Items[lvwResponses.Items.Count 1].SubItems.Add(reqHost);
lvwResponses.Items[lvwResponses.Items.Count 1].SubItems.Add
(requestString.Substring(0, requestString.IndexOf("\r\n")));
lvwResponses.Refresh();
requestsRaw[lvwResponses.Items.Count 1] = reqString;
responsesRaw[lvwResponses.Items.Count 1] = dataReceived;
responsesHtml[lvwResponses.Items.Count 1] = html;
responsesHost[lvwResponses.Items.Count 1] = reqHost;
responsesPath[lvwResponses.Items.Count 1] = path;
, WebFuzz
. , $
HTTP.

www.fuzzing.org.

, , WebFuzz, $
. , .

, , $
$
, . $
,
$ $
, . , $
, , $
. ,
, $
, $
.

../, .
178
10. < :
URL, $
$. $
, , ,
.
, $
$. , Windows $
boot.ini win.ini, ASCII, $

Windows.

Trend Micro Control Manager1,
IMAGE rptserver.asp. $
WebFuzz get$ rptserver.asp,
IMAGE [Tra
versal], win.ini.
. 10.8: ,
.
. 10.8. Trend Micro Control Manage

1
179
. 10.9. Ipswitch Imail Web Calendaring
, . Ipswitch
Imail Web Calendaring1 , $
, $ $
.
,
JSP. WebFuzz (. 10.9).
GET , $
$ blah.jsp, $
, , boot.ini.
. 10.9 , , $
$, .
$, $
$
GUI, . ,
1
180
10. < :
, $

. , $
. $
, ,
,
. , $
, DoS$ $
.
WebFuzz
, .
, PMSoftwares Simple Web
Server1?
GET . , ,
:
GET /[Overflow] HTTP/1.1
404 Page Not Found (

), . 10.10 , WebFuzz
$ . ?
. 10.10. +
1
http://secunia.com/advisories/15000/
181
. 10.11. +
, $
Simple Web Server, ,
. 10.11.
( Simple Web Server). $
, $
. , DoS$.
? . 10.12, $
, EIP $
, .
, . $
. $
.
. 10.12. +
182
10. < :
SQL
SQL ,
SQL
.
, .
,
SQL.
SQL $
Ipswitch Whatsup Professional (SP1)1
. $
? LiveHTTPHeaders ,
Login.asp
POST, :
POST /NmConsole/Login.asp HTTP/1.1
Host: localhost
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; enUS; rv:1.8.0.1)
Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/
plain;q=0.8,image/png,*/*;q=0.5
AcceptLanguage: enus,en;q=0.5
AcceptEncoding: gzip,deflate
AcceptCharset: ISO88591,utf8;q=0.7,*;q=0.7
KeepAlive: 300
Connection: keepalive
Referer: http://localhost/NmConsole/Login.asp
Cookie: Ipswitch={A481461B2EC640AEB36246B31959F6D1}
ContentType: application/xwwwformurlencoded
ContentLength: 81
bIsJavaScriptDisabled=false&sUserName=xxx&sPassword=yyy&btnLogIn=Log+In
,
, :
POST /NmConsole/Login.asp HTTP/1.1
Host: localhost
bIsJavaScriptDisabled=false&sUserName=[SQL]&sPassword=&btnLogIn=Log+In
: There was
an error while attempting to login: Invalid user name ( +
: ).
WebFuzz , , $
. 10.13,
. ,
.
183
. 10.13. Ipswitch Whatsup Professional (SP1)
SQL. $
' or 1=11 , $
UPDATE
. $
, SQL,
; ?
Google. $, Ipswitch $
.2
, $ $
, . :
Ipswitch , . $
Ipswitch3 ,
:
osql E D WhatsUp Q "UPDATE WebUser SET sPassword=DEFAULT
WHERE sUserName='Admin'"
, Ipswitch, $
,
, . ,
SQL.
, $
:
/: $$
. ?
/: SQL $

1
2
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.ipswitch.com/support/whatsup_professional/guides/WhatsUp+
DBSchema.zip
http://support.ipswitch.com/kb/WP+20041122+DM01.htm
184
10. < :
XSS
XSS . Mitre 2006 21,5% $
XSS, .1 slackers.org
XSS2, ,
.
$, XSS $
. $
$
.
, $
JavaScript. , , $
$ $
.
XSS $$
. SPI Dynamics $ http://zero.web+
appsecurity.com (. 10.14) WebInspect,
. 10.14. SPI Dynamics Free Bank

1
2
http://sla.ckers.org/forum/read.php?3,44
185
$.
$. post login1.asp, $
rootlogin.asp.
XSS. , ,
txtName, Last Name:
rootlogin.asp. $
, $
XSS$.
XSS $
JavaScript ,
. ,
, $
, JavaScript
$. , XSS $
:
POST /rootlogin.asp HTTP/1.1
Host: zero.webappsecurity.com
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; enUS;
rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5
AcceptLanguage: enus,en;q=0.5
AcceptEncoding: gzip,deflate
AcceptCharset: ISO88591,utf8;q=0.7,*;q=0.7
KeepAlive: 300
Connection: keepalive
Referer: http://zero.webappsecurity.com
ContentType: application/xwwwformurlencoded
ContentLength: 72
txtPassPhrase=first&txtName=<script>alert('Does fuzzing
work?')</script>&txtHidden=This+was+hidden+from+the+user
. 10.15, $
, .
, , $
.
, ,
. . .
, ,
. Java$
Script, ? ,
. , $
JavaScript, ,
. HTML? $
, , Java$
Script, XSS. HTML$
IMG .
186
10. < :
. 10.15.
HTML$ IMG,
$$
. , , ,
, voila! , XSS. .
WebFuzz .
WebFuzz $
. $
.
xssinjection.txt:
%3Cimg+src%3D%27http%3A%2F%2Flocalhost%2Fblah%27%3E
URL$ ,
$
:
<img src='http://localhost/blah'>
?
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 20070131 00:57:34
187
#Fields: time cip csmethod csuristem scstatus

00:57:34 127.0.0.1 GET /xss 404
! 404 Page Not Found , Web$

Fuzz rootlogin.asp, $
XSS.

WebFuzz , $
, ,
. , ,
HTTP,
, . ,
,
. $
, , $

.
Web$
Fuzz, .
, , $

. WebFuzz
$, $
, . ,
$
, . , $

,
, XSS.
, , . $
,
,
.
$ , $
. $
,
$
. WebFuzz , $
. $
WebFuzz
.
11

.
$.,
, ,
19 2000

. , $
, , $ $
. , $
, , $
. $
$
, .
2005 2006 $
,
:
$
. $
eEye, , $
Zero$
Day Tracker.1 , , $
$
. $
1
http://research.eeye.com/html/alerts/zeroday/
189
, $
.
,
.
. $
, $ ,
, .
, $
, . ,
,
.
Microsoft
Exchange TNEF, . 11.1
.
11.1.

http://www.tippingpoint.com/security/
$ advisories/TSRT+06+10.html
Microsoft
HLINK.DLL
http://www.idefense.com/intelligence/

vulnerabilities/display.php?id=318
CHM
Kaspersky

m3u Winamp
http://www.microsoft.com/technet/se+

curity/Bulletin/MS06+055.mspx

$


MIME WinZip
$ http://www.microsoft.com/technet/se+
TNEF
curity/Bulletin/MS06+003.mspx
Microsoft Exchange
190
11.
, $
. $
. ,
, $
. $
$: ,
.
!1
,
. , , $
, Microsoft Security
Bulletin MS06$055, Internet Explorer,
Outlook.
,
. $
, , $
: , $
. , $
,
$
.
, $
, .
.
, $
,
,
. $
, $
. $
$
, $
. $

:
1. , $
( ).
2. , .
3. , ,
.
1
http://www.clearswift.com/solutions/porn_filters.aspx
191
4. . $
, $
.
5. .
,
. , $
, , , $
, . ,
,
, , ,
.
,
, $
, .
, $
. , $
. $
, $
. , $
:
, 0xff. $
, $ .
,
. $
. , $
.
, $
.
, , ?
. $
, .
$
, $
, $$
.
. $,
, , , $
. ,
, Microsoft Word.
20 .
20 480 . ,
2 ,
11 , $
. 254 ?
192
11.
$
, $
. $
, ,
, : $
.
,
, $
, $
$, . $
$
. ,
$
, $
$
. $
, $
.
,
, ,
$
.
, , , $
.
, , $
. , $
.
, .
$
.
, $
,
, $
. , $
,
Google , $ .
$, Wotsits Format1,
. $
, $
$

. ,
1
http://www.wotsit.org
193

.
,
, SPIKEfile 12
: UNIX.
$
, .

$
, $
. $
. ,
, $
,
. $
,
, ,
.
$
. WinRAR1 ,
. ,
WinRAR , $ WinRAR.
.
zip, rar, tar, gz, ace, uue .
, Win$
RAR, . $
, $
.
: . $
, , $
, ,
, , $
. ,
, , $
. , $
;
, $ $
$
.
http://www.rarlab.com
194
11.
$
$
. :
( )

/

$
, ,
, $
.
, , $.
,
$
( ), $
null.
, , $
, $
.
,
,
, , $
. $
ClamAV.1

$
.
$
:
[...]
[1] size
[2] allocation_size
[3] buffer
[4] for (ix = 0; ix
1
=
=
=
<
read32_from_file();
size+1;
malloc(allocation_size);
size; ix++)
http://idefense.com/intelligence/vulnerabilities/display.php?id=333
195
[5] buffer[ix]
[...]
= read8_from_file();
$
, .
32$
(0xFFFFFFFF) size, [2] allocation_size $
$ .
, . $
[4] [5] $
, size, $
, .
. $
, .

. $ $
, $
. $ $
, , ,
.
, , ,
.

, , $

.
:
[0] #define MAX_ITEMS 512
[...]
[1] char buff[MAX_ITEMS]
[2] int size;
[...]
[3] size = read32_from_file();
[4] if (size > MAX_ITEMS)
[5]
{ printf("Too many items\n");return 1; }
[6] readx_from_file(size,buff);
[...]
/* readx_from_file: read 'size' bytes from file into buff */
[7] void readx_from_file(unsigned int size, char *buff)
{
[...]
}
,
, [4]
196
11.
( [1]), MAX_ITEMS (
[0]) , , , 1
512. ,
[7],
. 1, ,
42949672954294967295. , $
, ,
readx_from_file, $
.

, $
. . $
. $

. $ $
, . $
, $
. , $
, The Shallcoders
Handbook: Discovering and Exploiting Security Hotels (
$: $
).1

$
. $
$
, $
WMF Microsoft, MS06$001.2
. $
, ,
, $
.

, $
, ,
. , $
,
, US$CERT, $
1
2
ISBN$10: 0764544683.
197
$
%n.1
, , $
, , $
. $
Adobe2 RealNetworks3. $
,
, , $
. , $
, , $
, .

, $
,
.
.
,
Microsoft Internet Explorer.
, $ , Internet Explorer $
,
, , .
$
. $
, ,
, $
. , , $

. $
:
. $
Microsoft Windows, $
Event Viewer. ,
, $
, $
.
1
2
3
https://buildsecurityin.us+cert.gov/daisy/bsi/articles/knowledge/guidelines/
340.html
198
11.
(). $

. $
, $
, $
. $
$
24
.
. $
, $
, , $
.
, UNIX ,
.
. $

. , $
, , $
, , , , $
,
.
, $
.
$
$
PyDbg Microsoft Windows, $
PaiMei.1
, $
, , $
, $
, , . $
. , $
8$ 42$
, 8$42. $

. ,
, . $
.
http://www.openrce.org/downloads/details/208
199

, .

, $ $
, .
$
TCP/IP,
$
.
, , , $
$
,
.
12
:
UNIX
.
, , .
.
$.,
. .
Bush at War ( )
$
, $ ,
, $
. ,

. HTML, $
Microsoft Internet Explorer, , $
, $
. , $
UNIX, ,
.
,
notSPIKEfile SPIKEfile, $
.
, .
, $
,
. UNIX, $
notSPIKEfile SPIKEfile
201
$. $

.
notSPIKEfile SPIKEfile
,
UNIX, SPIKEfile notSPIKEfile.
, SPIKE,
SPIKE.1
:
, $

.
, $
, .
$
ASCII.
, $
,
.
?
notSPIKEfile SPIKEfile ,
. $
:
. $
x86 Linux ptrace,
. ,
$
.
.
, $
$
.
, , $
. $
,
.
.
http://www.immunityinc.com/resources+freesoftware.shtml
202
12. : UNIX

, $
, , .

Linux. $
, ,
.
.

,
$
. ? .

, .
, , ,
.
, , $
. , $
UNIX system , . $
$
, . $
, ,
, $
, ,
,
, $
.
, ,
:
(LIBC) , $
open, creat, system
. .

ptrace.
, $
, ,
, ,
. $
, $
, $
ptrace.
203

( )

, .
, $
. $
,
. , , $
. $

ptrace. $
, . $

x86. libdisasm1, $
, , $
, Google, $
. , libdisasm
, ,
.

, $
, $
. , $
notSPIKEfile, SPIKE$
file, SPIKEfile
SPIKE. ,
.
, , , SPIKEfile
, SPIKE.
, SPIKE,
. SPIKE
, .
notSPIKEfile . $
.
$
.
: .
,
. $
, , . $
,
1
http://bastard.sourceforge.net/libdisasm.html
204
12. : UNIX
, ,
URL , $
. $
, SPIKE notSPIKEfile,
. 12.1,
$
. ,
, $
.
12.1.
"A"x10000
"%n%n"x5000
. $

$
HTTP:// + "A"x10000
URL.
URL
"A"x5000 + "@" + "A"5000
.
$

0x20000000,0x40000000,
0x80000000,0xffffffff
,

. $
. , mal
loc(user_count*sizeof (struct blah));. $
, $
$
, $

"../"x5000 + "AAAA"

URL

, . , ,
, $
,
.
, , , $
.html .

SPIKEfile notSPIKEfile.
205

$
, . , $
, forking off $
. $
:
[...]
if ( !(pid = fork ()) )
{ /* */
ptrace (PTRACE_TRACEME, 0, NULL, NULL);
execve (argv[0], argv, envp);
}
else
{ /* */
c_pid = pid;
monitor:
if ( WIFEXITED (status) )
{ /* */
if ( !quiet )
printf ("Process %d exited with code %d\n",
pid,WEXITSTATUS (status));
return(ERR_OK);
}
else if ( WIFSIGNALED (status) )
{ /* */
printf ("Process %d terminated by unhandled signal %d\n",
pid, WTERMSIG (status));
return(ERR_OK);
}
else if ( WIFSTOPPED (status) )
{ /* */
if ( !quiet )
fprintf (stderr, "Process %d stopped due to signal %d (%s) ",
pid,WSTOPSIG (status), F_signum2ascii (WSTOPSIG (status)));
}
switch ( WSTOPSIG (status) )
{ /* , */
case SIGILL:
case SIGBUS:
case SIGSEGV:
case SIGSYS:
printf("Program got interesting signal\n");
if ( (ptrace (PTRACE_CONT, pid, NULL,(WSTOPSIG (status)
==SIGTRAP) ? 0 : WSTOPSIG (status))) == 1 )
{
perror("ptrace");
}
ptrace(PTRACE_DETACH,pid,NULL,NULL);
206
12. : UNIX
fclose(fp);
return(ERR_CRASH); /* it crashed */
}
/* */
if ( (ptrace (PTRACE_CONT, pid, NULL,(WSTOPSIG (status) == SIGTRAP)
? 0 : WSTOPSIG (status))) == 1 )
{
perror("ptrace");
}
goto monitor;
}
return(ERR_OK);
}
, , $
. , , $
ptrace , $
, PTRA
CE_TRACEME. , ,
, ,
, $
$ .
, , $
, , $
PTRACE_TRACEME. $
,
. , $
. , $
. $
.
, , ,
, $
. $
, $
, ,
. $
, , $
.
, $
. : ,
?, .
? , $
,
, , $
, $ $
. , $
.
207
$
$
. $
, .
,
GLIBC. $
, $
.1
, $
, ,
, .
UNIX , .
UNIX
. 12.2 , $
, $
, .
12.2. UNIX

SIGSEGV
. $

SIGILL
.
; . $
, $
$

SIGSYS
.
,
($ ). $
, SIGILL
SIGBUS
. $ $
. $
.
RISC . $
RISC $
SIGBUS
SIGABRT
. $
, GLIBC

http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt
208
12. : UNIX
UNIX
. 12.2, . 12.3 ,
, , , $
.
12.3. UNIX

SIGCHLD
SIGKILL, SIGTERM
SIGFPE
, $

SIGALRM
, SIGCHLD, ,
, $
. $
, $ $
, $ .

$ ,
(. . ), ,
, wait
waitpid. $
,
. ,
. $
, , . 12.1.
, $
fork, , $
,
wait waitpid. , $
$.
notSPIKEfile $
,
,
. , ,
, $
8 .
. $ ,
.
SIGCHLD,
209
<
fork()
Parent()
Child()
wait(&status)
Code()
exit(0):
,
,

. 12.1.
.
SIGCHLD .
$
, $
. !
. wait
waitpid, , $
WHOHANG.
, , $
.
.
SPIKEfile $
, $
. $
SIGCHLD, .
SPIKEfile SPIKE, $
$ ,
, . , SPIKE
TCP/IP,
.
filestuff.c:
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
210
12. : UNIX
#include <fcntl.h>
#include "filestuff.h"
#include "spike.h"
extern struct spike *current_spike;
int
spike_fileopen (const char *file)
{
int fd;
if ((fd =
open (file, O_CREAT | O_TRUNC | O_WRONLY,
S_IRWXU | S_IRWXG | S_IRWXO)) == 1)
perror ("fileopen::open");
return current_spike>fd = fd;
current_spike>proto = 69; /* 69==file,068 are reserved by
the ISO fuzzing standard */
}
int
spike_filewrite (uint32 size, unsigned char *inbuffer)
{
if (write (current_spike>fd, inbuffer, size) != size)
{
perror ("filewrite::write");
return 1;
}
return 1;
}
void
spike_close_file ()
{
if (current_spike>fd != 1)
{
close (current_spike>fd);
current_spike>fd = 1;
}
}
Makefile, , SPIKE, $

. , $
SPIKE, . 12.4.
12.4. , SPIKE
SPIKEfile

filestuff.c
util.c
notSPIKEfile
SPIKEfile . ptrace,
F_execmon
211
generic_file_fuzz.c
SPIKEfile. main
include/filestuff.h
filestuff.c
Libdisasm
, x86
$

SPIKEfile notSPIKEfile $
, , $
. Adobe Acrobat Reader RealNet$
works RealPlayer .
, ,
, . $
,
.
, $
.
. $
, $
. , $
, $
, $
.
, .
, Acro$
batReader RealPlayer.
.
Adobe Acrobat
Acrobat acro$
read, DEBUG. $
, $
acroread,
$PREFIX/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread.
$
, ,
acroread. .
notSPIKEfile $
UnixAppOpenFilePerform $
Adobe Acrobat Reader.1
1
212
12. : UNIX
RealNetworks RealPlayer
, realplay
. ,
realplay.bin.
user@host RealPlayer $ file realplay realplay.bin
realplay: Bourne shell script text executable
realplay.bin: ELF 32bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
RealPlayer $
HELIX_PATH RealPlayer.
real$
play.bin, RealPlayer. $
realplay.
notSPIKEfile $
RealPix RealNetworks Real$
Player/HelixPlayer.1
:
RealPix
RealPlayer
, notSPIKEfile
RealPlayer,
2005 . ,
RealPlayer. , , $
RealPix. Google
RealPix, $
$
notSPIKEfile. :
<imfl>
<head title="RealPix(tm) Sample Effects"
author="Jay Slagle"
copyright="(c)1998 RealNetworks, Inc."
timeformat="dd:hh:mm:ss.xyz"
duration="46"
bitrate="12000"
width="256"
height="256"
url="http://www.real.com"
aspect="true"/>
</imfl>2
1
2
http://service.real.com/help/library/guides/realpix/htmfiles/tags.htm
RealPix
213
RealPlayer. $
RealPlayer, , $
. notSPIKE$
file .
, :
user@host $ export HELIX_PATH=/opt/RealPlayer/
user@host $ ./notSPIKEfile t 3 d 1 m 3 r 0 S s SIGKILL o FUZZY
sample1.rp sample1.rp "/opt/RealPlay/realplay.bin %FILENAME%"
[]
user@host $
t $
RealPlayer 3 . d $
1 $
. $
realplayer m, $
r ,
.
s SIGKILL
s.
, , $
, $
, sample1.rp, , $
RealPlayer, . $
! , ,
, $ .
, $
FUZZY$sample1.rp$0x28ab156b$dump.txt. $
,
.
, .
12288$FUZZY$sample1.rp.
.
, ,
. :
<imfl>
<head title="RealPix(tm) Sample Effects"
author="Jay Slagle"
copyright="(c)1998 RealNetworks, Inc."
timeformat="%n%n%n%n%n%n%n%n%n%n%n%ndd:hh:mm:ss.xyz"
duration="46"
bitrate="12000"
width="256"
height="256"
url="http://www.real.com"
aspect="true"/>
</imfl>
214
12. : UNIX
%n, ,
. $
, Real$
Player GDB:
user@host ~/notSPIKEfile $ gdb q /opt/RealPlayer/realplay.bin
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r 12288FUZZYsample1.rp
Starting program: /opt/RealPlayer/realplay.bin 12288FUZZYsample1.rp
Program received signal SIGSEGV, Segmentation fault.
0xb7e53e67 in vfprintf () from /lib/tls/libc.so.6
(gdb) x/i $pc
0xb7e53e67 <vfprintf+13719>: mov %ecx,(%eax)

RealPlayer timeformat.
.

. $, Linux, , $
.
Linux , , , $
, Linux . $
, ptrace
, $
.
, ,
SPIKE . $ $
SPIKE, $ , $
, ,
,
$
.

. $
$ , ,
, .
13
:
Windows
,
,
.
$.,
, ,
28 2005

UNIX. $
$
Windows. , $
, . $$
, Windows $
, ,
, ,

$. $ ,
;
Windows, , Windows
. $

.
216
13. : Windows
Windows
$
,
.
.

,
. $
, $
.
$
, $
,
. , $
. $
, $
, .
.
$
,
. $
.
, , $
. $
.
$ , $
. ,
, $
. ?
$
? ,
. ,
Lynx?
, ,
.
Windows $
$ , .
,
.
, .
,
, .
, $
, Windows
.
Windows
217
. $
, Mi$
crosoft Windows.
FileFuzz $
. FileFuzz
. $,
. $,
, $
, . $, $
, , ,
. $
, $
Microsoft .NET. $
C#, $
, , C. . 13.1 $
.
. 13.1. FileFuzz
218
13. : Windows
,
Microsoft Windows
MS04*028. JPEG (GDI+)
.
2004 Microsoft
, $
, ,
GDI+
JPEG,
. JPEG
0xFFFE,
.
2 , $
2 , . $
, , ,
$
. $
Windows, GDI+ (gdiplus.dll) $
. $
$
.
MS05*009 PNG
.
, , Microsoft, $
, $
PNG ( $
), tRNS, $
.
Windows Messenger MSN Messenger , Mi$
crosoft
,
.
MS06*001.
.
2005 $
, WMF ($
Windows), , $
Internet Explorer .
$ Microsoft $
2006 . $
, .
219
WMF , $
GDI ($
) Windows. , Es
cape, SETABORTPROC $
. , $
$4000.1
Excel, eBay.
8 2005 fearwall eBay
, $
Microsoft Excel.2 ,
eBay , , $
3, $
.
1
2
3
http://www.securityfocus.com/brief/126
http://www.osvdb.org/blog/?p=71
http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerabi+
lity_auction/
FileFuzz
, ,
. , FileFuzz $
, , $
, $
. , , .
FileFuzz ,

.
FileFuzz .
: , , $
, $
. $
$
. ,
$
$. , $
, $
, .
,
220
13. : Windows
.
.

FileFuzz .
, , $
$
, ,
.
, .
FileFuzz
( , , ),
:
;
;
;
;
;
ASCII;
.
, FileFuzz
, ASCII.
: .
, $
. $
, $
. ,
, $
, . , , , $
.
, , $
, ,
.
. $
$
,
. , $
, ,
$ .
, .
, $
, ,
, $
221
. .
, , ,
, ,
$ . $
.
,
, $
.
, ,
. $
,
. $
$
, , $
,
.
FileFuzz ASCII: $
, $
, , $
, ,
. $
, ,
. . ASCII $
*.ini :
name = value
, . , $
A, 10.
Finf
=, . $
Replace 1010. 10 $
,
=. 10 10 100 $
A .

. ,
*.doc, $
Microsoft Word. FileFuzz
CreateProcess() Windows,
FileFuzz ,
, $
, ,
. $
.
222
13. : Windows

, .
$
, . $
,
, $
.
Execute , $
,
.

, $
. ,
, , ,
, , 10 $
? ,
.
,
.
,
, , . $
, ? . $
$ , ,
, $ .
, $
,
Windows Event Viewer. ,
( ) $
( ).
,
.
, $
$
. , $
,
. Windows $

. ,
,
, $
.

,
. $
223
, $
$
. , . $
$
.
, $
.
, $
, .
FileFuzz crash.exe, , $
,
, . $
, , $
FileFuzz , $
crash.exe .

FileFuzz : $
$
.
, $
. $
, $
File Types .
$
, .
, $
targets.xml.
:
<test>
<name>jpg iexplore.exe</name>
<file>
<fileName>JPG</fileName>
<fileDescription>JPEG Image</fileDescription>
</file>
<source>
<sourceFile>gradient.jpg</sourceFile>
<sourceDir>C:\WINDOWS\Help\Tours\htmlTour\</sourceDir>
</source>
<app>
<appName>iexplore.exe</appName>
<appDescription>Internet Explorer</appDescription>
<appAction>open</appAction>
<appLaunch>"C:\Program Files\Internet Explorer\iexplore.exe"</appLaunch>
<appFlags>{0}</appFlags>
</app>
<target>
224
13. : Windows
<targetDir>c:\fuzz\jpg\</targetDir>
</target>
</test>
$
. FileFuzz $
, ,
$
. $
$
.
XML : $
$
, . , $
,
, . $

.
XML.
XML .
, <test>.
$
$
. $
, $
, . $
,
. ,
, , ,
.

Windows UNIX ,
Windows
, .
, , $
, $
,
.

Microsoft Windows $
. $
, $

225
.
. , $
, $
$ ,
,
, $
. , , $
JPEG. $
, ,
, , $
$
. Windows XP , $
JPEG, Windows Picture and Fax Viewer. $
, , Windows Picture and Fax Viewer,
, $
, , $
Download.com. ?
Windows , $
.
Windows
,
Windows? $
, $
. , $
, ,
. $
, $
.
, $
.
Windows Explorer $
, , $
, . Win$
dows Explorer, , JPEG
Windows Picture and Fax Viewer. , $
, JPEG$
FileFuzz .

Windows Explorer. .
. 13.2 , .
. $
$
, . $
, $
226
13. : Windows
. 13.2.
, , $
:
. ,
,
,
.
, $
JPEG, , $
$
. , $
.
Windows $
.
$
. $
, Windows JPEG,
.
. 13.3, ,
.
227
. 13.3.
$! Windows , $
. , ,
. 13.4, , Windows Picture and Fax Viewer
. $
(DLL), $
rundll32.exe.
Windows Picture and Fax Viewer :
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1
Windows Picture and Fax Viewer

, , , Win$
dows ImageView_Fullscreen.
%1 $
JPEG, $
Windows Picture and Fax Viewer, $
. . $
$
, ,
FileFuzz . $
Application Arguments, $
Execute FileFuzz. , $
, %1, ,
a{0}, , FileFuzz.
: Windows ,
.
, ,
.
228
13. : Windows
. 13.4.
Windows
90 100
Windows Explorer,
, ,
Windows Explorer. , ,
*.cbo. CBO Microsoft Interactive
Training, Windows XP, $
, Dell. $
, Microsoft Interactive Training,
, CBO $
Windows Explorer, Windows Explorer $
CBO
Microsoft Interactive Training . $
?
, Windows Explorer? $
Windows. $
\HKEY_CLASSES_ROOT\.xxx, xxx
. $
, .
HKEY_CLASSES_ROOT\,
. \shell\open\com$
mand , $
, $
.
229
, $
Windows, $
. , $
FileFuzz,
FileFuzz
GDI+ JPEG,
Microsoft MS04$028.
FileFuzz,
, $
, $
. ,
, , $
. $
,
Windows, $
.

, $
.NET.
, , $
. $

C#. C,
$ $
Windows. .NET $
, $
, , $
.NET.
, File$
Fuzz. $
. ,
.
FileFuzz,
www.fuzzing.org.
230
13. : Windows

, FileFuzz $
Windows, , $
ASCII. Read.cs $
, write.cs $
.

FileFuzz , $
.

. , .NET $
. $

ASCII. BinaryReader $
.
ASCII , $
StreamReader. , , $
, , $
. Read:
private BinaryReader brSourceFile;
private StreamReader arSourceFile;
public byte [] sourceArray;
public string sourceString;
private int sourceCount;
private string sourceFile;
public Read(string fileName)
{
sourceFile = fileName;
sourceArray = null;
sourceString = null;
sourceCount = 0;
}
sourceArray $
, , sourceString
ASCII.

, $

. , FileFuzz $
,
:
;
;
231
;
.
Write,

.
BinaryWriter , $

. ASCII, $
, StreamWriter $
.

, $
, Main.cs, $
. , ,
, , ,
,
, , ,
. crash.exe $
.
Process.
executeApp() , $
.
,
, . ,
, crash.exe, , $
, crash.exe, $
, . $
crash.exe, $
crash.exe
rtbLog, $
FileFuzz:
Process proc = new Process();
public Execute(int startFileInput, int finishFileInput, string
targetDirectoryInput, string fileExtensionInput, int applicationTimerInput,
string executeAppNameInput, string executeAppArgsInput)
{
startFile = startFileInput;
finishFile = finishFileInput;
targetDirectory = targetDirectoryInput;
fileExtension = fileExtensionInput;
applicationTimer = applicationTimerInput;
executeAppName = executeAppNameInput;
executeAppArgs = executeAppArgsInput;
procCount = startFile;
232
13. : Windows
}
public void executeApp()
{
bool exceptionFound = false;
//Initialize progress bar
if (this.pbrStart != null)
{
this.pbrStart(startFile, finishFile);
}
while (procCount <= finishFile)
{
proc.StartInfo.CreateNoWindow = true;
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.RedirectStandardError = true;
proc.StartInfo.FileName = "crash.exe";
proc.StartInfo.Arguments = executeAppName + " " + applicationTimer + " " +
String.Format(executeAppArgs, @targetDirectory + procCount.ToString() +
fileExtension);
proc.Start();
//Update progress bar
if (this.pbrUpdate != null)
{
this.pbrUpdate(procCount);
}
//Update counter
if (this.tbxUpdate != null)
{
this.tbxUpdate(procCount);
}
proc.WaitForExit();
//Write std output to rich text box log
if (this.rtbLog != null && (proc.ExitCode == 1 || proc.ExitCode == 1))
{
this.rtbLog(proc.StandardOutput.ReadToEnd());
this.rtbLog(proc.StandardError.ReadToEnd());
exceptionFound = true;
}
procCount++;
}
//Clear the progress bar
if (this.pbrStart != null)
{
this.pbrStart(0, 0);
}
//Clear the counter
if (this.tbxUpdate != null)
{
this.tbxUpdate(0);
233
}
if (exceptionFound == false)
this.rtbLog("No excpetions found\n\n");
exceptionFound = false;
}

, FileFuzz
crash.exe, , C, $
, Win$
dows. libdasm, ,
.
, ,
, crash.exe
. FileFuzz
, ,
, , $
, $
. $
, $
$
.
CreateProcess DEBUG_PROCESS:
if (argc < 4)
{
fprintf(stderr, "[!] Usage: crash <path to app> <milliseconds> <arg1>
[arg2 arg3 argn]\n\n");
return 1;
}
// convert wait time from string to integer.
if ((wait_time = atoi(argv[2])) == 0)
{
fprintf(stderr, "[!] Milliseconds argument unrecognized: %s\n\n", argv[2]);
return 1;
}
// create the command line string for the call to CreateProcess().
strcpy(command_line, argv[1]);
for (i = 3; i < argc; i++)
{
strcat(command_line, " ");
strcat(command_line, argv[i]);
}
//
// launch the target process.
//
ret = CreateProcess(NULL,
// target file name.
234
13. : Windows
command_line,
NULL,
NULL,
FALSE,
DEBUG_PROCESS,
NULL,
NULL,
&si,
&pi);
// command line options.

// process attributes.
// thread attributes.
// handles are not inherited.
// debug the target process and all spawned children.
// use our current environment.
// use our current working directory.
// pointer to STARTUPINFO structure.
// pointer to PROCESS_INFORMATION structure.
printf("[*] %s\n", GetCommandLine()); //Print the command line

if (!ret)
{
fprintf(stderr, "[!] CreateProcess() failed: %d\n\n", GetLastError());
return 1;
}
crash.exe
. ,
, , $
. , $

. $
,
: , $
. $
, ,
. $
libdasm, , $
, $
:
while (GetTickCount() start_time < wait_time)
{
if (WaitForDebugEvent(&dbg, 100))
{
// we are only interested in debug events.
if (dbg.dwDebugEventCode != EXCEPTION_DEBUG_EVENT)
{
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
continue;
}
// get a handle to the offending thread.
if ((thread = OpenThread(THREAD_ALL_ACCESS, FALSE,
dbg.dwThreadId)) == NULL)
{
fprintf(stderr, "[!] OpenThread() failed: %d\n\n", GetLastError());
return 1;
}
235
// get the context of the offending thread.

context.ContextFlags = CONTEXT_FULL;
if (GetThreadContext(thread, &context) == 0)
{
fprintf(stderr, "[!] GetThreadContext() failed: %d\n\n",
GetLastError());
return 1;
}
// examine the exception code.

switch (dbg.u.Exception.ExceptionRecord.ExceptionCode)
{
case EXCEPTION_ACCESS_VIOLATION:
exception = TRUE;
printf("[*] Access Violation\n");
break;
case EXCEPTION_INT_DIVIDE_BY_ZERO:
exception = TRUE;
printf("[*] Divide by Zero\n");
break;
case EXCEPTION_STACK_OVERFLOW:
exception = TRUE;
printf("[*] Stack Overflow\n");
break;
default:
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
}
// if an exception occurred, print more information.
if (exception)
{
// open a handle to the target process.
if ((process = OpenProcess(PROCESS_ALL_ACCESS, FALSE,
dbg.dwProcessId)) == NULL)
{
fprintf(stderr, "[!] OpenProcess() failed: %d\n\n",
GetLastError());
return 1;
}
// grab some memory at EIP for disassembly.
ReadProcessMemory(process, (void *)context.Eip, &inst_buf, 32, NULL);
// decode the instruction into a string.
get_instruction(&inst, inst_buf, MODE_32);
get_instruction_string(&inst, FORMAT_INTEL, 0,
inst_string,sizeof(inst_string));
// print the exception to screen.
printf("[*] Exception caught at %08x %s\n", context.Eip, inst_string);
printf("[*] EAX:%08x EBX:%08x ECX:%08x EDX:%08x\n", context.Eax,
context.Ebx, context.Ecx, context.Edx);
printf("[*] ESI:%08x EDI:%08x ESP:%08x EBP:%08x\n\n", context.Esi,
236
13. : Windows
context.Edi, context.Esp, context.Ebp);
return 1;
}
}
}
, crash.exe,
$
. ,
$
. ,
, $
, , $
$
, $
, .

, ,
, $
. $

Microsoft MS04$028 $
JPEG (GDI+) .1 $
, ,
.
$
, ,
. $
, $
, $
, .
gdiplus.dll, $
, Microsoft Of$
fice, Internet Explorer Windows Explorer. JPEG $
, .
0xFFFE,
16$ , $
.
FileFuzz ? .

, $
. , ,
1
237
Windows.
Windows XP SP1.

11. ? ,
. $
, , $
, . $
631 $

. fuzz, $

:
0000009eh: FF FE 00 06 66 75 7A 7A ; p..fuzz
Breakdown:
FF FE
00 06
66 75 7A 7A
Comment preface
Length of comments in bytes
ASCII value of fuzz
, ,
Windows XP
JPEG. ,
, Windows Picture and Fax Viewer

JPEG (. 13.5):
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1
FileFuzz .
FileFuzz JPEG, $
File Type,
FileFuzz,
.
Create
JPEG,
JPEG ,
. Create
:
. C:\Program Files\FileFuzz\Attack\test.jpg. $
JPEG.
. C:\fuzz\jpg\. ,
.
(), . 00 x 2.
1 ,
, 0x00
1
http://www.securityfocus.com/archive/1/375204
238
13. : Windows
. 13.5. JPEG+ Create
0x01. ,
2 . $
, ,
0x0000, ,
.
. = 150170.
160.
150 170.
. 13.5.
, Create $
. Execute.
FileFuzz, Windows Pic$
ture and Fax Viewer. Execute
:
239
. rundll32.exe. Windows Picture and Fax

Viewer DLL,
run32.exe, $
DLL.
. C:\WINDOWS\system32\shimgvw.dll,ImageView_Full$
screen {0}. $
Windows Picture and Fax Viewer (shimgvw,dll),
ImageView_FullScreen {0}, $
.
. 150. , .
. 170. , .
. 2000. , Windows
Picture and Fax Viewer ,
.
. 13.6.
. 13.6. FileFuzz Windows Picture and Fax Viewer
240
13. : Windows
, . Execute, , Windows
Picture and Fax Viewer .
21 , 21 $
. , , FileFuzz $
. $
, 160.jpg, $
. ,
160 JPEG,
160.jpg 0x0000:
[*] "crash.exe" rundll32.exe 2000
C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen c:\fuzz\jpg\160.jpg
[*] Access Violation
[*] Exception caught at 70e15599 rep movsd
[*] EAX:fffffffe EBX:00904560 ECX:3ffffe3c EDX:fffffffe
[*] ESI:0090b07e EDI:0090c000 ESP:00aaf428 EBP:00aaf43400

FileFuzz
.
,
, $
. ,
.

.
. , $
,
(,
0xFFFFFFFF). ,
. $

, , . $
, : $
,
, $

.
FileFuzz , $
,
. , $
. , $
Create Intelligent ( ) $
Create,
Create Brute Force ( ). $
; $
241
$
, $
. $
,
, , $
. , , $
$
, FileFuzz, , $
.
$
,
. $
, crash.exe, $
, $
,
, . $
, ,
.
, .
. .
Mi$
crosoft. $
Office, $
. , Microsoft
, $
, $
. , $
$
$
, $
.
14

?
. ?
$.,
,
$, ,
8 2004
,
setuid $
UNIX. , $

, .
$
, $
. ,
, $
$, , , .
, Microsoft Internet Explorer, $
, . $
, $
.
, .

,
. ,
,
$ , $
243
,
. $
,
, .
.
?
, $
, $
,
. , ,
$ $
, .

, $ .
,
$
$ DB9 .
Microsoft
,
, .
,
Y2K , .
Microsoft,
$
.
. $
$
,

.
,
Microsoft, , $
. ,
,
2002 Trustworthy Computing Initiative1,
Microsoft $
.
1
http://www.microsoft.com/mscorp/twc/2007review.mspx
244
14.
Code Red. IIS Web server

Internet Server Application Programming Interface (ISAPI) $
18 2001 .1
, 13 $
2001 . , $
$ HELLO!
Welcome to http://www.worm.com! Hacked By Chinese! ($
! http://www.worm.com!
!). 20 27 ,
DoS$ $
IP$, IP$ whitehouse.gov.
Slammer. SQL$ Slammer
, Microsoft Security Bulletins MS02$
0392 MS02$0613, SQL$ Microsoft Desktop Engi$
ne. 25 2003 , 10 $
75 000 .4 $
(MS02$039)
Microsoft , $
, .
Blaster. 11 2003 18$
5, $
$
(RPC) DCOM Windows XP Windows 2000.6 $
. $
DoS$ SYN$
windowsupdate.com. $
18 , 100 $
.7
,
Microsoft,
.

.
1
2
3
4
5
6
7
http://research.eeye.com/html/advisories/published/AD20010618.html
http://en.wikipedia.org/wiki/SQL_slammer_worm
http://en.wikipedia.org/wiki/Blaster_worm
http://weblog.infoworld.com/techwatch/archives/001035.html
245

. ,
.
, SPIKE1 ProtoFuzz,
16 : $
Windows. SPIKE , $
. $
, $
. ircfuzz2, dhcpfuzz3
Infigo FTPStress Fuzzer4. , $
, .

,
. $
, ,
21 . ,
.
, $
. . 14.1

, .
. $
, , ,
.
, , $$
, . . ,
, .
, $
, Open Systems Interconnection
Basic Reference Model ( OSI)5 (. 14.1). $
, $
,
, $
. ,
. $
, , .
1
2
3
4
5
http://www.digitaldwarf.be/products/ircfuzz.c
http://www.digitaldwarf.be/products/dhcpfuzz.pl
http://www.infigo.hr/en/in_focus/tools
http://en.wikipedia.org/wiki/Osi_model
246
14.
$
, .
14.1. +

Sendmail $ http://xforce.iss.net/xforce/alerts/
id/216
$ http://archives.neohapsis.com/archi+
MySQL
ves/vulnwatch/2004+q3/0001.html
RPC$

RPC DCOM
$ http://bvlive01.iss.net/issEn/delive+
OpenSSH
ry/xforce/alertdetail.jsp?oid=20584
RealServer ../
DESCRIBE
http://www.zerodayinitiative.com/
$ advisories/ZDI+07+003.html
CA Bright$
Stor ARCserve Backup
http://www.microsoft.com/technet/
security/bulletin/MS03+026.mspx
http://www.service.real.com/help/
faq/security/rootexploit082203.html
. 14.1. OSI
247
2:
(data link
layer) Ethernet 802.11. 2 $
,
. $
2 Mitre, CVE$
2006$3507.1 $
AirPort Mac OS $ $
. $
, , $
. $
:
, . $
$
Mac OS ,
.
Black Hat 2006 $

(Jon Ellch) $
(David Maynor) , $
, Apple
Macbook, .2

, Apple
, $
.
Apple , , $
, ,
, Apple.
Apple ,
CVE$2006$3507, ,
, $
Black Hat.
, . $
: .
1
2
http://cve.mitre.org/cgi+bin/cvename.cgi?name=CVE+2006+3507
http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_mac+
book_in_60_seco.html
248
14.
3:
3, , IP Internet Control Message
Protocol (ICMP). TCP/
IP ,
. ,
Windows Vista , $
, . $
TCP/IP MS06$032 Vulnerability in
TCP/IP Could Allow Remote Code Execution ( TCP/IP $
).1
$ IP
4. ,

.
4:
4, : , $
TCP UDP. ,
TCP/IP ,
.
winnuke$, out$of$band TCP$
.2 winnuke$ , , $
DoS$ . $
, $
TCP$ TCP$.
API, ,
.
5:
, 5 OSI,
,
. , DCE/RPC (MSRPC Microsoft)
ONC RPC, Sun RPC.
Windows UNIX . $
.
Microsoft Security Bulletin MS04$0113,
Sasser4. $
lsass.exe, $
RPC, $
1
2
3
4
http://support.microsoft.com/default.aspx?scid=kb;[LN];168747
http://en.wikipedia.org/wiki/Sasser_worm
249
Windows. , $
$ DsRolerUpgradeDown$
levelServer .
6:
6, $
, XDR, eXternal Data Representation (
), Sun RPC. $
XDR , ,
xdr_array, $
(Neel Mehta).1 $
.
, ,
.
.
7:
7, , ,
OSI. $
, FTP, SMTP, HTTP,
DNS . $
,
. ,
.
7,
, $
, $
.
$
, 11 . $
, , ,
, $
.
.
,
,
, $
. $ $
1
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
250
14.

$. $
, $
, .
$
. , , , .
, , , $
. $
, $
.
, $
, $
. $
, $ $
, $ .
. $
, , $
, ,
.
,
, $
.
.
, . $
, .
,
FTP, $
. , $
(USER, PASS, CWD . .), $
.
$
PEACH1 . $
,
. $
,
, .
,
, , $
, , . $
, , , $
, $
http://peachfuzz.sourceforge.net/
251
.
,
, , , ,
. , ,
, , $
, . $
, ,
$
.

,
. $
? , $
. , $
( ).
,
, ,
. ,

.
, $
, .
OpenSSH$ sshutuptheo1, GOBBLES,
$
SSH$.
,
SSH. ,
. , $
SSH 1, 2 SSH
. , ,
,
.

, $
$ 24
.
, $
, $
. $
1
http://online.securityfocus.com/data/vulnerabilities/exploits/sshutup+
theo.tar.gz
252
14.
$. , $
,
. ,
.
, , $
. ,
$.
, , , $
$
.
, , , $
, $.
,
$. $
$.
( )
$
.
, .
Ollydbg, Windbg, IDA GDB.
, $
.
( )
, .
,
, $
. .
.
.
, $
. 24.

, $
. $
$
. ,

, .
, $
, $
253
. , $
, , $
DoS. : $
, $
.
,
,
. , $
, $
, , $
. ,
, $
, . $
,
, .
15
:
UNIX
, , .
$.,
,
Dallas Morning News,
10 2000
Microsoft Win$
dows, UNIX $ $
. $ Apache, ,
UNIX, 30 Mic$
rosoft IIS NetCraft.1
UNIX
.
UNIX DNS, $. ,
, , BIND (Berkeley Internet Name
Domain) DNS$, $
$. ,
, ,
, .
UNIX
. $
http://news.netcraft.com/archives/2007/02/23/march_2007_web_server_
survey.html
SPIKE
255
, SPIKE,
, $
. $
, $
$
SPIKE.
SPIKE
SPIKE
, : , $
$,
.

:
$ .
$ ,
$.
$ ,
, .
, No$
vell NetMail1, , $

. , Net$
Mail Networked Messaging Application Protocol (NMAP). NMAP
Nmap2, $
. NetMail NMAP? $
, , , Novell $
.
NMAP Networked Messaging Application
Protocol ( ).
IP$, IANA 689, $
NIMS$.
NDS eDirectory NIMS$, $
,
, . $
$
NMAP $
1
2
http://www.novell.com/products/netmail/
http://insecure.org/nmap/
256
15. : UNIX
. NMAP
RFC NIMS.1
NMAP Novell
TCP.
. , $
.
$
, . $
, , $
, , ,
, .
Novell 90$ NetMail $$
2, $
. $
, Novell.
, , $
( $ ). $
, $
. NMAP.

NMAP SPIKE, , ,
. $
. ,
NMAP . $
, .
,
.
. Google , $
. , $
Wireshark ($
Ethereal). Wireshark Subversion, $
epan\dissectors3, , .
, ,
NMAP , , $
$ . $
, $
. , , NMAP $
TCP$ 689,
1
2
3
http://support.novell.com/techcenter/articles/ana20000303.html
http://download.novell.com/index.jsp
http://anonsvn.wireshark.org/wireshark/trunk/
SPIKE
257
Microsoft TCPView1 ( Sys Inter$

nals). TCPView ,
nmapd.exe TCP 689. $
TCP netcat2 $
Windows telnet. ,
HELP , , ,
.
. $
, nmapd.exe
IDA Pro. Shift+F12
, . 15.1. , $
, , $
, ASCII$ 1000.
, ,
, 1000.
, NMAP, , $
.
. 15.1. nmapd.exe
1
2
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
http://www.vulnwatch.org/netcat/
258
15. : UNIX
,
.
$
, :
<argument>. . ,
.
[argument]. .
{CONSTANT1|CONSTANT2|CONSTANT3}. ; $
. $
|.
,
.
. $
. , PASS :
PASS {SYS | USER <Username>} <Password>
, $
SYS USER. Username $
USER, , $
USER. SYS, User
name . , Password
. PASS, ,
, , , . $
, .
,
, $
.

. ,

( ) $
, , .
,
, , $
, , $
.
, .
, . $
, , .
, USER,
PASS, FTP.
PASS. $
NMAP$ SYS $
PASS USER.
SPIKE 101
259
$
IDA, $
.
ASCII, +
. , .
+.

( ),
. , $
IDA.
NMAP, $
SPIKE NMAP$.
SPIKE 101
SPIKE, ,
21 . $
.
SPIKE ,
SPIKE
TCP.

SPIKE
. $
, , . .
.
, $
;
$
, $
. ,
ASCII, 64 000 $
A. $
,
. , $
. ,
XDR$ .
TCP
, ,
TCP. line_send_tcp.c,
SPIKE. , $
SPIKE. SPIKE
,
260
15. : UNIX
. $
. $
, SPIKE
.
, ,
SPIKE API.
, , $
, , , :
s_string(char * instring). SPIKE $
. .
s_string_variable(unsigned char *variable). SPIKE $
.
.
s_binary(char * instring). SPIKE .
.
s_xdr_string(unsigned char *astring). SPIKE
XDR.
. .
s_int_variable(int defaultvalue, int type). SPIKE
.
s_int_variable() $
:
Binary Big Endian. (Most signifi$
cant bit, MSB), 4 .
ASCII. ASCII.
One byte. .
Binary Little Endian Half Word.
(Least significant bit, LSB), 2 .
Binary Big Endian Half Word. MSB, 2 .
Zero X ASCII Hex. ASCII $
0x.
ASCII Hex. ASCII.
ASCII Unsigned. ASCII.
Intel Endian Word. LSB, 4 .
SPIKE $
C,
. SPIKE/SPIKE/include/listener.h
:
#define
#define
#define
#define
BINARYBIGENDIAN 1
ASCII
2
ONEBYTE
3
BINARYLITTLEENDIANHALFWORD 4
261

#define
#define
#define
#define
#define
BINARYBIGENDIANHALFWORD
ZEROXASCIIHEX
ASCIIHEX
ASCIIUNSIGNED
INTELENDIANWORD
5
6
7
8
9
SPIKE $
NMAP$.
SPIKE .

, SPIKE $
$
.
. $
, , , $

. ,
.
,
. s_block_start() s_block_end()
$
:
int s_block_start(char *blockname)
int s_block_end(char * blockname)

. ,
, $
blocksize. ,
, . , $
blocksizes , , $
blocksizes. ,
,
.
blocksizes, SPIKE:
s_blocksize_signed_string_variable(char * instring, int size)
s_blocksize_unsigned_string_variable(char * instring, int size)
s_blocksize_asciihex_variable(char * blockname)
s_binary_block_size_word_bigendian(char *blockname)
s_binary_block_size_word_bigendian_variable(char *blockname)
s_binary_block_size_halfword_bigendian(char * blockname)
s_binary_block_size_halfword_bigendian_variable(char *blockname)
s_binary_block_size_byte(char * blockname)
s_binary_block_size_byte_variable(char * blockname)
s_binary_block_size_byte_plus(char * blockname, long plus)
s_binary_block_size_word_bigendian_plussome(char *blockname, long some)
262
15. : UNIX
s_binary_block_size_intel_halfword(char *blockname)
s_binary_block_size_intel_halfword_variable(char *blockname)
s_binary_block_size_intel_halfword_plus_variable(char *blockname,long plus)
s_binary_block_size_intel_halfword_plus(char *blockname,long plus)
s_binary_block_size_byte_mult(char * blockname, float mult)
s_binary_block_size_halfword_bigendian_mult(char * blockname, float mult)
s_binary_block_size_word_bigendian_mult(char *blockname, float mult)
s_binary_block_size_intel_word(char *blockname)
s_binary_block_size_intel_word_variable(char *blockname)
s_binary_block_size_intel_word_plus(char *blockname,long some)
s_binary_block_size_word_intel_mult_plus(char *blockname, long some,
float mult)
s_binary_block_size_intel_halfword_mult(char *blockname,float mult)
s_blocksize_unsigned_string_variable(char * instring, int size)
s_blocksize_asciihex_variable(char * blockname)
SPIKE
SPIKE , ,
API ,
. $
$
. SPIKE $
SPIKE .

SPIKE $
:
HTTP
Microsoft RPC
X11
Citrix
Sun RPC
$
SPIKE. , $
,
.

SPIKE ,
SPIKE. :
CIFS
FTP
H.323
SPIKE NMAP
263
IMAP
Oracle
Microsoft SQL
PPTP
SMTP
SSL
POP3

, SPIKE , $
. :
() TCP$;
TCP/UDP$;
TCP$.
SPIKE NMAP
NetMail, SPIKE,
, $
HELP IDA Pro.

. $

:
s_string_variable("PASS");
s_string("");
s_string_variable("USER");
s_string(" ");
s_string_variable("devel_user");
s_string(" ");
s_string_variable("secretpassword");
s_string("\r\n");
s_string("QCREA ");
s_string_variable("test");
s_string("\r\n");
s_string("CREA ");
s_string_variable("inbox");
s_string("\r\n");
s_string("MBOX ");
s_string("\r\n");
s_string("LIST ");
264
15. : UNIX
s_string_variable("0");
s_string("\r\n");
s_string("GINFO ");
s_string(" ");
s_string("\r\n");
s_string("SEARCH BODY ");
s_string("\r\n");
s_string("DFLG ");
s_string(" ");
s_string_variable("SEEN");
s_string("\r\n");
s_string("CSCREA ");
s_string("\r\n");
s_string("CSOPEN ");
s_string("\r\n");
s_string("CSFIND ");
s_string(" ");
s_string(" ");
s_string("\r\n");
s_string("BRAW ");
s_string(" ");
s_string(" ");
s_string("\r\n");
NMAP
SPIKE .
TCP$
SPIKE nmap.spk $
:
./line_send_tcp 192.168.1.2 689 nmap.spk 0 0
$
, ! NMAP
OllyDbg . 15.2.
SPIKE NMAP
265
. 15.2. nmapd.exe
. 15.2 $
. EBP ( ), EBX, ESI, EDI $
EIP ( ) $
0x41 ASCII.
, , , $
. $
, $ ,
0x41414141. $
,
. ,
, , $
, .
.
SPIKE : SPIKE , $
. , $
SPIKE, ,
NetMail NMAP. $ $
, ,
SPIKE . $
266
15. : UNIX
, ,
SPIKE, NMAP.
, NMAP $
SPIKE :
snip
Fuzzing Variable 5:1
Read first line
Variablesize= 5004
Fuzzing Variable 5:2
Couldnt tcp connect to target
Segmentation fault
snip
,
, NMAP. $

. NMAP $
. SPIKE , ,
. , , ,
.
, , $
SPIKE Fuzzing Variable
5:1. ,
5. $
, , 1. ,
5, $
SPIKE , variable,
0. CREA, $
. , $
1
CREA.
. ,
. $
printf() line_send_tcp.c,
, $
. , ,
CREA <longstring>.
. $
$
CREA. : $
. , $
, $
.
NMAP, SPIKE ,
CREA, $
.
267
, $
$
. NMAP $
. $
SPIKE, $
NMAP. , ,
$
. $
. , $
. NMAP $
.
16
:
Windows
, +,
,
.
$.,
,
, ,
10 2001
,
UNIX,
Microsoft Windows,
. ,
Windows, $
. , , Slammer1,
Microsoft
SQL, Windows. $
$
Microsoft MS02$0392 24 2002 , Slammer
25 2003 . $
;
.3
1
2
3
http://www.cert.org/advisories/CA+2003+04.html
http://pedram.openrce.org/__research/slammer/slammer.txt
269
,
, $
,
.
, Slammer $
,
.1 , Win$
dows .

SPIKE UNIX,
Novell NetMail NMAP.

, ,
Windows .
ProtoFuzz
,

. .
,
,
.
. $
, . $
, ProtoFuzz $
,
. .

, $
, .
:
. PROTOS Test Suite2, $
Codenomicon3 $
, .
, $
$
, , .
1
2
3
http://isc.sans.org/portreport.html?sort=targets; http://atlas.arbor.net/
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.codenomicon.com/products/
270
16. : Windows
. ,
SPIKE
, $
.
.
. , $
:
.

, $
,
, $
,
.
, $
. $
,
, , $
. $
ProtoFuzz.
, ; $
. ProtoFuzz $
$ . $
,
,
$

.

$
, , ProtoFuzz $
.
ProtoFuzz, $
$
, . $

.

, ,
ProtoFuzz
. $
, .
, $
271
.
,
, $
, $
. $
, Wireshark,
. . 16.1
TCP, Wireshark.
. 16.1. Wireshark AIM,
Wireshark ,
. $
. , $
. $
. , Wire$
shark AOL Instant Messenger, $
TCP. ,

ASCII .
272
16. : Windows

, $
,
.
, $
$
.
. ,

, ProtoFuzz $
, $
. :
[XX] . , $
, $
. , $
256 , (2 ) $
65 536 .
<XX> . $
$

(Strings.txt). $
,
.
TCP,
,
:
00 0C F1 A4 83 57 00 13 49 25 D5 72 08 00 45 00 00 28<B0 3B>00 00 FE 06
89 40 C0 A8 01 01 C0 A8 01 02 08 A6 0B 35 14 9E E1 9F 9F 33 69 E5 50 11
10 00 09 4E 00 00 01 00 5E 00 00[16]

.
,
, IP$ MAC$ . $

RFC. HttpRequest
.NET. ,
URL, HTTP, $
Ethernet, TCP IP . $
,
, , $
, $
RFC. , $
273
,
, , ,
, .

Proto$
Fuzz, $
.
, $
$
. , $
, , $
. ,
, , , $
, , .

, $
, $
. $
$
, .
, $ $
,
, $ $
. ,
. $
,
. ,
.

,
, $
. , , , $
$
. , $
.
,
Performance Logs and Alerts System Monitor, $
Microsoft Management, $
.
274
16. : Windows

.
, , ,
, $ $
. $
. , $
, , $
.

$
. Metro Packet Library1,
ProtoFuzz, ndisprot.inf
NDIS ( ), $
Microsoft .
NDIS $
, $
Ethernet. ProtoFuzz
; , $
net start ndisprot. $
, $
, ,
. Metro
, , .
.
, $
, $, $
. ,
, ProtoFuzz $
:
. ProtoFuzz
. $
, $

.
. ProtoFuzz
.

.
1
http://sourceforge.net/projects/dotmetro/
275
. $
, $
. ProtoFuzz $
, Ethernet $
TCP/UDP.
, ProtoFuzz,
$
. , $
Windows, $
, , $
.

FileFuzz,
Windows , $
, C# Mic$
rosoft .NET Framework. .NET
$
, , $
, ,
. $
.NET , $
.NET Framework. $
, .NET,
, $
.

$
. : $
, . , ,
, $ , $
,
.
, ProtoFuzz Win$
dows, . $
Microsoft Windows
WinPcap1, , $
, (Piero Viano) $
libpcap Windows . WinPcap

http://www.winpcap.org/
276
16. : Windows
, $
.
,
, Wireshark (
Ethereal) Core Impact.1 $ WinPcap $
100 , $
, ,
!
WinPcap ProtoFuzz,
C#
. WinPcap
C, $
WinPcap , $
C#, , $
WinPcap. $
PacketX2, COM, $
WinPcap, $
, .
.
,
Metro Packet Library.
, WinPcap, # $
; $

. Metro $
. , $
$
, Ethernet, TCP, UDP, ICMP, IPv4 $
(ARP), , $
,
. , ProtoFuzz,
,
, Metro ,
,
.
. , $
ProtoFuzz $ www.fuzzing.org.
,
.
1
2
http://www.coresecurity.com/products/coreimpact/index.php
http://www.beesync.com/packetx/index.html
277

ProtoFuzz , $
. $
, , $

. $
, , $

. , Metro ,
, $
:
private const string DRIVER_NAME = @"\\.\ndisprot";
NdisProtocolDriverInterface driver = new NdisProtocolDriverInterface();
try
{
driver.OpenDevice (DRIVER_NAME);
}
catch (SystemException ex)
{
string error = ex.Message;
error += "\n";
error += "Please ensure that you have correctly installed the " +
DRIVER_NAME + " device driver. ";
error += "Also, make sure it has been started. ";
error += "You can start the driver by typing \"net start " +
DRIVER_NAME.Substring(DRIVER_NAME.LastIndexOf("\\") + 1) +
"\" at a command prompt. ";
error += "To stop it again, type \"net stop " +
DRIVER_NAME.Substring(DRIVER_NAME.LastIndexOf("\\") + 1) +
"\" in a command prompt. ";
error += "\n";
error += "Press 'OK' to continue... ";
MessageBox.Show(error, "Error, MessageBoxButtons.OK,
return;
}
foreach (NetworkAdapter adapter in driver.Adapters)
{
cbxAdapters.Items.Add(adapter.AdapterName);
if (cbxAdapters.Items.Count > 0)
cbxAdapters.SelectedIndex = 0;
}
NdisProtocolDriverInterface, $
OpenDevice() ndis
prot,
. , SystemException $
.
278
16. : Windows
Network
Adapter, $
. foreach ,
Adapter
Name .

, $
:
try
{
maxPackets = Convert.ToInt32(tbxPackets.Text);
capturedPackets = new byte[maxPackets][];
driver.BindAdapter(driver.Adapters[cbxAdapters.SelectedIndex]);
ThreadStart packets = new ThreadStart(capturePacket);
captureThread = new Thread(packets);
captureThread.Start();
}
catch (IndexOutOfRangeException ex)
{
MessageBox.Show(ex.Message +
"\nYou must select a valid network adapter.",
"Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
(capturedPackets), $
, , , $
. $
BindAdapter(),
NdisProtocolDriverInterface (driver).
capturePacket . $
, $
:
private void capturePacket()
{
while (packetCount < maxPackets)
{
byte[] packet = driver.RecievePacket();
capturedPackets[packetCount] = packet;
packetCount++;
}
}
$
ReceivePacket().
capturedPackets.
279

, $
. $
, Wireshark, $
,
TreeView
RichTextBox. $
,
. $
,
,
TreeView. ProtoFuzz
. 16.2.
. 16.2. ProtoFuzz
280
16. : Windows
TreeView
. , TreeView, packet
TvwDecode(),
: Ethernet, TCP, UDP, IP, ARP ICMP. $
, , $
Ethernet:
Ethernet802_3 ethernet = new Ethernet802_3(capPacket);
strSourceMacAddress = ethernet.SourceMACAddress.ToString();
strDestMacAddress = ethernet.DestinationMACAddress.ToString();
strEthernet = "Ethernet II, Src: " + strSourceMacAddress +
", Dst: " + strDestMacAddress;
strSrcMac = "Source: " + strSourceMacAddress;
strDstMac = "Destination: " + strDestMacAddress;
strEthernetType = "Type: " + ethernet.NetworkProtocol.ToString();
strData = "Data: " + ethernet.Data.ToString();
TreeNode
TreeNode
TreeNode
TreeNode
TreeNode
nodeEthernet = tvwDecode.Nodes.Add(strEthernet);
nodeEthernetDstMac = nodeEthernet.Nodes.Add(strDstMac);
nodeEthernetSrcMac = nodeEthernet.Nodes.Add(strSrcMac);
nodeType = nodeEthernet.Nodes.Add(strEthernetType);
nodeData = nodeEthernet.Nodes.Add(strData);
, Ethernet802_3 $
capPacket, , ,
TreeView, . $
, $
.
16 :
static string PrintData(byte [] packet)
{
string sData = null;
int nPosition = 0, nColumns = 16;
for (int i = 0; i < packet.Length; i++)
{
if (nPosition >= nColumns)
{
nPosition = 1;
sData += "\n";
}
else
nPosition++;
byte nByte = (byte) packet.GetValue(i);
if (nByte < 16)
sData += "0";
sData += nByte.ToString("X", oCulture.NumberFormat) + " ";
}
sData += "\n";
281
return (sData);
}

,
([]) ,
(<>) .
$
. $
.

$
, $
. .NET
Framework ToString("X")
,
$
.1 HexEncoding, $
$
$
C# www.codeproject.com.

, , $
, . ProtoFuzz ,
, $
. ,
, , $
, , . $
SMTP, RCPT
TO, :
220 smtp.example.com ESMTP
HELO mail.heaven.org
250 smtp.example.com Hello smtp.example.com
MAIL FROM:god@heaven.org
250 2.1.0 god@heaven.org... Sender ok
RCPT TO:[Ax1000]

SMTP. $
TCP HELO, MAIL FROM
RCPT TO, .
1
http://www.codeproject.com/csharp/hexencoding.asp
282
16. : Windows
, , $
RCPT TO ,
. $
SPIKE, $
, $
.
ProtoFuzz , $
,
. ,
$
, ,
.
, $
.
Mercury LoadRunner
HewlettPackard, Zero Day Ini$
tiative, TippingPoint,
.1 , $
TCP 54345, .
,
, , $
. , , , $
; $
, . $
, $
server_ip_name.
, ProtoFuzz
, server_ip_name $
.
, Mercury LoadRunner $
, $
, , , . $
,
ASCII , , $
server_ip_name, .
0070
0080
0090
00a0
2b
65
30
69
5b
72
00
70
b6
63
00
5f
00
75
00
6e
00
72
00
61
05
79
05
6d
b2
32
88
65
00 00 00 07 00 00 00 12 6d
3b 31 33 30 34 3b 31 33 30
28 2d 73 65 72 76 65 72 5f
3d
+[...... .......m
ercury2; 1304;130
0......( server_
ip_name=
, ser
ver_ip_name, .
(<>).
283
ProtoFuzz , $
, Strings.txt. $
,
.
Strings.txt.
, ,
. Magentproc.exe
,
TCP 54345, $
. , OllyDbg
:
Registers
EAX 00000000
ECX 41414141
EDX 00C20658
EBX 00E263BC
ESP 00DCE7F0
EBP 41414141
ESI 00E2549C
EDI 00661221 two_way_.00661221
EIP 41414141
Stack
00DCE7F0
00DCE7F4
00DCE7F8
00DCE7FC
00DCE800
00DCE804
00DCE808
00DCE80C
00DCE810
00DCE814
00000000
41414141
41414141
41414141
41414141
41414141
41414141
41414141
41414141
41414141
, NetMail
, , $
. , $
, , ,
.

ProtoFuzz ,
.
, $

. Proto$
Fuzz, .
284
16. : Windows
ProtoFuzz
.
,
, $
.
, , $
. $
() $
, . ProtoFuzz
,
. ProtoFuzz $
, $
, $

.
$
, $ $
.
ProtoFuzz $
.
, .
, Proto$
Fuzz
. ,
$
, $
. $
,
, . $
, $
, , ,
, $
. Metro Proto$
Fuzz, .NET Framework
.
ProtoFuzz .
17

:
, , .
$.,
$,
27 2000
$
, $
,
(). $
, $
$
. $
$
,
$.
$ $
$.
, $
, $
,
.
, 2006 $
. , $
$, Microsoft Inter$
net Explorer Mozilla Firefox. $
HTML$, JavaScript, $
286
17. <
, JPG, GIF PNG,

ActiveX. Ac$
tiveX, $
Microsoft Windows, .
,
ActiveX. $
ActiveX COM, 2006 $
. $
ActiveX $
,
ActiveX. , $
$. $
,
.
?
$
HTML$, $
.
HTML, , $
, Java, RSS$, FTP$$
.
, $ $
. Google
.
, $

2006 . .
(MoBB).1 $
, , $
$
. , $
Microsoft Internet Explorer, $
$, Safari, Mozilla, Opera Konqurer.2
$
, $ $
, .
1
2
http://browserfun.blogspot.com/
http://osvdb.org/blog/?p=127
287
$
, MoBB Skywing skape (
Metasploit, . . ) $
$
Internet Exp$
lorer , , $
, $
.1 ,
, $
, MoBB. $
, $ , $

, , , $
$ $
, .
1
http://www.uninformed.org/?v=4&a=5&t=sumry
, .
, $
, .
, , , Fi$
refox Internet
Explorer, , $
. $
, . $ $
, .
,
, $
. ,
, ,
, , $
Internet Explorer, Firefox
. , Internet Explorer ,
, $
. $
Firefox $ $
Internet Explorer. $, Netscape,
Opera, Safari Konqueror, $
, .
288
17. <
$ . $$
, , $
, $
. $$
, $
. $
.
$ ,
,
, .
, :
HTML+. $,
, $,
, ,
$
. , $
HTTPEQUIV META
. $
. Mangleme1,
,
HTML$ $, , ,
HEAD $, :
<META HTTPEQUIV=\"Refresh\" content=\"0;URL=mangle.cgi\">

mangleme mangleme.cgi, , $
$. $
JavaScript $
2000 :
<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript">
<!
var time = null
function move() {
window.location = 'http://localhost/fuzz'
}
//>
</SCRIPT>
</HEAD>
1
http://freshmeat.net/projects/mangleme/
289
<BODY ONLOAD="timer=setTimeout('move()',2000) ">

[Page Content]
</BODY>
</HTML>
. $
$
. , $$
$ ,
. ,
fuzz.html Internet Explorer:
C:\>"C:\Program Files\Internet Explorer\iexplore.exe" C:\temp\fuzz.html
.
, .
,
,
. , $
ActiveX, $
$, .

ActiveX , ,
. COMRaider1, ,
ActiveX, .

, $ $

. ,
. $ $
$, , , $
, . , ,
, HTML.
HTML
, , HTML.
,
,
$ .
CVE$2003$01132,
$
..
Microsoft MS03$0153. (Jouko Pynnnen) $
1
2
3
http://labs.idefense.com/software/fuzzing.php#more_COMRaider
http://cve.mitre.org/cgi+bin/cvename.cgi?name=CAN+2003+0113
290
17. <
, $ urlmon.dll
'
1 . $
, Internet Explorer 5.x 6.x $
.
HTML
HTML$
. $ $
, HTML, XML XHTML,
$ HTML.
HTML , $
.
, $,
, $ $
, , $
.
, , $
.
HTML .
HTML, ,
$, $
$
(DTD). DTD, ,
, $
HTML 4.01:
<!DOCTYPE html PUBLIC "//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/
html4/strict.dtd">
HTML, , $
. $
.
, $
. HTML $
:
<font color="red">Fuzz</font>
color font,
Fuzz . , $
, , HTML$
. $
HTML$,
,
HTML.
1
http://downloads.securityfocus.com/vulnerabilities/exploits/urlmon+ex.pl
291
Mangleme
$ HTML,
CVE$2004$10501, $
Microsoft MS04$040.2 $
mangleme ,
SRC NAME IFRAME, FRAME EMBED
. $
3 . , $
HTML $, DOM$
Hanoi4 Hamachi5, . . .
XML
XML , $
(SGML),
HTTP. XML $
, RSS, $
(AVDL), $
(SGL) . . HMTL, $
XML
. , $
$
, $
. (VML)
XML, .
, Internet Explorer
Outlook,
VML. 19 2006 Microsoft $
9255686, $
$
(vgx.dll), $
.
Mi$
crosoft .7 $
2007
.8
1
2
3
4
5
6
7
8
http://cve.mitre.org/cgi+bin/cvename.cgi?name=CAN+2004+1050
http://www.microsoft.com/technet/security/bulletin/ms04+040.mspx
http://downloads.securityfocus.com/vulnerabilities/exploits/InternetExploit+
er.txt
http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
http://www.microsoft.com/technet/security/advisory/925568.mspx
292
17. <
ActiveX
ActiveX
Microsoft, Microsoft COM, $
.1 $
ActiveX
, $$
.
ActiveX , ,
, $
Internet Explorer Windows.
, $.
ActiveX ;
, , $
, .
$
ActiveX, Windows
. $

$, $
, $$
.2 , $
ActiveX $
, ,
,
$.
COMRaider , $
, $
ActiveX .
, ActiveX,
, ,
$,
. COMRaider $
Acti$
veX .
ActiveX .
$
ActiveX. COMRaider $
, , $
. COMRaider
,
. . 17.1 , $
COMRaider
1
2
http://en.wikipedia.org/wiki/ActiveX_Control
http://msdn.microsoft.com/workshop/components/activex/safety.asp
293
. 17.1. COMRaider
ActiveX, $
.
AxMan1 ActiveX. AxMan $
. . $
ActiveX, 2006 $
.2

CSSDIE3 CSS, . . , ,
;

Opera.4 , background $
1
2
3
4
http://metasploit.com/users/hdm/tools/axman/
http://browserfun.blogspot.com/2006/08/axman+activex+fuzzer.html
http://browserfun.blogspot.com/2006/07/mobb+26+opera+css+background.html
294
17. <
DHTML URL $
, .
, CSS, $
, CVE$2005$4089, MS06$0211,

Internet Explorer. ,
@import ,
CSS.
(Matan Gillon) ( hacker.co.il) ,
, $
$ Google Desktop Search (GDS).2
,
Google, , $
Internet Explorer
( GDS)
. CSS $
, $
. , anchor , {color: white}.
CSS
@import, Internet Explorer
CSS, , $
, $
cssText. ,
GDS, $
. Google News
CSS }{. ,
cssText, $
GDS . $
GDS ,
, @import, GDS.

$
$.
, $
JavaScript, , VBScript,
Jscript3 ECMAScript4.
, $
. , ECMAScript $
JavaScript, Jscript JavaScript
1
2
3
4
http://www.hacker.co.il/security/ie/css_import.html
http://en.wikipedia.org/wiki/Jscript
http://en.wikipedia.org/wiki/Ecmascript
295
Microsoft. $
$, $
.
, $
, , $
, $
, Ac$
tiveX. ,
. $
, , ,
Internet Explorer JavaScript $
1.

JavaScript:
for (var i in window.alert) { var a = 1; }
JavaScript Firefox, $
(Azafran), , $
$ $
.2 $,
replace(). , $
,
, .

,
, , $
.
,
,
. Java$
Script $
, $
. , $

. , , $
,
. ,
EAX:
1
2
http://browserfun.blogspot.com/2006/07/mobb+25+native+function+iterator.html
http://www.mozilla.org/security/announce/2005/mfsa2005+33.html
296
17. <
MOV EAX, [EAX]

CALL [EAX+4]
EAX ,
$
. $

,
$
. JavaScript $
heap $

. , JavaScript $
NOP $$
,
$. NOP
$
. $
NOD, $
NOD .
$ ( SkyLined) $

Internet Explorer1, 0x0D.
,
. $,
5$ NOP, OR EAX, 0D0D0D0D. $
, , $
. $
, .
OllyDbg Heap Vis2,
. 17.2.3 ,
Internet Explorer
, , $
.
Heap Vis $
.
1
2
3
http://www.milw0rm.com/exploits/930
http://www.openrce.org/downloads/details/1
http://pedram.openrce.org/images/olly_heap_vis/skylined_ie_heap_
fill.gif
297
. 17.2. OllyDbg Heap Vis
500 ,
0x0D0A0020. 0x0D0D0D0D.
Heap Block 0D0A0020..0D12101F
$
0x0D $.
, $
EAX 0x0D0D0D0D. MOV
EAX, [EAX] , EAX $
, , ,
0x0D. , CALL [EAX+4], $
0x0D0D0D11, $
0x0D. $
$
, NOP, ,
$, .
0x0D0D0D0D $
,
298
17. <
. , $
, ,
, $
. ,
0x44444444, , $
, $
,
.
, $
: 0x01010101,
ADD [ECX], EAX, 0x0A0A0A0A, OR CL,
[EDX]. , , $ $
, ECX,
, $ , $
EDX.
0x05050505, ADD EAX, 0x05050505.

.
Flash
, Adobe Flash Player $$
, , $
, ,
$
Flash Player. Flash$ $
.swf ,
$,
$ Flash Player. $
.swf ,
11 , 12 $
: UNIX 13 :
Windows, $
. 2005 eEye $
Macromedia Flash 6 7. $
, $
, , . Flash$
ActionScript, ,
Flash $
.1
http://en.wikipedia.org/wiki/Actionscript
299
ActionScript,
Flash$.
2006 Rapid7 ,
, XML.addRequestHeader() $
HTTP
Flash.1 , ,
HTTP $
HTTP.
URL
URL .
MS06$0422 eEye , $
$
. , URL $
Internet Explorer, $ GZIP
,
, lstrcpynA() URL
2084 , 260 .3 , $
, ,
URL; , , $
Internet Explorer.
, $
$
, $
, , :
DoS (Denial$of$service). $
$ $
,
. , $
,
.
.
, $
$ ,
. $
, .
.
$. $
1
2
3
http://www.rapid7.com/advisories/R7+0026.jsp
http://research.eeye.com/html/advisories/published/AD20060824.html
300
17. <
1
2
3
, $
, , $
.
. $
,
, $
. , (Albert Puigsech
Galicia) , FTP $
FTP URI, , Internet
Explorer 6.x $
FTP $
.1 , , $
. $
, $
,
. Microsoft MS06$042.
. $ $
, $
. ,
, ,
cookies , $
. , $
. $
GDS, ,
.
. Internet Explorer $
, . $
, , , $
, , , .
, , , ,
. 2005
,
, URL$ $
, Internet Explorer
, , $
.2 , , $
, $
. Microsoft
$
MS05$14.3
http://osvdb.org/displayvuln.php?osvdb_id=12299
http://jouko.iki.fi/adv/zonespoof.html
301
. ,
$
, , $
.
$
, $
$, $
. , $
, ,
$ $
, . $
, $
.
$, , $
.
, . , $
:
.
Windows, Event Vie$
wer. Internet Explorer 7.0 Internet Exp$
lorer Event Viewer.
Internet Explorer , $
.
, $
, .
. $
, ,
$. $
$
. , ,
, $
, $
.
. $
$ $
, . $
, $
, ,
.
302
17. <
, $
,
, $
.
, . $
, ,
, .
$ $
. $
, $
$.
$.
18
:
.
,
.
$.,
, ,
20 2000
17 $ $
$ . $

,
$
, Mozilla Firefox Microsoft Internet Explorer.
,
ActiveX. Internet
Explorer ActiveX ,
, , $
. Internet Explorer
, Microsoft $
$.
ActiveX, $
ActiveX.

Microsoft COM ,
1990$ $
304
18. <:
. $
,
, COM,
, ,
, . COM , $
$
( ).

COM $
(Dynamic Data Exchange, DDE), , $
Win$
dows. DDE , clip$
book viewer (NetDDE) Microsoft Hearts ( NetDDE). 1991
Microsoft $
(Object Linking and Embedding, OLE). DDE $
, OLE $
. OLE $

(VTBL).
OLE COM, OLE 2, $
OLE, COM, VTBL. 1996 $
ActiveX. , , Microsoft
Distributed COM (DCOM)
COM Common Object Request Broker Architec$
ture1 (CORBA). DCOM RPC$ Distributed Com$
puting Environment/Remote Procedure Calls2 (DCE/RPC).
DCOM COM, $
$
, .
COM COM+,
Windows 2000. COM+

Microsoft Transaction Server Win$
dows 2000. DCOM, COM+ $
,
.

COM , . , $
ActiveX,
1
2
http://en.wikipedia.org/wiki/Corba
http://en.wikipedia.org/wiki/DCE/RPC
305
. $
COM, ,
. COM $
128$ , ID (CLSID).
, COM$ 128$
, ID (IID).
COM$ IStream, IDispatch IObjectSafety. ,
$
IUnknown.
CLSID $
(ProgID). ProgID $
, $
. :
000208D5$0000$0000$C000$000000000046
Excel.Application
CLSID, ProgID,
. , , ProgIDs
.
ActiveX
ActiveX COM, , ,
$. Ja$
va, ActiveX $
$
, . $
ActiveX $
.
ActiveX , , ,
$, $ , $$
, $ .
Microsoft Internet Explorer ,
ActiveX Docu$
ment Object Model (DOM) , $
. $
:
Pure DOM
<object classid = "clsid:F08DF954859211D1B16A00C0F0283628"
id
=" "Slider1"
width = "100"
height = "50">
<param name="BorderStyle" value="1" />
<param name="MousePointer" value="0" />
<param name="Enabled"
value="1" />
<param name="Min"
value="0" />
<param name="Max"
value="10" />
306
18. <:
</object>
Slider1.method(arg, arg, arg)
Outdated Embed
<embed type =
name =
align =
border =
width =
height =
clsid =
"application/xoleobject"
"foo"
"baseline"
"0"
"200"
"300"
"{8E27C92B1264101C8A2F040224009C02}">
foo.method(arg, arg, arg)

Javascript / Jscript
<script type="javascript">
function call_function()
{
obj = new ActiveXObject('AcroPDF.PDF');
obj.property = "value";
obj.method(arg, arg, arg);
}
call_function();
</script>
Visual Basic
<object classid = 'clsid:38EE5CEE4B6211D3854F00A0C9C898E7'
id
= 'target' >
</object>
<script language='vbscript'>
'Wscript.echo typename(target)
'Sub SelectAndActivateButton ( ByVal lButton As Long )
arg1=2147483647
target.property = arg1
target.method arg1
</script>

ActiveX
COM. $
, $

Internet Explorer.
Microsoft COM $
, .
COM $ Microsoft
COM1 ,
http://www.microsoft.com/com/default.mspx
307
MSDN : 1,
.

ActiveX,
COM.

ActiveX . $
, $
ActiveX. COM$
Raider2 Visual Basic $
C++. AxMan3 C++, JavaScript HTML.
,
:
ActiveX.
ActiveX
.
$
.
.
.
,
, Python. ,
. Python $
, $
, Windows API. $
, , , COM,
win32api, win32com, pythoncom win32con. (
Python Win$
dows,
Python programming on win32.4 $
, Py$
thon COM.) . 18.1 18.2 Py$
thonWin$ COM , $
COM$
.
1
2
3
4
https://labs.idefense.com/software/fuzzing.php#more_comraider
https://metasploit.com/users/hdm/tools/axman/
http://www.oreilly.com/catalog/pythonwin32/
308
18. <:
. 18.1. PythonWin COM
. 18.2. PythonWin
, $
Microsoft Excel $
Visible:
import win32com.client
xl = win32com.client.Dispatch("Excel.Application")
xl.Visible = 1
309
, ,
ActiveX, .
, , $
COM$, $
$ (http://www.fuzzing.org).
ActiveX
COM,
. COM $
Windows1, HKEY_LOCAL_
MACHINE (HKLM) SOFTWARE\Classes.
API Windows:2
import win32api, win32con
import pythoncom, win32com.client
from win32com.axscript import axscript
try:
classes_key = win32api.RegOpenKey( \
win32con.HKEY_LOCAL_MACHINE, \
"SOFTWARE\\Classes")
except win32api.error:
print "Problem opening key HKLM\\SOFTWARE\\Classes"
$

COM. $
CLSID. CLSID , , $
:
skey_index = 0
clsid_list = []
while True:
try:
skey = win32api.RegEnumKey(classes_key, skey_index)
print "End of keys"
break
progid = skey
try:
skey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, \
"SOFTWARE\\Classes\\%s\\CLSID" % progid)
print "Couldnt get CLSID key...skipping"
1
2
http://en.wikipedia.org/wiki/Windows_registry
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/sysinfo/
base/registry_functions.asp
310
18. <:
skey_index += 1
continue
try:
clsid = win32api.RegQueryValueEx(skey, None)[0]
print "Couldnt get CLSID value...skipping"
skey_index += 1
continue
clsid_list.append((progid, clsid))
skey_index += 1
$
,
COM. COM
, Internet Explorer.
, $
ActiveX , $
. Internet Explorer $
, $
. Internet Ex$
plorer ActiveX,
:1
Windows
.
Windows
.
COM$ IObjectSafety.
Windows Component Categories, $
, $
. : CATID_SafeForScripting
CATID_SafeForInitializing. , $
CLSID Internet Explorer:
def is_safe_for_scripting (clsid):
try:
key = win32api.RegOpenKey(win32con.HKEY_CLASSES_ROOT, \
"CLSID\\%s\\Implemented Categories" % clsid)
return False
skey_index = 0
while True:
try:
skey = win32api.RegEnumKey(key, skey_index)
except:
http://msdn.microsoft.com/workshop/components/activex/safety.asp
311

break
# CATID_SafeForScripting
if skey == "{7DD95801988211CF9FA900AA006C42C4}":
return True
skey_index += 1
return False
def is_safe_for_init (clsid):
try:
key = win32api.RegOpenKey(win32con.HKEY_CLASSES_ROOT, \
"CLSID\\%s\\Implemented Categories" % clsid)
return False
skey_index = 0
while True:
try:
skey = win32api.RegEnumKey(key, skey_index)
except:
break
# CATID_SafeForInitializing
if skey == "{7DD95802988211CF9FA900AA006C42C4}":
return True
skey_index += 1
return False
, ActiveX
Internet Explorer, $
IObjectSafety. , $
ActiveX IObjectSafety, $
. ,
ActiveX IObjectSafety $
, , Internet Explorer:
def is_iobject_safety (clsid):
try:
unknown = pythoncom.CoCreateInstance(clsid, \
None,
\
pythoncom.CLSCTX_INPROC_SERVER,
\
pythoncom.IID_IUnknown)
except:
return False
try:
objsafe = unknown.QueryInterface(axscript.IID_IObjectSafety)
except:
return False
return True
312
18. <:
Ac$
tiveX, . Microsoft kill
bitting1, CLSID Internet
Explorer HKLM\Software\Microsoft\Internet Explor$
er\ActiveX Compatibility\<CLSID of ActiveX Control>. CLSID,
,
. :
def is_kill_bitted (clsid):
try:
key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, \
"SOFTWARE\\Microsoft\\Internet Explorer"
\
"\\ActiveX Compatibility\\%s" % clsid)
return False
try:
(compat_flags, typ) = win32api.RegQueryValueEx(key, \
"Compatibility Flags")
return False
if typ != win32con.REG_DWORD:
return False
if compat_flags & 0x400:
return True
else:
return False
return False
, Acti$
veX ,
.
, ,
$
, ActiveX . $
, COM,
. ,
. COM
, ,
. $
ActiveX $
, ,
. ,
.
1
http://support.microsoft.com/kb/240797
313
COM ,
VARIANT. VARIANT
: , , , ,
, COM . PythonCOM
,
. . 18.1 $
Python VARIANT.
18.1. PythonCOM VARIANT
Python
VARIANT
Integer
VT_I4
String
VT_BSTR
Float
VT_R8
None
VT_NLL
True/False
VT_BOOL
pythoncom LoadTypeLib() $
COM. ,
COM, $
. , Adobe Acro$
bat PDF, . 18.2. Ac$
tiveX Adobe Acrobat Reader, Internet Explorer
, .
,
, Python, $
VARIANT:
adobe = r"C:\Program Files\Common Files" \
r"\Adobe\Acrobat\ActiveX\AcroPDF.dll"
tlb = pythoncom.LoadTypeLib(adobe)
VTS = {}
for vt in [x for x in pythoncom.__dict__.keys() if x.count("VT_")]:
VTS[eval("pythoncom.%s"%vt)] = vt
VARIANT
, .
, GetTy
peInfoCount(). ,
. 18.2. $
:
for pos in xrange(tlb.GetTypeInfoCount()):
name = tlb.GetDocumentation(pos)[0]
print name
314
18. <:
, Acrobat . $
, . 18.2, IAcroAXDocShim. $
, ,
. . , . $
$

:
info = tlb.GetTypeInfo(2)
attr = info.GetTypeAttr()
print "properties:"
for i in xrange(attr.cVars):
id = info.GetVarDesc(i)[0]
names = info.GetNames(id)
print "\t", names[0]
cVars ( $
), .
. , $
;
:
print "methods:"
for i in xrange(attr.cFuncs):
desc = info.GetFuncDesc(i)
if desc.wFuncFlags:
continue
id
= desc.memid
names = info.GetNames(id)
print "\t%s()" % names[0]
i = 0
for name in names[1:]:
print "\t%s, %s" % (name, VTS[desc.args[i][0]])
i += 1
cFuncs $
, .
, wFuncFlags. ,
() , ,
. GetNames() ,
. $
, , names[1:], $
. , $
GetFuncDesc(), VARIANT $
( ). VARIANT $
,
VARIANT, .
315
IAcroAX$
DocShim ActiveX Adobe Acrobat PDF ActiveX
:
properties:
methods:
src()
LoadFile()
fileName, VT_BSTR
setShowToolbar()
On, VT_BOOL
gotoFirstPage()
gotoLastPage()
gotoNextPage()
gotoPreviousPage()
setCurrentPage()
n, VT_I4
goForwardStack()
goBackwardStack()
setPageMode()
pageMode, VT_BSTR
setLayoutMode()
layoutMode, VT_BSTR
setNamedDest()
namedDest, VT_BSTR
Print()
printWithDialog()
setZoom()
percent, VT_R4
setZoomScroll()
percent, VT_R4
left, VT_R4
top, VT_R4
setView()
viewMode, VT_BSTR
setViewScroll()
viewMode, VT_BSTR
offset, VT_R4
setViewRect()
left, VT_R4
top, VT_R4
width, VT_R4
height, VT_R4
printPages()
from, VT_I4
to, VT_I4
printPagesFit()
from, VT_I4
to, VT_I4
shrinkToFit, VT_BOOL
316
18. <:
printAll()
printAllFit()
shrinkToFit, VT_BOOL
setShowScrollbars()
On, VT_BOOL
GetVersions()
setCurrentHightlight()
a, VT_I4
b, VT_I4
c, VT_I4
d, VT_I4
setCurrentHighlight()
a, VT_I4
b, VT_I4
c, VT_I4
d, VT_I4
postMessage()
strArray, VT_VARIANT
messageHandler()
39 ()
.
. $
$
,
, $
. ,
(VT_I2) (VT_I4).
, ,
0xFFFF (65535), $
0xFFFFFFFF (4294967295).
,
, Internet Explorer $
ActiveX .
.

6
$
. $
.

, , $
, . $

. $

317
ActiveX,
,
Internet Explorer.
, , , WinZip FileView ActiveX
Control Unsafe Method Exposure Vulnerability.1 $
ActiveX ProgID WZFILEVIEW.FileViewCtrl.61 $
, $
$ $
. , ExeCmdForAllSelected
ExeCmdForFolder , ,
,
, $ FTP.
:
, $
. WinZip ,
kill bit.
, , $
, URL $
, , $
WinZip FileView. , $
,
, $ .
.
, $
. $
HTML,
ActiveX;
.
. $
,
Internet Explorer. $
.
Python ActiveX Acrobat PDF
:
adobe = win32com.client.Dispatch("AcroPDF.PDF.1")
print adobe.GetVersions()
adobe.LoadFile("c:\\test.pdf")

Adobe COM, adobe.
. $
GetVersions(),
PDF Acro$
318
18. <:
bat Reader. , $
.
. Python COM
PaiMei1 $
. $
, .
, ,
ActiveX. $
, , $
, .
PaiMei API.
. $
Microsoft, CreateFile()2
CreateProcess()3, ,
ActiveX .
API $
.
, $
.
GetURL(), DownloadFile(), Execute()
. ., , ,
.
COM Microsoft
ActiveX, $
$ Internet Explorer.
Python COM , $
ActiveX,
, , . ,
, $
COM$, $
$ (http://www.fuzzing.org).
1
2
http://www.openrce.org/downloads/details/208/PaiMei
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/fileo/fs/
createfile.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/dllproc/
base/createprocess.asp
19

.
$.,
,
,
19 2001
$
,

. , , $
( ) $
, .
,
, $
, , $
, .

UNIX, Windows.
$
.
Microsoft Windows . $, $
,
Windows, UNIX. $, Windows
API $
. , API$ $
UNIX, ,
320
19.
. ,
, , , .
: ?
$
. 11 $
, 12 : $
UNIX 13 :
Windows $
. 14 , 15 $
: UNIX 16 $
: Windows
$. $
$
,
. , $
.
. $
$
, .
,
, . $
, $
$.
? , $
,
.
,
.
. $
$$
, , $
. $
,
. , $
,
, $ $
.
,
,
.
, . $
.
321

,
Microsoft Windows, $

Windows. $
, , , $
. ,
$
.
Windows 95 Windows
32$
4 . 4
. (0x00000000
0x7FFFFFFF) , (0x80000000
0xFFFFFFFF) . $
3 : 1 ( /3GB boot.ini1): 3 $
1
Oracle.
, , $
.
, , $
. $

$
, $
.
, Windows
. ,
$
4 .

(MMU). $
, $
4 .
. $
4096 (01000) Windows. , $
, RAM ( $
).
( )
RAM.
Windows
.
http://support.microsoft.com/kb/q291988/
322
19.
;
. , $
, , :1
PAGE_EXECUTE ( ). $
,
.
PAGE_EXECUTE_READ ( ).
,
.
PAGE_EXECUTE_READWRITE (, ).
: ,
, .
PAGE_NOACCESS ( ). $
. ,
.
PAGE_READONLY ( ).
. $
. $
( ),
.
PAGE_READWRITE ( ).
. PAGE_READONLY, $
,
$
.
PAGE_GUARD ($
), MSDN2 $
STATUS_GUARD_PAGE_VIOLATION $
,
. PAGE_GUARD
.
. $
PAGE_NOACCESS.
,
, .
, $
. $
. :
Windows 4 $
.
1
2
http://msdn2.microsoft.com/en+us/library/aa366786.aspx
.
323
,
0x00000000 0x7FFFFFFF, .

.
4 $
4096 (0x1000).

.
PAGE_GUARD
.
. 19.1, ,
Windows $
.
,
.

, .
,
. 19.1, , .
, 0x00010000
. , 7 $
, $
, $
. $
, 0x00030000 0x00150000. ,
, ,
malloc() HeapAlloc(). , $
. ,
0x0012F000, .
, $
. , $
.
2 0x00D8D000. 0x00400000
,.exe, $
. $
DLL
kernel32.dll ntdll.dll. DLL $
Microsoft, , $
. , DLL
Portable Executable (PE). , $
. 19.1 $
.
, $
. $
324
19.
0x00000000
0x00010000
0x00030000
0x0012F000
0x00150000
0x00400000
0x00D8D000
0x71AB0000
0x7C800000
KERNEL32.DLL
0x7C900000
NTDLL.DLL
0x7F000000
0x80000000
0xFFFFFFFF
. 19.1. Windows ( )
.1
, $ $
.
1
Microsoft Windows Internals, Fourth Edition, Mark E. Russinovich, David A.

Solomon; Undocumented Windows 2000 Secrets: A Programmers Cookbook,
Sven Schreiber; Undocumented Windows NT, Prasad Dabak, Sandeep Phadke,
Milind Borate.
325
< ?

?
. $

. . $
. 19.2, $
, .
while(1):
accept()
recv()
func1()
unmarshal()
parse()
func2()
...
. 19.2.
$
. ,
,
j recv().
$
. unmarshal() $
,
. , , $
parse(), $
. parse() $
, $
, $
.
,
?
, $
, . $
$
,
326
19.
, . $

, ,
, .
, ,
, $
.
, $
$
. $
, $
; 22
.
.
$
, SMTP, POP HTTP, $
RFC, ,
, . ,
$
, , $
. ,
, $ $
, . , $
, $
.
, ,
? , $
? $
Skype1
. EADS/CRC $
2, $
Skype (SKYPE$SB/2005$003)3. $
, , $
, ? $
.

.
1
2
http://www.skype.com
http://www.ossir.org/windows/supports/2005/2005+11+07/EADS+CCR_Fabri+
ce_Skype.pdf
http://www.skype.com/security/skype+sb+2005+03.html
327
, $
, , $
$
, , $
. ,

, , $
.
:
$
(mutation loop insertion, MLI). MLI , $
, $
parse(). MLI$
mutate() . $
, ,
,
. MLI$ $
$
.
, $
, . 19.3.
, ? $
. $
.
.
while(1):
accept()
recv()
func1()
unmarshal()
parse()
func2()
...
mutate()
. 19.3.
328
19.
,
, , mutate().
, $
. , $
, , $
. 20
: , $
.
+
(snapshot restoration mutation, SRM).
MLI, , $
, $
parse(). , MLI, SRM
. ,
SRM$
. $
, , $
. $
, . 19.4.
, $
. 20 $
while(1):
accept()
recv()
func1()
unmarshal()
snapshot()
restore()
parse()
func2()
...
. 19.4.
329
, $
, . $
, , $
, .
, , $
.

$
. $ $
,

.
. , , $
POP, TCP$ 110. $
(, $
, ):
$ nc mail.example.com 110
+OK Hello there.
user pedram@openrce.org
+OK Password required.
pass xxxxxxxxxxxx
+OK logged in.
list
+OK
1 1673
2 19194
3 10187
... [output truncated]...
.
retr 1
+OK 1673 octets follow.
ReturnPath: <ralph@openrce.org>
DeliveredTo: pedram@openrce.org
[output truncated]
retr AAAAAAAAAAAAAAAAAAAAAAA
ERR Invalid message number. Exiting.
$
RETR, ,

. $
$
$
. ,
4 .
330
19.

.
, $
. MLI$, SRM$
, (
),
. $
,
. $
, , , $
Skype, .

. $
1 $
$
. $
,
, $
. . 19.5.
read string()
pedram
pedramAAAA...
mutate()
parse name()
read_string()
pedram%s%s%s
. 19.5.
MLI parse_name() read_string(). $

parse_name()
.
,
.
1
http://en.wikipedia.org/wiki/Heisenberg_principle
331
, $
, $
.
.
$
, . $
, $
$
.
,
, $
.
.
,
HBGary LLC 1 $
2 Blackhat Security 2003 .
HBGary $
Inspector3. $
,
. , $
, $
.
$
. $
, , $
. , $
, $ http://www.fuzzing.org.
1
2
3
http://www.blackhat.com/presentations/bh+federal+03/bh+fed+03+hoglund.pdf
http://www.blackhat.com/presentations/bh+usa+03/bh+us+03+hoglund.pdf
http://hbgary.com/technology.shtml
20
:
, ,
.
$.,
,
$, ,
8 2004
$
. $
Windows UNIX, , $
, $
Windows. $
, 32$ Windows x86.
, ,
.
, .
$
, .
, , :
http://www.fuzzing.org.
.

, ,
x86 Windows,
. $
333
. , ,
, , , $
, 24
.

19
MLI SRM,
.
MLI ,

. SRM
, $
, $
.
. 20.1 20.2, $
recv()
func1()
unmarshal()

parse()
func2()
...
mutate()
. 20.1.
recv()
unmarshal()
func1()

parse()
func2()
...
. 20.2.
334
20. :
: , $
, , $
.
$
, Windows.
, , ,
.

.
. $
$
. 1 ,
,
(ESP), (ESP) (EBP)
(EAX, EBX, ECX, EDX,
ESI EDI). $

SRM. , , $
Windows $
, .
, $

SRM. $
, ,
MLI.
SRM MLI. ,
SRM,
MLI. MLI,
. $
, $
.

$
Windows,
1
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/debug/
base/context_str.asp
335
, ,
,
. , $
, C C++, $
, $
.
Perl, Python Ruby.
,
, , , . $
, Python, $
ctypes1 Python, . ctypes
Windows,
C $
Python . $
, , , $
GetCurrentProcessId(), kernel32.dll:
from ctypes import *
# create a convenience shortcut to kernel32.
kernel32 = windll.kernel32
# determine the current process ID.
current_pid = kernel32.GetCurrentProcessId()
print "The current process ID is %d" % current_pid
$
C. ctypes ,
, Python
(. 20.1).
20.1. , C ctypes
ctypes
Python
c_char
c_int
c_long
c_ulong
c_char_p
c_void_p
http://starship.python.net/crew/theller/ctypes/tutorial.html.
http://starship.python.net/crew/theller/ctypes/
336
20. :
$
. $
value.
byref().
, , c_char_p c_void_p, $
.
create_string_buffer().

raw. $
, ReadProcessMemory():
read_buf = create_string_buffer(512)
count
= c_ulong(0)
kernel32.ReadProcessMemory(h_process, \
0xDEADBEEF, \
read_buf, \
512,
\
byref(count))
print "Successfully read %d bytes: " % count.value
print read_buf.raw
ReadProcessMemory() $
, $
; , ; $
, ; ,
, , , ,
, .
$
, $
, :
c_data = c_char_p(data)
length = len(data)
count = c_ulong(0)
kernel32. WriteProcessMemory(h_process, \
0xC0CAC01A, \
c_data,
\
length,
\
by_ref(count))
print "Sucessfully wrote %d bytes: " % count.value
WriteProcessMemory() $
ReadProcessMemory().
,
; ; , $
; , , $
, ,
.
Windows
337
, $
.
, ,
, ,
.
Windows
19
Windows. $
, $ $
Windows, $
.
Windows Windows NT $
,

, . $

: 1, 2 3. $
,
. , , $
.
. $

, $
.
:
pi = PROCESS_INFORMATION()
si = STARTUPINFO()
si.cb = sizeof(si);
kernel32.CreateProcessA(path_to_file,
command_line, \
0,
\
0,
\
0,
\
DEBUG_PROCESS, \
0,
\
0,
\
1
base/debugging_functions.asp
base/debugging_events.asp
base/debugging_structures.asp
338
20. :
byref(si),
byref(pi))
print "Started process with pid %d" pi.dwProcessId
A CreateProcess: $
Windows Unicode,
ANSI. $
.
ctypes $
. , $
ANSI,
Unicode, MSDN. $
MSDN, , , CreateProcess1, $
: CreateProcessW (Unicode) CreateProcessA
(ANSI). PROCESS_INFORMATION STARTUP_INFO $
CreateProcess $
, , $
(pi.dwProcessId)
(pi.hProcess). $
, ,
DebugActiveProcess():
# attach to the specified process ID.
kernel32. DebugActiveProcess(pid)
# allow detaching on systems that support it.
try:
kernel32.DebugSetProcessKillOnExit(True)
except:
pass
, $
, , $
A W. DebugActiveProcess() $
. DebugActiveProcess()
, , ,
. DebugSetProcessKillOnExit()2 $
Windows XP; $
, ($
, ).
try/except
,
,
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/dllproc/
base/createprocess.asp
base/debugsetprocesskillonexit.asp
Windows
339
, Windows 2000. $
, $
.
( ) $
. ,
. , , $
, $
. $ $
. ,
, . $
. , ,
. $
, , $
. $
:
debugger_active = True
dbg
= DEBUG_EVENT()
continue_status = DBG_CONTINUE
while debugger_active:
ret = kernel32. WaitForDebugEvent(byref(dbg), 100)
# if no debug event occurred, continue.
if not ret:
continue
event_code = dbg.dwDebugEventCode
if event_code == CREATE_PROCESS_DEBUG_EVENT:
# new process created
if event_code == CREATE_THREAD_DEBUG_EVENT:
# new thread created
if event_code == EXIT_PROCESS_DEBUG_EVENT:
# process exited
if event_code == EXIT_THREAD_DEBUG_EVENT:
# thread exited
if event_code == LOAD_DLL_DEBUG_EVENT:
# new DLL loaded
if event_code == UNLOAD_DLL_DEBUG_EVENT:
# DLL unloaded
if event_code == EXCEPTION_DEBUG_EVENT:
# an exception was caught
# continue processing
kernel32.ContinueDebugEvent(dbg.dwProcessId, \
dbg.dwThreadId, \
continue_status)
340
20. :

WaitForDebugEvent()1,
DEBUG_EVENT, , $
, $
. , $
DEBUG_EVENT dwDebug
EventCode. , ,
$
, , $
DLL . $
, ,
, u.Exception.Exception
Record.
ExceptionCode DEBUG_EVENT. MSDN2 $
, $
:
EXCEPTION_ACCESS_VIOLATION. , $
$
.
EXCEPTION_BREAKPOINT. $
.
EXCEPTION_SINGLE_STEP. $
.
EXCEPTION_STACK_OVERFLOW.
. $
;
.

$
. $
ContinueDebugEvent().

$
Windows, $
, ,
ctypes $
Windows. $
:
1
base/waitfordebugevent.asp
base/exception_record_str.asp
341

?
$
?
$
?
?

?
,
$
. $
: . $
80x86 . $
, $
$, $, $
. $
, $
DR0 DR3 DR7. $
. DR7
, , $
, ,
(, ) . $
$
. , ,
; $
INT3, 0xCC.
$
, . ,
$ ,
. $
,

0xDEADBEEF. $
, ,
ReadProcessMemory, $
. 20.3.
, $
$ .
INT3 $
WriteProcessMemory, (. 20.4).
?
0xCC INT3.
342
20. :
debugger
8B
OxDEADBEEF
8B
OxDEADBEF1
55
OxDEADBEF2
8B
FF
mov edi, edi

push ebp
mov ebp, esp
EC
. 20.3.
debugger
8B
OxDEADBEEF
CC
OxDEADBEFO
FF
OxDEADBEF3
EC
INT3
55
8B
call [ebp75]
in al, dx
. 20.4. INT3
mov edi, edi (0xFF), , $

push ebp (0x55), mov ebp, esp
(0x8B), call [ebp75].
0xEC in al, dx. $
, 0xDEADBEEF, INT3
EXCEPTION_DEBUG_EVENT $
EXCEPTION_BREAKPOINT,
( ?). $
. 20.5.
, $
, . , $
343
debugger
8B
OxDEADBEEF
CC
OxDEADBEFO
FF
OxDEADBEF3
EC
INT3
55
8B
call [ebp75]
in al, dx
EIP
. 20.5. EXCEPTION_BREAKPOINT
debugger
8B
OxDEADBEEF
8B
OxDEADBEFO
55
OxDEADBEF3
8B
FF
mov edi, edi

push ebp
EC
mov ebp, esp
EIP
. 20.6. EIP
$ . ,
(EIP, , $
, )
0xDEADBEF0, 0xDEADBEEF. $ ,
0xDEADBEEF INT3 $
, , EIP 0xDEAD$
BEEF+1. , EIP $
0xDEADBEEF, . 20.6.
0xDEADBEEF ,
. , $
EIP . ,
344
20. :
, $
, (EIP),
.
GetThreadCon
text()1, $
CONTEXT.
CONTEXT Set
ThreadContext()2, $
:
context = CONTEXT()
context.ContextFlags = CONTEXT_FULL
kernel32.GetThreadContext(h_thread, byref(context))
context.Eip = 1
kernel32.SetThreadContext(h_thread, byref(context))
,
.

?
, $
: ? . $
.
, , . $
, .

. $
, VMWare3,
. $

. $
4 ,
. $
.
$
. , $
1
3
4
base/getthreadcontext.asp
base/setthreadcontext.asp
http://www.vmware.com
Greg Hoglund, Runtime Decompilation, BlackHat Proceedings
345
. $
, ,
. , $
.1 $,
, TH32CS_SNAP
THREAD:
thread_entry = THREADENTRY32()
contexts
= []
snapshot = kernel32.CreateToolhelp32Snapshot( \
TH32CS_SNAPTHREAD,
\
0)
. ,
$
Thread32First(): dwSize
. Thread32
First(), $
:
thread_entry.dwSize = sizeof(thread_entry)
success = kernel32.Thread32First( \
snapshot,
\
byref(thread_entry))
, , $
, (pid) $
.
, $
, , :
while success:
if thread_entry.th32OwnerProcessID == pid:
context = CONTEXT()
context.ContextFlags = CONTEXT_FULL
h_thread = kernel32.OpenThread( \
THREAD_ALL_ACCESS,
\
None,
\
thread_id)
kernel32.GetThreadContext( \
h_thread,
\
byref(context))
contexts.append(context)
kernel32.CloseHandle(h_thread)
346
20. :
success = kernel32.Thread32Next( \
snapshot,
\
byref(thread_entry))
, ?,

$
.

. ,
32$ Windows x86
4 . 4 $
(0x00000000x7FFFFFFF).
$
, 4096 .
.

, , , $
, $
. , :
PAGE_READONLY
PAGE_EXECUTE_READ
PAGE_GUARD
PAGE_NOACCESS
, $
, .
$
VirtualQue
ryEx()1,
:
cursor
memory_blocks
read_buf
count
mbi
=
=
=
=
=
0
[]
create_string_buffer(length)
c_ulong(0)
MEMORY_BASIC_INFORMATION()
while cursor < 0xFFFFFFFF:

save_block = True
bytes_read = kernel32.VirtualQueryEx(
h_process,
cursor,
byref(mbi),
sizeof(mbi))
\
\
\
\
http://msdn2.microsoft.com/en+us/library/aa366907.aspx
347

if bytes_read < sizeof(mbi):
break
VirtualQueryEx() ,
, $
.
$
:
if mbi.State != MEM_COMMIT or \
mbi.Type == MEM_IMAGE:
save_block = False
if mbi.Protect & PAGE_READONLY:
save_block = False
if mbi.Protect & PAGE_EXECUTE_READ:
save_block = False
if mbi.Protect & PAGE_GUARD:
save_block = False
if mbi.Protect & PAGE_NOACCESS:
save_block = False
,
,
ReadProcessMemory()1
$
. , ,
, :
if save_block:
kernel32.ReadProcessMemory(
h_process,
mbi.BaseAddress,
read_buf,
mbi.RegionSize,
byref(count))
\
\
\
\
\
memory_blocks.append((mbi, read_buf.raw))
cursor += mbi.RegionSize
, , , . ,
, $
, PAGE_READONLY,
? $
; . $
, ? ,
,
348
20. :
.
: $
, $
, , .
, $
$
.

?
,
.
$
. , ,
. $
, $
; , , $
. $
23 .
,
.

?

. $
, , $
. $
:
.
PyDbg,
, , , $
. , , $
( ),
Python PyDbg.1
? , $
. , . $
; , $
, , $ .
PyDbg,
349
PyDbg
Windows . $
PyDbg :
, ;
, , ;
, ;
, ;
$
( SRM);
;

PyDbg,
PID 123
:
from pydbg import *
from pydbg.defines import *
dbg = new pydbg()
dbg.attach(123)
dbg.debug_event_loop()
, , $
. , $
$
Winsock recv() ,
$
:
from pydbg import *
ws2_recv = None
def handler_bp (pydbg, dbg, context):
global ws2_recv
exception_address = \
dbg.u.Exception.ExceptionRecord.ExceptionAddress
if exception_address == ws2_recv:
print "ws2.recv() called!"
return DBG_CONTINUE
dbg = new pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_bp)
dbg.attach(123)
ws2_recv = dbg.func_resolve("ws2_32", "recv")
dbg.bp_set(ws2_recv)
350
20. :
$
. handler_bp(),
. PyDbg.
DEBUG_EVENT1 $
$
. $
, .
, ,
, $
Winsock recv(). , . $
PyDbg DBG_CONTINUE, $
,
PyDbg $
. ,
set_callback(), PyDbg.
,
PyDbg
. $
$
. , func_resolve()
bp_set(). $
recv() Windows ws2_32.dll
. $
. $

recv() Winsock
ws2.recv() $
. , ,
,
.

$
, , ,
.
$ fuzzing.org fuzz_client.exe fuzz_ser$
ver.exe, .
. $
, , $
. $ $
. TCP$ 11427 $
. $
, .
1
351
? $ , , $
, $
. :
$ ./fuzz_server.exe
Listening and waiting for client to connect...
, .
IP$ . , $
:
$ ./fuzz_client.exe 192.168.197.1 'sending some data'
connecting....
sending...
sent...
192.168.197.1 $
sending some data ( $ ).
:
client connected.
received 17 bytes.
parsing: sending some data
exiting...
17 ,
. , $
, $
. , ,
TCP, $
, Ethereal1 . 20.7.
. 20.7. + Ethereal
1
http://www.ethereal.com/, Ethereal: A Network Protocol Analyzer.

Wireshark http://
www.wireshark.org.
352
20. :
, , , , $ $
, . ,
, ,
, $
.
.
, $
. ,
, ,
.
, , , $
.
,
( ,
, ). $
fuzz_ser$
ver.exe , .
fuzz_server.exe $
. .
$
? . $
,

? ,

. OllyDbg1, $
Windows, .
OllyDbg, $
, ,
. , , $
, fuzz_server.exe . ,
TCP, fuzz_server.exe OllyDbg

recv() WS2_32.dll. , ,
WS2_32.dll Ctrl+N,
(. 20.8).
recv() F2, .
F9, $
, fuzz_client ,
. OllyDbg $
fuzz_server,
. Alt+F9
.
1
http://www.ollydbg.de
353
. 20.8. OllyDbg WS2_32.recv()
fuzz_server, WS2_32. $
F8 , printf(), $
, $
. , . 20.9,
, fuzz_server
0x0040100F.
. 20.9. OllyDbg
354
20. :
OllyDbg , $
, Ethereal.
0x0040100F $
?
: $
, . ,
. 20.10, $
.
! ,
. $
, , $
0x00401005, , printf(). $
, exiting printf(), , $
fuzz_server, , $
.
. F9, $
0x00401450, $
, . 20.11.
, $
$
ESP+4.
.
. 20.10. OllyDbg
355
. 20.11. OllyDbg
, $

. $
, , $
. $
. Ctrl+9
, F7 F8,
, ,
. 20.12, printf() exiting[el].
printf()
0x004012b7, , fuzz_server $
exiting[el] . ,
, fuzz_server $
, .
, 0x0040100F $
. , 0x00401450 $
. $
.
0x004012b7 ,
printf("exiting[el]"). $
, , . 20.13 $
, .
356
20. :
. 20.12. OllyDbg
recv()
0x0040100F()
0x00401450()
printf(exiting...)
. 20.13.
PyDbg $
$
, .
,
357
$
. PyDbg, $
PyDbg, (
), , $
,
, , $
:
from pydbg import *
import time
import random
snapshot_hook
restore_hook
snapshot_taken
hit_count
address
=
=
=
=
=
0x00401450
0x004012B7
False
0
0
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT,handle_bp)
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION,handle_av)
found_target = False
for (pid, proc_name) in dbg.enumerate_processes():
if proc_name.lower() == "fuzz_server.exe":
found_target = True
break
if found_target:
dbg.attach(pid)
dbg.bp_set(snapshot_hook)
dbg.bp_set(restore_hook)
print "entering debug event loop"
else:
print "target not found."

.
$
. ,
PyDbg.
$
, : 1) $
, , 2) ,
, $ ($ $
), 3) , .

,
. , $
358
20. :
, $
.
, $
, (
), ( $
).
PyDbg $
http://pedram.redhi+
ve.com/PaiMei/docs/PyDbg/.
def handle_av (pydbg,
exception_record
exception_address
write_violation
violation_address
dbg, context):
= dbg.u.Exception.ExceptionRecord
= exception_record.ExceptionAddress
= exception_record.ExceptionInformation[0]
= exception_record.ExceptionInformation[1]
try:
disasm = pydbg.disasm(exception_address)
except:
disasm = "[UNRESOLVED]"
pass
print "*** ACCESS VIOLATION @%08x %s ***" % \
(exception_address, disasm)
if write_violation:
print "write violation on",
else:
print "read violation on",
print "%08x" % violation_address
try:
print pydbg.dump_context(context, 5, False)
except:
pass
print "terminating debuggee"
pydbg.terminate_process()
$
, OllyDbg.
$
, JIT (just$in$time)1 . $
:
def handle_av (pydbg, dbg, context):
pydbg.detach()
return DBG_CONTINUE
1
base/debugging_terminology.asp
359
, $
. 20.14.
. 20.14.

JIT$, ,
.
, $
. , $
fuzz_server
, .
PyDbg $
, .
, ,
,
exception_address:
def handle_bp (pydbg, dbg, context):
global snapshot_hook, restore_hook
global snapshot_taken, hit_count, address
exception_address = \
dbg.u.Exception.ExceptionRecord.ExceptionAddress
, , $
. ,
hit_count $
:
if exception_address == snapshot_hook:
hit_count += 1
print "snapshot hook hit #%d\n" % hit_count
snapshot_taken.
fuzz_server , $
, PyDbg process_snapshot().
360
20. :

True:
# if a process snapshot has not yet been
# taken, take one now.
if not snapshot_taken:
start = time.time()
print "taking process snapshot...",
pydbg.process_snapshot()
end = time.time() start
print "done. took %.03f seconds\n" % end
snapshot_taken = True
, if, $
.
.
hit_count, $
,
. .
( , $
), $
virtual_free() PyDbg:
if hit_count >= 1:
if address:
print "freeing last chunk at",
print "%08x" % address
pydbg.virtual_free( \
address,
\
1000,
\
MEM_DECOMMIT)
if hit_count >= 1,
fuzz_server $
virtual_alloc() PyDbg.
. $
? , $
, $
fuzz_server $
. $
:
,
:
print "allocating memory for mutation"
address = pydbg.virtual_alloc( \
None,
\
1000,
\
MEM_COMMIT,
\
PAGE_READWRITE)
print "allocation at %08x\n" % address
361
, $
ASCII
$
. A,
ASCII.
:
print "generating mutant..."
fuzz = A * 750
random_index = random.randint(0, 750)
mutant = fuzz[0:random_index]
mutant += chr(random.randint(32, 126))
mutant += fuzz[random_index:]
mutant += \x00
print done.\n
$
write_process_memory()
PyDbg:
print "writing mutant to target memory"
pydbg.write_process_memory(address, mutant)
print
, $
. , . 20.11
, ,
, 4, $
. :
print "modifying function argument"
pydbg.write_process_memory( \
context.Esp + 4,
\
pydbg.flip_endian(address))
print
print "continuing execution...\n"
,
, if, $
$
.
process_resto
re() PyDbg.
:
if exception_address == restore_hook:
start = time.time()
print "restoring process snapshot...",
pydbg.process_restore()
end = time.time() start
print "done. took %.03f seconds\n" % end
362
20. :
pydbg.bp_set(restore_hook)
return DBG_CONTINUE
$
:
$ ./fuzz_server.exe
Listening and waiting for client to connect...
:
$ ./chapter_20_srm_poc.py
entering debug event loop
:
$ ./fuzz_client.exe 192.168.197.1 sending some data
connecting....
sending...
sent...
,
, $
:
snapshot / mutate hook point hit #1
taking process snapshot... done. took 0.015 seconds
, .
, fuzz_server $
:
received 17 bytes.
parsing: sending some data
exiting...
, $
$
:
restoring process snapshot... done. took 0.000 seconds
fuzz_server
, . $
, hit_count 1,
:
allocating chunk of memory to hold mutation
memory allocated at 003c0000
generating mutant... done.
writing mutant into target memory space
modifying function argument to point to mutant
363
continuing execution...
, $
fuzz_server, .
, fuzz_server

:
parsing:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
exiting...
), $
. Fuzz_server $
, , $
. $
,
, . $
, $
, $
, :
restoring process snapshot... done. took 0.016 seconds
freeing last chunk at 01930000
allocating chunk of memory to hold mutation
memory allocated at 01940000
generating mutant... done.
writing mutant into target memory space
modifying function argument to point to mutant
*** ACCESS VIOLATION @41414141 [UNRESOLVED] ***
read violation on 41414141
terminating debuggee
265$ SRM$
, , $
364
20. :
. @41414141 ,
0x41414141,
,
. 0x41 $
ASCII A. , $
, $
. ,
, , $
, .
, , $
$
( $
).

$
.

. ,

. ,
$
.
, , .
, $
, , $
$
, . PyDbg $
,
. http://www.fuzzing.org
. ,
, , $
,

.

, , ,
.
24, $

.
III

21.
22.
23.
24.
21

,
, ,
: ,
.
.
$.,
, ,
17 2002
, $

.
; $
, $
, . , $
SMTP$ $
, Microsoft Exchange,
Sendmail, qmail . .
, $
, ,
, .
,
, $
$
.

.
368
21.
$
, SPIKE,
, (
, ).

, Autodafej GPF. $
, , $

$
, .
$
. ,
, $
, .
?
, $
, C, Python
Ruby. , $
$
. , $
Peach Python, dfuz $
( ,
).
, . $
;
. ,
,
.
$
.
,
, $
, $
. $
,
,
.
$
. $
TLV (type, length, value , , $
), ASN.1.1 :
http://en.wikipedia.org/wiki/Asn.1
369
, $
, 0x01 0x02 $
. , $
. ,
, , ;
. .
01
00 07
F U Z Z I N G
(Value)

. $
$
, $
. , $
,
(CRC, Calculat$
ing Cyclic Redundancy Check)1 $
. CRC

. PNG, $
, CRC, $
, CRC
. $
, $
, CRC $
. $

(DNP3, Distributed Network Protocol)2,

(SCADA, Supervisory Control and Data Acquisition). $
250$ ,
CRC$16! ,
: IP$ ,
,
.
, , $
$
.
1
2
http://en.wikipedia.org/wiki/Cyclic_redundancy_check
http://www.dnp.org/
370
21.
,
.
.
, ,
. $
$
(%n%n%n%n) (../../../).

, ,
;
.
; $
24 $
. $
,
.
. $

, $
, .
$
, $
. $
,
.
$
$
: 0x41 0x42, \x41 \x42, 4142 . .
(. 23 ) $
. $

, .
, $
$
$
.
$
, .
,

,
$
.
371

$
, , $
.
, , , $
. $
$
.
Antiparser1
Antiparser , Python
$
, .
, $
,
Python. $
.
antiparser; $
. antiparser ,
.
:
apChar() C;
apCString() , . . , $
;
apKeywords() , $
, ;
apLong() 32$ ;
apShort() 16$ ;
apString() .
apKey
words(). ,
,
, , . $
[ ] [] [ ] [$
].
Antiparser evilftpclient.py, $
apKeywords(). , $
,
. Python $
evilftpclient.py, $
1
http://antiparser.sourceforge.net/
372
21.
FTP$ $
FTP. $
, , , $
FTP$.
.
from antiparser import *
CMDLIST = ['ABOR',
'XCWD',
'MACB',
'PASV',
'RETR',
'SITE',
'SYST',
'ALLO',
'DELE',
'MODE',
'PORT',
'RMD',
'SIZE',
'TYPE',
'APPE',
'HELP',
'MTMD',
'PWD',
'XRMD',
'STAT',
'USER']
'CDUP',
'LIST',
'NLST',
'XPWD',
'REST',
'STOR',
'XCUP',
'MKD',
'NOOP',
'QUIT',
'RNFR',
'STRU',
'CWD',
'XMKD',
'PASS',
'REIN',
'RNTO',
'STOU',
SEPARATOR = " "

TERMINATOR = "\r\n"
for cmd in CMDLIST:
ap = antiparser()
cmdkw = apKeywords()
cmdkw.setKeywords([cmd])
cmdkw.setSeparator(SEPARATOR)
cmdkw.setTerminator(TERMINATOR)
cmdkw.setContent(r"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")
cmdkw.setMode('incremental')
cmdkw.setMaxSize(65536)
ap.append(cmdkw)
sock = apSocket()
sock.connect(HOST, PORT)
# print FTP daemon banner
print sock.recv(1024)
# send fuzz test
sock.sendTCP(ap.getPayload())
# print FTP daemon response
print sock.recv(1024)
sock.close()
$
antiparser, FTP, $
() $
( ). $
FTP
, antiparser. $
apKeywords(). $
, , $
( , $
). $
373
$ .
apKeyword() $
. FTP$
$
, , , .
, setMode('incremental') setMaxSize(65536), $
,
65 336. $
,
$
ap.permute(). , $
.
, , .
, apKeywords(), antiparser, $
. $
, ap.getPayload(),
sock.sendTCP().
, antiparser . FTP$$
Python $
. $
, , $
antiparser $
.
, $
, , $
TLV. ,
,
, , (
2.0, 2005 ).

,
.
Dfuz1
Dfuz C; $
. $
, $
, Mi$
crosoft, Ipswitch RealNetworks.
, $
$ $
.
http://www.genexx.org/dfuz/
374
21.

. , $
, , $
( README). $
, ,
. Dfuz $
UNIX/Linux $
. $
, $
.
; $
.
, Dfuz, $
, , , , . $
,
$
. $
:
var my_variable = my_data
var ref_other = "1234",$my_variable,0x00
var,

$ ( Perl PHP). $
. , , $
antiparser, ,
.
Dfuz ,
. , $
, (%).
:
%attach() , Enter Return.
,
. , $
,
,
%attach() , $
.
%length() or %calc() $
. , %length("AAAA") $
0x04 . $
32 , $
8 %length:uint8() 16
%length:uint16().
375
%put:<size>(number) $
. ,
uint8, uint16 uint32 .
%random:<size>() $
. , %put(),
, uint8,
uint16 uint32 .
%random:data(<length>,<type>)
. ,
. , $
; ASCII, $
, .
%dec2str(num) $
. , %dec2str(123) 123.
%fry() .
"AAAA",%fry(), , , $
AAAA
.
%str2bin() $
. ,
4141, 41 41 41$41 AA.
. $

, , ,
. $
$
$. $
,
( . ):
var my_variable1 = "a string"
var my_variable2 = 0x41,|0xdeadbeef|,[Px50],[\x41*200],100
list,
, begin, , $
,
end. $
. :
list my_list:
begin
some_data
more_data
even_more_data
end
376
21.
, ,
, ($). $
, , Perl PHP,
$
: $my_list[1]. $
rand: $my_list[rand].
.
:
keep_connecting , $
;
big_endian $
( );
little_endian
( );
tcp , $
TCP;
udp , $
UDP;
client_side ,
, , ;
server_side ,
, , , $
;
use_stdout $
(), ,
.
stdout.
,
, Dfuz FTP,
POP3, Telnet SMB ( ).
, ftp:user(), ftp:pass(),
ftp:mkd(), pop3:user(), pop3:pass(), pop3:dele(), telnet:user(), telnet:
pass(), smb:setup() . . (. Dfuz $
).
$
. $
, $
( ) $
FTP$:
port=21/tcp
peer write: @ftp:user("user")
peer read
peer write: @ftp:pass("pass")

peer
peer
peer
peer
peer
377
read
write: "CWD /", %random:data(1024,alphanum), 0x0a
read
write: @ftp:quit()
read
repeat=1024
wait=1
# No Options
, $
TCP, 21.
, , . peer read
peer write , $
, .
FTP $
FTP.
(CWD) $
. CWD 1024 $
$ , $
(0x0a). , .
, repeat, , $
1024 . $
Dfuz $
FTP$, CED $
1024 $
.
Dfuz ,

. stdout ( $
)
, $
. Dfuz
, $
. , $
, . $
,
;
$
, $
. Dfuz $
, $
, , $
Peach. : $
. , Dfuz
$
, .
378
21.
SPIKE1
SPIKE , , $
. SPIKE C
,
. $
SPIKE ,
(GPL)2
GNU. $
SPIKEfile, $
,
(. 12 : $
UNIX). SPIKE
, , . $
,
SPIKE, ,
. $
$
. $
, ,
$
:3
s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata")
s_binary("01020304");
s_block_end("somepacketdata");
SPIKE ( SPIKE C) $
somepacketdata ( $ $
), 0x01020304
.
4 $
. ,
SPIKE s_, spike_.
s_binary() $
$
,
, 4141 \x41
0x41 41 00 41 00. , $
SPIKE. SPIKE
, $
1
2
3
http://www.gnu.org/copyleft/gpl.html
http://www.immunitysec.com/downloads/advantages_of_block_based_analy+
sis.pdf
379
. $
:
s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata")
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");
somepacketdata innerdata ($
). , $
. in$
nerdata (0x0001),

0x02,
SELECT. s_bina
ry_bigendian_word_variable() s_string_variable() $

( ) ,
. $
SPIKE
, .
, SPIKE $

. $
SPIKE/src/spike.c.
2.9 , $
700 , .
, $
, , $
$
. $
.
SPIKE.
: $
FTP, SPIKE. $
SPIKE,
, :
s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
380
21.
s_string(" v);
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string(",");
s_string(",");
s_string(",");
s_string(",");
s_string(",");
s_string("\r\n");
SPIKE , $
$
, . , $
,
, $
.
$
, SPIKE $
, $
, .
.
$
SPIKE $
Microsoft Windows, SPIKE $
UNIX, $
381
SPIKE Windows
Cygwin.1 , $
, $
, , $
.

. , $
,
.
SPIKE
, $
. SPIKE $
, proxy$, $
$$
. $
, SPIKE,
, . $
, , , $
: SPIKE
.
Peach2
Peach, IOACTIVE 2004 , $
, Py$
thon. Peach , $
.
Peach, , $
, $
. , ,
(peach, fuzz ?3).
,
, , , $
, .
$
.
. $
$
$
. , ,
, SMTP$. $
1
2
3
http://www.cygwin.com/
http://peachfuzz.sourceforge.net
Peach ,
fuzz . . .
382
21.
$
, .
$.
base64, gzip HTML. $
$
. ,
, URL,
gzip. $
$
. $

, $
.
(publishers) $
.
TCP.
$
.
Peach , $

. , , $
GIF. $
$
.
$
, , $
. Peach $
. , Script, $
, $
,
group.next() protocol.step().
, $
Peach, $
FTP $
:
from
from
from
from
from
Peach
Peach.Transformers
Peach.Generators
Peach.Protocols
Peach.Publishers
import
import
import
import
import
*
*
*
*
*
loginGroup = group.Group()
loginBlock = block.Block()
loginBlock.setGenerators((
static.Static("USER username\r\nPASS "),
dictionary.Dictionary(loginGroup, "dict.txt"),
383
static.Static("\r\nQUIT\r\n")
))
loginProt = null.NullStdout(ftp.BasicFtp('127.0.0.1', 21), loginBlock)
script.Script(loginProt, loginGroup, 0.25).go()
Peach.
. $
, . $
.
.
FTP
, . $
FTP.
, $
. ,
,
.
,
Peach. Peach $
, Autodafej Dfuz.
Peach , $
$
, , $
. , , $
$
, , ,
, $
. , gzip $
, $

, HTTP $
. Peach.
, .
Peach Python,
Python. , $
, $
Python, Microsoft COM1 Microsoft .NET, Peach
Active X $
. DLL
Microsoft Windows, Peach C/C++
, .
Peach , $
0.5
1
http://en.wikipedia.org/wiki/Component_Object_Model
384
21.
( 2006 ). Peach
, , , $
$
. $ $
, $
, .
Peach
. ,
Ruby Peach, $
.
1
(GPF, General Purpose Fuzzer)
Applied Security.
.2
GPF , $
GPL;
UNIX. , GPF $
; SPIKE, $
.
, ,
. $
GPF ,
, , $
. GPF $
, PureFuzz ( $
), Convert (), GPF ( ), Pattern
Fuzz ( ) SuperGPF.
PureFuzz ;
, /dev/urandom . $
, $
, $

. $
PureFuzz netcat /dev/urandom $
, PureFuzz $
, $
. , , PureFuzz $
,
, .
1
2
http://www.appliedsec.com/resources.html
general purpose fuzzer $
general protection fault.
. .
385
Convert GPF, libpcap, $

, Ethereal1 Wireshark2, GPF.

pcap (
) , .
GPF GPF
$
. , $
.
$
, $
. ,
.
Pattern Fuzz (PF) GPF,

. PF
ASCII $

. $
tokAids, C. ASCII
tokAid (normal_ascii), (,
DNS). tokAid $
$
.
SuperGPF GPF Perl,
, $
, , $
. SuperGPF GPF
, , $
. $
GPF $
. $
SuperGPF ASCII.
GPF,
FTP:
Source:S
Source:C
Source:S
Source:C
Source:S
Source:C
Source:S
1
2
Size:20 Data:220 (vsFTPd 1.1.3)

Size:12 Data:USER fuzzy
Size:34 Data:331 Please specify the password.
Size:12 Data:PASS wuzzy
Size:33 Data:230 Login successful. Have fun.
Size:6 Data:QUIT
Size:14 Data:221 Goodbye.
http://www.ethereal.com
http://www.wireshark.org
386
21.
GPF .
GPF, .

tokAids , $
SPIKE, , ,
. , $
$
:
GPF ftp.gpf client localhost 21 ? TCP 8973987234 100000 0 + 6 6 100 100 5000
43 finish 0 3 auto none G b
, GPF
. $
, , $
.
ASCII
. $
GPF ,

!
, PureFuzz GPF, $
,
, .
,
, BrightStor ARC$
serve Backup Computer Associates. 2005 $
, Microsoft
SQL Server1, $
. , , $
, 3168 $
, TCP 6070.

,
.
$
, PureFuzz, ,

.
1
http://labs.idefense.com/intelligence/vulnerabilities/display.php?
id=287
387
$

. $
22 .
Autodafe1
Autodafej : SPIKE $
,
. Autodafej
, GPL
GNU $
UNIX. SPIKE,
Autodafej .
Autodafej,
2 ,
Autodafej; SPIKE
:
string("dummy");
string_uni("dummy");
hex(0x0a 0a \x0a);
block_begin("block");
block_end("block");
block_size_b32("block");
block_size_l32("block");
block_size_b16("block");
block_size_l16("block");
block_size_8("block");
block_size_8("block");
block_size_hex_string("a");
block_size_dec_string("b");
block_crc32_b("block");
block_crc32_l("block");
send("block");
recv("block");
fuzz_string("dummy");
fuzz_string_uni("dummy");
fuzz_hex(0xff ff \xff);
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
define a constant string */

define a constant unicode string */
define a hexadecimal constant value */
define the beginning of a block */
define the end of a block */
32 bits bigendian size of a block */
32 bits littleendian size of a block */
16 bits bigendian size of a block */
16 bits littleendian size of a block */
8 bits size of a block */
8 bits size of a block */
hexadecimal string size of a block
decimal string size of a block */
crc32 of a block in bigendian */
crc32 of a block in littleendian */
send the block */
receive the block */
fuzz the string "dummy" */
fuzz the unicode string "dummy" */
fuzz the hexadecimal value */
;
$
.
Autodafej $
$
,
1
2
http://autodafe.sourceforge.net
http://autodafe.sourceforge.net/docs/autodafe.pdf
388
21.
.

. Autodafej:
fuzz_string("GET");
string(" /");
fuzz_string("index.html");
string(" HTTP/1.1");
hex(0d 0a);
$ $
HTTP, $
. , Autodafej $
, 500 .
, ,
500 , 1000
. $
, , ,
. Autodafej $
$
. Autodafej ,
, ( ). $
$
,
,
.
Autodafej $
adbg. $
,
, FileFuzz (. 13
: Windows), Autodafej $
, $
. Autodafej
,
strcpy(), , fprintf(),
.
.
$
, , .
. $
, $
, . , $
, $
. $
,
. $
, , $
: Shockwave Flash
389
. $
,
,
.
Autodafej ,
. $
, PDML2AD, PDML (
), Ethereal
Wireshark Autodafej.
750 ,
,
$
. , PDML2AD
, $
hex(),
string() . . , TXT2AD
, Autodafej. $
, ADC Autodafej. ADC
Autodafej, $
,
.
Autodafej , $
, SPIKE. $
Autodafej SPIKE. $
, $
. ,
, Microsoft
Windows
. $
; $

, .
:
Shockwave Flash

. $, $
, http://www.fuzz+
ing.org. ,
. $
, , $
. ,

390
21.
, , ,
. $

.
,

, , $
.
$
$
. $
Mac$
romedia Shockwave Flash (SWF)1 Adobe
,
.
Shockwave Flash
, Flash Player $
. $
Microsoft Windows
Flash Player .
SWF $
, $
.
, $
2 $ $
SWF $
. $, SWF

Adobe Macromedia
Flash (SWF) Flash Video (FLV).3 $
8$ . $
,
,
. $
$
, Adobe Macromedia. $
, SWF $
, $
,
1
2
http://www.macromedia.com/software/flash/about/
Tipping$
Point.
http://www.adobe.com/licensing/developer/
: Shockwave Flash
391
. SWF
, $
, . $

, $
, , .
SWF
$
SWF ,
. SWF ,
; $
:
[Header]
<magic>
<version>
<length>
<rect>
[nbits]
[xmin]
[xmax]
[ymin]
[ymax]
<framerate>
<framecount>
[FileAttributes Tag]
[Tag]
<header>
<data>
<datatypes>
<structs>
...
[Tag]
<header>
<data>
<datatypes>
<structs>
...
...
[ShowFrame Tag]
[End Tag]
:
magic SWF
FWS;
version , $
Flash, ;
392
21.
length ,
SWF ;
rect :
nbits ;
:
xmin, xmax, ymin ymax. $
,
Flash. ,
, , Flash,
1/20 .
rect
. nbits 3, rect
5 + 3 + 3 + 3 + 3 = 17 .
nbits 4, rect 5 + 4 + 4 +
4 + 4 = 21 .
.

SWF.
, $
Flash. , FileAttributes, $
8$ Flash; , $
. $, , SWF$
, . $
, ,
, $
. $, , Flash
Player SWF$ . $
SWF ,
: $
. : , ,
. ,
. Flash Player , $
ShowFrame, $
. SWF End.
,
2 , . $
.
63 , $
: [ $
] [ ] [].
, $
, : [$
] [111111] [$
] []. , $
: Shockwave Flash
393
SWF $
.
.
. ,
SWF, ( $
). , $

! .
, $
$
. , $
, $
, .
Python $
.
,
(), (), (), $
(), 8$, 16$, 32$
64$ . $
Sulley ( $
Sulley,
):
BIG_ENDIAN
= ">"
LITTLE_ENDIAN = "<"
class bit_field (object):
def __init__ (self, width, value=0, max_num=None):
assert(type(value) is int or long)
self.width
self.max_num
self.value
self.endian
self.static
self.s_index
=
=
=
=
=
=
width
max_num
value
LITTLE_ENDIAN
False
0
if self.max_num == None:
self.max_num = self.to_decimal("1" * width)
def flatten (self):
@rtype: Raw Bytes

@return: Raw byte representation
# pad the bit stream to the next byte boundary.

bit_stream = ""
if self.width % 8 == 0:
bit_stream += self.to_binary()
394
21.
else:
bit_stream = "0" * (8 (self.width % 8))
bit_stream += self.to_binary()
flattened = ""
# convert the bit stream from a string of bits into raw bytes.
for i in xrange(len(bit_stream) / 8):
chunk = bit_stream[8*i:8*i+8]
flattened += struct.pack("B", self.to_decimal(chunk))
# if necessary, convert the endianess of the raw bytes.
if self.endian == LITTLE_ENDIAN:
flattened = list(flattened)
flattened.reverse()
flattened = "".join(flattened)
return flattened
def to_binary (self, number=None, bit_count=None):
@type number:
Integer
@param number:
(Opt., def=self.value) Number to convert
@type bit_count: Integer
@param bit_count: (Opt., def=self.width) Width of bit string
@rtype: String
@return: Bit string
if number == None:
number = self.value
if bit_count == None:
bit_count = self.width
return "".join(map(lambda x:str((number >> x) & 1), \
range(bit_count 1, 1, 1)))
def to_decimal (self, binary):
Convert a binary string into a decimal number and return.
return int(binary, 2)
def randomize (self):
Randomize the value of this bitfield.
self.value = random.randint(0, self.max_num)

def smart (self):
Step the value of this bitfield through a list of smart values.
: Shockwave Flash
395
smart_cases = \
[
0,
self.max_num,
self.max_num / 2,
self.max_num / 4,
# etc...
]
self.value
= smart_cases[self.s_index]
self.s_index += 1
class byte (bit_field):
def __init__ (self, value=0, max_num=None):
if type(value) not in [int, long]:
value = struct.unpack(endian + "B", value)[0]
bit_field.__init__(self, 8, value, max_num)
class word (bit_field):
def __init__ (self, value=0, max_num=None:
value = struct.unpack(endian + "H", value)[0]
class dword (bit_field):
value = struct.unpack(endian + "L", value)[0]
class qword (bit_field):
value = struct.unpack(endian + "Q", value)[0]
# class aliases
bits = bit_field
char = byte
short = word
long = dword
double = qword
bit_field (width), $
, (max_num),
(value), (endian), , ,
(static), , , $
(s_index). bit_field $
:
396
21.
flatten() $
.
to_binary() $
.
to_decimal() $
.
randomize()
.
smart() $
,
.
bit_field,$

. $

flatten() .
, $
SWF, RECT RGB.
, $
, ( , $
):
class RECT (base):
def __init__ (self, *args, **kwargs):
base.__init__(self, *args, **kwargs)
self.fields
[
("Nbits",
("Xmin" ,
("Xmax" ,
("Ymin" ,
("Ymax" ,
]
= \
sulley.numbers.bits(5, value=31, static=True)),
sulley.numbers.bits(31)),
class RGB (base):

self.fields
[
("Red" ,
("Green",
("Blue" ,
]
= \
sulley.numbers.byte()),
,
. $

: Shockwave Flash
397
.
bit_field depen
dent_bit_field, :
class dependent_bit_field (sulley.numbers.bit_field):
def __init__ (self, width, value=0, max_num=None, static=False, \
parent=None, dep=None, vals=[]):
self.parent = parent
self.dep
= dep
self.vals = vals
sulley.numbers.bit_field.__init__(self, width, value, \
max_num, static)
def flatten (self):
# if there is a dependency for flattening (including) this
# structure, then check it.
if self.parent:
#
VVV object value
if self.parent.fields[self.dep][1].value not in self.vals:
# dependency not met, dont include this object.
return ""
return sulley.numbers.bit_field.flatten(self)
,
.
, dep, $
vals, . MATRIX $
:
class MATRIX (base):
self.fields = \
[
("HasScale"
("NScaleBits"
("ScaleX"
("ScaleY"
("HasRotate"
, sulley.numbers.bits(1)),
, dependent_bits(5, 31, parent=self, \
dep=0, vals=[1])),
, dependent_bits(31, parent=self, \
dep=0, vals=[1])),
dep=0, vals=[1])),
("NRotateBits" , dependent_bits(5, 31, parent=self, \

dep=4, vals=[1])),
("skew1"
dep=0, vals=[1])),
("skew2"
dep=0, vals=[1])),
398
21.
("NTranslateBits" , sulley.numbers.bits(5, value=31)),
("TranslateX"
("TranslateY"
]
, NScaleBits MATRIX
5 31,
,
0 (HasScale) 1. ScaleX, ScaleY, skew1 skew2
HasScale. , HasScale $
1, .
. , NRotateBits
4 (HasRotate). 200 $
SWF .1
, $
. $,
, :
class base (structs.base):
def __init__ (self, parent=None, dep=None, vals=[]):
self.tag_id = None
(structs.base).__init__(self, parent, dep, vals)
def flatten (self):
bit_stream = structs.base.flatten(self)
# pad the bit stream to the next byte boundary.
if len(bit_stream) % 8 != 0:
bit_stream = "0" * (8(len(bit_stream)%8)) + bit_stream
raw = ""
# convert the bit stream from a string of bits into raw bytes.
for i in xrange(len(bit_stream) / 8):
chunk = bit_stream[8*i:8*i+8]
raw += pack("B", self.to_decimal(chunk))
raw_length = len(raw)
if raw_length >= 63:
# long (record header is a word + dword)
record_header = self.tag_id
record_header <<= 6
record_header |= 0x3f
flattened = pack('H', record_header)
record_header <<= 32
record_header |= raw_length
flattened += pack('Q', record_header)
flattened += raw
. http://www.fuzzing.org for the code.
: Shockwave Flash
399
else:
# short (record_header is a word)
record_header = self.tag_id
record_header <<= 6
record_header |= raw_length
flattened = pack('H', record_header)
flattened += raw
return flattened
flatten()
$
. 50 $
SWF .
:
class PlaceObject (base):
self.tag_id = 4
self.fields = \
[
("CharacterId"
("Depth"
("Matrix"
("ColorTransform"
]
,
,
,
,
sulley.numbers.word(value=0x01)),
sulley.numbers.word()),
structs.MATRIX()),
structs.CXFORM()),
class DefineBitsLossless (base):

self.tag_id = 20
self.fields = \
[
("CharacterId"
("BitmapFormat"
("BitmapWidth"
("BitmapHeight"
("BitmapColorTableSize"
("ZlibBitmapData"
("ZlibBitMapData_a"
,
,
,
,
,
structs.dependent_byte( \
parent=self, dep=1, vals=[3])),
, structs.COLORMAPDATA( \
parent=self, dep=1, vals=[3])),
, structs.BITMAPDATA( \
parent=self, dep=1, vals=[4, 5])),
]
class DefineMorphShape (base):
self.tag_id = 46
400
21.
self.fields = \
[
("CharacterId"
("StartBounds"
("EndBounds"
("Offset"
("MorphFillStyles"
("MorphLineStyles"
("StartEdges"
("EndEdges"
]
,
,
,
,
,
,
,
,
structs.RECT()),
structs.RECT()),
structs.MORPHFILLSTYLE()),
structs.MORPHLINESTYLES()),
structs.SHAPE()),
structs.SHAPE()),

. SWF,
bit_field. $
, , . bit_field
dependent_bit_field, , ,
.
SWF. $
, $
SWF.
. 21.1.
, $
, SWF.
.
, $
byte, word, . .
bit_field
dependent_byte, . .
dependent_bit_field
base
base
. 21.1. SWF
: Shockwave Flash
401
SWF . $

randomize()
smart() . , $

flat
ten().
.

$
SWF, . $
SWF , $
. $

, .
$
, .
Google SOAP1, SWF$ ,
filetype:swf ( :swf). $
a filetype:swf, b filetype:swf
z filetype:swf. ,
SWF. $
MD5, $
.
10 000 SWF$,
3 . SWF
, $
. 21.1.
21.1.
Flash+ SWF
SWF
Flash 8
< 1%
Flash 7
~ 2%
Flash 6
~ 11%
Flash 5
~ 55%
Flash 4
~ 28%
Flash 1 Flash 3
~ 3%
http://www.google.com/apis/index.html
402
21.
. ,
$
Flash Player. , $
, $
.
SWF.

PaiMei1
.
PaiMei Python, $

.
23. $
, PaiMei FileFuzz.
:
1. SWF Flash Player
PaiMei, PyDbg.
2. $
. ; $
,
SWF, .
3. ,

.
4. $
, Flash Player.
5. .
$
SWF 0x000C $
0xFFFF. , SWF $
,
. $
SWF $, Microsoft Internet Exp$
lorer Mozilla Firefox. , $
, ,
ActionScript2, $
SAFlashPlayer.exe. $
Macromedia Studio.3
1
2
3
http://en.wikipedia.org/wiki/ActionScript
http://www.adobe.com/products/studio/
Sulley:
403

SWF $
.
.
$
SWF ,
. $
,
SWF,
SWF SWF. $
, SWF $
$ $
.

SWF .
$
.
, $
.
Sulley:
Sulley $
, $
. Sulley ( )

, . $
, $
. Sulley
Monsters, Inc. ( )1,
, .2 Sulley
$ http://www.fuzzing.org/sulley.
, , $
. Sulley
,
, $
. Sulley $
. Sulley
, $
. Sulley ,
1
2
http://www.pixar.com/featurefilms/inc/chars_pop1.html
. fuzzy , $
fuzz, .
. .
404
21.
. Sulley $
, . Sulley $
,
. Sulley
$
. , Sulley :
1. : $
. , , $
.
Sulley.
2. : ,
; $
Sulley (, , . .)
.
3. : $
. .
Sulley http://
www.fuzzing.org, . $
, , $
.
Sulley
Sulley , . $
, ,
, $
. ,
:
archived_fuzzies: ,
, $
, :
trend_server_protect_5168: $
.
trillian_jabber: , $
.
audits:
PCAP, , . $

archived_fuzzies.
docs:
Epydoc.
requests: Sulley. $
,
.
Sulley:
405
__REQUESTS__.html: $
. $
.
http.py: $.
trend.py: , $
, .
sulley: . $
.
legos: , .
ber.py: ASN.1/BER.
dcerpc.py: Microsoft RPC NDR.
misc.py: ,
.
xdr.py: XDR.
pgraph: Python.
.
utils: .
dcerpc.py: Microsoft RPC, $
.
misc.py: , $
CRC$16 UUID.
scada.py: ,
SCADA, DNP3.
__init__.py: s_, $
.
blocks.py: $
.
pedrpc.py: , $
Sulley $
.
primitives.py: ,
, , .
sessions.py:
.
sex.py: $
Sulley.
unit_tests: Sulley.
utils: .
crashbin_explorer.py: ,
, $
.
406
21.
pcap_cleaner.py: ,
PCAP , $
.
network_monitor.py: ,
PedRPC.
process_monitor.py: $
, PedRPC.
unit_test.py: Sulley.
vmcontrol.py: , VMWare,
PedRPC.
, ,
, Sulley .
.

SPIKE .
, , $
$
,
. Sulley $
,
. :
s_initialize("new request")
,
.
. $
. $
. $
, $
. , $
,
, , .

, s_static(),
.
Sulley $
. s_dunno(), s_raw() s_unknown() s_static():
# these are all equivalent:
s_static("pedram\x00was\x01here\x02")
s_raw("pedram\x00was\x01here\x02")
s_dunno("pedram\x00was\x01here\x02")
s_unknown("pedram\x00was\x01here\x02")
Sulley:
407
, . . $
. $

request.names["name"] ,
, . $
,
s_binary(), , $
. SPIKE, , $
, (, $
, ) , $
:
# yeah, it can handle all these formats.
s_binary("0xde 0xad be ef \xca fe 00 01 02 0xba0xdd f0 0d")
Sulley
, , .
s_random(),
.
, 'min_length'
'max_length',
,
, . $
:
num_mutations ( , 25): , $
,
;
fuzzable (, True):
;
name (, None): ,
Sulley,
$
.
num_mutations ,
,
. $
, $
'min_length' 'max_length'.

ASCII
, , HTTP.
, Sulley $
:
: s_byte(), s_char();
: s_word(), s_short();
408
21.
: s_dword(), s_long(), s_int();

: s_qword(), s_double().
,
. $
:
endian (, <): $
. <, >;
format (, binary): ,
ascii, , $
. , 100 $
100 ASCII \x64 ;
signed (, False):
, ascii;
full_range (, False):
(
);
fuzzable (, True):
;
name (, None): ,
Sulley,
$
.
full_range
. ,
DWORD; 4 294 967 295 .
, 10
, , $
, 13 !
Sulley
. 10 $
; (MAX_VAL); MAX_VAL,
2; MAX_VAL, 3; MAX_VAL, $
4; MAX_VAL, 8; MAX_VAL, 16,
MAX_VAL, 32. $
141
.

. , $
, , . $
, , .
Sulley s_string(),
. , $
Sulley:
409
. $
:
Size ( , 1): $
.
1;
padding (, \x00):
, $
, ;
encoding (, ascii): $
. ,
str.encode() Python. Microsoft Unicode
utf_16_le;
fuzzable (, True):
;
name (string, default None): , $
Sulley,
.
.
, ,
HTTP: GET /index.html HTTP/1.0. (/)
(.) . $
Sulley , $
s_delim(). , $
, $
. $
, s_delim()
'fuzzable' 'name'. ,
. $
,
HTML.
# fuzzes the string: <BODY bgcolor="black">
s_delim("<")
s_string("BODY")
s_delim(" ")
s_string("bgcolor")
s_delim("=")
s_delim("\"")
s_string("black")
s_delim("\"")
s_delim(">")
, , $
.
s_block_start(),
410
21.
s_block_end(). ,
s_block_start().
:
group (, None): , $
( );
encoder ( , None): $
,
;
dep (, None): ,
;
dep_value (, None): ,
dep, $
;
dep_values ( , []): ,
dep, $
;
dep_compare (, ==): , $
. $
: ==, !=, >, >=, <, and <=.
, $
, ; $
.
$
, ,
. $
, ,
$
. s_group()
. ,
,
. $
Sulley, $
$.
# import all of Sulleys functionality.
from sulley import *
# this request is for fuzzing: {GET,HEAD,POST,TRACE} /index.html HTTP/1.1
# define a new block named "HTTP BASIC".
s_initialize("HTTP BASIC")
# define a group primitive listing the various HTTP verbs we wish to fuzz.
s_group("verbs", values=["GET", "HEAD", "POST", "TRACE"])
Sulley:
411
# define a new block named "body" and associate with the above group.
if s_block_start("body", group="verbs"):
# break the remainder of the HTTP request into
individual primitives.
s_delim(" ")
s_delim("/")
s_string("index.html")
s_delim(" ")
s_string("HTTP")
s_delim("/")
s_string("1")
s_delim(".")
s_string("1")
# end the request with the mandatory static sequence.
s_static("\r\n\r\n")
# close the open block, the name argument is optional here.
s_block_end("body")
Sulley. $
HTTP BASIC.

.
GET, HEAD, POST TRACE.
$

. , s_block_start()
True,
, $
. , s_block_end()
.
. $
$
, .
Sulley, $
, , $
.
, . $
, $

. $
. DcsProces$
sor.exe Trend Micro Control Manager
TCP 20901 , $
XOR. $
$
XOR:
412
21.
def trend_xor_encode (str):
key = 0xA8534344
ret = ""
# pad to 4 byte boundary.
pad = 4 (len(str) % 4)
if pad == 4:
pad = 0
str += "\x00" * pad
while str:
dword =
str
=
dword ^=
ret +=
key
=
struct.unpack("<L", str[:4])[0]
str[4:]
key
struct.pack("<L", dword)
dword
return ret
Sulley , $
, . $
, $
, , $
,
.
$
. , $
, ,
dep. $
Sulley ,
$
. $
dep_value. $
dep_values. , $

dep_compare. , $
, $
:
s_short("opcode", full_range=True)
# opcode 10 expects an authentication sequence.
if s_block_start("auth", dep="opcode", dep_value=10):
s_string("USER")
s_delim(" ")
s_string("pedram")
s_static("\r\n")
s_string("PASS")
Sulley:
413
s_delim(" ")
s_delim("fuzzywuzzy")
s_block_end()
# opcodes 15 and 16 expect a single string hostname.
if s_block_start("hostname", dep="opcode", dep_values=[15, 16]):
s_string("pedram.openrce.org")
s_block_end()
# the rest of the opcodes take a string prefixed with two underscores.
if s_block_start("something", dep="opcode", dep_values=[10, 15, 16],
dep_compare="!="):
s_static("__")
s_string("some string")
s_block_end()

(, , ) .

, $
, Sulley, .
, .
SPIKE s_sizer()
( s_size()). ,
, $
:
length ( , 4): ;
endian (, <): .
< > ;
format (, binary): , $
ascii, , $
;
inclusive (, False):
?
signed (, False):
, ascii;
fuzzable (, False):
;
name (, None): ,
Sulley,
$
.
, $
$
414
21.
, XDR, ASN.1 . . Sulley $

.
Sulley .
; , $
, fuzzable.

, , s_checksum() $
.

:
algorithm ( , crc32):
,
(crc32, adler32, md5, sha1);
endian (, <): .
< > ;
length ( , 0): ,
0 ;
name (, None): ,
Sulley,
$
.
:
crc32, adler32, md5 sha1.
, $
.
s_repeat() ( s_repeater()) $
. , , $
$
. $
: , , $
.
, :
step (integer, default=1): $
;
fuzzable (boolean, default, False): $
;
name (, None): ,
Sulley,
$
.
Sulley:
415
,
.
, . $
, ,
, , CRC$32, $
.
, $
. , $
Sulley:
# table entry: [type][len][string][checksum]
if s_block_start("table entry"):
# we dont know what the valid types are, so well fill
this in with random data.
s_random("\x00\x00", 2, 2)
# next, we insert a sizer of length 2 for the string field to follow.
s_size("string field", length=2)
# block helpers only apply to blocks, so encapsulate the string
# primitive in one.
if s_block_start("string field"):
# the default string will simply be a short sequence of Cs.
s_string("C" * 10)
s_block_end()
# append the CRC32 checksum of the string to the table entry.
s_checksum("string field")
s_block_end()
# repeat the table entry from 100 to 1,000 reps stepping 50 elements
# on each iteration.
s_repeat("table entry", min_reps=100, max_reps=1000, step=50)
Sulley
,
.

Sulley
, ,
, Microsoft RPC,
XDR, ASN.1 . ASN.1 / BER $
[0x04][0x84][ ][]. $
ASN.1$ $
.
:
s_lego("ber_string", "anonymous")
, $
options,
416
21.
. $
tag,
XML:
class tag (blocks.block):
def __init__ (self, name, request, value, options={}):
blocks.block.__init__(self, name, request, None, None, None, None)
self.value = value
self.options = options
if not self.value:
raise sex.error("MISSING LEGO.tag DEFAULT VALUE")
#
# [delim][string][delim]
self.push(primitives.delim("<"))
self.push(primitives.string(self.value))
self.push(primitives.delim(">"))
, , $
$
.

self.push().

ASN.1 / BER1 Sulley.
$
, $
: [0x02][0x04][ ], 0x02 $
, 0x04 ,
, $
. , sul$
ley\legos\ber.py:
class integer (blocks.block):
def __init__ (self, name, request, value, options={}):
blocks.block.__init__(self, name, request, None, None, None, None)
self.value = value
self.options = options
if not self.value:
raise sex.error("MISSING LEGO.ber_integer DEFAULT VALUE")
self.push(primitives.dword(self.value, endian=">"))
def render (self):
# let the parent do the initial render.
http://luca.ntop.org/Teaching/Appunti/asn1.html
417
Sulley:
blocks.block.render(self)
self.rendered = "\x02\x04" + self.rendered
return self.rendered
, $
self.push(). , $
render() , $
\x02\x04,
, $
. Sulley . $
,
,
. .
,
. Sulley
$
. $
. $
, pgraph,
, $
uDraw, . 21.2:
ROOT_NODE
helo
ehlo
mail from
rcpt to
data
. 21.2. SMTP+
418
21.
s_initialize("helo")
s_static("helo")
s_initialize("ehlo")
s_static("ehlo")
s_initialize("mail from")
s_static("mail from")
s_initialize("rcpt to")
s_static("rcpt to")
s_initialize("data")
s_static("data")
sess = sessions.session()
sess.connect(s_get("helo"))
sess.connect(s_get("ehlo"))
sess.connect(s_get("helo"), s_get("mail from"))
sess.connect(s_get("ehlo"), s_get("mail from"))
sess.connect(s_get("mail from"), s_get("rcpt to"))
sess.connect(s_get("rcpt to"), s_get("data"))
fh = open("session_test.udg", "w+")
fh.write(sess.render_graph_udraw())
fh.close()
, Sulley $
: , $
, .
helo. Sulley $
mail from, $
helo. Sulley $
rcpt to.
helo
mail from. data
ehlo. Sulley $
$
. , $
, , Ipswitch Collaboration
Suite 2006 .1
,
, @ :. $
,
EHLO, HELO.
, $
.
Sulley:
419

:
session_filename (, None): ,
.
, $
;
skip ( , .0): $
, ;
sleep_time ( , 1.0): , $
;
log_level (integer, default 2):
$; , $
;
proto (, tcp): ;
timeout ( , 5.0):
send() recv() .
, Sulley, $

.
$
, , , . $
:
def callback(node, edge, last_recv, sock)
node , , edge
$
node, last_recv , $
, sock . $
, , , $
. :
IP$ , , $
IP sock.getpeername()[0].
$
callback session.connect().

, $
. ,
,
VMWare, :
target = sessions.target("10.0.0.1", 5168)
target.netmon
= pedrpc.client("10.0.0.1", 26001)
target.procmon = pedrpc.client("10.0.0.1", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)
420
21.
target.procmon_options
{
"proc_name"
:
"stop_commands" :
"start_commands" :
}
= \
"SpntSvc.exe",
[net stop "trend serverprotect"],
[net start "trend serverprotect"],
sess.add_target(target)
sess.fuzz()
TCP 5168 10.0.0.1.

() ,
26001.
PCAP
$ . $
, $
26002.
, , $
,
. ,
VMWare,
26003. , .
Sulley ,
.
, $
.
.
: (network_monitor.py)
$
PCAP . $
TCP 26001
Sulley PedRPC.
, Sulley $
, $
. $
, Sulley $
, ,
PCAP .
PCAP .
, $
. $
.
:
ERR> USAGE: network_monitor.py
<d|device DEVICE #>
device to sniff on (see list below)
[f|filter PCAP FILTER] BPF filter string
[p|log_path PATH] log directory to store pcaps to
Sulley:
421
[l|log_level LEVEL] log level (default 1), increase

for more verbosity
Network Device List:
[0] \Device\NPF_GenericDialupAdapter
[1] {2D938150427D445F93D6A913B4EA20C0} 192.168.181.1
[2] {9AF9AAECC36246429A3F0768CDA60942} 0.0.0.0
[3] {9ADCDA98A452495694080968ACC1F482}
192.168.81.193
...
: (process_monitor.py)
,

. $
TCP 26002 Sulley
PedRPC.
Sulley
, $
, $ . ,
, , $
Sulley $$
( ). $
$
. $
.
:
ERR> USAGE: process_monitor.py
<c|crash_bin FILENAME> filename to serialize crash bin class to
[p|proc_name NAME]
process name to search for and attach to
[i|ignore_pid PID]
ignore this PID when searching for
the target process
[l|log_level LEVEL]
log level (default 1), increase for
more verbosity
: VMWare (vmcontrol.py)
VMWare $
TCP 26003 Sulley
PedRPC. $
$
; , ,
, , $
.
, , Sulley
$
.

$
422
21.
,
.
:
ERR> USAGE: vmcontrol.py
<x|vmx FILENAME>
<r|vmrun FILENAME>
[s|snapshot NAME>
[l|log_level LEVEL]
path to VMX to control

path to vmrun.exe
set the snapshot name
log level (default 1), increase for more verbosity

Sulley $,
26000.
fuzz() $ $
, , $
. . 21.3 , $
.

. $

. $
, $
. , , $
; $
.
.
. 21.3. + Sulley
Sulley
. $
$
Sulley:
423
, ,
. $
, .
crashbin_explorer.py, $
:
$ ./utils/crashbin_explorer.py
USAGE: crashbin_explorer.py <xxx.crashbin>
[t|test #]
dump the crash synopsis for a specific
test case number
[g|graph name] generate a graph of all crash paths,
save to 'name'.udg
, , $
, , , , $
, $
. $
, Trillian
Jabber, :
$ ./utils/crashbin_explorer.py audits/trillian_jabber.crashbin
[3] ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused
access violation 1415, 1416, 1417,
[2] ntdll.dll:7c910e03 mov [edx],eax from thread 664 caused
access violation 3780, 9215,
[24] rendezvous.dll:4900c4f1 rep movsd from thread 664 caused
access violation 1418, 1419, 1420, 1421, 1422, 1423, 1424,
1425, 3443, 3781, 3782, 3783, 3784, 3785, 3786, 3787, 9216,
9217, 9218, 9219, 9220, 9221, 9222, 9223,
[1] ntdll.dll:7c911639 mov cl,[eax+0x5] from thread 664 caused
access violation 3442,

, . $
,
t.
1416:
$ ./utils/crashbin_explorer.py audits/trillian_jabber.crashbin t 1416
ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused access violation
when attempting to read from 0x263b7467
CONTEXT DUMP
EIP: 7c910f29 mov ecx,[ecx]
EAX: 039a0318 ( 60424984) > gt;>>...>>>>>
(heap)
EBX: 02f40000 ( 49545216) >
PP@ (heap)
ECX: 263b7467 ( 641430631) > N/A
EDX: 263b7467 ( 641430631) > N/A
EDI: 0399fed0 ( 60423888) > #e<root><message>>>>
...>>& (heap)
ESI: 039a0310 ( 60424976) > gt;>>...>>>>>
(heap)
424
21.
EBP: 03989c38 ( 60333112) > \|gt;&t]IPIx;IXIox@ @x@PP8|p|Hg9I
P (stack)
ESP: 03989c2c ( 60333100) > \|gt;&t]IPIx;IXIox@ @x@PP8|p|Hg9I
(stack)
+00: 02f40000 ( 49545216) >
PP@ (heap)
+04: 0399fed0 ( 60423888) > #e<root><message>>>>
...>>& (heap)
+08: 00000000 (
0) > N/A
+0c: 03989d0c ( 60333324) > Hg9I Pt]I@"ImI,IIpHsoIPnIX{ (stack)
+10: 7c910d5c (2089880924) > N/A
+14: 02f40000 ( 49545216) >
PP@ (heap)
disasm around:
0x7c910f18 jnz 0x7c910fb0
0x7c910f1e mov ecx,[esi+0xc]
0x7c910f21 lea eax,[esi+0x8]
0x7c910f24 mov edx,[eax]
0x7c910f26 mov [ebp+0xc],ecx
0x7c910f29 mov ecx,[ecx]
0x7c910f2b cmp ecx,[edx+0x4]
0x7c910f2e mov [ebp+0x14],edx
0x7c910f31 jnz 0x7c911f21
stack unwind:
ntdll.dll:7c910d5c
rendezvous.dll:49023967
rendezvous.dll:4900c56d
kernel32.dll:7c80b50b
SEH unwind:
03989d38 > ntdll.dll:7c90ee18
0398ffdc > rendezvous.dll:49025d74
ffffffff > kernel32.dll:7c8399f3
,
, ,
ECX, , $
ASCII &;tg. , ?
, $
, $
g.
. 21.4 Trillian
Jabber.
, , ,
, , , . $
. $

XMPP (
). Trillian $
_presence mDNS (
DNS) UDP 5353. $
mDNS,
425
Sulley:
[30] kernel32.d11:7c80b50b
[5] rendevous.d11.4900c56d
[24] rendevous.d11.4900c4f1
[1] rendevous.d11.49023afd
[5] rendevous.d11.49023967
[3] ntd11.d11:7c910d5c
[1] rendevous.d11.49023b1f
[2] ntd11.d11:7c910e03
[1] ntd11.7c911639
[3] ntd11.d11:7c910f29
. 21.4. , Sulley
XMP TCP 5298. plugins\rendezvous.dll $

:
4900C470 str_len:
4900C470
mov cl, [eax]
; *eax = message+1
4900C472
inc eax
4900C473
test cl, cl
4900C475
jnz short str_len
4900C477
4900C479
4900C47E
4900C47F
sub eax, edx

add eax, 128
push eax
call _malloc
; strlen(message+1) + 128
,
, +128, $
, expatxml.xmlCompos
eString(), :
plugin_send(MYGUID, "xmlComposeString", struct xml_string_t *);
struct xml_string_t {
unsigned int struct_size;
char *string_buffer;
struct xml_tree_t *xml_tree;
};
xmlComposeString() expatxml.
19002420(), HTML &, > < &, > < $
.
:
426
21.
19002492
19002494
19002496
1900249B
190024A0
190024A1
push
push
push
push
push
call
0
0
offset str_Amp
offset ampersand
eax
sub_190023A0
; "&"
; "&"
190024A6
190024A8
190024AA
190024AF
190024B4
190024B5
push
push
push
push
push
call
0
0
offset str_Lt
offset less_than
eax
sub_190023A0
; "<"
; "<"
190024BA
190024BC
190024BE
190024C3
190024C8
190024C9
push
push
push
push
push
call
offset str_Gt
; ">"
offset greater_than ; ">"
eax
sub_190023A0

,
rendez$
vous.dll ,
:
4900C4EC
4900C4EE
4900C4F1
4900C4F3
4900C4F5
4900C4F8
mov
shr
rep
mov
and
rep
ecx, eax
ecx, 2
movsd
ecx, eax
ecx, 3
movsb
, Sulley, $
. $
, $
. ,
, PCAP, $
, . pcap_cleaner.py
:
$ ./utils/pcap_cleaner.py
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>
,
, $
, PCAP $
. ,
,
.
Sulley:
427

, $
Sulley; ,
. ,
, $
, $
Sulley. $
Trend Micro Server Protect, ,
Microsoft DCE/RPC TCP 5168,
SpntSvc.exe. RPC
TmRpcSrv.dll, $
, IDL ( ):
// opcode: 0x00, address: 0x65741030
// uuid: 25288888bd5b11d19d530080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
// not sent on wire
[in] long trend_req_num,
[in][size_is(arg_4)] byte some_string[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
// not sent on wire
[in] long arg_6
);
arg_1 arg_6
. , $
.
, trend_req_num $
. ,
$
RPC.
:
0x0001,
1
21;
0x0002,
1
18;
0x0003,
1
84;
0x0005,
1
24;
428
21.
0x000A,

1 48;
0x001F,
1
21.
$
,
DCE/RPC.
, .
utisl.dcerpc.request() , $

, :
# dce rpc request encoder used for trend server protect 5168 RPC service.
# opnum is always zero.
def rpc_request_encoder (data):
return utils.dcerpc.request(0, data)

$
, Sulley.
requests\trend.py, $
, Trend, $
. $
(
), Python
$
trend_req_num:
for op, submax in [(0x1, 22), (0x2, 19), (0x3, 85), (0x5, 25), (0xa, 49),
(0x1f, 25)]:
s_initialize("5168: op%x" % op)
if s_block_start("everything", encoder=rpc_request_encoder):
# [in] long trend_req_num,
s_group("subs", values=map(chr, range(1, submax)))
s_static("\x00")
# subs is actually a little endian word
s_static(struct.pack("<H", op)) # opcode
# [in][size_is(arg_4)] byte some_string[],
s_size("some_string")
if s_block_start("some_string", group="subs"):
s_static("A" * 0x5000, name="arg3")
s_block_end()
# [in] long arg_4,
s_size("some_string")
# [in] long arg_6
Sulley:
429
s_static(struct.pack("<L", 0x5000)) # output buffer size

s_block_end()

.
s_group() $
subs,
trend_req_num, .
.
trend_req_num,
;
, . $
some_string NDR.
DCE/RPC NDR Sulley,
RPC , $
NDR . some_string.
,
. $
A ( 20 ). $
s_string(),
, Trend
, $
. ,
size_is arg_4. ,
$
. ,
.

Sulley , $
fuzz_trend_server_protect_5168.py.
archived_fuzzies, $
. Sulley $
Trend :
from requests import trend
, $
DCE/RPC
.
, , . $
utils.dcerpc.bind(),
Sulley:
def rpc_bind (sock):
bind = utils.dcerpc.bind("25288888bd5b11d19d530080c83a5c2c", "1.0")
sock.send(bind)
utils.dcerpc.bind_ack(sock.recv(1000))
430
21.
$
. , $
Trend Server Protect, $
VMWare 10.0.0.1.
$
. ,
, $
:
sess = sessions.session(session_filename="audits/
trend_server_protect_5168.session")
target = sessions.target("10.0.0.1", 5168)
target.netmon
= pedrpc.client("10.0.0.1", 26001)
target.procmon = pedrpc.client("10.0.0.1", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)
VMWare, Sulley $
$
,
. VMWare ,
, Sulley
. $
stop_commands start_commands :
target.procmon_options
{
"proc_name"
:
"stop_commands" :
"start_commands" :
= \
"SpntSvc.exe",
['net stop "trend serverprotect"'],
['net start "trend serverprotect"'],
proc_name , $
; , $
, ,
.
VMWare, , Sulley $
, $
.
, , $
restart_target() VMWare. $
, $
, $
. , $
fuzz() :
# start up the target.
target.vmcontrol.restart_target()
print "virtual machine up and running"
sess.add_target(target)
sess.pre_send = rpc_bind
Sulley:
sess.connect(s_get("5168:
sess.fuzz()
431
op1"))
op2"))
op3"))
op5"))
opa"))
op1f"))

$
. $
$

:
network_monitor.py d 1 \
f "src or dst port 5168" \
p audits\trend_server_protect_5168
process_monitor.py c audits\trend_server_protect_5168.crashbin \
p SpntSvc.exe
, ,
Sulley, $
. BPF ( ) $
, ,
, . $
,
PCAP . $
$
, sulley ready and waiting
(sulley ).
VMWare VM$
Ware ( ). $
vmrun.exe, $
, , , ,
,
:
vmcontrol.py r "c:\\VMware\vmrun.exe"
x "v:\vmfarm\Trend\win_2000_pro.vmx"
snapshot "sulley ready and waiting"
, , !
, . fuzz_trend_server_protect_
5168.py $ http://127.0.0.1:26000
. ,
.
432
21.
221 $
, , 19 $
. crashbin_explorer.py, $
, :
$ ./utils/crashbin_explorer.py audits/trend_server_protect_5168.crashbin
[6] [INVALID]:41414141 Unable to disassemble at 41414141 from thread 568
caused access violation 42, 109, 156, 164, 170, 198,
[3] LogMaster.dll:63272106 push ebx from thread 568 caused
access violation 53, 56, 151,
[1] ntdll.dll:77fbb267 push dword [ebp+0xc] from thread 568 caused
[1] Eng50.dll:6118954e rep movsd from thread 568 caused access violation
181,
[1] ntdll.dll:77facbbd push edi from thread 568 caused access violation
118,
[1] Eng50.dll:61187671 cmp word [eax],0x3b from thread 568 caused
[1] [INVALID]:0058002e Unable to disassemble at 0058002e from thread 568
caused access violation 70,
[2] Eng50.dll:611896d1 rep movsd from thread 568 caused access violation
152, 182,
[1] StRpcSrv.dll:6567603c push esi from thread 568 caused
[1] KERNEL32.dll:7c57993a cmp ax,[edi] from thread 568 caused
[1] Eng50.dll:61182415 mov edx,[edi+0x20c] from thread 568 caused
,
, , $
EIP, 0x41414141. 70 ,
,
Unicode ($, $
, , ). ,
,
,
. $
. $
:
$ ./utils/crashbin_explorer.py
USAGE: crashbin_explorer.py <xxx.crashbin>
[t|test #]
dump the crash synopsis for a specific
test case number
[g|graph name] generate a graph of all crash paths,
save to 'name'.udg
, , $
$
70:
Sulley:
433
$ ./utils/crashbin_explorer.py audits/trend_server_protect_5168.crashbin t 70
[INVALID]:0058002e Unable to disassemble at 0058002e from thread 568
caused access violation
when attempting to read from 0x0058002e
CONTEXT DUMP
EIP: 0058002e Unable to disassemble at 0058002e
EAX: 00000001 (
1) > N/A
EBX: 0259e118 ( 39444760) > A.....AAAAA (stack)
ECX: 00000000 (
0) > N/A
EDX: ffffffff (4294967295) > N/A
EDI: 00000000 (
0) > N/A
ESI: 0259e33e ( 39445310) > A.....AAAAA (stack)
EBP: 00000000 (
0) > N/A
ESP: 0259d594 ( 39441812) > LA.XLT.......MPT.MSG.OFT.PPS.RT (stack)
+00: 0041004c ( 4259916) > N/A
+04: 0058002e ( 5767214) > N/A
+08: 0054004c ( 5505100) > N/A
+0c: 0056002e ( 5636142) > N/A
+10: 00530042 ( 5439554) > N/A
+14: 004a002e ( 4849710) > N/A
disasm around:
0x0058002e Unable to disassemble
SEH unwind:
0259fc58 > StRpcSrv.dll:656784e3
0259fd70 > TmRpcSrv.dll:65741820
0259fda8 > TmRpcSrv.dll:65741820
0259ffdc > RPCRT4.dll:77d87000
ffffffff > KERNEL32.dll:7c5c216c
, $ , $
Unicode . $
PCAP .
. 21.5 Wireshark,
PCAP.
. 21.5. DCE/PRC Wireshark
434
21.
, , , ,
PCAP, ,
. pcap_cleaner.py $
:
$ ./utils/pcap_cleaner.py
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>
,
, ,
PCAP .
, $
, Trend. $
:
TSRT$07$01. StCom$
mon.dll Trend Micro ServerProtect;
TSRT$07$02. eng50.dll
Trend Micro ServerProtect.
, $
.
.
,
s_string(), .

, ;
, .
$
, ,
.
, $
, , $
, $
. SWF Shock$
wave Flash Adobe Macromedia , $
$ ,
, ,

. , , ,
$
,
. , $
435
$
,
.
$
Sulley. $
,
$
. Sulley $
; $
. http://www.fuzzing.org
,
.
22

, .
$.,
$,
27 2000
$
. , $
, $
, $
. $

$. , $
.
$
$
.
$
.
?
$
,
,
. $
SMB$ Microsoft, , 1992
437
Samba.1 $
$ Samba
Windows$ SMB$$. $
$
?
.
, , ,
.
, HTTP, $
, RFC2 $
. $
. , , $
,
, , $
. $
Ipswitch I$Mail. 2006 $
Ipswitchs SMTP $
.3 $
$
, @ :. , $
, .
SAMBA
SAMBA 10 1992 ,
(Andrew Tridgell)
vmsnet.net$
works.desktop.pathworks newsgroup.4 $
UNIX$
PATHWORKS DOS.
nbserver, 1994 ,
Syntax Corp. , $
Samba.5 Sam$
ba $
$ .
1
2
3
4
http://www.samba.org
http://www.w3.org/Protocols/rfc2616/rfc2616.html
http://groups.google.com/group/vmsnet.networks.desktop.pathworks/msg/
7d939a9e7e419b9c
http://www.samba.org/samba/docs/10years.html
438
22.
,
Ipswitch $ ,
.
, ,
, .
, $
. ,
, , $
: $
. , $
$
. , $
. , HTTP, $
, . $
, , $
GET POST, HEAD, OPTIONS
TRACE .
?

. $
, . $
, $
, , $
$
.
$
,
, . ,
, $
, $ .
, , .
, , $
.
Wotsit.org, $
, .
, $
Wireshark Ethereal,
,
.
$
,
. $
, $
$
.
439

, ,
,
$
. ,
.

, , $
1 ,
ProxyFuzzer. $$
,
. 22.1.
. 22.1.
, ProxyFuzzer $
, $
. ,
2 ,
. ,
, . ,
, . 22.2.
, $
. 22.2,
, .
ProxyFuzzer
, $
,
. , $
,
1
2
Tipping Point.
IP
, .
440
22.
. 22.2.
(PCAP). , $

$
Matasanos Protocol Debugger (PDB).1
ProxyFuzzer $
, $
. ProxyFuzzer ,
;
,
ASCII . $
$
, .
. 22.3 .
, ProxyFuzzer ,
$
. , ()
, $
, .
. 22.3.
1
http://www.matasano.com/log/399/pdb+blackhat+talk+materials+as+promised/
441
ProxyFuzzer
ProxyFuzzer $
, .
, , $
( ) .
$ ProxyFuzzer

Computer Associates Brightstor.
$
, . $
$ TCP 6050

UnivAgent.exe.
igateway.exe
HTTP, TCP 5250. $
,
.
fprintf(), $ $
.
, $
; , $
ProxyFuzzer .
, $
. , , $
,
. $
, , $
, , . , $
$
, .

ProzyFuzzer.
$
.

.
, $
, . . $

442
22.
. $
.
, $
. ( TCP/IP$) $
IP$ . ,
, $
, ASCII.
, $
, ,
. 22.4, $
.
raw data
plaintext
delimited
char
binary
padded
static
TLV
XML
. 22.4.
,
SMB, , $
, , ,
, ,
.
,
(|):
|00 04|user|00 06|pedram|0a 0a 00 01|code rev 254|00 00 00 00 be ef|END
|00 04|user|00 04|cody|0a 0a 00 02|code rev 11|00 00 00 00 00 de ad|END
|00 04|user|00 05|aaron|0a 0a 00 03|code rev 31337|00 00 00 c0 1a|END
(, , ) $
$
. , $
.
443
IP$ (0a 0a 00 01 = $
IP 10.10.0.1). 4 ASCII$: , [user],
[pedram],[ code rev 254] END. $
, $,
$ , , . ,
( $
), IP$ . $
.
, ASCII$ , $
. .
, 10$ $
ASCII. , ENG,
. ,
ASCII . 0xbeef,
, $
. , $
, . , ,
,
:
;
;
IP$ ;
10$
;
$
;
ASCII .
$
. $
. $
,
. ,
, .

,
, $
. . $
runtime ( ,
), .
. $
$.
.
, , $
444
22.
. $
:
0040206C
00402072
00402079
0040207C
00402081
00402083
00402088
call ds:__imp__sscanf
mov eax, [esp+5DA4h+var_5CDC]
add esp, 0Ch
cmp eax, 3857106359
; string prefix check
jz short loc_40208D
push offset 'string'
; "access protocol error"
jmp loc_401D61
sscanf() API
. $
3857106359, , $
$
. $
.

.
.
$
PyDbg $
PaiMei.1
,
.
, $
, , $
, , , $
, , $
, .2 ,
,
,
, , , . $
$
. $
?
$

. . $
:
1
2
http://en.wikipedia.org/wiki/Bioinformatics
445
: ACAT
TACAGGA.
: ACATTCCTACAGGA.
$
. $
; , 1 (Needleman Wun$
sch (NW)), 1970 2 (Saul Needle$
man) 3 (Christian Wunsch). NW$ $

.
, . .
.
,
2004
ToorCon4 , .
(Marshall Beddoe)
Python Protocol
Informatics (PI), , , ,
Wired.5 $
, . PI $
Mu Security6,
, , $
$ . ,
$ PI Packet Storm.7
PI $
$
. $
8 (SW), NW$
, PI $
, HTTP, ICMP SMB. $
, ,
PI, , $
.
$
. $
. SW$
1
2
3
4
5
6
7
8
http://en.wikipedia.org/wiki/Needleman+Wunsch_algorithm
http://en.wikipedia.org/wiki/Saul_Needleman
http://en.wikipedia.org/wiki/Christian_Wunsch
http://www.toorcon.org
http://www.wired.com/news/infostructure/0,1377,65191,00.html
http://www.musecurity.com
http://packetstormsecurity.org/sniffers/PI.tgz
http://en.wikipedia.org/wiki/Smith+Waterman
446
22.
, $
.
NW$ . $
.
, Percent Accepted Mutation (PAM) Blocks
Substitution Matrix (BLOSUM), PI $
, .
, ,
ASCII$ ASCII.
$
. PI , $
. $

NW, , $
,
(Unweighted Pairwise Mean by
Arithmetic Averages, UPGMA).
. $
.
ICMP1
PI. $
ICMP:
# tcpdump s 42 c 100 nl w icmp.dump icmp
PI:
# ./main.py g p ./icmp.dump
Protocol Informatics Prototype (v0.01 beta)
Written by Marshall Beddoe <mbeddoe@baselineresearch.net>
Copyright (c) 2004 Baseline Research
Found 100 unique sequences in '../dumps/icmp.out'
Creating distance matrix .. complete
Creating phylogenetic tree .. complete
Discovered 1 clusters using a weight of 1.00
Performing multiple alignment on cluster 1 .. complete
Output of cluster 1
0097 x08 x00 xad x4b x05 xbe x00 x60
0039 x08 x00 x30 x54 x05 xbe x00 x26
0026 x08 x00 xf7 xb2 x05 xbe x00 x19
0015 x08 x00 x01 xdb x05 xbe x00 x0e
0048 x08 x00 x4f xdf x05 xbe x00 x2f
0040 x08 x00 xf8 xa4 x05 xbe x00 x27
0077 x08 x00 xe8 x28 x05 xbe x00 x4c
0017 x08 x00 xe8 x6c x05 xbe x00 x10
0027 x08 x00 xc3 xa9 x05 xbe x00 x1a
0087 x08 x00 xdd xc1 x05 xbe x00 x56
1
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
447
0081 x08 x00 x88 x42 x05 xbe x00 x50

0058 x08 x00 xb0 x42 x05 xbe x00 x39
0013 x08 x00 x3e x38 x05 xbe x00
0067 x08 x00 x99 x36 x05 xbe x00 x42
0055 x08 x00 x0f x56 x05 xbe x00 x36
0004 x08 x00 xe6 xda x05 xbe x00 x03
0028 x08 x00 x83 xd9 x05 xbe x00 x1b
0095 x08 x00 xc1 xd9 x05 xbe x00 x5e
0093 x08 x00 xb6 x05 xbe x00 x5c
[ output trimmed for sake of brevity ]
0010 x08 x00 xd1 xb6 x05 xbe x00
0024 x08 x00 x11 x8f x05 xbe x00 x17
0063 x08 x00 x11 x04 x05 xbe x00 x3e
0038 x08 x00 x37 x3b x05 xbe x00 x25
DT BBB ZZZ BBB BBB BBB BBB ZZZ AAA
MT 000 000 081 089 000 000 000 100
Ungapped Consensus:
CONS x08 x00 x3f x18 x05 xbe x00 ???
DT BBB ZZZ BBB BBB BBB BBB ZZZ AAA
MT 000 000 081 089 000 000 000 100
Step 3: Analyze Consensus Sequence
Pay attention to datatype composition and mutation rate.
Offset 0: Binary data, 0% mutation rate
Offset 1: Zeroed data, 0% mutation rate
Offset 6: Zeroed data, 0% mutation rate
Offset 7: ASCII data, 100% mutation rate
:
[ 1 byte ] [ 1 byte ] [ 2 byte ] [ 2 byte ] [ 1 byte ] [ 1 byte ]
:
[ 1 byte ] [ 1 byte ] [ 2 byte ] [ 2 byte ] [ 2 byte ]
$ $
ICMP$.
16$ . 100 $
, .
,
.
$
. $
, $
.1 PI $
, .
1
http://www.matasano.com/log/294/protocol+informatics/
448
22.

() $
, , . $
, $
.
, $
. ,
.
:
, ;
, $
;
, $
.
$
. , $
, $
10.
. $
, .

3 6 .
,
. $
, $
. :
1. .
2. ,
.
3. .
4. , $
.
,
() :
0100100000
1000001010
1110100111
0000001000
2
3
7
1
( )
, ( $
). 3 ,
6 :
449

1000001010
1110100111
3
7
100 + 0100111 > 1000100111

111 + 0001010 > 1110001010
1000001010
1110100111
3
7
100000 + 0111 > 1000000111

111010 + 1010 > 1110101010
(
). :
1000100111
1110001010
1000000111
1110101010
>
>
>
>
1010100111
1110000010
1000001111
1110101110
6
4
5
7
, , $
.
.
, $
$ .
, $
. , ,
.
, ,
$ .

$
(); $
BlackHat US 2006 .1 $
, Sidewinder,
. $
$, $
$ . $
. $

, API (, strcpy), $
. ,
Autodafej
, . $
(control$flow graph, CFG; $
2) ,
( recv) $
. . 22.5 CFG, $
. CFG
23 .
1
2
http://www.blackhat.com/html/bh+usa+06/bh+usa+06+speakers.html#Embleton
http://en.wikipedia.org/wiki/Context+free_grammar
450
22.
recv
strcpy
. 22.5. ,
$
, . . 22.6
CFG $
.
CFG. $
$
. ,
. . 22.7
CFG . $
.
CFU, .
, $
,
CFU . $
.
, ,
.
, . $
. $
,
, , $
.
451
recv
strcpy
. 22.6.
recv
strcpv
. 22.7.
452
22.
Sidewinder , $
$
. , $
,
. $, CFG
. ,
$
. $, $
CFG. CFG $
. ,
$
, TLV. ,
,
CRC.
, .
, Sidewinder

, ,
,
.
, $
$
. $
, , $
.
, . , $
, $
. $
23

, , ,
+ ,
.
$.,
$ CNN,
30 2000
,
, $
.
. $
, $
. ,
.
, $
. ,
, , $
, $
.
?
,
. . .
. , $
IA$32/x86 (Complex In$
454
23.
struction Set Computer1 (CISC)), 500 ,

$
.
(Reduced Instruction Set Computer (RISC)) , , ,
SPARC, 200 .2
, CISC RISC, $
$,
, . .
, C C++. , ,
,
. $
. $
, $
.
Voice over IP (VoIP)
, ,
? , $
, , $
CISK RISC
CISC ( ) $
RISC ( ); $
1970 IBM.
, RISC$$
, CISC$

. $

$ $
, Apple Mac, $
PowerPC RISC.
, ,
x86$ , $
.3
1
2
http://www.intel.com/intelpress/chapter+scientific.pdf
,
. CISC $
, RISC.
http://www.openrce.org/blog/view/575
455
,
. $
,
.
, OllyDbg, $
, $
. , $
. $
, $ VoIP , $
,
.
$
;
$
, .
, , ,
.
$
, , +
. ,
.
, ,
, $.

, ,
, $
.
() .
, $
.
,
(. 23.1).
, . 23.1, , $
sub_ 8$ , $
. $
DataRescue Interactive Disassembler Pro (IDA Pro)1,

.
.

. . 23.1 $
1
http://www.datarescue.com
456
23.
sub_00000010()
sub_00000440()
_snprintf()
sub_00000220()
sub_00000110()
sub_00000AE0()
sub_00000550()
recv()
sub_00000330()
. 23.1.
; snprintf() recv().
, sub_00000110()
sub_00000330(), recv().
CFG
CFG$
. , $
. $
: ? $
,
, .
, :
;
;
.
:
;
.
.
, $
.
.
CFG
$
sub_00000010. [el] . 23.2
. $
+.
. 23.2.
457
00000010 sub_00000010
00000010
push ebp
00000011
mov ebp, esp
00000013
sub esp, 128h
00000025
jz 00000050
0000002B
mov eax, 0Ah
00000030
mov ebx, 0Ah
00000050
xor eax, eax
00000052
xor ebx, ebx
. 23.2. + sub_00000010
$ $
. , $
0x00000010,
0x00000025.
0x0000002B, 0x00000050,
. $
CFG, . 23.2, ,
. 23.3.
00000010 sub_00000010
00000010
push ebp
00000011
mov ebp, esp
00000013
sub esp, 128h
00000025
jz 00000050
0000002B
0000002B
00000030
mov eax, 0Ah

mov ebx, 0Ah
00000050
00000050
00000052
xor eax, eax

xor ebx, ebx
. 23.3. sub_00000010
458
23.
$
.
, , . .
,
. , $
.

$
. , $
, , ,
$
. , OllyDbg $
debug\trace into debug\trace over.
PyDbg,
20 : $
, :
1. .
2. , $
.
3. $
.
4.
.
, PyDbg $
50 Python. $
, $
; .
, , $
, $
. $
.
, $
:
.

, .
, ,
$
.
459
, ,
;
?
,
. , $
.
, :
?
?
?
?
?
$
?

?
$
.
, $
. $
, .
$
IDA Pro. $
IDA. $
, ,
, .

, $ , :
? $
,
. $
, .
$
. $
PyDbg, :
1. .
2. .
3. .
460
23.
4. $
.
5. $
.
$
$
,
, OlltDbg. $
, ,
.
PyDbg
PyDbg, $
. $
. $

.
$
PyDbg $
. , $
sysenter. $
, Microsoft Win$
dows. sysenter,
, ,
(. . ).

. :
from pydbg import *
# breakpoint handler.
def on_bp (dbg):
ea
= dbg.exception_address
disasm = dbg.disasm(ea)
# put every thread in single step mode.
if dbg.first_breakpoint:
for tid in dbg.enumerate_threads():
handle = dbg.open_thread(tid)
dbg.single_step(True, handle)
dbg.close_handle(handle)
print "%08x: %s" % (ea, disasm)
dbg.single_step(True)
return DBG_CONTINUE
# single step handler.
461
def on_ss (dbg):

ea
= dbg.exception_address
disasm = dbg.disasm(ea)
print "%08x: %s" % (ea, disasm)
# we cant single step into kernel space
# so set a breakpoint on the return and continue
if disasm == "sysenter":
ret_addr = dbg.get_arg(0)
dbg.bp_set(ret_addr)
else:
return DBG_CONTINUE
# create thread handler.
def on_ct (dbg):
# put newly created threads in single step mode.
return DBG_CONTINUE
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT,
on_bp)
dbg.set_callback(EXCEPTION_SINGLE_STEP,
on_ss)
dbg.set_callback(CREATE_THREAD_DEBUG_EVENT, on_ct)
try:
dbg.attach(123)
except pdx, x:
dbg.cleanup().detach()
print x.__str__()
, ,
, $
. $
, .
, $
. $
, . ,
,
.
,
, . $
$
. $
. $
,
.
.
462
23.
$
.
, $
, $
.
( ,
. .). , $
.

, , $

, :
?
?
?
$
?
$
, $
. ,
.

, Mi$
crosoft Outlook Express Network News
Transfer Protocol (NNTP)1, 14 2005 .
$
. $
Microsoft:
Outlook
Express, .
,
, +
. +
+
. , +
.
1
463
, $
, , , IDS$
IPS$. , ,
Outlook Express NTTP$. $
, $ , $
Process Stalker.1
Process Stalker ; $

OpenRCE.2
, $
Outlook Express ,
, MSOE.DLL.
Process Stalker IDA Pro
4800 58 000 . $
, , . $
, , Process Stalker $
, Outlook
Express NTTP$. . $
, $
. $
, NTTP$
news:// URI$, Internet Explorer, $
$
Outlook Express, , $
, , $
, . NTTP$
,
. 23.4.
. 23.4.
1
2
http://www.openrce.org/downloads/details/171/Process_Stalker
https://www.openrce.org/articles/full_view/12
464
23.
,
. $
Process Stalker , $
GUI. NTTP$
Outlook Express. $
GUI
, $
NTTP$. $
91 . 1337 ,
, 747 .
58 000, , $
.
, $
,
26 . $
:
16$ .
!
$
( 1).

1PyDg, ,
$
PaiMei. PaiMei Python $
2. PaiMei $
, $
(
24 ). $
PAIMEIpstalker ( Pro$
cess Stalker, PStalker). ,
, , $
, $
. :
PyDbg: win23$, Python;

pGRAPH:
, ;
http://www.hbo.com/sopranos/
465
PIDA: pGRAPH , $
(DLL EXE), $
, $
. ,
.
PyDBG . $
PIDA . PIDA
, $
, . :
import pida
module = pida.load("target.exe.pida")
# step through each function in the module.
for func module.functions.values():
print "%08x %s" % (func.ea_start, func.name)
# step through each basic block in the function.
for bb in func.basic_blocks.values():
print "\t%08x" % bb.ea_start
# step through each instruction in the
# basic block.
for ins in bb.instructions.values():
print "\t\t%08x %s" % (ins.ea, ins.disasm)

PIDA$ .
, .
, $
. $
, ,
PyDbg PIDA $
. PaiMei $
:
: $
. process_stalker.py, ,
$
;
: WxPython $
GUI$.
pstalker;
. $
pida_dump.py IDA$, Python. $
IDA Pro .PIDA.
PStalker $
WxPython GUI , , $
466
23.
PaiMei. $
$
.
PStalker Layout
PStalker , $
PaiMei. PStalker
(. 23.5) .
. 23.5. PaiMei PStalker
Data Source
, $
PIDA. Data Exploration
. Data Capture .
:
, .
, $
.
.
PIDA .DLL$ .EXE$, $
.
.

$
.
467

.
.
,
PStalker .
$
.
PaiMei, 1, , $
PStalker.
, .

MySQL$ Con'
nections Retrieve Target List
. $
.
Available Targets. , $
.
:
Load hits. $
.
Append hits. ,
, .
Export to IDA. $
IDA .
Sync with uDraw. $
uDraw.
.
Use for stalking. $
.
.
Filter tag. $
. $
.
Clear tag. , ,
. PStalker , $
. $
.
Expand tag. $
,
( ).
1
http://pedram.openrce.org/PaiMei/docs/PAIMEIpstalker_flash_demo/
468
23.
Target/tag properties. ,
, .
Delete tag. .
PIDA PIDA,
.
, $
PIDA. $
PIDA $
. PIDA $
.

.

. . $

.
,
, $
,
PIDA.

PIDA. $
.
Retrieve List $
, .
$
. Functions
Basic Blocks .
Restore BPs ,
. . $
.
Heavy , $
.
. Unhandled Only, $
,
.
,
Attach and Start Tracking. $
.
469
$
. $
, DataRescues IDA Pro, , $
IDA Pro. , $
, .
. $
IDA Pro Make final pass , $
. , , $
,
.

,
PStalker. $
. $
. ,
.
MySQL.
: cc_hits, cc_tags, cc_targets.
, cc_targets $
, $
, :
CREATE TABLE 'paimei'.'cc_targets' (
'id' int(10) unsigned NOT NULL auto_increment,
'target' varchar(255) NOT NULL default '',
'notes' text NOT NULL,
PRIMARY KEY ('id')
) ENGINE=MyISAM;
SQL$ cc_tags,
, $
, :
CREATE TABLE 'paimei'.'cc_tags' (
'id' int(10) unsigned NOT NULL auto_increment,
'target_id' int(10) unsigned NOT NULL default '0',
'tag' varchar(255) NOT NULL default '',
'notes' text NOT NULL,
PRIMARY KEY ('id')
) ENGINE=MyISAM;
, cc_hits $
:
CREATE TABLE 'paimei'.'cc_hits' (
'target_id' int(10) unsigned NOT NULL default '0',
'tag_id' int(10) unsigned NOT NULL default '0',
470
23.
'num' int(10) unsigned NOT NULL default '0',
'timestamp' int(10) unsigned NOT NULL default '0',
'eip' int(10) unsigned NOT NULL default '0',
'tid' int(10) unsigned NOT NULL default '0',
'eax' int(10) unsigned NOT NULL default '0',
'ebx' int(10) unsigned NOT NULL default '0',
'ecx' int(10) unsigned NOT NULL default '0',
'edx' int(10) unsigned NOT NULL default '0',
'edi' int(10) unsigned NOT NULL default '0',
'esi' int(10) unsigned NOT NULL default '0',
'ebp' int(10) unsigned NOT NULL default '0',
'esp' int(10) unsigned NOT NULL default '0',
'esp_4' int(10) unsigned NOT NULL default '0',
'esp_c' int(10) unsigned NOT NULL default '0',
'eax_deref' text NOT NULL,
'ebx_deref' text NOT NULL,
'ecx_deref' text NOT NULL,
'edx_deref' text NOT NULL,
'edi_deref' text NOT NULL,
'esi_deref' text NOT NULL,
'ebp_deref' text NOT NULL,
'esp_deref' text NOT NULL,
'esp_4_deref' text NOT NULL,
'esp_c_deref' text NOT NULL,
'is_function' int(1) unsigned NOT NULL default '0',
'module' varchar(255) NOT NULL default '',
'base' int(10) unsigned NOT NULL default '0',
PRIMARY KEY ('target_id','tag_id','num'),
KEY 'tag_id' ('tag_id'),
KEY 'target_id' ('target_id')
) ENGINE=MyISAM;
cc_hits:
target_id tag_id. $
.
num. , $
, $
.
timestamp. UNIX$ (1 $
1970 , 00:00:00 GMT) , $
.
eip. , $
. $
.
471
tid. ,
eip. Windows $
, $
.
eax, ebx, ecx, edx, edi, esi, ebp esp.
$
. $
deref, ASCII$, $
. ASCII$
(stack), (heap) (global), $
. N/A , $
, $
.
esp_4, esp_8, esp_c esp_10. $
(esp_4 = [esp+4], esp_8 = [esp+8], . .).
is_function. . 1 ,
( eip) .
module. , .
base. ,
. $
eip , $
.
$
, Pstalker.

Pstalker $
. $
Gizmo Project1, VoIP Instant Messaging
(IM). . 23.6 $
Gizmo Project, .
Gizmo ,
. $
Skype2, Gizmo $
VoIP, Session Initiation Protocol (SIP RFC 3261),
. Gizmo
SIP$ . $
Gizmo VoIP.
, , $
.
1
2
http://www.gizmoproject.com/
http://www.skype.com/
472
23.
Gizmo

Map it

. 23.6. Gizmo Project
Gizmo
SIP$. , VoIP$$
, , SIP,
. $
SIP$. $
, $
, PROTOS
Test$Suite: c07$sip.1 4527 $$
, Java JAR$. $
INVITE$,
. PROTOS $
,
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
473
Codenomicon.1 SIP$
$
31 971 $.
, Utilize PStalker $
PROTOS. $
, $
.
.
$ PROTOS
20 .
:
$ java jar c07sipr2.jar h
Usage java jar <jarfile>.jar [ [OPTIONS] | touri <SIPURI> ]
touri <addr>
Recipient of the request
Example: <addr> : you@there.com
fromuri <addr>
Initiator of the request
Default: user@pamini.unity.local
sendto <domain>
Send packets to <domain> instead of
domainname of touri
callid <callid>
Call id to start testcase call ids from
Default: 0
dport <port>
Portnumber to send packets on host.
Default: 5060
lport <port>
Local portnumber to send packets from
Default: 5060
delay <ms>
Time to wait before sending new testcase
Defaults to 100 ms (milliseconds)
replywait <ms>
Maximum time to wait for host to reply
Defaults to 100 ms (milliseconds)
file <file>
Send file <file> instead of testcase(s)
help
Display this help
jarfile <file>
Get data from an alternate bugcat
JARfile <file>
showreply
Show received packets
showsent
Show sent packets
teardown
Send CANCEL/ACK
single <index>
Inject a single testcase <index>
start <index>
Inject testcases starting from <index>
stop <index>
Stop testcase injection to <index>
maxpdusize <int>
Maximum PDU size
Default to 65507 bytes
validcase
Send valid case (case #0) after each
testcase and wait for a response.
May be used to check if the target is still
responding. Default: off
http://www.codenomicon.com/
474
23.
, $
,
java jar c07sipr2.jar touri 17476624642@10.20.30.40
teardown
sendto 10.20.30.40
dport 64064
delay 2000
validcase
\
\
\
\
\
( touri).
delay Gizmo , $
, GUI $.
validance , PROTOS $
, $ .
, $
. , Gizmo $
. Gizmo, $
. 250 $.
$, !
Gizmo
[*] 0x004fd5d6 mov eax,[esi+0x38] from thread 196 caused access violation
when attempting to read from 0x00000038
CONTEXT DUMP
EIP: 004fd5d6
EAX: 0419fdfc
EBX: 006ca788
ECX: 00000000
EDX: 00be0003
EDI: 00000000
ESI: 00000000
EBP: 00000000
ESP: 0419fdd8
+00: 861c524e
+04: 0065d7fa
+08: 00000001
+0c: 0419fe4c
+10: 0419ff9c
+14: 0061cb99
mov eax,[esi+0x38]
( 68812284) > <CCallMgr::IgnoreCall() (stack)
( 7120776) > e(elllllllllllllllllllll (PGPlsp.dll.data)
(
0) > N/A
( 12451843) > N/A
(
0) > N/A
(
0) > N/A
(
0) > N/A
( 68812248) > NR (stack)
(2250003022) > N/A
( 6674426) > N/A
(
1) > N/A
( 68812364) > xN (stack)
( 68812700) > raOo|hoho||@ho0@*@b0zp (stack)
( 6409113) > N/A
disasm around:
0x004fd5c7
0x004fd5c9
0x004fd5ca
0x004fd5ce
0x004fd5d4
0x004fd5d6
0x004fd5d9
xor eax,esp
push eax
lea eax,[esp+0x24]
mov fs:[0x0],eax
mov esi,ecx
mov eax,[esi+0x38]
push eax
475

0x004fd5da
0x004fd5de
0x004fd5df
0x004fd5e4
lea eax,[esp+0xc]
push eax
call 0x52cc60
add esp,0x8
SEH unwind:
0419ff9c > 006171e8: mov edx,[esp+0x8]
0419ffdc > 006172d7: mov edx,[esp+0x8]
ffffffff > 7c839aa8: push ebp
touri dport , $
5060 ( SIP$)
Gizmo.
. 23.7 $
.
17476624642 Gizmo, 64064
SIP$.
, , $
, .
.
. 23.7. sip+ Gizmo
SIP, $
. , , $
SIPPhoneAPI.dll.
IDA Pro
pida_dump.py SIPPhoneAPI.pida. $
,
. PaiMei $
476
23.
. PaiMei
$.1 (. 23.8) $
Gizmo Idle,
Gizmo .
,
,
. Idle (. 23.9)
SIPPhoneAPI PIDA (. 23.10).
. 23.8. PaiMei PStalker
. 23.9. Idle
1
http://pedram.openrce.org/PaiMei/docs/
477
. 23.10. SIPPhoneAPI PIDA
. 23.11.
,
.
. 23.11 ,
. Refresh Process List $
. $
Gizmo, .
Coverage Depth Basic Blocks $
. . 23.10,
25 000 . ,
, ,
, .
Restore BPs , $
. , $
.
, Heavy. ,

. ,
,
$ .
478
23.
Start Stalking
Gizmo . $
,
PaiMei. $
PStalker. $
:
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
...
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
Stalking module sipphoneapi.dll

Loading 0x7c900000 \WINDOWS\system32\ntdll.dll
Loading 0x7c800000 \WINDOWS\system32\kernel32.dll
Loading 0x76b40000 \WINDOWS\system32\winmm.dll
Loading 0x77d40000 \WINDOWS\system32\user32.dll
Loading 0x77f10000 \WINDOWS\system32\gdi32.dll
Loading 0x77dd0000 \WINDOWS\system32\advapi32.dll
Loading 0x77e70000 \WINDOWS\system32\rpcrt4.dll
Loading 0x76d60000 \WINDOWS\system32\iphlpapi.dll
Loading 0x77c10000 \WINDOWS\system32\msvcrt.dll
Loading 0x71ab0000 \WINDOWS\system32\ws2_32.dll
Loading 0x71aa0000 \WINDOWS\system32\ws2help.dll
Loading 0x10000000 \Internet\Gizmo Project\SipphoneAPI.dll
Setting 105174 breakpoints on basic blocks in SipphoneAPI.dll
Loading 0x16000000 \Internet\Gizmo Project\dnssd.dll
Loading 0x006f0000 \Internet\Gizmo Project\libeay32.dll
Loading 0x71ad0000 \WINDOWS\system32\wsock32.dll
Loading 0x7c340000 \Internet\Gizmo Project\MSVCR71.DLL
Loading 0x00340000 \Internet\Gizmo Project\ssleay32.dll
Loading 0x774e0000 \WINDOWS\system32\ole32.dll
Loading 0x77120000 \WINDOWS\system32\oleaut32.dll
Loading 0x00370000 \Internet\Gizmo Project\IdleHook.dll
Loading 0x61410000 \WINDOWS\system32\urlmon.dll
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
debugger
hit
hit
hit
hit
hit
hit
hit
hit
hit
hit
hit
hit
hit
hit
10221d31
10221d4b
10221d67
10221e20
10221e58
10221e5c
10221e6a
10221e6e
10221e7e
10221ea4
1028c2d0
1028c30d
1028c369
1028c37b
cc
cc
cc
cc
cc
cc
cc
cc
cc
cc
cc
cc
cc
cc
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12
#13
#14

. , $
, SIP,
Gizmo, .
,
479
Use for Stalking.

Idle Filter Tag. $
, . $
. . 23.12
, 4527 $ PROTOS.
. 23.12.
, PROTOS 6% 9% $
SIPPhoneAPI. $
, ,
$ .
$ , $
, ,
. , $
,
$. , Gizmo
$ PROTOS $
, Gizmo ,
.
$
, .
, PROTOS 1/7 $
, , $
7 ? , . ,
, $
.
,
?
.

, .
QA $
480
23.
, $
, $
.
, $
$, Codenomicon. $
,
, . $
:
.
, $
. $
, $
, ,
. .
, , $
, VoIP, ,
. $
, $
. ,
: VoIP 45 000 $
$. $
? , 45 000 $ 5000
. , , $
$
. , $
. $
$
: VoIP
45 000 $, 90% .
QA$ , $
$. $
. , $
, $, $
, parse_sip(). $
, , ,
, . $
. $
$
, .
,
,
$
. QA$ $
, . $
QA , $
481
,

.
, .
, $
, ,
.
, $
. ,
, . ,
, ,
.

, ,
.
$
.
$
, , , $
. , , $
, . ,
, $
$.

.
. 18.5.2
3B1 2
Intel IA32, Pentium 4 Xeon
:
BTF (single*step on branches) flag (bit 1)
TF EFLAG
,
. $
, (.
18.5.5 , $
).
, , $

.
1
2
ftp://download.intel.com/design/Pentium4/manuals/25366919.pdf
http://www.intel.com/products/processor/manuals/index.htm
482
23.
,
. , $
,

. , $
,
.
, ;
$ .
. $
PyDbg, ,
Branch Tracing with Intel MSR Registers1 OpenRCE $
. $
.

( ). ,
, ; $
, , $
. ,
. , ,
, . 23.13.
. 23.13.
, $
A, B, D $. $
? ,
$? $
http://www.openrce.org/blog/view/535
483
, $
, :
ABD
ABCD
ACD
, , $
, .
, , ,
66% .
$.
$
, , $
Python. , $
$
.
, $
. : ? $
: ?
, $
.
PaiMei
Pstalker . ,
. $
, .
$
.
$
,
, $
.
24

, .
$.,
, ,
31 2000
, . , .
, , $
. , $
. ,
$
. :
. $
, , , $
, $
.
$
, .
, , $

(dynamic binary instrumentation (DBI)). , $
, , , $
, , .
485

, 50 000
IMAP$,
IMAP$ ,
$? . .
, $ , $
, $
. , , .

$. , , $
$, PROTOS $
. IMAP, ,
, $ :
x001 LOGIN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
x001 LOGIN %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
TCP$
$ 143 ( IMAP$). $
, $ $
. , Codenomi$
con, , $
($ ) $. $
:
for case in test_cases:
fuzzer.send(case)
if not fuzzer.tcp_connect(143):
fuzzer.log_fault(case)
,
. , ,
paimei whiteeyebrow IMAP$, $
, , $
paimei.
,
$.
:
for case in test_cases:
fuzzer.send(case)
if not fuzzer.imap_login("paimei", "whiteeyebrow"):
fuzzer.log_fault(case)
, , $
, $
. .
, , , IMAP$$
500$ $ . !
486
24.
, !
, ,
, 500$ $, , $
, . ? $
. , , $
$ IMAP$$
, 500$ $ $
. 500$ $
.
, +
.
: , $ $
1$ 499$ IMAP$, 500$ $
, , $
. ,
. :
# find the upper bound:
for i in xrange(1, 500):
for j in xrange(1, i + 1):
fuzzer.send(j)
fuzzer.send(500)
if not fuzzer.tcp_connect(143):
upper_bound = i
break
fuzzer.restart_target()
# find the lower bound:
for i in xrange(upper_bound, 0, 1):
for j in xrange(i, upper_bound + 1):
fuzzer.send(j)
fuzzer.send(500)
if fuzzer.tcp_connect(143):
lower_bound = i
break
fuzzer.restart_target()

,
.
1$ n$ , 500$, n 1.
, $
.
. $
$, $
500$
487
. , , , $
, $
$. , , $
$ 15$ 20$ 500, $
15$ 20$ $
. .
$
. ,
, . ,
, .
?

, , $
.
. , ,
, $
, .
, , $
. $
, . $
, ,
, $ .
,
. $

. , $
.
, , $
,
$
.
IMAP$. $
,
, ,
. $
, . $
, $
, :

;
.

. C
488
24.
0x12FFFEEE
arg2
arg1
EIP
EBP
int x
char buf[16]
int y
0x12000000
. 24.1.
, , $
. 24.1.
void taboo (int arg1, char *arg2)
{
int x;
char buf[16];
int y;
strcpy(buf, arg2);
}
, $
, $
,
.
taboo() , $
. CALL $
(
EIP) . , , $
. $
($
EBP) . ,
($
ESP). ,
. 24.1.
489
. 24.1,
.
. arg2 16 ($
buf), strcpy()
buf , $
x, ,
, . . $
, arg2 A, EIP $
0x41414141 (0x41 $
ASCII$ A).
taboo() , RETN $
EIP $
, 0x41414141.
0x41414141
.
, $
0x41414141 $
ACCESS_VIOLATION. , $
arg2, 16, 20 ,
.
, $

(NX1) , $
0x4141414 ACCESS_VIO$
LATION. ,
, . , $
. $
.
$
C, (. . 24.1):
void taboo_two (int arg1, char *arg2)
{
int *x;
char buf[] = "quick brown dog.";
int y = 10;
x = &y;
for (int i = 0; i < arg1; i++)
printf("%02x\n", buf[i]);
strcpy(buf, arg2);
printf("%d\n", *x)
}
http://en.wikipedia.org/wiki/NX_bit
490
24.
, $
,
x y. $
buf, $
arg1. $
, ,
, 16 printf().
, , $
, .
x,
, $
, . . arg1
ACCESS_VIOLATION ,

, ,
, $
.
, $
. , , , arg2
20 A ( 4 , buf),
$ x; $
,
. , printf(), $
, $
ACCESS_VIOLATION 0x41414141.
, $
, $
:
void syslog_wrapper (char *message)
{
syslog(message);
}
API$ syslog() $
.
syslog() ,
message, , ,
. $
, $
, , . , $
%s%s%s%s%s, 5
,
. $
%s ACCE_VIOLATION.
, , $
, NULL$, ,
491
NULL. , $
$
.
$
C, (. . 24.1):
void taboo_three (int arg1, char *arg2)
{
int x;
char buf[] = "quick brown dog.";
int y;
buf[arg1] = \0;
}
, $
, , $
buf , arg1. $
, 16 $
.
, , $
, , .
, ,
.
;
, , $
:1
char *A = malloc(8);
char *B = malloc(16);
char *C = malloc(24);
strcpy(A, "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP");
free(B);

, .

, $
. 24.2.
. 24.2.
http://doc.bughunter.net/buffer+overflow/free.html
492
24.
strcpy(), ,
A, ,
P. ,
. $
? free(B)
B A C. :
B>backward>forward = B>forward
B>forward>backward = B>backward

, , strcpy(),
B 0x50505050 (0x50 $
ASCII$ P). $
.

,
.
. $
, $
$
C$
.1 $

, .
,
, $
, $

DoS. , $
, .
1
http://www.cs.drexel.edu/~spiros/research/papers/WCRE03a.pdf

, $
$
, $
. , , ,
, $
493
, $
. $
.
, . . ,
, .
, , , $
, , $
. A
0x41414141.
, , $
ACCESS_VIOLATION; $
, . $
, $
, , .
4
, ?

( 0x800000000xFFFFFFFF),
.
, $
. , $
%s, $
.
%s ,
, , $
, .
? , $
,
%n .
%n ,
$
. %n, %s, $
, $
. %n%s
, %n $
(. 6 )
, .
6
.

,
,

494
24.
. ,
,

. , $
PaiMei.1 $
,
, . 24.3. ,
Windows$, ,
, Intel IA$32.
. 24.3.

, , $
IMAP$.
, .
. $
,
,
, $
, , $
. , $
Python:
from pydbg import *
import utils
def av_handler (dbg):
crash_bin = utils.crash_binning.crash_binning()
crash_bin.record_crash(dbg)
https://www.openrce.org/downloads/details/208/PaiMei
495
# signal the fuzzer.

print crash_bin.crash_synopsis()
dbg.terminate_process()
while 1:
dbg = pydbg()
dbg.set_callback(EXCEPTION_ACCESS_VIOLATON, av_handler)
dbg.load(target_program, arguments)
dbg.run()
PaiMai $
, , Python .
,
$
Windows PyDbg1.
. PaiMei.utils2 ,
. $
crash_binning, .
while, $
PyDbg av_handler()
ACCESS_VIO$
LATION. , $
, .
$
.
$
, , .
$
run() ( debug_event_loop()).
$
av_handler().
$
PyDbg.
PaiMei$ crash_binning.
, $
. , , $
record_crash():
. , ,
, ACCESS_VIOLATION.
. , ,
.
1
2
http://pedram.redhive.com/PaiMei/docs/PyDbg/
http://pedram.redhive.com/PaiMei/docs/Utilities/
496
24.
. , $
.
. $
, . 4
1234
0xDEADBEEF 0xC0CAC01A
.
64 Windows
32$ Win$
dows ,
. .
EBP. $
EBP. $
EBP+4. $
(TEB), FS1: FS[4] $
FS[8] .
, $
, EBP$ .

, , $
EBP $
. EBP$ $

EBP:
MOV EAX, [EBP0xC]
; EBPbased framing
MOV EAX, [ESP+0x440xC] ; frame pointer omitted
, $
,
. Microsoft 64$$
,
MSDN.2 , $
( $
)
, Portable Executable$$
(PE)3, .
1
2
3
http://openrce.org/reference_library/files/reference/Windows%20Me+
mory%20Layout,%20User+Kernel%20Address%20Spaces.pdf
http://msdn2.microsoft.com/en+us/library/7kcdt6fy.aspx
http://www.uninformed.org/?v=4&a=1&t=sumry
497
. .
. , .
. $
, . $
.
. .
32$$
Windows$, , $
, . $
23 $
.
SEH+. (Structu$
red Exception Handler (SEH)). ,
, ,
, ,
.
,
, $ , $
.
, , $
$.
, , $
, record_crash(), $
, . while $
. PyDbg,
20 : .
, . PyDbg
$
. , .
, $
, $
, , $, .
,
.
.

IMAP, . $
: , 50 000 $
$. $
, 1000 $
. $
, , .
:
498
24.
Test case 00005: x01 LOGIN %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=11223300 ECX=FFFF7248
EIP=0x00112233: REP SCASB
Test case 00017: x01 AUTHENTICATE %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=00000000 ECX=FFFFFF70
Test case 00023: x02 SELECT %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=47392700 ECX=FFFEEF44
. $
$
( ). , $
, ,
$ , $
. ,
REP SCASB, $
, 1000 .
.
. SCASB IA$32
, AL (
EAX). AL=0.
REP ECX,
ECX 0. ECX
. ,
. ,
.
. 1000 $, ,
,
( ).
(, ). ? , .
, PaiMei$ crash binning
.

.
record_crash() $
. . $

1000 50 000 $ :
50 000 $ 650 0x00112233,
300 0x11335577, 20 0x22446688 . . $
:
from pydbg import *
import utils
499
crash_bin = utils.crash_binning.crash_binning()
def av_handler (dbg):
global crash_bin
crash_bin.record_crash(dbg)
for ea in crash_bin.bins.keys():
print "%d recorded crashes at %08x" % \
(len(crash_bin.bins[ea]), ea)
print crash_bin.crash_synopsis()
dbg.terminate_process()
while 1:
dbg = pydbg()
dbg.set_callback(EXCEPTION_ACCESS_VIOLATON, av_handler)
dbg.load(target_program, arguments)
dbg.run()
,
. : $
$
.
,
. $
,
. $
,
crash_synopsis().
$
$
, . $
. $
$
, (. 24.4).
. 24.4
.
. $
, . $
50 000 $ 650
0x00112233, 300 0x11335577, 20
0x22446688 50 000 $ 650
0x00112233, 400 x, y, z, 250 a, b, z
. . , $
.
500
24.
0x33234567
0x77234567
0x66234567
0x11234567
0x55234567
0x11234567
0x22234567
0x44234567
logger()
0x00112233
0x11335577
0x22446688
. 24.4.
0x00112233 0x11335577. $
,
.
logger(). ? , $
.

IMAP$, , $
IMAP$
. , $
,
. $
.
:
.
, , Mi$
crosoft Windows , $
501
.1 ,
. , ,
. , $
, , .
, $
, . $
, $
, EXCEPTION_DEBUG_INFO.2
PyDbg $
:
def access_violation_handler (dbg):
if dbg.dbg.u.Exception.dwFirstChance:
# first chance
else:
# last chance
dwFirstChance , $

. $
? , ,
. , ,
IMAP$
$
logger():
void logger (char *message)
{
try
{
// format string vulnerability.
fprintf(log_file, message);
}
except
{
fprintf(log_file, "Log entry failed!\n");
}
try/except fprintf() $
. , fprintf() $
, fprintf() .
, $
, IMAP$
1
2
http://msdn.microsoft.com/msdnmag/issues/01/09/hood/
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/wcecore+
os5/html/wce50lrfexceptiondebuginfo.asp
502
24.
. , $
! , .
, , $

. $
, . $
, .
, $
, $

.
.

. ,
5 ,
DBI. , $
,
. , $
, $
. DBI $
.
23 , $
,
, , $
. DBI
, $
$ .

. $
$
RISC$ .
DBI
$ . API DBI $

.

DBI$, DynamoRIO1, DynInst2 Pin3. DynamoRIO,
,
HewlettPackard. DynamoRIO $
1
2
3
http://www.cag.lcs.mit.edu/dynamorio/
http://www.dyninst.org/
http://rogue.colorado.edu/pin/
503
IA$32 Microsoft Windows,

Linux. DynamoRIO ,
,
Memory Firewall1 Determina2. $
DynamoRIO Determina
, Se$
cure Execution Via Program Shepherding ( $
).3 PinDBI , , $
DBI$, $
, , $
DBI.
DBI
:
, $
. $
:
char *A = malloc(8);
char *B = malloc(16);
char *C = malloc(24);
strcpy(A, "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP");
free(B);

,
strcpy(). , $
. $
.
$
$
, free().
DBI $
.
$
.
,
.
$
.
, , .
,
DBI, . , $
1
2
3
http://www.determina.com/products/memory_firewall.asp
http://www.determina.com/
http://www.determina.com/products/memory_firewall.asp
504
24.
. $
, IBM Rational Purify1, Compuware DevPartner
BoundsChecker2, OC Systems RootCause3 Parasoft Insure++4. Purify,
, Static Binary Instrumentation (SBI), BoundsChe$
cker SBI DBI. ,
$
. , $
Valgrind5. Valgrind
DBI, ,
Memcheck, $
. Valgrind
, $
Annelid.6
, $
$, $
.

, $
. DBI, DBI$
, $
.
, ,
$
$. $
, $ , $
, .
$

.
1
2
3
4
5
6
http://www+306.ibm.com/software/awdtools/purify/
http://www.compuware.com/products/devpartner/visualc.htm
http://www.ocsystems.com/prod_rootcause.html
http://www.parasoft.com/jsp/products/home.jsp?product=Insure
http://valgrind.org/
http://valgrind.org/downloads/variants.html?njn
IV

25.
26.
25

: ?
$.,
, ,
11 2000
, $
, ,
.
, $
: , $
. $
(SDLC, software development life$
cycle) , $
.

$ $
$
,
, SDLC. Microsoft $
Trustworthy Computing Security
Development Lifecycle (
, ).1 $
1
http://msdn.microsoft.com/library/default.asp?url=/library/en+us/dnsecure/
html/sdl.asp
508
25.

, , $
, $
(Security Development Lifecycle, SDL). Microsoft
SDL, SDLC; $
. 25.1.
. 25.1. SDLC SDL Microsoft
, Microsoft
SDLC. $
, $
SDLC.
SDLC,
. ,
$

.
SDLC ,
(Winston Royce)1 $
1
http://en.wikipedia.org/wiki/Waterfall_process
509
. $
: $
. . 25.2.

.
Microsoft
, Microsoft
SDLC. Microsoft
, , $
. , Mi$
crosoft , $
,
.
, , Microsoft Internet Information Services (IIS)1,
$ Microsoft. 14 $
5.x.2 6.x,
2003 , 3, $
.
$
$
/GS4, (Data Execution
Prevention, DEP) $
(Safe Structured Exception Handling, SafeSEH)5; $
Windows Vista $
(Address Space
Layout Randomization, ASLR).6 Microsoft $
$
, , Secure Windows Initia$
tive.7 , $
$
, .
1
2
3
4
5
6
http://www.microsoft.com/WindowsServer2003/iis/default.mspx
http://secunia.com/product/39/?task=advisories
http://secunia.com/product/1438/?task=advisories
http://msdn2.microsoft.com/en+US/library/8dbf701c.aspx
http://en.wikipedia.org/wiki/Data_Execution_Prevention
http://www.symantec.com/avcenter/reference/Address_Space_Lay+
out_Randomization.pdf
http://www.microsoft.com/technet/Security/bestprac/secwinin.mspx
510
25.
. 25.2.
,
. $
, $
. SDLC , $
,
,
.
$
. $
,
. $
,
.
, $
. $
, .
, $
. ,
. , $
Linux, .
Windows,
ActiveX,
$? ,
COM$.
$
SDLC. , , $
511

, , , $
$
(Extensible Messaging and Presence Protocol, XMPP). $
XML$,
1999 Jabber.1
.
$
XMPP XMPP .

. , $

. , ,
.
, . $

, , $ $
. ,
.
$
.
,
. $
$
.

,
. $
, . $
ActiveX, .
19 20
: ,
. $
$
,
, , $
.
, $
, $
, $
http://www.jabber.org/
512
25.
. ,
, , $
. ,
, $
,
. ,
SLDC ,
. ,
.
, $
. $
, . . . $
, $
. ,
, SLDC, . .
.
,
, $
, . SDLC $
$
, $
, .
,
$
, . $
. ,
$
, $
, $
. $
, , $
, , ,
.
, $
, , $
, , $
. $
, ,
, . $
, $
. ,
513
$
$
. , $
, ,
$ . ,
32$ , 64$.
,
.
$
.
, ,
. $
,
, $
,
.
SDLC
, $
,
. , $
, SDLC , $
. , $

. .
$
SDLC, .
$
. $
, .

, $
$
, .
$
(IDE), $
. , Microsoft Visual Studio IDE $
C# Visual Basic Windows, Eclipse
Java $
.
IDE$$
,
514
25.
. DevInspect1
SPI Dynamics, ,
. DevInpect , $
Visual Studio Eclipse ,
, $
ASP.Net Java .

$
, . , , $
$ ,
,
.
, $
, .
$
. , $
$
. ,
, .
, $
. $
, ,
,
,
. $
. $
.

$ .
$
$
.
SDLC. $
. SDLC $
,
. , Microsoft
BlueHat Security Briefings2,
.
1
2
http://www.spidynamics.com/products/devinspect/
http://www.microsoft.com/technet/security/bluehat/sessions/default.mspx
515
$
SDLC.
, , $
, . 25.3.
,

$
.
, $

,
.
100X
15X
6.5X
1X
. 25.3. SDLC
, $
: , $
. ,
, . $
,
.
$
SDLC. $
, .
,
,
.
26

, .
$.,

3 11 .
, ,
20 2001
?
,
SDLC. $
, ,
, $
.
, , $
.

,
. $
$
. Microsoft $

SDLC, ,
$
.
, .
517
beSTORM1 Beyond Security

beSTORM ,
$
. Beyond Security
, $ SecuriTeam2, $
. , $
beSTORM, :
HTTP Hypertext Transfer Protocol ( $
)
FrontPage
DNS Domain Name System ( )
FTP File Transfer Protocol ( )
TFTP Trivial File Transfer Protocol ( $
)
POP3 Post Office Protocol v3 ( )
SIP Session Initiation Protocol ( )
SMB Server Message Block ( )
SMTP Simple Mail Transfer Protocol (
)
SSLv3 Secure Sockets Layer v3 ( )
STUN Simple Traversal of User Datagram Protocol (UDP) Through
Network Address Translators (NATs) ( UDP
( ) NAT
( ))
DHCP Dynamics Host Configuration Protocol ( $
)
beSTORM Windows, UNIX Linux $
.3

. be$
STORM ,
UNIX Linux. . 26.1 $
beSTORM.
1
2
3
http://www.beyondsecurity.com/
http://www.securiteam.com/
http://www.beyondsecurity.com/beSTORM_FAQ.pdf
518
26. ,
. 26.1. beSTORM Beyond Security
BPS1000 BreakingPoint Systems1

BreakingPoint . $
, . BPS$
1000 ,
5 TCP 500 000 (. 26.2). $
BPS$1000 ,
.
. 26.2. BPS+1000 BreakingPoint Systems

1
http://www.breakingpointsystems.com/
519
BPS$1000 AC$
,
$.
Codenomicon1
Codenomicon , ,
. Codenomicon
PROTOS2, , $
. (, ). PROTOS $
2002 , $
,
SNMPv1. PROTOS
SNMPv1 $
.
, $
, , $
, .3
, $
, ,
. $
PROTOS SNMPv1 ,
, $
$
.4 PROTOS
$
, :
WAP Wireless Application Protocol ( $
)
HTTP Hypertext Transfer Protocol ( $
)
LDAPv3 Lightweight Directory Access Protocol v3 (
)
SNMPv1 Simple Network Management Protocol v1 ( $
)
SIP Session Initiation Protocol ( )
H.323 , $
1
2
3
http://www.codenomicon.com/
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
#h+ref2
http://www.cert.org/advisories/CA+2002+03.html
520
26. ,
ISAKMP Internet Security Association and Key Management Proto$

col ( $
)
DNS Domain Name System ( )

, PROTOS.

, $
, . 26.3.
Codenomicon
( ). $
$30 000 .
, $
, $
, , , , $

. $
. Codenomicon $
, ,
. 24 $
. 26.3. Codenomicon DNS
521
, $
.
GLEG ProtoVer Professional1

GLEG , Vuln$
Disco2, ,
$
CANVAS3 Immunity, Inc. GLEG
, $
VulnDisco.
ProtoVer Professional; Python. $
:
IMAP Internet Message Access Protocol ( $
)
LDAP Lightweight Directory Access Protocol ( $
)
SSL Secure Sockets Layer ( )
NFS Network File System (
)
,
GUI $, . 26.4.
ProtoVer $
. $4500 $
.
.
Mu Security Mu4000
Mu Security Mu$40004, $
,
. Mu$4000 $
, BreakingPoint,
$ ,
. $
Mu$4000 $
Linux,
Mu ,
. Mu ,
. , DHCP,
. 26.5.
1
2
3
4
http://www.gleg.net/protover_pro.shtml
http://www.gleg.net/products.shtml
http://www.immunitysec.com/products+canvas.shtml
http://www.musecurity.com/products/mu+4000.html
522
26. ,
. 26.4. GLEG ProtoVer Professional: +
. 26.5. Mu SecurityMu+4000
523
Security Innovation Holodeck

Holodeck1 Security Innovation $
,
$
, Microsoft Windows.
, $
, .
:
,
COM;
, $
, .
Holodeck $1495
API, $
$
. Holodeck . 26.6.
, , $
$
. ,
. $
.
,
$ .
. 26.6. Holodeck Security Innovation
http://www.securityinnovation.com/holodeck/
524
26. ,

, ,
, $
.
$ , , $
. $
.
, , $
, $
. , $
. $
.
, ,
? 23 $
,
. , $
.
. $
,
,
$
. ,

$,
$
. , $
.

, , $
; $
. $
, ,
, ,

. $
$
, $
, $
. ,
, Microsoft Visual Studio Eclipse. $
$
525
$
, IBM Mercury. , $
,
.
DevInspect SPI Dynamics QAInpect,
.
? $
, .
$
. $
, , $
, $
,
. $
, .

, $

,
.
, $
24. $
. ,
.

. , $
( 24), IBM, Compuware, Para$
soft OC Systems , ,
, .
, , $
. $
, $
. ,
$
. ? $
, , $
$
: $
, .
Accept, , 143
Accept$Encoding, , 143
Accept$Language, , 143
ActiveX, , 304
Adobe Acrobat PDF,
, 313
WinZip FileView, 317
, 304
, 307
, 316
, 309
, 317
, ,
, 312
, 316
, 292
Adobe Acrobat PDF
, 313
, ,
211
AIM (AOL Instant Messenger), ,
73
, 74
, 75
, 75
ap.getPayload(), , 373
apKeywords(), , 371
Apple Macbook, , 247
argv, , 125
ASCII, , 221
ASP (application service provider), 135
ASP.Net, 137
Autodafej, 387
av_handler(), , 495
AWStats Remote Command Execution
Vulnerability, $, 139
AxMan, 49
BeginRead(), , 174
BeginWrite(), , 174
beSTORM, 161, 517
BinAudit, 43
BindAdapter(), , 278
bit_field, , 395
Blaster, , 244
BoundsChecker, 504
bp_set(), , 350
BreakingPoint, 518
btnRequest_Click(), , 175
BVA (boundary value analysis), 45
byref(), , 336
C
cc_hits, , 469
CCR (
), , 100
cc_tags, , 469
CFG (control$flow graph)

, 450
, 450
, 449
CFG (control$flow graphs), 456
$,
456
CGI (Common Gateway Interface), 136
CISC (Complex Instruction Set Computer),
, 454
clfuzz, 61
Code Red, , 244
Codenomicon, 64, 519
, 47
HTTP, 161
COM (Component Object Model), 303
527

ActiveX,
Adobe Acrobat PDF,
, 313
, 305
Raider, 292
VARIANT, , 313
, 304
, 304
, 304
commands, , 119
Common Gateway Interface (CGI), 136
Computer Associates Brightstor,

, 441
CONNECT, , 146
Connection, , 144
ContinueDebugEvent(), , 340
Convert, 385
Cookie, , 144
cookies, 150
crashbin_explorer.py, , 423
CRC (Calculating Cyclic Redundancy
Check), , 369
CREA, , 266
CreateFile(), , 318
CreateProcess(), , 36, 318
CreateProcess, , 338
create_string_buffer(), , 336
CSRF (Cross$Site Request Forgery), 155
CSS (Cascading Style Sheet)
CSSDIE, , 48, 65, 293
, 294
CSSDIE, 48, 65, 293
ctypes, , 335
D
DataRescue Interactive Disassembler Pro
(IDA Pro), 455
DBI (Dynamic Binary Instrumentation),
91, 502
DynamoRIO, 502
Pin, 502
, , 503
, 503
, 91
DebugActiveProcess(), , 338
DEBUG_EVENT, , 340
DebugSetProcessKillOnExit(), ,
338
DELETE, , 146
DevInpect, , 514
Dfuz, 373
, 373
, , 374
, , 376
, , 375
, 376
, 374
DHTML ( HTML), 48
Distributed COM (DCOM), 304
DOM (Document Object Model), 305
DOM$Hanoi, 65
DoS (Denial$of$service)
$, 299
$, 153
DownloadFile(), , 318
Dynamic Data Exchange (DDE), 304
DynamoRIO, , 502
E
Enterprise Resource Planning (ERP), 139
ERP (Enterprise Resource Planning), 139
Ethereal, , 351
Excel, , eBay, 219
Execute(), , 318
eXternal Data Representation (XDR), 249
F
File Transfer Protocol (FTP), 72, 377
FileAttributes, (Flash), 392
FileFuzz, 62
ASCII, , 221
, , 223
, 219
, 240
, 220
, 221

, 222
, 89
, 236
, 229
, 230
, 231
, , 230

, 233
, 229
, 230
528
, 229
, , 229
, 217
, 240
find, , 115
Flash, 298
flatten(), , 396
FTP (File Transfer Protocol), 379
func_resolve(), , 350
fuzz_client.exe, 350
fuzz_server.exe, 350
OllyDbg, 352
WS2_32.recv(),
, 352
, 362
, 355
, 352
, 361
, 352
fuzz_trend_server_protect_5168.py, 431
G
GDB (GNU Debugger), 42, 118
GDI+ , ,
236
GET, , 145
GetCurrentProcessId(), , 335
getenv, , 118119
getopt, , 125
GetThreadContext(),
, 344
GetURL(), , 318
Gizmo Project, , 471
SIP
, 475
, 472
, 476
, , 476
, 478
, 479
, 471
, 472
, , 476
GNU Debugger (GDB), 42, 118
GPF (General Purpose Fuzzer), 384
H
Hamachi, 48, 65
handler_bp(), , 350
HEAD, , 145

HewlettPackard Mercury LoadRunner,
, 282
Holodeck, 523
Host, , 144
HTML (Hupertext Markup Language)
, 168
, , 290
HTTP (Hypertext Transfer Protocol)
, , 167
, 156
, 154
, 149
I
IAcroAXDocShim, , 314
IBM
AIX 5.3, , 131
ICMP, , 446
IDA (Interactive Disassembler), 41
IDA Pro (DataRescue Interactive Disas$
sembler Pro), 455
IDE (
), 513
iFUZZ, 61
getopt, , 126
argv, 125
getenv,
, 126
/
,
125
, 132
, 127
Fork, Exe$
cute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace, 129
, 131
, 124
, 130
IID (ID ), 305
Inspector, 43
INT3, , , 341
IObjectSafety, , 311
Ipswitch
I$Mail
, 437
Imail
529

Web Calendaring,
, 179
Whatsup Professional,
SQL, 182
Whatsup Professional SQL Injection
attack, 139
J
Java, 137
JavaScript, 137
K
kill bitting, 312
L
libdasm, , 97
libdisasm, , 97
Libnet, , 98
LibPCAP, , 98
LogiScan, 43
M
Macbook, , 247
Macromedia Flash, 298
mangleme, 65
Matasanos Protocol Debugger, 440
MATRIX, , 397
Metro Packet Library, 98
Microsoft
NDIS, , 274
SAMBA, 437
Windows
Live/Office Live, 135
, 321
, 509

(MSRPC), 63

, 31
Excel, , eBay, 219

GDI+ , 218,
236
Outlook Express NTTP,
, 463
Outlook Web Access Cross$Site
Scripting, 138
PNG, 218
WMF, 218
, 38
, 243
MLI (mutation loop insertion), 327, 333
MMalloc(), , 103
MSRPC (
), 63
Mu Security, 49
Mu$4000, 521
Multiple Vendor Cacti Remote File Inclu$
sion Vulnerability, $, 139
mutation loop insertion (MLI), 333
N
NDIS, , 274
Netcat, 72
Network News Transfer Protocol (NNTP),
462
NMAP (NetMail Networked Messaging
Application Protocol), 255
SPIKE NMAP, ,
263
, 255
NNTP (Network News Transfer Protocol),
462
notSPIKEfile, 62
UNIX, 207
, 203
forking off/
, 205
UNIX, 208
, 201
, ,
211
$, 208
, 201

, 202

RealPix, 212
, 214
NW (Needleman Wunsch), ,
445
O
OASIS (

), 77
ODF (OpenDocument format), 77
Office Live, 135
530
OllyDbg, 352
WS2_32.recv(), ,
352
, 354
, 354
, 355
, 355
OnReadComplete(), , 174
open XML, , 78
OpenDocument format (ODF), 77
OpenSSH,
, 246
OPTIONS, , 146
OSCAR (
), 73
, 463
OWASP (WebScarab), 64
P
PAGE_EXECUTE, , 322
PAGE_EXECUTE_READ, , 322
PAGE_EXECUTE_READWRITE,
, 322
PAGE_NOACCESS, , 322
PAGE_READONLY, , 322
PAGE_READWRITE, , 322
PaiMei, 464
PIDA, , 465
PaiMei,
ActiveX, 318
PaiMei,
, 464

, , 494
, , 497
crash binning, 498
SWF, 402
PAIMEIfilefuzz, 62
PAM (Percent Accepted Mutation), 446
parse(), , 325
Pattern Fuzz (PF), 385
PDB (Protocol Debugger), 440
PDML2AD, 389
Peach, , 381
, 381
, 382
, 383
, 381
, 382

, 382
Percent Accepted Mutation (PAM), 446
PF (Pattern Fuzz), 385
PHP (Hypertext Preprocessor), 136
phpBB Group phpBB Arbitrary File Dis$
closure Vulnerability, $, 138
PI (Protocol Informatics), 445
PIDA, , 465
Pin DBI, , 502
PNG, , 218
POST, , 151
printf(), , 266
process_restore(), , 361
process_snapshot(), , 359
ProgID ( ),
305
Protocol Debugger (PDB), 440
Protocol Informatics (PI), 445
ProtoFuzz
NDIS, , 274
, 270
,
, 275
, 272
, , 275
, 269
, 272
, 284
, 281
, 270
, 276
, 279
, 281
, 278
, 277
/,
281
, 274
, 275
PROTOS, 47, 519
ProtoVer Professional, 521
ProxyFuzzer, 439
PStalker
Gizmo Project,
SIP, , 475
SIP$, , 472
, 476
, , 476
, 478
531

, 479
, 471
, 472
, , 476
, 468
, 468
, 467
, 469
, 469
ptrace, , 122
PTRACE_TRACEME, , 206
PureFuzz, 384
PUT, , 145
PyDbg, , 348

, 356
Python
ctypes, , 335
PaiMei, , 464
PIDA, , 465
,
494
, 464

, 497
crash binning, 498
SWF, 402
Protocol Informatics (PI), 445
PyDbg, , 348

, , 460

, 356
COM, 307
, 99
PythonWin COM, , 307
PythonWin,
, 307
R
randomize(), , 396
Rational Purify, 504
RATS (Rough Auditing Tool for Security),
33
RCE (reverse code engineering),
, 43
, 40
ReadProcessMemory(), , 336
RealPlayer
, ,
212

RealPix, 212
RealServer ../ DESCRIBE, ,
246
ReceivePacket(), , 278
record_crash(), , 498
RECT, , 396
Reduced Instruction Set Computer
(RISC), , 454
RFCs ( ), 77
RGB, , 396
RISC (Reduced Instruction Set Comput$
er), , 454
S
SAMBA, 437
SAP Web Application Server sap$exiturl
Header HTTP Response Splitting, $
, 139
s_block_end(), , 261, 410
s_block_start(), , 261, 410
s_checksum(), , 414
SDL (Security Development Lifecycle),
508
SDLC
, 91
SDLC (Software Development Lifecycle)
Microsoft SDL, 508
, 508
, 510
, 512
, 510
, 511
, 512
SDLC (software development lifecycle), 91
SecurityReview, 43
SEH (Structured Exception Handler), 497
self.push(), , 416
set_callback(), , 350
setgid, , 115
setMaxSize(), , 373
setMode(), , 373
SetThreadContext(), , 344
setuid
, 115
, 60
Sharefuzz, 61
532
Sidewinder (), 452
SIGABRT, , 207
SIGALRM, , 208
SIGBUS, , 207
SIGCHLD, , 208
SIGFPE, , 208
SIGILL, , 207
SIGKILL, , 208
SIGSEGV, , 207
SIGSYS, , 207
SIGTERM, , 208
Simple Web Server,
, 180
SIP
, 475
, 472
SIPPhoneAPI, , 475
smart(), , 396
SPI Dynamics Free Bank,
, 184
SPI Fuzzer, 64, 161
SPIKE, 48, 63, 378
Proxy, 160

, 261
,
, 262
, 381
, 263
TCP, 259

, 378
FTP, 379
UNIX, 254
SPIKE NMAP,
, 263
, 255
, 259
SPIKEfile
UNIX, 207

, 202
, 203
, 203
forking off/
, 205
UNIX, 208
, 201
, ,
211
$, 208

, 201
, 214
s_repeat(), , 414
SRM (snapshot restoration mutation),
328, 333
sscanf(), , 444
SSH ( ), , 87
s_sizer(), , 413
strcpy(), , 32
Structured Exception Handler (SEH), 497
'su', , , 114
Sulley, , 403
RPC, ,
, 427
, 431
, 431
, 428
, 429
, 410
, 410
, 412
, 411
, 403
$, 403
, 431
, 409
, 428
, 417
, 419
$, 422
, 419
, 417
, 429

, 419
, 408
, 404
, 406
, 422
, , 431
, 413
, 414
, 415
, 414
, 413
, 407
, 415
SuperGPF, 384
SW (Smith Waterman),
, 445
SWF (Shockwave Flash), 390
533

bit_field, , 395
dependent_bit_field, , 397
MATRIX, , 397
RECT/RGB, , 396
SWF$, , 391
, 401
, 391
, 391
, 403
,
400
, 402
, 400
, 391
syslog(), , 490
T
taboo(), , 488
TCP/IP, , 248
TcpClient, , 171
Thread32First(),
, 345
to_binary(), , 396
to_decimal(), , 396
TRACE, , 146
Trend Micro Control Manager,
, 178
Trustworthy Computing Security Devel$
opment Lifecycle document (Microsoft),
38
TXT2AD, 389
type, length, value (TLV),
, 368
U
UNIX
,
207208
, 255
, 117
unmarshal(), , 325
UPGMA (Unweighted Pairwise Mean by
Arithmetic Averages), , 446
URL, , 299
User$Agent, , 144
V
Valgrind, 504
VARIANT, , 313
VirtualQueryEx(), , 346
VML ( ), 291
W
WebFuzz
, , 180
, 187
HTML, , 168
HTTP, , 167
TcpClient, , 171
XSS$, , 184
, 172
, 168
,
, 169
, 163
SQL, , 182

,
170
, 165
, 164
, 169
, 170
, 176
, 175
, 169
, 187
, ,
170
WebScarab, 64, 152, 161
WinDbg, 42
Windows
Explorer, ,
225, 228
Live, 135
WMF, , 218
, 321
,
337
, ,
228
, 216
, 228
winnuke, 248
WinPcap, , 275
WinRAR, 193
WinZip
534

MIME, 189
WinZip,
FileView ActiveX Control Unsafe
Method Exposure, 317
Wireshark, 97
$, 351
, 256
WMF, , 218
WordPress Cookie cache_lastpostdate
Variable Arbitrary PHP Code Execu$
tion, $, 139
Wotsit, $, 438
write_process_memory(), , 361
WriteProcessMemory(), , 336
WS2_32.recv(), , 352
X
XDR (eXternal Data Representation), 249
xmlComposeString(), , 425
XML$, , 291
XSS (Cross$site scripting), 153, 184
, 33
, 30
, 368
, 494
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 95
, 96

, 95

, 445
, 448
, 439

, 59
, 251
, 491
, 489
, ,
301
(), 448
CFG ,
450
CFG
, 450
CFG
, 449
Sidewinder, 452

, 449
, 448
, 449

, 446
, 445
,
, 445
, ,
444
ProtoFuzz, , 270
(BVA), 45
, 341
, 112
, , 189
(WebFuzz), 172
, , 223
(), 154

/ , 456
, 456
, 459

cc_hits, 469
cc_tags, 469
, , 445
(SSH), 87
Microsoft, 509
, , 300
, 514
libdasm, 97
libdisasm, 97
Libnet, 98
LibPCAP, 98
Metro Packet Library, 98
535

PyDbg, 459
SIPPhoneAPI, 475
WinPcap, 275

, 97
, 275
, 120

, 109
, 108
, 108
, 104
, 105
, 107
, 101

, 43
, 40
, 444
, 403
Sulley, , 410
, 410
, 412
, 411
, 413
/ , 456
, 456
, 459
, 81
, 261
, 378
, 81
, 413
, 414
, 415
, 414
, 413

ActiveX, , 307
, 316
, 309
, 317
, ,
, 312
, 316
, 64
, 289
CSS, 293
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 48
, 286
, 288, 294, 299
, 286
, 301
, 287
, 295
, 288
, 299

$, 299
(MLI), 327

, 51
$ , 64
ActiveX, 307
, 316
,
309
, 317
, ,
, 312
, 316
, 289
CSS, 293
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 48
, 286
, 288, 294, 299
, 295
, 299
, 286
536
, 301
, 287
, 295
, 288
, 299
$ , 139
$ (Sulley), 422
$, , 138
$ , 64
$ , 160
beSTORM, 161, 517
Codenomicon, 161
HTML, , 168
HTTP, , 167
SPI Fuzzer, 161
SPIKE Proxy, 160
WebScarab, 161
XSS$, , 184

cookies, 150
, 141
, 149
, 151
, 145
, 149
POST, 151

, 147
, 139
, ,
169
, 163
SQL, , 182
, 134

, 156

, 170

Ipswitch Imail Web Calendaring,
179
Trend Micro Control Manager, 178
, 138
, 165
, 164
, 154, 180
, 169
TcpClient, , 171
, 172
, 170

, 176
, 175
, ,
170
, 169
, 169
, 187
, 136
, 153, 168
$
CodeSpy, 33
Flawfinder, 33
ITS4, 33
Jlint, 33
Splint, 33
Wotsit, 438
RATS download, 33
AWStats Remote Command Execution
Vulnerability, 139
IpSwitch WhatsUp Professional 2005
(SP1) SQL Injection, 139
Microsoft Outlook Web Access Cross$
Site Scripting, 138
Multiple Vendor Cacti Remote File In$
clusion, 139
phpBB Group phpBB Arbitrary File
Disclosure, 138
SAP Web Application Server sap$exi$
turl Header HTTP Response Split$
ting, 139
Sulley, , 403
Tikiwiki tiki$user_preferences Com$
mand Injection, 138
Wireshark, 351
WordPress Cookie cache_lastpostdate
Variable Arbitrary PHP Code Execu$
tion, 139
OpenSSH, 246
RealServer ../ DESCRIBE, 246
RPC DCOM, 246

MIME WinZip, 189
, , 138
, 140
, 508
, 510
, 512
, 510
, 511
537

, 512
, 496
, 66
,
66
,
, 66
, 84
, 96
, 39
, ,
346
, 344
,
, 346
OllyDbg, 355
(RCE), 40

$
cookies, 150
, 141
POST, 151
, 149
, 151
, 145
, 149

, 147

, 193

$
CSS, 294
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 275
, 348
$,
141
cookies, 150
POST, 151
, 149
, 145
, 149

(URI), 147
, 71
, 493
(), 450
, 95
( ), 448
CFG
, 450
, 450
, 449
Sidewinder, 452

, 449
, 448
, 449
, 381
, 370
SWF, , 401
, 518

CCR, , 100

, 109
, 108
, 108
, 104
, 105
, 107
, 101
, 524
(PHP),
136
, 86
Sulley,
, 424
SMTP$, 417
, 455
, , 61
Peach, , 382
, 410
538
ProtoFuzz, , 279
, 270
ProtoFuzz, , 276
, 270
, 381
, 370
SWF, , 401
CCR, , 100
, 109
, 108
, 104
, 105
, 107
, 101
PStalker, 468
, 468
PStalker, 467

Dfuz, 373
, , 247
, 108
apKeywords(), 371
Sulley, , 403
, 409
, 109
, 108
, 108
, 335
, 105
, 409
, 103
, 104, 408
, 107
, 413
, 101
, 407
, 415
, 469
POST,
$, 151
(FileFuzz), 220

, 73
, 40
adbg, 388
DBI
DynamoRIO, 502
Pin, 502
, 503
GDB, 42
OllyDbg, 42, 352
WS2_32.recv(),
, 352
, 354
, 355
, 355
WinDbg, 42
,
493
DBI, 502
, 494
, , 494
, 488
, , 497
$ , 301
, 198
, 252
$, 157
$, 456
, 40
, 40

, 455
, 443
, 84
, 53
, 357
, 35
, 44
, 39
, 139
$, 157
(), 412
539

Accept, 143
Accept$Encoding, 143
Accept$Language, 143
Connection, 144
Cookie, 144
Host, 144
SWF$, , 391
User$Agent, 144
$,
149
HTTP, 144
,
, 503

, 492
, , 48
, 491
, , 336
GetTypeInfoCount(), 313
LoadTypeLib(), 313

(CCR), , 100
ap.getPayload(), 373
av_handler(), 495
bp_set(), 350
ContinueDebugEvent(), 340
DebugActiveProcess(), 338
DebugSetProcessKillOnExit(), 338
flatten(), 396
func_resolve(), 350
GetFuncDesc(), 314
GetNames(), 314
GetThreadContext(), 344
handler_bp(), 350
HTTP, 167
MMalloc(), 103
parse(), 325
process_restore(), 361
process_snapshot(), 359
randomize(), 396
record_crash(), 498
s_checksum(), 414
self.push(), 416
set_callback(), 350
setMaxSize(), 373
setMode(), 373
SetThreadContext(), 344
smart(), 396
s_repeat(), 414
sscanf(), 444
s_sizer(), 413
strcpy(), 32
syslog(), 490
Thread32First(), 345
to_binary(), 396
to_decimal(), 396
unmarshal(), 325
VirtualQueryEx(), 346
WebFuzz, 175, 177
write_process_memory(), 361
xmlComposeString, 425
, 169
$, 163, 165
(RFC), 77

, 57
, , 49, 65
(), 493
, , 48, 65
$, 208
, 442
Sulley, 404

Microsoft, 31
, . , 459
.
Autodafej, 387
beSTORM, 161, 517
BinAudit, 43
BoundsChecker, 504
BreakingPoint, 518
BugScam, 43
clfuzz, 61
Codenomicon, 519
, 47
HTTP, 64
COM Raider, 65
COMRaider, 49, 292
Convert, 385
crash binning, 498
crashbin_explorer.py, 423
CSSDIE, 293
DevInpect, 514
540
Dfuz, 373
fuzz_trend_server_protect_5168.
py, 429
GPF, 384
PDML2AD, 389
TXT2AD, 389
, 373
, , 374
, , 375
, 376
, 374
, 376
DOM$Hanoi, 65
FileFuzz, 62
ASCII, , 221
, , 223
, 219
, 240
, 220
, 221

, 222
, 236
, 229
, 217
, 240
Hamachi, 65
Holodeck, 523
iFUZZ
getopt, , 126
, 125
,
132
, 127
Fork,
Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace,
129
, 131
, 124
, 130
iFuzz, 61
Inspector, 43
LogiScan, 43
mangleme, 65
Mu$4000, 521
Netcat, 72
notSPIKEfile, 62

forking off/
, 205
UNIX, 207
, 203
UNIX,
208
, 201
,
, 211
$, 208
, 201

, 202

RealPix, 212
, 214
PAIMEIfilefuzz, 62
Pattern Fuzz, 384
Peach, 63, 381
, 381
, 382
, 383
,
381
, 382
, 382
ProtoFuzz
NDIS, , 274
, 270, 279
,
, 275
, 272
, , 269
, 272, 281
, 278
, 284
, 281
, 270
, 277
, 274
/,
281
, 275
PROTOS, 472, 519
ProxyFuzzer, 439
PStalker, 473
, 468
, 468

, 467
, 466
, 469
, 469
ptrace(), 98
PureFuzz, 384
SecurityReview, 43
Sharefuzz, 61
Sidewinder, 452
SPI Fuzzer, 64
SPIKE, 63, 378
Proxy, 160
,
, 261
, 380
, 263
TC, 259

, 378
FTP, 379
UNIX, 254

, 262
, 259
SPIKE Proxy, 160
SPIKEfile
forking off/
, 205
UNIX, 207
, 203
UNIX,
208
, 201

, 202
,
, 211

, 203
$, 208
, 201
, 214
Sulley, , 403
RPC, ,
, 427
, 409
$, 403
, 431
, 409
, 428
, 408
541
, 404
, 406
, 422
, , 431
, 413
, 407
, 415
SuperGPF, 384
WebFuzz
HTML, , 168
HTTP, , 167
TcpClient, , 171
XSS$, , 184
, 172
, 168
,
, 169
, 163
SQL
, 182

,
170
, 178
, 165
, 164
, ,
180
, 169
, 170
, 175
, 187
, 169
, 169
, 187
, ,
170
WebScarab, 64, 152, 161
, 33
Python, 99

, 463
PaiMei, , 464
PyDbg,

, 460
, 455
, 480
, 459
, 453
542
, 458
, 482

(IDE), 513
, 39

,
, 500
, ,
487
, 487

, 250
, 192
IObjectSafety, 311
PIDA, 465
ID (IID), 305
COM, 304
IAcroAXDocShim, 314
SQL
, 182
, 155

$, 156, 170
, 340
, 52
, 202, 222
, 203
,
500
, . , 454
, 52
, 514
COM, 304
SAMBA, 437
, 47
ActiveX, 49
Codenomicon, 47
PROTOS, 47
SPIKE, 48
, , 47
, 49
, 48

, 30
, 32
(CSS)
CSSDIE, 48
apKeywords(), 371
bit_field, 395
PyDbg, 348, 357
TcpClient, 171
, 242, 294, 299
Ethereal, 351
, 351

Peach, 381
, 371
(), 411
, 198
, 60
break, 119
commands, 119
CREA, 266
, , 300
, 109
, 516
beSTORM, 517
BreakingPoint, 518
Codenomicon, 64, 519
, 47
Holodeck, 523
Mu$4000, 521
( ), 456
,
(SPIKE), 263
,
, 262
, 514
, , 487

, 414

, , 198
, 485
$, 139
, , 415

,
, 252
, , 196
, 60
getenv, , 118
iFUZZ
getenv,
, 126
getopt, , 126
, 125
,
132
, 127
Fork,
Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace,
129
, 131
, 124
, 130
, 60, 112
ptrace, 122
, 117
, 121
, 115
, 61, 112
GDB, 118
, 120
, 114
, 122
, 62
, 48
,
, 300
(XSS), 153, 184
, , 48
, , 424
, 198
ActiveX, 312
BeginRead(), 174
BeginWrite(), 174
btnRequest_Click(), 175
CONNECT, 146
CreateFile(), 318
CreateProcess(), 318
DELETE, 146
543
DownloadFile(), 318
Execute(), 318
forking off
, 205
GET, 145
GetURL(), 318
HEAD, 145
HTTP, 154
OnReadComplete(), 174
OPTIONS, 146
POST, 145
ptrace, 122
PUT, 145
TRACE, 146

, 59
, 30
, 30

, 43
, 40
, 35
, 32
$ , 288
, 289
, 288
($),
141
, 59
,
57

, 58

, 327
, 334
, 329

, 328

, 334
, 40
, 44
,
59

, 57
SWF, 402
, 249
, 249
544

, 251
, 249
, 250
, 250
, 190
, 193
, 191
, 192
, 35
, 39
(beSTORM), 161, 517
, 36
, 38
, 370
, , , 47

(iFUZZ), 125
, 55

, 251
ctypes, 335
iFUZZ, 125

(SRM), 328
,
493
, 494
, , 494
, , 497
, 52
, 139
ActiveX, 316
, . ., 49, 65
, 46, 249
( ), 456
$ , 105
HTTP,
154
(NX)
, 489
, 60
, , 445

, 202
, 273
DBI, 503
$, 301
, , 488
, 424
, 491
,
, 500
, ,
487
, ,
487
, 485
, 487
, 330
, 252
, 273
,
, 488
, 370
, 489
, 197
, , 249
, ,
346

, 334
,
, 346
, 344
, 352

, 357
, 359
, 419

Ipswitch Imail Web Calendaring, 179
Trend Micro Control Manager, 178
, 179
, 108
setuid, , 60
Sulley, , 419

UNIX, 255
, 115
,
493
, 494
, , 494
, , 497
, 326
, 513
, 459
, 245
$
, 138
, 138
, 245
, 245
, 247
, 249
, 249
, 248
, 248
, 248
, 189
PStalker, 469
, 91
, 53
, 53
,
55
, 54
, 54
, 66

(iFUZZ), 125
, 65
WS2_32.recv(), ,
352
OllyDbg, 352
, 352
PyDbg, 356
, , 351
, , 352
, 66
, 329
, 66
, 327
, 334
545

, 328

, 334
, 333
, 320
, ,
348
, 330
/ ,
344
, 326
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
,
342
, 65
fuzz_client, , 362
fuzz_server, , 362
fuzz_server, , 359
, 360
, , 351
, 355
, 357
, 359
,
361
/
, ,
346

, , 346
, 65
, 329
, 66
, 352
, 352
, , 348
, , 335
, 65
,
, 252
, 89
$, 90
DBI, 91
546

(OASIS), 77
, 263
TCP, 259
, ,
169
, 169

, 194

(OSCAR), 73
, 77
(Win$
dows), 337

, 349

, 198
, , 339
, , 340
, 205
, 89
, 203
, 35
, 44
, 39
, 273
,
DBI, 488
, 424
,
, 500
, , 487
, , 424
, 330
, 252
, 273

$, 301
, , 488
, 491
, ,
487
, 485
, 487

, 489
,
, 488
, 370
, , 89
$, 90
, 89
DBI, 91

, 275
, 269
, 322
Windows, 321
,
, ,
336
, 334

, 334
,
, 348
, , 348
. /
, 336
/
, 344
, 341
, , 348
, , 335

, 327
, 329
,
325

, 328
, 320
, 330
, 326
, 319
, 329

, 491
, ,
487
, 489

, 54
, 361
, , 346
, , 370
, 80
, 335
, 72
, 70
, 374
, 272
, 61
, 118
getenv, , 118
GDB, 118
, 120
, 276
$, 164
, 112
GDB, 118
, 120
getenv, 119

GDB, 118
, 120
getenv, 119
(), 264

($), 180
,
, 196

Novell Net$
Mail IMAPD, 103
, 150
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
, 342
, 89
, , 89
, , 62
, 154
, 120

ActiveX, 309
547

GDB, 118
, 120
getenv, 119
, 105
, 70
, 77
, 46
, forking off
, 205
, 444
, 346
, , 376
, 424
, 424
, ,
249
, 382
'su', , 114
setuid, 60
(ASP), 135
$, 64
, 139
, 134

, 156
, 138
,
151
, 150
, 136
, 153
, 114

ECMAScript, 294
FileFuzz, 229
iFUZZ, 130
ProtoFuzz, 275
, 99
SPIKEfile notSPIKE$
file, 214
, 368
, 341
, 487
, 491
548
, ,
487
, 489

Antiparser, 371
CreateProcess(), 338
Windows, 337
$, 439
, 485
,
, 196
, 63
AIM (AOL Instant Messenger)
, , 48

, 340
AIM, 73
, 74
,
75
FTP, 72
HTTP, 149
ICMP, 445
NMAP, 255
SPIKE NMAP,
, 263
, 255
NNTP, 462
SIP
, 475
, 472

, 444
, 448
, 439
$,
149
, 73
, 274
, 442
, 69
, 368
, 68
, 68
, 77
, 72
, 70
, 77
, 63

, 76

, 270
, 274
, 249

, 251
,
, 247
,
, 249
, 245
, 243
, 272
, , 251, 273
, 272
,
, 249
, 270
, 269
,
, 248
, ,
248

, 243
,
, 248

, 63
, 63
, 63
TLV, 368
, 438
, 58
, 59
, 436
, 81
, 81
, 80
, 81
Dfuz, 376

, 197
$, 157
, 459
, 86
549

, 208
, , 421
/
, ,
346
,
, 346
, 344
, 336
, 336
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
,
342
, , 348
, forking off
, 205
, 86

, 370
, 52
FileFuzz, 229
, 230
, 231
, , 230

, 233
, 229
, 230
, 229
, , 229
iFUZZ, 126
, 458
, 459
, 459
,
459
, 462
, , 462
DBI, 503
,
524
ActiveX, 307
, 316
,
309
, 317
, ,
, 312
, 316

forking off/
, 205
UNIX, 207
, 203

, 202
UNIX,
208

, 203
, 513
, 103
, 49
, , 65

(PaiMei), 464
, , 414
, 91
, , 62
, 36
(ActiveX), 312
Microsoft, , 243
, 351
, , 352
, , 246
,
, 246
Sulley,
, ,
419
, 429
Sulley, , 417
, 419
, 419
, 413
, ,
420
550
, 417
, , 248
, 277
, 242
, 139, 420
, 245
, 245
, 247
, 249
, 249
, 248
, 248
, 248
, 245
, 242
UNIX, 254
SPIKE NMAP,
, 263
, 255

, 243
, , 247
, 63
, 249
, 273
, 243
, , 251
, 63
, , 274
, 63
, 269
SIGSEGV, 55
UNIX, 207
, 122
, 55
, 108
, 455
SPIKE NMAP, , 263

XSS$, , 184

, 262
, 154
, 153
, 35
, 44
, 66
, 67

, 63
, , 386
, 406
,
, 445
, 157
, 243
$, 156
, 86
, , 197
,
341
, 346
,
198
, 346
, 438

, 32
, 406
NMAP, , 264
, 496
, , 488
, 438
Sulley, , 408
, 104
, 400
, 107
, 107
, 196
RealPix
RealPlayer, 212
, 488
, 54
,
HTML, 290
XML, 291
SLDC, 512
, 30
, 35
, 32
, 30
, 40
551

, 40
, 44
, 35
, 36
, 39
, 38

RCE, 40
, 36
, 58

, 57
, 348

WS2_32.dll recv(), 352
ws2_32.dll, recv(), 350
, 341
, 350, 359
, 341

, 463
PaiMei, , 464
PStalker
, 468
, 468
, 467
, 466
, 469
, 469
PyDbg,

, 460
, 455
CFG, 456
, 455
, 480
, 459
, 453
, 458
, 459
,
459
, 462
, 459
, , 462
, 482
, , 437
, 62
$, 64
$, 64
, 63

, 524
,
524
,
($),
147
, 247 249
FileFuzz
, 230
, 231
, , 230

, 233
, 230
ProtoFuzz, 276, 281
, 279
, 281
, 278
, 277
/,
281
WebFuzz
TcpClient, , 171
, 172
, 176
, 175
, 53
Apple Macbook, 247

CSS, 293
ERP, 139
Excel eBay, 219
Flash, 298
GDI+ , 218
HTML
, 289
, 290
Ipswitch I$Mail, 437
Outlook Express NTTP, 463
PNG, 218
RPC$, 246
552
SPI Dynamics Free Bank,
, 184
TCP/IP, 248
winnuke$, 248
WMF, 218
, 155
$, 139
$, 138
$, 153
, 138
, 138
, 300
, 301
, 242, 299
, 294
, 109
, 300
, 246
, 247
, 249
, 108
,
300
, 299
, 487
, 491
, ,
487
, 489
, 154, 299
, 249
, 246
, 248
, 245
, 139
, 248
NMAP, , 264
,
NMAP, , 264
XML, 291
, 248
, 247 249
, 301
RealPix
RealPlayer, 212
, 107
Windows, 218

, 196
, 194
, 196

, 194
, 189
, 196
, 197
, 196
ActiveX, 292
(SLDC), 512
(GPF), 384
, 62
FileFuzz
ASCII, , 221
, , 223
, 219
, 220
, 231

, 222
, 217
notSPIKEfile
, 201
,
, 211
, 201

RealPix, 212
, 214
ODF, 77
Open XML, 78
SPIKEfile
, 201
,
, 211
, 201
, 214
Windows, 218
, 240
UNIX, 207
forking off/
, 205
, 190
, 193
, 191
, 192
UNIX, 208

, 197
, 224
Windows Explorer, 225
Windows, 228
, 236
$, 208
, 229
, 230
, 231
, , 230
, 203

, 202, 233
, 229
, 230
, 229
, , 229
, 196

, 194
, 194
, 196
, 189
, 196
, 197
, 196
, 240
Codenomicon, 47
SPIKE, 48
, , 47
PROTOS,
47
, 49
, 48
, 39
, 53
, 53
,
55
, 54
, 54
, 51
$
, 48

, 250
, 191
553
, 486
, , 493

,
52
, 52
, 51
, 52
, 51
,
51
.
SWF, 391
bit_field, , 395
dependent_bit_field, , 397
MATRIX, , 397
RECT/RGB, , 396
SWF$, , 391
, 401
, 391
, 403
,
400
, 402
, 400
, 391
, 392
, 398
, 117
, 376
, 49
, , 462
, 301
,
RealPix RealPlayer, 212
, ,
107, 127
, 107
, 488
, 196
, 66
Antiparser, 371
,
370
Autodafej, 387
CRC, , 369
Dfuz, 373
, 373
, , 374
, , 376
554
, , 375
, 376
, 374
GPF, 384
PaiMei
SWF$, 391
, , 494
,
, 497
crash binning, 495
Peach, 381
, 381
, 382
, 383
,
381
, 382
, 382
SPIKE, 378
, 380

, 378
FTP, 379
Sulley, 403
, 409
, 403
$, 403
, , 428
, 409
, 417, 429
, , 431
, 408
, 404
, 406
, 422
, , 431
, 407
, 415
,
368
,
66

, 66
, 67
,
370
, 370
, 368
, 368
, 370

, 66
, 370
, 368
, 67
, 370
, 368
.
BindAdapter(), 278
byref(), 336
CreateProcess(), 36, 221
create_string_buffer(), 336
Dfuz, 374
GetCurrentProcessId(), 335
getenv, 118
printf(), 266
ReadProcessMemory(), 336
ReceivePacket(), 278
s_block_end(), 261, 410
s_block_start(), 261, 410
taboo(), 488
WriteProcessMemory(), 336
,
, 295
, , 331
(), 469
, 101

Sulley, , 407
, , 194
, 51
, 339
(CRC),
, 369
(Microsoft), 243
, 489
, , 336
555
/
, 281
, 370
, 100
ActiveX, 316
, 109
, 108
, 108
, 104
, 105
, 439
, 441
, 443
, 442
$, 439
, 107
, 101
, , 49
, , 63
ActiveX
, 49
, 169
(VML), 291

ECMAScript, 294
FileFuzz, 229
iFUZZ, 130
ProtoFuzz, 275
, 99
SPIKEfile notSPIKE$
file, 214
, 335
, 368

Books.Ru
ISBN 9785932861479, Fuzzing:

Books.Ru .
,

. ,
(piracy@symbol.ru),
.

Fuzzing Issledovanie Uyazvimostei Metodom Gruboi Sily

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fuzzing Issledovanie Uyazvimostei Metodom Gruboi Sily

Uploaded by

Copyright:

Available Formats

SPI Dynamics : ,

Michael Sutton, Adam Greene

12. : UNIX . . . . . . . . . . 200

13. : Windows . . . . . . 215

15. : UNIX . . . . . . . 254

tive Disassembler (IDA) Pro1, . 1.2. IDA

. 1.2. DataRescue IDA Pro

BugScam Halvar Flake

BinAudit SABRE Security

1989 1989 1999

. 4.1. AIM Signon:

. 4.2. AIM Signon:

. 4.3. AIM Signon:

Microsoft Word 2003, $

. 5.6. Microsoft Windows Event Viewer

Metro Packet Library5

: C: A001 LOGIN {11}

; destination is attacker allocated

Microsoft Windows $ ASCII

Program exited normally.

HP$UX, QNX, MacOS X, AIX.

Fork, Execute Wait

Tikiwiki tiki$user_preferences Command Injection Vulnerability

WordPress Cookie cache_lastpostdate Variable Arbitrary PHP Code

(Enterprise Resource Planning,

AcceptEncoding: gzip, deflate

UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;

Cookie: PREF=ID=32b1c6fa8e9e9a7a:FF=4:LD=en:NR=10:TM= 1130820854:

: *.html (HyperText Markup Language $

. 10.1. SPIKE Proxy

WebScarab1. Open Web Application Security Project

WebFuzz SPI Fuz$

. 10.2. SPI Fuzzer

TCPClient NetworkStream, Begin

. 10.8. Trend Micro Control Manage

. 10.9. Ipswitch Imail Web Calendaring

404 Page Not Found (

. 10.13. Ipswitch Whatsup Professional (SP1)

. 10.14. SPI Dynamics Free Bank

#Fields: time cip csmethod csuristem scstatus

! 404 Page Not Found , Web$

"A"x5000 + "@" + "A"5000

Windows Picture and Fax Viewer

// target file name.

// command line options.

printf("[*] %s\n", GetCommandLine()); //Print the command line

// get the context of the offending thread.

// examine the exception code.

. 13.5. JPEG+ Create

. rundll32.exe. Windows Picture and Fax

. 13.6. FileFuzz Windows Picture and Fax Viewer

Code Red. IIS Web server

Black Hat 2006 $

Microsoft TCPView1 ( Sys Inter$

. 16.1. Wireshark AIM,

, JPG, GIF PNG,

<BODY ONLOAD="timer=setTimeout('move()',2000) ">

MOV EAX, [EAX]

. 17.2. OllyDbg Heap Vis

foo.method(arg, arg, arg)

. 18.1. PythonWin COM

Microsoft Windows Internals, Fourth Edition, Mark E. Russinovich, David A.

MLI parse_name() read_string(). $

print "Started process with pid %d" pi.dwProcessId