보기

     o      ooooo  oooo oooo     oooo      o      oooo   oooo
    888       888  88    8888o   888      888      8888o  88
   8  88        888      88 888o8 88     8  88     88 888o88
  8oooo88      88 888    88  888  88    8oooo88    88   8888
o88o  o888o o88o  o888o o88o  8  o88o o88o  o888o o88o    88

[SUMMARY]

AxMan is a web-based ActiveX fuzzing engine. The goal of AxMan is to
discover vulnerabilities in COM objects exposed through Internet
Explorer. Since AxMan is web-based, any security changes in the
browser will also affect the results of the fuzzing process. This
allows for a much more realistic test than other COM-based assessment
tools. AxMan is designed to be used with Internet Explorer 6 only.


[DOWNLOAD]

The latest version is 1.0.0


[DEMO]

An online demonstration is available. Running AxMan on a local web
server will be much faster. This demonstration uses typelib info
obtained from a Windows XP SP2 system with Office 2003 and Visual
Studio 2005 installed. 


[CONTACT]

AxMan was developed by H D Moore <hdm[at]metasploit.com> and is
available under the MIT license. The axscan.cpp component (and 
associated axman.exe) is based on Shane Hird's axenum tool included
with axfuzz (http://axfuzz.sf.net/). The latest version of AxMan can
be obtained from http://metasploit.com/users/hdm/tools/axman/


[HOWTO]

AxMan works by first enumerating all registered COM objects and their
associated typelib information, then using that information to test
each object's properties and methods. To enumerate the COM
information, copy bin\axman.exe to the target system, and execute it
as an administrative user:

C:\> axman.exe myoutput

The axman.exe executable will take anywhere from 10 minutes to 2
hours to complete, depending on the number of COM objects registered
on your system. While it runs, a number of new processes will be
spawned and random popup windows will open. You can safely close any
popup windows as they open, or just wait for the entire process to
complete. Once axman.exe completes, the resulting directory should
contain one javascript source file for every registered COM object.

At this point, you should reboot the system in order to kill the
spawned COM processes and free system resources.

The next step is to prepare a web server to host the AxMan user
interface. A web server running on the local system is the most
efficient way to do this, but you can use any server capable of
serving plain HTML and javascript files. Copy the html subdirectory of
the AxMan archive to the web root and then copy the output directory
created by axman.exe to a subdirectory named 'conf'. This should
result in a directory structure like the following:

/BASE/index.html
/BASE/conf/objects.js
/BASE/conf/{.....}.js

On the target system, open Internet Explorer and browse the index.html
page of the AxMan user interface. If everything has been installed
successfully, a status message will be shown indicating how many COM
object definitions were loaded.

Click the start button to begin the fuzzing process.


[DEBUG]

AxMan will trigger hundreds of crashes on a typical system. Trying to
determine what crashed and during what test is a challenge for a
browser-based fuzzing engine. My personal approach to install WinDbg
(available for free from Microsoft, search for 'Debugging Tools for
Windows') and attach to the iexplore.exe process prior to starting the
fuzzing process. After attaching the debugger, I hit F5 to continue
the process and switch back to Internet Explorer. AxMan will report
the current CLSID and tested property or method in the status bar of
the browser. This status bar is updated in real-time during the
testing process. I combine this with a 'tail' process on the log files
of the hosting web server to quickly identify which component crashed
and add the property or method to the blacklist. Keep in mind that the
Internet Explorer UI will not update while the method fuzzing stage
runs, which means that switching applications or doing basically
anything on the testing system will prevent you from seeing which
method triggered a specific crash.


[BLACKLIST]

The blacklist.js script contains a list of all objects, properties,
and methods to skip during the fuzzing process. This doubles as a
list of discovered bugs. As you find new vulnerabilities, update
the blacklist to exclude them in future runs. Please see the examples
in blacklist.js for more information.

In order to buy Microsoft some time, I have not included my AxMan
blacklist file with the current release. This blacklist took about
20 hours in total to create.


[TRACER]

AxMan uses a unique string as part of both the property and method
fuzzing operations. This allows you to run tools like filemon and
regmon to determine what system-level operations happen when a
specific property is set or method is called. The default magic string
is set to 'AXM4N', but this can be changed in axman.js. Some sample
findings include:

Setting the PrinterName property for 2337A8C-E11D-11D0-BE48-00C04FC30DF6
results in spoolsv.exe access the following registry key:
 HKCU\Printers\Connections\[VALUE]

Calling the parseURL method of 079aa557-4a18-424a-8eee-e39f0a8d41b9
results in the entire system path being scanned for a file matching
the argument name.


[FUTURE]

Server-side integration and asynchronous method testing are the two
big features that will be added to future versions. The current
implementation is very slow for methods with three arguments and may
cause the "Do you want to stop this script?" prompt to appear in
certain cases. Progress reporting needs an overhaul, possibly using
XMLHTTP and some form of server-side integration.

AxMan.pdf

Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted.

The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.

Fuzz testing was developed at the University of Wisconsin-Madison in 1989 by Professor Barton Miller and the students in his graduate Advanced Operating Systems class. Their work can be found at http://www.cs.wisc.edu/~bart/fuzz/.

What is Fuzz Testing?

Fuzz testing or Fuzzing is a software testing technique, often used to discover security weaknesses in applications and protocols. The basic idea is to attach the inputs of a program to a source of random or unexpected data. If the program fails (for example, by crashing, or by failing in-built code assertions), then there are defects to correct. It should be noted that the majority of security vulnerabilities, from buffer overflows to cross-site scripting attacks, are generally the result of insufficient validation of user-supplied input data. Bugs found using fuzz testing are frequently severe, exploitable bugs that could be used by a real attacker. This has become even more true as fuzz testing has become more widely known, as the same techniques and tools are now used by attackers to exploit deployed software. This is a major advantage over binary or source auditing, or even fuzzing’s close cousin, fault injection, which often rely on artificial fault conditions that are difficult or impossible to exploit.

Fuzzing Tools

The following tools and testing frameworks are used by professional penetration testers when performing a blackbox assessment of a network, server or application. If you would like to learn more about the black-box assessment methodology or to find out how to use fuzz-testing techniques for your application, please contact a Hacksafe senior consultant.

1. Fuzzer API’s and Frameworks

SPIKE - SPIKE is an attempt to write an easy to use generic protocol API that helps reverse engineer new and unknown network protocols. It features several working examples. Includes a web server NTLM Authentication brute forcer and example code that parses web applications and DCE-RPC (MSRPC).

Scratch - Scratch is an advanced protocol destroyer (”fuzzer”) which can routinely find a wide variety of vulnerabilities from a simple packet. scratch does complex parsing of binary files to determine what to fuzz with what data. scratch also comes with a framework for fuzzing binary protocols such as SSL and SMB.

LXAPI - Library Exploit API - A selection of python methods designed for bugtesting and exploitation of local and remote vulnerabilities. It includes a fuzz testing compenent, miscellaneous shellcode methods and a simple GUI. LxAPI is currently a work-in-progress.

PEACH - Peach Fuzzer Framework - Peach is a cross-platform fuzzing framework written in Python. Peaches main goals include: short development time, code reuse, ease of use, and flexability. Peach can fuzz just about anything from .NET, COM/ActiveX, SQL, shared libraries/DLL’s, network applications, web, you name it!

antiparser - antiparser is a fuzz testing and fault injection API. The purpose of antiparser is to provide an API that can be used to model network protocols and file formats by their composite data types. Once a model has been created, the antiparser has various methods for creating random sets of data that deviates in ways that will ideally trigger software bugs or security vulnerabilities. Requires Python 2.3 or later.

Autodafe - Autodafe is a fuzzing framework that can be used to identify boundary validation and other issues in protocols and applications. Written by Martin Vuagnoux.

dfuz - a remote protocol fuzzer/triggerer which can do many things such as sending random data/random sizes, together with the data you want. it has alot of ways to tell the program to use this data by using rule files which will be later parsed by the program itself, and with several options and ways to make it very specific, and very flexible. It’s not only a remote protocol fuzzer as itself, but it is a scripting-like motor on which you can create any kind of payload. User-friendly.

Web Application Fuzzing Tools

MielieTool - MielieTool v.1.0 is an easy to use Perl based web application fuzzer. It supports fuzzing of CGIs in forms and links and supports multiple sites. Requires HTTrack, Lynx, grep, find, and rm.

Wapiti - Wapiti is a fuzz tester for web applications, and version 1.1.1 was recently released to the public. Wapiti scans the frontend of the target application and identifies all the expected user inputs. It then runs a series of tests against each variable, such as injecting punctuation and special characters, and looks for unexpected output from the application. Wapiti can be used to automate the discovery of SQL and code injection attacks, cross-site scripting and directory traversal vulnerabilities.

WebFuzzer - WebFuzzer is a web application fuzzer that checks for remote vulnerabilities such as sql injection, cross site scripting, remote code execution, file disclosure, directory traversal, php includes, shell escapes and insecure perl open() calls.

SPI WebInspect - The commercial SPI WebInspect toolkit provides a professional Web fuzzing tool known as SPI Fuzzer. SPI ToolKit users benefit from a commercially supported product that ensures reliability, updates, and ease-of-use.

cfuzzer - A simple C-source fuzzer to test for HTTP chunked encoding issues in clients and servers.

Browser Fuzzing Tools

MangleMe - A simple fuzzer for generating odd HTML tags - it will also autolaunch a browser. Mangle found the infamous IE IFRAME bug.

AxMan - AxMan is a web-based ActiveX fuzzing engine. The goal of AxMan is to discover vulnerabilities in COM objects exposed through Internet Explorer. Since AxMan is web-based, any security changes in the browser will also affect the results of the fuzzing process. This allows for a much more realistic test than other COM-based assessment tools. AxMan is designed to be used with Internet Explorer 6 only.

COMRaider - COMRaider is a tool designed to fuzz COM Object Interfaces. COMRaider includes capability to easily enumerate safe for scripting objects, ability to scan for COM objects by path, filename, or guid; integrated type library viewer; integrated debugger to monitor exceptions, close windows,log api; external vbs script allows you to easily edit fuzzer permutations; built in webserver to test exploits on the fly; distributed auditing mode to allow entire teams to work together; ability to upload crash files to central server for group analysis; automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions.

TagBruteForcer - TagBruteForcer is a client-side security tool designed to find overflows in applications that can be opened by default within Internet Explorer. It also includes basic functionality for testing ActiveX objects or Internet Explorer itself.

Hamachi - Hamachi is a community-developed utility for verifying browser integrity, written by H D Moore and Aviv Raff. Hamachi will look for common DHTML implementation flaws by specifying common “bad” values for method arguments and property values.

Service and Protocol Fuzzing Tools

SNMPFuzzer - SNMP fuzzer uses Protos test cases with an entirely new engine written in Perl. It provides efficient methods of determining which test case has caused a fault, offers more testing granularity and a friendlier user interface.

FTPFuzz - FTPFuzz is a simple GUI-based fuzzer for testing FTPD server implementations. It allows the user to specify FTP commands and parameters to fuzz, and the pattern of test strings to use for each case. Remotely exploitable vulnerabilities in many popular FTP services have been discovered using this utility.

PROTOS - The PROTOS project researches different approaches of testing implementations of protocols using black-box (i.e. functional) testing methods. The goal is to support pro-active elimination of faults with information security implications. Numerous PROTOS test cases have been provided for assessment: WAP fuzzers, LDAP and SNMP fuzzers, DNS fuzzers and more.

IRCfuzz - Digital Dwarf Society: fuzzing tool for IRC clients.

iCalFuzz - Digital Dwarf Society: fuzzing tool for the iCal calendar format.

tftpFuzz - Digital Dwarf Society: fuzzing tool for the tftp protocol.

dhcpFuzz - Digital Dwarf Society: fuzzing tool for the dhcp protocol.

SMTPFuzzer - BlackOps SMTP Fuzzing utility can be used to find weaknesses in server implementations of the SMTP protocol.

RIOT and Faultmon - RIOT testing utility and Faultmon exception catcher. May be used for attacking plain text protocols (Telnet, HTTP, SMTP). Used by Riley Hassell when he worked at eEye to discover the IIS .printer overflow and included in The Shellcoder’s Handbook.

TCP/IP Fuzzing Tools

Fuzzball2 - Fuzzball2 is a little fuzzer for TCP and IP options. It sends a bunch of more or less bogus packets to the host of your choice.

ISIC - ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.) It generates piles of pseudo random packets of the target protocol. The packets be given tendancies to conform to. Ie 50% of the packets generated can have IP Options. 25% of the packets can be IP fragments - but the percentages are arbitrary and most of the packet fields have a configurable tendancy. The packets are then sent against the target machine to either penetrate its firewall rules or find bugs in the IP stack. ISIC also contains a utility generate raw ether frames to examine hardware implementations.

ip6sic - ip6sic is a tool for stress testing an IPv6 stack implementation. It works in a way much similar to ISIC above. It was developed mainly on FreeBSD and is known to work on OpenBSD and Linux. Theoretically, it should work wherever libdnet works.

Other Fuzz Testings Tools

SyscallFuzz - A System Call Fuzzer for Linux. C Source provided.

Socket Fuzzer - A socket/file descriptor fuzzing tool for Unix. C Source provided.

Mangle - Trivial binary file fuzzer by Ilja van Sprundel. It’s usage is very simple, it takes a filename and headersize as input. It will then change between 0 and 10% of the header with random bytes. May be useful to testers with some scripting experience.

FileFuzz - A file format fuzzer for Windows PE binaries from iDefense.

SPIKEFile - SPIKEfile is a Linux based file format fuzzing tool, based on SPIKE 2.9. It was designed to automate the launching of applications and detection of exceptions caused by fuzzed files. It uses standard SPIKE scripts to generate files and utilizes ptrace to pick up interesting signals and dump register state.

FuzzyFiles - File fuzzer written by Reed Arvin. Creates multiple variations of a file - useful for finding local application flaws.

FuzzySniffandSend - Packet sniffer and replayer written by Reed Arvin. Can be used to capture data on the wire, modify it in various ways and resend to the target. Used to test for protocol and application vulnerabilities.

radiusfuzzer - A Radius protocol fuzzer written in C, by Thomas Biege of the SuSe Security Team.

msn fuzzer - C source code for a simple MSN protocol fuzzer. May be used to discover vulnerabilities in MSN client software.

Mistress - Mistress in an ‘Application Sadism Environment’ and can also be called a fuzzer. It is written in Python and was created for probing file formats on the fly and protocols with malformed data, based on pre-defined patterns. It is recommended that the project site be visited for further documentation and use cases.

If you have any tools you wish to contribute to this list, please email us! We will update this post as new fuzzers are released to the public.






http://www.hacksafe.com.au/blog/2006/08/21/fuzz-testing-tools-and-techniques/