
Two-Parter: SPIKE fuzzer: "undefined symbol: s_word"


I'm currently studying Windows exploit development and am working on locating some crashes in an application via SPIKE. I have manually located a crash via a scapy script I've written, by modifying certain data. My current issue is attempting to write a SPIKE template to fuzz for other crashes, but I'm not currently able to make SPIKE fuzz the binary data I'm sending-- it always sends the same thing. Utilizing other SPIKE calls, i.e. s_word and s_binary_bigendian_word, all results in:

generic_send_tcp: undefined symbol: s_word

generic_send_tcp: undefined symbol: s_binary_bigendian_word etc.

The application in question is 'Disk Saavy 10.4.18', which has a known buffer overflow via SEH. I know there is an exploit available-- please don't just link me to that. I'm attempting to learn how to go from fuzzing a binary protocol to a full exploit.

I've captured some initial traffic and worked it into a scapy script to 3WHS, then PSH,ACK my data. Below, a sample packet's raw data:

0000   75 19 ba ab 03 00 00 00 00 00 00 00 1a 00 00 00  u...............
0010   20 00 00 00 00 00 00 00 53 45 52 56 45 52 5f 47   .......SERVER_G
0020   45 54 5f 49 4e 46 4f 02 32 01 44 41 54 41 01 30  ET_INFO.2.DATA.0
0030   01 00 00 00 60 c0 f1 02                          ....`...

The first 12 bytes must remain as they are (seemingly-- not part of my question) or the application does not properly parse it. The four bytes directly afterward however, are plugged into ECX. Changing those four to something akin to 1A CC CC CC causes ECX to well, be CC CC CC 1A and the application crashes. That's all well and good. Scapy is awesome, but I'd rather fuzz with a fuzzing framework like SPIKE.

First (and sorta second) question: Although reviewing SPIKE's "documentation" has allowed me to create a fuzzing template and send my data, I'm not currently able to actually 'fuzz' the bytes I'm targeting. My SPIKE script is (probably bad) below:

s_binary("\x75\x19\xBA\xAB\x03\x00\x00\x00\x00\x00\x00\x00");
s_block_start("ecx");
s_binary("0x1A000000");
s_block_end("ecx");
s_binary("\x20\x00\x00\x00\x00\x00\x00\x00");
s_string("SERVER_GET_INFO");
s_binary("\x02");
s_string("2");
s_binary("\x01");
s_string("DATA");
s_binary("\x01");
s_string("0");
s_binary("\x01\x00\x00\x00");
s_string("`");
s_binary("\xC0\xF1\x02");

Side note-- if there's a better way to write this script, let me know (minus the block, that's just for learning).

Running the template with generic_send_tcp 192.168.138.134 9124 diskSaavy.spk ecx 0 works and the server responds, but the bytes in the payload are never modified, and the same payload is sent over and over. What am I doing incorrectly?

Now, looking at the documentation and lots of googling later, I ended up trying many other, more targeted values, such as s_word, s_binary_word, s_binary_bigendian_word_variable, and their LE counterparts. All of the above were located via Google and articles like "An Introduction to SPIKE, the Fuzzer Creation Kit" and "Fuzzing Frameworks".

So I change s_binary("0x1A000000"); to s_binary_variable("0x1A000000");, s_word("0x1A000000");, etc., and every time I get:

# generic_send_tcp 192.168.138.134 9124 diskSaavy.spk ecx 0
Total Number of Strings is 681
Fuzzing
Fuzzing Variable 0:0
generic_send_tcp: undefined symbol: s_word <--- my call

It's driving me nuts. So far I've tried all sorts of different calls such as the above examples, and installing binutils as suggested by an answer to a related question on SO, but no solution has worked. I have read that the undefined symbol likely has to do with a linker issue, but that's a bit beyond my knowledge level. I'd appreciate any help I can get.

Any ideas? Thanks.


Solution

  • Ok, so I was actually doing a few things wrong in this (obviously). Maybe someone struggling with this will see my question and this could help.

    SPIKE is not meant for hex / binary fuzzing-- it excels at fuzzing strings and integer values, but there are no built-in methods for fuzzing binary strings (that I'm aware of). Those need to be added manually, and many of the articles I've read invoke methods I do not have access to, thus causing much difficulty. Binary strings are considered static strings, so they will always be sent as-is. You can get a readout of all the methods SPIKE supports natively by viewing the spike.h file and looking at all the structs within. This is why I was getting "undefined symbol: XXXX" while attempting to use them-- they were never defined.

    Secondly, you can't target a 'block' by calling it on the command line as the starting point; that's not what blocks are for. This wasn't actually part of my above question, and didn't pose any issue as I wasn't defining other points to fuzz, but just in case someone else attempts it, it doesn't work.
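A check that follows from the answer, as an added example that is not part of the question or answer above nor of SPIKE itself: rebuild the captured packet from the hex dump in the question, render what the posted template's static s_binary/s_string primitives emit, and confirm the two match byte for byte (including the 4-byte little-endian field that lands in ECX). It assumes, as the template itself does by mixing both notations, that SPIKE's s_binary() accepts hex written either as \x.. or as 0x.. and ignores whitespace; the dump and template are copied from the question.

```python
import re

# Constructed from the capture quoted in the question (offset / hex / ASCII rows).
CAPTURE_DUMP = """\
0000   75 19 ba ab 03 00 00 00 00 00 00 00 1a 00 00 00  u...............
0010   20 00 00 00 00 00 00 00 53 45 52 56 45 52 5f 47   .......SERVER_G
0020   45 54 5f 49 4e 46 4f 02 32 01 44 41 54 41 01 30  ET_INFO.2.DATA.0
0030   01 00 00 00 60 c0 f1 02                          ....`...
"""

# The question's .spk template as (primitive, argument) pairs, in file order.
TEMPLATE = [
    ("s_binary", r"\x75\x19\xBA\xAB\x03\x00\x00\x00\x00\x00\x00\x00"),
    ("s_binary", "0x1A000000"),  # the four bytes that end up in ECX
    ("s_binary", r"\x20\x00\x00\x00\x00\x00\x00\x00"),
    ("s_string", "SERVER_GET_INFO"), ("s_binary", r"\x02"),
    ("s_string", "2"), ("s_binary", r"\x01"),
    ("s_string", "DATA"), ("s_binary", r"\x01"),
    ("s_string", "0"), ("s_binary", r"\x01\x00\x00\x00"),
    ("s_string", "`"), ("s_binary", r"\xC0\xF1\x02"),
]

def parse_hex_dump(dump: str) -> bytes:
    """Rebuild raw bytes from offset/hex/ASCII rows, skipping the ASCII gutter."""
    out = bytearray()
    for fields in (line.split() for line in dump.splitlines() if line.strip()):
        if int(fields[0], 16) != len(out):  # rows must be contiguous
            raise ValueError(f"row {fields[0]} does not follow {len(out):#06x}")
        for tok in fields[1:17]:  # at most 16 bytes per row
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break  # first non-hex token is the start of the ASCII gutter
            out.append(int(tok, 16))
    return bytes(out)

def spike_binary_to_bytes(arg: str) -> bytes:
    """Decode an s_binary() argument (assumption: \\x, 0x and spaces are ignored)."""
    cleaned = re.sub(r"\\x|0x|\s", "", arg)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError(f"not a hex byte string: {arg!r}")
    return bytes.fromhex(cleaned)

def render_template(template) -> bytes:
    """Bytes the template emits; s_binary and s_string are static, so every
    iteration sends exactly this (the answer's point)."""
    out = bytearray()
    for prim, arg in template:
        if prim == "s_binary":
            out += spike_binary_to_bytes(arg)
        elif prim == "s_string":
            out += arg.encode("latin-1")  # s_string sends the text, no NUL
    return bytes(out)
```

If the two byte strings differ, the offset of the first mismatch points at the template line to fix before any fuzzing run.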