1 00:00:00,180 --> 00:00:01,180 All right everybody.
2 00:00:01,180 --> 00:00:06,210 So in this video we're going to be covering fuzzing. Fuzzing is very similar to spiking in the sense
3 00:00:06,210 --> 00:00:10,980 that we're going to be sending a bunch of characters at a specific command and trying to break it.
4 00:00:10,980 --> 00:00:15,810 The difference is, with spiking we're trying to do that to multiple commands to try to find what's vulnerable.
5 00:00:16,200 --> 00:00:18,960 Now that we know the TRUN command is vulnerable,
6 00:00:18,960 --> 00:00:22,760 we're gonna go ahead and attack that command specifically.
7 00:00:22,890 --> 00:00:27,980 So a couple of housekeeping items: we're gonna go ahead and boot up Immunity Debugger again.
8 00:00:28,020 --> 00:00:33,440 So we're gonna run it as administrator, and we're also going to run vulnserver as administrator.
9 00:00:33,470 --> 00:00:39,530 So from here on out you can assume that vulnserver is going to be running and Immunity is going to
10 00:00:39,530 --> 00:00:41,970 be running, and that we're gonna have it attached.
11 00:00:42,260 --> 00:00:49,770 So let's go ahead and show that process one more time, and any time that you do crash vulnserver we're
12 00:00:49,770 --> 00:00:55,520 gonna go ahead and restart it, and restart Immunity as administrator and reattach.
13 00:00:55,530 --> 00:01:00,450 So there are issues sometimes where if you crash vulnserver and then you try to reload it with Immunity
14 00:01:00,720 --> 00:01:02,940 already open, it causes issues.
15 00:01:02,940 --> 00:01:07,780 So it's best to just close out Immunity as well, reopen Immunity and start it again.
16 00:01:07,840 --> 00:01:11,110 So go ahead and make sure everything's running. It is in the corner.
17 00:01:11,190 --> 00:01:11,500 OK.
18 00:01:11,520 --> 00:01:17,720 So let's go to our Kali machine now that we have this out of the way, and I've built out a script in
19 00:01:17,720 --> 00:01:20,000 Python that we're gonna use to fuzz.
20 00:01:20,060 --> 00:01:25,440 Let's go ahead and take a look at that script, so we're gonna get it.
21 00:01:25,440 --> 00:01:26,760 I call this one 1.py.
22 00:01:26,760 --> 00:01:29,170 You could do that as well.
23 00:01:29,300 --> 00:01:32,940 And if you want to pause the video now and write this out,
24 00:01:32,970 --> 00:01:34,230 copy this down,
25 00:01:34,290 --> 00:01:35,710 that's fine.
26 00:01:35,730 --> 00:01:39,010 You could also do it while I'm talking if you want to save some time.
27 00:01:39,060 --> 00:01:43,650 So I'm just gonna go line by line and kind of talk about this code, and then we'll see what it does.
28 00:01:44,250 --> 00:01:47,190 So from the top we're just declaring that it's Python.
29 00:01:47,190 --> 00:01:51,750 We're going to import a few modules here. We're going to import sys, socket, that way we can call
30 00:01:51,750 --> 00:01:54,640 out the specific IP and port.
31 00:01:54,690 --> 00:02:00,180 We're also going to import sleep, that way we can sleep it for a second before trying this process over
32 00:02:00,180 --> 00:02:01,490 again.
33 00:02:01,500 --> 00:02:07,470 So with those imports out of the way, what we're really focused on is we're declaring a buffer variable
34 00:02:07,470 --> 00:02:08,310 here, right.
35 00:02:08,340 --> 00:02:12,420 So this variable's called buffer, and inside buffer we have one hundred A's.
36 00:02:12,420 --> 00:02:14,520 We've got this A times 100.
37 00:02:14,520 --> 00:02:18,000 So what we're gonna do is we're going to say while true.
38 00:02:18,000 --> 00:02:20,520 So we're gonna loop this, right, we're gonna say while true,
39 00:02:20,520 --> 00:02:22,290 I want you to try something.
40 00:02:22,360 --> 00:02:26,030 We're gonna try, as in we're gonna try to connect to this socket, and the socket,
41 00:02:26,040 --> 00:02:27,600 all that is is this AF_INET,
42 00:02:27,600 --> 00:02:30,140 that's your IPv4, and the SOCK_STREAM,
43 00:02:30,150 --> 00:02:31,600 that's your port.
44 00:02:31,680 --> 00:02:34,590 So we're gonna say hey, let's connect to this IP address.
45 00:02:34,590 --> 00:02:38,800 Remember, this is my IP address from my Windows machine that's running vulnserver.
46 00:02:38,910 --> 00:02:42,000 So we're going to connect to this IP address, we're going to connect to this port.
47 00:02:42,450 --> 00:02:45,900 And then once we do that we're gonna send over a TRUN command.
48 00:02:45,900 --> 00:02:51,720 Remember we spiked the TRUN command, found it was vulnerable, and when we spiked it we looked at the
49 00:02:52,530 --> 00:02:56,850 registers, we actually saw this little bit of extra information here.
50 00:02:56,850 --> 00:03:01,950 So we've got this little command that goes after the TRUN that needs to go in there in order for the
51 00:03:01,950 --> 00:03:03,590 program to actually understand it.
52 00:03:03,600 --> 00:03:10,320 So that's why this has been added here. So we say hey, send over this message, send over TRUN and then
53 00:03:10,350 --> 00:03:12,380 also send over the buffer.
54 00:03:12,450 --> 00:03:14,960 So send TRUN with 100 A's.
55 00:03:14,970 --> 00:03:17,580 OK, then close out, close that connection.
56 00:03:17,580 --> 00:03:23,160 Go to sleep for a second, and then we're going to append to buffer another one hundred A's.
57 00:03:23,190 --> 00:03:28,080 So what we're gonna keep doing is, as long as there's a connection here, we're going to keep sending new buffers
58 00:03:28,590 --> 00:03:30,260 and it's gonna get bigger and bigger.
59 00:03:30,270 --> 00:03:36,660 So next time we're going to send two hundred, then we're gonna send 300, 400, etc. until this thing breaks.
60 00:03:36,750 --> 00:03:41,790 So what we're trying to do is we're trying to really narrow down where it's breaking, and at what specific
61 00:03:41,790 --> 00:03:42,950 byte size.
62 00:03:42,960 --> 00:03:45,280 So what we're doing here is we're going to fuzz it.
63 00:03:45,540 --> 00:03:51,660 And then once it breaks it should print out an exception that says OK, fuzzing crashed at X bytes, right.
64 00:03:51,660 --> 00:03:57,770 So let's go ahead and see what that's going to look like. So go ahead and save this file if you haven't
65 00:03:57,770 --> 00:03:58,990 already.
66 00:03:59,000 --> 00:04:04,580 One other important thing we need to do is we need to change the mode on this to execute. We'll say chmod
67 00:04:04,580 --> 00:04:07,840 +x 1.py.
68 00:04:07,850 --> 00:04:09,730 That way we can execute this.
69 00:04:09,950 --> 00:04:14,220 And just again to confirm, we've got Immunity running.
70 00:04:14,450 --> 00:04:18,890 So let's go ahead now and say 1.py,
71 00:04:22,110 --> 00:04:26,880 hit enter, and you should see the connections coming through here on vulnserver.
72 00:04:26,880 --> 00:04:30,780 So every time it's doing this it's sending a new one hundred bytes.
73 00:04:31,020 --> 00:04:32,970 We can watch Immunity for the crash.
74 00:04:32,970 --> 00:04:36,210 The crash should happen pretty quick.
75 00:04:36,210 --> 00:04:41,350 And then once it does you can kill the program, because sometimes it doesn't kill itself.
76 00:04:41,430 --> 00:04:42,570 So it's not the best.
77 00:04:42,570 --> 00:04:43,050 There we go.
78 00:04:43,050 --> 00:04:45,110 We've got no more connections.
79 00:04:45,220 --> 00:04:46,100 So let's go ahead,
80 00:04:46,110 --> 00:04:53,040 go into Kali, hit control C, and we crashed somewhere around twenty seven hundred bytes.
81 00:04:53,040 --> 00:04:55,110 Give or take. OK.
82 00:04:55,120 --> 00:04:56,970 So let's look at the crash.
83 00:04:57,140 --> 00:05:02,340 So again we see the crash came through, and we've got a bunch of A's sitting here.
84 00:05:02,450 --> 00:05:05,120 It didn't look like we actually overwrote the EIP.
85 00:05:05,150 --> 00:05:07,050 That's fine.
86 00:05:07,130 --> 00:05:11,680 We just need to know approximately where we crashed at.
87 00:05:11,720 --> 00:05:18,450 So we'll just call it, for even round numbers, that we crashed somewhere around three thousand bytes.
88 00:05:18,500 --> 00:05:23,180 So what we're gonna be doing in the next video is we're actually going to be finding where the EIP
89 00:05:23,180 --> 00:05:24,080 is at.
90 00:05:24,110 --> 00:05:29,930 So how we're gonna do that is we're gonna use a tool that's going to create these random, not really
91 00:05:29,930 --> 00:05:35,890 random, they're cyclical values that we're gonna send out, and then we're gonna say OK, where,
92 00:05:35,990 --> 00:05:42,130 what is the EIP value and where does it correspond in the specific number of bytes that we sent over.
93 00:05:42,140 --> 00:05:48,170 So remember, controlling this EIP value, let's go back to it, controlling this EIP value is what's the
94 00:05:48,170 --> 00:05:51,420 most important. Once we can control the EIP value,
95 00:05:51,500 --> 00:05:57,470 we do a little bit of housekeeping in our exploit development process, and then we point this guy to
96 00:05:57,470 --> 00:05:59,420 our malicious code and we get root.
97 00:05:59,420 --> 00:06:02,130 So we want to see EIP, we want to control it.
98 00:06:02,270 --> 00:06:05,450 And in the next couple of videos we're going to learn how to do just that.
99 00:06:05,480 --> 00:06:09,700 So I will catch you over in the next video when we cover finding the offset.