Picking up where Taof left off with Python – fuzzing the vulnerable FTP server

We configured Taof to fuzz on the USER anonymous request sent to the 3Com Daemon, and we watched it crash. We know what both ends saw, but we need to understand what happened on the network. There's no better tool than Wireshark for this task. Set up a sniffing session and then run the test again. Filter for the FTP traffic and take a look at the conversation:

Note that after the three-way TCP handshake is completed and the connection is thus established, the very first communication comes from the server in the form of an FTP 220 message. The client fires back the USER anonymous request, and as expected from any FTP server, a 331 comes back. After the PASS command, we get a 230 (if the server allows anonymous logins, of course). Don't fall asleep on me – this particular sequence is important for us because we're constructing the socket in Python. As you may recall from Chapter 9, Weaponizing Python, we connected to a server with our newly created socket and initiated the communication.

We have to tell our script to wait for the server's greeting before we send anything. What's going to save us a lot of time is the fact that our fuzzer crashed the server with the USER anonymous request – that's only the second packet in the established session! Thus, we can get away with one tiny little script – 10 lines, in my case. (Forget the final status message and put the fuzzing payload into the webclient.send() function, and you're down to eight lines.) Let's take a look:

#!/usr/bin/python
import socket
webhost = "192.168.63.130"   # lab address of the 3Com Daemon
webport = 21
fuzz = '\x7a' * 10           # ten bytes of 0x7a ('z') appended to the USER command
webclient = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
webclient.connect((webhost, webport))
webclient.recv(512)          # block until the server's 220 greeting arrives
webclient.send("USER anonymous" + fuzz)
print " *** Payload sent! *** "

This adorable little program should look familiar. The difference here is very simple:

  • Our first order of business immediately after establishing the TCP session is to receive a message from the server. Note that there is no variable set up for it; we're simply telling the script to receive a maximum of 512 bytes but we're not provisioning a way to read the received message.
  • We send exactly what the server expects: a USER anonymous request. We're building a fuzzer, though, so we concatenate the string stored in fuzz.
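
As an added example (Python 3, not the book's own script), here is the same exchange run offline against a constructed mock FTP server on localhost: the client blocks on the 220 greeting before sending anything, then reports the reply code it got back, or None when the server dropped the connection instead of answering. The mock's USER length limit (MAX_USER_LEN) is an assumption for illustration, not the 3Com Daemon's real behaviour.

```python
import socket
import threading

# Constructed threshold so the mock has something to "crash" on; assumed, not real.
MAX_USER_LEN = 64

def mock_ftp_server(listener):
    """Greet with 220, answer USER/PASS, and drop the connection on an oversized USER."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mock FTP ready\r\n")      # server speaks first
        while True:
            line = conn.recv(1024)
            if not line:
                return
            cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
            if cmd.upper() == b"USER":
                if len(arg) > MAX_USER_LEN:
                    return                          # simulated crash: close without replying
                conn.sendall(b"331 Password required\r\n")
            elif cmd.upper() == b"PASS":
                conn.sendall(b"230 Logged in\r\n")
            else:
                conn.sendall(b"502 Not implemented\r\n")

def send_user(host, port, fuzz):
    """Wait for the banner, send USER anonymous+fuzz, return (banner_code, reply_code)."""
    with socket.create_connection((host, port), timeout=2) as client:
        banner = client.recv(512)                   # do not send before the 220 arrives
        client.sendall(b"USER anonymous" + fuzz + b"\r\n")
        try:
            reply = client.recv(512)                # b"" means the server closed on us
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return banner[:3].decode(), reply[:3].decode() or None

def run_case(fuzz):
    """Start a fresh mock on an ephemeral port and run one payload against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=mock_ftp_server, args=(listener,), daemon=True)
    worker.start()
    try:
        return send_user("127.0.0.1", port, fuzz)
    finally:
        worker.join(timeout=3)
        listener.close()
```

A normal payload yields ("220", "331"); one past the mock's limit yields ("220", None), which is the "no reply, connection gone" signal a fuzzer logs as a suspected crash.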

Now, I was considering telling you about the logs that Taof creates in its home directory so you can see the details of what the fuzzer did and when it detected a crash – but I won't. I'll leave it to you to find out what inputs it takes to crash the server.
