Introduction to Spike - Computer Network - Lecture Slides, Slides of Computer Networks

Introduction to SPIKE, Fuzzer Creation Kit, Demo and Vulnerability, Using the SPIKE API, Samples included with SPIKE, How the SPIKE API works, SPIKE Datastructure and many other topics of Computer Network can be found in my documents.

Typology: Slides

2011/2012

Uploaded on 11/09/2012

bacha


An Introduction to SPIKE,

the Fuzzer Creation Kit

Agenda

Demo and Vulnerability

Theory

● Goals

● Using the SPIKE API

● Useful samples included with SPIKE

Questions throughout and at end

“I used to laugh at fuzzers, but then you changed my whole outlook on life!”

Theory

SPIKE is a GPL'd API and set of tools that allows you to quickly create network protocol stress testers

Most protocols are built around extremely similar data formatting primitives

Many of these are already supported in SPIKE

Others soon will be. :>

Fes: “I'm always surprised at how effective fuzzers actually are!”

The Goals of SPIKE

Find new vulnerabilities by

● Making it easy to quickly reproduce a complex binary protocol

● Developing a base of knowledge within SPIKE about the different bug classes affecting similar protocols

● Testing old vulnerabilities on new programs

● Making it easy to manually mess with protocols

The SPIKE Datastructure

A SPIKE is a kind of First In First Out Queue or “Buffer Class”

A SPIKE can automatically fill in “length fields”

● s_size_string("post", 5);

● s_block_start("post");

● s_string_variable("user=bob");

● s_block_end("post");

Length Fields

Length fields come in many varieties

● Word/halfword/string

● Big endian, little endian

More than one length field can “listen” for a particular block to be closed

Blocks can be nested or intertwined
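The buffer-with-length-fields idea from the two slides above (the SPIKE datastructure and Length Fields), as an added example: a small C re-implementation written for this page, not SPIKE's own code. Every `sk_*` name, the `sk_spike` struct and the demo packet are ours; the real SPIKE calls the slides name (s_size_string, s_block_start, s_block_end) are only mirrored in role. It builds the slide's `post` example inside an outer `msg` block that has two length fields listening for it, one big-endian and one little-endian, and lets blocks close out of order (intertwined), which is what makes the length bookkeeping non-trivial.

```c
/* Added example, not SPIKE's own code: a minimal re-implementation of the slides'
 * "buffer with self-filling length fields". Every sk_* name is ours, not the SPIKE API. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SK_MAX_BUF 4096
#define SK_MAX 16          /* max pending length fields and max open blocks */
#define SK_NAME_LEN 32

/* Length-field varieties named on the slides: byte/halfword/word, either endian, decimal string */
typedef enum { SK_U8, SK_U16_BE, SK_U16_LE, SK_U32_BE, SK_U32_LE, SK_DECIMAL } sk_size_kind;
typedef struct { char name[SK_NAME_LEN]; size_t offset; sk_size_kind kind; size_t width; } sk_size_field;
typedef struct { char name[SK_NAME_LEN]; size_t start; } sk_block;
typedef struct {
    uint8_t buf[SK_MAX_BUF]; size_t len;              /* the FIFO "buffer class" */
    sk_size_field pending[SK_MAX]; size_t npending;   /* fields waiting for their block to close */
    sk_block blocks[SK_MAX]; size_t nblocks;          /* currently open blocks */
} sk_spike;

static sk_spike *sk_new(void) { return calloc(1, sizeof(sk_spike)); }
static void sk_free(sk_spike *s) { free(s); }

/* Append raw bytes (the role of s_binary()/s_string()); returns 0 on overflow. */
static int sk_push(sk_spike *s, const void *p, size_t n) {
    if (s->len + n > SK_MAX_BUF) return 0;
    memcpy(s->buf + s->len, p, n); s->len += n; return 1;
}
static int sk_string(sk_spike *s, const char *str) { return sk_push(s, str, strlen(str)); }

/* Reserve a placeholder for a length field that "listens" for block `name`. Several
 * fields may listen for one block. `width` (digits) is only used for SK_DECIMAL. */
static int sk_size(sk_spike *s, const char *name, sk_size_kind kind, size_t width) {
    uint8_t pad[16];
    if (kind != SK_DECIMAL) width = kind == SK_U8 ? 1 : (kind == SK_U32_BE || kind == SK_U32_LE) ? 4 : 2;
    if (s->npending >= SK_MAX || width == 0 || width > sizeof pad) return 0;
    sk_size_field *f = &s->pending[s->npending];
    snprintf(f->name, SK_NAME_LEN, "%s", name);
    f->offset = s->len; f->kind = kind; f->width = width;
    memset(pad, kind == SK_DECIMAL ? '0' : 0, width);   /* placeholder until the block closes */
    if (!sk_push(s, pad, width)) return 0;
    s->npending++; return 1;
}

static int sk_block_start(sk_spike *s, const char *name) {
    if (s->nblocks >= SK_MAX) return 0;
    snprintf(s->blocks[s->nblocks].name, SK_NAME_LEN, "%s", name);
    s->blocks[s->nblocks++].start = s->len; return 1;
}

/* Encode `n` into a reserved placeholder; 0 if a decimal field has too few digits. */
static int sk_write_size(sk_spike *s, const sk_size_field *f, size_t n) {
    uint8_t *p = s->buf + f->offset;
    if (f->kind == SK_DECIMAL) {
        char tmp[32]; int w = snprintf(tmp, sizeof tmp, "%0*zu", (int)f->width, n);
        if (w < 0 || (size_t)w != f->width) return 0;    /* value needs more digits than reserved */
        memcpy(p, tmp, f->width); return 1;
    }
    int be = f->kind == SK_U16_BE || f->kind == SK_U32_BE; /* big-endian: high byte first */
    for (size_t i = 0; i < f->width; i++) p[i] = (uint8_t)(n >> (8 * (be ? f->width - 1 - i : i)));
    return 1;
}

/* Close the most recently opened block called `name`, fill every field listening for it
 * and return the block length, or -1 if no such block is open or a field cannot hold it.
 * Blocks opened after it stay open, so blocks may be nested or intertwined. */
static long sk_block_end(sk_spike *s, const char *name) {
    size_t i = s->nblocks, kept = 0, n;
    while (i > 0 && strcmp(s->blocks[i - 1].name, name) != 0) i--;
    if (i == 0) return -1;
    n = s->len - s->blocks[i - 1].start;
    memmove(&s->blocks[i - 1], &s->blocks[i], (s->nblocks - i) * sizeof(sk_block));
    s->nblocks--;
    for (size_t j = 0; j < s->npending; j++) {
        if (strcmp(s->pending[j].name, name) != 0) { s->pending[kept++] = s->pending[j]; continue; }
        if (!sk_write_size(s, &s->pending[j], n)) return -1;
    }
    s->npending = kept; return (long)n;
}

/* Constructed demo: the slide's "post" example inside an outer "msg" block whose length
 * is emitted twice (big- and little-endian), i.e. two fields listening for one block.
 * Copies the packet to `out` and returns its length, or -1 on error. */
static long build_demo_packet(uint8_t *out, size_t cap) {
    sk_spike *s = sk_new(); long n = -1;
    if (!s) return -1;
    if (!sk_size(s, "msg", SK_U16_BE, 0) || !sk_size(s, "msg", SK_U16_LE, 0)) goto done;
    if (!sk_block_start(s, "msg") || !sk_size(s, "post", SK_DECIMAL, 5)) goto done;
    if (!sk_block_start(s, "post") || !sk_string(s, "user=bob")) goto done;
    if (sk_block_end(s, "post") < 0 || sk_block_end(s, "msg") < 0 || s->len > cap) goto done;
    memcpy(out, s->buf, s->len); n = (long)s->len;
done:
    sk_free(s); return n;
}

int main(void) {
    uint8_t pkt[64]; long n = build_demo_packet(pkt, sizeof pkt);
    for (long i = 0; i < n; i++) printf("%02x ", pkt[i]);   /* 00 0d 0d 00 then "00008user=bob" */
    printf("\n"); return n < 0;
}
```

The placeholder bytes are written at the moment the size call is made, so the packet keeps its shape while later calls append to it; the value is only known once the named block closes, which is why the field records the block name rather than a length. The decimal variant refuses to fill when the length needs more digits than were reserved, since silently truncating a length field would produce a packet that looks valid but is not the one you think you are sending.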

Setting up/destroying a SPIKE

Global variables you have to deal with:

● set_current_spike(struct spike *);

● spike_clear();

Malloc fun

● spike_new();

● spike_free();

Network SPIKE calls

Basic TCP connectivity

● spike_tcp_connect(host,port);

● spike_send();

● spike_close_tcp();

Basic UDP Connectivity

● spike_udp_connect(host,port);

● spike_send();

Advantages to using SPIKE’s fuzzing framework over a Perl script

Size values will automatically get updated

Can handle binary data cleanly via s_binary();

Already knows about many different types of interesting strings to use for fuzzstrings

Integrates cleanly with libntlm or other GPL’d libraries in C for doing encryption or other things for which you don’t already have Perl modules

The Process of Using SPIKE on an unknown protocol

Use Ethereal to cut and paste the packets into s_binary();

Replace as much of the protocol as possible with deeper level spike calls

● s_xdr_string(); s_word(); etc.

Find length fields and mark them out with size calls and s_block_start(), s_block_end();

Make sure protocol still works :>

Integrate with fuzzing framework (2 while() loops) and let the SPIKE fuzzer do the boring work

Manually mess with the packets to see if you can cause any aberrant behaviour (attach OllyDbg first)

Write up the exploits

Current Demo SPIKEs

Web Focused

MSRPC protocol support

Miscellaneous other demos

SPIKE Programs for non-Web Apps

msrpcfuzz

Citrixfuzz

Quake, Half-Life (UDP demos)

SPIKE Programs for Web Apps

ntlm2/ntlm_brute

webmitm

makewebfuzz.pl

webfuzz.c

closed_source_web_server_fuzzer

generic_web_server_fuzz

ntlm_brute and ntlm

Tries to do a dictionary attack on NTLM-authenticating web servers

Somewhat slow but easy to parallelize

Very simple to use with provided do_ntlm_brute.sh

ntlm2 is useful for doing “webfuzz” activity on a page that requires NTLM authentication