FUZZING FOR BEGINNERS (KUGG teaches STÖK American fuzzy lop)

00:00

hi I'm stick and today I'm gonna learn

00:04

something new and for this reason I

00:07

brought on Christopher yeah also known

00:10

as cook to help me understand the

00:14

beginner's guide to fussing or a mean

00:18

audience in a beginner's guide but it's

00:20

gonna be an introduction to using AFL

00:22

thank you so far

00:24

hi I'm cook hi cook cook instead show

00:28

yeah so we you and I outside of this

00:33

camera

00:34

situation has had been has been playing

00:37

around a little bit with fussing and I

00:39

kind convince you to get on here and

00:43

teach me and others how this actually

00:45

works and talk a little bit about

00:46

fussing so without any further ado

00:49

please take it away

00:51

all right so today we're gonna play with

00:53

AFL AFL is fast testing tool and it's a

00:59

method to find bugs in binary programs

01:03

fussing is sending a lot of like

01:05

requests into something right is that

01:08

the idea yeah so you have an original

01:12

input in a dictionary of possible inputs

01:15

and then it's taking that original thing

01:18

and transforming it every time it runs a

01:21

new iteration and it runs thousands of

01:24

iterations every second so this is

01:27

automation yeah definitely you have to

01:29

automate it otherwise it won't work okay

01:34

show us how you did it okay so

01:38

essentially when you want to do this

01:40

when you want to run AFL you have to use

01:43

a compiler so compiling software you do

01:49

it with in Linux you do it with GCC

01:52

normally and GCC is by the compiler

01:57

program called make or make file sis is

02:00

define an environment variable called CC

02:02

so CC equals GCC is an environment

02:06

variable that's automatically assumed

02:07

every

02:08

you do a compilation and compiling

02:11

programs means to take all that C code

02:13

and turn it into turn it into a binary

02:18

program cool with AFL you're going to

02:21

replace GCC with with your thing so our

02:26

thing is AF - GCC and setting that

02:33

environment variable we can now compile

02:36

the program with something called

02:39

instrumentation built-in and that means

02:41

that it's changing the code that you're

02:43

building so that every time it comes the

02:46

program turns into a certain state then

02:49

that's registered by something called

02:50

the instrumentation instrument or the

02:52

instrumentation state oh cool right so

02:55

having instrumentation means that you

02:59

can know what's going on inside of the

03:01

program when you run it and this is a

03:03

really nice feature with a FL that other

03:06

Foster's aren't that good at and that

03:09

means that if al can understand when you

03:12

have reached into a point that you're

03:15

interested in reaching say you want to

03:18

you want to break a certain point in a

03:21

certain place than a FL will know if you

03:23

are there so it's some kind of break

03:25

points so taking its just measuring all

03:28

the time like where are you in the code

03:30

and if something breaks breaks it's

03:32

gonna know instantly yeah yeah it's

03:34

definitely like a break point I think

03:37

this is more more what you could call a

03:39

function hook where you take a regular

03:41

function you put yourself in a place of

03:43

it and and that's something that it can

03:46

put into some kind of a live

03:48

documentation that it's understanding

03:51

and learning from that so it's a sort of

03:53

a self learning program cool so once you

03:57

have compiled your program you can start

04:00

it using the AFL foster that looks a bit

04:04

like this AFL fuss is name of the

04:07

program you want to run efl by the way

04:09

is a program that you can download using

04:11

apt-get install AFL that's it

04:14

so it's it's super easy to set up just

04:17

get started and yeah now you're up and

04:19

running on different CPUs you have some

04:22

different tuning options that you want

04:24

to set and those tuning options is

04:26

something that AFL will tell you what to

04:29

do with so you can adapt to multiple

04:31

cores and you can do different things

04:33

but it depends on your architecture

04:35

we've already done this but if I will

04:37

tell you exactly what you need to do for

04:39

your CPU cool so the - I argument it

04:45

gives you the inputs to the program and

04:48

we're gonna take a look at the input to

04:50

this program because we are today

04:52

fussing HTTP server no I got cool and

04:55

the HTTP server we are fussing we did

04:58

one more take with this last week and we

05:01

are ready to publish it when we realize

05:03

that we have found this here today and

05:04

we had to report it and that meant that

05:06

we couldn't really publish it at that

05:08

time right so this is the second

05:10

recording for that obviously yeah when

05:13

you financier days do during your

05:16

fussing sessions it's a good thing to

05:19

report those yeah so we're gonna show

05:22

you how we found that Saturday but we're

05:23

not going to show you what program it's

05:25

in but it's a HTTP server we'll give you

05:27

that much so if you look it into the

05:31

input directory I have a default

05:33

configuration file that sort of looks a

05:35

bit this is this a fake configuration

05:38

folder I wrote it's this similar to the

05:41

default file where the domain domain

05:44

name is f-secure comm which is my my

05:47

employer the the configuration file is

05:49

pretty straightforward we are today

05:53

going to fuss the configuration file

05:55

parser and the reason why we want to

05:58

fastest parser is because we are

06:00

assuming that an attacker has arbitrary

06:03

write access but once the escalator

06:06

privileges to root or get access to

06:09

whatever that server is is doing and

06:12

since you have write access if you write

06:14

to that configuration file something

06:16

arbitrary and bad

06:17

then maybe you can make the process

06:19

crash and if the process crashes then

06:22

you can overwrite this memory and that's

06:23

what we're gonna try to do or already

06:25

used wait for it let's say that we had a

06:27

malicious conferral that we created and

06:30

uh well we would use do is to either use

06:33

crash the daemon itself right or or just

06:36

wait for it to reboot and then hopefully

06:38

you know nobody's noticing what's going

06:40

on in wala suddenly we have root axes

06:43

yeah exactly

06:45

and in this case the input to a FL is

06:49

that configuration file so the default

06:53

the default configuration file is pretty

06:57

much what we need as an input as an

07:01

output output in this case is a

07:03

directory where a FL is syncing whatever

07:06

it's doing with other processes so if

07:09

you run this with multiple course you

07:11

can synchronize that output using the

07:13

output directory and this is something

07:16

that you can synchronize between

07:18

multiple machines even so if you're

07:20

having a cluster running it and you want

07:22

all these machines to know what's going

07:25

on

07:25

that's good things just meant can you

07:28

map this over network or is that not

07:30

recommended yeah you can so what what

07:34

the master process does is it

07:36

synchronizes multiple slaves using the

07:39

output directory and then it gives the

07:41

slaves a queue of things to do so if

07:44

there is a certain lag between the

07:46

machines that queue will sort of work

07:49

itself out so as long as the lag is not

07:51

longer than the queue then the slaves

07:53

will have something to do to do until

07:55

the master realizes that this is where

07:58

we want to go with with the fussing so

08:01

all the directory is pretty important it

08:03

also contains wherever our like crashes

08:07

and things that we found out during the

08:09

this attempt is going to end up in the

08:10

output directory

08:11

oh cool I got a question though and I

08:14

know last time we talked a little bit

08:15

about it we and it didn't really strike

08:19

me self out for me but you've mentioned

08:20

that it would be a good idea to not run

08:23

this on SSD drives right so the output

08:26

directory is some directory that is

08:29

written to a lot of times so it's

08:31

written for every single instance in my

08:34

case is writing 2000 times every second

08:38

and that means a lot of Rights and for

08:41

an SSD that can be a bit harmful SSDs

08:44

are are not always ready to handle that

08:46

much data and it can wear them out

08:48

quickly and therefore there is something

08:50

called tmpfs which is like what do you

08:53

have in /tmp in your machine where you

08:55

can write as many times as you like

08:57

because it's on the RAM and it's all

08:59

very quick so so we have the input which

09:02

is the config file actually we can have

09:04

a directory full of inputs so if we had

09:06

a bunch of other bunch of other config

09:10

files there that would be fine and that

09:12

gives a file inspiration to how to

09:15

destroy things oh okay so it's fetching

09:18

all this other stuff as well and yes

09:20

thinks about maybe this you can put

09:22

random data in there and you can put

09:24

legitimate data in there eventually AFL

09:28

will figure out what type of data this

09:30

program wants

09:32

so it's or doesn't want so the next

09:34

argument for AFL is to type in hd-dvd

09:38

and that's the name of the server that

09:41

we are fussing and there C is the

09:46

arguments for a config file and then we

09:48

type in at-at-at that is the variable

09:50

where EFL will input the forcing

09:54

mechanism so this is where it will go

09:55

and attack so if we run this it's going

09:58

to initiate by trying to find basic

10:02

paths into the program and just try to

10:05

understand the program and now it's

10:06

started and even like in the first

10:10

second here we found a crash and when

10:12

this turns red and it says one unique

10:14

crash then we have essentially we have

10:17

the beginning of a CRT

10:19

because this is yeah and that's not the

10:24

time it takes to sometimes there's the

10:26

second one

10:28

and so now we're running in two thousand

10:32

attempts a second you can I mean you can

10:35

scale this as much as you want to if you

10:37

have more course you can scale this much

10:39

much faster and if you do that then you

10:42

can find more bugs basically and if you

10:46

are pressed with time let's say that

10:49

you're a developer and you want to test

10:50

your own software then maybe you want to

10:52

do this in the cloud or you run it on

10:54

multiple cores and you get it up to

10:56

maybe thirty thousand twice a second

10:58

because that's gonna take the tax base

11:01

or make it much shorter absolutely it's

11:05

like if you can run this like not just

11:08

one time faster like ten or twenty times

11:10

faster yeah horse you're gonna save like

11:12

a lot of time where it yeah isn't it

11:14

gonna be like very CPU intensive and

11:16

very expensive that if you let's say

11:19

you're putting it in a cloud storage

11:20

somewhere yeah I mean it uses only CPU

11:23

so if you have a story solution where

11:27

where CPU is cheap and the rest is

11:29

expensive then that's fine

11:31

but but it's using a lot of CPU and

11:34

somewhat a bit of network if you have it

11:37

networked but but it's only using as

11:41

much as you allow it to use so you can

11:43

make it make it crash and hang in

11:45

different different ways

11:47

damn it that means that I'm gonna have

11:50

to buy back all my old rack servers now

11:52

again yeah yeah so CPU cost nothing if

11:56

you own the server if you have your own

11:58

servers and this is what they're for

11:59

right used abuse for cracking and CPUs

12:02

for fussing yeah oh man oh man so right

12:06

now we're running on 12% of the CPU that

12:10

means in this case that we're running on

12:12

bond core only which is enough for our

12:14

example and in another caste we can show

12:17

maybe how to increase that number

12:19

because if you use more than or up to a

12:22

hundred percent of the CPU that means

12:24

all course then you can then you can

12:28

make a lot of damage

12:30

hey let's do that that would be exciting

12:33

but and it's this ever going to stop

12:38

though or or it doesn't ever feel like

12:42

I'm done now this this never exhausts

12:45

because it actually has ways of muting

12:50

the output and coming up with new ideas

12:51

until forever so I think this can pretty

12:55

much go on forever in this case but you

12:59

can exhaust the search space for a given

13:02

input so imagine you have you know that

13:05

a program only takes true or false as an

13:07

argument then that search space will be

13:11

exhausted pretty quickly and the program

13:13

will just run on hot fuse basically cool

13:16

so we we currently have two crashes what

13:22

does that really mean like what do one

13:24

simply do with the crashes yeah so now I

13:27

interrupted the program typing control-c

13:29

and it says we're done have a nice day

13:31

thanks and I'm done too right so now we

13:34

have the output directory let's take a

13:35

look at that so in the output directory

13:38

you can see the crashes directory the

13:40

first bitmap that gives an information

13:42

about where in RAM are we at this point

13:45

statistics hangs that's an option to

13:48

crashes so the hang is when a program

13:50

doesn't finish in a given certain time

13:52

so you put a timeout on a program you

13:55

can assume that it's not supposed to

13:57

hang until this or that or it's supposed

13:59

to finish before that's the particular

14:01

time and and every input that exceeds

14:04

that ends up in hang block data don't

14:08

know the queue is where the next input

14:11

is queued let's look at the queue yet

14:13

for now because this is pretty pretty

14:15

interesting so looking at what it's

14:17

doing it shows the original file in the

14:20

queue where it started and then it shows

14:21

where it's at so right now this queue

14:24

data here is on position 25 and it's

14:26

flipping one bit and

14:29

we can look at what that looks like it

14:31

pretty much looks like a shorter version

14:33

of the previous file it's flip flip flip

14:36

they stopped what it did previously and

14:38

every time it does this it learns that

14:41

parsing the config file at this point

14:44

gave that output and config parsing the

14:46

config file it and another point Kay

14:48

gave something else in terms of of we're

14:51

in the matheletes ending up let's move

14:54

into the crashes directory because

14:56

that's what you wanted to see right

14:57

whoopsie yep

14:58

so there is a readme file and this

15:01

readme file is pretty good the readme

15:03

file shows what you actually ran to find

15:06

this bug and that's something that you

15:10

can give to a to a organization that the

15:15

dust is testing so that they can

15:17

actually know what's going on I mean if

15:20

they want to reproduce this bug then

15:22

then it's good to have that command line

15:24

saved so this entire directory is

15:27

relevant for anyone who wants to

15:28

reproduce it cool inside of here we have

15:33

the config file that caused the crash so

15:37

this is a config file that has a

15:38

character called 8a in it and that's

15:43

like a non ASCII character maybe that's

15:45

the reason white crashed maybe there is

15:47

another reason it says that the log

15:49

access file is called hard bracket that

15:52

looks kind of weird as well and the doc

15:55

index has bracket as well maybe that's

15:57

not it we don't know exactly but we can

16:00

find out eventually we can look at the

16:02

other file for now so this is two files

16:05

representing two different crashes

16:09

all right so this is a weird one and

16:12

weird is good the weirder the better

16:15

yeah so now it's actually advantage to

16:18

produce this kind of a string here where

16:20

it says TMM Vernis whatever that means

16:23

yeah and that's yes the the machine

16:26

talking and in other cases woman when I

16:30

did fussing with with pictures before I

16:32

started with basically an empty file and

16:34

it actually managed to produce in a few

16:37

days it managed to produce a valid JPEG

16:41

header by us looking at the reaction

16:43

from the programs like if I want to get

16:45

a step further I have to type in this in

16:47

this position oh cool so here it's

16:50

actually created the image for you yeah

16:53

yeah and that's built it up yeah that's

16:56

the definition of mutation right cool so

17:01

this is a configuration file that also

17:04

causes a crash and there's also non

17:06

ASCII characters in a comment on the

17:09

last line maybe that has something to do

17:11

with it I'm not exactly sure yet so I'm

17:13

gonna back out to this directory where

17:17

the HTTP server was yeah and now I'm

17:20

gonna run gdb and gdb sounds for annuity

17:23

bugger it's if you are into CTF or any

17:30

type of security research gdb is a good

17:32

tool to know it's older than me and it

17:35

has a lot of good plugins for its that

17:39

can enable you to write exploits later

17:41

cool so we're gonna run gdb on httpd

17:46

which is the name of the server and

17:48

right now I didn't compile it with the

17:51

bug symbol so it's not super easy to

17:53

find out what I what's going on but if I

17:55

have debug symbols on it's going to tell

17:57

me on what line in the code the bug

18:00

exists which is pretty nice sorry I'm

18:03

gonna set up an argument which is - see

18:09

this is the configuration I do for the

18:12

programs I typeset args - C and then

18:16

output crashes and then I paste in the

18:19

name of that file the second file that

18:21

cost a problem for us

18:24

so this is now the configuration file of

18:27

the program at this point I can set up a

18:30

breakpoint myself if I happen to know

18:32

what I'm going for if there's something

18:34

in particular I'm interested in but yet

18:36

right now I don't know so now I can run

18:38

some people put the breakpoint on main

18:40

for instance which is usually a function

18:43

that starts initially in the pro in the

18:45

program in this case I know there is no

18:47

main function so it's not gonna work the

18:49

main function doesn't work necessarily

18:51

the way I wanted to but you can put the

18:53

breakpoint on either and offset into the

18:55

file or into a function that you think

18:58

caused the crash this is much easier to

19:00

do if you have debug symbols on so if I

19:04

type on run right now then you'll see

19:08

that there is a segmentation fault and

19:10

this is not supposed to happen normally

19:12

like a program is not supposed to seg

19:14

fault every time it reads the cosmic

19:16

file then you have a serious

19:18

vulnerability in this case this is a

19:21

vulnerability where we are running as an

19:23

unprivileged user writing to a config

19:25

file right and the service is reading

19:29

that config file and it's corrupting

19:31

memory causing a seg fault somehow yes

19:35

and it's doing it as root because root

19:37

is needed to start this service and bind

19:40

port 80 and this is running as root

19:42

initially and then when it's running

19:45

it's it's crashing and I have Minkoff

19:48

all of the memory so that's a privilege

19:50

escalation on the kind of suite and and

19:55

here we can do a back trace

19:56

oops sorry a back trace where it shows

20:03

the states of of the program and you can

20:07

look into the info about the registers

20:10

that you're dealing with right now

20:14

no idea

20:16

I'm sorry about that there are more

20:18

tutorials that can go into depth and

20:20

show how to do this the exploitation and

20:23

proof of concept state because what we

20:25

have right now is a crash right we have

20:27

a denial of service vulnerability that's

20:29

local by the way but it's still

20:31

something after this point in time we

20:34

start figuring out why is the return

20:36

winter here at this point why is it

20:38

there what happened how did it secure if

20:42

we do that using gdb we can start

20:45

figuring out writing a proof-of-concept

20:48

exploit have you done osip by the way

20:51

the buffer overflow part is very much

20:53

like this right so this is exactly

20:56

that's that you have to do at this point

20:59

you can you can input a certain pattern

21:01

into the program see if that pattern

21:04

reoccurs and if you do that you can see

21:06

where this is a memory and what you were

21:08

able to overwrite using the original

21:10

config file that we looked at and this

21:13

is pretty much how you say a file that's

21:16

amazing so the whole idea with AFL is

21:18

for us to by automation and a little bit

21:21

of and I wouldn't called ai but at least

21:23

a little bit of learning that it learns

21:26

what's going on in the process and then

21:28

when it crashes its try to replicate it

21:30

and see what happens again again again

21:32

again until you know whatever kind of

21:34

break it then this happens and it

21:37

outputs that file and that's where the

21:38

exploitation creation begins right yeah

21:42

we're we're people this is where when

21:44

people write exploits this is what they

21:46

do

21:46

yeah and this is how you this is how you

21:49

find a bug and and this is something

21:52

that I already in this point

21:54

reported to the vendors I told the HTTP

21:58

server vendor what the bug was about how

22:00

it was found what the stack looked like

22:03

by using gdb and gave the core dump file

22:06

to them so they could reproduce that bug

22:08

in their local environment and see that

22:09

this is a problem that's very

22:11

responsible of you I'm I'm very proud in

22:15

bug bounty do you think this is useful

22:18

for you maybe it's not this situation

22:21

because in bug bounties you don't if you

22:26

get this far you report it and get out

22:29

right you can touch just a part of it

22:33

this that's that's game over you've done

22:35

your work you don't privilege escalate

22:38

further on you might just be doing it in

22:40

pen testing my buddy bounties you don't

22:42

do it but I see other areas where this

22:45

can be very interesting like there's

22:47

file formats there's

22:49

different other servers parsers and

22:52

things that are being used by our

22:54

industry that if you can find an exploit

22:57

or something that breaks that that could

22:59

turn into I don't know a DOS or some

23:02

kind of other this configuration

23:04

happening maybe I don't know maybe even

23:06

a little bit of memory leak if you're

23:07

lucky right so I mean if you have an

23:10

input like a sip file or a JavaScript

23:13

parser or something where you can upload

23:15

maybe a HTML document that's key

23:17

getting parsed or CSS getting parsed or

23:21

maybe maybe a video file or something

23:24

mm-hmm there's there's all these parsers

23:28

out there that that's gonna have to deal

23:30

with and I know you and I have been

23:33

goons and reaches research on this and

23:35

eventually yeah I would recommend anyone

23:39

to to you at least started to doing a

23:41

little bit of fussing I think it's super

23:43

super fun and and so rewarding when you

23:46

see that crashes sign coming up you're

23:48

like yeah so I mean it's it's so easy to

23:52

get started with and the types of bugs

23:54

you find you can use them on the large

23:58

scale for much longer time because this

24:01

low-level level programs are reused

24:03

identically on multiple platforms I mean

24:07

so imagine that you we were playing with

24:09

a media transformation for Matt I found

24:12

the bug the other week and that's

24:14

something you can reproduce forever you

24:16

know like it's reported and all and they

24:19

don't seem to want to fix it because

24:20

it's just a hang and not a crash I was

24:23

like okay fine so then you can use that

24:26

to identify this media transformer tool

24:28

well all this is super interesting but

24:31

could you've been you've been doing this

24:33

for a while and I know you got some aces

24:36

up your sleeve can you tell us a little

24:38

bit more about that so we're setting up

24:40

we're setting up in web casts where you

24:43

can follow along and live answer and ask

24:46

questions how to get a get started with

24:49

fussing and if you have getting got

24:52

stuck recently with it you can get help

24:54

there in the web cast and it's on a

24:56

secure Labs where me my colleagues

24:59

publish lots of talks of

25:02

we're doing basically that's amazing so

25:05

so it's going to be a community-based

25:07

thing that if security is doing to get

25:10

more people into fussing yes so this is

25:12

the f-secure lab channel on youtube and

25:14

it's it's available to anyone who wants

25:17

to wash it that's amazing

25:20

god damn it I learned something new

25:21

today as well and and I'm gonna be a

25:24

huge fan of the channel of course I'm

25:26

gonna glue myself to that so thank you

25:29

very much for taking your time and

25:31

learning me or teach me about AFL thanks

25:35

for for joining in guys so this is it's

25:37

really fun to teach and thank you stuck

25:40

for having me appreciate it

25:41

awesome a my bike

25:44

[Music]

25:54

[Music]