Ultra-simple Overflow Vulnerability Mining Technology Fuzzing

Source: Internet
Author: User
Tags: integer numbers

The origin of Fuzzing
 
Just as Watt invented the steam engine to free us from manual labour and increase productivity, some outstanding hacker invented the Fuzzing technique while studying vulnerability mining. It can be said that this is a very fast and effective mining technique. The concept of Fuzzing is to use "brute force" to automate the testing of the target program, and then monitor and check its final results: if they meet certain conditions, the program may have some vulnerability or problem. Here "brute force" does not mean force in the usual sense, but that we continuously send or input data in different formats to test the response of the target program.
Why Fuzzing test?
When we look for overflow vulnerabilities, we often repeatedly feed the target program string variables of different lengths to test whether the target program has an overflow vulnerability.
Fuzzer
A Fuzzer is a tool used for Fuzzing. The categories listed here are only the common ones; the uncommon Fuzzer types are determined by the nature of the specific target program. In the categories listed below, many Fuzzer programs have already been implemented by well-known hackers or security companies, and their results are widely recognized. If you want to use Fuzzing to discover software vulnerabilities, you can use these well-known Fuzzer tools to help you achieve what you want.
Classification of Fuzzing tools
File Type
File-type Fuzzers target programs that take a file as input.
1. For files with a readable format, you can change specific values in the content to perform Fuzzing.
2. For unpublished formats, you can modify the file according to certain rules for Fuzzing.
Network Type
Network-type Fuzzers are the most widely used Fuzzers, so the outstanding Fuzzer tools in this field are very rich.
1. Fuzzers mainly used to discover XSS vulnerabilities, injection vulnerabilities, and so on.
2. Protocol-based network-type Fuzzers used to detect overflow or denial-of-service vulnerabilities.
Interface Type
An interface-type Fuzzer is a tool that uses the external interfaces provided by the application for Fuzzing.
ActiveX Control Interface (covered in detail in the subsequent 0-day and webpage Trojan creation course)
Library File Interface
System Function Interface
How Fuzzer works
One kind continuously sends or inputs random data, or data in some format, to the target program. When such a Fuzzer is used, the sent data often does not conform to the format the target program requires, so it is rejected by the program outright and never reaches the code deeper inside the program. The direct result is that vulnerability discovery in the target program is greatly reduced and the efficiency is low.
There is also a kind of Fuzzer built on the theoretical model of "probability coverage".
Probability coverage Theory
Probability coverage means dividing all the external data the program may accept into different types by abstraction, then selecting one test instance from each type and using these test instances to perform Fuzzing checks on the program.
Example
Suppose an application is the target program we test; we call it A. A can receive two integer numbers as parameters; we call these two parameters B and C. A then performs a series of operations on the two parameters and returns a value to the user.
Analysis
First, A takes two parameters. Then there is a possibility to consider: what if the number of parameters we pass to A is less than two, or more than two? We can use labels to represent these two possibilities: fewer than two parameters is Low, and more than two parameters is More. Next we analyze the parameters themselves. We know that the two parameters B and C must be integers. What if one parameter is an integer and the other is a decimal? Or both are decimals? Or both are strings? There are many combinations. We plot all these possibilities into a table, which should look like the following:
 
Parameter B   Parameter C   Mark
Integer       Integer       II
Integer       Decimal       ID
Integer       Long          IL
Integer       String        IC
Decimal       Integer       DI
Long          Integer       LI
String        Integer       CI
Decimal       Decimal       DD
Decimal       Long          DL
Decimal       String        DC
Long          Decimal       LD
Long          String        LC
Long          Long          LL
String        Decimal       CD
String        Long          CL
String        String        CC
From the above table, we can see that there are sixteen possible combinations of input to program A. We should select an instance for each of these sixteen combinations, that is, find a representative for Fuzzing. For example, for combination II we can select the instance (2, 900), meaning that B is 2 and C is 900, which represents the possibility that both parameters are integers. Next is combination ID, for which we select (50, 8.21), so that parameter B is 50, an integer, and C is 8.21, a decimal, matching combination ID. The remaining combinations follow in the same way.
Now we have 18 possibilities in total (with the previous Low and More options). We compile the instances for these possibilities into the Fuzzer, and then the Fuzzer can pick an instance from them and perform Fuzzing on the target program.
The possibility-coverage Fuzzer is relatively scientific, since it is built on a certain mathematical model.
A Fuzzer that uses random data often finds vulnerabilities that a "possibility" combination Fuzzer cannot. This is because a random-data Fuzzer can run as an endless Fuzzing process, and the random data can combine into unexpected data that causes the target program to crash or expose a vulnerability. Therefore, during a Fuzzing test, mining can be done according to the specific environment, since random-data Fuzzing may last for several days or even weeks.
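The 18 possibilities above, turned into a small possibility-coverage Fuzzer. This is an added example, not code from the article: `target_a` is a constructed stand-in for program A that stores its parameters in 32-bit integers, and the representative values for the I, D, L and C marks are assumptions.

```python
"""Possibility-coverage Fuzzing of the two-parameter program A (constructed example)."""
from itertools import product
import struct

# One representative instance per parameter type (assumed values).
REPRESENTATIVES = {
    "I": "2",            # integer
    "D": "8.21",         # decimal
    "L": str(2 ** 31),   # long: just beyond a signed 32-bit integer
    "C": "abc",          # string
}


def build_cases():
    """Return the 18 instances: Low, More, and the 16 type combinations from the table."""
    cases = {"Low": ("2",), "More": ("2", "900", "7")}
    for b, c in product("IDLC", repeat=2):
        cases[b + c] = (REPRESENTATIVES[b], REPRESENTATIVES[c])
    return cases


def target_a(*args):
    """Constructed stand-in for A: expects exactly two integers that fit in 32 bits.

    A real A would be a separate program; here every mismatch surfaces as an exception.
    """
    b, c = args                                  # ValueError unless exactly two parameters
    struct.pack("<ii", int(b), int(c))           # ValueError (not an int) or struct.error (too big)
    return int(b) + int(c)


def fuzz(target, cases):
    """Run one instance per possibility and record the exception name for each failure."""
    failures = {}
    for mark, args in cases.items():
        try:
            target(*args)
        except Exception as exc:
            failures[mark] = type(exc).__name__
    return failures


if __name__ == "__main__":
    for mark, name in sorted(fuzz(target_a, build_cases()).items()):
        print(f"{mark:5s} -> {name}")
```

Only II passes the stand-in; the Long combinations show how a single representative per class is enough to expose a fixed-width integer limit.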
How to monitor the Fuzzing test results
Don't make us sit in front of the screen all day, staring at the program with our eyes.
To monitor the running status of the target program with a Fuzzer, we have many methods. For network-type programs, we can monitor the data returned to the Fuzzer, or check whether there is a very obvious error message such as "The Connection Closed By Remote". For local programs, we have many options: we can query the system logs, since system logs often record all abnormal events in the system. We can also monitor whether the function used to display warnings or errors is called by the target program. In Windows, the Fuzzer can even, after sending data to the target program, automatically check whether the system has gained an extra process named DW20, which is the "Report to Microsoft" dialog program we often see when some software or the system has an error in Windows.
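A local-program monitor of the kind described above, as an added example rather than code from the article. It assumes a POSIX system (a process killed by a signal shows up as a negative return code) and uses the Python interpreter as a constructed target that plays four different behaviours.

```python
"""Classify the outcome of one Fuzzing run of a local target (constructed example)."""
import subprocess
import sys

# Obvious error messages to look for in the target's output (the article's example plus two common ones).
ERROR_MARKERS = ("Connection Closed By Remote", "Segmentation fault", "Traceback")


def run_case(argv, timeout=5):
    """Run the target once with one Fuzzing instance; return (status, detail)."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang", f"no exit within {timeout}s"        # candidate denial of service
    if proc.returncode < 0:                                # POSIX: died from a signal
        return "crash", f"killed by signal {-proc.returncode}"
    output = proc.stdout + proc.stderr
    for marker in ERROR_MARKERS:
        if marker in output:
            return "error", f"saw '{marker}'"
    if proc.returncode != 0:
        return "error", f"exit code {proc.returncode}"
    return "ok", ""


def demo():
    """Constructed targets: the interpreter exiting cleanly, aborting, printing an error, hanging."""
    py = sys.executable
    scripts = {
        "clean": "print(2 + 900)",
        "crash": "import os; os.abort()",                                      # SIGABRT
        "marker": "import sys; sys.stderr.write('The Connection Closed By Remote')",
        "hang": "import time; time.sleep(30)",
    }
    return {name: run_case([py, "-c", code], timeout=2)[0] for name, code in scripts.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:7s} -> {status}")
```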
