September 14, 2009

My fuzzer-like application II

In the past weeks, I allowed a bit more time for development of my fuzzer. In spite of the fact it is still not a file format aware one it does very good jobs. It is now working automatically without any user interaction.

I developed a hook module that needs to be injected into the process address space. I use this module to be injected in Firefox process. I set it to hook ReadFile() to fuzz lpBuffer as long as hFile is a handle of any SWF file.

I wrote a Perl script that opens each SWF in Firefox. When any SWF accessed by ReadFile() my fuzzer does its job.

I also wrote a DOS batch script called from the above Perl script. This script is to attach CDB debugger to Firefox to intercept exceptions. If exception occurs it calls !exploitable to analyze exception and saves the logs and data for reproducation to a customized folder.

Results of running of last 12 hours seen below. Number of crashes in the brackets.

PROBABLY_EXPLOITABLE::User Mode Write AV near NULL (2)
UNKNOWN::Read Access Violation (1)
UNKNOWN::Data from Faulting Address controls Branch Selection (82)
UNKNOWN::Data from Faulting Address may be used as a return value (1)

I haven't tried to reproduce all issues due to the lack of time but I both was and wasn't able to reproduce some of crashes. I think I should write a script that will separate the consistently reproduceable issues to being focused on the most important things.
  This blog is written and maintained by Attila Suszter. Read in Feed Reader.