Fuzzing IOCTL using peach

While doing code auditing i wanted to run a fuzzer against a driver that process IOCTL. I tried “ioctlfuzzer” (http://code.google.com/p/ioctlfuzzer/). The problem with ioctlfuzzer is , it needs to see particular IOCTL being sent from the process/service. But the product i was analysing don’t use all the IOCTL calls. Wondering what to do, having experience in using peach fuzzer, i tried the “KernelPublisher” that comes with the Peach. It didn’t work out for me. Bad luck. So i wrote a custom publisher for my usage.

Attaching the code. Code is still in initial stage but it served my purpose.

 

Custom publisher (ioctl.py):

”’
Windows IOCTL publishers.

@author:

”’

try:
    import time, sys, pywintypes, signal, os
    import win32file
except:
    pass
from Peach.publisher import Publisher

class IOCTL(Publisher):
    _devicename = None
    _devicehandle = None
    _methodFormat = None #  Not used
    _lastReturn = None   #  Not used
   
    def __init__(self, devicename):
        Publisher.__init__(self)
        self._devicename = devicename
        print "[DEBUG]Passed devicename: [%s]" % self._devicename
        # Disabling this
        #self.withNode = True
   
    def start(self):
        try:
            self._devicehandle = None
            self._devicehandle = win32file.CreateFile(self._devicename, 0, win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE, None, win32file.OPEN_EXISTING, 0, None)
       
        except:
            print "Caught unkown exception opening device file [%s]" % sys.exc_info()[0]
            raise
   
    def stop(self):
        win32file.CloseHandle(self._devicehandle)
        self._devicehandle = None
   
    #def callWithNode(self, method, args, argNodes):
    def call(self, method, args):
        self._lastReturn = None
       
        ”’
        BOOLEAN DeviceIoControl(
            HANDLE Device,                 // Code
            DWORD IoControlCode,           // Device handle
            LPVOID InBuffer,               // Buffer TO driver
            DWORD InBufLen,                // Size of InBuffer
            LPVOID OutBuffer,              // Buffer FROM driver
            DWORD OutBufLen,               // Size of OutBuffer
            LPDWORD BytesReturned,        // Bytes output
            LPOVERLAPPED Overlapped     // Overlapped struc
        );
       
        win32file.DeviceIoControl
            str/buffer = DeviceIoControl(Device, IoControlCode , InBuffer , OutBuffer , Overlapped )
        ”’
       
        callStr =  "win32file.%s(" % str(method)
        callStr += "self._devicehandle,"
       
        #h = win32file.CreateFile(….)
        #windll.kernel32.DeviceIoControl(h.handle, …)
       
        if len(args) > 0:
            for i in range(0, len(args)):
                if i == 0:
                    callStr += "int(args[%d],16)," % i
                    continue
                if args[i] == "":
                    callStr += "None,"
                else:
                    callStr += "args[%d]," % i
                #print "Arg : %s" % (args[i])
            callStr += "None)"
        else:
            callStr += ")"
       
        print "[DEBUG]callStr: %s" % callStr
        try:
            ret = None
            try:
                # OK. Send the IOCTL now.
                ret = eval(callStr)
                print "test"
            except:
                print "Caught unkown exception when sending IOCTL"
                raise
            return ret
           
        except NameError, e:
            print "Caught NameError on call [%s]" % e
            raise
       
        except:
            print "IOCTL::Call(): Caught unknown exception"
            raise
       
        return None

# end

Pit file (ioctlfuzzingexample.xml):

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="
http://phed.org/2008/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

    <!– Import defaults for Peach instance –>
    <Include ns="default" src="file:defaults.xml"/>
    <Import import="ioctl" />
   
    <DataModel name="ioctlint">
        <String value="DEADBABA"/>
    </DataModel>
   
    <DataModel name="inbuffer_custom">
        <!– custom definition of your buffer –>
    </DataModel>
   
    <DataModel name="inbuffer_data_generator">
        <Choice minOccurs="1" maxOccurs="1">
            <!– 32-bit –>
            <Number size="32" signed="false" endian="big" />
            <String/>
            <Block ref="inbuffer_custom"/>
        </Choice>
    </DataModel>
   
    <DataModel name="inbuffer">
        <Block ref="inbuffer_data_generator"/>
    </DataModel>
   
    <DataModel name="outbuffer">
        <String/>
    </DataModel>
   
    <StateModel name="TheState" initialState="Initial">
        <State name="Initial">
            <Action type="call" method="DeviceIoControl">
                <Param name="ioctl" type="in">
                    <DataModel ref="ioctlint" />
                </Param>
                <Param name="InBuffer" type="in">
                    <DataModel ref="inbuffer" />
                </Param>
                <Param name="OutBuffer" type="in">
                    <DataModel ref="outbuffer" />
                </Param>
            </Action>
        </State>
    </StateModel>

    <Test name="TheTest">
        <StateModel ref="TheState"/>
        <Publisher class="ioctl.IOCTL">
            <Param name="devicename" value="MYDEVICEFILENAME" />
        </Publisher>
    </Test>

    <!– Configure a single run –>
    <Run name="DefaultRun">
        <Test ref="TheTest">
        </Test>
        <Logger class="logger.Filesystem">
            <Param name="path" value="logs"/>
        </Logger>
    </Run>

</Peach>
<!– end –>

Advertisements
This entry was posted in Fuzzing, IOCTL, Peach and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s