In order to get useful results from fuzzing our target application, we first need to set up the target machine with a debugger and an agent that logs crashes and restarts the target application after each crash. For this we'll be using the following applications:
- WinDbg
- !exploitable (WinDbg plugin)
- Peach Fuzzer
Installation
WinDbg
WinDbg is a debugging platform provided by Microsoft for debugging both user-mode programs and kernel-mode code. Attaching WinDbg to our target application lets us retrieve detailed post-mortem information (registers, stack, faulting instruction) when it crashes.
WinDbg is freely available from Microsoft as part of their SDK, which is posted here. You don't have to install the whole SDK or the other tools packaged with it; selecting only the Debugging Tools component is enough. Make sure you install the debugger whose bitness matches the target application (the x86 debugger for a 32-bit target, x64 for a 64-bit one), since the !exploitable extension is built per architecture.
!exploitable
!exploitable is a WinDbg plugin that creates automated crash reports and risk assessments. It classifies how likely a crash is to be the result of an exploitable vulnerability (Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown) and computes hashes of the faulting stack that can be used to bucket duplicate crashes. We will log the output from both !exploitable and WinDbg.
!exploitable is freely available here. Unzip the archive and copy the contents of msecextensions\<x86 or x64>\Release to C:\Program Files (x86)\Windows Kits\8.0\Debuggers\<x86 or x64>\, choosing the architecture that matches the debugger you installed. You can verify the extension was picked up by opening WinDbg, running .load MSEC.dll, and then !exploitable -? to display its help.
Peach
Peach is not only our fuzzing platform; we will also run its agent on the target machine to restart the target application and collect the information from WinDbg and !exploitable. On Windows the agent does this through Peach's WindowsDebugger monitor, which is why WinDbg must be present on the target.
- Install the Microsoft .NET Framework 4.
- If you haven't installed WinDbg yet, do so now; the WindowsDebugger monitor will not start without it.
- Download the binary release of Peach and unzip it to a working directory.
By running the Peach agent on the target machine, together with a copy of the Peach pit file we are using for fuzzing, Peach will automatically restart the target application and store the crash information from WinDbg and !exploitable whenever it finds an input that crashes the software.
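As an added example (not part of the original page), the Agent and Test sections of a Peach 3 pit wired to the WindowsDebugger monitor look like the following. The agent address 10.0.0.5, the target command line, the WinDbg directory and the state model name TheState are assumptions for illustration; the Publisher, Logger and Monitor class names are the ones Peach 3 ships with.

```xml
<!-- Added example: Agent + Test fragment for a Peach 3 pit (hypothetical values). -->
<!-- The agent runs on the target machine; start it there with: Peach.exe -a tcp -->
<Agent name="TargetAgent" location="tcp://10.0.0.5:9001">
  <Monitor class="WindowsDebugger">
    <!-- Program to launch under WinDbg; path is local to the target machine -->
    <Param name="CommandLine" value="C:\Target\viewer.exe C:\Target\fuzzed.bin" />
    <!-- Directory containing the WinDbg of the same bitness as the target -->
    <Param name="WinDbgPath" value="C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86" />
  </Monitor>
</Agent>

<Test name="Default">
  <!-- Bind the remote agent to this test so crashes are detected and the target restarted -->
  <Agent ref="TargetAgent" />
  <StateModel ref="TheState" />
  <!-- Write each fuzzed case to the file the target opens -->
  <Publisher class="File">
    <Param name="FileName" value="C:\Target\fuzzed.bin" />
  </Publisher>
  <!-- Faults, including the WinDbg and !exploitable output, are written under this path -->
  <Logger class="File">
    <Param name="Path" value="logs" />
  </Logger>
</Test>
```

When the monitor observes an access violation it captures the WinDbg state, runs !exploitable, and reports the fault to the Peach controller, which stores it under the logger path, bucketed by the !exploitable hash, and then the agent relaunches the target for the next test case.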