Friday, January 7, 2011

Simple File Format Fuzzing

Originally Posted: SUNDAY, JULY 11, 2010 AT 1:20PM

A member of the Corelan forums, CodeZer0, asked for a short tutorial on file fuzzing. In particular he wanted to know how we would find the bug from CorelanCoder's first Exploit Development tutorial in EASY RM to MP3.

Before we start we need to look at the file format we are going to fuzz.
In this case we are going to fuzz the M3U format, so we start by looking for documentation on it. Luckily Wikipedia has a great writeup on how an M3U file is structured (
Basically what we are going to do is insert a long string in the filename field and monitor for a crash. The #EXTINF line that precedes each filename in an extended M3U file looks like this:

#EXTINF:123,Sample Artist - Sample title
First we need to create a script to generate our files. To do this I created a short script that will output various lengths of "A"s. Once my cases (the files) were generated I attached Immunity Debugger to EASY RM to MP3 and began loading the files one by one. See the video for a walkthrough.
# -*- coding: utf-8 -*-
# Simple M3U Fuzzer written for the Corelan Team.
# Tutorial posted to the Corelan Forums and
# Created by Nullthreat
# Define the test cases (lengths of the filename field to try)
num = [1, 100, 200, 256, 500, 1000, 5000, 10000, 25000, 50000]
for count in num:
    countstr = str(count)
    junk = "#EXTM3U\n"
    junk += "#EXTINF:123,Sample Artist - Sample title\n"
    junk += "\x41" * count  # "A" repeated count times in the filename position
    # Generate file name with count in name
    filename = "crash" + countstr + ".m3u"
    # Generate the files (write the case and close the handle)
    with open(filename, "w") as file:
        file.write(junk)
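As an added example (my own code, not Nullthreat's script or the Corelan tutorial's), this extends the same approach to overfill each field of the #EXTINF entry in turn, naming every case after the field and length so a crash can be traced back to the field that triggered it. The field names, baseline values and output directory are assumptions.

```python
# Added example (not Nullthreat's script): generalises the fuzzer above by
# overlong-filling each M3U field in turn, so a crash can be attributed to
# the field that triggered it. Field names and case naming are my own choices.
import os

LENGTHS = [1, 100, 200, 256, 500, 1000, 5000, 10000, 25000, 50000]

# Baseline (well-formed) values for each field of an extended M3U entry.
BASELINE = {
    "duration": "123",
    "title": "Sample Artist - Sample title",
    "path": "sample.mp3",
}

def build_m3u(duration, title, path):
    """Assemble one extended-M3U playlist containing a single entry."""
    return "#EXTM3U\n#EXTINF:%s,%s\n%s\n" % (duration, title, path)

def generate_cases(lengths=LENGTHS, fields=("duration", "title", "path"), filler="A"):
    """Return {case_name: content}; each case overfills exactly one field."""
    cases = {}
    for field in fields:
        for count in lengths:
            values = dict(BASELINE)
            values[field] = filler * count
            name = "crash_%s_%d.m3u" % (field, count)
            cases[name] = build_m3u(values["duration"], values["title"], values["path"])
    return cases

def write_cases(cases, outdir="m3u_cases"):
    """Write every case into outdir; return the sorted list of paths written."""
    if not os.path.isdir(outdir):
        os.makedirs(outdir)
    written = []
    for name, content in cases.items():
        target = os.path.join(outdir, name)
        with open(target, "w") as fh:
            fh.write(content)
        written.append(target)
    return sorted(written)

if __name__ == "__main__":
    paths = write_cases(generate_cases())
    print("wrote %d test cases; load each one in the target under a debugger" % len(paths))
```

Loading the cases one by one under the debugger, as in the video, then tells you which field and which length first produced the crash.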
If you would like to learn how to create the exploit for this crash, please read my friend CorelanCoder's post:

Note: the script in the video and the one posted here are not the same. You will get the same results, but the one included in the post is better quality.
