A member of the Corelan forums, CodeZer0, asked for a short tutorial on file fuzzing. In particular he wanted to know how we would find the bug from CorelanCoder's first Exploit Development tutorial in EASY RM to MP3.
Before we start we need to look at the file format we are going to fuzz.
In this case we are going to fuzz the M3U format, so we start by looking for documentation on it. Luckily Wikipedia has a great writeup on how an M3U file is structured (http://en.wikipedia.org/wiki/M3U).
Basically what we are going to do is insert a long string in the filename field and monitor for a crash.
If you would like to learn how to create the exploit for this crash, please read my friend CorelanCoder's post: http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

The file layout we will generate looks like this:

#EXTM3U
#EXTINF:123,Sample Artist - Sample title
<LONG STRING HERE>
First we need to create a script to generate our files. To do this I created a short script that will output various lengths of "A"s. Once my cases (the files) were generated I attached Immunity Debugger to EASY RM to MP3 and began loading the files one by one. See the video for a walkthrough.
# -*- coding: utf-8 -*-
# Simple M3U Fuzzer written for the Corelan Team.
# Tutorial posted to the Corelan Forums and http://www.nullthreat.net
# Created by Nullthreat

# Define the test cases: the number of "A"s to place in the filename field
num = [1, 100, 200, 256, 500, 1000, 5000, 10000, 25000, 50000]

for count in num:
    countstr = str(count)
    # Build the playlist: header, one #EXTINF entry, then the long filename
    junk = "#EXTM3U\n"
    junk += "#EXTINF:123,Sample Artist - Sample title\n"
    junk += "\x41" * count
    # Generate file name with count in name
    filename = "crash" + countstr + ".m3u"
    # Generate the file and write the playlist into it
    f = open(filename, "w")
    f.write(junk)
    f.close()
Note: the script in the video and the one posted here are not the same. You will get the same results but the one included in the post is better quality.
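As an added example (not from the original post, and not code from EASY RM to MP3), here is a bounded M3U parser in Python that shows the check the fuzzer is probing for: each entry's path and title are length-limited before they are accepted, so an oversized filename is rejected instead of being copied onward. The limits and the build_case helper are assumptions; build_case just reproduces the two-line entry layout the fuzzer writes, as constructed input.

```python
# Bounded M3U parser (added example). Limits are assumed values; MAX_PATH_LEN
# is set to the Windows MAX_PATH so anything longer is clearly not a real path.
MAX_PATH_LEN = 260
MAX_TITLE_LEN = 256


class M3UError(ValueError):
    """Raised for a malformed playlist or an entry that exceeds the limits."""


def parse_m3u(text):
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#EXTM3U":
        raise M3UError("missing #EXTM3U header")
    entries = []
    pending = None  # (duration, title) from the last #EXTINF line
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        if line.startswith("#EXTINF:"):
            body = line[len("#EXTINF:"):]
            if "," not in body:
                raise M3UError("line %d: malformed #EXTINF" % lineno)
            dur, title = body.split(",", 1)
            if not dur.strip().lstrip("-").isdigit():
                raise M3UError("line %d: bad duration" % lineno)
            if len(title) > MAX_TITLE_LEN:
                raise M3UError("line %d: title too long" % lineno)
            pending = (int(dur), title)
        elif line.startswith("#"):
            continue  # any other directive or comment is ignored
        else:
            # The filename field: enforce the bound before accepting it
            if len(line) > MAX_PATH_LEN:
                raise M3UError("line %d: path too long (%d)" % (lineno, len(line)))
            dur, title = pending if pending else (-1, "")
            entries.append({"path": line, "duration": dur, "title": title})
            pending = None
    return entries


def build_case(count):
    """Constructed input: the fuzzer's layout with a filename of `count` A's."""
    return "#EXTM3U\n#EXTINF:123,Sample Artist - Sample title\n" + "A" * count + "\n"


def accepts(text):
    """True if the playlist parses within the limits, False if it is rejected."""
    try:
        parse_m3u(text)
        return True
    except M3UError:
        return False
```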