Meddle: Framework for Piggy-back Fuzzing and Tool Development

Presented at DEF CON 22 (2014), Aug. 8, 2014, 10 a.m. (60 minutes)

Towards simplifying the vulnerability fuzzing process, this presentation introduces a moddable framework called Meddle that can be used to piggy-back on an existing application's knowledge of a protocol by performing piggy-back fuzzing. Meddle is an open source Windows x86 and x64 user-mode C# application that uses IronPython plugins to provide a familiar interface for fuzzing. Why bother spending time understanding a protocol just to try to break it? Two vulnerability fuzzing attacks using Meddle will be demonstrated: one attacking the open source RDP server XRDP, and the other attacking general driver communications from user-mode processes. Several vulnerabilities found in the XRDP server will be briefly discussed, including two that may be exploited for RCE prior to authentication. These attacks are typically based on a piggy-back application (such as the Remote Desktop Connection Client, mstsc.exe): the piggy-back application first performs a benchmarking operation, and fuzzing then begins with a parallel set of piggy-back instances attacking each event sequentially.

Although originally designed as a vulnerability fuzzing framework, Meddle is well suited to developing reverse-engineering and malware analysis tools. Two simple tools based on Meddle will be presented:

  1. A capture tool for communication between user-mode processes and kernel-mode drivers, along with a parser to view the captures in Windows Message Analyzer.
  2. A malware sandboxing environment proof-of-concept.

In conclusion, attendees should be able to leave the session with a basic understanding of how to use the Meddle framework, as well as their own ideas for tools to develop and targets to attack.


Presenters:

  • Geoff McDonald - Anti-Virus Researcher at Microsoft
    Geoff is an anti-virus researcher working with the Microsoft Malware Protection Center, with most of his experience in reverse-engineering malware and related vulnerabilities. As a hobby, Geoff can often be found developing reverse-engineering and vulnerability fuzzing tools, some of which can be found on his personal website http://www.split-code.com/.