DLL / API Fuzzing with beSTORM
Background: beSTORM requires two things to be done in order to test DLLs directly: (1) It needs to have a mapping of functions and parameters for this DLL so that beSTORM will know what to fuzz. This is done via the “Build DLL Module” option
(2) beSTORM cannot load and execute the DLL directly since a crash in the DLL will cause the entire parent application to crash (and therefore beSTORM will crash upon a successful finding). To go around this limitation, beSTORM can use a “Minion” to execute the DLL. This minion communicates with beSTORM over a TCP port and thus can run from a separate machine if needed. This is optional: the two applications can communicate even if they run on the same host; the Minion will be the target application to monitor.
Preparation: Get the list of functions that need to be tested and their parameters. This is typically found in the header files of the DLL that is being tested. Some helper applications (that will provide some, but not all of the required information): – dumpbin.exe (shipped with Microsoft Visual Studio) – DLL Export Viewer: http://www.nirsoft.net/utils/dll_export_viewer.html
Step 1:
On the machine where the DLL is located, start the application beSTORM Minion (which is a part of the beSTORM package) and choose a password for the session:
After choosing the password, the minion will be active, waiting for beSTORM to connect to it and give it further instructions:
NOTE: The minion is capable of receiving commands to execute applications remotely; the password protects from just anyone connecting and running commands remotely, but this application is intended to run on a local network, with no access to it from any external networks. Be aware that while the Minion is active, there is the possibility of anyone who has the password to connect to the Minion and instruct it to run commands on this server.
Step 2:
Run the beSTORM Monitor on the target machine. Select the process beSTORMMinion.exe and enter the hostname where the beSTORM Client (the attack program) is running. If everything is on the same machine, this will be set to localhost. Click on Attach when ready:
Step 3:
On the client machine that will be doing the attack, start beSTORM and click on the ‘New Project’ button:
Step 4:
Give the project a name, accept all other defaults and click “Next”
Step 5:
Choose “Build a DLL (API) module” and enter the address of the target in the “minion host settings” box. If you will be testing a DLL that is on the local machine, use the address 127.0.0.1:
Now, click on the Learn button.
Step 6:
Fill in the following fields:
DLL to load (this is the name of the DLL to test) Function(the function of the DLL that will be tested) and add the parameters by filling in Parameter value and Parameter type and clicking Add until all function parameters have been added. Make sure to check Fuzz this parameter if you want beSTORM to actively fuzz that particular parameter (recommended for all parameters).
Click on the function operator Add button to add this function and define the next function. The following screenshot shows the result of entering the “Add” function on the DLL Math Utils.dll which is a part of the beSTORM package. The Add function receives 3 parameters: A, B, Size and returns a signed long value:
Step 7:
After adding all the functions, click on Use to use the module you have created.
Step 8:
The next screen will ask you for environment variables. Here you would enter the Minion’s IP address (in this case, localhost since it will be running on the same machine) and a password to access the Minion:
Step 9:
Select the beSTORM Monitor option and enter the location where the DLL is running (in this case, localhost):
Step 10:
Click ‘Finish’ to end the wizard and save settings as a ‘Project’. The testing will start automatically if the Auto-Start box is checked.
Step 11:
The fuzzing session will begin:
If an exception happens (an attack is successful) a message will pop up briefly to let you know the remote server is not responding.
This indicates a possible vulnerability. Testing will resume in 5 seconds unless Pause Test is pressed.
When the testing is finished, click on ‘Report’ to see a short report.
You can also select “Report”->”Generate Report” from the menu to generate a more complete report of the testing: