Tuts 4 You

Kernel Driver Fuzzing


JMC31337


Came across a cool little prog called ioctlbf...

It's used to try and BSOD the system via DeviceIoControl IRQs, which is how user mode talks to the kernel via its sys drivers.

 

For a quick example:

C:\ioctlbf_0.4\bin>ioctlbf -d IP -r 120040-120050

    _                   _  _       ___
   (_)              _  | || |     / __)
    _  ___   ____ _| |_| || |__ _| |__
   | |/ _ \ / ___|_   _) ||  _ (_   __)
   | | |_| ( (___  | |_| || |_) )| |
   |_|\___/ \____)  \__)\_)____/ |_|    v0.4

[~] Open handle to the device \\.\IP ... OK

  Summary
  -------
  IOCTL scanning mode   : Range mode 0x00120040 - 0x00120050
  Filter mode           : Filter disabled
  Symbolic Device Name  : \\.\IP
  Device handle         : 0x000007e8

[~] Bruteforce function code + transfer type and determine input sizes...
[+] 2 valid IOCTL have been found

  Valid IOCTLs found
  ------------------
  0x00120044    function code: 0x0011
                transfer type: METHOD_BUFFERED
                input bufsize: min = 4 (0x4) | max = 4096 (0x1000)
  0x00120040    function code: 0x0010
                transfer type: METHOD_BUFFERED
                input bufsize: min = 264 (0x108) | max = 4096 (0x1000)

[?] Choose an IOCTL to fuzz...
        [0] 0x00120044
        [1] 0x00120040
Choice : 0

Which begs my next question: if you have used this prog, does it take a LOOOOONNNNNGGGG time to fill up the DWORD buffers?

Filling the whole buffer with predetermined DWORDs
Input buffer: 849 (0x351) bytes
Error 259: No more data is available.
-------------------------------------------------------------------
fe ff ff ff 00 6b 41 00  00 6b 41 00 01 00 00 00  | .....kA..kA.....
e0 49 41 00 fc ff ff ff  fe ff ff ff 00 6b 41 00  | .IA..........kA.
00 00 00 70 f0 ff ff ff  e0 35 41 00 fe ff ff ff  | ...p.....5A.....
f0 ff ff ff f0 ff ff ff  c0 35 41 00 00 00 ff ff  | .........5A.....
ff ff fe 7f 00 6b 41 00  ff ff ff 7f c0 35 41 00  | .....kA......5A.
e0 45 41 00 ff ff fe 7f  c0 35 41 00 f0 ff ff ff  | .EA......5A.....
00 00 00 80 fc ff ff ff  00 00 00 70 c0 35 41 00  | ...........p.5A.
00 4a 41 00 00 00 00 70  00 6b 41 00 fc ff ff ff  | .JA....p.kA.....
ff ff fe 7f 00 00 00 80  04 00 00 00 ff ff fe 7f  | ................
fe ff ff ff ff ff fe 7f  01 00 00 00 ff ff fe 7f  | ................
fc ff ff ff 00 00 00 70  00 6a 41 00 00 6b 41 00  | .......p.jA..kA.
01 00 00 00 00 6a 41 00  00 4a 41 00 fc ff ff ff  | .....jA..JA.....
00 00 ff ff 00 00 00 00  01 00 00 00 00 6a 41 00  | .............jA.
00 6a 41 00 00 6b 41 00  e0 49 41 00 00 00 ff ff  | .jA..kA..IA.....
00 00 00 80 ff ff ff 7f  00 10 00 00 fe ff ff ff  | ................
e0 45 41 00 01 00 00 00  00 00 00 70 00 00 ff ff  | .EA........p....
f0 ff ff ff 00 00 00 80  fe ff ff ff 00 00 00 70  | ...............p
f0 ff ff ff 00 6b 41 00  01 00 00 00 00 6b 41 00  | .....kA......kA.
00 00 00 80 ff ff ff ff  e0 35 41 00 fc ff ff ff  | .........5A.....
e0 35 41 00 e0 49 41 00  00 00 00 80 00 00 00 80  | .5A..IA.........
ff ff fe 7f f0 ff ff ff  ff ff ff ff 00 6a 41 00  | .............jA.
04 00 00 00 fc ff ff ff  f0 ff ff ff c0 35 41 00  | .............5A.
f0 ff ff ff e0 35 41 00  00 00 00 00 00 00 00 70  | .....5A........p
f0 ff ff ff f0 ff ff ff  e0 45 41 00 ff ff fe 7f  | .........EA.....
00 6a 41 00 00 4a 41 00  00 00 00 70 e0 49 41 00  | .jA..JA....p.IA.
00 00 00 70 c0 35 41 00  04 00 00 00 00 00 ff ff  | ...p.5A.........
00 6a 41 00 ff ff ff 7f  ff ff ff ff 00 6a 41 00  | .jA..........jA.
00 00 00 80 00 00 00 70  e0 35 41 00 e0 49 41 00  | .......p.5A..IA.
ff ff ff ff fe ff ff ff  fe ff ff ff c0 35 41 00  | .............5A.
00 00 00 00 00 6a 41 00  fe ff ff ff 04 00 00 00  | .....jA.........
fc ff ff ff 00 4a 41 00  00 6a 41 00 00 00 00 70  | .....JA..jA....p
01 00 00 00 ff ff ff 7f  ff ff ff 7f 00 6a 41 00  | .............jA.
ff ff fe 7f ff ff ff 7f  ff ff ff ff e0 49 41 00  | .............IA.
00 4a 41 00 ff ff ff 7f  00 6b 41 00 01 00 00 00  | .JA......kA.....
00 6b 41 00 04 00 00 00  00 4a 41 00 00 00 ff ff  | .kA......JA.....
00 00 00 00 00 00 00 70  e0 45 41 00 00 6b 41 00  | .......p.EA..kA.
e0 49 41 00 00 00 00 80  f0 ff ff ff 01 00 00 00  | .IA.............
e0 45 41 00 04 00 00 00  fe ff ff ff ff ff fe 7f  | .EA.............
00 00 00 70 01 00 00 00  00 00 ff ff 00 00 00 70  | ...p...........p
etc etc

With 1024 DWORD buffers in this case, some are filled, others don't and give that Error 259: No more data is available.

 

And if ya wanna play mean with other IRQs,

here are some I picked up in Russia.. HAVE FUN!

// Interface for \Device\Ip and \Device\IPMULTICAST

/************************************************************************/
/*                            \Device\Ip                                */
/************************************************************************/
/* IOCTL_ICMP_ECHO_REQUEST              (0x120000) */
/* IOCTL_ARP_SEND_REQUEST               (0x12003C) */
/* IOCTL_IP_INTERFACE_INFO              (0x120040) */
/* IOCTL_IP_GET_IGMPLIST                (0x120054) */
/* IOCTL_IP_GET_BEST_INTERFACE          (0x120044) */
/* IOCTL_IP_SET_ADDRESS                 (0x128004) */
/* IOCTL_IP_SET_ADDRESS_DUP             (0x1280A0) */
/* IOCTL_IP_SET_BLOCKOFROUTES           (0x12805C) */
/* IOCTL_IP_SET_ROUTEWITHREF            (0x128060) */
/* IOCTL_IP_SET_MULTIHOPROUTE           (0x128074) */
/* IOCTL_IP_ADD_NTE                     (0x12801C) */
/* IOCTL_IP_DELETE_NTE                  (0x128020) */
/* IOCTL_IP_SET_DHCP_INTERFACE          (0x128008) */
/* IOCTL_IP_SET_IF_CONTEXT              (0x12800C) */
/* IOCTL_IP_SET_IF_PROMISCUOUS          (0x12804C) */
/* IOCTL_IP_GET_BESTINTFC_FUNC_ADDR     (0x128070) */
/*   Request should be initiated from kernel mode, otherwise            */
/*   STATUS_ACCESS_DENIED is returned. This request returns a 4-byte    */
/*   pointer to the TCPIP.SYS internal routine IPGetBestInterfaceIndex  */
/*   (see declaration below):                                           */
/*                                                                      */
/*   NTSTATUS __stdcall                                                 */
/*       IPGetBestInterfaceIndex (                                      */
/*           unsigned long  Address,                                    */
/*           unsigned long* pIndex,                                     */
/*           unsigned long* pMetric);                                   */
/* IOCTL_IP_SET_FILTER_POINTER          (0x128010) */
/* IOCTL_IP_SET_FIREWALL_HOOK           (0x128030) */
/* IOCTL_IP_SET_MAP_ROUTE_POINTER       (0x128014) */
/* IOCTL_IP_RTCHANGE_NOTIFY_REQUEST     (0x120034) */
/* IOCTL_IP_RTCHANGE_NOTIFY_REQUEST_EX  (0x12007C) */
/* IOCTL_IP_ADDCHANGE_NOTIFY_REQUEST    (0x120038) */
/* IOCTL_IP_GET_PNP_ARP_POINTERS        (0x128018) */
/* IOCTL_IP_WAKEUP_PATTERN              (0x128028) */
/* IOCTL_IP_GET_WOL_CAPABILITY                     */
// Can't find in the code !!!
/* IOCTL_IP_GET_IP_EVENT                (0x12802C) */
/* IOCTL_IP_FLUSH_ARP_TABLE             (0x128050) */
/* IOCTL_IP_GET_IF_INDEX                (0x120068) */
/* IOCTL_IP_GET_IF_NAME                 (0x12006C) */
/* IOCTL_IP_ENABLE_ROUTER_REQUEST       (0x128080) */
/* IOCTL_IP_UNENABLE_ROUTER_REQUEST     (0x128084) */
/************************************************************************/

/************************************************************************/
/*                        \Device\IPMULTICAST                           */
/************************************************************************/
/* IOCTL_IPMCAST_SET_MFE                (0x128000) */
/* IOCTL_IPMCAST_GET_MFE                (0x128004) */
/* IOCTL_IPMCAST_DELETE_MFE             (0x128008) */
/* IOCTL_IPMCAST_SET_TTL                (0x12800C) */
/* IOCTL_IPMCAST_GET_TTL                (0x128010) */
/* IOCTL_IPMCAST_POST_NOTIFICATION      (0x128014) */
/* IOCTL_IPMCAST_START_STOP             (0x128018) */
/* IOCTL_IPMCAST_SET_IF_STATE           (0x12801C) */
/************************************************************************/

Another world, another time
In the age of wonder
Another world, another time
This land was green and good
Until the crystal cracked

Once more
They will replenish themselves
Cheat death again
The power of their source

The crystal

Oh my God this is the best

Uh, I want you to trip like me, I want you to have fun

...

Sorry OPs, sometimes I get a lil carried away
 

Edited by JMC31337
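What ioctlbf's range mode is doing under the hood, as an added example that is not code from the post above and not ioctlbf's own source: it decodes a control code into the fields CTL_CODE() packs (device type, access, function number, transfer method), then walks a range of codes calling DeviceIoControl() and treats a code as handled when the driver's answer is anything other than "invalid function", and finally grows the input buffer from zero until the handler stops returning a size/parameter error, which is how a "min input size" like the 264 bytes reported for 0x00120040 falls out. The device name \\.\IP, the range 0x120040-0x120050, the NTSTATUS-to-Win32 error mapping used as a heuristic, and the fake driver (constructed so the scan logic runs off Windows) are all assumptions of this example.

```c
/* ioctl_probe.c: added example, not code from the post or from ioctlbf. It does
 * what ioctlbf's range mode does: decode a control code into its CTL_CODE()
 * fields, then call DeviceIoControl() across a code range to find which codes a
 * driver handles and the smallest input each accepts. Device name, range and the
 * error-code heuristics are assumptions; the fake driver is constructed so the
 * logic also runs off Windows. Probe real drivers only in a VM with a kernel
 * debugger attached. Windows build: cl ioctl_probe.c */
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
#define MAX_IN_LEN 4096u
/* Win32 errors the heuristics key on (assumed mapping from the driver's NTSTATUS). */
#define ERR_INVALID_FUNCTION    1u   /* STATUS_INVALID_DEVICE_REQUEST */
#define ERR_INVALID_PARAMETER   87u  /* STATUS_INVALID_PARAMETER */
#define ERR_INSUFFICIENT_BUFFER 122u /* STATUS_BUFFER_TOO_SMALL */

/* CTL_CODE layout: bits 31..16 device type, 15..14 access, 13..2 function, 1..0 method */
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;
static ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f = { (code >> 16) & 0xFFFFu, (code >> 14) & 3u, (code >> 2) & 0xFFFu, code & 3u };
    return f;
}

/* One probe = one DeviceIoControl-style call: nonzero on success, else 0 with the
 * Win32 error in *err. A callback, so one scan drives a real handle or the fake. */
typedef int (*probe_fn)(void *ctx, uint32_t code, uint32_t in_len, uint32_t *err);

/* "Handled" = the dispatch routine did anything but reject the code as unknown
 * (heuristic: some drivers answer unknown codes with other statuses). */
static int code_is_handled(probe_fn probe, void *ctx, uint32_t code) {
    uint32_t err = 0;
    return probe(ctx, code, 0, &err) || err != ERR_INVALID_FUNCTION;
}

/* Range mode (like "-r 120040-120050"): handled codes go into found[], at most
 * max_found of them; returns how many were stored. */
static size_t scan_range(probe_fn probe, void *ctx, uint32_t first, uint32_t last,
                         uint32_t *found, size_t max_found) {
    size_t n = 0;
    for (uint32_t code = first; code <= last && n < max_found; code++) {
        if (code_is_handled(probe, ctx, code)) found[n++] = code;
        if (code == UINT32_MAX) break;
    }
    return n;
}

/* Smallest input the handler stops complaining about: grow from 0 while the
 * failure is a size/parameter error. MAX_IN_LEN + 1 means nothing was accepted. */
static uint32_t find_min_input_size(probe_fn probe, void *ctx, uint32_t code) {
    for (uint32_t len = 0; len <= MAX_IN_LEN; len++) {
        uint32_t err = 0;
        if (probe(ctx, code, len, &err) || (err != ERR_INVALID_PARAMETER && err != ERR_INSUFFICIENT_BUFFER))
            return len;
    }
    return MAX_IN_LEN + 1;
}

/* Constructed fake driver: the two codes ioctlbf reported for \\.\IP in the post,
 * with the minimum input sizes it printed; everything else is unknown. */
typedef struct { uint32_t code, min_in; } fake_handler;
static fake_handler fake_ip_device[] = { { 0x00120040u, 264u }, { 0x00120044u, 4u }, { 0u, 0u } };
static int fake_probe(void *ctx, uint32_t code, uint32_t in_len, uint32_t *err) {
    for (const fake_handler *h = (const fake_handler *)ctx; h->code != 0; h++) {
        if (h->code != code) continue;
        if (in_len >= h->min_in && in_len <= MAX_IN_LEN) return 1;
        *err = ERR_INVALID_PARAMETER; return 0;
    }
    *err = ERR_INVALID_FUNCTION;
    return 0;
}

#ifdef _WIN32
/* Real probe: ctx is the device handle. Input is zero-filled here; a fuzzer
 * varies it (the DWORD patterns in the post's dump) and watches for a BSOD. */
static int win_probe(void *ctx, uint32_t code, uint32_t in_len, uint32_t *err) {
    static unsigned char in_buf[MAX_IN_LEN], out_buf[MAX_IN_LEN];
    DWORD returned = 0;
    if (in_len > MAX_IN_LEN) { *err = ERR_INVALID_PARAMETER; return 0; }
    BOOL ok = DeviceIoControl((HANDLE)ctx, code, in_buf, in_len, out_buf, sizeof out_buf, &returned, NULL);
    *err = ok ? 0u : (uint32_t)GetLastError();
    return ok ? 1 : 0;
}
#endif

int main(void) {
    probe_fn probe = fake_probe;
    void *ctx = fake_ip_device;
#ifdef _WIN32
    HANDLE h = CreateFileA("\\\\.\\IP", GENERIC_READ | GENERIC_WRITE,   /* assumed device name */
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) { fprintf(stderr, "open failed: %lu\n", GetLastError()); return 1; }
    probe = win_probe; ctx = h;
#endif
    uint32_t found[64];
    size_t n = scan_range(probe, ctx, 0x00120040u, 0x00120050u, found, 64);
    for (size_t i = 0; i < n; i++) {
        ioctl_fields f = ioctl_decode(found[i]);
        printf("0x%08x  function 0x%04x  method %u  access %u  min input %u\n", (unsigned)found[i],
               (unsigned)f.function, (unsigned)f.method, (unsigned)f.access,
               (unsigned)find_min_input_size(probe, ctx, found[i]));
    }
    return 0;
}
```

Built on Windows it opens the (assumed) \\.\IP device and scans the same range as the post; anywhere else it runs against the fake driver and lists 0x00120040 (function 0x0010, min input 264) and 0x00120044 (function 0x0011, min input 4). The per-size loop is also why the tool feels slow: every candidate length is a separate round trip into the driver, and a handled code fed a malformed buffer is exactly what takes the box down, so do this on a VM with a kernel debugger attached, not on the host.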
