
Thread: Fuzzing your browser

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    188

    Fuzzing your browser

    Attacks on browsers are becoming common day by day, for example the latest
    IMG tag bug in Internet Explorer. Let's discuss a tool to find bugs in browsers.
    The program we are going to discuss is mangleme, from the famous security guru Michal Zalewski.

    Things you will need

    1. A web server, Apache recommended.
    2. A compiler to build the program, gcc or MinGW recommended.
    3. The program, mangleme.

    What's mangleme ?

    It is a CGI program used to automatically check for HTML parsing flaws. It generates
    a basic set of badly mangled tags on request, with auto-refresh back to the
    script, so that you can point a browser to it once and let it run until
    it crashes.

    At this point I assume you have got Apache working. To build mangleme, run these commands:

    gcc -Wall -O3 -fomit-frame-pointer -funroll-loops -o mangle.cgi mangle.cgi.c
    gcc -Wall -O3 -fomit-frame-pointer -funroll-loops -o remangle.cgi remangle.cgi.c

    At this point you have two CGI programs, mangle.cgi and remangle.cgi; copy them to the
    Apache cgi-bin directory.

    Run Apache and point your browser to http://localhost/cgi-bin/mangle.cgi
    and see the browser being fuzzed. If it crashes, you have found a bug.

    To reproduce the request which crashed the browser, remangle is used: look for
    the last request that crashed the browser in the Apache logs and extract the
    hexadecimal value, then invoke remangle.cgi?hex_value from the browser again. For
    example, if the following request crashed your browser

    [Wed Jan 18 09:01:37 2006] [error] [client 127.0.0.1] [1137555097] Mangle attempt 0x472db699 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6) -- 127.0.0.1\n

    The hex value would be 0x472db699. Then do

    wget http://127.0.0.1/cgi-bin/remangle.cgi?0x472db699

    To save the faulting page, you could use any other browser or utility
    other than wget that would not crash.

    My browser did not crash!

    Mangleme is also extensible, in that you can add new tags by editing the tags.h
    header file, which looks like

    #define MAXTAGS 80
    #define MAXPARS 20

    static char* tags[MAXTAGS][MAXPARS] = {
    { "A", "NAME", "HREF", "REF", "REV", "TITLE", "TARGET", "SHAPE", "onLoad", "STYLE", 0 },
    .......
    .......
    { 0 }
    };

    For example, if I wanted to fuzz the <P> (the paragraph) tag, I would increase the MAXTAGS value by
    1 and add an entry
    {"P","STYLE","ALIGN",0},
    and rebuild mangleme.

    I have a full package built for convenience; it is Apache 1.3.31, which would listen on localhost
    *only* on port 80. The mangleme source and binaries are also included.
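    A worked example of the remangle step above, added here and not part of the original post or of mangleme: it pulls the last "Mangle attempt 0x..." id out of an Apache error log and builds the remangle.cgi URL so the faulting page can be saved with wget rather than re-opened in the browser that crashed. The log line format, the /cgi-bin/ path and the sample log entries are assumptions taken from, or constructed after, the post.

```shell
#!/bin/sh
# Added example, not from the original post or from mangleme.
# Assumes the Apache error-log format shown in the thread and that
# remangle.cgi lives under /cgi-bin/ on the given host.

# Print the hex id of the last mangle attempt recorded in the log;
# return 1 (printing nothing) if the log holds no such line.
last_mangle_id() {
    id=$(grep -o 'Mangle attempt 0x[0-9a-fA-F]*' "$1" | tail -n 1 | awk '{print $3}')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Build the remangle URL that reproduces the page for a given host and id.
remangle_url() {
    printf 'http://%s/cgi-bin/remangle.cgi?%s\n' "$1" "$2"
}

# Save the faulting page with wget, which cannot crash the way a browser does.
# Usage: save_faulting_page /path/to/error_log 127.0.0.1 crash.html
save_faulting_page() {
    id=$(last_mangle_id "$1") || { echo "no mangle attempt found in $1" >&2; return 1; }
    wget -q -O "$3" "$(remangle_url "$2" "$id")"
}

# Constructed sample log: two attempts, the last one being the crashing request.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Jan 18 09:01:12 2006] [error] [client 127.0.0.1] [1137555072] Mangle attempt 0x11aa22bb (Mozilla/5.0 ...) -- 127.0.0.1
[Wed Jan 18 09:01:37 2006] [error] [client 127.0.0.1] [1137555097] Mangle attempt 0x472db699 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6) -- 127.0.0.1
EOF

# Stand-alone run: prints the id of the last attempt and the URL to fetch it.
LAST_ID=$(last_mangle_id "$SAMPLE_LOG")
echo "last mangle attempt: $LAST_ID"
echo "reproduce with: $(remangle_url 127.0.0.1 "$LAST_ID")"
```

    Replace the constructed sample log with the real Apache error_log path and call save_faulting_page to write the reproducing page to disk.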

  2. #2
    Banned
    Join Date
    Jul 2004
    Posts
    119
    I was intrigued, since I used to run Apache when I had cable, but I got lost in the technical stuff.
