Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hacking TMNF: Part 1 - Fuzzing the game server

bricked.tech (posted 3 years ago)
  • The author of the post was interested in binary-only fuzzing via snapshots and in fuzzing highly structured inputs. Given those requirements, they saw Trackmania Nations Forever (2008) as a good target.
  • To fuzz something, you need a harness that takes the fuzzer's input and feeds it to the target. Since the application speaks XML-RPC over TCP, this is not trivial: going through sockets is slow and messy.
  • To get around this, the author takes a snapshot right before the XML-RPC message is processed. For each test case they then overwrite the message in memory, updating the size field and the buffer, and edit the session_object information so the authentication check is bypassed.
  • LibAFL is an amazing framework for building these types of fuzzers. Its QEMU launcher provides the snapshot functionality used here. To generate the XML messages, they use Nautilus, a grammar-based generator. The author links to some good resources for getting this working.
  • To fuzz the XML input, the fuzzer has to produce valid XML-RPC messages. Luckily, Trackmania's XML-RPC protocol is well defined. Additionally, the application can be reverse engineered to find more methods that can be sent.
  • The fuzzer targets the values inside the XML tags rather than the XML structure itself. For instance, the first Nautilus rule is the content <?xml version="1.0"?><methodCall>{METHOD_CALL}</methodCall>, with a single substitution point for the method call ({METHOD_CALL}). All other rules follow the same pattern: the XML skeleton is fixed and only the values within the tags are substituted.
  • After building the grammar by adding rules to Nautilus and preparing some test inputs, they fuzzed the application. They also set up a repro mode that does the same thing as the fuzzer but for a single input. Fuzzing instantly turned up a bunch of format string bugs! More on this in part 2.
  • They patched the format string bug, which was simply in a logging function, so that other bugs could be reached. This was done with a simple memory write to the QEMU process. Besides the format string bug, they found a few other crashes.
  • Their favorite bug was that spectators could be forced to look at a specific player. Forcing every spectator into freecam hits an edge case that causes a crash. Pretty interesting edge case to find! Overall, an awesome post on snapshot binary fuzzing, which I didn't have much experience in.
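To make the grammar idea concrete, here is a small pure-Python generator (added here as an illustration; it is not code from the bricked.tech post, nor from Nautilus or LibAFL). It mirrors the rule style described above: each rule is a fixed XML-RPC skeleton with {NAME} placeholders, and only the values inside the tags vary. The method names, the value alternatives and the 4-byte length-prefixed framing are constructed assumptions for the example, not taken from the game's real protocol. A seeded generator doubles as the "repro mode" the post describes: the same seed always yields the same message.

```python
"""Grammar-based XML-RPC message generator in the style of the Nautilus rules
described in the summary above. Example code, not from the original post."""
import random
import re
import struct
import xml.etree.ElementTree as ET

# Assumed method names for the example; the real server's method list is not
# reproduced here.
METHOD_NAMES = ["GetVersion", "GetStatus", "ChatSendServerMessage"]

# Constructed grammar. Nonterminals are written {NAME}; each maps to a list of
# alternatives. The first alternative of every rule is the shortest one, which
# is what the depth limit falls back to. Only tag *contents* vary; the XML
# skeleton is identical in every generated message.
GRAMMAR = {
    "START": ['<?xml version="1.0"?><methodCall>{METHOD_CALL}</methodCall>'],
    "METHOD_CALL": [
        "<methodName>{METHOD_NAME}</methodName><params>{PARAMS}</params>"
    ],
    "METHOD_NAME": METHOD_NAMES,
    "PARAMS": ["", "{PARAM}", "{PARAM}{PARAM}", "{PARAM}{PARAMS}"],
    "PARAM": ["<param><value>{VALUE}</value></param>"],
    "VALUE": [
        "<string>{STRING}</string>",
        "<int>{INT}</int>",
        "<boolean>{BOOL}</boolean>",
    ],
    # Value pools: boundary integers, an empty string, a long string, an
    # already-escaped '<' and printf-style tokens (the summary notes that
    # format string bugs were the first thing the fuzzer found).
    "STRING": ["", "hello", "A" * 64, "&lt;script&gt;", "%s%s%s%s", "%x %x %x"],
    "INT": ["0", "1", "-1", "2147483647", "-2147483648", "4294967295"],
    "BOOL": ["0", "1"],
}

PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")


def expand(symbol, rng, depth=0, max_depth=6):
    """Recursively expand `symbol` using `rng` to pick alternatives.
    Past `max_depth` the shortest alternative is forced so that the
    recursive PARAMS rule always terminates."""
    alternatives = GRAMMAR[symbol]
    chosen = alternatives[0] if depth >= max_depth else rng.choice(alternatives)
    return PLACEHOLDER.sub(
        lambda m: expand(m.group(1), rng, depth + 1, max_depth), chosen
    )


def generate(seed):
    """Repro mode: one message, fully determined by `seed`."""
    return expand("START", random.Random(seed))


def corpus(count, seed=0):
    """A list of `count` messages derived from a single master seed."""
    master = random.Random(seed)
    return [generate(master.getrandbits(32)) for _ in range(count)]


def is_well_formed(message):
    """True if the generated text is parseable XML (the grammar should
    guarantee this; checking it catches mistakes in the rules themselves)."""
    try:
        ET.fromstring(message)
        return True
    except ET.ParseError:
        return False


def method_name(message):
    """Return the <methodName> text of a generated methodCall."""
    return ET.fromstring(message).find("methodName").text


def frame(message):
    """Assumed wire framing for the example: 4-byte little-endian length
    followed by the UTF-8 payload. This is what a snapshot harness would
    have to keep consistent when it rewrites the size field and buffer."""
    payload = message.encode("utf-8")
    return struct.pack("<I", len(payload)) + payload


if __name__ == "__main__":
    for msg in corpus(5, seed=42):
        print(method_name(msg), len(frame(msg)), "bytes")
        print("  ", msg)
```

The `GRAMMAR` table is the part a practitioner would grow: new method names and new value pools go in without touching the generator, which is exactly why grammar fuzzing suits a strict parser like an XML-RPC endpoint. `is_well_formed` is a sanity check on the rules, not on the target; if it ever returns False the grammar, not the server, is broken.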