[fuzzing] Fuzzing a Windows PE Application
Aviram Jenik
aviram at beyondsecurity.com
Tue Mar 13 07:53:07 CDT 2007
On Tuesday 13 March 2007 05:14, Jasper Smith wrote:
>
> Problem A:
>
> How 'd I frame my input strings (only strings are considered valid, program
> wont accept numeric or negative values).
Try different buffer types:
'\0' (null)
%
$
a valid parameter followed by a large buffer
the beginning of a valid parameter with an invalid ending
the list goes on...
>
> I have coded a perl script wherein I gave the strings (incremental with
> each successive steps of iteration as discussed on the list earlier in many
> posts) and tried it on the application but it always gave me the
> following message
>
> "unknown command/ option please use help for list of commands."
Ok, so for that particular combination the application correctly formatted the
input. What about the billion other combinations?
If you're expecting you third fuzzing attempt to succeed you need to
re-calibrate your expectations.
>
> Should I consider that this application is safely coded and can't be
> fuzzed?
>
You can consider this from the start and not bother trying to fuzz it. But
then again, the purpose of fuzzing is exactly to SHOW that it was coded
safely, right?
- Aviram
More information about the fuzzing
mailing list