TagFuzz, Amaya and Adsense
Tonight I'll be releasing a multi-format fuzzer I wrote codenamed "TagFuzz". This fuzzer edits the tag information (metadata fields) of a supported file, then executes the target application supplying the mutated file as an argument.
Supported file formats include: MP3, M4A, M4P, MP4, M4B, 3GP, OGG and FLAC.
TagFuzz also features the ability to spawn the target application as a child process, wait five seconds, then kill it. No more manual pid killing!
kit:/home/aaaaa/tagfuzz # perl tagfuzz.pl -t realplay -f hittinhard.mp3
[!] Fuzzing process beginning [Target: realplay, File: hittinhard.mp3]
[+] Stage 0 [album]: ofnm
Note that the output "ofnm" lists the pattern classes completed so far for that stage: o = Overflow, f = FMTStrings, n = Numbers, m = MiscBugs.
Download: http://www.bmgsec.com.au/download/4/
I'm yet to have the time to search for bugs using this fuzzer.
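For readers who want to see the two pieces described above (tag mutation per pattern class, then spawn/wait/kill of the target) in working form, here is an added example in Python. It is not the TagFuzz source: the ID3v2.3 frame layout it builds is the real one from the spec, but the specific pattern sets, the `run_target`/`fuzz` helpers and the `-t`/`-o` options are assumptions made for this illustration. The Overflow class deliberately uses the A/B/C filler layout (filler, 4-byte return-address marker, post-return filler) so a crash dump shows which bytes landed in EIP and at ESP.

```python
"""Added example (not the TagFuzz source): ID3v2.3 tag mutator + spawn-and-kill runner."""
import argparse
import struct
import subprocess
import sys
from pathlib import Path


# --- pattern classes, named after the post's "ofnm" status letters (sets are assumptions) ---
def overflow_patterns():
    # A/B/C layout: "A"*n filler, "BBBB" to land in the saved return address, "C"*n after it
    for n in (256, 1024, 4096):
        yield b"A" * n + b"BBBB" + b"C" * n
    for n in (8192, 65535):
        yield b"A" * n


def fmtstring_patterns():
    for p in (b"%s", b"%n", b"%x", b"%p", b"%.9999d"):
        yield p * 32


def number_patterns():
    for v in (b"0", b"-1", b"65535", b"4294967295", b"2147483648", b"-2147483648"):
        yield v


def misc_patterns():
    for p in (b"\x00", b"\xff", b"'", b'"', b"../../../../", b"%00"):
        yield p * 64


PATTERN_CLASSES = {"o": overflow_patterns, "f": fmtstring_patterns,
                   "n": number_patterns, "m": misc_patterns}


# --- minimal ID3v2.3 writer ---
def synchsafe(n):
    """ID3v2 header size: 28 bits spread over 4 bytes, MSB of each byte clear."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def tag_size(data):
    """Decode the synchsafe size from an ID3v2 header (bytes 6..9)."""
    b = data[6:10]
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def id3v2_frame(frame_id, text):
    # v2.3 text frame: id(4) + size(4, plain big-endian) + flags(2) + encoding byte (0 = ISO-8859-1) + text
    body = b"\x00" + text
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body


def build_mp3(album, title=b"test"):
    """Constructed sample file: ID3v2.3 tag (TALB = album, TIT2 = title) followed by one fake MPEG frame."""
    frames = id3v2_frame(b"TALB", album) + id3v2_frame(b"TIT2", title)
    header = b"ID3" + b"\x03\x00" + b"\x00" + synchsafe(len(frames))
    audio = b"\xff\xfb\x90\x00" + b"\x00" * 413  # MPEG1 Layer III header + zero padding
    return header + frames + audio


def generate_cases():
    """(class letter, index, file bytes) for every payload in every class, album field only."""
    return [(cls, i, build_mp3(album=payload))
            for cls, gen in PATTERN_CLASSES.items() for i, payload in enumerate(gen())]


# --- spawn the target, wait, then kill it (the post's "no more manual pid killing") ---
def classify(rc):
    # POSIX: negative returncode means the child died by signal (e.g. -11 = SIGSEGV)
    return "crashed" if rc < 0 else "exited"


def run_target(argv, timeout=5.0):
    """Return ("killed", None) if the timeout hit, else (classify(rc), rc)."""
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return "killed", None
    return classify(rc), rc


def demo_argv(kind):
    """Stand-in targets (assumption, for offline testing): a hang, a clean exit, a crash."""
    code = {"sleep": "import time; time.sleep(30)", "exit": "import sys; sys.exit(0)",
            "abort": "import os; os.abort()"}[kind]
    return [sys.executable, "-c", code]


def fuzz(target, outdir, timeout=5.0):
    """Write each case to outdir, run the target on it, return the cases that crashed."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    crashes, done = [], ""
    for cls, i, data in generate_cases():
        path = outdir / f"case_{cls}{i}.mp3"
        path.write_bytes(data)
        status, rc = run_target([target, str(path)], timeout)
        if status == "crashed":
            crashes.append((str(path), rc))
        if cls not in done:
            done += cls
            print(f"[+] Stage 0 [album]: {done}")
    return crashes


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-t", "--target", required=True)
    ap.add_argument("-o", "--outdir", default="tagfuzz_out")
    args = ap.parse_args()
    print(f"[!] Fuzzing process beginning [Target: {args.target}]")
    for path, rc in fuzz(args.target, args.outdir):
        print(f"[!] crash: {path} (signal {-rc})")
```

Crash detection relies on the child dying by signal, so a target that traps SIGSEGV and exits 0 would be missed; for such targets attach a debugger or enable core dumps instead of trusting the return code.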
Over the coming weeks or months I'll be releasing more of my private fuzzers. These include my SSH Fuzzer (which discovered vulnerabilities in FreeSSHd and GoodTech SSH Server), SMTP Fuzzer, FormatFuzz (which discovered vulnerabilities in Intellitamper and the W3C Amaya Web Browser), and more...
In regard to W3C Amaya, have a look at the registers after an overflow of the URL bar...
EAX 00000000
ECX 00000000
EDX 00000695
EBX 0013FD0C ASCII "AAAAAAAA..." <-- Before
ESP 0013F900 ASCII "CCCCCCCC..." <-- After my RET
EBP 00000007
ESI 0000939F
EDI 000091CD
EIP 42424242
Perfect conditions. It was a pity there were some byte conversions which caused problems when injecting opcodes though. Similar events occur with the "id" property overflow as well.
During the creation of my website I decided to incorporate Google Adsense. All the research and applications I write I give away for free. Hopefully over time I will earn some money to help fund my research!