Meddle: Framework for Piggy-back Fuzzing and Tool Development

DEF CON 22

Presented by: Geoff McDonald
Date: Friday August 08, 2014
Time: 10:00 - 10:50
Location: DEF CON 101

Towards simplifying the vulnerability fuzzing process, this presentation introduces Meddle, a moddable framework for piggy-back fuzzing: rather than implementing a protocol itself, Meddle piggy-backs on an existing application's knowledge of that protocol, letting the application drive the target while Meddle fuzzes the events it generates. Meddle is an open source Windows x86 and x64 user-mode C# application that uses IronPython plugins to provide a familiar scripting interface for fuzzing. Why spend time understanding a protocol just to try to break it?

Two vulnerability fuzzing attacks using Meddle will be demonstrated: one against the open source RDP server XRDP, and one against general driver communications from user-mode processes. Several vulnerabilities found in the XRDP server will be briefly discussed, including two that may be exploitable for remote code execution prior to authentication. These attacks typically start from a piggy-back application (such as the Remote Desktop Connection client, mstsc.exe): the piggy-back application first performs a benchmarking run, and fuzzing then begins with a parallel set of piggy-back instances attacking each recorded event in turn.
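The attack pattern described above, as an added example in Python (it is not Meddle's own code, which is C# with IronPython plugins, and it targets neither XRDP nor any real driver): a benchmark run captures the events the piggy-back application issues, then each event is mutated in turn while the events before it are replayed unchanged so the target is in the same state as during the benchmark. The events are DeviceIoControl calls, mirroring the driver-communication attack, so the block also decodes CTL_CODE control codes, the piece a capture-tool parser needs. The control codes, the captured buffers and the FragileDriver target are constructed stand-ins, and a Python IndexError stands in for a kernel bugcheck.

```python
"""Piggy-back fuzzing in miniature (added example, not Meddle's own code).
Benchmark phase: capture the events the piggy-back application issues.  Fuzz
phase: for each recorded event, replay the earlier events exactly as captured
so the target reaches the same state, then deliver one mutated copy of that
event.  Events here are DeviceIoControl calls, so CTL_CODE decoding (what a
capture-tool parser needs) is included.  All control codes, buffers and the
FragileDriver target are constructed stand-ins, not any real driver."""
from dataclasses import dataclass
import struct

# CTL_CODE layout from the Windows DDK macro:
#   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 Method
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 0x3]}

@dataclass(frozen=True)
class IoctlEvent:                # one captured DeviceIoControl call
    code: int
    in_buf: bytes

# Constructed codes for the stand-in driver: vendor-range device type 0x8000,
# METHOD_BUFFERED, FILE_ANY_ACCESS, arbitrary function numbers.
IOCTL_OPEN_SESSION = (0x8000 << 16) | (0x800 << 2)
IOCTL_WRITE_RECORD = (0x8000 << 16) | (0x801 << 2)

class FragileDriver:
    """Stand-in target (constructed).  WRITE_RECORD carries a user-controlled
    u32 length followed by data; the driver trusts that length when copying
    into a fixed 64-byte record, which is the bug the fuzzer should find."""
    def __init__(self):
        self.session_open = False

    def handle(self, ev):
        if ev.code == IOCTL_OPEN_SESSION:
            if len(ev.in_buf) != 4:
                return "STATUS_INVALID_PARAMETER"
            self.session_open = True
            return "STATUS_SUCCESS"
        if ev.code == IOCTL_WRITE_RECORD:
            if not self.session_open or len(ev.in_buf) < 4:
                return "STATUS_INVALID_PARAMETER"
            (length,) = struct.unpack_from("<I", ev.in_buf, 0)
            data, record = ev.in_buf[4:], bytearray(64)
            for i in range(length):      # BUG: length never checked against len(data) or 64
                record[i] = data[i]      # IndexError stands in for a kernel bugcheck
            return "STATUS_SUCCESS"
        return "STATUS_INVALID_DEVICE_REQUEST"

def run_benchmark():
    """Benchmark phase.  A real tool hooks DeviceIoControl in the piggy-back
    process; here the capture is a constructed list of two well-formed calls."""
    return [IoctlEvent(IOCTL_OPEN_SESSION, struct.pack("<I", 1)),
            IoctlEvent(IOCTL_WRITE_RECORD, struct.pack("<I", 8) + b"MEDDLE!!")]

def mutations(buf):
    """Deterministic mutations of one event's input buffer."""
    yield b""                                   # empty buffer
    yield buf[: len(buf) // 2]                  # truncated
    yield buf + b"A" * 256                      # oversized
    for off in range(0, len(buf) - 3, 4):       # boundary u32 values at each aligned offset
        for v in (0, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF):
            yield buf[:off] + struct.pack("<I", v) + buf[off + 4:]
    for i in range(len(buf)):                   # flip the top bit of each byte
        yield buf[:i] + bytes([buf[i] ^ 0x80]) + buf[i + 1:]

def fuzz_schedule(baseline):
    """Yield (event index, sequence to replay): events before the index exactly
    as captured, the indexed event mutated, later events dropped because the
    target's state after a malformed request is unknown.  Cases are independent,
    so they can be spread over parallel piggy-back instances."""
    for i, ev in enumerate(baseline):
        for mutated in mutations(ev.in_buf):
            yield i, baseline[:i] + [IoctlEvent(ev.code, mutated)]

def run_campaign(baseline, make_target):
    """Run every case against a fresh target; return (event index, mutated
    event) for each crash."""
    crashes = []
    for i, seq in fuzz_schedule(baseline):
        target = make_target()
        try:
            for ev in seq:
                target.handle(ev)
        except IndexError:
            crashes.append((i, seq[-1]))
    return crashes

if __name__ == "__main__":
    for ev in run_benchmark():
        print(hex(ev.code), decode_ioctl(ev.code))
    for i, ev in run_campaign(run_benchmark(), FragileDriver):
        print(f"crash at event {i}: buf={ev.in_buf[:16]!r}")
```

Run stand-alone, it prints the decoded baseline and the crashing cases, all of which land on the second event with a length field that no longer matches the data that follows it; every mutation of the first event is rejected cleanly. Because the mutation set depends only on the captured buffer, the whole schedule can be generated up front and handed out to parallel instances, which is what makes the per-event approach cheap.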

Although originally designed as a vulnerability fuzzing framework, Meddle is well-suited to developing reverse-engineering and malware analysis tools. Two simple tools built on Meddle will be presented:

  1. A capture tool for communication between user-mode processes and kernel-mode drivers, along with a parser to view the captures in Windows Message Analyzer.
  2. A proof-of-concept malware sandboxing environment.

In conclusion, attendees should leave the session with a basic understanding of how to use the Meddle framework as well as their own ideas for tools to develop and targets to attack.

Geoff McDonald

Geoff is an anti-virus researcher with the Microsoft Malware Protection Center, with most of his experience in reverse-engineering malware and related vulnerabilities. As a hobby, Geoff can often be found developing reverse-engineering and vulnerability fuzzing tools, some of which can be found on his personal website http://www.split-code.com/.

