Fuzzing IOCTL

Topics: Forums
14 Sep, 21

Hi,

What methodology/tools do you use to fuzz the IOCTLs of your driver?

Thx

4 Comments

15 Sep, 21

FileTool gives a nice user-friendly interface to mess with input and receive output using IOCTL. I've used it time to time whenever I think I've discovered a vulnerable driver: http://www.zezula.net/en/fstools/filetest.html

15 Sep, 21

Google has a tool https://code.google.com/archive/p/ioctlfuzzer/

Another more generic method is to intercept IRPs (using a filter driver or hooking IoCallDriver) and modify the buffers on the way down. You can target a specific device_object or all device objects under a given driver_object.

15 Sep, 21

> Another more generic method is to intercept IRPs (using a filter driver or hooking IoCallDriver) and modify the buffers on the way down.

I found this method very efficient: I use CFB to monitor and capture IRPs and easily get some trigger scripts. You can extend it too for automating the fuzzing process (capture -> mutation -> replay).

15 Sep, 21

If you don’t have access to source then I’d open the driver in IDA, start at DriverEntry to grab the device name and find the IRP_MJ_DEVICE_CONTROL handler. Once you’ve got the handler it’s pretty easy to figure out the range of IOCTLs the driver will accept, then you could build a targeted fuzzer for that driver. Not a very scalable approach if that’s what you’re after.

Also worthwhile checking out this article (if you haven’t already):

https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/
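To make the two approaches in this thread concrete (the capture -> mutation -> replay loop from the CFB reply, and the targeted fuzzer built from the IOCTL range recovered out of the IRP_MJ_DEVICE_CONTROL handler in the last reply), here is an added example of a small targeted IOCTL fuzzer skeleton. It is not code from the original thread or from any tool mentioned in it. The device name `\\.\HypotheticalDevice`, the device type 0x22, the function range 0x800..0x802 and the seed buffer are all assumptions standing in for what you would recover from your own driver; only `send_ioctl()` needs Windows, the planning and mutation code runs anywhere.

```python
"""Targeted IOCTL fuzzer skeleton.

Added example, not code from the original thread. Assumptions that are not
on the page: the device is opened by a hypothetical name DEVICE_PATH, the
accepted function range was read out of the IRP_MJ_DEVICE_CONTROL handler,
and CAPTURED_SEED is a constructed stand-in for a captured IRP input buffer.
Only send_ioctl() touches Windows; the planning code runs anywhere.
"""
import ctypes
import random
import struct
import sys

# Layout of a Windows IOCTL code, as defined by the CTL_CODE macro (winioctl.h):
#   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 Method
METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER = 0, 1, 2, 3
FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0, 1, 2

DEVICE_PATH = r"\\.\HypotheticalDevice"  # assumption: name recovered from DriverEntry
CAPTURED_SEED = struct.pack("<IIII", 0x10, 0x20, 0x30, 0x40)  # constructed sample input


def ctl_code(device_type, function, method, access):
    """Compose an IOCTL code exactly as CTL_CODE does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a code back into fields; handy for the compare constants seen in the handler."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


def candidate_codes(device_type, first_function, last_function,
                    methods=(METHOD_BUFFERED, METHOD_NEITHER)):
    """Every code in the accepted function range, per transfer method. METHOD_NEITHER
    matters because the driver then receives raw user pointers it must probe itself."""
    return [ctl_code(device_type, fn, m, FILE_ANY_ACCESS)
            for fn in range(first_function, last_function + 1) for m in methods]


def mutate(seed, rng=None, max_len=0x1000, flips=4):
    """Mutations of a captured input buffer: empty, truncated (short-buffer checks),
    grown to max_len (length/size confusion), boundary values in the first DWORD
    (often a length or index field), and a few random bit flips."""
    rng = rng or random.Random(0)  # fixed seed keeps a run reproducible
    cases = [b"", seed[: len(seed) // 2], seed + b"A" * (max_len - len(seed))]
    if len(seed) >= 4:
        for v in (0, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF):
            cases.append(struct.pack("<I", v) + seed[4:])
    for _ in range(flips if seed else 0):
        buf = bytearray(seed)
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        cases.append(bytes(buf))
    return cases


def fuzz_plan(device_type, first_function, last_function, seed):
    """Deterministic list of (code, input) pairs, built before anything is sent so the
    plan can be reviewed and the last logged case identifies what crashed the machine."""
    return [(code, buf)
            for code in candidate_codes(device_type, first_function, last_function)
            for buf in mutate(seed)]


def send_ioctl(device_path, code, in_buf, out_len=0x1000):
    """One DeviceIoControl round trip; returns (success, bytes_returned, last_error)."""
    if sys.platform != "win32":
        raise RuntimeError("DeviceIoControl is only available on Windows")
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_ulong, ctypes.c_ulong,
                                ctypes.c_void_p, ctypes.c_ulong, ctypes.c_ulong, ctypes.c_void_p]
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p,
                                    ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong,
                                    ctypes.POINTER(ctypes.c_ulong), ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    GENERIC_RW, OPEN_EXISTING = 0x80000000 | 0x40000000, 3
    handle = k32.CreateFileW(device_path, GENERIC_RW, 0, None, OPEN_EXISTING, 0, None)
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise OSError(k32.GetLastError())
    inp = ctypes.create_string_buffer(in_buf)
    out = ctypes.create_string_buffer(out_len)
    returned = ctypes.c_ulong(0)
    ok = k32.DeviceIoControl(handle, code, inp, len(in_buf), out, out_len,
                             ctypes.byref(returned), None)
    err = k32.GetLastError()
    k32.CloseHandle(handle)
    return bool(ok), returned.value, err


if __name__ == "__main__":
    # Device type 0x22 (FILE_DEVICE_UNKNOWN) and function range 0x800..0x802 are assumed.
    for code, buf in fuzz_plan(0x22, 0x800, 0x802, CAPTURED_SEED):
        # Log each case before sending: after a bugcheck, the last line names the trigger.
        print(f"ioctl {code:#010x} {decode_ioctl(code)} len={len(buf)}", flush=True)
        if sys.platform == "win32":
            print(send_ioctl(DEVICE_PATH, code, buf))
```

Run it inside a VM with a kernel debugger attached and the output redirected to a file, so the last logged case survives the crash; swap `CAPTURED_SEED` for a buffer captured from a legitimate request (for instance one recorded with CFB, as in the reply above) to turn the same plan into a capture/mutate/replay loop.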