In Exercise 3, we will find a crash in a real-world target, a crash that has been leveraged in actual exploits.

This exercise is a bit more challenging than the previous two, but it is also more realistic. You may need to do some research to find the vulnerability, and you will need to use some of the more advanced features of Boofuzz.

Our target is the lighttpd web server, specifically version 1.4.15, which has a known vulnerability.

Download

Download: lighttpd 1.4.15

Build Requirements

Ubuntu

sudo apt install build-essential

Build

  1. Decompress: tar -xvf lighttpd-1.4.15.tar.gz
  2. Move into source directory: cd lighttpd-1.4.15
  3. Run configure: ./configure
  4. Build: make
  5. Ensure that the executable exists and runs: ./src/lighttpd -v

Configure

If you run lighttpd, you will receive an error about a missing configuration file:

> ./src/lighttpd 
2023-10-05 22:10:13: (server.c.521) No configuration available. Try using -f option. 

We can pass in a sample configuration file, which may give an error about a missing directory:

> ./src/lighttpd -f ./doc/lighttpd.conf
2023-10-05 22:16:12: (configfile.c.1114) base-docroot doesn't exist: /www/pages/ 
2023-10-05 22:16:12: (server.c.564) setting default values failed 

Let's copy that file:

cp ./doc/lighttpd.conf fuzz-target.conf

And then modify the following settings:

server.document-root        = "./src/"
server.errorlog             = "/path/to/working/dir/lighttpd.error.log"
accesslog.filename          = "/path/to/working/dir/access.log"
server.port                 = 8080
server.bind                 = "lo0"  # important since this is a vulnerable server!

Testing

When everything is operating, lighttpd should daemonize and keep running in the background, returning you to the shell and printing nothing to the console.

> ./src/lighttpd -f fuzz-target.conf

You can test that it is running by making a request to it:

> curl localhost:8080/          
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>
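A fuzzing run is only useful if you can tell a crash from the normal reply, and on this configuration the normal reply to GET / is the 404 shown above. The probe below is example code added here, not part of the original exercise or of Boofuzz: it sends a benign request between test cases and reports whether lighttpd still answers as expected. The host, port and expected status are taken from the fuzz-target.conf settings above; the `post_test_case` callback name and its argument list are an assumption about Boofuzz's callback API.

```python
import socket

# Lab target as configured on this page (server.bind loopback, server.port 8080).
TARGET_HOST = "127.0.0.1"
TARGET_PORT = 8080

# With server.document-root = "./src/" the page's curl test gets a 404 for GET /,
# so 404 is the *healthy* answer here; no answer at all means lighttpd died or hung.
EXPECTED_HEALTHY_STATUS = 404


def parse_status_line(raw: bytes):
    """Return the HTTP status code from a raw response, or None when there is no
    well-formed status line (empty reply, reset mid-response, garbage)."""
    first_line, _, _ = raw.partition(b"\r\n")
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe_target(host=TARGET_HOST, port=TARGET_PORT, timeout=2.0):
    """Send a benign GET / and return its status code, or None if the server is
    gone (connection refused), hung (timeout) or replied with something unparsable."""
    request = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode())
            while b"\r\n" not in raw:          # read until the status line is complete
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:                            # refused, reset, timeout, no loopback
        return None
    return parse_status_line(raw)


def target_is_healthy(status):
    """True only when the probe got the status this lab target gives for GET /."""
    return status == EXPECTED_HEALTHY_STATUS


def post_test_case(target, fuzz_data_logger, session, *args, **kwargs):
    """Assumed Boofuzz post-test-case callback shape: flag the preceding test case
    as the one that took the server down when the probe no longer gets a 404."""
    status = probe_target()
    if not target_is_healthy(status):
        fuzz_data_logger.log_fail(f"target unhealthy after test case: status={status}")
```

Pass the callback via the session's post-test-case callback list so every mutation is followed by a probe; a `None` status right after a test case points at the request that crashed the server, which is the case you then minimise by hand.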

This is the challenging part: have at it!

Tips:

  1. Spoiler: This vulnerability doesn't involve extremely long strings. You can pass max_len=100 to String to speed up iterations for the sake of time.
  2. This vulnerability has a public exploit which you can look up to learn more about the vulnerable syntax.
  3. The User-Agent header is involved.
  4. The Repeat block will help you; see https://boofuzz.readthedocs.io/.