DIBF : Windows driver Dynamic Ioctl Brute-Forcer and fuzzers.

DIBF : Windows driver Dynamic Ioctl Brute-Forcer and fuzzers.

This tool encompasses two distinct features. It guesses the IOCTL values that the driver accepts and also their valid size limitations and store the results are in a file for future reuse. The second feature is comprised of 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and an asynchronous fuzzer. You can run any combination of the 3 sequentially and can set time limits for each fuzzer run. The sync fuzzers will also warn you if too many requests fail in a row (indicating further fuzzing might be pointless due to lack permission for instance) and the async fuzzer allows you to set the percentage of requests to attempt cancelation on and the concurrency level (how many pending requests at once). Other features include control over the verbosity level and the ability to stop any fuzzer run cleanly with ctrl-c. Upon completion each fuzzer will display cumulative statistics.DIBF-Windows driver Dynamic Ioctl Brute-Forcer and fuzzers.

 Using the Named Pipe fuzzing provider

In order to provide fuzzed packet to the Named Pipe fuzzer, connect to \\.\pipe\dibf_pipe in PIPE_TYPE_MESSAGE mode and send the fuzzed data. The last 4 bytes of the packet will be interpreted as the IOCTL code. Additionally the named pipe peach publisher can be used to fuzz named pipe endpoints outside of DIBF scope.
Connecting to Peach

The provided Peach publisher can be used to connect Peach to the DIBF’s Named Pipe Fuzzing Provider. A sample Peach XML file peach_np.xml leveraging this provider can be found under the PeachNamedPipePublisher folder:

 DIBF Sample Output:


Simple encoding/decoding utility for IO codes
This very simple tool encodes and decodes windows IOCTL control codes. It provides a user-friendly way to deal with IO encoding of device types, function number, transfer method and access type.


Sending single IOCTL to a driver
This is a tool intended for proofing vulnerabilities and is meant to be used in conjunction with a hex-editor. Once the request of interest has been crafted in it, this utility will send it to the driver using command line parameters. The response gets sent to stdout. Arbitrary addresses can also be used as input and output buffer addresses.


Download : dibf.exe (138.24 kb)
Master.Zip  | Clone Url
Source: https://github.com/iSECPartners