#!/usr/bin/perl
2 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
3 #
4 # ************************************************** !!! WARNING !!! ***********************************************************
# * FOR SECURITY TESTING ONLY! *
6 # ******************************************************************************************************************************
7 # * By using this code you agree that I makes no warranties or representations, express or implied, about the *
8 # * accuracy, timeliness or completeness of this, including without limitations the implied warranties of *
9 # * merchantability and fitness for a particular purpose. *
10 # * I makes NO Warranty of non-infringement. This code may contain technical inaccuracies or typographical errors. *
11 # * This code can never be copyrighted or owned by any commercial company, under no circumstances what so ever. *
12 # * but can be use for as long the developer, are giving explicit approval of the usage, and the user understand *
13 # * and approve of all the parts written in this notice. *
14 # * This program may NOT be used by any Danish company, unless explicit written permission from the developer . *
15 # * Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect *
16 # * or punitive damages arising out of access to, inability to access, or any use of the content of this code, *
17 # * including without limitation any PC, other equipment or other property, even if I am Expressly advised of *
18 # * the possibility of such damages. I DO NOT encourage criminal activities. If you use this code or commit *
19 # * criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, *
20 # * and/or reading anything from this code you are considered to have accepted the terms and conditions and have read *
21 # * this disclaimer. Once again this code is for penetration testing purposes only. *
22 # ******************************************************************************************************************************
23 #
24 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
25 #
26 # Author/Developer: Dennis Rand - CIRT.DK
27 # Website: http://www.cirt.dk
28 # Copyright: (c)2007 by Dennis Rand
29 # Remember: This program may NOT be used, published or downloaded by any Danish company, unless explicit written permission.
30 # This would be violation of the law on intellectual property rights, and legal actions will be taken.
31 # Remember:
32 # Features / Bugs should be reported to Dennis Rand for fix or creation
# All ideas are highly welcome to make this as complete as possible.
34 # And remember this may never be used to earn money, so KEEP IT FREE.
35 #
36 # What this tool does:
37 # "Fuzzing" is an automated software testing technique that generates and submits random or sequential data to various
38 # areas of an application in an attempt to uncover security vulnerabilities.
39 # For example, when searching for buffer overflows, a tester can simply generate data of various sizes and send it to one
40 # of the application entry points to observe how the application handles it.
41 #
42 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
43 #
44 # Version 1.0
45 # This is the first version, and it is damn simple, and will take long time, but I have had
46 # some luck with it.
47 #
48 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
49 #
50 # Usage example (string overflow):
51 # fuzz.pl -host 192.168.1.2 -port 80 -type string -load template.txt
52 #
53 # Making the template:
54 # Make a file where you can put any request into, and the place you want to Fuzz insert the tag <FUZZER>
55 #
# If you need the byte count of a span of data computed for you, e.g. the body of an HTTP POST request,
# wrap that span in <COUNT>data<COUNT> and put <SIZE> where the count should go (the Content-Length header below):
58 #
59 # POST /cgi-sys/FormMail.cgi HTTP/1.1
60 # Host: 127.0.0.1
61 # User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041128 Firefox/1.0 (Debian package 1.0-4)
62 # Keep-Alive: 300
63 # Connection: keep-alive
64 # Referer: http://127.0.0.1/
65 # Content-Type: application/x-www-form-urlencoded
66 # Content-Length: <SIZE>
67 #
68 # <COUNT>recipient=test%40127.0.0.1&subject=Fuzzing&Name=test&email=test%40localhost&request=test<FUZZER>&redirect=/<COUNT>
69 #
# You can also write raw bytes as \x41 or 0x41 in the template when the protocol is binary. Note that the
# conversion is applied to the whole template, so any other "0x.." sequence in the request text is converted too.
71 #
72 #
73 #
74
75 use IO::Socket;
76 use Getopt::Long;
77 use Algorithm::GenerateSequence;
78 use Net::SSLeay::Handle qw/shutdown/;
79 use Time::HiRes qw(usleep);
80
81
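$version = "Version 1.0";
$copyright = "(c)2007 by Dennis Rand - CIRT.DK";

# Target defaults; every one of these can be overridden from the command line.
$host = "127.0.0.1";
$port = "80";
$timeout = "15";       # seconds, handed to IO::Socket::INET as Timeout

# Payload sets, selected with -type.
# "string": plain overflow strings of increasing length (33 .. 75536 bytes).
@overflowstrings = ("A" x 33, "A" x 254, "A" x 255, "A" x 511,"A" x 1023, "A" x 1024, "A" x 2047, "A" x 2048, "A" x 4096, "A" x 5000, "A" x 10000, "A" x 20000, "A" x 30000, "A" x 40000, "A" x 65530, "A" x 65536, "A" x 75536);
# "format": format-string probes (%s/%n/%x repetition, width and precision abuse).
@formatstrings = ("%s" x 4, "%s" x 8, "%s" x 15, "%s" x 30, "%x" x 1024, "%n" x 1025 , "%s" x 2048, "%s%n%x%d" x 5000, "%s" x 30000, "%s" x 40000, "%.1024d", "%.2048d", "%.4096d", "%.8200d", "%99999999999s", "%99999999999d", "%99999999999x", "%99999999999n", "%99999999999s" x 1000, "%99999999999d" x 1000, "%99999999999x" x 1000, "%99999999999n" x 1000, "%08x" x 100, "%%20s" x 1000,"%%20x" x 1000,"%%20n" x 1000,"%%20d" x 1000, "%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x");
# "special": single bytes 0x00-0xFF minus the plain digits and letters
# (0x31-0x39, 0x42-0x5A and 0x61-0x7A are left out -- presumably because
# ordinary alphanumerics are already covered by the other two modes).
# -minimum/-maximum control how many of these are combined per request.
@specchars = map { chr($_) } (0x00 .. 0x30, 0x3A .. 0x41, 0x5B .. 0x60, 0x7B .. 0xFF);

$count = 0;            # requests sent so far (progress counter)
$proto = "tcp";
$delay = "50000";      # usleep() takes microseconds: 50 ms pause between tests
$wait = "500000";      # half a second after sending before the connection is torn down
$noresponse = ": The server answers very slow or is dead ==> Retry number: ";
$brute = "";           # payload currently under test
$template_fuzz = "";   # template text accumulated by read_template()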
98
99
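# Command-line parsing. Getopt::Long writes straight into the globals defined
# above. A parse failure (unknown option, non-integer where =i is required)
# aborts with a pointer to -help instead of silently running on half-applied
# settings.
GetOptions(
    "host=s"     => \$host,
    "port=i"     => \$port,
    "ssl"        => \$ssl,
    "timeout=i"  => \$timeout,
    "delay=i"    => \$delay,
    "minimum=i"  => \$inc_minimum,
    "maximum=i"  => \$inc_maximum,
    "protocol=s" => \$proto,
    "wait=i"     => \$wait,
    "load=s"     => \$template,
    "type=s"     => \$overflowtype,
    "noupdate"   => \$noupdate,

    # Usage text; printed and the program exits.
    "help|?" => sub {
        print "\n" x 2;
        print "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n";
        print "\t\to Simple TCP/UDP Protocol Fuzzer $version o\n";
        print "\t\t0 ************* !!! WARNING !!! ************ 0\n";
        print "\t\t0 ******* FOR PENETRATION USE ONLY ********* 0\n";
        print "\t\t0 ****************************************** 0\n";
        print "\t\to $copyright o\n";
        print "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n\n";
        print "\t\t Basic settings\r\n";
        print "\t\t -host\t\t Set the host ip or hostname to scan\r\n";
        print "\t\t -port\t\t Set the port where the webserver are located\r\n";
        print "\t\t -protocol\t Set if connection is TCP or UDP\r\n";
        print "\t\t -timeout\t Set a maximum timeout for each try\r\n";
        print "\t\t -delay\t Set a delay between each attempt\r\n";
        print "\t\t -wait\t\t Set the wait time after data sent before killing connection\r\n";
        print "\t\t -load\t\t Load template file\r\n";
        print "\t\t -ssl\t\t Run against SSL ports\r\n";
        print "\t\t -noupdate\t Do not check for updates of Protocol Fuzzer\r\n";
        print "\r\n";
        print "\t\t -type\t\t Use: string, format or special\r\n";
        print "\t\t -minimum\t Set the min chars for special\r\n";
        print "\t\t -maximum\t Set the max chars for special\r\n\r\n\r\n";

        exit;
    }
) or do {
    print "Error: Invalid command line option, use -help for usage\r\n";
    exit;
};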
142
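# Sanity checks on the parsed options.
#
# The length range (-minimum/-maximum) only matters for -type special. Unset
# or zero values fall back to 1 BEFORE the range is compared, so giving only
# -minimum no longer trips the range check against an undefined maximum.
$inc_minimum = "1" unless $inc_minimum;
$inc_maximum = "1" unless $inc_maximum;

# Validate port, protocol and length range.
# Returns an error message string for the first problem found, or nothing
# (undef in scalar context) when all settings are usable. Port 0 is rejected:
# it is not a connectable destination and would spin the reconnect loop forever.
sub validate_settings {
    my ($p, $pr, $min, $max) = @_;
    unless (defined $p && $p =~ /\A\d+\z/ && $p >= 1 && $p <= 65535) {
        return "Error: Port number invalid, please use from 1-65535\r\n";
    }
    unless (defined $pr && lc($pr) =~ /\A(?:tcp|udp)\z/) {
        return "Error: Protocol must be tcp or udp\r\n";
    }
    if ($min > $max) {
        return "Error: The Minimum is larger than the Maximum\r\n";
    }
    return;
}

if (my $problem = validate_settings($port, $proto, $inc_minimum, $inc_maximum)) {
    print $problem;
    exit;
}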
147
148 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
149 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
150 # Catch Interupt - CTRL + C
151
# SIGINT handler: print the "Interrupted" banner once and leave.
# A second Ctrl-C while the banner is being printed just exits, so the
# message cannot be printed twice.
sub catchInterrupt {
    $SIG{INT} = sub { exit; };
    my $rule = "oo00" x 12;
    print "\n\n ", $rule, "\n [X] Interrupted\t\t\t - DONE\n ", $rule, "\r\n\r\n";
    exit;
}
157
# Install the Ctrl-C handler, confirm the assignment took, then print the
# banner and a summary of the target that is about to be fuzzed.
$SIG{INT} = \&catchInterrupt;

if (!defined $SIG{INT}) {
    print "Unable to install signal handler, contact $copyright";
}
if ($SIG{INT} != \&catchInterrupt) {
    print "There was an unexpected error installing the signal handler, contact $copyright";
}

my @banner = (
    "\n\n\n oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n",
    " o Simple TCP/UDP Protocol Fuzzer $version o\n",
    " 0 ************* !!! WARNING !!! ************ 0\n",
    " 0 ******* FOR PENETRATION USE ONLY ********* 0\n",
    " 0 ****************************************** 0\n",
    " o $copyright o\n",
    " oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n\n",
);
print @banner;
print " ", "oo00" x 12, "\r\n\r\n [X] Host: $host\r\n [X] Port: $port\r\n [X] Protocol: $proto \r\n";
173
174 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
175 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
176 # Check for updates at www.cirt.dk
# Open the plain-HTTP connection used for the update check and store it in
# the global $updates.
#
# Security note: this is cleartext to a fixed third-party host with no
# authenticity check on what comes back, so callers must treat the response
# as untrusted (display only, never act on it). On connect failure the
# "NO ROUTE" message is printed and -- because of the || form -- print's
# return value (1) is what lands in $updates, so callers should test
# ref($updates) rather than plain truthiness before writing to it.
sub ChkUpdatesCon {
    $| = 1;
    my %endpoint = (
        Proto    => "tcp",
        PeerAddr => "www.cirt.dk",
        PeerPort => "80",
        Reuse    => 1,
        Timeout  => 10,
    );
    $updates = IO::Socket::INET->new(%endpoint) || print "\t\t - NO ROUTE TO WWW.CIRT.DK";
}
187
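# Update check (skipped with -noupdate): fetch a notice from www.cirt.dk over
# cleartext HTTP. Nothing in the response is executed; only a version string
# is looked for and one free-text line is shown. Because that line is written
# to the console, control bytes are stripped first -- an on-path attacker could
# otherwise push terminal escape sequences through this unauthenticated channel.

# Extract the update text from a raw HTTP response.
# Returns nothing (undef) when the response already mentions the running
# version, i.e. there is no update; otherwise the Update_Info line with <CN>
# markers expanded to newline + tab ("" when the line is absent).
sub update_notice {
    my ($raw, $current) = @_;
    return if $raw =~ m/\Q$current\E/si;
    my ($info) = $raw =~ m/Update_Info:\s+(.*)/;
    $info = "" unless defined $info;
    $info =~ s/[^\x20-\x7E]//g;   # untrusted payload: printable ASCII only
    $info =~ s/<CN>/\r\n\t/g;
    return $info;
}

print " [X] Checking for updates";
if (!$noupdate) {
    ChkUpdatesCon();
    $response = undef;
    $result = "";
    # ChkUpdatesCon() leaves a non-reference true value in $updates when the
    # connect failed (and has already printed NO ROUTE), so only a real socket
    # is written to.
    if (ref($updates)) {
        print {$updates} "GET /tools/fuzzer/fz_update.txt HTTP/1.0\r\nHost: www.cirt.dk\r\nUser-Agent: Mozilla/4.0 (Fuzzer Update Check)\r\n\r\n";
        while (my $line = <$updates>) {
            $response = $line unless defined $response;
            $result .= $line;
        }
        close($updates);

        if ($result =~ m/200 OK/si) {
            my $info = update_notice($result, $version);
            if (defined $info) {
                print "\t\t - FOUND\r\noo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\r\nINFORMATION:\r\nCIRT.DK Simple TCP/UDP Protocol Fuzzer has been updated,\r\nget the latest version at www.cirt.dk\r\nUpdate includes following features: $info\r\nThe scan will continue in 5 seconds\r\noo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\r\n";
                sleep(5);
            }
            else {
                print "\t\t - NO UPDATES";
            }
        }
        else {
            # Connected but no 200: say so instead of leaving the line blank.
            print "\t\t - FAILED";
        }
    }
}
else {
    print "\t\t - NO CHECK";
}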
219 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
220 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
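# Load the request template(s) named by -load (comma separated) into the
# global $template_fuzz. Each file is appended in order; after each one the
# "\x41" / "0x41" style escapes in the accumulated text are turned into raw
# bytes so binary protocols can be templated. Prints progress and exits when
# a file is missing or cannot be opened.
#
# Caveat: the 0x conversion runs over the whole template, so a literal
# "0x" followed by two hex digits anywhere in the request text (a URL, a
# form value) is converted as well.
sub read_template {
    our ($template, $template_fuzz);
    for my $path (split(/,/, $template)) {
        print "\r\n [X] Loading Template";
        if (!-f $path) {
            print "\t\t\t - FAILED\n";
            print " The template file you are trying to use: '$path' could not be found\n";
            exit;
        }
        # Three-argument open with an explicit read mode: a template name that
        # starts with '|' or '>' is treated as a file name, never as a pipe to
        # a command or an output redirection.
        my $fh;
        unless (open($fh, '<', $path)) {
            print "\t\t\t - FAILED\n";
            print " The template file you are trying to use: '$path' could not be opened: $!\n";
            exit;
        }
        print "\t\t\t - DONE\n";
        print " [X] Starting Fuzzer\t\t\t - OK\n";
        while (my $line = <$fh>) {
            $template_fuzz .= $line;
        }
        close($fh);
        # Only genuine hex digit pairs are converted; a stray "\xzz" is left
        # untouched instead of silently becoming a NUL byte via hex("zz").
        $template_fuzz =~ s/\\x([0-9a-fA-F]{2})/pack("C", hex($1))/egi;   # \x41 -> 'A'
        $template_fuzz =~ s/0x([0-9a-fA-F]{2})/pack("C", hex($1))/egi;    # 0x41 -> 'A'
    }
}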
248 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
249 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
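# Build one request from the template: substitute the payload for <FUZZER>,
# resolve <SIZE> to the byte length of the text between the two <COUNT>
# markers (e.g. a POST body) and drop the markers. Tag matching for <SIZE>
# and <COUNT> is case-insensitive. Without a <COUNT> pair, <SIZE> becomes 0.
sub build_request {
    my ($tmpl, $payload) = @_;
    my $req = $tmpl;
    $req =~ s/<FUZZER>/$payload/g;
    # Non-greedy with /s: the counted span may cross lines and may contain
    # any byte -- including ']' from the special set -- without breaking the
    # match and silently producing an empty Content-Length.
    my ($counted) = $req =~ m/<COUNT>(.*?)<COUNT>/si;
    my $size = defined $counted ? length($counted) : 0;
    $req =~ s/<SIZE>/$size/gi;
    $req =~ s/<COUNT>//gi;
    return $req;
}

read_template();
print " [X] Load Fuzzer with";

# Pick the payload set from -type. Only the last type listed takes effect,
# because each match overwrites @do_choice; "special" ends the scan of the
# list outright. For string/format each payload is sent once -- -minimum and
# -maximum only govern how many special bytes are combined per request.
@choice = split(/,/, $overflowtype);
if (!@choice) {
    print "\t\t - FAILED\n";
    print " Error: You have to specify the -type with string, format or special\r\n\r\n";
    exit;
}
my @do_choice;
my $input_txt;
for my $input (@choice) {
    if ($input eq "string") {
        @do_choice = @overflowstrings; $inc_maximum = 1; $input_txt = "string";
    }
    elsif ($input eq "format") {
        @do_choice = @formatstrings; $inc_maximum = 1; $input_txt = "format";
    }
    elsif ($input eq "special") {
        @do_choice = @specchars; $input_txt = "special";
        last;
    }
    else {
        print "\t\t - FAILED\n";
        print " Error: You have to specify the -type with string, format or special\r\n\r\n";
        exit;
    }
}
print " \"$input_txt\" attack\t - OK\r\n";

# For each length from -minimum to -maximum, walk every ordered combination
# of that many payloads and send each one. $brute and $fuzz are globals read
# by start_fuzzing().
$start_pos = ($inc_minimum - 1);
do {
    my $len = $start_pos;
    my $gen = Algorithm::GenerateSequence->new(map { [@do_choice] } (0 .. $len));
    while (my @c = $gen->next) {
        $brute = join("", @c);
        $fuzz = build_request($template_fuzz, $brute);
        start_fuzzing();
        usleep($delay);
        $fuzz = "";
    }
    $start_pos++;
} until ($start_pos >= $inc_maximum);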
291
292
293
294
295 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
296 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
297 # The connection are setup here.
# (Re)connect to the target. Stores a new IO::Socket::INET (TCP or UDP as
# chosen with -protocol) in the global $remote, or leaves it undefined when
# the connect does not succeed within -timeout seconds; start_fuzzing()
# keeps retrying on that. STDOUT is switched to autoflush so the progress
# line is visible immediately.
sub connection {
    $| = 1;
    my %peer = (
        Proto    => $proto,
        PeerAddr => $host,
        PeerPort => $port,
        Reuse    => 1,
        Timeout  => $timeout,
    );
    $remote = IO::Socket::INET->new(%peer);
}
307
308
309 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
310 #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
311 # Let the start_fuzzing begin
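# Send the current $fuzz request once.
#
# Connects to the target, retrying every 5 seconds until connection()
# succeeds -- there is no retry cap, so a dead host stalls the run
# indefinitely (Ctrl-C is the way out). Then writes the request, waits $wait
# microseconds for the target to react, and shuts the connection down.
# With -ssl the request goes over a Net::SSLeay::Handle tied to *SSL, which
# is given $host/$port and opens its own connection; the plain socket from
# connection() is closed in that case so a descriptor is not leaked per request.
sub start_fuzzing {
    $firsttimeout = 0;
    connection();
    while (!defined $remote) {
        connection();
        if (!defined $remote) {
            my $whattime = localtime;
            print STDERR "\r [X] $whattime$noresponse" . $failed++;
            sleep 5;
            $firsttimeout = 1;
        }
    }
    $count++;
    if ($ssl) {
        # The peer is the same $host/$port the plain socket just reached.
        eval { tie(*SSL, "Net::SSLeay::Handle", $host, $port); };
        if ($@) {
            # A failed tie leaves *SSL untied; writing to it would only warn
            # and the request would never reach the target.
            print STDERR "\r [X] SSL connection to $host:$port failed: $@";
            close($remote);
            return;
        }
        print SSL "$fuzz";
        usleep($wait);
        shutdown(\*SSL, 2);
        close($remote);
    }
    else {
        print $remote "$fuzz";
        usleep($wait);
        shutdown($remote, 2);
    }
    # Progress line; plain print, since $count must never be treated as a format.
    print STDERR "\r [X] Running attack count \t\t - $count";
}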
# Every payload has been sent: release the last socket and print the
# closing banner.
close($remote);
print "\r\n\r\n";
my $rule = "oo00" x 12;
print " ", $rule, "\n [X] Scan complete\t\t\t - DONE\n ", $rule, "\r\n\r\n";