/* does a Portmap GETPORT against the provided host for the specified
* program (and version, protocol) provided in the onc_endpoint structure.
* The results of the query will be put into the port member of the structure.
* RETURNS:
* 1 on success, 0 on failure
*/
int
s_onc_do_portmap_getport(char* host, struct onc_endpoint* endpoint)
{
struct spike* old_spike;
struct spike* onc_spike;
unsigned char responsebuf[BIG_BUF], responsedata[BIG_BUF];
uint responsebufsize = BIG_BUF, responsedatasize = BIG_BUF, xid = 0;
old_spike = getcurrentspike();
onc_spike = new_spike();
setspike(onc_spike);
xid = (uint)rand();
s_binary_block_size_onc_recordfrag("ONCRecordFrag");
s_block_start("ONCRecordFrag");
s_onc_call_header(xid, 100000, 2, 3);
s_onc_opaqueauth_none();
s_onc_verifier_none();
s_bigword(endpoint->prognum);
s_bigword(endpoint->progver);
s_bigword(endpoint->proto);
s_bigword(0);
s_block_end("ONCRecordFrag");
printf("\nXID: %u\tPORTMAP_GETPORTv2\nProg: %u Ver: %u\n",
xid, endpoint->prognum, endpoint->progver);
if (!spike_send_tcp(host, 111)) {
return 0;
}
s_onc_read_reply(onc_spike, responsebuf, &responsebufsize);
responsedatasize =
s_onc_parse_response(responsebuf,
responsebufsize,
responsedata,
responsedatasize);
if (responsedatasize >= 4) {
endpoint->port = ntohl(*(uint*)responsedata);
}
else {
endpoint->port = 0;
}
spike_close_tcp();
setspike(old_spike);
spike_free(onc_spike);
return 1;
}
int
main (int argc, char ** argv)
{
int port;
int result,listenfd,acceptfd;
if (argc!=2)
{
usage();
}
port=atoi(argv[1]);
our_spike=new_spike();
if (our_spike==NULL)
{
fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
exit(-1);
}
setspike(our_spike);
result=make_tcp_listener(port,&listenfd);
if (result!=1)
{
printf("Failed to listen on that port: %d\n",port);
usage();
}
/*very important line. don't forget it*/
s_init_fuzzing();
/*zeroth fuzz variable is first variable*/
s_resetfuzzvariable();
while (!s_didlastvariable())
{
s_resetfuzzstring();
/*zeroth fuzz string is no change*/
while(!s_didlastfuzzstring())
{
spike_clear();
/*now loop on connections to that port*/
acceptfd=s_tcp_accept(listenfd);
if (acceptfd==-1)
{
printf("Accept failed for some reason!\n");
continue;
}
/*change any of the s_string's into s_string_variable for extra
* fun */
s_read_packet(); /*read a 0d 0a */
s_string("2"); /*EDIT THIS*/
//s_string_variable("");
s_string_repeat("asdf",5);
s_string("\t");
s_string("2"); /*AND THIS*/
s_string("/");
s_string_repeat("asdf",5);
s_string_variable("");
s_string("\t");
s_string("localhost");
s_string(".");
s_string("localdomain");
s_string(".");
s_string("com");
s_string("\t");
s_string("70");
s_string("\t");
s_string("-");
s_string("\r\n");
s_string(".\r\n");
if (spike_send()<0)
{
printf("Couldn't send data!\r\n");
spike_close_tcp();
continue;
}
spike_close_tcp();
s_incrementfuzzstring();
}
s_incrementfuzzvariable();
}/*end for each variable*/
printf("Done.\n");
return 0;
} /*end program*/
int
main (int argc, char ** argv)
{
char * target;
char buffer[1500000];
int port;
char *pipename;
unsigned char uid[2];
unsigned char tid[2];
unsigned char fid[2];
#define SAVESLOTS 5
unsigned char *savedbuf[SAVESLOTS];
unsigned int savedsize[SAVESLOTS];
int currentsaveslot;
struct spike * our_spike;
unsigned long retval;
unsigned int number_of_tries, number_of_items;
unsigned short function_number;
int i,j,s;
unsigned int r;
int sent;
int randval;
int msrpcdo;
char * login = NULL, * password = NULL;
#define ARGCNEEDED 9
if (argc < ARGCNEEDED)
{
printf("Argc=%d not %d\n",argc,ARGCNEEDED);
usage();
}
target=argv[1];
printf("Target is %s\r\n",argv[1]);
msrpcdo=-1;
if (getenv("MSRPC_DO"))
{
msrpcdo=atoi(getenv("MSRPC_DO"));
}
function_number=atoi(argv[6]);
printf("Hitting function number %d\n",function_number);
number_of_tries=atoi(argv[7]);
number_of_items=atoi(argv[8]);
if(argc > ARGCNEEDED)
{
if(argc != ARGCNEEDED + 2)
{
usage();
}
login = argv[9];
password = argv[10];
}
port=445;
pipename=argv[2];
for (s=0;s<SAVESLOTS; s++)
{
savedbuf[s]=malloc(0);
savedsize[s]=0;
}
currentsaveslot=0;
signal(SIGPIPE,sig_pipe);
if (getenv("RANDVAL"))
randval=atoi(getenv("RANDVAL"));
else
randval=getpid();
printf("MSRPC_DO=%d and RANDVAL=%d\n",msrpcdo,randval);
srand(randval);
printf("Initialized random with %d\n",randval);
fprintf(stderr,"Initialized random with %d\n",randval);
for (i=0; i<number_of_tries; i++)
{
printf("Try Number %d on procedure %d\n",i,function_number);
fflush(0);
our_spike=new_spike();
if (our_spike==NULL)
{
fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
exit(-1);
}
/*this really only gets called once*/
s_init_fuzzing();
setspike(our_spike);
/*do unicode the MS way*/
s_set_unicode(1);
s_smb_negotiate(login, password);
sent=spike_send_tcp(target,port);
if (sent==0 || caught_sigpipe)
{
/*this means the server went down!*/
if (sent==0)
fprintf(stderr,"We killed it! \n");
else
{
fprintf(stderr,"We caught sigpipe!\n");
fprintf(stdout,"We caught sigpipe!\n");
}
for (s=0; s<SAVESLOTS;s++)
{
fprintf(stderr,"Current Save Slot = %d\n",currentsaveslot);
fprintf(stderr,"Printing save slot %d\n",s);
#if 0
pretty_print(savedbuf[s],savedsize[s]);
#endif
}
fprintf(stderr,"Done.\n");
if (sent==0)
{
//printf("Was not able to connect: Sleeping...\n");
//sleep(100);
//sleep(59999);
}
//exit(1);
}
else
{
#ifdef SAVEBUF
/*we always malloc it with something*/
free(savedbuf[currentsaveslot]);
#endif
}
s_fd_wait();
memset(buffer,0,sizeof(buffer));
alarm(1);
retval=read(getcurrentspike()->fd,buffer,1500);
alarm(0);
if (retval==-1)
{
printf("couldn't smb negotiate continuing\n");
spike_close_tcp();
spike_free(our_spike);
continue;
}
if (buffer[9]!=0x00) {
printf("Error value when trying to negotiate an SMB connection: %x\n",buffer[10]);
spike_close_tcp();
spike_free(our_spike);
continue;
}
spike_clear();
/*do the smb session startup*/
s_smb_session_setup(login, password);
spike_send();
s_fd_wait();
memset(buffer,0,sizeof(buffer));
alarm(1);
retval=read(getcurrentspike()->fd,buffer,1500);
alarm(0);
if (retval==-1)
{
printf("couldn't smb session startup continuing\n");
spike_close_tcp();
spike_free(our_spike);
continue;
}
if (*(unsigned int *)(buffer+9)!=0x00000000) {
printf("Error value when trying to start up an SMB session: %8.8x\n",*(unsigned int *)(buffer+9));
if (0x00080001==(*(unsigned int *)(buffer+9))) {
printf ("Error returned was out of memory.\n");
}
spike_close_tcp();
spike_free(our_spike);
continue;
}
memcpy(uid,buffer+32,2);
printf("Uid is %x%x\n",uid[0],uid[1]);
/*done with smb session startup*/
spike_clear();
/*start IPC$ connection */
s_smb_ipc_connect(uid);
spike_send();
s_fd_wait();
memset(buffer,0,sizeof(buffer));
alarm(1);
retval=read(getcurrentspike()->fd,buffer,1500);
alarm(0);
if (retval==-1)
{
printf("couldn't smb session IPC$ startup continuing\n");
spike_close_tcp();
spike_free(our_spike);
continue;
}
if (*(unsigned int *)(buffer+9)!=0x00000000) {
printf("Error value when trying to start up an SMB IPC$ session: %8.8x\n",*(unsigned int *)(buffer+9));
spike_close_tcp();
spike_free(our_spike);
continue;
}
memcpy(tid,buffer+32-4,2);
printf("Tree id is %x%x\n",uid[0],uid[1]);
/*done with IPC$ connection*/
/* do the NT Create AndX Request */
spike_clear();
s_nt_createandx(tid,uid,pipename);
spike_send();
printf ("Sent NT AndX request\n");
s_fd_wait();
memset(buffer,0,sizeof(buffer));
alarm(1);
retval=read(getcurrentspike()->fd,buffer,1500);
alarm(0);
if (retval==-1)
{
printf("couldn't NT Create AndX - continuing\n");
spike_close_tcp();
spike_free(our_spike);
continue;
}
if (*(unsigned int *)(buffer+9)!=0x00000000) {
printf("Error value when trying to start up an NT AndX: %8.8x\n",ntohl(*(unsigned int *)(buffer+9)));
if (0x220000c0==ntohl(*(unsigned int *)(buffer+9)))
{
printf("Error returned was Access Denied\n");
}
else
{
if (0xac0000c0==ntohl(*(unsigned int *)(buffer+9))) {
printf("Error returned was Pipe Not Available\n");
}
if (0x340000c0==ntohl((*(unsigned int *)(buffer+9)))) {
printf ("Error returned was File Not Found.\n");
}
}
spike_close_tcp();
spike_free(our_spike);
continue;
}
memcpy(fid,buffer+42,2);
printf("File id is %x%x\n",uid[0],uid[1]);
/*done with the NT Create AndX Request*/
spike_clear();
/*Send the Netbios and SMB header for the DCE-RPC packet*/
s_smbheader(fid,uid,tid);
/*i is sent in just to keep incrementing*/
/*hardcoded the transfer syntax and syntax version of 2...they
are always the same*/
s_dce_bind(argv[3], /*GUID "Interface" */
"8a885d04-1ceb-11c9-9fe8-08002b104860", /*syntax - always the same*/
i,
atoi(argv[4]), /*interface version major*/
atoi(argv[5]), /*interface version minor, usually zero*/
2); /*syntax version*/
s_block_end("DCEFragLength"); /*ALWAYS HAVE TO DO*/
/*phew! :>*/
/*had to add this for SMB block*/
s_block_end("smbblock");
s_block_end("bytecount");
sent=spike_send();
s_fd_wait();
/*clear the response*/
alarm(1);
fcntl(our_spike->fd, F_SETFL, O_NONBLOCK);
retval=read(our_spike->fd,buffer,1500);
if (retval==-1 && 0)
{
printf ("couldn't read, continuing\n");
perror("read()");
spike_close_tcp();
spike_free(our_spike);
continue;
}
alarm(0);
/*the offset of the DCE within the SMB stuff*/
#define DCEOFFSET 60
if (buffer[2+DCEOFFSET]!=DCE_BIND_ACK)
{
printf("Warning, did not recieve bind_ack! Instead got 0x%x\n",buffer[2+DCEOFFSET]);
if (buffer[2+DCEOFFSET]==0x0d)
printf("I believe 0x0d is provider reject - check your version number\n");
if (buffer[2+DCEOFFSET]==0x00)
{
/*this means the server went down!*/
fprintf(stderr,"We almost killed it! \n");
fprintf(stderr,"Current Save Slot = %d\n",currentsaveslot);
fprintf(stderr,"Printing save slot %d\n",s);
#if 0
pretty_print(savedbuf[currentsaveslot],savedsize[currentsaveslot]);
#endif
fprintf(stderr,"Done.\n");
}
}
/*send first packet*/
spike_clear();
s_smb_dce_call(4,buffer,0,fid,uid,tid);
s_smbdce_doreadx(fid,uid,tid,buffer,sizeof(buffer));
/*assume bind success...*/
/*send a random packet*/
spike_clear();
/*2nd arg is alloc hint*/
/*s_dce_call_header(1, 5300, function_number,1,1);*/
r=0+(unsigned int) (number_of_items*1.0*rand()/(RAND_MAX+1.0));
// r=number_of_items;
/*EntryNameSyntax*/
s_intelword(3);
/*I think this is a "pointer"*/
s_binary("70 b7 23 00");
/*EntryName*/
//s_dce_unistring("/.:/bob/bob");
s_dce_unistring(s_get_random_fuzzstring());
//s_dce_unistring("/.:/6");
/*some null pointers*/
s_intelword(0);
s_intelword(0);
s_intelword(0);
/*
push_random_msrpc_thing();
push_random_msrpc_thing();
*/
s_intelword(0x64);
s_intelword(0x1c20);
/*test*/
/*r=1;*/
for (j=0; j<r+1; j++)
{
//push_valid_thing();
//push_random_msrpc_thing();
}
printf("Pushing %u things with total size of %u\n",(unsigned int)r+1,(unsigned int)s_get_size());
/*save it off in our saved buffers*/
if (currentsaveslot==SAVESLOTS-1)
{
currentsaveslot=0;
}
else
{
currentsaveslot++;
}
#ifdef SAVEBUF
savedbuf[currentsaveslot]=malloc(s_get_size());
memcpy(savedbuf[currentsaveslot],s_get_databuf(),s_get_size());
savedsize[currentsaveslot]=s_get_size();
#endif
/*
Localization of bugs:
only actually send the packet if we eithar do not have a MSRPC_DO
value or if our current i is less than that number
Change the < to an == when you get close.
*/
if (msrpcdo==-1 || i==msrpcdo)
{
printf("Sending request\n");
/*read from 4 first...*/
pretty_print(s_get_databuf(),s_get_size());
if (!s_smb_dce_call(function_number,s_get_databuf(),s_get_size(),fid,uid,tid))
{
printf("do_dce_call failed\n");
spike_free(our_spike);
return 0;
}
}
s_fd_wait();
/*clear the response*/
memset(buffer,0,sizeof(buffer));
//alarm(1);
//s_fd_wait();
//retval=read(getcurrentspike()->fd,buffer,1500);
s_smbdce_doreadx(fid,uid,tid,buffer,sizeof(buffer));
//s_fd_wait();
//retval=read(getcurrentspike()->fd,buffer,1500);
alarm(0);
if (retval==-1)
{
printf("continuing\n");
spike_close_tcp();
spike_free(our_spike);
continue;
}
if (buffer[2+DCEOFFSET]==DCE_FAULT)
{
printf("Recieved DCE_FAULT packet. As expected.\n");
}
else
{
printf("Recived response packet with type %x\n",buffer[2+DCEOFFSET]);
printf("Type 0x0c is BIND_ACK\n");
}
if (retval==-1)
{
printf("dce call: Interesting - server closed socket!\n");
//return 0;
}
spike_close_tcp(); /*close the socket*/
spike_clear();
spike_free(our_spike);
}
return 0;
}
/* executes a Protmap DUMP request against the specified host and puts
* the results in onc_endpoint structures in the provided array. It will
* write at most arraysize number of endpoint elements into the array, so
* provide an array large enough to hold all the expected endpoints (32-64
* elements should be sufficient for most hosts).
* RETURNS:
* the number of endpoint elements written to the provided array
*/
int
s_onc_do_portmap_dump(char* host, struct onc_endpoint* eparray, uint arraysize)
{
struct spike* old_spike;
struct spike* onc_spike;
unsigned char responsebuf[BIG_BUF], responsedata[BIG_BUF];
uint responsebufsize = BIG_BUF, responsedatasize = BIG_BUF, xid = 0;
uint i = 0, processed = 0;
old_spike = getcurrentspike();
onc_spike = new_spike();
setspike(onc_spike);
xid = (uint)rand();
s_binary_block_size_onc_recordfrag("ONCRecordFrag");
s_block_start("ONCRecordFrag");
s_onc_call_header(xid, 100000, 2, 4);
s_onc_opaqueauth_none();
s_onc_verifier_none();
s_block_end("ONCRecordFrag");
printf("\nXID: %u\tPORTMAP_DUMPv2\n", xid);
if (!spike_send_tcp(host, 111)) {
return 0;
}
s_onc_read_reply(onc_spike, responsebuf, &responsebufsize);
responsedatasize =
s_onc_parse_response(responsebuf,
responsebufsize,
responsedata,
responsedatasize);
for (i = 0; i < arraysize; i++) {
uint more = 0;
if (processed + 4 <= responsedatasize) {
more = ntohl(*(uint*)(responsedata + processed));
processed += 4;
}
else {
break;
}
if (!more) {
break;
}
if (processed + 4 <= responsedatasize) {
eparray[i].prognum =
ntohl(*(uint*)(responsedata + processed));
processed += 4;
}
else {
break;
}
if (processed + 4 <= responsedatasize) {
eparray[i].progver =
ntohl(*(uint*)(responsedata + processed));
processed += 4;
}
else {
break;
}
if (processed + 4 <= responsedatasize) {
eparray[i].proto =
ntohl(*(uint*)(responsedata + processed));
processed += 4;
}
else {
break;
}
if (processed + 4 <= responsedatasize) {
eparray[i].port =
ntohl(*(uint*)(responsedata + processed));
processed += 4;
}
else {
break;
}
}
spike_close_tcp();
setspike(old_spike);
spike_free(onc_spike);
return (i);
}
int main (int argc, char **argv) {
struct spike * spike_instance;
int port;
char *host;
char buffer[1500000];
/* Get some parameters */
if (argc != 3) {
printf("Usage: ./lighttpd_fuzz <host> <port>\n");
exit(2);
}
host = argv[1];
port = atoi(argv[2]);
if (port < 1) {
fprintf(stderr, "Invalid port %d, using default of 9999\n", port);
port = 9999;
}
/* Set up Spike */
spike_instance = new_spike();
if (spike_instance == NULL) {
fprintf(stderr, "Malloc failed trying to allocate a spike.\n");
exit(-1);
}
setspike(spike_instance);
/* Print something so it's clear that we've started */
printf("Spike initialized\n");
/* Initialize the fuzzing and reset the fuzz variables */
s_init_fuzzing();
s_resetfuzzvariable();
/* The original generic_send_tcp had some nice ways to shortcut
in to specific variables. I'm skipping that for now to better
learn how this works */
while (!s_didlastvariable()) {
s_resetfuzzstring();
while(!s_didlastfuzzstring()) {
spike_clear();
/* Connect via TCP */
spike_connect_tcp(host, port);
if (spike_send() < 0) {
fprintf(stderr, "Could not send data \n");
}
/* Do some stuff: This is the core commands of the fuzz script */
s_readline(); //print received line from server
s_string("GET ");
s_string_variable("/cgi.pl");
s_string(" HTTP/1.0");
s_string("\n");
s_string_variable("COMMAND"); //send fuzzed string
spike_close_tcp();
//printf("%s", s_get_databuf());
/*see, the thing is that the spike is not guaranteed to be
null terminated, so just a plain printf on the
s_get_databuf() is ill-advised.*/
memset(buffer,0x00,sizeof(buffer));
if (s_get_size()>2500)
memcpy(buffer,s_get_databuf(),2500);
else
memcpy(buffer,s_get_databuf(),s_get_size());
printf("Request:\n%.2500s\nEndRequest\n",buffer);
s_incrementfuzzstring();
} /* while !s_didlastfuzzstring() */
s_incrementfuzzvariable();
} /* while !s_didlastvariable() */
return 0;
}
int
main (int argc, char **argv)
{
char *target;
char buffer[1500000];
int port;
unsigned char *user, *domain;
unsigned char *password;
if (argc != 6)
{
usage ();
}
target = argv[1];
printf ("Target is %s\r\n", argv[1]);
port = atoi (argv[2]);
our_spike = new_spike ();
s_init_fuzzing ();
/*sheesh. */
signal (SIGPIPE, SIG_IGN);
if (our_spike == NULL)
{
fprintf (stderr, "Malloc failed trying to allocate a spike.\r\n");
exit (-1);
}
setspike (our_spike);
host = strdup ("localhost");
/*url=strdup("/iisadmin/iis.asp"); */
url = strdup (argv[5]);
memset (buffer, 0x41, sizeof (buffer));
buffer[sizeof (buffer)] = 0;
buffer[140000] = 0;
user = strdup (argv[3]);
domain = NULL; /*set domain with user@domain */
password = strdup (argv[4]);
s_resetfuzzvariable ();
while (!s_didlastvariable ())
{
s_resetfuzzstring ();
/*zeroth fuzz string is no change */
while (!s_didlastfuzzstring ())
{
spike_clear ();
spike_connect_tcp (target, port);
printf ("Connected.\n");
memset(buffer,0x00,sizeof(buffer));
printf("Getting page %s as %s:%s@%s\n",url,user,password,domain);
if (!get_ntlm_page (url, user, password, domain, buffer))
printf ("Couldn't get ntlm page\n");
else
{
printf ("Reponse: %s\n", buffer);
printf ("\nEnd of response\n");
}
printf("Closing socket\n");
spike_close_tcp ();
// sleep(5);
s_incrementfuzzstring();
}
s_incrementfuzzvariable();
}
return 0;
}
int
main (int argc, char ** argv)
{
int first;
char * target;
char buffer[150000];
char requestbuffer[150000];
int port;
char * file;
char * directory;
struct spike * our_spike;
unsigned long retval;
int notfin;
char * extention;
char * method;
int firstfuzz;
int fuzzvarnum,fuzzstrnum; /*for fuzz variable count*/
int SKIPVARIABLES,SKIPFUZZSTR;
if (argc!=9)
{
usage();
}
target=argv[1];
printf("Target is %s\r\n",argv[1]);
port=atoi(argv[2]);
method = argv[3];
directory = argv [4];
file = argv[5];
extention=argv[6];
SKIPVARIABLES=atoi(argv[7]);
SKIPFUZZSTR=atoi(argv[8]);
fuzzvarnum=0;
fuzzstrnum=0;
our_spike=new_spike();
s_init_fuzzing();
/*sheesh.*/
signal(SIGPIPE,SIG_IGN);
if (our_spike==NULL)
{
fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
exit(-1);
}
setspike(our_spike);
/*during s_variable push, if fuzzstring is == currentfuzzstring
then set didlastfuzzstring. If fuzzvariable is == current
variable, set didlastfuzzvariable*/
/*zeroth fuzz variable is first variable*/
s_resetfuzzvariable();
/*
fuzzvarnum=0;
fuzzstrnum=0;
*/
firstfuzz=1;
while (!s_didlastvariable())
{
s_resetfuzzstring();
/*zeroth fuzz string is no change*/
if (firstfuzz)
{
/*zeroth fuzz string is no change*/
/*see below for why we have this if statement and loop*/
if (fuzzvarnum<SKIPVARIABLES )
{
for (fuzzvarnum=0; fuzzvarnum<SKIPVARIABLES; fuzzvarnum++)
{
s_incrementfuzzvariable();
}
}
/*here is another part of where we implement the ability to jump to a particular
place in the fuzzing*/
if (fuzzstrnum<SKIPFUZZSTR)
{
for (fuzzstrnum=0; fuzzstrnum<SKIPFUZZSTR; fuzzstrnum++)
{
s_incrementfuzzstring();
}
}
firstfuzz=0;
}
else
{
/*we reset this here so every new variable gets a new count*/
fuzzstrnum=0;
}
while(!s_didlastfuzzstring())
{
printf("Fuzzing Variable %d:%d\n",fuzzvarnum,fuzzstrnum);
spike_clear();
/*reset this*/
/*controls when we put an ampersand or not*/
s_setfirstvariable();
s_string_variable(method);
s_string(" ");
s_string(directory);
s_string_variable(file);
s_string(extention);
/*url arguments*/
#ifdef USEARGS
s_string("?");
s_string_variable("View");
s_string_variable("=");
s_string_variable("Logon");
#endif
#ifdef RTSP
s_string(" RTSP/1.0");
#else
s_string(" HTTP/1.1");
#endif
s_string_variable("");
s_string("\r\n");
#ifdef RTSP
//a simple per-request sequence number
s_string("CSeq: ");
s_string_variable("1");
s_string("\r\n");
s_string("Session: ");
s_string_variable("260778254-1");
s_string("\r\n");
s_string("PlayerStats: ");
s_string_variable("Stat3");
s_string(":");
s_string_variable("331");
s_string("|");
s_string_variable("0");
s_string("|");
s_string_variable("STOP");
s_string("|");
s_string(";][");
s_string_variable("Stat4");
s_string(":");
s_string_variable("0");
s_string(" ");
s_string("0 0 0");
s_string("|");
s_string_variable("0");
s_string("|");
s_string_variable("0");
s_string("|");
s_string(" 0 2]\r\n");
#endif
#ifndef RTSP
s_string("Referer: http://localhost/");
s_string_variable("bob");
s_string("\r\n");
s_string("Content-Type: ");
s_string_variable("application/x-www-form-urlencoded");
#ifdef XML
s_string_variable("application/xml");
#endif
s_string("\r\n");
s_string("Connection: ");
s_string_variable("close");
#ifdef WEBDAV
s_string_variable("TE");
#endif
s_string("\r\n");
#ifdef WEBDAV
s_string("TE: ");
s_string_variable("trailers");
s_string("\r\n");
s_string("Depth: ");
s_string_variable("0");
s_string("\r\n");
#endif
//Cookie: JSESSIONID=2CB3ED5F0D71E3C6CD504705BAFD67E0.tomcatinstance1
s_string("Cookie: ");
#ifdef WEBADMIN
s_string_variable("User");
s_string("=");
s_string_variable("bob");
s_string("; Lang=");
s_string_variable("en");
s_string("; Theme=standard");
#endif
#ifdef TOMCAT
s_string_variable("JSESSIONID");
s_string("=");
s_string_variable("B3ED5F0D71E3C6CD504705BAFD67E0");
s_string(".");
s_string_variable("tomcatinstance1");
#endif
s_string("\r\n");
#ifdef BASIC_AUTH
s_string("Authorization: ");
s_string_variable("Basic");
s_string(" ");
s_string_variable("QWxhZGRpbjpvcGVuIHNlc2FtZQ");
s_string("==\r\n");
#endif
s_string("User-Agent: ");
s_string_variable("Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)");
s_string("\r\n");
s_string_variable("Variable");
s_string(": ");
s_string_variable("result");
s_string("\r\n");
s_string_variable("");
s_string("Host: ");
s_string_variable("localhost");
s_string("\r\n");
#endif
#ifdef BODY
s_string("Content-length: ");
s_string_variable("");
s_blocksize_unsigned_string_variable("post",7);
s_string("\r\n");
#endif
#ifdef RTSP
s_string("Accept: application/sdp");
#else
s_string("Accept: ");
s_string_variable("image/");
s_string_variable("gif");
s_string(", image/x-xbitmap, image/jpeg, image/pjpeg, image/png");
#endif
s_string("\r\n");
#ifdef RTSP
#ifdef RTSP_DESCRIBE
s_string("Bandwidth: ");
s_string_variable("393216");
s_string("\r\n");
s_string("ClientID: ");
s_string_variable("WinNT_5.1_6.0.11.868_RealPlayer_RN10PD_e-us_UNK");
s_string("\r\n");
s_string("RegionData: ");
s_string_variable("10034");
s_string("\r\n");
s_string("Require: ");
s_string_variable("com.real.retain-entity-for-setup");
s_string("\r\n");
s_string("SupportsMaximumASMBandwidth: ");
s_string_variable("1");
s_string("\r\n");
s_string("ClientChallenge: ");
s_string_variable("deee2996aca6c64db4ff59e0e3fb386f");
s_string("\r\n");
s_string("CompanyID: ");
s_string_variable("nB9UbGcLzuKoS++5MTGHIg");
s_string("==\r\n");
s_string("GUID: ");
s_string_variable("00000000-0000-0000-0000-000000000000");
s_string("\r\n");
s_string("Pragma: ");
s_string_variable("initiate-session");
s_string("\r\n");
#endif
#endif
#ifndef RTSP
s_string("Accept-Encoding: ");
s_string_variable("gzip");
s_string("\r\n");
s_string("Accept-Language: ");
s_string_variable("en");
s_string("\r\n");
s_string("Accept-Charset: ");
s_string_variable("iso-8859-1,*,utf-8");
s_string("\r\n");
#endif
s_string("\r\n");
/*Done with Headers*/
s_block_start("post");
/*begin POST block*/
s_setfirstvariable();
#ifdef BODY
s_string_variables('&',"User=bob&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n ");
#endif
#ifdef XML
s_string("<?xml version=\"1.0\"?>\n");
s_string("<g:searchrequest xmlns:g=\"DAV:\">\n");
s_string("<g:sql>\n");
s_string("SELECT \"DAV:");
s_string_variable("");
s_string("displayname\" from scope()\n");
s_string("</g:sql");
s_string_variable("");
s_string(">\n");
s_string("</g:searchrequest>");
#endif
/*
s_string("username="******"");
s_string_repeat("A",500);
*/
s_block_end("post");
/* Start webfuzzpostlude.c */
if (spike_send_tcp(target,port)==0)
{
/*this whole block is a bit wrong. Really we
need to exit or something.*/
printf("Couldn't connect to host or send data!\r\n");
spike_close_tcp();
if (fuzzstrnum==s_get_max_fuzzstring())
{
break;
}
fuzzstrnum++;
s_incrementfuzzstring();
//sleep(5);
continue;
}
/*see, the thing is that the spike is not guaranteed to be
null terminated, so just a plain printf on the
s_get_databuf() is ill-advised.*/
memset(requestbuffer,0x00,sizeof(requestbuffer));
if (s_get_size()>2500)
memcpy(requestbuffer,s_get_databuf(),2500);
else
{
memcpy(requestbuffer,s_get_databuf(),s_get_size());
}
/*here we print out our request*/
printf("Request:\n%.2500s\nEndRequest\n",requestbuffer);
first=1;
notfin=1;
retval=1;
printf("Response:\n");
while(retval && notfin)
{
memset(buffer,0x00,sizeof(buffer));
notfin=s_fd_wait();
notfin=s_fd_wait();
notfin=s_fd_wait();
if (!notfin)
{
printf("Server didn't answer in time limit\n");
break;
}
retval=read(our_spike->fd,buffer,2500);
if (first && (retval==-1 || retval==0) )
{
printf("***Server closed connection!\n");
fprintf(stderr,"Request: %s\n",requestbuffer);
fprintf(stderr,"***Server closed connection!\n");
break;
}
first=0;
if (retval)
{
if (strstr(buffer, "500 ok")
|| strstr(buffer,"Internal Server Error")
)
{
fprintf(stderr,"Request: %s\n",requestbuffer);
fprintf(stderr,"Response: %s\n",buffer);
}
printf("**%.500s**\n",buffer);
/*this is where you filter responses out that you don't want to bother seeing.*/
#if 0
/*don't print out 404 errors*/
if (!strstr(buffer,"404") && !strstr(buffer,"400 Bad Request") && !strstr(buffer,"check that it is entered correctly"))
break;
#endif
/*here we speed things up by no continuing to read past this dumb error message*/
/*do this same thing for any request that continues to slow you down and is non-interesting*/
if (strstr(buffer,"<TITLE>404"))
break;
if (strstr(buffer,"<TITLE>401"))
break;
if (strstr(buffer,"401 Access denied"))
break;
if (strstr(buffer,"Public: OPTIONS"))
break;
if (strstr(buffer,"Please do not alter this file"))
break;
if (strstr(buffer,"GIF89a"))
break;
if (strstr(buffer,"This object may be found <a HREF=\"localstart.asp\""))
break;
if (strstr(buffer,"home page, and then look for links to the information you want"))
break;
if(strstr(buffer,"Location: localstart.asp"))
break;
if (strstr(buffer,"This is the default page that appears on new AOLserver installations"))
break;
if (strstr(buffer,"This page intentionally left blank."))
break;
}
}/*end while read loop*/
printf("End response\n");
fuzzstrnum++;
s_incrementfuzzstring();
spike_close_tcp();
/*Use this for testing against netcat*/
/*
sleep(1);
*/
}/*end for each fuzz string*/
fuzzvarnum++;
s_incrementfuzzvariable();
}/*end for each variable*/
printf("Done.\n");
return 0;
} /*end program*/
