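/* Upper bound on the bytes of each generated request that are echoed to
 * stdout. It is also the copy length, so the preview can never run past
 * the part of `buffer` that was actually filled. */
enum { REQUEST_PREVIEW_LEN = 2500 };

/*
 * Entry point for the lighttpd fuzz driver.
 *
 * Walks every SPIKE fuzz variable and, for each, every fuzz string. On each
 * iteration it connects to <host>:<port>, assembles a GET request whose
 * path and trailing "COMMAND" component are fuzz variables, closes the
 * connection and echoes a bounded prefix of the assembled request.
 *
 * argv[1] is the host name, argv[2] the TCP port. A port that is not a
 * plain decimal number in 1..65535 falls back to 9999 (the original atoi()
 * path only caught values below 1; trailing junk was silently accepted).
 *
 * Returns 0 after the last fuzz variable. Exits with 2 on bad usage and
 * EXIT_FAILURE when the spike cannot be allocated.
 */
int main (int argc, char **argv) {
	/* Static rather than automatic: a 1.5 MB automatic array exceeds
	 * common default stack limits and would overflow the stack on entry. */
	static char buffer[1500000];
	struct spike * spike_instance;
	int port;
	long parsed_port;
	long request_len;
	char *host;
	char *end;

	/* Get some parameters */
	if (argc != 3) {
		printf("Usage: ./lighttpd_fuzz <host> <port>\n");
		exit(2);
	}

	host = argv[1];

	/* strtol instead of atoi so that trailing junk and out-of-range
	 * values are detected instead of being silently truncated to 0. */
	parsed_port = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || parsed_port < 1 || parsed_port > 65535) {
		fprintf(stderr, "Invalid port %s, using default of 9999\n", argv[2]);
		parsed_port = 9999;
	}
	port = (int)parsed_port;

	/* Set up Spike */
	spike_instance = new_spike();

	if (spike_instance == NULL) {
		fprintf(stderr, "Malloc failed trying to allocate a spike.\n");
		exit(EXIT_FAILURE);	/* -1 is not a portable exit status */
	}

	setspike(spike_instance);

	/* Print something so it's clear that we've started */
	printf("Spike initialized\n");

	/* Initialize the fuzzing and reset the fuzz variables */
	s_init_fuzzing();
	s_resetfuzzvariable();

	/* The original generic_send_tcp had some nice ways to shortcut
	   in to specific variables.  I'm skipping that for now to better
	   learn how this works */

	while (!s_didlastvariable()) {
		s_resetfuzzstring();

		while (!s_didlastfuzzstring()) {

			spike_clear();

			/* Connect via TCP. spike_connect_tcp's return value is not
			 * checked here, matching the original; a failed connect is
			 * reported by spike_send() below. */
			spike_connect_tcp(host, port);

			/* NOTE(review): spike_send() runs before the request is
			 * assembled by the s_string*() calls below, so that data is
			 * only ever echoed, never transmitted. Kept as written;
			 * confirm against generic_send_tcp whether the send belongs
			 * after s_string_variable("COMMAND"). */
			if (spike_send() < 0) {
				fprintf(stderr, "Could not send data \n");
			}

			/* Do some stuff: This is the core commands of the fuzz script */

			s_readline(); /* print received line from server */
			s_string("GET ");
			s_string_variable("/cgi.pl");
			s_string(" HTTP/1.0");
			s_string("\n");
			s_string_variable("COMMAND"); /* send fuzzed string */

			spike_close_tcp();

			/* The spike's data buffer is not guaranteed to be NUL
			 * terminated, so a plain printf on s_get_databuf() is
			 * ill-advised: copy a bounded prefix into a zeroed buffer. */
			memset(buffer, 0x00, sizeof(buffer));
			/* NOTE(review): s_get_size() is assumed to return a signed
			 * byte count; the < 0 guard is defensive so a negative value
			 * can never reach memcpy as a huge size_t. */
			request_len = s_get_size();
			if (request_len < 0)
				request_len = 0;
			if (request_len > REQUEST_PREVIEW_LEN)
				request_len = REQUEST_PREVIEW_LEN;
			memcpy(buffer, s_get_databuf(), (size_t)request_len);

			/* %.*s ties the printed length to the same constant as the copy */
			printf("Request:\n%.*s\nEndRequest\n", REQUEST_PREVIEW_LEN, buffer);

			s_incrementfuzzstring();
		} /* while !s_didlastfuzzstring() */

		s_incrementfuzzvariable();
	} /* while !s_didlastvariable() */

	return 0;
}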
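/*
 * Entry point for the NTLM page fuzzer.
 *
 * For every SPIKE fuzz variable and fuzz string it connects to
 * <target>:<port>, fetches <url> through get_ntlm_page() with the supplied
 * credentials, prints the response and closes the connection.
 *
 * argv: <target> <port> <user> <password> <url>. The globals our_spike,
 * host and url are defined elsewhere in this file.
 *
 * Returns 0 after the last fuzz variable. Exits with EXIT_FAILURE on bad
 * usage, an invalid port, or an allocation failure.
 */
int
main (int argc, char **argv)
{
  /* 1.5 MB is far too large for an automatic array; keep it in static
   * storage so main's frame does not overflow the stack. */
  static char buffer[1500000];
  char *target;
  char *end;
  long parsed_port;
  int port;

  unsigned char *user, *domain;
  unsigned char *password;

  if (argc != 6)
    {
      usage ();
      /* Should usage() return instead of exiting, argv[3..5] below would
       * be read out of range, so never fall through. */
      exit (EXIT_FAILURE);
    }

  target = argv[1];
  printf ("Target is %s\r\n", argv[1]);

  /* strtol rather than atoi: reject trailing junk and out-of-range values
   * instead of silently trying to connect to port 0. */
  parsed_port = strtol (argv[2], &end, 10);
  if (end == argv[2] || *end != '\0' || parsed_port < 1 || parsed_port > 65535)
    {
      fprintf (stderr, "Invalid port: %s\r\n", argv[2]);
      exit (EXIT_FAILURE);
    }
  port = (int) parsed_port;

  our_spike = new_spike ();
  if (our_spike == NULL)
    {
      fprintf (stderr, "Malloc failed trying to allocate a spike.\r\n");
      exit (EXIT_FAILURE);	/* -1 is not a portable exit status */
    }

  s_init_fuzzing ();
  /* A peer that closes mid-write must surface as an error return, not
   * kill the whole fuzz run with SIGPIPE. */
  signal (SIGPIPE, SIG_IGN);

  setspike (our_spike);
  host = strdup ("localhost");
  /*url=strdup("/iisadmin/iis.asp"); */
  url = strdup (argv[5]);

  user = (unsigned char *) strdup (argv[3]);
  domain = NULL;		/*set domain with user@domain */
  password = (unsigned char *) strdup (argv[4]);

  /* strdup allocates and can fail; the original never checked. */
  if (host == NULL || url == NULL || user == NULL || password == NULL)
    {
      fprintf (stderr, "Malloc failed copying arguments.\r\n");
      exit (EXIT_FAILURE);
    }

  /* The original pre-filled buffer with 0x41 and wrote
   * buffer[sizeof (buffer)] = 0, one element past the end (undefined
   * behaviour). Both were dead anyway: the loop zeroes the whole buffer
   * before every use. */

  s_resetfuzzvariable ();
  while (!s_didlastvariable ())
    {
      s_resetfuzzstring ();
      /*zeroth fuzz string is no change */

      while (!s_didlastfuzzstring ())
	{
	  spike_clear ();
	  spike_connect_tcp (target, port);
	  printf ("Connected.\n");
	  memset (buffer, 0x00, sizeof (buffer));

	  /* domain is NULL unless set above; passing NULL to %s is undefined,
	   * so substitute a marker. The password is deliberately not echoed:
	   * it is a command-line credential and would otherwise land in every
	   * captured log of a fuzz run. */
	  printf ("Getting page %s as %s@%s\n", url, user,
		  domain ? (char *) domain : "(no domain)");
	  if (!get_ntlm_page (url, user, password, domain, buffer))
	    printf ("Couldn't get ntlm page\n");
	  else
	    {
	      printf ("Response: %s\n", buffer);
	      printf ("\nEnd of response\n");
	    }
	  printf ("Closing socket\n");
	  spike_close_tcp ();

	  s_incrementfuzzstring ();
	}
      s_incrementfuzzvariable ();
    }

  free (password);
  free (user);
  free (url);
  free (host);
  return 0;
}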