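/*
 * Entry point for a SPIKE-driven HTTP request harness.
 *
 * Usage: ./lighttpd_fuzz <host> <port>
 *
 * For every SPIKE fuzz variable, and for every fuzz string of that
 * variable, the loop below connects to host:port, runs the s_* calls that
 * make up the script, closes the connection and echoes a bounded prefix of
 * the SPIKE data buffer to stdout.
 *
 * Returns 0 on normal completion. Exits with status 2 on bad usage and
 * with EXIT_FAILURE when no spike could be allocated.
 */
int main(int argc, char **argv)
{
    /* Upper bound on the number of data-buffer bytes echoed to stdout. */
    enum { RESP_PRINT_MAX = 2500 };
    /* Highest valid TCP port number. */
    enum { PORT_MAX = 65535 };

    /* The SPIKE data buffer is not guaranteed to be NUL-terminated, so a
     * prefix is copied into this zeroed scratch buffer before printing.
     * Only RESP_PRINT_MAX bytes are ever copied, so the buffer need not be
     * larger than that (the original reserved 1.5 MB of stack for it). */
    char buffer[RESP_PRINT_MAX + 1];

    if (argc != 3) {
        printf("Usage: ./lighttpd_fuzz <host> <port>\n");
        exit(2);
    }
    char *host = argv[1];

    /* Parse the port with strtol() so garbage and out-of-range values are
     * detected; atoi() would silently return 0 or an overflowed value. */
    char *end = NULL;
    long parsed = strtol(argv[2], &end, 10);
    int port;
    if (end == argv[2] || *end != '\0' || parsed < 1 || parsed > PORT_MAX) {
        fprintf(stderr, "Invalid port %s, using default of 9999\n", argv[2]);
        port = 9999;
    } else {
        port = (int)parsed;
    }

    /* Set up SPIKE. */
    struct spike *spike_instance = new_spike();
    if (spike_instance == NULL) {
        fprintf(stderr, "Malloc failed trying to allocate a spike.\n");
        exit(EXIT_FAILURE);
    }
    setspike(spike_instance);

    /* Print something so it's clear that we've started. */
    printf("Spike initialized\n");

    /* Initialize the fuzzing state and reset the fuzz variables. */
    s_init_fuzzing();
    s_resetfuzzvariable();

    /* The original generic_send_tcp had some nice ways to shortcut in to
     * specific variables. That is skipped here. */
    while (!s_didlastvariable()) {
        s_resetfuzzstring();
        while (!s_didlastfuzzstring()) {
            spike_clear();

            /* Connect via TCP. The return-value convention of
             * spike_connect_tcp() is not visible here — TODO confirm it
             * and skip the iteration when the connection fails. */
            spike_connect_tcp(host, port);
            if (spike_send() < 0) {
                fprintf(stderr, "Could not send data \n");
            }

            /* Core commands of the script. NOTE(review): these s_* calls
             * run after the spike_send() above and no further send is
             * visible before spike_close_tcp(); verify that ordering is
             * what is intended. */
            s_readline();                   /* print received line from server */
            s_string("GET ");
            s_string_variable("/cgi.pl");
            s_string(" HTTP/1.0");
            s_string("\n");
            s_string_variable("COMMAND");   /* fuzzed string */
            spike_close_tcp();

            /* Echo at most RESP_PRINT_MAX bytes of the data buffer through a
             * NUL-terminated copy; a plain printf("%s") on s_get_databuf()
             * would be ill-advised because it may lack a terminator. A
             * negative s_get_size() (type not visible here) would wrap to a
             * huge size_t and is therefore clamped like any oversize value. */
            size_t avail = (size_t)s_get_size();
            size_t ncopy = avail > RESP_PRINT_MAX ? RESP_PRINT_MAX : avail;
            memset(buffer, 0x00, sizeof buffer);
            memcpy(buffer, s_get_databuf(), ncopy);
            printf("Request:\n%.*s\nEndRequest\n", (int)RESP_PRINT_MAX, buffer);

            s_incrementfuzzstring();
        } /* while !s_didlastfuzzstring() */
        s_incrementfuzzvariable();
    } /* while !s_didlastvariable() */

    return 0;
}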
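/*
 * Entry point for a SPIKE-driven NTLM page-fetch harness.
 *
 * Expects five arguments: argv[1] target host, argv[2] port, argv[3] user,
 * argv[4] password, argv[5] URL path; usage() is called otherwise. For
 * every SPIKE fuzz variable/fuzz string pair it connects to the target,
 * fetches the page via get_ntlm_page() and prints the response.
 *
 * Writes the file-scope globals our_spike, host and url (declared
 * elsewhere in this file).
 *
 * Returns 0 on completion; exits with status 2 on bad usage and with a
 * non-zero status on allocation failure.
 */
int main(int argc, char **argv)
{
    /* Highest valid TCP port number. */
    enum { PORT_MAX = 65535 };

    /* Response buffer handed to get_ntlm_page(). Static so the 1.5 MB does
     * not live on the stack. Its size is not passed to get_ntlm_page() —
     * TODO confirm the callee bounds its writes to this buffer. */
    static char buffer[1500000];
    char *target;
    int port;
    unsigned char *user;
    unsigned char *domain;
    unsigned char *password;

    if (argc != 6) {
        usage();
        /* Whether usage() exits is not visible here; never fall through to
         * reading argv[2]..argv[5] that do not exist. */
        exit(2);
    }
    target = argv[1];
    printf("Target is %s\r\n", argv[1]);

    /* Parse the port with strtol() so garbage and out-of-range values are
     * rejected instead of silently becoming 0 via atoi(). */
    char *end = NULL;
    long parsed = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || parsed < 1 || parsed > PORT_MAX) {
        fprintf(stderr, "Invalid port %s\r\n", argv[2]);
        exit(2);
    }
    port = (int)parsed;

    our_spike = new_spike();
    s_init_fuzzing();
    /* A peer closing the socket mid-write must not kill the process. */
    signal(SIGPIPE, SIG_IGN);
    if (our_spike == NULL) {
        fprintf(stderr, "Malloc failed trying to allocate a spike.\r\n");
        exit(-1);
    }
    setspike(our_spike);

    host = strdup("localhost");
    /* url = strdup("/iisadmin/iis.asp"); */
    url = strdup(argv[5]);
    user = (unsigned char *)strdup(argv[3]);
    domain = NULL;   /* set domain with user@domain */
    password = (unsigned char *)strdup(argv[4]);
    if (host == NULL || url == NULL || user == NULL || password == NULL) {
        fprintf(stderr, "Malloc failed copying arguments.\r\n");
        exit(-1);
    }

    /* The original pre-filled buffer with 0x41 and then wrote
     * buffer[sizeof(buffer)] = 0, one byte past the end. The fill was dead
     * anyway: the loop below zeroes the buffer before every use. */

    s_resetfuzzvariable();
    while (!s_didlastvariable()) {
        s_resetfuzzstring();   /* zeroth fuzz string is no change */
        while (!s_didlastfuzzstring()) {
            spike_clear();
            /* Return-value convention of spike_connect_tcp() is not visible
             * here — TODO confirm and skip the iteration on failure. */
            spike_connect_tcp(target, port);
            printf("Connected.\n");
            memset(buffer, 0x00, sizeof buffer);

            /* The password is deliberately not echoed: stdout is commonly
             * captured into logs. domain may be NULL, which %s must not
             * receive (undefined behavior), so substitute a placeholder. */
            printf("Getting page %s as %s:***@%s\n", url, (const char *)user,
                   domain != NULL ? (const char *)domain : "(null)");

            if (!get_ntlm_page(url, user, password, domain, buffer)) {
                printf("Couldn't get ntlm page\n");
            } else {
                /* Guarantee termination even if the callee filled the
                 * whole buffer without a NUL. */
                buffer[sizeof buffer - 1] = '\0';
                printf("Reponse: %s\n", buffer);
                printf("\nEnd of response\n");
            }

            printf("Closing socket\n");
            spike_close_tcp();
            /* sleep(5); */
            s_incrementfuzzstring();
        }
        s_incrementfuzzvariable();
    }

    return 0;
}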