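/// Exception-safe variant of the classic "leak on throw" example.
///
/// The scratch buffer is owned by a std::unique_ptr, so it is released on
/// both exits of the function: the normal return (x == 0) and the unwinding
/// caused by the throw (x != 0).  The original paired a raw `new char[1024]`
/// with a `delete []` placed after the throw, so the buffer was lost whenever
/// the exception fired; `s_string` was always fine because std::string is
/// already RAII.
///
/// @param x  non-zero selects the failure path.
/// @throws std::runtime_error("boom") when x != 0.
void func( int x )
{
    auto scratch = std::make_unique<char[]>( 1024 );  // freed by the destructor on every path
    std::string s_string( "hello world" );            // destroyed during unwinding as before
    if ( x )
        throw std::runtime_error( "boom" );
    // x == 0: normal return; scratch and s_string go out of scope here.
}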
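/*
 * Entry point for a SPIKE listener-side fuzzer.  It listens on the port
 * given in argv[1] and, for every fuzz variable / fuzz string pair, accepts
 * one client, reads its request and answers with a tab-separated menu line
 * (the fuzzed position sits in the selector field) followed by the ".\r\n"
 * terminator.
 *
 * argv[1]: TCP port to listen on (1..65535).
 * Returns 0 once every fuzz variable is exhausted.  Argument, port and listen
 * errors go through usage(), which is assumed not to return (argv[1] is
 * dereferenced unconditionally after it); allocation failure exits with -1.
 *
 * our_spike is a file-scope variable defined outside this function.
 */
int main (int argc, char ** argv)
{
  int port;
  int result, listenfd, acceptfd;

  if (argc != 2) {
    usage();
  }
  port = atoi(argv[1]);
  /* atoi() yields 0 on garbage and performs no range check; fail early
     instead of letting make_tcp_listener() report a confusing error. */
  if (port <= 0 || port > 65535) {
    printf("Invalid port: %d\n", port);
    usage();
  }

  our_spike = new_spike();
  if (our_spike == NULL) {
    fprintf(stderr, "Malloc failed trying to allocate a spike.\r\n");
    exit(-1);
  }
  setspike(our_spike);

  result = make_tcp_listener(port, &listenfd);
  if (result != 1) {
    printf("Failed to listen on that port: %d\n", port);
    usage();
  }

  /* very important line. don't forget it */
  s_init_fuzzing();
  /* zeroth fuzz variable is first variable */
  s_resetfuzzvariable();

  while (!s_didlastvariable()) {
    s_resetfuzzstring();
    /* zeroth fuzz string is no change */
    while (!s_didlastfuzzstring()) {
      spike_clear();

      /* now loop on connections to that port */
      acceptfd = s_tcp_accept(listenfd);
      if (acceptfd == -1) {
        printf("Accept failed for some reason!\n");
        /* NOTE(review): this retries the same fuzz string; if s_tcp_accept()
           can fail permanently this loop never advances -- confirm. */
        continue;
      }

      /* change any of the s_string's into s_string_variable for extra fun */
      s_read_packet();            /* read a 0d 0a */
      s_string("2");              /* EDIT THIS */
      /* s_string_variable(""); */
      s_string_repeat("asdf", 5);
      s_string("\t");
      s_string("2");              /* AND THIS */
      s_string("/");
      s_string_repeat("asdf", 5);
      s_string_variable("");      /* the fuzzed position */
      s_string("\t");
      s_string("localhost");
      s_string(".");
      s_string("localdomain");
      s_string(".");
      s_string("com");
      s_string("\t");
      s_string("70");
      s_string("\t");
      s_string("-");
      s_string("\r\n");
      s_string(".\r\n");

      if (spike_send() < 0) {
        printf("Couldn't send data!\r\n");
        spike_close_tcp();
        /* NOTE(review): same as the accept path -- the fuzz string is not
           advanced on a send failure. */
        continue;
      }
      spike_close_tcp();
      s_incrementfuzzstring();
    }
    s_incrementfuzzvariable();
  } /* end for each variable */
  printf("Done.\n");
  return 0;
} /* end program */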
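/*
 * Entry point for a SPIKE-driven HTTP fuzzer aimed at a single host:port.
 * For every fuzz variable and every fuzz string it connects, builds one
 * "GET <path> HTTP/1.0" request with two s_string_variable() positions,
 * prints the first 2500 bytes of the request buffer and moves on.
 *
 * argv[1]: host to connect to.
 * argv[2]: TCP port; anything outside 1..65535 falls back to 9999.
 * Returns 0 when every fuzz variable has been exhausted; exits with 2 on a
 * usage error and with -1 when new_spike() fails.
 */
int main (int argc, char **argv)
{
  struct spike * spike_instance;
  int port;
  char *host;
  /* static: 1.5 MB is too much to risk on the stack, and main runs once. */
  static char buffer[1500000];

  /* Get some parameters */
  if (argc != 3) {
    printf("Usage: ./lighttpd_fuzz <host> <port>\n");
    exit(2);
  }
  host = argv[1];
  port = atoi(argv[2]);
  /* atoi() returns 0 on garbage; also reject values above the TCP port
     range, which the original "port < 1" check let through. */
  if (port < 1 || port > 65535) {
    fprintf(stderr, "Invalid port %d, using default of 9999\n", port);
    port = 9999;
  }

  /* Set up Spike */
  spike_instance = new_spike();
  if (spike_instance == NULL) {
    fprintf(stderr, "Malloc failed trying to allocate a spike.\n");
    exit(-1);
  }
  setspike(spike_instance);

  /* Print something so it's clear that we've started */
  printf("Spike initialized\n");

  /* Initialize the fuzzing and reset the fuzz variables */
  s_init_fuzzing();
  s_resetfuzzvariable();

  /* The original generic_send_tcp had some nice ways to shortcut in to
     specific variables. I'm skipping that for now to better learn how this
     works */
  while (!s_didlastvariable()) {
    s_resetfuzzstring();
    while (!s_didlastfuzzstring()) {
      spike_clear();

      /* Connect via TCP.
         NOTE(review): the connect result is not checked, and spike_send()
         runs before any s_string() call below has put data in the buffer,
         so what goes on the wire here is whatever spike_clear() left behind.
         Confirm against the SPIKE API whether the request built below is
         ever sent; if not, the send belongs after s_string_variable("COMMAND"). */
      spike_connect_tcp(host, port);
      if (spike_send() < 0) {
        fprintf(stderr, "Could not send data \n");
      }

      /* Do some stuff: This is the core commands of the fuzz script */
      s_readline();                    /* print received line from server */
      s_string("GET ");
      s_string_variable("/cgi.pl");    /* fuzzed position: the request path */
      s_string(" HTTP/1.0");
      s_string("\n");
      s_string_variable("COMMAND");    /* fuzzed position: trailing token */
      spike_close_tcp();

      /* printf("%s", s_get_databuf()); */
      /* see, the thing is that the spike is not guaranteed to be null
         terminated, so just a plain printf on the s_get_databuf() is
         ill-advised. */
      memset(buffer, 0x00, sizeof(buffer));
      if (s_get_size() > 2500)
        memcpy(buffer, s_get_databuf(), 2500);
      else
        memcpy(buffer, s_get_databuf(), s_get_size());
      printf("Request:\n%.2500s\nEndRequest\n", buffer);

      s_incrementfuzzstring();
    } /* while !s_didlastfuzzstring() */
    s_incrementfuzzvariable();
  } /* while !s_didlastvariable() */
  return 0;
}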
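/*
 * Build one HTTP request that carries "Authorization: NTLM <packet>" and
 * send it on the current spike.
 *
 * Uses the file-scope url and host values (defined outside this function)
 * for the request line and Host header.  The body comes from do_body() and
 * is wrapped in a "post" block so that s_blocksize_string() can fill in the
 * Content-Length field.
 *
 * packet: NUL-terminated text appended verbatim after "Authorization: NTLM "
 *         (presumably already base64-encoded by the caller; not checked here).
 * method: HTTP method for the request line.
 * Returns 1 when spike_send() reported success, 0 otherwise.
 */
int send_ntlm_packet (unsigned char *packet, char *method)
{
  /* takes a url, host, and posts it */
  s_string (method);
  s_string (" ");
  s_string (url);
  s_string (" HTTP/1.1\r\n");
  s_string ("Host: ");
  s_string (host);
  /* s_string ("localhost"); */
  s_string ("\r\n");
  s_string ("Authorization: NTLM ");
  s_string (packet);
  s_string ("\r\n");
  s_string ("Connection: Keep-Alive\r\n");
  /* s_string ("User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n"); */
  s_string ("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n");
  /* s_string ("Accept-Encoding: \r\n"); */
  s_string ("Accept-Language: en\r\n");
  s_string ("Accept-Charset: iso-8859-1,*,utf-8\r\n");
  s_string ("Content-Type: application/x-www-form-urlencoded\r\n");
  s_string ("Content-Length: ");
  s_blocksize_string ("post", 7);
  s_string ("\r\n\r\n");
  s_block_start ("post");
  do_body ();   /* here is the magic body */
  s_block_end ("post");

  /* NOTE(review): a return of 0 is treated as failure here, while the other
     SPIKE scripts on this page test spike_send() < 0 -- confirm the
     convention before relying on this path. */
  if (spike_send () == 0) {
    printf ("Couldn't connect to host or send data!\r\n");
    return 0;
  }
  /* The spike buffer is not guaranteed to be NUL-terminated (the sibling
     scripts say so explicitly), so the original "%s" could run past the end
     of the data; bound the print by the buffer's recorded size instead. */
  printf ("sent: \n%.*s\n", (int) s_get_size (), (const char *) s_get_databuf ());
  return 1;
}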
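/*
 * Entry point: sends one hand-built HTTP POST to target:port over a SPIKE
 * connection, then echoes whatever the server returns until the connection
 * is closed or read() fails.
 *
 * argv[1]: target host.
 * argv[2]: TCP port (1..65535).
 * argv[3]: required by the argument count check but otherwise unused.
 * Returns 0 after the response has been drained; exits with -1 when the
 * spike cannot be allocated or the request cannot be sent.  usage() is
 * assumed not to return, since argv[1..2] are used unconditionally after it.
 */
int main (int argc, char ** argv)
{
  char * target;
  /* 1.5 MB is too much to risk on the stack; main runs once, so static is safe. */
  static char buffer[1500000];
  char *url, *host;
  int port;
  struct spike * our_spike;
  ssize_t retval;   /* read() returns ssize_t; the original unsigned long turned -1 into an endless loop */
  int i;

  if (argc != 4) {
    usage();
  }
  target = argv[1];
  printf("Target is %s\r\n", argv[1]);
  port = atoi(argv[2]);
  /* atoi() yields 0 on garbage and performs no range check. */
  if (port <= 0 || port > 65535) {
    printf("Invalid port: %d\r\n", port);
    usage();
  }
  /* argv[3] is not used; the original copied it into a local that was never read. */

  our_spike = new_spike();
  if (our_spike == NULL) {
    fprintf(stderr, "Malloc failed trying to allocate a spike.\r\n");
    exit(-1);
  }
  setspike(our_spike);

  /* Fill the scratch buffer with 'A's and terminate it inside the array:
     the original wrote buffer[sizeof(buffer)], one byte past the end. */
  memset(buffer, 0x41, sizeof(buffer));
  buffer[sizeof(buffer) - 1] = 0;
  for (i = 0; i < 500; i += 4) {
    memcpy(buffer + i, "%25s", 4);
  }
  /* Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,
     PROPPATCH, SEARCH, SUBSCRIBE, UNSUBSCRIBE, POLL, BDELETE, BCOPY, BMOVE,
     BPROPPATCH, BPROPFIND, LOCK, UNLOCK */
  buffer[140000] = 0;
  /* strlen() returns size_t; printing it with "%d" was undefined behaviour. */
  printf("Buffer size = %lu\r\n", (unsigned long) strlen(buffer));
  /* NOTE(review): the scratch buffer is never added to the spike -- the
     "post" block below is empty -- so it only feeds the size message above
     and is reused for the response below. */

  host = strdup("target.com");
  url = strdup("/bob.jsp");

  /* takes a url, host, and posts it */
  s_string("POST ");
  s_string(url);
  /* s_string_repeat("%n",15000); */
  s_string(" HTTP/1.1\r\n");
  s_string("Host: ");
  s_string(host);
  s_string("\r\n");
  s_string("Authorization: Basic AWa1aaaabraaaaaaZaNz\r\n");
  s_string("Cookie: WebLogicSession=O41clZpkwpdYKbR0V3j37TOo4wjw9Pv7Qiswl3eZH3ZjxBYs2qxk|-6489024939146873433/-1408236330/6/7001/7001/7002/7002/7001/-1|659794130148480037/-1408236350/6/7001/7001/7002/7002/7001/-1\r\n");
  s_string("Referer: http://target.com/emailafriend.jsp\r\n");
  s_string("Content-type: application/x-www-form-urlencoded\r\n");
  s_string("Connection: Keep-Alive\r\n");
  s_string("User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n");
  s_string("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n");
  s_string("Accept-Encoding: gzip\r\n");
  s_string("Accept-Language: en\r\n");
  s_string("Accept-Charset: iso-8859-1,*,utf-8\r\n");
  s_string("Content-length: ");
  s_blocksize_string("post", 7);   /* Content-length is filled from the size of the "post" block */
  s_string("\r\n\r\n");
  s_block_start("post");           /* start post here */
  /* END OF POST */
  s_block_end("post");
  /* s_print_buffer(); s_printf_buffer(); */

  printf("Sending to %s on port %d\r\n", target, port);
  if (spike_send_tcp(target, port) < 0) {
    printf("Couldn't connect to host or send data!\r\n");
    free(host);
    free(url);
    exit(-1);
  }
  printf("sleeping\r\n");
  sleep(2);
  printf("reading\r\n");

  /* Drain the response 2500 bytes at a time.  The buffer is zeroed before
     each read, so "%s" stops at the end of the data.  Stop on EOF (0) and on
     error (-1); the original's unsigned counter never left the loop on -1. */
  retval = 1;
  while (retval > 0) {
    memset(buffer, 0x00, sizeof(buffer));
    retval = read(our_spike->fd, buffer, 2500);
    if (retval > 0) {
      printf("%s", buffer);
      sleep(2);
    }
  }
  free(host);
  free(url);
  return 0;
}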
/*
 * Entry point of the SPIKE web fuzzer.  Every fuzzable field of one HTTP
 * (or, with -DRTSP, RTSP) request is marked with s_string_variable(); the
 * outer loop walks those variables, the inner loop walks the fuzz strings
 * for the current one, and each iteration sends one request and prints the
 * beginning of the reply.
 *
 * argv[1] target host        argv[2] port          argv[3] method
 * argv[4] directory          argv[5] file          argv[6] extension
 * argv[7] fuzz variables to skip                   argv[8] fuzz strings to skip
 * (argv[7]/argv[8] let a run resume where an earlier one stopped; neither
 * value is range-checked, nor is the port.)
 *
 * Returns 0 when all variables are exhausted.  usage() is assumed not to
 * return, since argv[1..8] are used unconditionally after it.
 *
 * Compile-time switches used below: USEARGS, RTSP, RTSP_DESCRIBE, XML,
 * WEBDAV, WEBADMIN, TOMCAT, BASIC_AUTH, BODY.
 */
int main (int argc, char ** argv)
{
  int first;
  char * target;
  char buffer[150000];          /* response chunks; 2500 bytes read at a time */
  char requestbuffer[150000];   /* copy of the request for printing / error reports */
  int port;
  char * file;
  char * directory;
  struct spike * our_spike;
  unsigned long retval;         /* NOTE(review): holds read()'s ssize_t; -1 compares equal below
                                   only because both sides convert to ULONG_MAX */
  int notfin;
  char * extention;
  char * method;
  int firstfuzz;
  int fuzzvarnum,fuzzstrnum;    /* for fuzz variable count */
  int SKIPVARIABLES,SKIPFUZZSTR;

  if (argc!=9) { usage(); }
  target=argv[1];
  printf("Target is %s\r\n",argv[1]);
  port=atoi(argv[2]);
  method = argv[3];
  directory = argv [4];
  file = argv[5];
  extention=argv[6];
  SKIPVARIABLES=atoi(argv[7]);
  SKIPFUZZSTR=atoi(argv[8]);
  fuzzvarnum=0;
  fuzzstrnum=0;
  our_spike=new_spike();
  s_init_fuzzing();
  /* sheesh. */
  /* A peer that closes mid-write would otherwise kill the process with
     SIGPIPE; ignoring it lets the write fail with an error instead. */
  signal(SIGPIPE,SIG_IGN);
  if (our_spike==NULL) {
    fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
    exit(-1);
  }
  setspike(our_spike);

  /* during s_variable push, if fuzzstring is == currentfuzzstring then set
     didlastfuzzstring. If fuzzvariable is == current variable, set
     didlastfuzzvariable */
  /* zeroth fuzz variable is first variable */
  s_resetfuzzvariable();
  /* fuzzvarnum=0; fuzzstrnum=0; */
  firstfuzz=1;
  while (!s_didlastvariable()) {
    s_resetfuzzstring();
    /* zeroth fuzz string is no change */
    if (firstfuzz) {
      /* zeroth fuzz string is no change */
      /* see below for why we have this if statement and loop */
      /* On the very first pass skip ahead to the requested variable /
         string so a run can resume; fuzzvarnum and fuzzstrnum end up equal
         to the skip counts and keep counting from there. */
      if (fuzzvarnum<SKIPVARIABLES ) {
        for (fuzzvarnum=0; fuzzvarnum<SKIPVARIABLES; fuzzvarnum++) {
          s_incrementfuzzvariable();
        }
      }
      /* here is another part of where we implement the ability to jump to a
         particular place in the fuzzing */
      if (fuzzstrnum<SKIPFUZZSTR) {
        for (fuzzstrnum=0; fuzzstrnum<SKIPFUZZSTR; fuzzstrnum++) {
          s_incrementfuzzstring();
        }
      }
      firstfuzz=0;
    } else {
      /* we reset this here so every new variable gets a new count */
      fuzzstrnum=0;
    }

    while(!s_didlastfuzzstring()) {
      printf("Fuzzing Variable %d:%d\n",fuzzvarnum,fuzzstrnum);
      spike_clear(); /* reset this */
      /* controls when we put an ampersand or not */
      s_setfirstvariable();

      /* ---- request line: method, directory, file, extension ---- */
      s_string_variable(method);
      s_string(" ");
      s_string(directory);
      s_string_variable(file);
      s_string(extention);
      /* url arguments */
#ifdef USEARGS
      s_string("?");
      s_string_variable("View");
      s_string_variable("=");
      s_string_variable("Logon");
#endif
#ifdef RTSP
      s_string(" RTSP/1.0");
#else
      s_string(" HTTP/1.1");
#endif
      s_string_variable("");
      s_string("\r\n");

      /* ---- headers ---- */
#ifdef RTSP
      /* a simple per-request sequence number */
      s_string("CSeq: ");
      s_string_variable("1");
      s_string("\r\n");
      s_string("Session: ");
      s_string_variable("260778254-1");
      s_string("\r\n");
      s_string("PlayerStats: ");
      s_string_variable("Stat3");
      s_string(":");
      s_string_variable("331");
      s_string("|");
      s_string_variable("0");
      s_string("|");
      s_string_variable("STOP");
      s_string("|");
      s_string(";][");
      s_string_variable("Stat4");
      s_string(":");
      s_string_variable("0");
      s_string(" ");
      s_string("0 0 0");
      s_string("|");
      s_string_variable("0");
      s_string("|");
      s_string_variable("0");
      s_string("|");
      s_string(" 0 2]\r\n");
#endif
#ifndef RTSP
      s_string("Referer: http://localhost/");
      s_string_variable("bob");
      s_string("\r\n");
      s_string("Content-Type: ");
      s_string_variable("application/x-www-form-urlencoded");
#ifdef XML
      s_string_variable("application/xml");
#endif
      s_string("\r\n");
      s_string("Connection: ");
      s_string_variable("close");
#ifdef WEBDAV
      s_string_variable("TE");
#endif
      s_string("\r\n");
#ifdef WEBDAV
      s_string("TE: ");
      s_string_variable("trailers");
      s_string("\r\n");
      s_string("Depth: ");
      s_string_variable("0");
      s_string("\r\n");
#endif
      /* Cookie: JSESSIONID=2CB3ED5F0D71E3C6CD504705BAFD67E0.tomcatinstance1 */
      s_string("Cookie: ");
#ifdef WEBADMIN
      s_string_variable("User");
      s_string("=");
      s_string_variable("bob");
      s_string("; Lang=");
      s_string_variable("en");
      s_string("; Theme=standard");
#endif
#ifdef TOMCAT
      s_string_variable("JSESSIONID");
      s_string("=");
      s_string_variable("B3ED5F0D71E3C6CD504705BAFD67E0");
      s_string(".");
      s_string_variable("tomcatinstance1");
#endif
      s_string("\r\n");
#ifdef BASIC_AUTH
      s_string("Authorization: ");
      s_string_variable("Basic");
      s_string(" ");
      s_string_variable("QWxhZGRpbjpvcGVuIHNlc2FtZQ");
      s_string("==\r\n");
#endif
      s_string("User-Agent: ");
      s_string_variable("Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)");
      s_string("\r\n");
      s_string_variable("Variable");
      s_string(": ");
      s_string_variable("result");
      s_string("\r\n");
      s_string_variable("");
      s_string("Host: ");
      s_string_variable("localhost");
      s_string("\r\n");
#endif
#ifdef BODY
      s_string("Content-length: ");
      s_string_variable("");
      s_blocksize_unsigned_string_variable("post",7);
      s_string("\r\n");
#endif
#ifdef RTSP
      s_string("Accept: application/sdp");
#else
      s_string("Accept: ");
      s_string_variable("image/");
      s_string_variable("gif");
      s_string(", image/x-xbitmap, image/jpeg, image/pjpeg, image/png");
#endif
      s_string("\r\n");
#ifdef RTSP
#ifdef RTSP_DESCRIBE
      s_string("Bandwidth: ");
      s_string_variable("393216");
      s_string("\r\n");
      s_string("ClientID: ");
      s_string_variable("WinNT_5.1_6.0.11.868_RealPlayer_RN10PD_e-us_UNK");
      s_string("\r\n");
      s_string("RegionData: ");
      s_string_variable("10034");
      s_string("\r\n");
      s_string("Require: ");
      s_string_variable("com.real.retain-entity-for-setup");
      s_string("\r\n");
      s_string("SupportsMaximumASMBandwidth: ");
      s_string_variable("1");
      s_string("\r\n");
      s_string("ClientChallenge: ");
      s_string_variable("deee2996aca6c64db4ff59e0e3fb386f");
      s_string("\r\n");
      s_string("CompanyID: ");
      s_string_variable("nB9UbGcLzuKoS++5MTGHIg");
      s_string("==\r\n");
      s_string("GUID: ");
      s_string_variable("00000000-0000-0000-0000-000000000000");
      s_string("\r\n");
      s_string("Pragma: ");
      s_string_variable("initiate-session");
      s_string("\r\n");
#endif
#endif
#ifndef RTSP
      s_string("Accept-Encoding: ");
      s_string_variable("gzip");
      s_string("\r\n");
      s_string("Accept-Language: ");
      s_string_variable("en");
      s_string("\r\n");
      s_string("Accept-Charset: ");
      s_string_variable("iso-8859-1,*,utf-8");
      s_string("\r\n");
#endif
      s_string("\r\n"); /* Done with Headers */

      /* ---- body: the "post" block whose size feeds Content-length ---- */
      s_block_start("post"); /* begin POST block */
      s_setfirstvariable();
#ifdef BODY
      s_string_variables('&',"User=bob&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n ");
#endif
#ifdef XML
      s_string("<?xml version=\"1.0\"?>\n");
      s_string("<g:searchrequest xmlns:g=\"DAV:\">\n");
      s_string("<g:sql>\n");
      s_string("SELECT \"DAV:");
      s_string_variable("");
      s_string("displayname\" from scope()\n");
      s_string("</g:sql");
      s_string_variable("");
      s_string(">\n");
      s_string("</g:searchrequest>");
#endif
      /* s_string("username="******""); s_string_repeat("A",500); */
      s_block_end("post");

      /* Start webfuzzpostlude.c */
      /* NOTE(review): 0 is treated as failure here, whereas the sibling
         script on this page tests spike_send_tcp() < 0 -- confirm which
         convention the library actually follows. */
      if (spike_send_tcp(target,port)==0) {
        /* this whole block is a bit wrong. Really we need to exit or something. */
        printf("Couldn't connect to host or send data!\r\n");
        spike_close_tcp();
        if (fuzzstrnum==s_get_max_fuzzstring()) {
          break;
        }
        fuzzstrnum++;
        s_incrementfuzzstring();
        /* sleep(5); */
        continue;
      }

      /* see, the thing is that the spike is not guaranteed to be null
         terminated, so just a plain printf on the s_get_databuf() is
         ill-advised. */
      memset(requestbuffer,0x00,sizeof(requestbuffer));
      if (s_get_size()>2500)
        memcpy(requestbuffer,s_get_databuf(),2500);
      else {
        memcpy(requestbuffer,s_get_databuf(),s_get_size());
      }
      /* here we print out our request */
      printf("Request:\n%.2500s\nEndRequest\n",requestbuffer);

      /* ---- read the reply ---- */
      first=1;
      notfin=1;
      retval=1;
      printf("Response:\n");
      while(retval && notfin) {
        /* Zeroing 150000 bytes and reading at most 2500 guarantees a
           terminator, so the strstr()/printf calls below are safe. */
        memset(buffer,0x00,sizeof(buffer));
        /* NOTE(review): three back-to-back waits with only the last result
           kept -- looks like an attempt to wait longer; confirm, or collapse
           to a single call. */
        notfin=s_fd_wait();
        notfin=s_fd_wait();
        notfin=s_fd_wait();
        if (!notfin) {
          printf("Server didn't answer in time limit\n");
          break;
        }
        retval=read(our_spike->fd,buffer,2500);
        /* An immediate EOF or error means the server dropped the request;
           report it on stderr together with the request so it can be found
           later.  A later -1 is not handled here and, being non-zero in an
           unsigned variable, only ends the loop via s_fd_wait(). */
        if (first && (retval==-1 || retval==0) ) {
          printf("***Server closed connection!\n");
          fprintf(stderr,"Request: %s\n",requestbuffer);
          fprintf(stderr,"***Server closed connection!\n");
          break;
        }
        first=0;
        if (retval) {
          /* Server-side errors are the interesting outcome: log request and
             response to stderr. */
          if (strstr(buffer, "500 ok") || strstr(buffer,"Internal Server Error") ) {
            fprintf(stderr,"Request: %s\n",requestbuffer);
            fprintf(stderr,"Response: %s\n",buffer);
          }
          printf("**%.500s**\n",buffer);
          /* this is where you filter responses out that you don't want to
             bother seeing. */
#if 0
          /* don't print out 404 errors */
          if (!strstr(buffer,"404") && !strstr(buffer,"400 Bad Request") && !strstr(buffer,"check that it is entered correctly")) break;
#endif
          /* here we speed things up by not continuing to read past this dumb
             error message */
          /* do this same thing for any request that continues to slow you
             down and is non-interesting */
          if (strstr(buffer,"<TITLE>404")) break;
          if (strstr(buffer,"<TITLE>401")) break;
          if (strstr(buffer,"401 Access denied")) break;
          if (strstr(buffer,"Public: OPTIONS")) break;
          if (strstr(buffer,"Please do not alter this file")) break;
          if (strstr(buffer,"GIF89a")) break;
          if (strstr(buffer,"This object may be found <a HREF=\"localstart.asp\"")) break;
          if (strstr(buffer,"home page, and then look for links to the information you want")) break;
          if(strstr(buffer,"Location: localstart.asp")) break;
          if (strstr(buffer,"This is the default page that appears on new AOLserver installations")) break;
          if (strstr(buffer,"This page intentionally left blank.")) break;
        }
      } /* end while read loop */
      printf("End response\n");
      fuzzstrnum++;
      s_incrementfuzzstring();
      spike_close_tcp();
      /* Use this for testing against netcat */
      /* sleep(1); */
    } /* end for each fuzz string */
    fuzzvarnum++;
    s_incrementfuzzvariable();
  } /* end for each variable */
  printf("Done.\n");
  return 0;
} /* end program */