Esempio n. 1
0
/* does a Portmap GETPORT against the provided host for the specified
 * program (and version, protocol) provided in the onc_endpoint structure.
 * The results of the query will be put into the port member of the structure.
 * RETURNS:
 * 1 on success, 0 on failure
 */
int
s_onc_do_portmap_getport(char* host, struct onc_endpoint* endpoint)
{
	struct spike* old_spike;
	struct spike* onc_spike;
	unsigned char responsebuf[BIG_BUF], responsedata[BIG_BUF];
	uint responsebufsize = BIG_BUF, responsedatasize = BIG_BUF, xid = 0;

	old_spike = getcurrentspike();
	onc_spike = new_spike();
	setspike(onc_spike);

	xid = (uint)rand();

	s_binary_block_size_onc_recordfrag("ONCRecordFrag");
	s_block_start("ONCRecordFrag");
	s_onc_call_header(xid, 100000, 2, 3);
	s_onc_opaqueauth_none();
	s_onc_verifier_none();
	s_bigword(endpoint->prognum);
	s_bigword(endpoint->progver);
	s_bigword(endpoint->proto);
	s_bigword(0);
	s_block_end("ONCRecordFrag");

	printf("\nXID: %u\tPORTMAP_GETPORTv2\nProg: %u Ver: %u\n", 
		xid, endpoint->prognum, endpoint->progver);
	if (!spike_send_tcp(host, 111)) {
		return 0;
	}

	s_onc_read_reply(onc_spike, responsebuf, &responsebufsize);
	responsedatasize =
	s_onc_parse_response(responsebuf, 
			     responsebufsize, 
			     responsedata, 
			     responsedatasize);

	if (responsedatasize >= 4) {
		endpoint->port = ntohl(*(uint*)responsedata);
	}
	else {
		endpoint->port = 0;
	}

	spike_close_tcp();
	setspike(old_spike);
	spike_free(onc_spike);

	return 1;
}
Esempio n. 2
0
int
main (int argc, char ** argv)
{
  int port;
  int result,listenfd,acceptfd;
  
  if (argc!=2)
    {
      usage();
    }
  
  port=atoi(argv[1]);
  
  our_spike=new_spike();
  
  
  if (our_spike==NULL)
    {
      fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
      exit(-1);
    }
  
  setspike(our_spike);
  
  
  result=make_tcp_listener(port,&listenfd);
  if (result!=1)
    {
      printf("Failed to listen on that port: %d\n",port);
      usage();
    }

  /*very important line. don't forget it*/
  s_init_fuzzing();

  /*zeroth fuzz variable is first variable*/
  s_resetfuzzvariable();
  
  while (!s_didlastvariable())
    {
      s_resetfuzzstring();
      /*zeroth fuzz string is no change*/
      while(!s_didlastfuzzstring())
	{
	  spike_clear();

	  /*now loop on connections to that port*/
	  acceptfd=s_tcp_accept(listenfd);
	  if (acceptfd==-1)
	    {
	      printf("Accept failed for some reason!\n");
	      continue;
	    }
	  
/*change any of the s_string's into s_string_variable for extra
 * fun */
	  s_read_packet(); /*read a 0d 0a */
	  s_string("2"); /*EDIT THIS*/
	  //s_string_variable("");
	  s_string_repeat("asdf",5);
	  s_string("\t");
	  s_string("2"); /*AND THIS*/
	  s_string("/");
	  s_string_repeat("asdf",5);
	  s_string_variable("");
	  s_string("\t");
	  s_string("localhost");
	  s_string(".");
	  s_string("localdomain");
	  s_string(".");
	  s_string("com");
	  s_string("\t");
	  s_string("70");
	  s_string("\t");
	  s_string("-");
	  s_string("\r\n");
	  s_string(".\r\n");
	  if (spike_send()<0)
	    {
	      printf("Couldn't send data!\r\n");
	      spike_close_tcp();
	      continue;
	    }
	  spike_close_tcp();
	  
	  s_incrementfuzzstring();
	}
      s_incrementfuzzvariable();
    }/*end for each variable*/
  printf("Done.\n");
  return 0;
} /*end program*/
Esempio n. 3
0
int
main (int argc, char ** argv)
{
  char * target;
  char buffer[1500000];
  int port;
  char *pipename;
  unsigned char uid[2];
  unsigned char tid[2];
  unsigned char fid[2];
#define SAVESLOTS 5
  unsigned char *savedbuf[SAVESLOTS];
  unsigned int savedsize[SAVESLOTS];
  int currentsaveslot;

  struct spike * our_spike;
  unsigned long retval;
  unsigned int number_of_tries, number_of_items;
  unsigned short function_number;
  int i,j,s;
  unsigned int r;
  int sent;
  int randval;
  int msrpcdo;
  char * login = NULL, * password = NULL;

#define ARGCNEEDED 9
  if (argc < ARGCNEEDED)
    {
      printf("Argc=%d not %d\n",argc,ARGCNEEDED);
      usage();
    }

  target=argv[1];
  printf("Target is %s\r\n",argv[1]);

  msrpcdo=-1;
  if (getenv("MSRPC_DO"))
    {
      msrpcdo=atoi(getenv("MSRPC_DO"));
    }

  function_number=atoi(argv[6]);
  printf("Hitting function number %d\n",function_number);

  number_of_tries=atoi(argv[7]);
  number_of_items=atoi(argv[8]);
  
  if(argc > ARGCNEEDED)
  {
  if(argc != ARGCNEEDED + 2)
  {
   usage();
  }
  
  login = argv[9];
  password = argv[10];
  }

  port=445;

  pipename=argv[2];

  for (s=0;s<SAVESLOTS; s++)
    {
      savedbuf[s]=malloc(0);
      savedsize[s]=0;
    }
  currentsaveslot=0;

  signal(SIGPIPE,sig_pipe);

  if (getenv("RANDVAL"))
    randval=atoi(getenv("RANDVAL"));
  else
    randval=getpid();

  printf("MSRPC_DO=%d and RANDVAL=%d\n",msrpcdo,randval);

  srand(randval);
  printf("Initialized random with %d\n",randval);
  fprintf(stderr,"Initialized random with %d\n",randval);
  for (i=0; i<number_of_tries; i++)
   {
     printf("Try Number %d on procedure %d\n",i,function_number);
     fflush(0);
     our_spike=new_spike();

     if (our_spike==NULL)
       {
	 fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
	 exit(-1);
       }
     /*this really only gets called once*/
     s_init_fuzzing();
     setspike(our_spike);

     /*do unicode the MS way*/
     s_set_unicode(1);
     
     s_smb_negotiate(login, password);
     sent=spike_send_tcp(target,port);
     
     if (sent==0 || caught_sigpipe)
       {
	 /*this means the server went down!*/
	 if (sent==0)
	   fprintf(stderr,"We killed it! \n");
	 else
	   {
	     fprintf(stderr,"We caught sigpipe!\n");
	     fprintf(stdout,"We caught sigpipe!\n");
	   }
	 
	 for (s=0; s<SAVESLOTS;s++)
	   {
	     fprintf(stderr,"Current Save Slot = %d\n",currentsaveslot);
	     fprintf(stderr,"Printing save slot %d\n",s);
#if 0
	     pretty_print(savedbuf[s],savedsize[s]);
#endif
	   }
	 fprintf(stderr,"Done.\n");
	 if (sent==0)
	   {
	     //printf("Was not able to connect: Sleeping...\n");
	     //sleep(100);
	     //sleep(59999);
	   }
	 //exit(1);
       }
     else
       {
#ifdef SAVEBUF
	 /*we always malloc it with something*/
	 free(savedbuf[currentsaveslot]);
#endif
       }



     s_fd_wait();
     memset(buffer,0,sizeof(buffer));
     alarm(1);
     retval=read(getcurrentspike()->fd,buffer,1500);
     alarm(0);
     if (retval==-1)
       {
	 printf("couldn't smb negotiate continuing\n");
	 spike_close_tcp();
	 spike_free(our_spike);
	 continue;
       }
     
     if (buffer[9]!=0x00) {
       printf("Error value when trying to negotiate an SMB connection: %x\n",buffer[10]);
       spike_close_tcp();
       spike_free(our_spike);
       continue;
     }

     spike_clear();


     /*do the smb session startup*/
     s_smb_session_setup(login, password);
     spike_send();
     s_fd_wait();
     
     memset(buffer,0,sizeof(buffer));
     alarm(1);
     retval=read(getcurrentspike()->fd,buffer,1500);
     alarm(0);
     if (retval==-1)
       {
	 printf("couldn't smb session startup continuing\n");
	 spike_close_tcp();
	 spike_free(our_spike);
	 continue;
       }
     
     if (*(unsigned int *)(buffer+9)!=0x00000000) {
       printf("Error value when trying to start up an SMB session: %8.8x\n",*(unsigned int *)(buffer+9));
       if (0x00080001==(*(unsigned int *)(buffer+9))) {
	 printf ("Error returned was out of memory.\n");
       }

       spike_close_tcp();
       spike_free(our_spike);
       continue;
     }

     

     memcpy(uid,buffer+32,2);
     printf("Uid is %x%x\n",uid[0],uid[1]);


     /*done with smb session startup*/

     spike_clear();

     /*start IPC$ connection */

     s_smb_ipc_connect(uid);
     spike_send();
     s_fd_wait();
     
     memset(buffer,0,sizeof(buffer));
     alarm(1);
     retval=read(getcurrentspike()->fd,buffer,1500);
     alarm(0);
     if (retval==-1)
       {
	 printf("couldn't smb session IPC$ startup continuing\n");
	 spike_close_tcp();
	 spike_free(our_spike);
	 continue;
       }
     
     if (*(unsigned int *)(buffer+9)!=0x00000000) {
       printf("Error value when trying to start up an SMB IPC$ session: %8.8x\n",*(unsigned int *)(buffer+9));
       spike_close_tcp();
       spike_free(our_spike);
       continue;
     }

     memcpy(tid,buffer+32-4,2);
     printf("Tree id is %x%x\n",uid[0],uid[1]);

     /*done with IPC$ connection*/

     /* do the NT Create AndX Request */
     spike_clear();
     



     s_nt_createandx(tid,uid,pipename);
     spike_send();

     printf ("Sent NT AndX request\n");
     s_fd_wait();
     
     memset(buffer,0,sizeof(buffer));
     alarm(1);
     retval=read(getcurrentspike()->fd,buffer,1500);
     alarm(0);
     if (retval==-1)
       {
	 printf("couldn't NT Create AndX -  continuing\n");
	 spike_close_tcp();
	 spike_free(our_spike);
	 continue;
       }
     
     if (*(unsigned int *)(buffer+9)!=0x00000000) {
       printf("Error value when trying to start up an NT AndX: %8.8x\n",ntohl(*(unsigned int *)(buffer+9)));
       if (0x220000c0==ntohl(*(unsigned int *)(buffer+9)))
	 {
	   printf("Error returned was Access Denied\n");
	 }
       else 
	 {
	   if (0xac0000c0==ntohl(*(unsigned int *)(buffer+9))) {
	     printf("Error returned was Pipe Not Available\n");

	   }
	   if (0x340000c0==ntohl((*(unsigned int *)(buffer+9)))) {
	     printf ("Error returned was File Not Found.\n");
	   }
	 }

       spike_close_tcp();
       spike_free(our_spike);
       continue;
     }
     memcpy(fid,buffer+42,2);
     printf("File id is %x%x\n",uid[0],uid[1]);
     /*done with the NT Create AndX Request*/       

     spike_clear();

     /*Send the Netbios and SMB header for the DCE-RPC packet*/

     s_smbheader(fid,uid,tid);

     /*i is sent in just to keep incrementing*/
     /*hardcoded the transfer syntax and syntax version of 2...they
       are always the same*/
     s_dce_bind(argv[3], /*GUID "Interface" */
		"8a885d04-1ceb-11c9-9fe8-08002b104860", /*syntax - always the same*/
		i, 
		atoi(argv[4]), /*interface version major*/
		atoi(argv[5]), /*interface version minor, usually zero*/
		2); /*syntax version*/
     s_block_end("DCEFragLength"); /*ALWAYS HAVE TO DO*/

     /*phew! :>*/
     /*had to add this for SMB block*/
     s_block_end("smbblock");
     s_block_end("bytecount");
     sent=spike_send();

     

     

     s_fd_wait();
     /*clear the response*/
     alarm(1);
     fcntl(our_spike->fd, F_SETFL, O_NONBLOCK);
     retval=read(our_spike->fd,buffer,1500);
     if (retval==-1 && 0) 
       {
	 printf ("couldn't read, continuing\n");
	 perror("read()");
	 spike_close_tcp();
	 spike_free(our_spike);
	 continue;
       }
     alarm(0);
     /*the offset of the DCE within the SMB stuff*/
#define DCEOFFSET 60

     if (buffer[2+DCEOFFSET]!=DCE_BIND_ACK)
       {
	 printf("Warning, did not recieve bind_ack! Instead got 0x%x\n",buffer[2+DCEOFFSET]);
	 if (buffer[2+DCEOFFSET]==0x0d)
	   printf("I believe 0x0d is provider reject - check your version number\n");

	 if (buffer[2+DCEOFFSET]==0x00)
	   {
	     /*this means the server went down!*/
	 fprintf(stderr,"We almost killed it! \n");
	 fprintf(stderr,"Current Save Slot = %d\n",currentsaveslot);
	 fprintf(stderr,"Printing save slot %d\n",s);
#if 0
	 pretty_print(savedbuf[currentsaveslot],savedsize[currentsaveslot]);
#endif

	 fprintf(stderr,"Done.\n");

	   }
       }

     /*send first packet*/
     spike_clear();
     s_smb_dce_call(4,buffer,0,fid,uid,tid);
     s_smbdce_doreadx(fid,uid,tid,buffer,sizeof(buffer));

     /*assume bind success...*/
     /*send a random packet*/
     spike_clear();

     /*2nd arg is alloc hint*/
     /*s_dce_call_header(1, 5300, function_number,1,1);*/

     r=0+(unsigned int) (number_of_items*1.0*rand()/(RAND_MAX+1.0));
     

     // r=number_of_items;

     /*EntryNameSyntax*/
     s_intelword(3);
     /*I think this is a "pointer"*/
     s_binary("70 b7 23 00");
     /*EntryName*/
     //s_dce_unistring("/.:/bob/bob");
     s_dce_unistring(s_get_random_fuzzstring());
     //s_dce_unistring("/.:/6");

     /*some null pointers*/
     s_intelword(0);
     s_intelword(0);
     s_intelword(0);
     /*
     push_random_msrpc_thing();
     push_random_msrpc_thing();
     */
     
     s_intelword(0x64);
     s_intelword(0x1c20);
     


     /*test*/
     /*r=1;*/
     for (j=0; j<r+1; j++)
       {
	 //push_valid_thing();
	 //push_random_msrpc_thing();
       }
     printf("Pushing %u things with total size of %u\n",(unsigned int)r+1,(unsigned int)s_get_size());

     /*save it off in our saved buffers*/
     if (currentsaveslot==SAVESLOTS-1)
       {
	 currentsaveslot=0;
       }
     else
       {
	 currentsaveslot++;
       }
#ifdef SAVEBUF
     savedbuf[currentsaveslot]=malloc(s_get_size());
     memcpy(savedbuf[currentsaveslot],s_get_databuf(),s_get_size());
     savedsize[currentsaveslot]=s_get_size();
#endif
     
     /*
       Localization of bugs:
       only actually send the packet if we eithar do not have a MSRPC_DO
       value or if our current i is less than that number

       Change the < to an == when you get close.
     */
     if (msrpcdo==-1 || i==msrpcdo)
       {
	 printf("Sending request\n");
	 /*read from 4 first...*/

	 pretty_print(s_get_databuf(),s_get_size());
	 if (!s_smb_dce_call(function_number,s_get_databuf(),s_get_size(),fid,uid,tid))
	   {
	     printf("do_dce_call failed\n");
	     spike_free(our_spike);
	     return 0;
	   }
       }

  s_fd_wait();
  /*clear the response*/
  memset(buffer,0,sizeof(buffer));
  //alarm(1);
  //s_fd_wait();
  //retval=read(getcurrentspike()->fd,buffer,1500);
  s_smbdce_doreadx(fid,uid,tid,buffer,sizeof(buffer));

  //s_fd_wait();
  //retval=read(getcurrentspike()->fd,buffer,1500);
  alarm(0);
  if (retval==-1)
    {
      printf("continuing\n");
      spike_close_tcp();
      spike_free(our_spike);
      continue;
    }
  if (buffer[2+DCEOFFSET]==DCE_FAULT)
       {
	 printf("Recieved DCE_FAULT packet. As expected.\n");
       }
  else
    {
      printf("Recived response packet with type %x\n",buffer[2+DCEOFFSET]);
      printf("Type 0x0c is BIND_ACK\n");
    }

  if (retval==-1)
    {
      printf("dce call: Interesting - server closed socket!\n");
      //return 0;
    }


  spike_close_tcp(); /*close the socket*/

  spike_clear();
  spike_free(our_spike);
   }

  return 0;
}
Esempio n. 4
0
/* executes a Protmap DUMP request against the specified host and puts
 * the results in onc_endpoint structures in the provided array.  It will
 * write at most arraysize number of endpoint elements into the array, so
 * provide an array large enough to hold all the expected endpoints (32-64
 * elements should be sufficient for most hosts).
 * RETURNS:
 * the number of endpoint elements written to the provided array
 */
int
s_onc_do_portmap_dump(char* host, struct onc_endpoint* eparray, uint arraysize)
{
	struct spike* old_spike;
	struct spike* onc_spike;
	unsigned char responsebuf[BIG_BUF], responsedata[BIG_BUF];
	uint responsebufsize = BIG_BUF, responsedatasize = BIG_BUF, xid = 0;
	uint i = 0, processed = 0;

	old_spike = getcurrentspike();
	onc_spike = new_spike();
	setspike(onc_spike);

	xid = (uint)rand();

	s_binary_block_size_onc_recordfrag("ONCRecordFrag");
	s_block_start("ONCRecordFrag");
	s_onc_call_header(xid, 100000, 2, 4);
	s_onc_opaqueauth_none();
	s_onc_verifier_none();
	s_block_end("ONCRecordFrag");

	printf("\nXID: %u\tPORTMAP_DUMPv2\n", xid);

	if (!spike_send_tcp(host, 111)) {
		return 0;
	}

	s_onc_read_reply(onc_spike, responsebuf, &responsebufsize);
	responsedatasize =
	s_onc_parse_response(responsebuf, 
			     responsebufsize, 
			     responsedata, 
			     responsedatasize);

	for (i = 0; i < arraysize; i++) {
		uint more = 0;
		if (processed + 4 <= responsedatasize) {
			more = ntohl(*(uint*)(responsedata + processed));
			processed += 4;
		}
		else {
			break;
		}
		if (!more) {
			break;
		}
		if (processed + 4 <= responsedatasize) {
			eparray[i].prognum = 
				ntohl(*(uint*)(responsedata + processed));
			processed += 4;
		}
		else {
			break;
		}
		if (processed + 4 <= responsedatasize) {
			eparray[i].progver = 
				ntohl(*(uint*)(responsedata + processed));
			processed += 4;
		}
		else {
			break;
		}
		if (processed + 4 <= responsedatasize) {
			eparray[i].proto =
				ntohl(*(uint*)(responsedata + processed));
			processed += 4;
		}
		else {
			break;
		}
		if (processed + 4 <= responsedatasize) {
			eparray[i].port = 
				ntohl(*(uint*)(responsedata + processed));
			processed += 4;
		}
		else {
			break;
		}
	}

	spike_close_tcp();
	setspike(old_spike);
	spike_free(onc_spike);

	return (i);
}
int main (int argc, char **argv) {
	struct spike * spike_instance;
	int port;
	char *host;
	char buffer[1500000];

	/* Get some parameters */
	if (argc != 3) {
		printf("Usage: ./lighttpd_fuzz <host> <port>\n");
		exit(2);
	}

	host = argv[1];
	port = atoi(argv[2]);

	if (port < 1) {
		fprintf(stderr, "Invalid port %d, using default of 9999\n", port);
		port = 9999;
	}

	/* Set up Spike */
	spike_instance = new_spike();

	if (spike_instance == NULL) {
		fprintf(stderr, "Malloc failed trying to allocate a spike.\n");
		exit(-1);
	}

	setspike(spike_instance); 



	/* Print something so it's clear that we've started */
	printf("Spike initialized\n");	


	/* Initialize the fuzzing and reset the fuzz variables */
	s_init_fuzzing();
	s_resetfuzzvariable();
	
	/* The original generic_send_tcp had some nice ways to shortcut
      in to specific variables.  I'm skipping that for now to better
      learn how this works */

	while (!s_didlastvariable()) {
		s_resetfuzzstring();

		while(!s_didlastfuzzstring()) {

			spike_clear();

			/* Connect via TCP */
			spike_connect_tcp(host, port);
			if (spike_send() < 0) {
				fprintf(stderr, "Could not send data \n");
			}
		
		
			/* Do some stuff: This is the core commands of the fuzz script */
		
			s_readline(); //print received line from server
			s_string("GET ");
			s_string_variable("/cgi.pl");
			s_string(" HTTP/1.0");
			s_string("\n");
			s_string_variable("COMMAND"); //send fuzzed string
		
			spike_close_tcp();

	//printf("%s", s_get_databuf());

    /*see, the thing is that the spike is not guaranteed to be
            null terminated, so just a plain printf on the
            s_get_databuf() is ill-advised.*/
	     memset(buffer,0x00,sizeof(buffer));
	     if (s_get_size()>2500)
	       memcpy(buffer,s_get_databuf(),2500);
	     else
	       memcpy(buffer,s_get_databuf(),s_get_size());
	
			printf("Request:\n%.2500s\nEndRequest\n",buffer); 

			s_incrementfuzzstring();
		} /* while !s_didlastfuzzstring() */

		s_incrementfuzzvariable();
	} /* while !s_didlastvariable() */

	return 0;
}
Esempio n. 6
0
int
main (int argc, char **argv)
{
  char *target;
  char buffer[1500000];

  int port;

  unsigned char *user, *domain;
  unsigned char *password;

  if (argc != 6)
    {
      usage ();
    }

  target = argv[1];
  printf ("Target is %s\r\n", argv[1]);

  port = atoi (argv[2]);

  our_spike = new_spike ();
  s_init_fuzzing ();
  /*sheesh. */
  signal (SIGPIPE, SIG_IGN);




  if (our_spike == NULL)
    {
      fprintf (stderr, "Malloc failed trying to allocate a spike.\r\n");
      exit (-1);
    }

  setspike (our_spike);
  host = strdup ("localhost");
  /*url=strdup("/iisadmin/iis.asp"); */
  url = strdup (argv[5]);
  memset (buffer, 0x41, sizeof (buffer));
  buffer[sizeof (buffer)] = 0;

  buffer[140000] = 0;

  user = strdup (argv[3]);
  domain = NULL;		/*set domain with user@domain */
  password = strdup (argv[4]);

  s_resetfuzzvariable ();
  while (!s_didlastvariable ())
    {
      s_resetfuzzstring ();
      /*zeroth fuzz string is no change */

      while (!s_didlastfuzzstring ())
	{
	  spike_clear ();
	  spike_connect_tcp (target, port);
	  printf ("Connected.\n");
	  memset(buffer,0x00,sizeof(buffer));

	  printf("Getting page %s as %s:%s@%s\n",url,user,password,domain);
	  if (!get_ntlm_page (url, user, password, domain, buffer))
	    printf ("Couldn't get ntlm page\n");
	  else
	    {
	      printf ("Reponse: %s\n", buffer);
	      printf ("\nEnd of response\n");
	    }
	  printf("Closing socket\n");
	  spike_close_tcp ();
	 // sleep(5);
s_incrementfuzzstring();

	  

	}
        s_incrementfuzzvariable();
    }
  return 0;
}
int
main (int argc, char ** argv)
{
  int first;
  char * target;
  char buffer[150000];
  char requestbuffer[150000];
  int port;
  char * file;
  char * directory;

  struct spike * our_spike;
  unsigned long retval;
  int notfin;
  char * extention;
  char * method;
  int firstfuzz;
  int fuzzvarnum,fuzzstrnum; /*for fuzz variable count*/
  int SKIPVARIABLES,SKIPFUZZSTR;

  if (argc!=9)
    {
      usage();
    }

  target=argv[1];
  printf("Target is %s\r\n",argv[1]);

  port=atoi(argv[2]);

  method = argv[3];
  
  directory = argv [4];
  file = argv[5];

  extention=argv[6];

  SKIPVARIABLES=atoi(argv[7]);
  SKIPFUZZSTR=atoi(argv[8]);

  fuzzvarnum=0;
  fuzzstrnum=0;

  our_spike=new_spike();
  s_init_fuzzing();

  /*sheesh.*/
  signal(SIGPIPE,SIG_IGN);

  if (our_spike==NULL)
    {
      fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
      exit(-1); 
    }

  setspike(our_spike);
  
  /*during s_variable push, if fuzzstring is == currentfuzzstring
    then set didlastfuzzstring. If fuzzvariable is == current
    variable, set didlastfuzzvariable*/


  
  /*zeroth fuzz variable is first variable*/
  s_resetfuzzvariable();
  /*
  fuzzvarnum=0;
  fuzzstrnum=0;
  */
  firstfuzz=1;

  while (!s_didlastvariable())
    {
      s_resetfuzzstring();
      /*zeroth fuzz string is no change*/


      if (firstfuzz)
      {
      /*zeroth fuzz string is no change*/
      /*see below for why we have this if statement and loop*/
      if (fuzzvarnum<SKIPVARIABLES )
        {
          for (fuzzvarnum=0; fuzzvarnum<SKIPVARIABLES; fuzzvarnum++)
            {
              s_incrementfuzzvariable();
            }
        }

      /*here is another part of where we implement the ability to jump to a particular
        place in the fuzzing*/
      if (fuzzstrnum<SKIPFUZZSTR)
        {
          for (fuzzstrnum=0; fuzzstrnum<SKIPFUZZSTR; fuzzstrnum++)
            {
              s_incrementfuzzstring();
            }
        }
      firstfuzz=0;
      }
      else
      {
              /*we reset this here so every new variable gets a new count*/
              fuzzstrnum=0;
      }


      
      while(!s_didlastfuzzstring())
	{
 	          printf("Fuzzing Variable %d:%d\n",fuzzvarnum,fuzzstrnum);

	  spike_clear();

	  /*reset this*/
	  /*controls when we put an ampersand or not*/
	  s_setfirstvariable();	  

          s_string_variable(method);
	  s_string(" ");
	  s_string(directory);
	  s_string_variable(file);
	  s_string(extention);

	  /*url arguments*/
#ifdef USEARGS
	  s_string("?");
	  s_string_variable("View");
	  s_string_variable("=");
	  s_string_variable("Logon");
#endif
#ifdef RTSP 
	  s_string(" RTSP/1.0");
#else
	  s_string(" HTTP/1.1");
#endif
          s_string_variable("");
	  s_string("\r\n");
#ifdef RTSP
	  //a simple per-request sequence number
	  s_string("CSeq: ");
	  s_string_variable("1");
	  s_string("\r\n");

	  s_string("Session: ");
	  s_string_variable("260778254-1");
	  s_string("\r\n");

	  s_string("PlayerStats: ");
	  s_string_variable("Stat3");
	  s_string(":");
	  s_string_variable("331");
	  s_string("|");
	  s_string_variable("0");
	  s_string("|");
	  s_string_variable("STOP");
	  s_string("|");
	  s_string(";][");
	  s_string_variable("Stat4");
	  s_string(":");
	  s_string_variable("0");
	  s_string(" ");
	  s_string("0 0 0");
	  s_string("|");
	  s_string_variable("0");
	  s_string("|");
	  s_string_variable("0");
	  s_string("|");
	  s_string(" 0 2]\r\n");

#endif
#ifndef RTSP
	  s_string("Referer: http://localhost/");
	  s_string_variable("bob");
	  s_string("\r\n");
	  s_string("Content-Type: ");
	  s_string_variable("application/x-www-form-urlencoded");
#ifdef XML
	  s_string_variable("application/xml");
#endif
	  s_string("\r\n");

	  s_string("Connection: ");
	  s_string_variable("close");
#ifdef WEBDAV
	  s_string_variable("TE");
#endif

	  s_string("\r\n");
#ifdef WEBDAV
	  s_string("TE: ");
	  s_string_variable("trailers");
	  s_string("\r\n");

	  s_string("Depth: ");
	  s_string_variable("0");
	  s_string("\r\n");
#endif
	  //Cookie: JSESSIONID=2CB3ED5F0D71E3C6CD504705BAFD67E0.tomcatinstance1 
	  s_string("Cookie: ");
#ifdef WEBADMIN
	  s_string_variable("User");
	  s_string("=");
	  s_string_variable("bob");
	  s_string("; Lang=");
	  s_string_variable("en");
	  s_string("; Theme=standard");
#endif
#ifdef TOMCAT
  	  s_string_variable("JSESSIONID");
	  s_string("=");
	  s_string_variable("B3ED5F0D71E3C6CD504705BAFD67E0");
	  s_string(".");
	  s_string_variable("tomcatinstance1");
#endif
	  s_string("\r\n");

#ifdef BASIC_AUTH
          s_string("Authorization: ");
          s_string_variable("Basic"); 
          s_string(" ");
          s_string_variable("QWxhZGRpbjpvcGVuIHNlc2FtZQ");
          s_string("==\r\n");
#endif

	  s_string("User-Agent: ");
	  s_string_variable("Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)");
	  s_string("\r\n");
	  s_string_variable("Variable");
	  s_string(": ");
	  s_string_variable("result");
	  s_string("\r\n");
          s_string_variable(""); 
	  s_string("Host: ");
	  s_string_variable("localhost");
	  s_string("\r\n");
#endif

#ifdef BODY
	  s_string("Content-length: ");
	  s_string_variable("");
	  s_blocksize_unsigned_string_variable("post",7);
	  s_string("\r\n");
#endif

#ifdef RTSP
	  s_string("Accept: application/sdp");
#else
	  s_string("Accept: ");
	  s_string_variable("image/");
	  s_string_variable("gif");
	  s_string(", image/x-xbitmap, image/jpeg, image/pjpeg, image/png");
#endif
	  s_string("\r\n");
#ifdef RTSP
#ifdef RTSP_DESCRIBE
	  s_string("Bandwidth: ");
	  s_string_variable("393216");
	  s_string("\r\n");

	  s_string("ClientID: ");
	  s_string_variable("WinNT_5.1_6.0.11.868_RealPlayer_RN10PD_e-us_UNK");
	  s_string("\r\n");

	  s_string("RegionData: ");
	  s_string_variable("10034");
	  s_string("\r\n");
	  s_string("Require: ");
	  s_string_variable("com.real.retain-entity-for-setup");
	  s_string("\r\n");

	  s_string("SupportsMaximumASMBandwidth: ");
	  s_string_variable("1");
	  s_string("\r\n");

	  s_string("ClientChallenge: ");
	  s_string_variable("deee2996aca6c64db4ff59e0e3fb386f");
	  s_string("\r\n");

	  s_string("CompanyID: ");
	  s_string_variable("nB9UbGcLzuKoS++5MTGHIg");
	  s_string("==\r\n");

	  s_string("GUID: ");
	  s_string_variable("00000000-0000-0000-0000-000000000000");
	  s_string("\r\n");

	  s_string("Pragma: ");
	  s_string_variable("initiate-session");
	  s_string("\r\n");
#endif
#endif
#ifndef RTSP
		  
	  s_string("Accept-Encoding: ");
	  s_string_variable("gzip");
	  s_string("\r\n");
	  s_string("Accept-Language: ");
	  s_string_variable("en");
	  s_string("\r\n");
	  s_string("Accept-Charset: ");
	  s_string_variable("iso-8859-1,*,utf-8");
	  s_string("\r\n");

#endif
	  s_string("\r\n");
	  /*Done with Headers*/
	  s_block_start("post");
	  /*begin POST block*/
	  s_setfirstvariable();
#ifdef BODY
	  s_string_variables('&',"User=bob&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n ");
#endif
#ifdef XML
	  s_string("<?xml version=\"1.0\"?>\n");
	  s_string("<g:searchrequest xmlns:g=\"DAV:\">\n");
	  s_string("<g:sql>\n");
	  s_string("SELECT \"DAV:");
	  s_string_variable("");
	  s_string("displayname\" from scope()\n");
	  s_string("</g:sql");
	  s_string_variable("");
	  s_string(">\n");
	  s_string("</g:searchrequest>");
#endif

	  /*
	  s_string("username="******"");
	  s_string_repeat("A",500);
	  */
	  s_block_end("post");
	  /* Start webfuzzpostlude.c */ 


	  if (spike_send_tcp(target,port)==0)
	    {
	      /*this whole block is a bit wrong. Really we
		need to exit or something.*/
	      printf("Couldn't connect to host or send data!\r\n");
	      spike_close_tcp();
	      if (fuzzstrnum==s_get_max_fuzzstring())
		{
		  break;
		}

	      fuzzstrnum++;
	      s_incrementfuzzstring();
	      //sleep(5);
	      continue;
	    }

	  /*see, the thing is that the spike is not guaranteed to be
            null terminated, so just a plain printf on the
            s_get_databuf() is ill-advised.*/
	  memset(requestbuffer,0x00,sizeof(requestbuffer));
	  if (s_get_size()>2500)
	    memcpy(requestbuffer,s_get_databuf(),2500);
	  else
           {
	    memcpy(requestbuffer,s_get_databuf(),s_get_size());
           }
  

	  /*here we print out our request*/
	  printf("Request:\n%.2500s\nEndRequest\n",requestbuffer);

	  first=1;
	  notfin=1;
	  retval=1;
          printf("Response:\n");
	  while(retval && notfin) 
	    {
 	     
	      memset(buffer,0x00,sizeof(buffer));
	      notfin=s_fd_wait();
	      notfin=s_fd_wait();
	      notfin=s_fd_wait();
	      if (!notfin)
                {
                 printf("Server didn't answer in time limit\n");
		break;
                }
	      retval=read(our_spike->fd,buffer,2500);
	if (first && (retval==-1 || retval==0) )
                {
                   printf("***Server closed connection!\n");
		   fprintf(stderr,"Request: %s\n",requestbuffer);
                   fprintf(stderr,"***Server closed connection!\n");
		   break;
                }
		first=0;
	      if (retval)
		{
		    if (strstr(buffer, "500 ok") 
			|| strstr(buffer,"Internal Server Error")
			) 
                    {
			fprintf(stderr,"Request: %s\n",requestbuffer);
			fprintf(stderr,"Response: %s\n",buffer);
                    }


		    printf("**%.500s**\n",buffer);
		  /*this is where you filter responses out that you don't want to bother seeing.*/
#if 0
		  /*don't print out 404 errors*/
		  if (!strstr(buffer,"404") && !strstr(buffer,"400 Bad Request") && !strstr(buffer,"check that it is entered correctly"))
 		break;
#endif
		  /*here we speed things up by no continuing to read past this dumb error message*/
		  /*do this same thing for any request that continues to slow you down and is non-interesting*/
                  if (strstr(buffer,"<TITLE>404"))
                    break;
                  if (strstr(buffer,"<TITLE>401"))
		    break;
		  if (strstr(buffer,"401 Access denied"))
		    break;
		  if (strstr(buffer,"Public: OPTIONS"))
		    break;
		  if (strstr(buffer,"Please do not alter this file"))
		    break;
		  if (strstr(buffer,"GIF89a"))
		    break;
		  if (strstr(buffer,"This object may be found <a HREF=\"localstart.asp\""))
	break;

		if (strstr(buffer,"home page, and then look for links to the information you want"))
		break;
		 if(strstr(buffer,"Location: localstart.asp"))
		break;
 		 if (strstr(buffer,"This is the default page that appears on new AOLserver installations"))
		break;
		if (strstr(buffer,"This page intentionally left blank."))
		break;
               }
	    }/*end while read loop*/
               printf("End response\n");
          fuzzstrnum++;
	  s_incrementfuzzstring();
	  spike_close_tcp();
	  /*Use this for testing against netcat*/
	  /*
	    sleep(1);
	  */
	}/*end for each fuzz string*/
      fuzzvarnum++;
      s_incrementfuzzvariable();
    }/*end for each variable*/
  printf("Done.\n");
  return 0;
} /*end program*/