int
main (int argc, char ** argv)
{
int first;
char * target;
char buffer[1500000];
int port;
char * optional;
struct spike * our_spike;
unsigned long retval;
int notfin;
if (argc!=3)
{
usage();
}
/*sheesh.*/
signal(SIGPIPE,SIG_IGN);
target=argv[1];
printf("Target is %s\r\n",argv[1]);
port=atoi(argv[2]);
if (argc>3)
optional=argv[3];
our_spike=new_spike();
s_init_fuzzing();
if (our_spike==NULL)
{
fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
exit(-1);
}
setspike(our_spike);
/*during s_variable push, if fuzzstring is == currentfuzzstring
then set didlastfuzzstring. If fuzzvariable is == current
variable, set didlastfuzzvariable*/
/*zeroth fuzz variable is first variable*/
s_resetfuzzvariable();
while (!s_didlastvariable())
{
s_resetfuzzstring();
/*zeroth fuzz string is no change*/
while(!s_didlastfuzzstring())
{
spike_clear();
int
main (int argc, char ** argv)
{
int port;
int result,listenfd,acceptfd;
if (argc!=2)
{
usage();
}
port=atoi(argv[1]);
our_spike=new_spike();
if (our_spike==NULL)
{
fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
exit(-1);
}
setspike(our_spike);
result=make_tcp_listener(port,&listenfd);
if (result!=1)
{
printf("Failed to listen on that port: %d\n",port);
usage();
}
/*very important line. don't forget it*/
s_init_fuzzing();
/*zeroth fuzz variable is first variable*/
s_resetfuzzvariable();
while (!s_didlastvariable())
{
s_resetfuzzstring();
/*zeroth fuzz string is no change*/
while(!s_didlastfuzzstring())
{
spike_clear();
/*now loop on connections to that port*/
acceptfd=s_tcp_accept(listenfd);
if (acceptfd==-1)
{
printf("Accept failed for some reason!\n");
continue;
}
/*change any of the s_string's into s_string_variable for extra
* fun */
s_read_packet(); /*read a 0d 0a */
s_string("2"); /*EDIT THIS*/
//s_string_variable("");
s_string_repeat("asdf",5);
s_string("\t");
s_string("2"); /*AND THIS*/
s_string("/");
s_string_repeat("asdf",5);
s_string_variable("");
s_string("\t");
s_string("localhost");
s_string(".");
s_string("localdomain");
s_string(".");
s_string("com");
s_string("\t");
s_string("70");
s_string("\t");
s_string("-");
s_string("\r\n");
s_string(".\r\n");
if (spike_send()<0)
{
printf("Couldn't send data!\r\n");
spike_close_tcp();
continue;
}
spike_close_tcp();
s_incrementfuzzstring();
}
s_incrementfuzzvariable();
}/*end for each variable*/
printf("Done.\n");
return 0;
} /*end program*/
int main (int argc, char **argv) {
struct spike * spike_instance;
int port;
char *host;
char buffer[1500000];
/* Get some parameters */
if (argc != 3) {
printf("Usage: ./lighttpd_fuzz <host> <port>\n");
exit(2);
}
host = argv[1];
port = atoi(argv[2]);
if (port < 1) {
fprintf(stderr, "Invalid port %d, using default of 9999\n", port);
port = 9999;
}
/* Set up Spike */
spike_instance = new_spike();
if (spike_instance == NULL) {
fprintf(stderr, "Malloc failed trying to allocate a spike.\n");
exit(-1);
}
setspike(spike_instance);
/* Print something so it's clear that we've started */
printf("Spike initialized\n");
/* Initialize the fuzzing and reset the fuzz variables */
s_init_fuzzing();
s_resetfuzzvariable();
/* The original generic_send_tcp had some nice ways to shortcut
in to specific variables. I'm skipping that for now to better
learn how this works */
while (!s_didlastvariable()) {
s_resetfuzzstring();
while(!s_didlastfuzzstring()) {
spike_clear();
/* Connect via TCP */
spike_connect_tcp(host, port);
if (spike_send() < 0) {
fprintf(stderr, "Could not send data \n");
}
/* Do some stuff: This is the core commands of the fuzz script */
s_readline(); //print received line from server
s_string("GET ");
s_string_variable("/cgi.pl");
s_string(" HTTP/1.0");
s_string("\n");
s_string_variable("COMMAND"); //send fuzzed string
spike_close_tcp();
//printf("%s", s_get_databuf());
/*see, the thing is that the spike is not guaranteed to be
null terminated, so just a plain printf on the
s_get_databuf() is ill-advised.*/
memset(buffer,0x00,sizeof(buffer));
if (s_get_size()>2500)
memcpy(buffer,s_get_databuf(),2500);
else
memcpy(buffer,s_get_databuf(),s_get_size());
printf("Request:\n%.2500s\nEndRequest\n",buffer);
s_incrementfuzzstring();
} /* while !s_didlastfuzzstring() */
s_incrementfuzzvariable();
} /* while !s_didlastvariable() */
return 0;
}
int
main (int argc, char **argv)
{
char *target;
char buffer[1500000];
int port;
unsigned char *user, *domain;
unsigned char *password;
if (argc != 6)
{
usage ();
}
target = argv[1];
printf ("Target is %s\r\n", argv[1]);
port = atoi (argv[2]);
our_spike = new_spike ();
s_init_fuzzing ();
/*sheesh. */
signal (SIGPIPE, SIG_IGN);
if (our_spike == NULL)
{
fprintf (stderr, "Malloc failed trying to allocate a spike.\r\n");
exit (-1);
}
setspike (our_spike);
host = strdup ("localhost");
/*url=strdup("/iisadmin/iis.asp"); */
url = strdup (argv[5]);
memset (buffer, 0x41, sizeof (buffer));
buffer[sizeof (buffer)] = 0;
buffer[140000] = 0;
user = strdup (argv[3]);
domain = NULL; /*set domain with user@domain */
password = strdup (argv[4]);
s_resetfuzzvariable ();
while (!s_didlastvariable ())
{
s_resetfuzzstring ();
/*zeroth fuzz string is no change */
while (!s_didlastfuzzstring ())
{
spike_clear ();
spike_connect_tcp (target, port);
printf ("Connected.\n");
memset(buffer,0x00,sizeof(buffer));
printf("Getting page %s as %s:%s@%s\n",url,user,password,domain);
if (!get_ntlm_page (url, user, password, domain, buffer))
printf ("Couldn't get ntlm page\n");
else
{
printf ("Reponse: %s\n", buffer);
printf ("\nEnd of response\n");
}
printf("Closing socket\n");
spike_close_tcp ();
// sleep(5);
s_incrementfuzzstring();
}
s_incrementfuzzvariable();
}
return 0;
}
int
main (int argc, char ** argv)
{
int first;
char * target;
char buffer[150000];
char requestbuffer[150000];
int port;
char * file;
char * directory;
struct spike * our_spike;
unsigned long retval;
int notfin;
char * extention;
char * method;
int firstfuzz;
int fuzzvarnum,fuzzstrnum; /*for fuzz variable count*/
int SKIPVARIABLES,SKIPFUZZSTR;
if (argc!=9)
{
usage();
}
target=argv[1];
printf("Target is %s\r\n",argv[1]);
port=atoi(argv[2]);
method = argv[3];
directory = argv [4];
file = argv[5];
extention=argv[6];
SKIPVARIABLES=atoi(argv[7]);
SKIPFUZZSTR=atoi(argv[8]);
fuzzvarnum=0;
fuzzstrnum=0;
our_spike=new_spike();
s_init_fuzzing();
/*sheesh.*/
signal(SIGPIPE,SIG_IGN);
if (our_spike==NULL)
{
fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
exit(-1);
}
setspike(our_spike);
/*during s_variable push, if fuzzstring is == currentfuzzstring
then set didlastfuzzstring. If fuzzvariable is == current
variable, set didlastfuzzvariable*/
/*zeroth fuzz variable is first variable*/
s_resetfuzzvariable();
/*
fuzzvarnum=0;
fuzzstrnum=0;
*/
firstfuzz=1;
while (!s_didlastvariable())
{
s_resetfuzzstring();
/*zeroth fuzz string is no change*/
if (firstfuzz)
{
/*zeroth fuzz string is no change*/
/*see below for why we have this if statement and loop*/
if (fuzzvarnum<SKIPVARIABLES )
{
for (fuzzvarnum=0; fuzzvarnum<SKIPVARIABLES; fuzzvarnum++)
{
s_incrementfuzzvariable();
}
}
/*here is another part of where we implement the ability to jump to a particular
place in the fuzzing*/
if (fuzzstrnum<SKIPFUZZSTR)
{
for (fuzzstrnum=0; fuzzstrnum<SKIPFUZZSTR; fuzzstrnum++)
{
s_incrementfuzzstring();
}
}
firstfuzz=0;
}
else
{
/*we reset this here so every new variable gets a new count*/
fuzzstrnum=0;
}
while(!s_didlastfuzzstring())
{
printf("Fuzzing Variable %d:%d\n",fuzzvarnum,fuzzstrnum);
spike_clear();
/*reset this*/
/*controls when we put an ampersand or not*/
s_setfirstvariable();
s_string_variable(method);
s_string(" ");
s_string(directory);
s_string_variable(file);
s_string(extention);
/*url arguments*/
#ifdef USEARGS
s_string("?");
s_string_variable("View");
s_string_variable("=");
s_string_variable("Logon");
#endif
#ifdef RTSP
s_string(" RTSP/1.0");
#else
s_string(" HTTP/1.1");
#endif
s_string_variable("");
s_string("\r\n");
#ifdef RTSP
//a simple per-request sequence number
s_string("CSeq: ");
s_string_variable("1");
s_string("\r\n");
s_string("Session: ");
s_string_variable("260778254-1");
s_string("\r\n");
s_string("PlayerStats: ");
s_string_variable("Stat3");
s_string(":");
s_string_variable("331");
s_string("|");
s_string_variable("0");
s_string("|");
s_string_variable("STOP");
s_string("|");
s_string(";][");
s_string_variable("Stat4");
s_string(":");
s_string_variable("0");
s_string(" ");
s_string("0 0 0");
s_string("|");
s_string_variable("0");
s_string("|");
s_string_variable("0");
s_string("|");
s_string(" 0 2]\r\n");
#endif
#ifndef RTSP
s_string("Referer: http://localhost/");
s_string_variable("bob");
s_string("\r\n");
s_string("Content-Type: ");
s_string_variable("application/x-www-form-urlencoded");
#ifdef XML
s_string_variable("application/xml");
#endif
s_string("\r\n");
s_string("Connection: ");
s_string_variable("close");
#ifdef WEBDAV
s_string_variable("TE");
#endif
s_string("\r\n");
#ifdef WEBDAV
s_string("TE: ");
s_string_variable("trailers");
s_string("\r\n");
s_string("Depth: ");
s_string_variable("0");
s_string("\r\n");
#endif
//Cookie: JSESSIONID=2CB3ED5F0D71E3C6CD504705BAFD67E0.tomcatinstance1
s_string("Cookie: ");
#ifdef WEBADMIN
s_string_variable("User");
s_string("=");
s_string_variable("bob");
s_string("; Lang=");
s_string_variable("en");
s_string("; Theme=standard");
#endif
#ifdef TOMCAT
s_string_variable("JSESSIONID");
s_string("=");
s_string_variable("B3ED5F0D71E3C6CD504705BAFD67E0");
s_string(".");
s_string_variable("tomcatinstance1");
#endif
s_string("\r\n");
#ifdef BASIC_AUTH
s_string("Authorization: ");
s_string_variable("Basic");
s_string(" ");
s_string_variable("QWxhZGRpbjpvcGVuIHNlc2FtZQ");
s_string("==\r\n");
#endif
s_string("User-Agent: ");
s_string_variable("Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)");
s_string("\r\n");
s_string_variable("Variable");
s_string(": ");
s_string_variable("result");
s_string("\r\n");
s_string_variable("");
s_string("Host: ");
s_string_variable("localhost");
s_string("\r\n");
#endif
#ifdef BODY
s_string("Content-length: ");
s_string_variable("");
s_blocksize_unsigned_string_variable("post",7);
s_string("\r\n");
#endif
#ifdef RTSP
s_string("Accept: application/sdp");
#else
s_string("Accept: ");
s_string_variable("image/");
s_string_variable("gif");
s_string(", image/x-xbitmap, image/jpeg, image/pjpeg, image/png");
#endif
s_string("\r\n");
#ifdef RTSP
#ifdef RTSP_DESCRIBE
s_string("Bandwidth: ");
s_string_variable("393216");
s_string("\r\n");
s_string("ClientID: ");
s_string_variable("WinNT_5.1_6.0.11.868_RealPlayer_RN10PD_e-us_UNK");
s_string("\r\n");
s_string("RegionData: ");
s_string_variable("10034");
s_string("\r\n");
s_string("Require: ");
s_string_variable("com.real.retain-entity-for-setup");
s_string("\r\n");
s_string("SupportsMaximumASMBandwidth: ");
s_string_variable("1");
s_string("\r\n");
s_string("ClientChallenge: ");
s_string_variable("deee2996aca6c64db4ff59e0e3fb386f");
s_string("\r\n");
s_string("CompanyID: ");
s_string_variable("nB9UbGcLzuKoS++5MTGHIg");
s_string("==\r\n");
s_string("GUID: ");
s_string_variable("00000000-0000-0000-0000-000000000000");
s_string("\r\n");
s_string("Pragma: ");
s_string_variable("initiate-session");
s_string("\r\n");
#endif
#endif
#ifndef RTSP
s_string("Accept-Encoding: ");
s_string_variable("gzip");
s_string("\r\n");
s_string("Accept-Language: ");
s_string_variable("en");
s_string("\r\n");
s_string("Accept-Charset: ");
s_string_variable("iso-8859-1,*,utf-8");
s_string("\r\n");
#endif
s_string("\r\n");
/*Done with Headers*/
s_block_start("post");
/*begin POST block*/
s_setfirstvariable();
#ifdef BODY
s_string_variables('&',"User=bob&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n ");
#endif
#ifdef XML
s_string("<?xml version=\"1.0\"?>\n");
s_string("<g:searchrequest xmlns:g=\"DAV:\">\n");
s_string("<g:sql>\n");
s_string("SELECT \"DAV:");
s_string_variable("");
s_string("displayname\" from scope()\n");
s_string("</g:sql");
s_string_variable("");
s_string(">\n");
s_string("</g:searchrequest>");
#endif
/*
s_string("username="******"");
s_string_repeat("A",500);
*/
s_block_end("post");
/* Start webfuzzpostlude.c */
if (spike_send_tcp(target,port)==0)
{
/*this whole block is a bit wrong. Really we
need to exit or something.*/
printf("Couldn't connect to host or send data!\r\n");
spike_close_tcp();
if (fuzzstrnum==s_get_max_fuzzstring())
{
break;
}
fuzzstrnum++;
s_incrementfuzzstring();
//sleep(5);
continue;
}
/*see, the thing is that the spike is not guaranteed to be
null terminated, so just a plain printf on the
s_get_databuf() is ill-advised.*/
memset(requestbuffer,0x00,sizeof(requestbuffer));
if (s_get_size()>2500)
memcpy(requestbuffer,s_get_databuf(),2500);
else
{
memcpy(requestbuffer,s_get_databuf(),s_get_size());
}
/*here we print out our request*/
printf("Request:\n%.2500s\nEndRequest\n",requestbuffer);
first=1;
notfin=1;
retval=1;
printf("Response:\n");
while(retval && notfin)
{
memset(buffer,0x00,sizeof(buffer));
notfin=s_fd_wait();
notfin=s_fd_wait();
notfin=s_fd_wait();
if (!notfin)
{
printf("Server didn't answer in time limit\n");
break;
}
retval=read(our_spike->fd,buffer,2500);
if (first && (retval==-1 || retval==0) )
{
printf("***Server closed connection!\n");
fprintf(stderr,"Request: %s\n",requestbuffer);
fprintf(stderr,"***Server closed connection!\n");
break;
}
first=0;
if (retval)
{
if (strstr(buffer, "500 ok")
|| strstr(buffer,"Internal Server Error")
)
{
fprintf(stderr,"Request: %s\n",requestbuffer);
fprintf(stderr,"Response: %s\n",buffer);
}
printf("**%.500s**\n",buffer);
/*this is where you filter responses out that you don't want to bother seeing.*/
#if 0
/*don't print out 404 errors*/
if (!strstr(buffer,"404") && !strstr(buffer,"400 Bad Request") && !strstr(buffer,"check that it is entered correctly"))
break;
#endif
/*here we speed things up by no continuing to read past this dumb error message*/
/*do this same thing for any request that continues to slow you down and is non-interesting*/
if (strstr(buffer,"<TITLE>404"))
break;
if (strstr(buffer,"<TITLE>401"))
break;
if (strstr(buffer,"401 Access denied"))
break;
if (strstr(buffer,"Public: OPTIONS"))
break;
if (strstr(buffer,"Please do not alter this file"))
break;
if (strstr(buffer,"GIF89a"))
break;
if (strstr(buffer,"This object may be found <a HREF=\"localstart.asp\""))
break;
if (strstr(buffer,"home page, and then look for links to the information you want"))
break;
if(strstr(buffer,"Location: localstart.asp"))
break;
if (strstr(buffer,"This is the default page that appears on new AOLserver installations"))
break;
if (strstr(buffer,"This page intentionally left blank."))
break;
}
}/*end while read loop*/
printf("End response\n");
fuzzstrnum++;
s_incrementfuzzstring();
spike_close_tcp();
/*Use this for testing against netcat*/
/*
sleep(1);
*/
}/*end for each fuzz string*/
fuzzvarnum++;
s_incrementfuzzvariable();
}/*end for each variable*/
printf("Done.\n");
return 0;
} /*end program*/
