void dump_options(option_block *opts)
{
int i;
if(opts != NULL)
{
printf("[%s] dumping options:\n\tfilename: <%s>\n\tstate: <%d>\n\tlineno: <%d>\n\tliterals: [%d]\n\tsequences: [%d]\n\tsymbols: [%d]\n\treq_del: <%d>\n\tmseq_len: <%d>\n\tplugin: <%s>\n\ts_syms: <%d>\n",
get_time_as_log(), opts->pFilename, opts->state, opts->lno, opts->num_litr, opts->num_seq, opts->sym_count / 2, opts->reqw_inms, opts->mseql,
g_plugin ? g_plugin->name() : "none", opts->s_syms_count);
for(i = 0; i < opts->num_litr; i++)
printf("\tliteral[%d] = [%s]\n", i+1, opts->litr[i]);
for(i = 0; i < opts->num_seq; i++)
printf("\tsequence[%d] = [%s]\n", i+1, opts->seq[i]);
for(i = 0; i < opts->sym_count; ++i)
{
if(!(opts->syms_array[i].is_len))
printf("\tsym [%s]->[%s]\n", opts->syms_array[i].sym_name,
opts->syms_array[i].sym_val);
}
for(i = 0; i < opts->s_syms_count; ++i)
{
printf("\t|sym| [%s] -> %d[%d:%s]\n",
opts->s_syms[i].sym_name, opts->s_syms[i].is_len,
opts->s_syms[i].offset, opts->s_syms[i].sym_val);
}
}
}
int os_send_unix_dgram(option_block *opts, char *str, size_t len)
{
#ifdef __WIN32__
return -1;
#endif
FILE *log = stdout;
struct sockaddr_un sa_unix;
int sockfd = -1;
if(opts->fp_log)
log = opts->fp_log;
sockfd = socket(AF_UNIX, SOCK_DGRAM, 0);
if (sockfd != -1)
{
sa_unix.sun_family = AF_UNIX;
strcpy(sa_unix.sun_path, opts->host_spec);
if (sendto(sockfd, str, len, 0,
(const struct sockaddr *)&sa_unix, sizeof sa_unix) < 0 ) {
// handle the failure case...
}
if (opts->verbosity != QUIET)
fprintf(log, "[%s] info: tx fuzz - scanning for reply.\n",
get_time_as_log());
close(sockfd);
return 0;
}
return -1;
}
void process_opts(int argc, char *argv[], option_block *opts)
{
char *lastarg = 0;
if(opts->state != CMD_LINE_OPTS)
{
fprintf(stderr, "[%s] fatal: attempt to invoke process_opts in improper state. ARE YOU HACKING ME?!\n",
get_time_as_log());
exit(-1);
}
if(argc > 1)
{
--argc;
while(argc > 0)
{
switch(argv[argc][0])
{
case '-':
process_opt_str((argv[argc])+1, lastarg, opts);
break;
default:
lastarg = argv[argc];
break;
}
argc--;
}
}
sanity(opts);
}
void sanity(option_block *opts)
{
if(opts == NULL)
{
fprintf(stderr, "[%s] fatal: option block null\n", get_time_as_log());
exit(-1);
}
if(!(opts->tcp_flag) && !(opts->udp_flag) && !(opts->out_flag))
{
fprintf(stderr, "[%s] error: must specify an output type.\n",
get_time_as_log());
print_help();
exit(-1);
}
if(opts->pFilename[0] == 0)
{
fprintf(stderr, "[%s] error: must specify a config file.\n",
get_time_as_log());
print_help();
exit(-1);
}
if(((opts->tcp_flag)||(opts->udp_flag)) &&
((opts->host == 0) || ((opts->port == 0) || (opts->port < 1) ||
(opts->port > 65535)))
)
{
fprintf(stderr,
"[%s] error: must specify a host and port when using netmode.\n",
get_time_as_log());
print_help();
exit(-1);
}
}
/* this is going to be crappy! */
int atoip(const char *pIpStr)
{
#ifdef __WIN32__
WSADATA wsaData;
#endif
struct addrinfo hints, *servinfo, *p;
int t = 0;
#ifdef __WIN32__
if(WSAStartup(MAKEWORD(2,0), &wsaData) != 0)
{
fprintf(stderr, "[%s]: error: Unable to init winsock!\n",
get_time_as_log());
return -1;
}
#endif
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if(getaddrinfo(pIpStr, NULL, &hints, &servinfo) != 0)
return 0;
for(p = servinfo; p != NULL; p = p->ai_next)
{
if(p->ai_family == AF_INET)
{
t = ((struct sockaddr_in*)(p->ai_addr))->sin_addr.s_addr;
break;
}
else if(p->ai_family == AF_INET6)
t = 1; /* for IPv6 we treat it as a "true" value */
else
t = 0;
}
freeaddrinfo(servinfo);
#ifdef __WIN32__
WSACleanup();
#endif
return t;
}
int os_send_udp(option_block *opts, char *str, size_t len)
{
#ifdef __WIN32__
WSADATA wsaData;
#endif
FILE *log = stdout;
struct timeval tv;
fd_set fds;
unsigned long int to = MAX(100, opts->time_out);
struct addrinfo hints, *servinfo, *p;
int sockfd = -1;
int ret;
if(opts->fp_log)
log = opts->fp_log;
#ifdef __WIN32__
if(WSAStartup(MAKEWORD(2,0), &wsaData) != 0)
{
fprintf(stderr, "[%s]: error: Unable to init winsock!\n",
get_time_as_log());
fprintf(log, "[%s]: error: Unable to init winsock!\n",
get_time_as_log());
return -1;
}
#endif
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
if(getaddrinfo(opts->host_spec, opts->port_spec, &hints, &servinfo) != 0)
{
fprintf(stderr, "[%s]: error: unable to get addrinfo\n",
get_time_as_log());
fprintf(log, "[%s]: error: unable to get addrinfo\n",
get_time_as_log());
#ifdef __WIN32__
WSACleanup();
#endif
return -1;
}
for(p = servinfo; p!= NULL; p = p->ai_next)
{
sockfd = socket(p->ai_family, p->ai_socktype,
p->ai_protocol);
if(sockfd < 0)
continue;
opts->sockfd = sockfd;
break; /* p won't be equal to NULL in this case */
}
if(p == NULL)
{
fprintf(stderr,"[%s] error: unable to acquire socket.\n",
get_time_as_log());
fprintf(log,"[%s] error: unable to acquire socket.\n",
get_time_as_log());
freeaddrinfo(servinfo);
#ifdef __WIN32__
WSACleanup();
#endif
return -1;
}
ret = sendto(sockfd, str, len, 0,
p->ai_addr, p->ai_addrlen);
freeaddrinfo(servinfo);
if(ret < 0)
{
fprintf(stderr,"[%s] error: udp send() failed.\n", get_time_as_log());
fprintf(log,"[%s] error: udp send() failed.\n", get_time_as_log());
#ifdef __WIN32__
WSACleanup();
#endif
return -1;
}
if(opts->verbosity != QUIET)
fprintf(log, "[%s] info: tx fuzz - scanning for reply.\n",
get_time_as_log());
FD_ZERO(&fds);
FD_SET(sockfd, &fds);
tv.tv_sec = to / 1000;
tv.tv_usec = (to % 1000) * 1000; /*time out*/
mssleep(opts->reqw_inms);
ret = select(sockfd+1, &fds, NULL, NULL, &tv);
if(ret > 0)
{
if(FD_ISSET(sockfd, &fds))
{
char buf[8193] = {0};
int r_len = 0;
r_len = read(sockfd, &buf, 8192);
buf[8192] = 0;
if(opts->verbosity != QUIET)
fprintf(log, "[%s] read:\n%s\n===============================================================================\n",
get_time_as_log(),
buf);
#ifndef NOPLUGIN
if((g_plugin != NULL) &&
((g_plugin->capex() & PLUGIN_PROVIDES_POST_FUZZ) ==
PLUGIN_PROVIDES_POST_FUZZ))
{
g_plugin->post_fuzz(opts, buf, r_len);
}
#endif
}
}
#ifdef __WIN32__
closesocket(sockfd);
WSACleanup();
#else
close(sockfd);
#endif
return 0;
}
int os_send_tcp(option_block *opts, char *str, size_t len)
{
#ifdef __WIN32__
WSADATA wsaData;
#endif
FILE *log = stdout;
struct timeval tv;
fd_set fds;
int sockfd = -1;
struct addrinfo hints, *servinfo, *p;
int ret;
int snt = 0;
unsigned long int to = MAX(100, opts->time_out);
if(opts->fp_log)
log = opts->fp_log;
#ifdef __WIN32__
if(WSAStartup(MAKEWORD(2,0), &wsaData) != 0)
{
fprintf(stderr, "[%s]: error: Unable to init winsock!\n",
get_time_as_log());
fprintf(log, "[%s]: error: Unable to init winsock!\n",
get_time_as_log());
return -1;
}
#endif
if(opts->sockfd != -1)
{
sockfd = opts->sockfd;
}
else
{
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if(getaddrinfo(opts->host_spec, opts->port_spec, &hints, &servinfo) != 0)
{
fprintf(stderr, "[%s]: error: unable to get addrinfo\n",
get_time_as_log());
fprintf(log, "[%s]: error: unable to get addrinfo\n",
get_time_as_log());
#ifdef __WIN32__
WSACleanup();
#endif
return -1;
}
for(p = servinfo; p!= NULL; p = p->ai_next)
{
sockfd = socket(p->ai_family, p->ai_socktype,
p->ai_protocol);
if(sockfd < 0)
continue;
opts->sockfd = sockfd;
if(connect(sockfd,
p->ai_addr, p->ai_addrlen) < 0)
{
#ifdef __WIN32__
closesocket(sockfd);
#else
close(sockfd);
#endif
opts->sockfd = sockfd = -1;
continue;
}
break; /* faster than setting p = NULL; (I think)*/
}
freeaddrinfo(servinfo);
}
if(sockfd == -1)
{
fprintf(stderr,
"[%s] error: unable to connect to remote system [%s].\n",
get_time_as_log(), process_error());
fprintf(log,
"[%s] error: unable to connect to remote system [%s].\n",
get_time_as_log(), process_error());
#ifdef __WIN32__
WSACleanup();
#endif
return -1;
}
while(len)
{
ret = send(sockfd, str + snt, len, 0);
if(ret < 0)
{
fprintf(stderr,"[%s] error: tcp send() failed.\n", get_time_as_log());
fprintf(log,"[%s] error: tcp send() failed.\n", get_time_as_log());
#ifdef __WIN32__
WSACleanup();
#endif
return -1;
}
len -= ret;
snt += ret;
}
if(opts->verbosity != QUIET)
fprintf(log, "[%s] info: tx fuzz - (%d bytes) - scanning for reply.\n",
get_time_as_log(), snt);
FD_ZERO(&fds);
FD_SET(sockfd, &fds);
tv.tv_sec = to / 1000;
tv.tv_usec = (to % 1000) * 1000; /*time out*/
mssleep(opts->reqw_inms);
ret = select(sockfd+1, &fds, NULL, NULL, &tv);
if(ret > 0)
{
if(FD_ISSET(sockfd, &fds))
{
char buf[8193] = {0};
int r_len = 0;
r_len = read(sockfd, &buf, 8192);
buf[8192] = 0;
if(opts->verbosity != QUIET)
fprintf(log, "[%s] read:\n%s\n===============================================================================\n",
get_time_as_log(),
buf);
if((opts->s_syms_count) && (opts->repl_pol))
{
for(ret = 0; ret < opts->s_syms_count; ++ret)
{
sym_t *pSym = &(opts->s_syms[ret]);
int cpy_len = pSym->is_len;
if((opts->repl_pol == 2) &&
pSym->increment)
continue;
if(cpy_len > r_len)
continue;
memset(pSym->sym_val, 0, 1024);
memcpy(pSym->sym_val, buf+(pSym->offset),cpy_len);
pSym->sym_val[cpy_len] = 0;
pSym->s_len = cpy_len;
pSym->increment = 1;
}
}
#ifndef NOPLUGIN
if((g_plugin != NULL) &&
((g_plugin->capex() & PLUGIN_PROVIDES_POST_FUZZ) ==
PLUGIN_PROVIDES_POST_FUZZ))
{
g_plugin->post_fuzz(opts, buf, r_len);
}
#endif
}
}
if(opts->close_conn)
opts->sockfd = -1;
if((opts->close_conn) && (!opts->forget_conn))
{
#ifdef __WIN32__
closesocket(sockfd);
#else
close(sockfd);
#endif
}
#ifdef __WIN32__
WSACleanup();
#endif
return 0;
}
int execute_fuzz(option_block *opts)
{
char *line = malloc(8192);
char *req = malloc(opts->mseql + 16384);
char *req2 = malloc(opts->mseql + 16384);
char *preq = malloc(opts->mseql + 16384);
char *p, *j;
char c,f,b;
int tsze = 0;
int reqsize = 0;
int preqsize= 0;
int i = 0;
int k = 0;
unsigned int seq4b = 0;
memset(req, 0, opts->mseql + 16384);
memset(req2, 0, opts->mseql + 16384);
memset(preq, 0, opts->mseql + 16384);
if(opts->state != FUZZ)
{
fprintf(stderr, "[%s] fatal: corrupted state for execute_fuzz()\n",
get_time_as_log());
exit(-1);
}
/*setup the socket fd*/
opts->sockfd = -1;
while(!feof(opts->fp))
{
tsze = 0;
reqsize = 0;
line[0] = 0;
while(strcmp(line, "--") && strcmp(line, "c-"))
{
tsze = readLine(opts, line, 8192, 1);
if(!strcmp(line, "--") || !strcmp(line, "c-") || tsze == 0)
{
break;
}
if(opts->mseql && ((tsze + reqsize) > opts->mseql + 8192))
{
/*ohnoes overflow*/
fprintf(stderr, "[%s] error: overflow[%d:%d].\n",
get_time_as_log(), opts->mseql,
(tsze + reqsize));
exit(-1);
}
memcpy(req+reqsize, line, tsze);
reqsize += tsze-1;
if(opts->line_terminator_size)
{
memcpy(req+reqsize, opts->line_term,
opts->line_terminator_size);
}
reqsize += opts->line_terminator_size;
*(req+reqsize) = 0;
}
if(feof(opts->fp)) break;
if(!strcasecmp(line, "c-"))
opts->close_conn = 0;
else
opts->close_conn = 1;
/* TODO: implement this feature in an intuitive and useful manner */
opts->send_initial_nonfuzz_again = 0;
if(opts->trim_nl)
req[reqsize-1] = 0;
if(opts->seqstep <= 0)
{
opts->seqstep = opts->mseql;
}
/*loaded a request.*/
p = strstr(req, "FUZZ");
if(!p)
{
if(fuzz(opts, req, reqsize) < 0)
{
goto done;
}
memcpy(preq, req, reqsize);
preqsize = reqsize;
}
else /* we have to FUZZ for reals*/
{
/*do the literals*/
if(opts->no_literal_fuzz == 0)
{
for(tsze = 0; tsze < opts->num_litr; ++tsze)
{
char litr_is_bin = 0;
i = 0;
/*first, do the literals, which are filled in as-is*/
strcpy(req2, req);
c = *(
(opts->litr[tsze]) +
strspn(opts->litr[tsze], " "));
b = *(1+
(opts->litr[tsze]) +
strspn(opts->litr[tsze], " "));
f = *(2 +
(opts->litr[tsze])+
strspn(opts->litr[tsze], " "));
if((c == '0') ||
(c == '\\'))
{
if((b == 'x') &&
((f >= '0') &&
(f <= '9')))
litr_is_bin = 1;
}
if(c == 'x')
if((f >= '0') && (f <= '9'))
litr_is_bin = 1;
if(!litr_is_bin)
i = strrepl(req2, reqsize, "FUZZ", opts->litr[tsze]);
else
{
char *blit = malloc(8192);
int blit_len = 0;
strcpy(blit,opts->litr[tsze]+
strspn(opts->litr[tsze]," "));
strrepl(blit, strlen(blit), "0x", " ");
strrepl(blit, strlen(blit), "\\x", " ");
blit_len = ascii_to_bin(blit);
i = smemrepl(req2, reqsize, "FUZZ",blit, blit_len );
free( blit );
}
if(opts->send_initial_nonfuzz_again)
if(fuzz(opts, preq, preqsize) < 0)
goto done;
if(fuzz(opts, req2, i)<0)
goto done;
}
}
if(opts->no_sequence_fuzz == 0)
{
/*do the sequences*/
for(tsze = 0; tsze < opts->num_seq; ++tsze)
{
char seq_buf[5] = {0};
/*at this point, we do sequences. Sequencing will be done*/
/*by filling to maxseqlen, in increments of seqstep*/
memcpy(req2, req, (p-req));
/*we've filled up req2 with everything BEFORE FUZZ*/
j = req2;
for(k = opts->seqstep; k <= opts->mseql; k+= opts->seqstep)
{
seq4b = 0;
req2 = j;
req2 += (p-req);
for(i=0; i < k; ++i)
{
*req2++ =
*(opts->seq[tsze] +
(i % opts->seq_lens[tsze]));
if(strstr(j, "__SEQUENCE_NUM_ASCII__"))
{
snprintf(seq_buf, 5, "%04d", seq4b++);
strrepl(j, strlen(j), "__SEQUENCE_NUM_ASCII__",
seq_buf);
req2 -= 18;
}
}
memcpy(req2, (char *)(p+4), strlen(p+4));
*(req2+(strlen(p+4))) = 0;
req2 = j;
if(opts->send_initial_nonfuzz_again)
if(fuzz(opts, preq, preqsize) < 0)
goto done;
if(fuzz(opts, req2, strlen(req2))<0)
goto done;
}
}
}
}
}
done:
free( line );
free( req );
free( req2 );
return 0;
}
int fuzz(option_block *opts, char *req, int len)
{
int i = 0;
int res = 0;
FILE *log = stdout;
char *r2, *tmp = 0;
char *p1, *tmp2 = 0;
int r2_len,p1_len;
sym_t *pSym;
int fuzz_this_time = (opts->start_test <= ++fuzznum) ?
1 : 0;
if(opts->fp_log)
log = opts->fp_log;
if( fuzz_this_time && opts->verbosity != QUIET )
fprintf(log, "[%s] attempting fuzz - %d.\n", get_time_as_log(),
fuzznum);
#ifndef NOPLUGIN
if(fuzz_this_time && g_plugin != NULL &&
((g_plugin->capex() & PLUGIN_PROVIDES_PAYLOAD_PARSE) ==
PLUGIN_PROVIDES_PAYLOAD_PARSE))
{
tmp2 = req;
p1_len = len * 2;
p1 = malloc(p1_len);
g_plugin->payload_trans(opts, req, len, p1, &p1_len);
req = p1;
len = p1_len;
}
#endif
if(fuzz_this_time && ((opts->sym_count) || (opts->s_syms_count)))
{
/*xxx : enhancement - loop backwards allowing people to define
a string (aaa for example) and use that string within
other defines appearing later.
THIS creates a problem - our length field substitution
depends on having lengths before non-lengths. The answer
of course, is to just have 2 loops, apply the lenghts first*/
for(i = 0; i < opts->s_syms_count ; ++i)
{
pSym = &(opts->s_syms[ opts->s_syms_count - (i+1) ]);
len = smemrepl(req, len, pSym->sym_name, pSym->sym_val,
pSym->s_len);
}
for(i = 0; i < opts->sym_count; ++i)
{
pSym = &(opts->syms_array[ opts->sym_count - (i+1) ]);
if(pSym->is_len)
len = strrepl(req, len, pSym->sym_name, pSym->sym_val);
}
for(i = 0; i < opts->sym_count; ++i)
{
pSym = &(opts->syms_array[ opts->sym_count - (i+1) ]);
if(!pSym->is_len)
len = strrepl(req, len, pSym->sym_name, pSym->sym_val);
}
}
if(opts->b_sym_count) /* we let this one through in skip cases
because we need the increments to happen. */
{
for(i = 0; i < opts->b_sym_count; ++i)
{
pSym = &(opts->b_syms_array[i]);
len = smemrepl(req, len, pSym->sym_name, pSym->sym_val,
pSym->is_len);
if(pSym->increment)
{
int *increm = (int*)pSym->sym_val;
*increm = (*increm)+1;
}
}
}
if(fuzz_this_time && opts->out_flag)
{
if(opts->hexl_dump)
{
dump(req, len, log);
}
else
{
fwrite(req, len, 1, log);
fwrite("\n", 1, 1, log);
}
}
#ifndef NOPLUGIN
if(fuzz_this_time && g_plugin != NULL &&
((g_plugin->capex() & PLUGIN_PROVIDES_FUZZ_MODIFICATION) ==
PLUGIN_PROVIDES_FUZZ_MODIFICATION))
{
r2 = malloc(len * 2);
r2_len = len * 2;
g_plugin->fuzz_trans(opts, req, len, r2, &r2_len);
tmp = req;
req = r2;
len = r2_len;
}
if(fuzz_this_time && g_plugin != NULL &&
((g_plugin->capex() & PLUGIN_PROVIDES_TRANSPORT_TYPE) ==
PLUGIN_PROVIDES_TRANSPORT_TYPE))
{
res = g_plugin->trans(opts, req, len);
}
else
#endif
if(fuzz_this_time && opts->tcp_flag)
{
res = os_send_tcp(opts, req, len);
}
else if(fuzz_this_time && opts->udp_flag)
{
res = os_send_udp(opts, req, len);
}
#ifndef NOPLUGIN
if(fuzz_this_time && (g_plugin != NULL) &&
((g_plugin->capex() & PLUGIN_PROVIDES_POST_FUZZ) ==
PLUGIN_PROVIDES_POST_FUZZ))
{
g_plugin->post_fuzz(opts, req, len);
}
if(fuzz_this_time && g_plugin != NULL &&
((g_plugin->capex() & PLUGIN_PROVIDES_FUZZ_MODIFICATION) ==
PLUGIN_PROVIDES_FUZZ_MODIFICATION))
{
free(req);
req = tmp;
}
if(fuzz_this_time && g_plugin != NULL &&
((g_plugin->capex() & PLUGIN_PROVIDES_PAYLOAD_PARSE) ==
PLUGIN_PROVIDES_PAYLOAD_PARSE))
{
free(req);
req = tmp2;
}
#endif
if(fuzz_this_time && (opts->new_logfile) && (opts->pLogFilename))
{
char *z_set;
char z_buf[80] = {0};
fclose(opts->fp_log);
z_set = strrchr(opts->pLogFilename, '.');
if(z_set)
*z_set = 0;
snprintf(z_buf, 80, ".%d", fuzznum);
strncat(opts->pLogFilename, z_buf, MAX_FILENAME_SIZE);
opts->fp_log = fopen(opts->pLogFilename, "w");
}
if(res < 0 && opts->stop_on_fail)
return -1;
return 0;
}
int main(int argc, char *argv[])
{
FILE *log = stdout;
struct timeval tv;
option_block options;
int i;
g_plugin = NULL;
sfuzz_setsearchpath(
#ifndef __WIN32__
"./:"PREFIX"/share/sfuzz-db"
#else
"./"
#endif
);
memset(&options, 0, sizeof(options));
gettimeofday(&tv, NULL);
birth = tv.tv_sec;
options.pFilename = malloc(MAX_FILENAME_SIZE);
options.pLogFilename = malloc(MAX_FILENAME_SIZE);
options.host_spec = malloc(MAX_HOSTSPEC_SIZE);
options.port_spec = malloc(MAX_PORTSPEC_SIZE);
options.repl_pol = 2; /* once ! for always, choose 1. */
memset(options.pFilename, 0, MAX_FILENAME_SIZE-1);
memset(options.pLogFilename, 0, MAX_FILENAME_SIZE-1);
/*default line terminator*/
options.line_term[0] = '\n';
options.line_terminator_size = 1;
options.state = CMD_LINE_OPTS;
process_opts(argc, argv, &options);
options.state = INIT_READ;
read_config(&options);
if(options.pLogFilename[0] != 0)
{
if(options.new_logfile)
{
strncat(options.pLogFilename, ".0", MAX_FILENAME_SIZE);
}
log = fopen(options.pLogFilename, "w");
if(log != NULL)
{
options.fp_log = log;
} else
{
fprintf(stderr, "[%s] error: using stdout - unable to open log.\n",
get_time_as_log());
log = stdout;
}
}
if(options.verbosity == VERBOSE)
dump_options(&options);
if(options.verbosity != QUIET)
{
fprintf(log, "[%s] info: beginning fuzz - method:", get_time_as_log());
if(options.tcp_flag)
{
fprintf(log, " tcp,");
} else if(options.udp_flag)
{
fprintf(log, " udp,");
}
else
{
fprintf(log, " io,");
}
fprintf(log, " config from: [%s], out: [%s:%d]\n",
options.pFilename, options.host_spec, options.port);
}
options.state = FUZZ;
execute_fuzz(&options);
if(options.verbosity != QUIET)
fprintf(log, "[%s] completed fuzzing.\n", get_time_as_log());
free( options.pFilename );
free( options.pLogFilename );
free( options.host_spec );
for(i = 0; i < options.num_litr; ++i)
{
free(options.litr[i]);
}
free(options.litr);
free(options.litr_lens);
for(i = 0; i < options.num_seq; ++i)
{
free(options.seq[i]);
}
free(options.seq);
free(options.seq_lens);
/*this might be the better way of doing things =)*/
if(options.sym_count)
free(options.syms_array);
return 0;
}
int ssl_transport_insecure_send(option_block *opts, void *d, int i)
{
FILE *log = stdout;
char spec[2048] = {0};
struct timeval tv;
int sockfd;
fd_set fds;
unsigned long int to = MAX(100, opts->time_out);
int ret;
if(opts->fp_log)
log = opts->fp_log;
if(ssl_bio == NULL)
{
snprintf(spec, 2048, "%s:%d", opts->host_spec, opts->port);
ssl_bio = BIO_new_connect(spec);
if(ssl_bio == NULL)
{
fprintf(stderr, "<ssl_transport:i-send> failure to acquire BIO: [%s]\n",
spec);
return -1;
}
if(BIO_do_connect(ssl_bio) <= 0)
{
fprintf(stderr, "<ssl_transport:i-send> failure to simple connect to: [%s]\n",
spec);
return -1;
}
}
retx:
if(BIO_write(ssl_bio, d, i) <= 0)
{
if(!BIO_should_retry(ssl_bio))
{
fprintf(stderr, "<ssl_transport:i-send> failure to transmit!\n");
ssl_transport_close();
}
goto retx;
}
if(opts->verbosity != QUIET)
fprintf(log, "[%s] <ssl_transport:send> tx fuzz - scanning for reply.\n",
get_time_as_log());
BIO_get_fd(ssl_bio, &sockfd);
FD_ZERO(&fds);
FD_SET(sockfd, &fds);
tv.tv_sec = to / 1000;
tv.tv_usec = (to % 1000) * 1000; /*time out*/
ret = select(sockfd+1, &fds, NULL, NULL, &tv);
if(ret > 0)
{
if(FD_ISSET(sockfd, &fds))
{
char buf[8192] = {0};
int r_len = 0;
ret = BIO_read(ssl_bio, buf, 8192);
if(ret == 0)
{
fprintf(stderr, "<ssl_transport:send> remote closed xon\n");
ssl_transport_close();
}
else if(ret > 0)
{
if(opts->verbosity != QUIET)
fprintf(log,
"[%s] read:\n%s\n===============================================================================\n",
get_time_as_log(),
buf);
}
}
}
if((opts->close_conn) || ((opts->close_conn) && (!opts->forget_conn)))
{
ssl_transport_close();
}
mssleep(opts->reqw_inms);
return 0;
}
