Fuzzer
Fuzzers are used either against applications in general or against one precisely chosen function of an application. In this part we'll show how to fuzz the most common services using Ruby. Remember, fuzzing is an art of hitting things; it's not about the tools.
Fuzzer Types
  • Mutation
  • Metadata/File format

Mutation

FTP Fuzzer

The general idea of fuzzing an FTP service is to test the buffer size every command accepts. The case isn't always the same, though: for example, the username and password buffers are tested before login, while most other commands are tested after it. The same technique can be applied to many other services, including custom ones.
```ruby
#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
# Simple FTP COMMANDS Fuzzer
#
require 'socket'

class String
  def red; colorize(self, "\e[31m"); end
  def green; colorize(self, "\e[32m"); end
  def colorize(text, color_code); "#{color_code}#{text}\e[0m" end
end

mark_Red = "[+]".red
mark_Green = "[+]".green

host = ARGV[0] || "127.0.0.1"
port = (ARGV[1] || 21).to_i

# List of FTP protocol commands
cmds = ["MKD","ACCL","TOP","CWD","STOR","STAT","LIST","RETR","NLST","LS","DELE","RSET","NOOP","UIDL","USER","APPE"]

# Build the list of evil buffers once, before fuzzing: 1, 101, 201, ... bytes
buffer = []
counter = 1
while buffer.length <= 40
  buffer << "A" * counter
  counter += 100
end

cmds.each do |cmd|
  buffer.each do |buf|
    # Fresh connection and login for every payload, so a dead session
    # from one buffer does not hide the result of the next one
    s = TCPSocket.open(host, port)
    s.recv(1024)                      # banner
    s.send("USER ftp\r\n", 0)
    s.recv(1024)
    s.send("PASS ftp\r\n", 0)
    s.recv(1024)
    puts mark_Red + " Sending " + "#{cmd} ".green + "Command with " + "#{buf.size} bytes ".green + "Evil buffer" + ".".green
    s.send(cmd + " " + buf + "\r\n", 0)
    s.recv(1024)
    s.send("QUIT\r\n", 0)
    s.close
  end
  puts "~~~~~~~~~~~~~~~~~~~~".red
  sleep 0.5
end
```
I was thinking of making it a bit more elegant to give myself a chance to inspect and configure each command separately.
```ruby
#!/usr/bin/env ruby
#
# KING SABRI | @KINGSABRI
# Simple FTP COMMANDS Fuzzer
#
require 'socket'

if ARGV.size < 1
  puts "#{__FILE__} <host> [port]"
  exit 0
else
  @host = ARGV[0]
  @port = (ARGV[1] || 21).to_i
end

# Open a fresh connection, send one payload and close. A refused or reset
# connection means the service died on the previous payload.
def fuzz(payload)
  begin
    s = TCPSocket.open(@host, @port)
    s.recv(2048)                     # banner
    s.send payload, 0
    s.recv(2048)
    s.close
  rescue
    puts "Crash detected after #{payload.size} bytes"
    exit 0
  end
end

# Insertion points. Each command gets its own filler character, so the point
# that crashed the service is recognisable in a debugger. Called without
# arguments it returns the whole hash (used below for its keys).
def insertion(point="", buffer=0)
  buffer = buffer * 10
  points =
  {
    core: "A" * buffer,              # Comment out this line if it hangs the fuzzer
    user: "USER " + "B" * buffer + "\r\n",
    pass: "PASS " + "C" * buffer + "\r\n",
    accl: "ACCL " + "D" * buffer + "\r\n",
    appe: "APPE " + "E" * buffer + "\r\n",
    cwd:  "CWD "  + "F" * buffer + "\r\n",
    dele: "DELE " + "G" * buffer + "\r\n",
    list: "LIST " + "H" * buffer + "\r\n",
    ls:   "LS "   + "I" * buffer + "\r\n",
    mkd:  "MKD "  + "J" * buffer + "\r\n",
    nlst: "NLST " + "K" * buffer + "\r\n",
    noop: "NOOP " + "L" * buffer + "\r\n",
    retr: "RETR " + "M" * buffer + "\r\n",
    rset: "RSET " + "N" * buffer + "\r\n",
    stat: "STAT " + "O" * buffer + "\r\n",
    stor: "STOR " + "P" * buffer + "\r\n",
    top:  "TOP "  + "Q" * buffer + "\r\n",
    uidl: "UIDL " + "R" * buffer + "\r\n"
  }
  return points[point] unless point.empty?
  points
end

puts "[+] Fuzzing #{@host} on port #{@port}..."
insertion.keys.each do |point|
  (1..500).each do |buffer|
    payload = insertion(point, buffer)
    puts "[+] Fuzzing #{point}: #{payload.size} bytes"
    fuzz payload
  end
end
```
Note that this script can be used for other line-based protocols (IMAP, POP3, etc.) since it only deals with raw sockets.
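The scripts above need a live service to hit. As an added example (not part of the original page nor King Sabri's code), the following version runs the same buffer-size sweep against a mock FTP-style server started in the same process, so the crash-detection logic can be exercised offline. The mock server, its 240-byte argument limit, the command list and the step size are all constructed for this example; the detection rule (the server drops the connection without replying, or refuses the next one) is the same one the page's `fuzz` method relies on.

```ruby
#!/usr/bin/env ruby
# Added example: command fuzzer with crash detection, run against an
# in-process mock server. Nothing here is the page's or the author's code.
require 'socket'

MAX_ARG = 240                       # constructed limit of the mock server

# Mock "FTP" service: greets, answers every command with 200, and simulates
# a crash (closes the socket without a reply) when an argument exceeds max_arg.
def serve_client(c, max_arg)
  c.write("220 mock ftp ready\r\n")
  while (line = c.gets)
    verb, arg = line.chomp.split(' ', 2)
    arg ||= ''
    break if verb == 'QUIT'
    break if arg.bytesize > max_arg # simulated crash
    c.write("200 #{verb} ok\r\n")
  end
rescue IOError, SystemCallError
  # client went away; nothing to do
ensure
  c.close
end

# Returns [server, accept_thread]; the port is chosen by the OS.
def start_mock_ftp(max_arg = MAX_ARG)
  server = TCPServer.new('127.0.0.1', 0)
  thread = Thread.new do
    begin
      loop do
        client = server.accept
        Thread.new(client) { |c| serve_client(c, max_arg) }
      end
    rescue IOError, SystemCallError
      # listening socket closed: stop accepting
    end
  end
  [server, thread]
end

# Send one payload on a fresh connection. A crash is reported when the server
# closes without answering (recv returns "") or the connection fails outright.
def probe(host, port, payload)
  s = TCPSocket.new(host, port)
  s.recv(1024)                      # banner
  s.send(payload, 0)
  reply = s.recv(1024).to_s
  s.send("QUIT\r\n", 0) unless reply.empty?
  reply.empty? ? :crash : :ok
rescue SystemCallError, IOError
  :crash
ensure
  s&.close
end

COMMANDS = %w[USER PASS CWD MKD STOR RETR LIST]   # constructed command list

# Same idea as the page's insertion hash: one filler character per command.
def insertion_points(size)
  COMMANDS.each_with_index.map do |cmd, i|
    [cmd.downcase.to_sym, "#{cmd} #{(65 + i).chr * size}\r\n"]
  end.to_h
end

# Sweep each insertion point in `step` byte increments and record the first
# size that crashed the service (nil when none did up to `max`).
def fuzz_points(host, port, step: 10, max: 500)
  results = {}
  insertion_points(1).each_key do |point|
    results[point] = nil
    (step..max).step(step) do |size|
      if probe(host, port, insertion_points(size)[point]) == :crash
        results[point] = size
        break
      end
    end
  end
  results
end

# Start the mock, fuzz it, tear it down, return {point => crash_size}.
def run_demo
  server, thread = start_mock_ftp
  results = fuzz_points('127.0.0.1', server.addr[1])
  server.close
  thread.kill
  results
end

if __FILE__ == $0
  run_demo.each do |point, size|
    puts "#{point}: #{size ? "crash at #{size} bytes" : 'no crash up to limit'}"
  end
end
```

With a 240-byte limit and a 10-byte step, every insertion point reports its first crash at 250 bytes; against a real target the per-point sizes differ, and that difference is exactly the information the second script on this page is designed to surface.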