Fuzzer

Fuzzers usually used for general or precisely applications functions. In this part we’ll show how to fuzz most known services using ruby. Remember, Fuzzing is an Art of Hitting Things, it’s not about the tools.

Fuzzer Types

  • Mutation
  • Metadata/File format

Mutation

FTP Fuzzer

The general idea of fuzzing FTP service is to test all commands buffer sizes. However, not the case isn’t the same all the time, for example, testing username and password buffers. In addition, the same technique could be applied for many services even customized services.

  1. #!/bin/ruby
  2. # KING SABRI | @KINGSABRI
  3. # Simple FTP COMMNDS Fuzzer
  4. #
  5. require 'socket'
  7. class String
  8.   def red; colorize(self, "\e[31m"); end
  9.   def green; colorize(self, "\e[32m"); end
  10.   def colorize(text, color_code);  "#{color_code}#{text}\e[0m" end
  11. end
  13. mark_Red   = "[+]".red
  14. mark_Green = "[+]".green
  17. host = ARGV[0] || "127.0.0.1"
  18. port = ARGV[1] || 21
  20. # List of FTP protocol commands
  21. cmds = ["MKD","ACCL","TOP","CWD","STOR","STAT","LIST","RETR","NLST","LS","DELE","RSET","NOOP","UIDL","USER","APPE"]
  23. buffer  = ["A"]
  24. counter = 1
  26. cmds.each do |cmd|
  27.   buffer.each do |buf|
  29.     while buffer.length <= 40
  30.       buffer << "A" * counter
  31.       counter += 100
  32.     end
  34.     s = TCPSocket.open(host, port)
  35.     s.recv(1024)
  36.     s.send("USER ftp\r\n", 0)
  37.     s.recv(1024)
  38.     s.send("PASS ftp\r\n", 0)
  39.     s.recv(1024)
  40.     puts mark_Red + " Sending " + "#{cmd} ".green + "Command with " + "#{buf.size} bytes ".green  + "Evil buffer" + ".".green
  41.     s.send(cmd + " " + buf + "\r\n", 0)
  42.     s.recv(1024)
  43.     s.send("QUIT\r\n", 0)
  44.     s.close
  45.   end
  46.   puts "~~~~~~~~~~~~~~~~~~~~".red
  47.   sleep 0.5
  48. end

I was thinking of making it a bit more elegant to give myself a chance to inspect and configure each command separately.

  1. #!/usr/bin/evn ruby
  2. #
  3. # KING SABRI | @KINGSABRI
  4. # Simple FTP COMMNDS Fuzzer
  5. #
  6. require 'socket'
  8. if ARGV.size < 1 
  9.   puts "#{__FILE__} <host> [port]"
  10.   exit 0 
  11. else
  12.   @host = ARGV[0]
  13.   @port = ARGV[1] || 21
  14. end
  16. def fuzz(payload)
  17.   begin 
  18.   s = TCPSocket.open(@host, @port)
  19.   s.recv(2048)
  20.   s.send payload, 0
  21.   s.recv(2048)
  22.   s.close
  23.   rescue
  24.     puts "Crash detected after #{payload.size} bytes"
  25.     exit 0
  26.   end
  27. end
  29. def insertion(point="", buffer=0)
  30.   buffer = buffer * 10
  31.   points = 
  32.     {
  33.       core:           "A" * buffer, # Comment this line is it hangs the fuzzer
  34.       user: "USER " + "B" * buffer + "\r\n",
  35.       pass: "PASS " + "C" * buffer + "\r\n",
  36.       accl: "ACCL " + "D" * buffer + "\r\n",
  37.       appe: "APPE " + "E" * buffer + "\r\n",
  38.       cmd:  "CWD "  + "F" * buffer + "\r\n",
  39.       dele: "DELE " + "G" * buffer + "\r\n",
  40.       list: "LIST " + "H" * buffer + "\r\n",
  41.       ls:   "LS "   + "I" * buffer + "\r\n",
  42.       mkd:  "MKD "  + "J" * buffer + "\r\n",
  43.       nlst: "NLST " + "K" * buffer + "\r\n",
  44.       noop: "NOOP " + "L" * buffer + "\r\n",
  45.       retr: "RETR " + "M" * buffer + "\r\n",
  46.       rest: "RSET " + "N" * buffer + "\r\n",
  47.       stat: "STAT " + "O" * buffer + "\r\n",
  48.       stor: "STOR " + "P" * buffer + "\r\n",
  49.       top:  "TOP "  + "Q" * buffer + "\r\n",
  50.       uidl: "UIDL " + "R" * buffer + "\r\n"
  51.       }
  52.   return points[point] unless point.empty?
  53.   points
  54. end
  56. puts "[+] Fuzzing #{@host} on port #{@port}..."
  57. insertion.keys.each do |point|
  58.   (1..500).each do |buffer|
  60.     puts "[+] Fuzzing #{point.to_s}: #{insertion(point, buffer).size} bytes"
  61.     fuzz insertion(point, buffer)
  63.   end
  64. end

Note that, this script can be used for other protocols (IMAP, POP3, etc) since it deals with socket!.