Saturday, January 10, 2015

Built Fuzzer for vulnserver.exe using Python

Through searching for information about buffer overflows and exploiting them I found "vulnserver.exe" created by "The Grey Corner" @ http://www.thegreycorner.com/2010/12/introducing-vulnserver.html.

Then I began fuzzing the vulnserver.exe and built the following fuzzer using python, it can be adapted to fuzz other programs by modifying the source code that is listed below.

#!/usr/bin/python

import socket

def optionsMenu(currentCommand, currentChar, currentSize, currentMulti):
print 'Select from the Following Options: '
print '1. List Commands'
print '2. Set Command - "' + currentCommand + '"'
print '3. Set Character or String ("' + currentChar + '")'
print '4. Set String Initial Size ("' + currentChar + '"*' + str(currentSize) + ')'
print '5. Set String Multiplier (("' + currentChar + '"*' + str(currentSize) + ')*' + str(currentMulti) + ')'
print '6. Run Fuzzer'
print '9. Exit'
menuOpt = raw_input('>> ')
return menuOpt

def listCommands(conn):
print
conn.send(('HELP' + '\r\n'))
print conn.recv(1024)

def setString(currentChar):
print
print 'Current Character or String: ' + currentChar
newChar = raw_input('Set Character> ')
return newChar

def setSize(currentSize):
print
print 'Current Initial Size of String: ' + str(currentSize)
newSize = raw_input('Set Size> ')
return newSize

def setMultiplier(currentMulti):
print
print 'Current Multiplier of String: ' + str(currentMulti)
newMulti = raw_input('Set Multiplier> ')
return newMulti

def funcCommand(currentCommand):
print
print 'Current Command: ' + currentCommand
newCommand = raw_input('Set Command> ')
return newCommand

def runFuzzer(conn, currentCommand, currentChar, currentSize, currentMulti):
print
for i in range(0, int(currentMulti)):
buffer = currentCommand + ' '
#buffer = currentCommand + ' .'
buffer += currentChar * (int(currentSize) * (i+1))
buffer += '\r\n'
#print buffer
conn.send((buffer))
print 'Sent: ' + currentCommand + ' .("' + currentChar + '"*' + str(currentSize) + ')*' + str(i+1) + ' Size of buffer: ' + str(len(buffer))
print conn.recv(1024)
print

def main():
global s
setCommand='STATS'
setChar='A'
initialSize=50
intMultiplier=1
menuOption = '0'
while menuOption <> '9':
print
menuOption = optionsMenu(setCommand, setChar, initialSize, intMultiplier)
if menuOption == '1':
listCommands(s)
elif menuOption == '2':
listCommands(s)
setCommand = funcCommand(setCommand)
elif menuOption == '3':
setChar = setString(setChar)
elif menuOption == '4':
initialSize = setSize(initialSize)
elif menuOption == '5':
intMultiplier = setMultiplier(intMultiplier)
elif menuOption == '6':
runFuzzer(s, setCommand, setChar, initialSize, intMultiplier)
elif menuOption == '9':
break
else:
listCommands(s)


server = '172.16.102.132'
sourcePort = 9999
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sourcePort))
# The following line can be uncommented if you need to send first
print s.recv(1024)

main()

s.close()

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...