Saturday, January 17, 2015

Updated Fuzzer for vulnserver.exe

I have updated the script to cycle through a series of characters instead of manually changing the character after each iteration of the script.  I also added the ability to include the new line, carriage return and line feed, and NOP characters.

I have built this script to introduce the concept of fuzzing in a Computer Science course that I will be teaching.

#!/usr/bin/python

import socket

def optionsMenu(currentCommand, currentChar, currentSeries, currentSize, currentMulti):
print 'Select from the Following Options: '
print '1. List Commands'
print '2. Set Command - "' + currentCommand + '"'
print '3. Set Initial Character or String ("' + currentChar + '")'
print '4. Set String Initial Size ("' + currentChar + '"*' + str(currentSize) + ')'
print '5. Set String Multiplier (("' + currentChar + '"*' + str(currentSize) + ')*' + str(currentMulti) + ')'
print '6. Set Series of Characters to go through after the Initial Character: ' + currentSeries
print '7. Run Fuzzer'
print '9. Exit'
menuOpt = raw_input('>> ')
return menuOpt

def listCommands(conn):
print
conn.send(('HELP' + '\r\n'))
print conn.recv(1024)

def setString(currentChar):
print
print 'Current Character or String: ' + currentChar
print
print 'For the following characters select the numeric value before it:'
print "100. \\n 101. \\r\\n 102. \\x90 or NOP"
print
print '* The above characters can not be used in a series of characters'
print '  at this time.'
print
newChar = raw_input('Set Character> ')
return newChar

def funcSeriesChar(currentSeries):
print
print 'Current Series if Characters or String: ' + currentSeries
newSeries = raw_input('Set Character(s)> ')
return newSeries

def setSize(currentSize):
print
print 'Current Initial Size of String: ' + str(currentSize)
newSize = raw_input('Set Size> ')
return newSize

def setMultiplier(currentMulti):
print
print 'Current Multiplier of String: ' + str(currentMulti)
newMulti = raw_input('Set Multiplier> ')
return newMulti

def funcCommand(currentCommand):
print
print 'Current Command: ' + currentCommand
newCommand = raw_input('Set Command> ')
return newCommand

def runFuzzer(conn, currentCommand, currentChar, currentSeries, currentSize, currentMulti):
print
print currentSeries
if currentSeries == '':
for i in range(0, int(currentMulti)):
buffer = currentCommand + ' '
if currentChar == '100': currentChar = '\x0a'
elif currentChar == '101': currentChar = '\x0d\x0a'
elif currentChar == '102': currentChar = '\x90'
buffer += currentChar * (int(currentSize) * (i+1))
buffer += '\r\n'
#print buffer
conn.send((buffer))
print 'Sent: ' + currentCommand + ' .("' + currentChar + '"*' + str(currentSize) + ')*' + str(i+1) + ' Size of buffer: ' + str(len(buffer))
print conn.recv(1024)
else:
currentSeries = currentChar + currentSeries
for currentSeriesChar in currentSeries:
print currentSeriesChar
for i in range(0, int(currentMulti)):
buffer = currentCommand + ' '
buffer += currentSeriesChar * (int(currentSize) * (i+1))
buffer += '\r\n'
#print buffer
conn.send((buffer))
print 'Sent: ' + currentCommand + ' .("' + currentSeriesChar + '"*' + str(currentSize) + ')*' + str(i+1) + ' Size of buffer: ' + str(len(buffer))
print conn.recv(1024)

def main():
global s
setCommand='STATS'
setChar='A'
setSeriesChar=''
initialSize=50
intMultiplier=1
menuOption = '0'
while menuOption <> '9':
print
menuOption = optionsMenu(setCommand, setChar, setSeriesChar, initialSize, intMultiplier)
if menuOption == '1':
listCommands(s)
elif menuOption == '2':
listCommands(s)
setCommand = funcCommand(setCommand)
elif menuOption == '3':
setChar = setString(setChar)
elif menuOption == '4':
initialSize = setSize(initialSize)
elif menuOption == '5':
intMultiplier = setMultiplier(intMultiplier)
elif menuOption == '6':
setSeriesChar = funcSeriesChar(setSeriesChar)
elif menuOption == '7':
runFuzzer(s, setCommand, setChar, setSeriesChar, initialSize, intMultiplier)
elif menuOption == '9':
break
else:
listCommands(s)


server = '172.16.102.132'
sourcePort = 9999
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sourcePort))
# The following line can be uncommented if you need to send first
print s.recv(1024)

main()

s.close()

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...