fuzza
Customizable TCP fuzzing tool to test for remote buffer overflows.
Installation
pip install fuzza
Usage
$ fuzza --help
usage: fuzza [-h] [-v] [-c char] [-p str] [-s str] [-l int] [-m int] [-i str]
[-a str] [-t float] [-d float]
host port
Customizable TCP fuzzing tool to test for remote buffer overflows.
positional arguments:
host address to connect to.
port port to connect to.
optional arguments:
-h, --help show this help message and exit
-v, --version Show version information.
-c char, --char char Buffer character to send as payload. Default: "A"
-p str, --prefix str Prefix string to prepend to buffer. Empty by default.
-s str, --suffix str Suffix string to append to buffer. Empty by default.
-l int, --length int Initial length to concat buffer string with x*char. Default: 100
-m int, --multiply int Round multiplier to concat buffer string with x*char every round.
Default: 100
-i str, --init str If specified, initializes communication in the form
'<send>:<expect>,<send>:<expect>,...'. Where <send> is the data
to be sent to the server and <expect> is the answer to be
received from the server. Regex supported for <expect> part.
-a str, --answer str If specified, will stop if answer is not received from
endpoint. Regex supported.
-t float, --timeout float Timeout for receiving data before declaring the endpoint as
crashed. Default: 30.0
-d float, --delay float Delay in seconds between each round. Default: 1.0
example:
The following example illustrates how to use the initial communication by:
1. Expecting the POP3 server banner
2. Sending 'USER bob'
3. Expecting a welcome message
Additionally, before sending the fuzzing characters, they are prepended with 'PASS ',
so that the actual fuzzing can be done on the password:
$ fuzza -i ':.*POP3.*,USER bob:.*welcome.*' -p 'PASS '
Examples
SLMail 5.5 Buffer overflow
- CVE-2003-0264 - buffer overflow in password.
To see how the raw communication works, have a look at the following netcat snippet:
$ nc mail.example.tld 110
+OK POP3 server mail.example.tld ready <00001.544405549@mail.example.tld>
USER test
+OK test welcome here
PASS LongPassword
In order to fuzz the password, all previous communication must have happened. Using fuzza, this can be achieved with the -i argument, which specifies the initial data to be sent and received:
$ fuzza -i ':.*OK POP3.*,USER test:.*test welcome.*' -p 'PASS ' mail.example.tld 110
------------------------------------------------------------
A * 100
------------------------------------------------------------
Init Awaiting: .*OK POP3.*
Init Received: +OK POP3 server mail.example.tld ready <00005.544236132@mail.example.tld>
Init Sending: USER test
Init Awaiting: test welcome
Init Received: +OK test welcome here
Sending "PASS " + "A"*100 + ""
...
------------------------------------------------------------
A * 4000
------------------------------------------------------------
Init Awaiting: .*OK POP3.*
Remote service (most likely) crashed at 3000 bytes of "A"
Payload sent:
PASS AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
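The walkthrough above shows two things that are easy to misread in the output: how the -i handshake string is turned into send/expect steps, and why the tool reports "crashed at 3000 bytes" while the header already says "A * 4000" (the crash is only noticed when the next round's handshake gets no banner). The following is an added example, not fuzza's own code, that models both behaviours in Python against a constructed in-process stand-in for the POP3 endpoint (FakePop3) instead of a network socket. Assumptions that the page does not state are marked in the comments: the -i string is split on ',' and each step on its first ':', and each round grows the buffer by the -m value (inferred from the 100 ... 4000 progression in the README output).

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class InitStep:
    """One '<send>:<expect>' pair of the -i argument."""
    send: str
    expect: "re.Pattern[str]"


def parse_init(spec: str) -> List[InitStep]:
    """Parse '<send>:<expect>,<send>:<expect>,...'.

    Assumption (not stated on the page): steps are split on ',' and each
    step on its first ':', so neither character may appear inside <send>.
    An empty <send> (as in ':.*POP3.*') means 'only wait for the banner'.
    """
    steps = []
    for item in (spec.split(",") if spec else []):
        send, sep, expect = item.partition(":")
        if not sep:
            raise ValueError(f"init step lacks ':' separator: {item!r}")
        steps.append(InitStep(send, re.compile(expect)))
    return steps


def payload_lengths(length: int, multiply: int, limit: int) -> Iterator[int]:
    """Buffer size per round: -l on the first round, then -m more each round
    (assumed from the 100 ... 4000 progression shown in the README)."""
    size = length
    while size <= limit:
        yield size
        size += multiply


class FakePop3:
    """Constructed stand-in for a POP3 service (no network involved).
    It stops answering once a PASS argument reaches `crash_at` bytes, which
    is exactly what a crashed remote service looks like to the client."""

    def __init__(self, crash_at: int):
        self.crash_at = crash_at
        self.alive = True
        self.banner_pending = True
        self._last = ""

    def connect(self) -> None:
        self.banner_pending = True          # every round opens a new connection

    def recv(self) -> Optional[str]:
        if not self.alive:
            return None                     # read times out: dead service, no banner
        if self.banner_pending:
            self.banner_pending = False
            return "+OK POP3 server mail.example.tld ready"
        return self._last

    def send(self, line: str) -> None:
        if not self.alive:
            return
        cmd, _, arg = line.partition(" ")
        if cmd == "USER":
            self._last = f"+OK {arg} welcome here"
        elif cmd == "PASS":
            if len(arg) >= self.crash_at:
                self.alive = False          # simulated overflow: the service dies
            else:
                self._last = "-ERR invalid password"
        else:
            self._last = "-ERR unknown command"


def run_init(endpoint: FakePop3, steps: List[InitStep]) -> bool:
    """Replay the -i handshake. False when the endpoint stops answering or an
    answer does not match its <expect> regex (Init Awaiting / Init Received)."""
    for step in steps:
        if step.send:
            endpoint.send(step.send)
        answer = endpoint.recv()
        if answer is None or not step.expect.search(answer):
            return False
    return True


def fuzz(endpoint: FakePop3, steps: List[InitStep], prefix: str, char: str,
         length: int, multiply: int, limit: int,
         answer: Optional[str] = None) -> Optional[int]:
    """Run rounds the way the README describes: handshake, then send
    prefix + char*size. Returns the size at which the service was judged to
    have crashed, or None if it survived every round up to `limit`."""
    answer_re = re.compile(answer) if answer else None
    last_sent = None
    for size in payload_lengths(length, multiply, limit):
        endpoint.connect()
        if not run_init(endpoint, steps):
            return last_sent                # no banner: the previous payload took it down
        endpoint.send(prefix + char * size)
        last_sent = size
        if answer_re is not None:           # -a: a missing/mismatched reply counts now
            reply = endpoint.recv()
            if reply is None or not answer_re.search(reply):
                return size
    return None


if __name__ == "__main__":
    handshake = parse_init(":.*OK POP3.*,USER test:.*test welcome.*")
    print(fuzz(FakePop3(crash_at=3000), handshake, "PASS ", "A", 100, 100, 5000))
```

Without -a, the crash is attributed to the last payload the service accepted, which is why the README output says 3000 bytes under the "A * 4000" header; with an -a regex the stop happens in the same round the reply goes missing. When reproducing a finding, record both the reported size and the round header, since the two differ by one round in the default mode.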
License
Copyright (c) 2020 cytopia
Download files
Source Distribution: fuzza-0.2.0.tar.gz (5.3 kB)
Built Distribution: fuzza-0.2.0-py2.py3-none-any.whl
Hashes for fuzza-0.2.0-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 65b3234ac2d28b99f7439b34f5b129f42faa065122264375fb523675c0559cb0
MD5 | 1478c22408e8873f5cd051519520d62d
BLAKE2b-256 | 6df9e406e8ea1b0a1581897eb3073e63f464a787ed69ac5d402a3164dedfb070