Customizable TCP fuzzing tool to test for remote buffer overflows.
fuzza
Installation
pip install fuzza
Usage
$ fuzza --help
usage: fuzza [-h] [-v] [-c char] [-p str] [-s str] [-l int] [-m int] [-i str]
             [-e str] [-t float] [-d float]
             host port

Customizable TCP fuzzing tool to test for remote buffer overflows.

positional arguments:
  host                  address to connect to.
  port                  port to connect to.

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         Show version information,
  -c char, --char char  Buffer character to send as payload. Default: "A"
  -p str, --prefix str  Prefix string to prepend to buffer. Empty by default.
  -s str, --suffix str  Suffix string to append to buffer. Empty by default.
  -l int, --length int  Initial length to concat buffer string with x*char. Default: 100
  -m int, --multiply int
                        Round multiplier to concat buffer string with x*char every round. Default: 100
  -i str, --init str    If specified, initializes communication before sending the payload in the form
                        '<send>:<expect>,<send>:<expect>,...'. Where <send> is the data to be sent
                        to the server and <expect> is the answer to be received from the server.
                        Either one of <send> or <expect> can be omitted if you expect something without
                        having sent data yet or need to send something for which there will not be an
                        answer. Multiple <send>:<expect> are supported and must be separated by a comma.
                        Regex supported for <expect> part.
  -e str, --exit str    If specified, finalizes communication after sending the payload in the form
                        '<send>:<expect>,<send>:<expect>,...'. Where <send> is the data to be sent
                        to the server and <expect> is the answer to be received from the server.
                        Either one of <send> or <expect> can be omitted if you expect something without
                        having sent data yet or need to send something for which there will not be an
                        answer. Multiple <send>:<expect> are supported and must be separated by a comma.
                        Regex supported for <expect> part.
  -t float, --timeout float
                        Timeout for receiving data before declaring the endpoint as crashed. Default: 30.0
  -d float, --delay float
                        Delay in seconds between each round. Default: 1.0
example:
  The following example illustrates how to use the initial communication by:
    1. Expecting the POP3 server banner
    2. Sending 'USER bob'
    3. Expecting a welcome message
  Additionally, before sending the fuzzing characters, the payload is prepended with 'PASS ',
  so that the actual fuzzing is done on the password:
    1. Prefix payload with 'PASS '
    2. Send payload
  Lastly, in order to also close the connection, the '-e' option is used
  (which works exactly like '-i') to send data after the payload:
    1. Expect any response to the password payload
    2. Terminate the connection via QUIT
  $ fuzza -i ':.*POP3.*,USER bob:.*welcome.*' -e ':.*,QUIT:' -p 'PASS '
Examples
SLMail 5.5 Buffer overflow (CVE-2003-0264, buffer overflow in password)
To see how the raw communication works, have a look at the following netcat snippet:
$ nc mail.example.tld 110
+OK POP3 server mail.example.tld ready <00001.544405549@mail.example.tld>
USER test
+OK test welcome here
PASS LongPassword
-ERR unable to lock mailbox
QUIT
In order to fuzz the password, all previous communication must have happened first. With fuzza, this is achieved with the -i argument, which specifies the initial data to be sent and received. Additionally, we also want to close the connection after sending the payload (if possible). This is achieved with the -e option, which works exactly like -i.
$ fuzza -i ':.*OK POP3.*,USER test:.*test welcome.*' -p 'PASS ' -e ':.*,QUIT:' mail.example.tld 110
------------------------------------------------------------
A * 100
------------------------------------------------------------
Init Awaiting: .*OK POP3.*
Init Received: +OK POP3 server mail.example.tld ready <00005.544236132@mail.example.tld>
Init Sending: USER test
Init Awaiting: test welcome
Init Received: +OK test welcome here
Sending "PASS " + "A"*100 + ""
Exit Awaiting: .*
Exit Received: -ERR unable to lock mailbox
Exit Sending: QUIT
...
------------------------------------------------------------
A * 2700
------------------------------------------------------------
Init Awaiting: .*POP3.*
Init Received: +OK POP3 server mail.example.tld ready <00009.592913389@mail.example.tld>
Init Sending: USER test
Init Awaiting: welcome here
Init Received: +OK test welcome here
Sending "PASS " + "A"*2700 + ""
Exit Awaiting: .*
Remote service (most likely) crashed at 2700 bytes of "A"
Payload sent:
PASS AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
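The '<send>:<expect>' handshake format and the grow-per-round loop shown above, as an added Python example that is not fuzza's own code: parse_steps, run_steps, fake_pop3 and find_crash_length are hypothetical names, and fake_pop3 is a constructed in-process POP3 stand-in that drops the connection once the password reaches 2700 bytes, mirroring the run above.

```python
import re
import socket
import threading
# Hypothetical re-implementation of fuzza's -i/-e handshake and round loop; fake_pop3 is a constructed server.

def parse_steps(spec):
    """'<send>:<expect>,...' -> [(send, expect_regex)]; either side may be empty."""
    return [item.partition(":")[::2] for item in spec.split(",") if item]

def run_steps(sock, steps, timeout):
    """Send each <send>, then require the reply to match <expect> (a regex)."""
    sock.settimeout(timeout)                    # no reply in time -> socket.timeout
    for send, expect in steps:
        if send:
            sock.sendall(send.encode() + b"\r\n")
        if expect:
            data = sock.recv(4096).decode(errors="replace")
            if not data:                        # peer closed the socket: treat as crashed
                raise ConnectionError("connection dropped")
            if not re.search(expect, data):
                raise ValueError(f"expected {expect!r}, got {data!r}")

def fake_pop3(sock, crash_at):
    """Constructed POP3 server: silently drops the connection if PASS is >= crash_at bytes."""
    with sock, sock.makefile("rb") as lines:
        sock.sendall(b"+OK POP3 server mail.example.tld ready\r\n")
        for line in lines:
            cmd, _, arg = line.decode().rstrip("\r\n").partition(" ")
            if cmd == "USER":
                sock.sendall(b"+OK " + arg.encode() + b" welcome here\r\n")
            elif cmd == "QUIT" or (cmd == "PASS" and len(arg) >= crash_at):
                return                          # QUIT ends the session; a long PASS "crashes" it
            elif cmd == "PASS":
                sock.sendall(b"-ERR unable to lock mailbox\r\n")

def find_crash_length(init, exit_, prefix="PASS ", char="A", length=100,
                      multiply=100, rounds=50, timeout=1.0, crash_at=2700):
    """Grow the payload by `multiply` per round until the exit steps get no answer."""
    for _ in range(rounds):
        client, server = socket.socketpair()    # fresh connection every round, like fuzza
        threading.Thread(target=fake_pop3, args=(server, crash_at), daemon=True).start()
        with client:
            run_steps(client, parse_steps(init), timeout)
            client.sendall((prefix + char * length).encode() + b"\r\n")
            try:
                run_steps(client, parse_steps(exit_), timeout)
            except (socket.timeout, ConnectionError):
                return length                   # "(most likely) crashed" at this length
        length += multiply
    return None                                 # no crash within `rounds` rounds
```

With the page's -i and -e strings, find_crash_length returns 2700, the same length at which the real run above stops getting an answer.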
License
Copyright (c) 2020 cytopia
Source Distribution: fuzza-0.3.0.tar.gz (5.9 kB)