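#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 only.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
#
# This fuzzer is based on the Peach Framework
#
"""HTTP request-header fuzzer built on the Peach 2.0 preview framework.

A baseline browser-style request is split into fields; each field is a
Peach ``GeneratorList`` that yields its normal value, then the output of the
``Bad*`` generators, then the normal value again.  ``group_master`` walks
those fields one after another, and the outer loop repeats the whole walk
once per request method listed in ``group_how``.
"""

# Importing stuff
import os
import sys
import time

# sys.path does not expand "~" by itself; without expanduser() the Peach
# checkout is silently never found and the imports below fail.
sys.path.append(os.path.expanduser("~/Peach-2.0-Preview-073007/"))

from Peach import *
from Peach.group import *
from Peach.Transformers import *
from Peach.Generators import *
from Peach.Generators.dictionary import *
from Peach.Generators.block import *
from Peach.Generators.data import *
from Peach.Protocols import *
from Peach.Publishers import *
import psyco

# Variables
SERVER = "192.168.94.144"
PORT = 80
START_TIME = time.time()
# Number of request variants the complete run produces; only used for the
# progress/ETA printout (value carried over from the original script).
TOTAL_CASES = 719681
# Print a progress line every this many sent requests.
REPORT_EVERY = 10000

psyco.full()

# Building groups for later on extensibility's sake
group_how = Group()
group_what = Group()
group_with = Group()
group_version = Group()
group_rn = Group()
group_host = Group()
group_host_rn = Group()
group_agent_name = Group()
group_agent_version = Group()
group_agent_inbrackets_1 = Group()
group_agent_inbrackets_2 = Group()
group_agent_inbrackets_3 = Group()
group_agent_inbrackets_4 = Group()
group_agent_inbrackets_5 = Group()
group_agent_engine = Group()
group_agent_engine_version = Group()
group_agent_browser = Group()
group_agent_browser_version = Group()
group_agent_rn = Group()
group_accept_text = Group()
group_accept_application = Group()
group_accept_html = Group()
group_accept_q = Group()
group_accept_plain = Group()
group_accept_image = Group()
group_accept_whatever_a = Group()
group_accept_whatever_b = Group()
group_accept_rn = Group()
group_language_a = Group()
group_language_b = Group()
group_language_q = Group()
group_language_rn = Group()
group_encoding_gzip = Group()
group_encoding_deflate = Group()
group_encoding_rn = Group()
group_charset_a = Group()
group_charset_b = Group()
group_charset_q = Group()
group_charset_crap = Group()
group_charset_rn = Group()
group_keep_value = Group()
group_keep_rn = Group()
group_connection = Group()
group_connection_value = Group()
group_connection_rn = Group()
group_end_rn = Group()

# The Master group to iterate through.  This could later be extended to
# cross-fuzz several fields at once; currently the fields are walked one at a
# time and the only cross-product is with the request method (group_how),
# which the outer loop below advances by hand.
group_master = GroupSequence([
    group_what, group_with, group_version, group_rn,
    group_host, group_host_rn,
    group_agent_name, group_agent_version,
    group_agent_inbrackets_1, group_agent_inbrackets_2, group_agent_inbrackets_3,
    group_agent_inbrackets_4, group_agent_inbrackets_5,
    group_agent_engine, group_agent_engine_version,
    group_agent_browser, group_agent_browser_version, group_agent_rn,
    group_accept_text, group_accept_application, group_accept_html, group_accept_q,
    group_accept_plain, group_accept_image, group_accept_whatever_a,
    group_accept_whatever_b, group_accept_rn,
    group_language_a, group_language_b, group_language_q, group_language_rn,
    group_encoding_gzip, group_encoding_deflate, group_encoding_rn,
    group_charset_a, group_charset_b, group_charset_q, group_charset_crap,
    group_charset_rn,
    group_keep_value, group_keep_rn,
    group_connection, group_connection_value, group_connection_rn,
    group_end_rn,
], "Complete Sequence")

# Building the Block Generator.  Every field follows the same pattern:
# normal value, Bad* generator(s), normal value again, so that the request is
# well-formed before and after the fuzzed values of each field.
http_generator = Block([
    # Request line
    List(group_how, ["HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"]),
    Static(" /"),
    GeneratorList(group_what, [Static(""), BadStrings(), BadPath(), BadFilename(), Static("")]),
    Static(" "),
    GeneratorList(group_with, [Static("HTTP"), BadStrings(), Static("HTTP")]),
    Static("/"),
    GeneratorList(group_version, [Static("1.1"), BadNumbers(), Static("1.1")]),
    Static(" "),
    GeneratorList(group_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Host Line
    Static("Host: "),
    GeneratorList(group_host, [Static("localhost"), BadStrings(), BadHostname(), BadIpAddress(), Static("localhost")]),
    GeneratorList(group_host_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Agent Line
    Static("User-Agent: "),
    GeneratorList(group_agent_name, [Static("Mozilla"), BadStrings(), Static("Mozilla")]),
    Static("/"),
    GeneratorList(group_agent_version, [Static("5.0"), BadNumbers(), Static("5.0")]),
    Static(" ("),
    GeneratorList(group_agent_inbrackets_1, [Static("X11"), BadStrings(), Static("X11")]),
    Static("; "),
    GeneratorList(group_agent_inbrackets_2, [Static("U"), BadStrings(), Static("U")]),
    Static("; "),
    GeneratorList(group_agent_inbrackets_3, [Static("Linux i686"), BadStrings(), Static("Linux i686")]),
    Static("; "),
    GeneratorList(group_agent_inbrackets_4, [Static("de"), BadStrings(), Static("de")]),
    Static("; rv:"),
    GeneratorList(group_agent_inbrackets_5, [Static("1.8.1.5"), BadNumbers(), Static("1.8.1.5")]),
    Static(") "),
    GeneratorList(group_agent_engine, [Static("Gecko"), BadStrings(), Static("Gecko")]),
    Static("/"),
    GeneratorList(group_agent_engine_version, [Static("20070731"), BadStrings(), BadNumbers(), BadDate(), Static("20070731")]),
    Static(" "),
    GeneratorList(group_agent_browser, [Static("Firefox"), BadStrings(), Static("Firefox")]),
    Static("/"),
    GeneratorList(group_agent_browser_version, [Static("2.0.0.5"), BadNumbers(), Static("2.0.0.5")]),
    GeneratorList(group_agent_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Accept Line
    Static("Accept: text/"),
    GeneratorList(group_accept_text, [Static("xml"), BadStrings(), Static("xml")]),
    Static(",application/"),
    GeneratorList(group_accept_application, [Static("xml"), BadStrings(), Static("xml")]),
    Static(",application/xhtml+xml,"),
    GeneratorList(group_accept_html, [Static("text"), BadStrings(), Static("text")]),
    Static("/html;q="),
    GeneratorList(group_accept_q, [Static("0.9"), BadNumbers(), Static("0.9")]),
    Static(","),
    GeneratorList(group_accept_plain, [Static("text"), BadStrings(), Static("text")]),
    Static("/plain;q=0.8,image/"),
    GeneratorList(group_accept_image, [Static("png"), BadStrings(), Static("png")]),
    Static(","),
    GeneratorList(group_accept_whatever_a, [Static("*"), BadStrings(), Static("*")]),
    Static("/"),
    GeneratorList(group_accept_whatever_b, [Static("*"), BadStrings(), Static("*")]),
    Static(";q=0.5"),
    GeneratorList(group_accept_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Accept-Language Line
    Static("Accept-Language: "),
    GeneratorList(group_language_a, [Static("en-us"), BadStrings(), Static("en-us")]),
    Static(","),
    GeneratorList(group_language_b, [Static("en"), BadStrings(), Static("en")]),
    Static(";q="),
    GeneratorList(group_language_q, [Static("0.8"), BadNumbers(), Static("0.8")]),
    Static(",de;q=0.5,de-de;q=0.3"),
    GeneratorList(group_language_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Accept-Encoding Line
    Static("Accept-Encoding: "),
    GeneratorList(group_encoding_gzip, [Static("gzip"), BadStrings(), Static("gzip")]),
    Static(","),
    GeneratorList(group_encoding_deflate, [Static("deflate"), BadStrings(), Static("deflate")]),
    GeneratorList(group_encoding_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Accept-Charset Line
    Static("Accept-Charset: "),
    GeneratorList(group_charset_a, [Static("ISO-8859-1"), BadStrings(), Static("ISO-8859-1")]),
    Static(","),
    GeneratorList(group_charset_b, [Static("utf-8"), BadStrings(), Static("utf-8")]),
    Static(";q="),
    GeneratorList(group_charset_q, [Static("0.7"), BadNumbers(), Static("0.7")]),
    Static(","),
    GeneratorList(group_charset_crap, [Static("*"), BadStrings(), Static("*")]),
    Static(";q=0.7"),
    GeneratorList(group_charset_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Keep-Alive Line
    Static("Keep-Alive: "),
    GeneratorList(group_keep_value, [Static("300"), BadNumbers(), Static("300")]),
    GeneratorList(group_keep_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # Connection Line
    GeneratorList(group_connection, [Static("Connection"), BadStrings(), Static("Connection")]),
    Static(": "),
    GeneratorList(group_connection_value, [Static("keep-alive"), BadStrings(), Static("keep-alive")]),
    GeneratorList(group_connection_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),

    # End rn
    GeneratorList(group_end_rn, [Static("\r\n"), BadStrings(), Static("\r\n")]),
])


def _report_progress(count):
    """Print the number of requests sent so far and a rough time-left estimate.

    The original line computed ``TOTAL/count * elapsed`` with integer
    division, which is (roughly) the total expected run time rather than the
    time remaining; the estimate here is ``elapsed * remaining / done``.
    """
    elapsed = time.time() - START_TIME
    remaining = elapsed * (TOTAL_CASES - count) / float(count)
    print(repr(count) + "/" + repr(TOTAL_CASES))
    print("Time Elapsed: " + repr(elapsed) + " Seconds")
    print("Time Left: " + repr(remaining) + " Seconds")


def _send_with_retry(transmit, payload):
    """Resend *payload* on the publisher until a send() call succeeds.

    Only ``Exception`` subclasses are retried: the original bare ``except``
    also swallowed KeyboardInterrupt and SystemExit, which made the retry
    loop impossible to interrupt once the publisher kept failing.
    """
    while True:
        try:
            transmit.send(payload)
            return
        except Exception:
            continue


x = 1
transmit = tcp.Tcp(SERVER, PORT)
while True:
    try:
        group_master.reset()
        while True:
            try:
                # Packet Printout Routine
                # print(http_generator.getValue())
                try:
                    transmit.start()
                except Exception:
                    print("ERROR - Server not responding")
                    print("Last package sent:")
                    print(http_generator.getValue())
                    sys.exit()
                # stop() is in a finally so that GroupCompleted raised by
                # next() cannot leave a started publisher open.
                try:
                    group_master.next()
                    _send_with_retry(transmit, http_generator.getValue())
                finally:
                    transmit.stop()
                x += 1
                if x % REPORT_EVERY == 0:
                    _report_progress(x)
            except GroupCompleted:
                print(group_how.getAllGenerators()[0].getValue() + " Fuzzing Complete")
                break
        print(http_generator.getValue())
        # Move on to the next request method and walk all fields again.
        group_how.next()
    except GroupCompleted:
        print("Fuzzer Completed")
        break
print(x)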