
xml2 Fuzzer 1.0

xml2 Fuzzer 1.0
Posted Aug 26, 2013
Authored by x90c

xml2 Fuzzer is a fuzzing utility that daemonizes in order to fuzz the client side of a web browser.

tags | web, fuzzer
SHA-256 | 6ce1679a18a737f7e82c37dd5a21cc85bfe82165cf1e8c95fb312c29f4e930d0

xml2 Fuzzer 1.0

/*

xml2 fuzz ver 1.0

--
C:\x90c\xml2_fuzz> ./xml_fuzz
___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / __. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|

xml2 fuzzer ver 1.0

./xml2_fuzz

xml2 fuzz: listen fuzz daemon [9090/tcp]
--

[Description]:

It is a fuzz daemon that targets a COM object
on the client side, in the web browser.

(1) the xml2 fuzz daemon listens
(2) the web browser opens the URL of the fuzz daemon
(3) the URL request is made to the xml2 COM object with the fuzz string
(for instance, the AAAA fuzz or the numeric fuzz)

the target programs are libxml2 and the msxml2 COM object

note)
Include "stdafx.h" for Win32 and add wsock32.lib
to the link options. I compile-tested it.


x90c

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

/* TCP port the daemon listens on; fuzz_start() binds it on every local interface. */
#define FUZZ_DAEMON_PORT (9090)

/*
fuzz type: the argument of fuzz_start() that selects how the payload
advances between served requests
*/
#define AAAA_FUZZ (1) /* payload is a run of 'A's, one longer per request */
#define NUMERIC_FUZZ (2) /* payload is a decimal counter, positive phase then negative phase */

static char http_res[65535]; /* complete HTTP response sent to each client; rebuilt by set_fuzz_str() */
static char fuzz_str[65535]; /* current fuzz payload, substituted into http_res */
static unsigned int fuzz_int; /* NUMERIC_FUZZ counter */
static int fuzz_int_neg; /* NUMERIC_FUZZ: 0 while counting the positive phase, 1 once in the negative phase */

/* Formats payload mal_str into http_res; exits the process if it does not fit. Defined below. */
void set_fuzz_str(char *mal_str);

/*
 * printf-style template for the HTTP response. It has two conversions, filled
 * in by set_fuzz_str() in this order: "%d" in the Content-Length header, then
 * "%s" as the first argument of xml_http_request.open() in the embedded script.
 * Only the Content-Length line ends in "\r\n"; the other header lines end in a
 * bare "\n". The script re-invokes itself via setTimeout, so the browser keeps
 * requesting "/" from this daemon, which is what drives the accept loop in
 * fuzz_start().
 */
static char fmt_fuzz_str[] = {
"HTTP/1.1 200 OK\n"
"Content-Type: text/html\n"
"Date: Sat Aug 28 1976 09:15:00 GMT\n"
"Expires: Sat Aug 28 1976 09:15:00 GMT\n"
"Cache-Control: no-cache, must-revalidate\n"
"Pragma: no-cache\n"
"Accept-Ranges: bytes\n"
"Content-Length: %d\r\n\r\n" /* %d: value supplied by set_fuzz_str() */
"\n<script>\n"
" function xml2_exploit() {\n"
" var request_url = location.protocol + '//' + location.host + '/'\n"
" var xml_http_request = new ActiveXObject('Msxml2.XMLHTTP.3.0');\n"
" xml_http_request.open(%s, request_url, false);\n" /* %s: current fuzz payload */
" xml_http_request.send();\n"
" setTimeout(xml2_exploit, 1);\n"
" }\n"
" xml2_exploit();\n"
"</script>\n"
"\r\n\r\n"
};

/*
 * Run the fuzz daemon. Binds a TCP listener on FUZZ_DAEMON_PORT on every local
 * interface (INADDR_ANY), accepts one client at a time, answers each request
 * containing "GET / HTTP/1.1" with the current http_res, then advances the
 * fuzz payload according to fuzz_type and waits for the next connection.
 *
 * fuzz_type: AAAA_FUZZ or NUMERIC_FUZZ; any other value leaves the payload
 *            unchanged between requests (the switch has no default).
 * Returns -1 (socket), -2 (bind), -3 (listen) or -4 (accept) on failure, and 0
 * when the payload sequence is exhausted -- or, because of the fall-through
 * noted below, as soon as a request without "GET / HTTP/1.1" arrives.
 *
 * NOTE(review): there is no access control -- any host that can reach the
 * port is served. WSAStartup's result is unchecked and WSACleanup is never
 * called.
 */
int fuzz_start(int fuzz_type) {
int srv_sockfd = 0, cld_sockfd = 0;
struct sockaddr_in srv_addr, cld_addr;
int cld_addr_len = sizeof(struct sockaddr);
char recv_buf[1024];
WSADATA wsaData;
int mal_index = 0; /* unused */
int cnt_aaaa=1; /* AAAA_FUZZ: number of 'A's in the next payload */

WSAStartup(0x202, &wsaData); /* request Winsock 2.2; the return value is ignored */

memset(&srv_addr, 0, sizeof(struct sockaddr_in));
srv_addr.sin_family = AF_INET;
srv_addr.sin_addr.s_addr = INADDR_ANY;
srv_addr.sin_port = htons(FUZZ_DAEMON_PORT);

/* Winsock reports failure as INVALID_SOCKET (~0); stored in an int it reads as
   -1, which the <= 0 test here and the == -1 test at accept() both catch. */
if((srv_sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) <= 0)
return -1;
if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(struct sockaddr)) < 0){
closesocket(srv_sockfd);
return -2;
}
if(listen(srv_sockfd, 1) < 0){ /* backlog of one: a single client at a time */
closesocket(srv_sockfd);
return -3;
}

/* Initial payload is a single 'A'; the numeric counter starts at 0 in the
   positive phase. */
memset(fuzz_str, 0, sizeof fuzz_str);
fuzz_str[0] = 'A';
set_fuzz_str(fuzz_str);
fuzz_int = 0x0;
fuzz_int_neg = 0;

printf("xml2 fuzz: listen fuzz daemon [%d/tcp] \n", FUZZ_DAEMON_PORT);

accept_again: /* one iteration per served request */
if((cld_sockfd = accept(srv_sockfd, (struct sockaddr *)&cld_addr, &cld_addr_len)) == -1){
closesocket(srv_sockfd);
return -4;
}

memset(&recv_buf, 0, sizeof(recv_buf));

recv_again:
/* recv() returning 0 (peer closed) or SOCKET_ERROR is retried on the same
   socket with no exit condition, so a client that connects and disconnects
   without sending leaves the daemon spinning here. */
if(recv(cld_sockfd, &recv_buf[0], sizeof(recv_buf) - 1, 0) <= 0)
goto recv_again;

/* recv_buf was zeroed and at most sizeof - 1 bytes were read, so it is
   NUL-terminated for the %s and the strstr() below; any part of the request
   past the first 1023 bytes is never read. Client data goes through "%s",
   not as the format string itself. */
printf("recv data: %s\n", recv_buf);

/* Only a request containing "GET / HTTP/1.1" is served. Any other request
   (a different path, for example) skips this block, falls through to
   fuzz_end with cld_sockfd still open, and ends the daemon with return 0. */
if(strstr(&recv_buf[0], "GET / HTTP/1.1") != NULL)
{
printf("HTTP response 200\n");
send(cld_sockfd, &http_res[0], strlen(http_res), 0); /* result unchecked; a partial send is not retried */
closesocket(cld_sockfd);

/* Advance the payload for the next request. */
memset(fuzz_str, 0, sizeof fuzz_str);

switch(fuzz_type){
case AAAA_FUZZ: // AAAAAAAA... fuzz: one more 'A' per request, 2 .. 65534, then stop
++cnt_aaaa;
if(cnt_aaaa == 65535)
goto fuzz_end;

/* cnt_aaaa <= 65534 < sizeof fuzz_str, so the terminating NUL written by the
   memset above survives. */
memset(fuzz_str, 'A', cnt_aaaa);
set_fuzz_str(fuzz_str);
break;
case NUMERIC_FUZZ: // 0x00000000 ~ 0xffffffff, -0x00000000 ~ -0xffffffff fuzz
/* fuzz_int is unsigned but printed with %d (a signed conversion); in practice
   values with the top bit set come out as negative decimals even in the
   positive phase. */
if(fuzz_int_neg == 0)
sprintf(fuzz_str, "%d", fuzz_int);
else if(fuzz_int_neg == 1){
if(fuzz_int >= 0xffffffff) /* negative phase exhausted */
goto fuzz_end;

sprintf(fuzz_str, "-%d", fuzz_int);
}

set_fuzz_str(fuzz_str);

++fuzz_int;
if(fuzz_int >= 0xffffffff){ /* positive phase exhausted: restart the counter in the negative phase */
fuzz_int_neg = 1;
fuzz_int = 0x0;
}

break;
}

goto accept_again;
}

fuzz_end:
fprintf(stderr, "xml2 fuzz: fuzz end!\n");
if(srv_sockfd)
closesocket(srv_sockfd);

return 0;
}

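/*
 * Build the HTTP response served to every client: fill http_res from
 * fmt_fuzz_str with the current fuzz payload mal_str substituted for the "%s"
 * inside the script's open() call.
 *
 * mal_str: NUL-terminated payload (the caller passes the fuzz_str buffer).
 *
 * Exits the process with -1 when the payload, or the formatted response, does
 * not fit in http_res. The original used an unbounded sprintf(): http_res and
 * fuzz_str have the same size, so a payload near the limit plus the template
 * text wrote past the end of http_res. snprintf() bounds the write, and the
 * truncation check keeps the original "too long" failure mode instead of
 * serving a cut-off response.
 *
 * The "%d" Content-Length conversion still receives sizeof(http_res), as in
 * the original (the buffer size, not the body length); it is cast to int so
 * the argument type matches the conversion.
 *
 * NOTE: MSVC before 2015 has no snprintf(); _snprintf() is the closest
 * equivalent there and reports truncation as -1, which the check below also
 * treats as failure.
 */
void set_fuzz_str(char *mal_str) {
    int written = 0;

    if (strlen(mal_str) > sizeof(http_res) - 1) {
        printf("xml2 fuzz: too long malformed string\n");
        exit(-1);
    }

    memset(http_res, 0, sizeof(http_res));
    written = snprintf(http_res, sizeof(http_res), fmt_fuzz_str,
                       (int)sizeof(http_res), mal_str);
    /* written >= sizeof means the payload plus template did not fit. */
    if (written < 0 || (size_t)written >= sizeof(http_res)) {
        printf("xml2 fuzz: malformed string does not fit the response buffer\n");
        exit(-1);
    }
}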

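/*
 * ASCII-art banner printed by main() before the daemon starts.
 *
 * Adjacent string literals concatenate on their own, so the line-continuation
 * backslashes of the original are not needed. The original fourth row also
 * contained "\_", which is not a valid C escape sequence (the compiler only
 * warns and drops the backslash); the stray backslash is removed so the row
 * reads as it was meant to.
 */
static char banner[] =
    " ___ ___ \n"
    " / _ \\ / _ \\ \n"
    " __ __| (_) || | | | ___ \n"
    " \\ \\/ / __. || | | | / __| \n"
    " > < / / | |_| || (__ \n"
    " /_/\\_\\ /_/ \\___/ \\___| \n"
    " \n"
    " xml2 fuzzer ver 1.0 \n"
    " \n"
    " ./xml2_fuzz \n"
    " \n";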

/*
 * Entry point: print the banner, then run the daemon in AAAA_FUZZ mode until
 * fuzz_start() returns. A negative result (listener setup failed) is reported
 * on stderr; the process exit status is 0 either way.
 *
 * NUMERIC_FUZZ is the alternative mode; selecting it means calling
 * fuzz_start(NUMERIC_FUZZ) here instead. It is not run by this build.
 */
int main(void) {
    int started;

    fputs(banner, stdout);

    started = fuzz_start(AAAA_FUZZ);
    if (started < 0) {
        fprintf(stderr, "xml2 fuzz: start failed!\n");
    }

    return 0;
}


