what you don't know can hurt you

xml2 Fuzzer 1.0

xml2 Fuzzer 1.0
Posted Aug 26, 2013
Authored by x90c

xml2 Fuzzer is a fuzzing utility that daemonizes in order to fuzz the client side of a web browser.

tags | web, fuzzer
MD5 | 1ca43872c1fd3985bebc49cea04c3ac4

xml2 Fuzzer 1.0

Change Mirror Download
/*

xml2 fuzz ver 1.0

--
C:\x90c\xml2_fuzz> ./xml_fuzz
___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / __. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|

xml2 fuzzer ver 1.0

./xml2_fuzz

xml2 fuzz: listen fuzz daemon [9090/tcp]
--

[Description]:

It's a fuzz daemon to exploit
to com object of client side in
web browser

(1) xml2 fuzz daemon listen
(2) web browser open url of the fuzz daemon
(3) the url request to xml2 COM object with fuzz str
for instance, AAAA fuzz, numeric fuzz

target program is libxml2, msxml2 com object

note)
Include "stdafx.h" for win32 and add wsock32.lib
to link option. I did compile test for it


x90c

*/

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>

#define FUZZ_DAEMON_PORT (9090)

/*
fuzz type
*/
#define AAAA_FUZZ (1)
#define NUMERIC_FUZZ (2)

static char http_res[65535];
static char fuzz_str[65535];
static unsigned int fuzz_int;
static int fuzz_int_neg;

void set_fuzz_str(char *mal_str);

static char fmt_fuzz_str[] = {
"HTTP/1.1 200 OK\n"
"Content-Type: text/html\n"
"Date: Sat Aug 28 1976 09:15:00 GMT\n"
"Expires: Sat Aug 28 1976 09:15:00 GMT\n"
"Cache-Control: no-cache, must-revalidate\n"
"Pragma: no-cache\n"
"Accept-Ranges: bytes\n"
"Content-Length: %d\r\n\r\n"
"\n<script>\n"
" function xml2_exploit() {\n"
" var request_url = location.protocol + '//' + location.host + '/'\n"
" var xml_http_request = new ActiveXObject('Msxml2.XMLHTTP.3.0');\n"
" xml_http_request.open(%s, request_url, false);\n"
" xml_http_request.send();\n"
" setTimeout(xml2_exploit, 1);\n"
" }\n"
" xml2_exploit();\n"
"</script>\n"
"\r\n\r\n"
};

int fuzz_start(int fuzz_type) {
int srv_sockfd = 0, cld_sockfd = 0;
struct sockaddr_in srv_addr, cld_addr;
int cld_addr_len = sizeof(struct sockaddr);
char recv_buf[1024];
WSADATA wsaData;
int mal_index = 0;
int cnt_aaaa=1;

WSAStartup(0x202, &wsaData);

memset(&srv_addr, 0, sizeof(struct sockaddr_in));
srv_addr.sin_family = AF_INET;
srv_addr.sin_addr.s_addr = INADDR_ANY;
srv_addr.sin_port = htons(FUZZ_DAEMON_PORT);

if((srv_sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) <= 0)
return -1;
if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(struct sockaddr)) < 0){
closesocket(srv_sockfd);
return -2;
}
if(listen(srv_sockfd, 1) < 0){
closesocket(srv_sockfd);
return -3;
}

memset(fuzz_str, 0, sizeof fuzz_str);
fuzz_str[0] = 'A';
set_fuzz_str(fuzz_str);
fuzz_int = 0x0;
fuzz_int_neg = 0;

printf("xml2 fuzz: listen fuzz daemon [%d/tcp] \n", FUZZ_DAEMON_PORT);

accept_again:
if((cld_sockfd = accept(srv_sockfd, (struct sockaddr *)&cld_addr, &cld_addr_len)) == -1){
closesocket(srv_sockfd);
return -4;
}

memset(&recv_buf, 0, sizeof(recv_buf));

recv_again:
if(recv(cld_sockfd, &recv_buf[0], sizeof(recv_buf) - 1, 0) <= 0)
goto recv_again;

printf("recv data: %s\n", recv_buf);

if(strstr(&recv_buf[0], "GET / HTTP/1.1") != NULL)
{
printf("HTTP response 200\n");
send(cld_sockfd, &http_res[0], strlen(http_res), 0);
closesocket(cld_sockfd);

memset(fuzz_str, 0, sizeof fuzz_str);

switch(fuzz_type){
case AAAA_FUZZ: // AAAAAAAA... fuzz
++cnt_aaaa;
if(cnt_aaaa == 65535)
goto fuzz_end;

memset(fuzz_str, 'A', cnt_aaaa);
set_fuzz_str(fuzz_str);
break;
case NUMERIC_FUZZ: // 0x00000000 ~ 0xffffffff, -0x00000000 ~ -0xffffffff fuzz
if(fuzz_int_neg == 0)
sprintf(fuzz_str, "%d", fuzz_int);
else if(fuzz_int_neg == 1){
if(fuzz_int >= 0xffffffff)
goto fuzz_end;

sprintf(fuzz_str, "-%d", fuzz_int);
}

set_fuzz_str(fuzz_str);

++fuzz_int;
if(fuzz_int >= 0xffffffff){
fuzz_int_neg = 1;
fuzz_int = 0x0;
}

break;
}

goto accept_again;
}

fuzz_end:
fprintf(stderr, "xml2 fuzz: fuzz end!\n");
if(srv_sockfd)
closesocket(srv_sockfd);

return 0;
}

void set_fuzz_str(char *mal_str) {
if(strlen(mal_str) > 65535-1){
printf("xml2 fuzz: too long malformed string\n");
exit(-1);
}
memset((void *)&http_res, 0, sizeof(http_res));
sprintf(http_res, fmt_fuzz_str, sizeof(http_res), mal_str);
}

static char banner[] = {
" ___ ___ \n" \
" / _ \\ / _ \\ \n" \
" __ __| (_) || | | | ___ \n" \
" \\ \\/ / \__. || | | | / __| \n" \
" > < / / | |_| || (__ \n" \
" /_/\\_\\ /_/ \\___/ \\___| \n" \
" \n" \
" xml2 fuzzer ver 1.0 \n" \
" \n" \
" ./xml2_fuzz \n" \
" \n"
};

int main() {
int ret = 0;

printf("%s", banner);

if((ret = fuzz_start(AAAA_FUZZ)) < 0)
fprintf(stderr, "xml2 fuzz: start failed!\n");
/*
if((ret = fuzz_start(NUMERIC_FUZZ)) < 0)
fprintf(stderr, "xml2 fuzz: start failed!\n");
*/

return 0;
}



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close