/* hzzp/fuzz.c 04.27.2009 Hzzp Krakow Labs Development -> Hzzp Hypertext Transfer Protocol Fuzzer rush@KL (Jeremy Brown) Fuzzing Module -> hzzp.tar.gz Associated Files & Information: http://www.krakowlabs.com/dev/fuz/hzzp/hzzp http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.c.txt http://www.krakowlabs.com/dev/fuz/hzzp/fuzz.c.txt http://www.krakowlabs.com/dev/fuz/hzzp/core.h.txt http://www.krakowlabs.com/dev/fuz/hzzp/fuzz.h.txt http://www.krakowlabs.com/dev/fuz/hzzp/http.h.txt http://www.krakowlabs.com/dev/fuz/hzzp/Makefile.txt http://www.krakowlabs.com/dev/fuz/hzzp/hzzp_doc.txt http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.tar.gz http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.jpeg http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.avi hzzp/fuzz.c */ #include #include #include #include #include #include #include #include #include #include "core.h" #include "fuzz.h" #include "http.h" void hzzp_headline(int m, int mo, int exg, int mode, FILE *fd) { char *hl; if((m == 1) && (mo == 1)) hl = "Fuzzing Protocol"; if((m == 1) && (mo == 2)) hl = "Fuzzing Protocol Version"; if((m == 1) && (mo == 3)) hl = "Fuzzing Status Code"; if((m == 1) && (mo == 4)) hl = "Fuzzing Status Phrase"; if((m == 1) && (mo == 5)) hl = "Fuzzing Response Headers"; if((m == 1) && (mo == 6)) hl = "Fuzzing Response Header Fields"; if((m == 1) && (mo == 7)) hl = "Fuzzing Basic Authentication"; if((m == 1) && (mo == 8)) hl = "Fuzzing Digest Authentication"; if((m == 2) && (mo == 1)) hl = "Fuzzing Method"; if((m == 2) && (mo == 2)) hl = "Fuzzing Request"; if((m == 2) && (mo == 3)) hl = "Fuzzing Request Port"; if((m == 2) && (mo == 4)) hl = "Fuzzing Protocol"; if((m == 2) && (mo == 5)) hl = "Fuzzing Protocol Version"; if((m == 2) && (mo == 6)) hl = "Fuzzing Request Headers"; if((m == 2) && (mo == 7)) hl = "Fuzzing Request Header Fields"; if((m == 2) && (mo == 8)) hl = "Fuzzing Basic Authentication"; if((m == 2) && (mo == 9)) hl = "Fuzzing Digest Authentication"; if((m == 2) && (mo == 10)) hl = "Fuzzing Query Parameters"; if(exg == 1) hl = "Exploit Generation"; if(mode == 1) { printf("\n********** [%s] **********\n\n Krakow Labs Development -> Hzzp\n\n********** [%s] **********\n\n", hl, hl); } if(mode == 2) { fprintf(fd, "Mode: %s\n", hl); } } int hzzp_engine(char *tar, int port, int m, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, int vb, int db, int lg, char *lgf, int exg, char *exf, int mth, int sc, int dir, char *path, char *bqd, char *ptf, char *eqd) { char *mthd = http[mth].method; hzzp_headline(m, mo, exg, 1, NULL); if(exg == 1) hzzp_exgen(tar, port, m, mo, fzn, hdn, cfd, chd, cu, exf, mthd, httpresp[sc].code, dir, path, bqd, ptf, eqd); if(m == 1) hzzp_client(port, m, mo, fzn, hdn, cfd, chd, cu, vb, db, lg, lgf, exg, sc, dir); if(m == 2) hzzp_server(tar, port, m, mo, fzn, hdn, cfd, chd, cu, vb, db, lg, lgf, exg, exf, mthd, dir, path, bqd, ptf, eqd); return 0; } int hzzp_client(int port, int m, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, int vb, int db, int lg, char *lgf, int exg, int sc, int dir) { char buf[BUFSIZE], fzdt[16+1], hddt[16+1], msg[256]; int cli, serv, reuse = 1, cnt = 0; struct sockaddr_in client, server; socklen_t len; printf("INFO: Hzzp -> CLIENT MODE INITALIZING...\n"); fflush(stdout); server.sin_family = AF_INET; server.sin_port = htons(port); server.sin_addr.s_addr = INADDR_ANY; if(vb == 1) printf("VERBOSE: Creating Socket... "); fflush(stdout); if((serv = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("hzzp_error: socket()\n"); return -1; } if(setsockopt(serv, SOL_SOCKET, SO_REUSEADDR, &reuse, (socklen_t)sizeof(reuse)) < 0) { printf("hzzp_error: setsockopt()\n"); return -1; } if(vb == 1) printf("SUCCESS\nVERBOSE: Binding to PORT %d... ", port); fflush(stdout); if(bind(serv, (struct sockaddr *)&server, sizeof(struct sockaddr)) < 0) { printf("hzzp_error: bind(%d)\n", port); return -1; } if(vb == 1) printf("SUCCESS\nVERBOSE: Listening on Socket... "); fflush(stdout); if(listen(serv, 10) < 0) { printf("hzzp_error: listen()\n"); return -1; } if(vb == 1) printf("SUCCESS\n"); printf("INFO: Hzzp -> Waiting for Connections...\n"); fflush(stdout); if(cfd != NULL) { snprintf(fzdt, sizeof(fzdt), "%s", cfd); } if(chd != NULL) { snprintf(hddt, sizeof(hddt), "%s", chd); } while(1) { fflush(stdout); if((cli = accept(serv, (struct sockaddr *)&client, &len)) < 0) { printf("hzzp_error: accept()\n"); return -1; } if(getpeername(cli, (struct sockaddr *)&client, &len) < 0) { printf("hzzp_error: getpeername()\n"); return -1; } if(cnt > 0) hzzp_counter(&fzn); if((fzn == FZTL) && (mo <= 5) || (fzn == FZTL) && (mo == 7)) { printf("INFO: Hzzp -> FINISHED!\n"); return 0; } if((fzn == FZTL) && (mo == 8) && (dir == DCMAX-1)) { printf("INFO: Hzzp -> FINISHED!\n"); return 0; } if(fzn == FZTL) { dir++; hdn++; fzn = 0; } if(hdn == RESPHDRTL) { printf("INFO: Hzzp -> FINISHED!\n"); return 0; } hzzp_counter(&cnt); if((mo == 1) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Protocol: (%s)\n", cnt, inet_ntoa(client.sin_addr), fuzz[fzn].desc); } if((mo == 1) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Protocol: (CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), fzdt, strlen(cfd)); } if((mo == 2) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Protocol Version: (%s)\n", cnt, inet_ntoa(client.sin_addr), fuzz[fzn].desc); } if((mo == 2) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Protocol Version: (CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), fzdt, strlen(cfd)); } if((mo == 3) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Status Code: (%s)\n", cnt, inet_ntoa(client.sin_addr), fuzz[fzn].desc); } if((mo == 3) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Status Code: (CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), fzdt, strlen(cfd)); } if((mo == 4) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Status Phrase: (%s)\n", cnt, inet_ntoa(client.sin_addr), fuzz[fzn].desc); } if((mo == 4) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Status Phrase: (CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), fzdt, strlen(cfd)); } if((mo == 5) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Response Headers: (%s)\n", cnt, inet_ntoa(client.sin_addr), fuzz[fzn].desc); } if((mo == 5) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Response Headers: (CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), fzdt, strlen(cfd)); } if((mo == 6) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing [%d/%s] Response Header Fields: (%s + %s)\n", cnt, inet_ntoa(client.sin_addr), httpresp[sc].code, httpresp[sc].desc, response[hdn].header, fuzz[fzn].desc); } if((mo == 6) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing [%d/%s] Response Header Fields: (%s + CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), httpresp[sc].code, httpresp[sc].desc, response[hdn].header, fzdt, strlen(cfd)); } if((mo == 6) && (cu == 3)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing [%d/%s] Response Header Fields: (CHD: %s [%d bytes] + %s)\n", cnt, inet_ntoa(client.sin_addr), httpresp[sc].code, httpresp[sc].desc, hddt, strlen(chd), fuzz[fzn].desc); } if((mo == 6) && (cu == 4)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing [%d/%s] Response Header Fields: (CHD: %s [%d bytes] + CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), httpresp[sc].code, httpresp[sc].desc, hddt, strlen(chd), fzdt, strlen(cfd)); } if((mo == 7) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Basic Client Authentication: (%s)\n", cnt, inet_ntoa(client.sin_addr), fuzz[fzn].desc); } if((mo == 7) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Basic Client Authentication: (CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), fzdt, strlen(cfd)); } if((mo == 8) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Digest Client Authentication: (%s + %s)\n", cnt, inet_ntoa(client.sin_addr), digcli[dir].dir, fuzz[fzn].desc); } if((mo == 8) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Client %s connected --> Fuzzing Digest Client Authentication: (%s + CFD: %s [%d bytes])\n", cnt, inet_ntoa(client.sin_addr), digcli[dir].dir, fzdt, strlen(cfd)); } if(vb == 1) { printf("%s", msg); } if(db == 1) { printf("DEBUG: cnt = %d, fzn = %d, hdn = %d, sc = %d, dir = %d\n", cnt, fzn, hdn, sc, dir); } if(lg == 1) { hzzp_log(NULL, NULL, 0, 0, 0, 0, 0, NULL, NULL, 0, 0, 0, NULL, 0, NULL, NULL, NULL, NULL, msg, lgf, exg); } fflush(stdout); hzzp_resp(buf, cli, mo, fzn, hdn, cfd, chd, cu, db, sc, dir); } } int hzzp_server(char *tar, int port, int m, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, int vb, int db, int lg, char *lgf, int exg, char *exf, char *mthd, int dir, char *path, char *bqd, char *ptf, char *eqd) { char buf[BUFSIZE], fzdt[16+1], hddt[16+1], msg[256], lfdat[256]; int sock, fzd = 0, io = 0, cnt = 0, flen = 0, hlen = 0; struct sockaddr_in remote; struct hostent *resolve; printf("INFO: Hzzp -> SERVER MODE INITALIZING...\n"); fflush(stdout); while(1) { fflush(stdout); hzzp_counter(&fzd); hzzp_counter(&io); if((vb == 1) && (io == 1)) printf("VERBOSE: Creating Socket... "); fflush(stdout); if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("hzzp_error: socket()\n"); return -1; } if((resolve = gethostbyname(tar)) == NULL) { printf("hzzp_error: gethostbyname(%s)\n", tar); return -1; } char *tarip = inet_ntoa(*(struct in_addr *)resolve->h_addr); remote.sin_family = AF_INET; remote.sin_port = htons(port); remote.sin_addr.s_addr = inet_addr(tarip); if(cfd != NULL) { flen = strlen(cfd); snprintf(fzdt, sizeof(fzdt), "%s", cfd); } if(chd != NULL) { hlen = strlen(chd); snprintf(hddt, sizeof(hddt), "%s", chd); } if((vb == 1) && (io == 1)) printf("SUCCESS\nVERBOSE: Connecting to %s:%d... ", tarip, port); fflush(stdout); if(connect(sock, (struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) { printf("hzzp_error: connect(%s:%d)\n", tar, port); // We haven't increased our integers with hzzp_counter() yet, so no need for -1 action if(fzd > 1) { printf("\nALERT: ***** Hzzp might have found a bug! *****\n\n"); } if((lg == 1) && (fzd > 1)) { hzzp_log(tar, tarip, port, m, mo, fzn, hdn, fzdt, hddt, cu, flen, hlen, mthd, dir, path, bqd, ptf, eqd, NULL, lgf, exg); } if((exg == 2) && (fzd > 1)) { hzzp_exgen(tar, port, m, mo, fzn, hdn, cfd, chd, cu, exf, mthd, 0, dir, path, bqd, ptf, eqd); } return -1; } if((vb == 1) && (io == 1)) printf("SUCCESS\n"); if(io == 1) printf("INFO: Hzzp -> Fuzzing Target...\n"); fflush(stdout); if(cnt > 0) hzzp_counter(&fzn); if((fzn == FZTL) && (mo == 9) && (dir == DSMAX-1)) { printf("INFO: Hzzp -> FINISHED!\n"); return 0; } if((fzn == FZTL) && (mo <= 6) || (fzn == FZTL) && (mo == 8) || (fzn == FZTL) && (mo == 10)) { printf("INFO: Hzzp -> FINISHED!\n"); return 0; } if(fzn == FZTL) { dir++; hdn++; fzn = 0; } if(hdn == REQHDRTL) { printf("INFO: Hzzp -> FINISHED!\n"); return 0; } hzzp_counter(&cnt); if((mo == 1) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Method: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 1) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Method: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 2) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Request: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 2) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Request: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 3) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Request Port: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 3) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Request Port: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 4) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Protocol: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 4) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Protocol: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 5) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Protocol Version: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 5) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Protocol Version: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 6) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Request Headers: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 6) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Request Headers: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 7) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Request Header Fields: (%s + %s)\n", cnt, tarip, port, request[hdn].header, fuzz[fzn].desc); } if((mo == 7) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Request Header Fields: (%s + CFD: %s [%d bytes])\n", cnt, tarip, port, request[hdn].header, fzdt, strlen(cfd)); } if((mo == 7) && (cu == 3)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Request Header Fields: (CHD: %s [%d bytes] + %s)\n", cnt, tarip, port, hddt, strlen(chd), fuzz[fzn].desc); } if((mo == 7) && (cu == 4)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Request Header Fields: (CHD: %s [%d bytes] + CFD: %s [%d bytes])\n", cnt, tarip, port, hddt, strlen(chd), fzdt, strlen(cfd)); } if((mo == 8) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Basic Server Authentication: (%s)\n", cnt, tarip, port, fuzz[fzn].desc); } if((mo == 8) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Basic Server Authentication: (CFD: %s [%d bytes])\n", cnt, tarip, port, fzdt, strlen(cfd)); } if((mo == 9) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Digest Server Authentication: (%s + %s)\n", cnt, tarip, port, digserv[dir].dir, fuzz[fzn].desc); } if((mo == 9) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Fuzzing Digest Server Authentication: (%s + CFD: %s [%d bytes])\n", cnt, tarip, port, digserv[dir].dir, fzdt, strlen(cfd)); } if((mo == 10) && (cu == 1)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Query Fuzzing: (%s + %s)\n", cnt, tarip, port, ptf, fuzz[fzn].desc); } if((mo == 10) && (cu == 2)) { snprintf(msg, sizeof(msg), "VERBOSE: [%d] Target @ [%s]:%d --> Query Fuzzing: (%s + CFD: %s [%d bytes])\n", cnt, tarip, port, ptf, fzdt, strlen(cfd)); } if(vb == 1) { printf("%s", msg); fflush(stdout); } if(db == 1) { printf("DEBUG: cnt = %d, fzn = %d, hdn = %d, mthd = %s, dir = %d\n", cnt, fzn, hdn, mthd, dir); } fflush(stdout); hzzp_req(tarip, port, sock, m, mo, fzn, hdn, cfd, chd, cu, db, mthd, dir, path, bqd, ptf, eqd); } } // configure data void hzzp_resp(char *buf, int cli, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, int db, int sc, int dir) { hzzp_fzof_gen(); memset(buf, 0, BUFSIZE); if(cu == 1) { int len = strlen(fuzz[fzn].data)+512; char resp[len]; if(db == 1) printf("DEBUG: len = %d\n", len); fflush(stdout); hzzp_resp_fuzz(buf, cli, mo, resp, len, fuzz[fzn].data, response[hdn].header, httpresp[sc].code, dir); } if(cu == 2) { int len = strlen(cfd)+strlen(response[hdn].header)+512; char resp[len]; if(db == 1) printf("DEBUG: len = %d\n", len); fflush(stdout); hzzp_resp_fuzz(buf, cli, mo, resp, len, cfd, response[hdn].header, httpresp[sc].code, dir); } if(cu == 3) { int len = strlen(fuzz[fzn].data)+strlen(chd)+512; char resp[len]; if(db == 1) printf("DEBUG: len = %d\n", len); fflush(stdout); hzzp_resp_fuzz(buf, cli, mo, resp, len, fuzz[fzn].data, chd, httpresp[sc].code, dir); } if(cu == 4) { int len = strlen(cfd)+strlen(chd)+512; char resp[len]; if(db == 1) printf("DEBUG: len = %d\n", len); fflush(stdout); hzzp_resp_fuzz(buf, cli, mo, resp, len, cfd, chd, httpresp[sc].code, dir); } } // control data void hzzp_resp_fuzz(char *buf, int cli, int mo, char *resp, int len, char *fdat, char *hdr, int sc, int dir) { memset(buf, 0, BUFSIZE); recv(cli, buf, BUFSIZE-1, 0); if(mo <= 4) { hzzp_resp_lines(buf, cli, mo, resp, len, fdat, sc); } if((mo == 5) || (mo == 6)) { hzzp_resp_hdrs(buf, cli, mo, resp, len, fdat, hdr, sc); } if(mo >= 7) { hzzp_resp_httpauth(buf, cli, mo, resp, len, fdat, sc, dir); } close(cli); return; } // prepare and send data void hzzp_resp_lines(char *buf, int cli, int mo, char *resp, int len, char *fdat, int sc) { memset(resp, 0, len); if(mo == 1) { snprintf(resp, len, "%s/1.1 %d\r\n\r\n%s", fdat, sc, content); } if(mo == 2) { snprintf(resp, len, "HTTP/%s %d\r\n\r\n%s", fdat, sc, content); } if(mo == 3) { snprintf(resp, len, "%s %s\r\n\r\n%s", HTTP, fdat, content); } if(mo == 4) { snprintf(resp, len, "%s %d %s\r\n\r\n%s", HTTP, sc, fdat, content); } send(cli, resp, strlen(resp), 0); } // prepare and send data void hzzp_resp_hdrs(char *buf, int cli, int mo, char *resp, int len, char *fdat, char *hdr, int sc) { memset(resp, 0, len); if(mo == 5) { snprintf(resp, len, "%s %d\r\n%s: Hzzp\r\n\r\n%s", HTTP, sc, fdat, content); } if(mo == 6) { snprintf(resp, len, "%s %d\r\n%s: %s\r\n\r\n%s", HTTP, sc, hdr, fdat, content); } send(cli, resp, strlen(resp), 0); } // prepare and send data void hzzp_resp_httpauth(char *buf, int cli, int mo, char *resp, int len, char *fdat, int sc, int dir) { char path[] = "/"; memset(resp, 0, len); if(mo == 7) { snprintf(resp, len, "%s %d %s\r\n%s: Basic realm=\"%s\"\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, fdat, content); } if(mo == 8) { if(dir == 0) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=\"%s\", %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, fdat, digcli[1].dir, path, digcli[2].dir, digcli[2].def, digcli[3].dir, digcli[3].def, digcli[4].dir, digcli[4].def, digcli[5].dir, digcli[5].def, digcli[6].dir, digcli[6].def, content); if(dir == 1) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].def, digcli[1].dir, fdat, digcli[2].dir, digcli[2].def, digcli[3].dir, digcli[3].def, digcli[4].dir, digcli[4].def, digcli[5].dir, digcli[5].def, digcli[6].dir, digcli[6].def, content); if(dir == 2) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=%s, %s=\"%s\", %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].def, digcli[1].dir, path, digcli[2].dir, fdat, digcli[3].dir, digcli[3].def, digcli[4].dir, digcli[4].def, digcli[5].dir, digcli[5].def, digcli[6].dir, digcli[6].def, content); if(dir == 3) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=%s, %s=\"%s\", %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].def, digcli[1].dir, path, digcli[2].dir, digcli[2].def, digcli[3].dir, fdat, digcli[4].dir, digcli[4].def, digcli[5].dir, digcli[5].def, digcli[6].dir, digcli[6].def, content); if(dir == 4) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].def, digcli[1].dir, path, digcli[2].dir, digcli[2].def, digcli[3].dir, digcli[3].def, digcli[4].dir, fdat, digcli[5].dir, digcli[5].def, digcli[6].dir, digcli[6].def, content); if(dir == 5) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].def, digcli[1].dir, path, digcli[2].dir, digcli[2].def, digcli[3].dir, digcli[3].def, digcli[4].dir, digcli[4].def, digcli[5].dir, fdat, digcli[6].dir, digcli[6].def, content); if(dir == 6) snprintf(resp, len, "%s %d %s\r\n%s: Digest %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=\"%s\"\r\n\r\n%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].def, digcli[1].dir, path, digcli[2].dir, digcli[2].def, digcli[3].dir, digcli[3].def, digcli[4].dir, digcli[4].def, digcli[5].dir, digcli[5].def, digcli[6].dir, fdat, content); } send(cli, resp, strlen(resp), 0); } // configure data void hzzp_req(char *tar, int port, int sock, int m, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, int db, char *mthd, int dir, char *path, char *bqd, char *ptf, char *eqd) { hzzp_fzof_gen(); if(cu == 1) { int len = strlen(fuzz[fzn].data)+512; char req[len]; if(db == 1) printf("DEBUG: len = %d, method = %s\n", len, mthd); fflush(stdout); hzzp_req_fuzz(tar, port, sock, m, mo, req, len, fuzz[fzn].data, request[hdn].header, mthd, dir, path, bqd, ptf, eqd); } if(cu == 2) { int len = strlen(cfd)+strlen(request[hdn].header)+512; char req[len]; if(db == 1) printf("DEBUG: len = %d, method = %s\n", len, mthd); fflush(stdout); hzzp_req_fuzz(tar, port, sock, m, mo, req, len, cfd, request[hdn].header, mthd, dir, path, bqd, ptf, eqd); } if(cu == 3) { int len = strlen(fuzz[fzn].data)+strlen(chd)+512; char req[len]; if(db == 1) printf("DEBUG: len = %d, method = %s\n", len, mthd); fflush(stdout); hzzp_req_fuzz(tar, port, sock, m, mo, req, len, fuzz[fzn].data, chd, mthd, dir, path, bqd, ptf, eqd); } if(cu == 4) { int len = strlen(cfd)+strlen(chd)+512; char req[len]; if(db == 1) printf("DEBUG: len = %d, method = %s\n", len, mthd); fflush(stdout); hzzp_req_fuzz(tar, port, sock, m, mo, req, len, cfd, chd, mthd, dir, path, bqd, ptf, eqd); } } // control data void hzzp_req_fuzz(char *tar, int port, int sock, int m, int mo, char *req, int len, char *fdat, char *hdr, char *mthd, int dir, char *path, char *bqd, char *ptf, char *eqd) { char buf[BUFSIZE]; if(mo <= 5) { hzzp_req_lines(tar, port, sock, mo, buf, req, len, mthd, fdat); } if((mo == 6) || (mo == 7)) { hzzp_req_hdrs(tar, sock, mo, buf, req, len, hdr, mthd, fdat); } if((mo == 8) || (mo == 9)) { hzzp_req_httpauth(tar, port, sock, mo, buf, req, len, mthd, fdat, dir, path); } if(mo == 10) { hzzp_req_query(tar, sock, buf, req, len, mthd, fdat, path, bqd, ptf, eqd); } close(sock); return; } // prepare and send data void hzzp_req_lines(char *tar, int port, int sock, int mo, char *buf, char *req, int len, char *mthd, char *fdat) { memset(req, 0, len); if(strcmp(mthd, "CONNECT") == 0) { if(mo == 1) { snprintf(req, len, "%s %s:%d %s\r\nHost: %s:%d\r\n\r\n", fdat, tar, port, HTTP, tar, port); } if(mo == 2) { snprintf(req, len, "%s %s:%d %s\r\nHost: %s:%d\r\n\r\n", mthd, fdat, port, HTTP, tar, port); } if(mo == 3) { snprintf(req, len, "%s %s:%s %s\r\nHost: %s:%d\r\n\r\n", mthd, tar, fdat, HTTP, tar, port); } if(mo == 4) { snprintf(req, len, "%s %s:%d %s/1.1\r\nHost: %s:%d\r\n\r\n", mthd, tar, port, fdat, tar, port); } if(mo == 5) { snprintf(req, len, "%s %s:%d HTTP/%s\r\nHost: %s:%d\r\n\r\n", mthd, tar, port, fdat, tar, port); } } if(strcmp(mthd, "OPTIONS") == 0) { if(mo == 1) { snprintf(req, len, "%s * %s\r\nHost: %s:%d\r\n\r\n", fdat, HTTP, tar, port); } if(mo == 2) { snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n\r\n", mthd, fdat, HTTP, tar, port); } if(mo == 4) { snprintf(req, len, "%s * %s/1.1\r\nHost: %s:%d\r\n\r\n", mthd, fdat, tar, port); } if(mo == 5) { snprintf(req, len, "%s * HTTP/%s\r\nHost: %s:%d\r\n\r\n", mthd, fdat, tar, port); } } else { if(mo == 1) { snprintf(req, len, "%s / %s\r\n\r\n", fdat, HTTP); } if(mo == 2) { snprintf(req, len, "%s /%s %s\r\n\r\n", mthd, fdat, HTTP); } if(mo == 4) { snprintf(req, len, "%s / %s/1.1\r\n\r\n", mthd, fdat); } if(mo == 5) { snprintf(req, len, "%s / HTTP/%s\r\n\r\n", mthd, fdat); } } send(sock, req, strlen(req), 0); memset(buf, 0, BUFSIZE); recv(sock, buf, BUFSIZE-1, 0); sleep(1); } // prepare and send data void hzzp_req_hdrs(char *tar, int sock, int mo, char *buf, char *req, int len, char *hdr, char *mthd, char *fdat) { memset(req, 0, len); if(mo == 6) { snprintf(req, len, "%s / %s\r\n%s: Hzzp\r\n\r\n", mthd, HTTP, fdat); } if(mo == 7) { snprintf(req, len, "%s / %s\r\n%s: %s\r\n\r\n", mthd, HTTP, hdr, fdat); } send(sock, req, strlen(req), 0); memset(buf, 0, BUFSIZE); recv(sock, buf, BUFSIZE-1, 0); sleep(1); } // prepare and send data void hzzp_req_httpauth(char *tar, int port, int sock, int mo, char *buf, char *req, int len, char *mthd, char *fdat, int dir, char *path) { memset(req, 0, len); if(mo == 8) { snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Basic %s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, fdat); } if(mo == 9) // these may not pass all checks, but they will fuzz input { if(dir == 0) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=\"%s\", %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, fdat, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 1) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=\"%s\", %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, fdat, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 2) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=\"%s\", %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, fdat, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 3) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, fdat, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 4) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, fdat, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 5) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, fdat, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 6) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, fdat, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 7) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, fdat, digserv[8].dir, digserv[8].def, digserv[9].dir, digserv[9].def); if(dir == 8) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, fdat, digserv[9].dir, digserv[9].def); if(dir == 9) snprintf(req, len, "%s %s %s\r\nHost: %s:%d\r\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\"%s\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=\"%s\"\r\n\r\n", mthd, path, HTTP, tar, port, request[5].header, digserv[0].dir, digserv[0].def, digserv[1].dir, digserv[1].def, digserv[2].dir, digserv[2].def, digserv[3].dir, path, digserv[4].dir, digserv[4].def, digserv[5].dir, digserv[5].def, digserv[6].dir, digserv[6].def, digserv[7].dir, digserv[7].def, digserv[8].dir, digserv[8].def, digserv[9].dir, fdat); } send(sock, req, strlen(req), 0); memset(buf, 0, BUFSIZE); recv(sock, buf, BUFSIZE-1, 0); sleep(1); } void hzzp_req_query(char *tar, int sock, char *buf, char *req, int len, char *mthd, char *fdat, char *path, char *bqd, char *pft, char *eqd) { memset(req, 0, len); snprintf(req, len, "%s %s%s%s%s%s HTTP/1.1\r\nHost: %s\r\n\r\n", mthd, path, bqd, pft, fdat, eqd, tar); send(sock, req, strlen(req), 0); memset(buf, 0, BUFSIZE); recv(sock, buf, BUFSIZE-1, 0); sleep(1); } void hzzp_log(char *tar, char *tarip, int port, int m, int mo, int fzn, int hdn, char *fzdt, char *hddt, int cu, int flen, int hlen, char *mthd, int dir, char *path, char *bqd, char *ptf, char *eqd, char *msg, char *lgf, int exg) { FILE *fd; if(m < 2) { if((fd = fopen(lgf, "a")) == NULL) { printf("hzzp_error: fopen(%s)\n", lgf); exit(-1); } fprintf(fd, "%s", msg); fclose(fd); } if(m == 2) { if((fd = fopen(lgf, "a")) == NULL) { printf("hzzp_error: fopen(%s)\n", lgf); exit(-1); } fprintf(fd, "Hzzp might have found a bug!\n"); fprintf(fd, "Host: %s [%s] -> Port %d\n", tar, tarip, port); hzzp_headline(m, mo, 0, 2, fd); if(mo == 8) { fprintf(fd, "Basic Authentication [Protected Path: %s]\n", path); } if(mo == 9) { fprintf(fd, "Digest Authentication [Directive: %s] [Protected Path: %s]\n", digserv[dir].dir, path); } if(mo == 10) { fprintf(fd, "Query Fuzzing [%s \"%s\" %s]\n", bqd, ptf, eqd); } fprintf(fd, "Method: %s\n", mthd); if(mo == 7) { fprintf(fd, "Header: \"%s\"\n", request[hdn].header); } if((cu == 1) || (cu == 3)) { fprintf(fd, "Fuzzing Data: \"%s\"\n", fuzz[fzn].desc); } if((cu == 2) || (cu == 4)) { fprintf(fd, "Custom Fuzzing Data: %s [%d bytes]\n", fzdt, flen); } if((cu == 3) || (cu == 4)) { fprintf(fd, "Custom Header Data: %s [%d bytes]\n", hddt, hlen); } fprintf(fd, "\n"); fclose(fd); printf("INFO: Hzzp -> Details logged in %s\n", lgf); if(exg > 0) printf("\n"); } } void hzzp_exgen(char *tar, int port, int m, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, char *exf, char *mthd, int sc, int dir, char *path, char *bqd, char *ptf, char *eqd) { char *fdat, *hdat; FILE *fd; hzzp_fzof_gen(); if((cu == 1) || (cu == 3)) fdat = fuzz[fzn].data; if((cu == 2) || (cu == 4)) fdat = cfd; if((cu == 1) || (cu == 2) && (m == 1)) hdat = response[hdn].header; if((cu == 3) || (cu == 4)) hdat = chd; if((cu == 1) || (cu == 2) && (m == 2)) hdat = request[hdn].header; printf("INFO: Generating Exploit...\n", exf); if((fd = fopen(exf, "w")) == NULL) { printf("hzzp_error: fopen(%s)\n", exf); exit(-1); } if(m == 1) { fprintf(fd, "#!/usr/bin/perl\n%s\n# %s\n\nuse IO::Socket;\n\n", exbanner, exf); fprintf(fd, "$port = %d;\n", port); fprintf(fd, "$payload = \""); } if(m == 2) { fprintf(fd, "#!/usr/bin/perl\n%s\n# %s\n\nuse IO::Socket;\n\n", exbanner, exf); fprintf(fd, "$target = \"%s\";\n$port = %d;\n\n", tar, port); fprintf(fd, "$payload = \""); } if((m == 1) && (mo == 1)) // CLIENT SIDE EXPLOIT (Response Line) { fprintf(fd, "%s/1.1 %d", fdat, sc); } if((m == 1) && (mo == 2)) { fprintf(fd, "HTTP/%s %d", fdat, sc); } if((m == 1) && (mo == 3)) { fprintf(fd, "%s %s", HTTP, fdat); } if((m == 1) && (mo == 4)) { fprintf(fd, "%s %d %s", HTTP, sc, fdat); } if((m == 1) && (mo == 5)) // CLIENT SIDE EXPLOIT (Response Headers) { if(cu == 1) { fprintf(fd, "%s %d\\r\\n%s: Hzzp", HTTP, httpresp[sc].code, fdat); } if(cu == 2) { fprintf(fd, "%s %d\\r\\n%s: Hzzp", HTTP, httpresp[sc].code, fdat); } } if((m == 1) && (mo == 6)) // CLIENT SIDE EXPLOIT (Response Header Fields) { if(cu == 1) { fprintf(fd, "%s %d\\r\\n%s: %s", HTTP, httpresp[sc].code, hdat, fdat); } if(cu == 2) { fprintf(fd, "%s %d\\r\\n%s: %s", HTTP, httpresp[sc].code, hdat, fdat); } if(cu == 3) { fprintf(fd, "%s %d\\r\\n%s: %s", HTTP, httpresp[sc].code, hdat, fdat); } if(cu == 4) { fprintf(fd, "%s %d\\r\\n%s: %s", HTTP, httpresp[sc].code, hdat, fdat); } } if((m == 1) && (mo == 7) || (mo == 8)) // CLIENT SIDE EXPLOIT (HTTP Authentication) { if(mo == 7) { fprintf(fd, "%s %d %s\\r\\n%s: Basic realm=\\\"%s\\\"", HTTP, httpresp[sc].code, httpresp[sc].desc, response[30].header, fdat); } if(mo == 8) { if(dir == 0) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=\\\"%s\\\", %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\\\"", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, fdat, digcli[1].dir, path, digcli[2].dir, digcli[2].edef, digcli[3].dir, digcli[3].edef, digcli[4].dir, digcli[4].edef, digcli[5].dir, digcli[5].edef, digcli[6].dir, digcli[6].edef); if(dir == 1) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s\\\"", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].edef, digcli[1].dir, fdat, digcli[2].dir, digcli[2].edef, digcli[3].dir, digcli[3].edef, digcli[4].dir, digcli[4].edef, digcli[5].dir, digcli[5].edef, digcli[6].dir, digcli[6].edef); if(dir == 2) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].edef, digcli[1].dir, path, digcli[2].dir, fdat, digcli[3].dir, digcli[3].edef, digcli[4].dir, digcli[4].edef, digcli[5].dir, digcli[5].edef, digcli[6].dir, digcli[6].edef); if(dir == 3) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].edef, digcli[1].dir, path, digcli[2].dir, digcli[2].edef, digcli[3].dir, fdat, digcli[4].dir, digcli[4].edef, digcli[5].dir, digcli[5].edef, digcli[6].dir, digcli[6].edef); if(dir == 4) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].edef, digcli[1].dir, path, digcli[2].dir, digcli[2].edef, digcli[3].dir, digcli[3].edef, digcli[4].dir, fdat, digcli[5].dir, digcli[5].edef, digcli[6].dir, digcli[6].edef); if(dir == 5) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].edef, digcli[1].dir, path, digcli[2].dir, digcli[2].edef, digcli[3].dir, digcli[3].edef, digcli[4].dir, digcli[4].edef, digcli[5].dir, fdat, digcli[6].dir, digcli[6].edef); if(dir == 6) fprintf(fd, "%s %d %s\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\"", HTTP, sc, httpresp[17].desc, response[30].header, digcli[0].dir, digcli[0].edef, digcli[1].dir, path, digcli[2].dir, digcli[2].edef, digcli[3].dir, digcli[3].edef, digcli[4].dir, digcli[4].edef, digcli[5].dir, digcli[5].edef, digcli[6].dir, fdat); } } if(m == 2) { if(strcmp(mthd, "CONNECT") == 0) // SERVER SIDE EXPLOIT (Response Line) { if(mo == 1) { fprintf(fd, "%s $target:$port %s\\r\\nHost: $target:$port", fdat, HTTP); } if(mo == 2) { fprintf(fd, "%s %s:$port %s\\r\\nHost: $target:$port", mthd, fdat, HTTP); } if(mo == 3) { fprintf(fd, "%s $target:%s %s\\r\\nHost: $target:$port", mthd, fdat, HTTP); } if(mo == 4) { fprintf(fd, "%s $target:$port %s/1.1\\r\\nHost: $target:$port", mthd, fdat); } if(mo == 5) { fprintf(fd, "%s $target:$port HTTP/%s\\r\\nHost: $target:$port", mthd, fdat); } } if(strcmp(mthd, "OPTIONS") == 0) { if(mo == 1) { fprintf(fd, "%s * %s\\r\\nHost: $target:$port", fdat, HTTP); } if(mo == 2) { fprintf(fd, "%s %s %s\\r\\nHost: $target:$port", mthd, fdat, HTTP); } if(mo == 4) { fprintf(fd, "%s * %s/1.1\\r\\nHost: $target:$port", mthd, fdat); } if(mo == 5) { fprintf(fd, "%s * HTTP/%s\\r\\nHost: $target:$port", mthd, fdat); } } else { if(mo == 1) { fprintf(fd, "%s /Hzzp %s", fdat, HTTP); } if(mo == 2) { fprintf(fd, "%s /%s %s", mthd, fdat, HTTP); } if(mo == 4) { fprintf(fd, "%s /Hzzp %s/1.1", mthd, fdat); } if(mo == 5) { fprintf(fd, "%s /Hzzp HTTP/%s", mthd, fdat); } } } if((m == 2) && (mo == 6)) // SERVER SIDE EXPLOIT (Request Headers) { if(cu == 1) { fprintf(fd, "%s / %s\\r\\n%s: Hzzp", mthd, HTTP, fdat); } if(cu == 2) { fprintf(fd, "%s / %s%s: Hzzp", mthd, HTTP, fdat); } } if((m == 2) && (mo == 7)) // SERVER SIDE EXPLOIT (Request Header Fields) { if(cu == 1) { fprintf(fd, "%s / %s\\r\\n%s: %s", mthd, HTTP, hdat, fdat); } if(cu == 2) { fprintf(fd, "%s / %s\\r\\n%s: %s", mthd, HTTP, hdat, fdat); } if(cu == 3) { fprintf(fd, "%s / %s\\r\\n%s: %s", mthd, HTTP, hdat, fdat); } if(cu == 4) { fprintf(fd, "%s / %s\\r\\n%s: %s", mthd, HTTP, hdat, fdat); } } if((m == 2) && (mo == 8) || (mo == 9)) // SERVER SIDE EXPLOIT (HTTP Authentication) { if(mo == 8) { fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Basic %s", mthd, path, HTTP, request[5].header, fdat); } if(mo == 9) { if(dir == 0) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=\\\"%s\\\", %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, fdat, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 1) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=\\\"%s\\\", %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, fdat, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 2) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=\\\"%s\\\", %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, fdat, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 3) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, fdat, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 4) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, fdat, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 5) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, fdat, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 6) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, fdat, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 7) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, fdat, digserv[8].dir, digserv[8].edef, digserv[9].dir, digserv[9].edef); if(dir == 8) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, fdat, digserv[9].dir, digserv[9].edef); if(dir == 9) fprintf(fd, "%s %s %s\\r\\nHost: $target:$port\\r\\n%s: Digest %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\", %s=%s, %s=%s, %s=%s, %s=%s, %s=%s, %s=\\\"%s\\\"", mthd, path, HTTP, request[5].header, digserv[0].dir, digserv[0].edef, digserv[1].dir, digserv[1].edef, digserv[2].dir, digserv[2].edef, digserv[3].dir, path, digserv[4].dir, digserv[4].edef, digserv[5].dir, digserv[5].edef, digserv[6].dir, digserv[6].edef, digserv[7].dir, digserv[7].edef, digserv[8].dir, digserv[8].edef, digserv[9].dir, fdat); } } fprintf(fd, "\\r\\n\\r\\n\";\n\n"); if(m == 1) { fprintf(fd, "$serv = IO::Socket::INET->new(Proto=>'tcp', LocalPort=>$port, Listen=>1) or die \"Error: listen($port)\\n\";\n\n", port); fprintf(fd, "$cli = $serv->accept() or die \"Error: accept()\\n\";\n\n"); fprintf(fd, "$cli->recv($buf, 512);\n$cli->send($payload);\n\n"); // some may need send() first fprintf(fd, "close($cli);\nclose($serv);"); } if(m == 2) { fprintf(fd, "$sock = IO::Socket::INET->new(Proto=>'tcp', PeerHost=>$target, PeerPort=>$port) or die \"Error: $target:$port\\n\";\n\n", tar, port); fprintf(fd, "$sock->send($payload);\n\n"); // some may need a $sock->recv($buf, 512); as well fprintf(fd, "close($sock);"); } fclose(fd); printf("INFO: Generation Successful! --> %s\n\n", exf); exit(0); } void hzzp_list_fzorc(void) { int i; printf("\n Fuzzing Oracle\n\n"); for(i = 0; i <= (FZTL-1); i++) { printf("[%d] %s\n", i+1, fuzz[i].desc); } printf("\n"); exit(0); } void hzzp_list_hdrs(void) { int i; printf("\n HTTP Response Headers (including gen/ent)\n\n"); for(i = 0; i <= RESPHDRTL-1; i++) { printf("[%d] %s\n", i+1, response[i].header); } printf("\n HTTP Request Headers (including gen/ent)\n\n"); for(i = 0; i <= REQHDRTL-1; i++) { printf("[%d] %s\n", i+1, request[i].header); } printf("\n"); exit(0); } void hzzp_list_digdirs(void) { int i; printf("\n HTTP Digest Directives (Client Fuzzing)\n\n"); for(i = 0; i <= DCMAX-1; i++) { printf("[%d] %s\n", i+1, digcli[i].dir); } printf("\n HTTP Digest Directives (Server Fuzzing)\n\n"); for(i = 0; i <= DSMAX-1; i++) { printf("[%d] %s\n", i+1, digserv[i].dir); } printf("\n"); exit(0); } void hzzp_list_methods(void) { int i; printf("\n HTTP Methods\n\n"); for(i = 0; i <= (METHODTL-1); i++) { printf("[%d] %s\n", i+1, http[i].method); } printf("\n"); exit(0); } void hzzp_list_scodes(void) { int i; printf("\n HTTP Status Codes\n\n"); for(i = 0; i <= (HTTPRESPTL-1); i++) { printf("[%d] %d -> %s\n", i+1, httpresp[i].code, httpresp[i].desc); } printf("\n"); exit(0); } void hzzp_fzof_gen(void) { memset(of1, 'A', sizeof(of1)); fuzz[0].data = of1; memset(of2, 'A', sizeof(of2)); fuzz[1].data = of2; memset(of3, 'A', sizeof(of3)); fuzz[2].data = of3; memset(of4, 'A', sizeof(of4)); fuzz[3].data = of4; memset(of5, 'A', sizeof(of5)); fuzz[4].data = of5; memset(of6, 'A', sizeof(of6)); fuzz[5].data = of6; memset(of7, 'A', sizeof(of7)); fuzz[6].data = of7; memset(of8, 'A', sizeof(of8)); fuzz[7].data = of8; memset(of9, 'A', sizeof(of9)); fuzz[8].data = of9; memset(of10, 'A', sizeof(of10)); fuzz[9].data = of10; memset(of11, 'A', sizeof(of11)); fuzz[10].data = of11; memset(of12, 'A', sizeof(of12)); fuzz[11].data = of12; }