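/*
 * hzzp/hzzp.c 04.27.2009
 *
 * Krakow Labs Development -> Hzzp
 * Hypertext Transfer Protocol Fuzzer
 * rush@KL (Jeremy Brown)
 *
 * UI Module -> hzzp.tar.gz
 *
 * Associated Files & Information:
 *   http://www.krakowlabs.com/dev/fuz/hzzp/hzzp
 *   http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.c.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/fuzz.c.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/core.h.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/fuzz.h.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/http.h.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/Makefile.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/hzzp_doc.txt
 *   http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.tar.gz
 *   http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.jpeg
 *   http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.avi
 *
 * This file is the command-line front end: it parses options, optionally
 * grabs the target's Server: banner, and hands everything else to
 * hzzp_engine() (defined in the fuzzing module, not in this file).
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <limits.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define BUFSIZE 512

/* Seconds to wait for the banner response before giving up.  The original
 * recv() blocked forever on a peer that accepted the connection but never
 * answered, which stalls the whole run. */
#define BANNER_TIMEOUT_SEC 10

int hzzp_engine(char *tar, int port, int m, int mo, int fzn, int hdn, char *cfd, char *chd, int cu, int vb, int db, int lg, char *lgf, int exg, char *exf, int mth, int sc, int dir, char *path, char *bqd, char *ptf, char *eqd);
void hzzp_usage(char *prog);
void hzzp_counter(int *n);
void hzzp_fetch_banner(char *tar, int port, int vb);
void hzzp_list_fzorc(void);
void hzzp_list_hdrs(void);
void hzzp_list_digdirs(void);
void hzzp_list_methods(void);
void hzzp_list_scodes(void);

/*
 * Print the option summary and terminate with exit status 1.
 * Never returns; callers rely on that after a bad argument combination.
 *
 * prog: argv[0], echoed in the USAGE line.
 */
void hzzp_usage(char *prog)
{
    printf("\n Krakow Labs Development -> Hzzp");
    printf("\n Hypertext Transfer Protocol Fuzzer");
    printf("\n rush@KL (Jeremy Brown)\n");
    printf("\nUSAGE: %s <-C/-S/-E/-B> SELECTIONS", prog);
    printf("\nOPTIONAL: -T [Target] -P [Port] [-L Log.file] [-A exploit.pl] [-V] [-D]\n");
    printf("\n -C Client Side Fuzzing");
    printf("\n 1 (Protocol)");
    printf("\n 2 (Protocol Version)");
    printf("\n 3 (Status Code)");
    printf("\n 4 (Status Phrase)\n");
    printf("\n 5 (Response Headers)");
    printf("\n 6 (Response Header Fields)");
    printf("\n [-s status code]\n");
    printf("\n 7 (Basic Authentication)");
    printf("\n 8 (Digest Authentication)");
    printf("\n [-p /path]");
    printf("\n\n -S Server Side Fuzzing");
    printf("\n 1 (Method)");
    printf("\n 2 (Request)");
    printf("\n 3 (Request Port)");
    printf("\n 4 (Protocol)");
    printf("\n 5 (Protocol Version)\n");
    printf("\n 6 (Request Headers)");
    printf("\n 7 (Request Header Fields)");
    printf("\n [-m method]\n");
    printf("\n 8 (Basic Authentication)");
    printf("\n 9 (Digest Authentication)");
    printf("\n [-p /path]\n");
    printf("\n 10 (Query Parameters)");
    printf("\n -p [/path]\n -b [beginning query data]\n -x [parameter to fuzz]\n -e [ending query data]");
    printf("\n\n -E Exploit Generation");
    printf("\n ");
    printf("\n\n -B (Fetch Banner)");
    printf("\n -T \n");
    printf("\nPREFERENCES: -c [Custom Fuzzing Data] -h [Custom Header] -d [Digest #] -y [Oracle #] -z [Header #]");
    printf("\nINFORMATION: [-F Fuzzing Oracle] [-H Headers] [-J Digest Directives] [-M Methods] [-O Status Codes]\n\n");
    exit(1);
}

/*
 * Increment the integer n points to.  Exported for the other modules;
 * n must not be NULL.
 */
void hzzp_counter(int *n)
{
    (*n)++;
}

/*
 * Parse a decimal option argument strictly and range-check it.
 *
 * atoi() silently turns "abc" into 0 and overflows on long input; the
 * values parsed here are later used as a TCP port and as table indices in
 * the engine, so garbage must be rejected up front.
 *
 * s:    the option argument.
 * lo/hi: inclusive bounds.
 * optc: the option letter, for the error message.
 *
 * Returns the value; on any parse or range failure prints an error and
 * exits with status 1 (same status hzzp_usage() uses).
 */
static int hzzp_parse_int(const char *s, long lo, long hi, int optc)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < lo || v > hi) {
        printf("hzzp_error: invalid value '%s' for -%c (expected %ld..%ld)\n", s, optc, lo, hi);
        exit(1);
    }
    return (int)v;
}

/*
 * Parse a 1-based selection number (-m/-s/-d/-y/-z) and convert it to the
 * 0-based index the engine expects.  Values below 1 would become a negative
 * table index, so they are rejected.  The upper bound of each table lives
 * in the fuzzing module and is not checked here.
 */
static int hzzp_parse_index(const char *s, int optc)
{
    return hzzp_parse_int(s, 1, INT_MAX, optc) - 1;
}

/*
 * Entry point: parse the command line, run the banner fetch if requested
 * (it exits on its own), validate option combinations, and call the engine.
 */
int main(int argc, char *argv[])
{
    char *tar = NULL, *cfd = NULL, *chd = NULL, *exf = NULL, *lgf = NULL;
    char *path = "/", *bqd = "", *ptf = "ptf=", *eqd = "";
    int port = 80, m = -1, mo = -1, cu = 0, db = 0, vb = 0, dir = 0, fzn = 0;
    int hdn = 0, exg = 0, mth = 1, lg = 0, sc = 2, fb = 0;
    /* getopt() returns int.  Storing it in a char and comparing with EOF
     * never terminates on platforms where char is unsigned. */
    int opt;

    while ((opt = getopt(argc, argv, "T:P:L:A:VDE:FHJMOC:S:m:s:d:y:z:b:x:e:c:h:p:B")) != -1) {
        switch (opt) {
        case 'T': tar = optarg; break;
        case 'P': port = hzzp_parse_int(optarg, 1, 65535, 'P'); break;
        case 'L': lg = 1; lgf = optarg; break;
        case 'A': exg = 2; exf = optarg; break;
        case 'V': vb = 1; break;
        case 'D': db = 1; break;
        case 'F': hzzp_list_fzorc(); break;
        case 'H': hzzp_list_hdrs(); break;
        case 'J': hzzp_list_digdirs(); break;
        case 'M': hzzp_list_methods(); break;
        case 'O': hzzp_list_scodes(); break;
        /* Menu selections are numbered from 1 in the usage text. */
        case 'C': m = 1; mo = hzzp_parse_int(optarg, 1, INT_MAX, 'C'); break;
        case 'S': m = 2; mo = hzzp_parse_int(optarg, 1, INT_MAX, 'S'); break;
        case 'm': mth = hzzp_parse_index(optarg, 'm'); break;
        case 's': sc = hzzp_parse_index(optarg, 's'); break;
        case 'd': dir = hzzp_parse_index(optarg, 'd'); break;
        case 'y': fzn = hzzp_parse_index(optarg, 'y'); break;
        case 'z': hdn = hzzp_parse_index(optarg, 'z'); break;
        case 'b': bqd = optarg; break;
        case 'x': ptf = optarg; break;
        case 'e': eqd = optarg; break;
        case 'E': exg = 1; exf = optarg; break;
        case 'c': cfd = optarg; break;
        case 'h': chd = optarg; break;
        case 'p': path = optarg; break;
        case 'B': fb = 1; break;
        default: hzzp_usage(argv[0]); break;
        }
    }

    /* -B is a standalone action: it prints the banner and exits. */
    if (fb == 1)
        hzzp_fetch_banner(tar, port, vb);

    if (m < 0)
        hzzp_usage(argv[0]);
    if (m == 2 && tar == NULL)
        hzzp_usage(argv[0]);
    /* Server-side "Request Port" fuzzing only makes sense with method
     * selection 8 (0-based index 7); which method that is, is listed by -M. */
    if (m == 2 && mo == 3 && mth != 7)
        hzzp_usage(argv[0]);
    /* A custom header (-h) only applies to the header-fuzzing modes. */
    if (m == 1 && mo > 1 && chd != NULL)
        hzzp_usage(argv[0]);
    if (m == 2 && mo < 9 && chd != NULL)
        hzzp_usage(argv[0]);
    if (m == 2 && mo > 10 && chd != NULL)
        hzzp_usage(argv[0]);
    if (exg > 1 && tar == NULL)
        hzzp_usage(argv[0]);
    if (exg > 0 && exf == NULL)
        hzzp_usage(argv[0]);

    /* Client-side auth modes (7/8) force status code index 17; the meaning
     * of that index is defined by the status-code table in the engine. */
    if (m == 1 && mo > 6)
        sc = 17;

    /* cu encodes which custom inputs were given:
     * 1 = none, 2 = -c only, 3 = -h only, 4 = both. */
    if (cfd == NULL && chd == NULL)
        cu = 1;
    else if (cfd != NULL && chd == NULL)
        cu = 2;
    else if (cfd == NULL && chd != NULL)
        cu = 3;
    else
        cu = 4;

    if (db == 1) {
        /* lgf/exf may be NULL here; passing NULL to %s is undefined. */
        printf("DEBUG: m = %d, mo = %d, fzn = %d, hdn = %d, cu = %d, vb = %d, db = %d, lg = %d, lgf = %s, exg = %d, exf = %s, mth = %d, sc = %d, dir = %d, path = %s, bqd = %s, ptf = %s, eqd = %s\n",
               m, mo, fzn, hdn, cu, vb, db, lg, lgf ? lgf : "(null)", exg, exf ? exf : "(null)",
               mth, sc, dir, path, bqd, ptf, eqd);
    }
    fflush(stdout);

    /* The engine's int return is not interpreted here; its convention is
     * defined in the fuzzing module. */
    hzzp_engine(tar, port, m, mo, fzn, hdn, cfd, chd, cu, vb, db, lg, lgf, exg, exf, mth, sc, dir, path, bqd, ptf, eqd);
    return 0;
}

/*
 * Find the value of a "Server:" header in a response buffer.
 *
 * Header names are case-insensitive, so match with strncasecmp and only at
 * the start of a line (the original matched "Server:" anywhere, including
 * inside another header's value).  Returns a pointer to the text after the
 * colon, or NULL if no such header is present.
 */
static const char *hzzp_find_server_hdr(const char *buf)
{
    const char *p = buf;

    while (*p != '\0') {
        if (strncasecmp(p, "Server:", 7) == 0)
            return p + 7;
        p = strchr(p, '\n');
        if (p == NULL)
            break;
        p++;
    }
    return NULL;
}

/*
 * Connect to tar:port, send a HEAD request and print the Server: banner.
 * Always terminates the process: exit(0) after printing, exit(-1) on error.
 *
 * tar:  host name or dotted-quad; must not be NULL.
 * port: TCP port.
 * vb:   when 1, also dump the raw response before the banner line.
 *
 * Fixes relative to the original: the response is read in a bounded loop
 * with a receive timeout, send/recv results are checked, and the banner copy
 * stops at end of line, end of buffer or end of data (the original walked
 * past the buffer when no '\n' followed "Server:").
 */
void hzzp_fetch_banner(char *tar, int port, int vb)
{
    char buf[BUFSIZE], banner[BUFSIZE], request[BUFSIZE];
    char *tarip;
    const char *val;
    int sock, reqlen;
    size_t got = 0, sent = 0, i = 0;
    ssize_t n;
    struct sockaddr_in remote;
    struct hostent *resolve;
    struct timeval tv;

    if (tar == NULL) {
        printf("hzzp_error: target not set\n");
        exit(-1);
    }

    /* gethostbyname() is obsolete (IPv4 only) but is what the rest of the
     * tool uses; verify the record is a usable IPv4 address anyway. */
    resolve = gethostbyname(tar);
    if (resolve == NULL || resolve->h_addrtype != AF_INET ||
        resolve->h_length != (int)sizeof(struct in_addr) ||
        resolve->h_addr_list[0] == NULL) {
        printf("hzzp_error: gethostbyname(%s)\n", tar);
        exit(-1);
    }

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons((unsigned short)port);
    memcpy(&remote.sin_addr, resolve->h_addr_list[0], sizeof(remote.sin_addr));
    tarip = inet_ntoa(remote.sin_addr);

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("hzzp_error: socket()\n");
        exit(-1);
    }

    /* Best effort: a failed setsockopt() only means we may block longer. */
    tv.tv_sec = BANNER_TIMEOUT_SEC;
    tv.tv_usec = 0;
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    if (connect(sock, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
        printf("hzzp_error: connect(%s:%d)\n", tar, port);
        exit(-1);
    }

    /* HTTP/1.1 requires a Host header; Connection: close makes the peer
     * end the stream so the read loop below has a natural stop. */
    reqlen = snprintf(request, sizeof(request),
                      "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", tar);
    if (reqlen < 0 || (size_t)reqlen >= sizeof(request)) {
        printf("hzzp_error: target name too long (%s)\n", tar);
        exit(-1);
    }

    while (sent < (size_t)reqlen) {
        n = send(sock, request + sent, (size_t)reqlen - sent, 0);
        if (n <= 0) {
            printf("hzzp_error: send(%s:%d)\n", tar, port);
            exit(-1);
        }
        sent += (size_t)n;
    }

    /* Read until the headers end, the peer closes, or the buffer is full.
     * The last byte is never written, so buf stays NUL-terminated. */
    memset(buf, 0, sizeof(buf));
    while (got < sizeof(buf) - 1) {
        n = recv(sock, buf + got, sizeof(buf) - 1 - got, 0);
        if (n <= 0)
            break; /* 0 = peer closed, <0 = error or timeout */
        got += (size_t)n;
        if (strstr(buf, "\r\n\r\n") != NULL)
            break;
    }
    if (got == 0) {
        printf("hzzp_error: recv(%s:%d)\n", tar, port);
        exit(-1);
    }

    val = hzzp_find_server_hdr(buf);
    if (val == NULL) {
        printf("hzzp_error: banner_not_found(%s:%d)\n", tar, port);
        exit(-1);
    }

    /* Skip optional whitespace after the colon, then copy to end of line.
     * Stopping at '\r' keeps a stray carriage return out of the output. */
    while (*val == ' ' || *val == '\t')
        val++;
    while (*val != '\0' && *val != '\r' && *val != '\n' && i < sizeof(banner) - 1)
        banner[i++] = *val++;
    banner[i] = '\0';

    if (vb == 1)
        printf("\n%s", buf);

    printf("\n%s[%s]:%d --> %s\n\n", tar, tarip, port, banner);
    close(sock);
    exit(0);
}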