Fuzz - network services fuzzing interface.
This document describes Fuzz version 0.06.
    use Fuzz;
    my $fuzzer = Fuzz->new(
        RemoteAddr => 'localhost',
        RemotePort => 21,
        FuzzLevel  => ['Numbers'],
        Debug      => 1
    );
    $fuzzer->AuthTemplate("USER {USER}\r\nPASS {PASS}\r\n");
    $fuzzer->AuthSuccess('220');
    $fuzzer->AuthUser('test');
    $fuzzer->AuthPass('test');
    $fuzzer->ActionCmd([qw(MKD CWD)]);
    $fuzzer->ActionExit('QUIT');
    $fuzzer->ActionTemplate("{CMD} {BOF}\r\n");
    $fuzzer->StartFuzzing;
    $fuzzer->CreateReport('report.html');
Fuzzing is a simple technique for feeding random input to applications in order to reveal their weaknesses (e.g. buffer overflows). This module provides a quite flexible interface for creating generic fuzzers for most application layer protocols.
Note: there are a bunch of private module methods which are not described here.
Creates a new Fuzz instance. Takes arguments as key=>value pairs. Required arguments are:
Optional arguments are (they are described in "Accessors/Mutators" section):
Note: the RemoteAddr and RemotePort arguments can be replaced with their short form, e.g.:

    my $fuzzer = Fuzz->new('host:port');
Note: almost all of the constructor arguments can be accessed through corresponding methods (see the "Accessors/Mutators" section).
Note: accessors and mutators are generated by http://search.cpan.org/~kawasaki/Class-Accessor-Children-0.02/lib/Class/Accessor/Children/Fast.pm module.
Gets/sets IP/host of the target network service.
Gets/sets port number of the target service.
Gets/sets fuzzing deepness level. Two types of argument can be passed: an integer which indicates fuzzing deepness, or an arrayref with fuzzing data category names. Available levels:

    1   - 'Letters' only (e.g.: AAAAAA...)
    >=2 - 'Letters' and 'Formats' (e.g.: AAAAAA... and %s%s%s...)
    >=3 - 'Letters', 'Formats' and 'Numbers' (e.g.: AAAAAA..., %s%s%s... and +-100000...)
Gets/sets connection descriptor.
Note: if calling as a setter, argument must be valid IO::Socket::INET object.
Gets/sets Debug flag.
Gets/sets 'Letters' fuzzing data category.
Note: if calling as a setter, argument must be a valid hashref with 2 keys: _example => ARRAYREF and _data => Regexp.
Gets/sets 'Numbers' fuzzing data category.
Gets/sets 'Formats' fuzzing data category. Note: if calling as a setter, argument must be valid hashref with 2 keys: _example => ARRAYREF and _data => Regexp.
Gets/sets ActionCmd attribute. Note: if calling as a setter, argument must be ARRAYREF with valid protocol commands.
Gets/sets ActionExit attribute.
Note: if calling as a setter, argument must be valid protocol command.
Gets/sets ActionTemplate attribute. Required shortcuts:

    {CMD} - protocol command currently being fuzzed
    {BOF} - fuzzing data

Note: these shortcuts are required, but leaving them out of the ActionTemplate call will not cause a fatal error; you will only be warned about a possible typo.
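The following is an added illustration, not code from the Fuzz module itself: it re-implements in plain Perl the two behaviours described above, the mapping of a numeric FuzzLevel to data categories and the filling of the {CMD}/{BOF} shortcuts in an ActionTemplate with a warning (not a fatal error) when a shortcut is missing. The commands and template are the ones from the synopsis; the per-category sample tokens are constructed.

```perl
#!/usr/bin/perl
# Illustrative re-implementation (not Fuzz's own code) of FuzzLevel
# resolution and ActionTemplate shortcut expansion as documented.
use strict;
use warnings;

# FuzzLevel: an integer deepness or an arrayref of category names.
sub categories_for_level {
    my ($level) = @_;
    return @$level if ref $level eq 'ARRAY';   # explicit list, used as-is
    my @cats = ('Letters');
    push @cats, 'Formats' if $level >= 2;
    push @cats, 'Numbers' if $level >= 3;
    return @cats;
}

# Constructed sample token per category (cf. AAAA..., %s%s..., +-100000...).
my %sample = (
    Letters => 'A',
    Formats => '%s',
    Numbers => '0',
);

# Fill {CMD} and {BOF}; warn, rather than die, about a missing shortcut.
sub expand_template {
    my ($template, %subst) = @_;
    for my $key (qw(CMD BOF)) {
        warn "ActionTemplate: shortcut {$key} missing, possible typo\n"
            unless $template =~ /\{\Q$key\E\}/;
    }
    (my $out = $template) =~
        s/\{(\w+)\}/exists $subst{$1} ? $subst{$1} : "{$1}"/ge;
    return $out;
}

# Demo: level 2 (Letters + Formats) over the FTP commands from the synopsis.
for my $cmd (qw(MKD CWD)) {
    for my $cat (categories_for_level(2)) {
        my $req = expand_template("{CMD} {BOF}\r\n",
                                  CMD => $cmd, BOF => $sample{$cat} x 8);
        printf "%-8s %-4s %s\n", $cat, $cmd, $req =~ s/\r\n\z//r;
    }
}

# A template with a typo in a shortcut only triggers the warning.
expand_template("{CMD} {BUF}\r\n", CMD => 'MKD', BOF => 'A');
```

Passing an arrayref such as ['Numbers'] to categories_for_level bypasses the numeric mapping, exactly as the FuzzLevel accessor documents.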
Gets/sets AuthUser attribute.
Note: if calling as a setter, argument must be valid remote network service username.
Gets/sets AuthPass attribute. Note: if calling as a setter, argument must be valid remote network service user's password.
Gets/sets AuthSuccess attribute.
Gets/sets AuthTemplate attribute. Required shortcuts:

    {USER} - valid username
    {PASS} - user's valid password

Note: these shortcuts are required, but leaving them out of the AuthTemplate call will not cause a fatal error; you will only be warned about a possible typo.
Gets/sets ExploitTemplate attribute. Required shortcuts:

    {CMD} - vulnerable protocol command
    {BOF} - buffer overflow trigger
    {SHC} - shellcode payload

Optional shortcuts:

    {NOP} - NOP assembler instruction (\x90)
Gets/sets shellcode which will be used for exploiting.
Gets/sets buffer overflow trigger's length.
Gets/sets buffer overflow trigger's data category.
Note: if calling as a setter, argument must be valid internal or custom defined data category.
Gets/sets authorization flag.
Gets/sets text description of currently used shellcode.
Starts fuzzing process with defined preferences. No arguments needed.
Starts exploiting process with defined preferences. Takes one required argument: vulnerable protocol command.
Builds standalone exploit application (perl script). Takes two optional arguments: exploit filename ('exploit.pl' by default) and exploit text description ('No description defined' by default).
Note: this method can be called only if a bug was found by StartFuzzing.
Adds a custom fuzzing data category. Takes three required arguments: category name, data generation rule and a regexp matching one character.
Note: this method requires http://search.cpan.org/~daconti/Data-Generate-0.02/lib/Data/Generate.pod module installed.
Note: second argument must be valid http://search.cpan.org/~daconti/Data-Generate-0.02/lib/Data/Generate.pod#BASIC_SYNTAX grammar rule.
Note: third argument must be a valid regexp (http://theoryx5.uwinnipeg.ca/CPAN/perl/pod/perlop.html#regexp_quotelike_operators) that matches strictly one character (token) of your data.
Creates simple HTML report on Fuzz work. Takes one required argument: report filename.
Loads an internal protocol preset. Takes one required and one optional parameter: preset name and the preset's required data. Available presets:

    FTP  - preset for File Transfer Protocol (optional data may be passed: username and password; if missing they default to anonymous:fuzz@itdefence.ru).
    HTTP - preset for Hyper Text Transfer Protocol. Not implemented yet.
    SMTP - preset for Simple Mail Transfer Protocol. Not implemented yet.
    POP3 - preset for Post Office Protocol version 3. Not implemented yet.
http://search.cpan.org/~daconti/Data-Generate-0.02/lib/Data/Generate.pod
Please report bugs to ksuri<AT>cpan<DOT>org.
Aleksey Surikov.
© 2008 Aleksey Surikov (surikov<AT>itdefence<DOT>ru)
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.