xml2 Fuzzer is a fuzzing utility that daemonizes in order to fuzz the client side of a web browser.
6ce1679a18a737f7e82c37dd5a21cc85bfe82165cf1e8c95fb312c29f4e930d0/*
xml2 fuzz ver 1.0
--
C:\x90c\xml2_fuzz> ./xml_fuzz
___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / __. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|
xml2 fuzzer ver 1.0
./xml2_fuzz
xml2 fuzz: listen fuzz daemon [9090/tcp]
--
[Description]:
It's a fuzz daemon to exploit
to com object of client side in
web browser
(1) xml2 fuzz daemon listen
(2) web browser open url of the fuzz daemon
(3) the url request to xml2 COM object with fuzz str
for instance, AAAA fuzz, numeric fuzz
target program is libxml2, msxml2 com object
note)
Include "stdafx.h" for win32 and add wsock32.lib
to link option. I did compile test for it
x90c
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#define FUZZ_DAEMON_PORT (9090)
/*
fuzz type
*/
#define AAAA_FUZZ (1)
#define NUMERIC_FUZZ (2)
static char http_res[65535];
static char fuzz_str[65535];
static unsigned int fuzz_int;
static int fuzz_int_neg;
void set_fuzz_str(char *mal_str);
static char fmt_fuzz_str[] = {
"HTTP/1.1 200 OK\n"
"Content-Type: text/html\n"
"Date: Sat Aug 28 1976 09:15:00 GMT\n"
"Expires: Sat Aug 28 1976 09:15:00 GMT\n"
"Cache-Control: no-cache, must-revalidate\n"
"Pragma: no-cache\n"
"Accept-Ranges: bytes\n"
"Content-Length: %d\r\n\r\n"
"\n<script>\n"
" function xml2_exploit() {\n"
" var request_url = location.protocol + '//' + location.host + '/'\n"
" var xml_http_request = new ActiveXObject('Msxml2.XMLHTTP.3.0');\n"
" xml_http_request.open(%s, request_url, false);\n"
" xml_http_request.send();\n"
" setTimeout(xml2_exploit, 1);\n"
" }\n"
" xml2_exploit();\n"
"</script>\n"
"\r\n\r\n"
};
int fuzz_start(int fuzz_type) {
int srv_sockfd = 0, cld_sockfd = 0;
struct sockaddr_in srv_addr, cld_addr;
int cld_addr_len = sizeof(struct sockaddr);
char recv_buf[1024];
WSADATA wsaData;
int mal_index = 0;
int cnt_aaaa=1;
WSAStartup(0x202, &wsaData);
memset(&srv_addr, 0, sizeof(struct sockaddr_in));
srv_addr.sin_family = AF_INET;
srv_addr.sin_addr.s_addr = INADDR_ANY;
srv_addr.sin_port = htons(FUZZ_DAEMON_PORT);
if((srv_sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) <= 0)
return -1;
if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(struct sockaddr)) < 0){
closesocket(srv_sockfd);
return -2;
}
if(listen(srv_sockfd, 1) < 0){
closesocket(srv_sockfd);
return -3;
}
memset(fuzz_str, 0, sizeof fuzz_str);
fuzz_str[0] = 'A';
set_fuzz_str(fuzz_str);
fuzz_int = 0x0;
fuzz_int_neg = 0;
printf("xml2 fuzz: listen fuzz daemon [%d/tcp] \n", FUZZ_DAEMON_PORT);
accept_again:
if((cld_sockfd = accept(srv_sockfd, (struct sockaddr *)&cld_addr, &cld_addr_len)) == -1){
closesocket(srv_sockfd);
return -4;
}
memset(&recv_buf, 0, sizeof(recv_buf));
recv_again:
if(recv(cld_sockfd, &recv_buf[0], sizeof(recv_buf) - 1, 0) <= 0)
goto recv_again;
printf("recv data: %s\n", recv_buf);
if(strstr(&recv_buf[0], "GET / HTTP/1.1") != NULL)
{
printf("HTTP response 200\n");
send(cld_sockfd, &http_res[0], strlen(http_res), 0);
closesocket(cld_sockfd);
memset(fuzz_str, 0, sizeof fuzz_str);
switch(fuzz_type){
case AAAA_FUZZ: // AAAAAAAA... fuzz
++cnt_aaaa;
if(cnt_aaaa == 65535)
goto fuzz_end;
memset(fuzz_str, 'A', cnt_aaaa);
set_fuzz_str(fuzz_str);
break;
case NUMERIC_FUZZ: // 0x00000000 ~ 0xffffffff, -0x00000000 ~ -0xffffffff fuzz
if(fuzz_int_neg == 0)
sprintf(fuzz_str, "%d", fuzz_int);
else if(fuzz_int_neg == 1){
if(fuzz_int >= 0xffffffff)
goto fuzz_end;
sprintf(fuzz_str, "-%d", fuzz_int);
}
set_fuzz_str(fuzz_str);
++fuzz_int;
if(fuzz_int >= 0xffffffff){
fuzz_int_neg = 1;
fuzz_int = 0x0;
}
break;
}
goto accept_again;
}
fuzz_end:
fprintf(stderr, "xml2 fuzz: fuzz end!\n");
if(srv_sockfd)
closesocket(srv_sockfd);
return 0;
}
void set_fuzz_str(char *mal_str) {
if(strlen(mal_str) > 65535-1){
printf("xml2 fuzz: too long malformed string\n");
exit(-1);
}
memset((void *)&http_res, 0, sizeof(http_res));
sprintf(http_res, fmt_fuzz_str, sizeof(http_res), mal_str);
}
static char banner[] = {
" ___ ___ \n" \
" / _ \\ / _ \\ \n" \
" __ __| (_) || | | | ___ \n" \
" \\ \\/ / \__. || | | | / __| \n" \
" > < / / | |_| || (__ \n" \
" /_/\\_\\ /_/ \\___/ \\___| \n" \
" \n" \
" xml2 fuzzer ver 1.0 \n" \
" \n" \
" ./xml2_fuzz \n" \
" \n"
};
int main() {
int ret = 0;
printf("%s", banner);
if((ret = fuzz_start(AAAA_FUZZ)) < 0)
fprintf(stderr, "xml2 fuzz: start failed!\n");
/*
if((ret = fuzz_start(NUMERIC_FUZZ)) < 0)
fprintf(stderr, "xml2 fuzz: start failed!\n");
*/
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed