#!/usr/bin/env python2
from boofuzz import *
import argparse
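# Target commands: the vulnserver verbs the request group cycles through
commands = ['STATS', 'RTIME', 'LTIME', 'SRUN', 'TRUN', 'GMON', 'GDOG', 'KSTET', 'GTER', 'HTER', 'LTER', 'KSTAN']
# Parse args (module level: parse_args() exits the process when -t/-f are missing)
parser = argparse.ArgumentParser(description='Vulnserver fuzzer made with Boofuzz')
parser.add_argument('-t', '--target', help='Host to fuzz', required=True)
# type=int so the port reaches TCPSocketConnection as a number. The previous
# `nargs='?', const=int` stored the builtin `int` type object when -p was given
# without a value, and left an explicit value as a string.
parser.add_argument('-p', '--port', help='Port to use', type=int, default=9999)
parser.add_argument('-f', '--filename', help='Session filename', required=True)
args = parser.parse_args()
targethost = args.target
port = args.port
sessfile = args.filename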
# Main loop
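def main():
    """Build the boofuzz session against ``targethost``:``port`` and run it.

    Reads the module-level ``targethost``, ``port``, ``sessfile`` and
    ``commands`` produced by the argument parser.  Results go to the console
    and to ``results.csv`` in the working directory; the CSV handle is closed
    when fuzzing ends or raises.

    Request grammar primitives used below:
      s_initialize instantiates a request and names it
      s_group creates a group that can be used to fuzz multiple inputs
      s_block_start creates a block to be used as the "mechanism of action"
          for groups
      s_string declares a string value; mutated by default, pass
          fuzzable=False to disable
      s_delim declares a delimiting char between two blocks; fuzzed by
          default, pass fuzzable=False to disable
      s_static declares a static var
    """
    # Logging: 'wb' because this is a Python 2 script (see shebang). The
    # `with` guarantees the CSV is flushed and closed even if fuzz() raises;
    # the original handle was never closed.
    with open('results.csv', 'wb') as logfile:
        # Session expects loggers as a list
        loggers = [FuzzLoggerText(), FuzzLoggerCsv(file_handle=logfile)]
        # Procmon: a boofuzz process monitor is expected to be listening on
        # the target host at port 26002
        start = ["vulnserver.exe"]
        kill = ['wmic process where (name="vulnserver") delete']
        procmonclient = ProcessMonitor(targethost, 26002)
        # NOTE(review): start and kill are already lists, so start_commands /
        # stop_commands receive a list of lists here -- confirm this matches
        # ProcessMonitor.set_options() in the boofuzz version in use. Also
        # confirm the wmic filter name="vulnserver" matches a process whose
        # proc_name is given as "vulnserver.exe".
        procmonclient.set_options(start_commands=[start], stop_commands=[kill], proc_name="vulnserver.exe")
        # Define session
        sess = Session(
            # Filename to save session data
            session_filename=sessfile,
            # Target options
            target=Target(
                # Target ip/port
                connection=TCPSocketConnection(targethost, port),
                # Crash detection via the process monitor
                monitors=[procmonclient],
                # Max bytes to recv per response
                max_recv_bytes=10000
            ),
            # Loggers for session
            fuzz_loggers=loggers
        )
        # Init request
        s_initialize("request")
        # Group of commands from the module-level list
        s_group("commands", commands)
        # Block instructing how to process the group
        if s_block_start("request", group="commands"):
            s_delim(" ", fuzzable=False)
            s_string("FZME")
            s_string("\r\n")
        # End block
        s_block_end("request")
        # Connect + send the request & fuzz
        sess.connect(s_get("request"))
        sess.fuzz()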
# Script entry point; argument parsing already ran at import time above
if __name__ == "__main__":
    main()