
I made a simple TCP fuzzer in Python. I need it to be able to receive some response, and if I don't get the response, break the loop. My code is this:

```python
# Python 2 (the traceback quoted later mentions /usr/lib/python2.7)
import socket
from time import sleep
import sys

ip = raw_input("please insert host ip: ")
port = input("please insert port to fuzz: ")
packet = raw_input("what string would you like to fuzz with? :  ")
multi = input("in what jumps would you liike to multiply the string ? (10 = A*10) : ")
host = ip, port
s = socket.socket()          # one socket object for the whole run
char = packet * multi        # chunk that gets prepended on every iteration
a = 1

try:
    while a > 0:             # a never changes, so this is meant to loop forever
        s.connect((host))    # host is already an (ip, port) tuple
        s.send(packet)
        sleep(1)
        print 'fuzzing param %s' % (packet)
        packet = char + packet
        s.close()            # closed here, but the same socket is reused on the next connect
except Exception:
    print "Connection lost for some reason"
```

But when I run the program I get this error:

```text
please insert host ip: 10.0.0.138
please insert port to fuzz: 80
what string would you like to fuzz with? :  A
in what jumps would you liike to multiply the string ? (10 = A*10) : 2
fuzzing param A
Connection lost
```

which is weird because it's just supposed to reconnect in an endless loop (I know the server didn't crash).

Ba7a7chy
  • I would highly recommend you try Peach: http://peachfuzzer.com/ – zenpoy Jul 15 '12 at 10:34
  • I wouldn't really use it professionally, I've got better fuzzers, but it's more of a Python programming exercise for me – Ba7a7chy Jul 15 '12 at 10:40
  • I think you should connect to the host every time: move `s.connect(host)` inside the `while` loop, because the server probably closes the connection when it gets this gibberish you are sending it. – zenpoy Jul 15 '12 at 10:44
  • When putting s.connect(host) into the loop I get another error that indicates the socket is already connected – Ba7a7chy Jul 15 '12 at 10:58

2 Answers


The remote endpoint simply hung up, probably because the data you send doesn't match the format it expects.

You can either create a new connection every time the remote end hangs up, or send data in the format that the remote end expects. For example, if the remote end is an HTTP server, you may want to send the request line first, and then the fuzzed part, like this:

```text
GET / HTTP/1.0
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```
phihag
  • I think that a big part of the fuzzing thing is to send stuff that is not necessarily in the format the server expects. – zenpoy Jul 15 '12 at 10:46
  • @EJP well that's just like your opinion man :) according to Wikipedia: "Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, __unexpected__, or random data to the inputs of a computer program". You don't have to believe in magic, just believe that programmers can make mistakes. – zenpoy Jul 15 '12 at 10:54
  • Well, I tried two things. First, from the comment above, I tried to move s.connect((host)) inside the loop, but I got an error because the socket was still connected; later I tried to put both s.connect and s.close() inside the loop, but it crashed again with the error `Traceback (most recent call last): File "./fuzzy.py", line 25, in s.connect((host)) File "/usr/lib/python2.7/socket.py", line 170, in _dummy raise error(EBADF, 'Bad file descriptor') socket.error: [Errno 9] Bad file descriptor` – Ba7a7chy Jul 15 '12 at 10:55
  • Just move everything in the loop (including socket creation). That should do it. – phihag Jul 15 '12 at 11:01
  • @zenpoy Of course programmers make mistakes. I make them every day. My point is why are you surprised when those mistakes have the predictable consequences which this answer correctly describes? – user207421 Jul 15 '12 at 11:03
  • Well, my loop now contains everything: `while a > 0: s.connect((host)) s.send(packet) sleep(1) data = s.recv(4) if data == " ": a = 0 else: a = 1 sleep(1) print 'fuzzing param %s' % (packet) packet = char + packet s.close()` and I still get the above error – Ba7a7chy Jul 15 '12 at 11:08
  • @EJP I was referring to this part of the answer, "or send data in the format that the remote end expects". I wasn't surprised, I just pointed out that in the context of fuzz testing, sending the data in the format that the server expects is kinda missing the whole point of fuzz testing... This answer sounds like a good answer, and it is advised to handle errors in general and especially in fuzz testing when you know you are sending wrong stuff. – zenpoy Jul 15 '12 at 11:09
  • @zenpoy Added an example for the format thing - that should clarify it a bit. – phihag Jul 15 '12 at 11:14

When you fuzz test (and in general) it is very important to handle errors. You should expect that something will go wrong when you are sending gibberish to your server. So I suggest that you wrap the calls in a try ... except ... finally: s.close() clause, and print debug messages to see when you fail to send, and start to see why. You don't know how the server reacts to what you send, and you might just have killed the server after the first call...

zenpoy
  • `while a > 0: try: s.connect((host)) s.send(packet) sleep(1) data = s.recv(4) except (RuntimeError, TypeError, NameError): print "Connection lost for some reason" sleep(1) print 'fuzzing param %s' % (packet) packet = char + packet s.close()` Well, maybe my syntax is wrong, but it just won't work :( – Ba7a7chy Jul 15 '12 at 11:36
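Putting both answers together (a fresh socket every round, everything inside try/except/finally, and the loop breaking on the first round that gets no reply), as an added Python 3 example that is not part of the question or either answer. The stub server is a constructed stand-in for the remote endpoint that hangs up on long payloads, so the whole thing runs against 127.0.0.1; the function names and the payload growth rule are assumptions mirroring the question's code.

```python
import socket
import threading
def start_stub_server(max_len):
    """Constructed stand-in for the remote end: replies to short payloads, hangs up on long ones."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was shut down: leave the thread
                return
            with conn:
                data = conn.recv(65536)
                if data and len(data) <= max_len:
                    conn.sendall(b"OK\n")  # anything longer gets no reply, just a close
    threading.Thread(target=serve, daemon=True).start()
    return srv

def stop_stub_server(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept() so the thread exits
    except OSError:
        pass
    srv.close()

def fuzz(host, port, seed=b"A", multi=2, max_rounds=10, timeout=2.0):
    """One fresh socket per round, closed in finally; stop at the first round with no reply."""
    results, payload = [], seed
    for _ in range(max_rounds):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)  # never block forever on a silent peer
        try:
            s.connect((host, port))
            s.sendall(payload)
            reply = s.recv(4)
            outcome = "ok" if reply else "hangup"  # b"" means the peer closed on us
        except ConnectionRefusedError:
            outcome = "refused"  # nothing listening any more: the target is down
        except OSError as exc:  # timeout, reset, EBADF and friends
            outcome = "error: %s" % exc
        finally:
            s.close()  # runs on every path, as the second answer advises
        results.append((len(payload), outcome))
        if outcome != "ok":
            break  # the "break the loop" the question asks for
        payload = seed * multi + payload  # same growth rule as the question's code
    return results
```

The returned list records the payload length at which the peer stopped answering, which is the one number you actually want out of a run like this.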