- #!/usr/bin/env python
- # -*- coding: latin-1 -*- # ###################################################
- # #
- # ~ .__ °.__ 0 o ^ .__ °__ `´ #
- # °____) __ __| | | °| ______°____ 0 ____ __ _________|__|/ |_ ___.__. #
- # / \| | °\ |°| | °/ ___// __ \_/ ___\| | °\_ __ \ o\ __< | | #
- # | o°| \ | / |_| |__\___ \\ ___/\ °\___| o| /| | \/ || |° \___ O| #
- # |___| /____/|____/____/____ °>\___ >\___ >____/ |__|° |__||__| / ____| #
- # `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/ ``´```´```´´´´`´``0_o\/´´`´´ #
- # #
- # uniofuzz.py - UniOFuzz #
- # #
- # DATE #
- # 01/16/2012 #
- # #
- # DESCRIPTION #
- # UniOFuzz - the universal fuzzing tool for browsers, web services, files, #
- # programs and network services/ports #
- # #
- # FOUND BY UNIOFUZZ #
- # http://www.exploit-db.com/exploits/18019 #
- # http://www.exploit-db.com/exploits/18008 #
- # http://www.exploit-db.com/exploits/18006 #
- # #
- # DEMONSTRATION #
- # http://www.youtube.com/watch?v=oYzc_vEidBQ #
- # #
- # AUTHOR #
- # pigtail23 - http://www.nullsecurity.net/ #
- # #
- ###############################################################################
- import argparse
- import sys
- import random
- import socket
- import time
- import os
# Banner strings; parh() interpolates them into the argparse description.
NAME = 'UniOFuzz - the universal fuzzing tool for browsers, web services, files , programs and network services/ports.'
VERSION = '0.1.2-beta'
AUTHOR = "pigtail23 | http://www.nullsecurity.net/ | pigtail23-(at)-nullsecurity.net"
def parh():
    """Parse the command line into the module-level ``args`` namespace.

    Every value-taking option defaults to ``True`` rather than ``None``; the
    rest of the program tests ``opt != True`` to learn whether the user
    supplied it.  Switch options (-f, -p, -w, -n) store ``True`` when present
    and are ``None`` otherwise.  With no arguments at all the help text is
    printed and the process exits with status 1.
    """
    global args
    parser = argparse.ArgumentParser(
        usage='%(prog)s -h/--help',
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description='%s #v%s\nby: %s\n' % (NAME, VERSION, AUTHOR),
        epilog='''
Examples:
Browser Fuzzing:
usage: ./%(prog)s -b template.html -m 1000 -e html/php/aspx -o /var/www [-c A] [-s 10000]
Web Service Fuzzing:
usage: ./%(prog)s -w -i 0.01 -ip 127.0.0.1 -port 80 [-c A] [-s 10000]
File Fuzzing:
usage: ./%(prog)s -f -m 1000 -e m3u/ini/pdf -o ~/files [-c A] [-s 10000]
usage: ./%(prog)s -ft template.m3u -m 1000 -e m3u/ini/pdf -o ~/files [-c A] [-s 10000]
Piping String to Program:
usage: ./%(prog)s -p -m 1000 -i 1.5 -d '/bin/ls -n' [-c A] [-s 10000]
Network Service/Port Fuzzing:
usage: ./%(prog)s -n -i 0.01 -ip 127.0.0.1 -port 25 [-c A] [-s 10000]
''')
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    # (flag, metavar, help) in help-output order; metavar None marks a switch
    # that is stored as the constant True instead of taking a value.
    options = (
        ('-b', 'templatefile.*', 'browser fuzz'),
        ('-f', None, 'filefuzz'),
        ('-ft', 'templatefile.*', 'fuzz files with template file'),
        ('-p', None, 'pipes strings to a program'),
        ('-d', "'/bin/ls -n'", 'program to execute'),
        ('-w', None, 'web daemon fuzz'),
        ('-n', None, 'network service fuzz'),
        ('-i', '0.01', 'intervall'),
        ('-o', '/var/www', 'outputfolder'),
        ('-s', '10000', 'max string length (default: 30000)'),
        ('-m', '10000', 'how many files/pipes'),
        ('-c', 'A', 'const character (default: random)'),
        ('-ip', '127.0.0.1', 'host ip'),
        ('-port', '80', 'host port'),
        ('-e', 'html,m3u,pdf,...', 'file extension'),
    )
    for flag, metavar, helptext in options:
        if metavar is None:
            parser.add_argument(flag, metavar='', help=helptext, const=True, action='store_const')
        else:
            parser.add_argument(flag, default=True, metavar=metavar, help=helptext)
    args = parser.parse_args()
def rand():
    """Return a random length in ``[1, limit)``.

    ``limit`` is the -s value when given, else 30000; ``args`` must already
    have been populated by parh().
    """
    limit = 30000 if args.s is True else int(args.s)
    return random.randrange(1, limit)
def ran():
    """Return rand() characters, each with a random code point 1..255.

    This is mode 1 of genstr(); the length is drawn first, then one random
    value per character.
    """
    length = rand()
    return ''.join("%c" % random.randrange(1, 256) for _ in range(length))
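def _repeated_char():
    """Mode 0: one random character (code 1..255) repeated rand() times."""
    ch = "%c" % random.randrange(1, 256)
    return ch * rand()


def _symbol_run():
    """Mode 2: a run of 0-5 ASCII punctuation characters (e.g. ``%%%`` or
    ``!"§``), then either repeated rand()//2 times or followed by rand() 'A's.
    """
    bands = ((33, 48), (58, 65), (91, 97), (123, 127))  # the four punctuation bands
    token = ''
    for _ in range(random.randrange(0, 6)):
        lo, hi = bands[random.randrange(0, 4)]
        token += "%c" % random.randrange(lo, hi)
    if random.randrange(0, 2) == 0:
        # integer division: under true division this would be a float length
        return token * (rand() // 2)
    return token + 'A' * rand()


def _html_entities():
    """Mode 3: 0-19 numeric HTML character references (``&#65;``), repeated rand()//2 times."""
    count = random.randrange(0, 20)
    token = ''.join('&#' + str(random.randrange(1, 256)) + ';' for _ in range(count))
    return token * (rand() // 2)


def _const_char():
    """Mode 4: the user's -c character repeated rand() times."""
    return args.c * rand()


def genstr(i):
    """Return one random fuzz string.

    When -c was given the constant-character mode (4) is always used;
    otherwise a mode in ``range(i)`` is drawn at random (callers pass 3 or
    4, so the HTML-entity mode 3 is only reachable from the browser and
    web-daemon fuzzers).  Lengths come from rand() and are therefore bounded
    by -s.

    Args:
        i: number of random modes to choose from (1..5).

    Raises:
        ValueError: if the drawn mode has no generator (i > 5); this used to
            surface as an UnboundLocalError on ``randomstr``.
    """
    mode = 4 if args.c is not True else random.randrange(0, i)
    builders = (_repeated_char, ran, _symbol_run, _html_entities, _const_char)
    if mode >= len(builders):
        raise ValueError('genstr: no generator for mode %d' % mode)
    return builders[mode]()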
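def filefuzz():
    """File fuzzing (-f / -ft): write args.m fuzz files into args.o.

    With -ft the template is read once and a random string is spliced into
    it at a random offset; with plain -f each file is just a random string.
    Output names are ``fuzz<n>.<args.e>``; progress is reported on one line
    with a carriage return.  Exits with status 1 if the template cannot be
    read.
    """
    template = None
    if args.ft is not True:
        try:
            with open(args.ft, 'r') as fh:
                template = fh.read()
        except IOError:
            print("Found no " + args.ft)
            sys.exit(1)
    for y in range(int(args.m)):
        filename = 'fuzz' + str(y) + '.' + args.e
        if template is None:
            content = genstr(3)
        else:
            # an empty template would make randrange(0, 0) raise; splice at 0 instead
            cut = random.randrange(0, len(template)) if template else 0
            content = template[:cut] + genstr(3) + template[cut:]
        with open(os.path.join(args.o, filename), "w") as out:
            out.write(content)
        sys.stdout.write(("\rfuzz{0}." + args.e + " generated!").format(y))
        sys.stdout.flush()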
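def brow():
    """Browser fuzzing (-b): write args.m files into args.o from a template.

    The template args.b is read once; each output file is the template with
    a random string spliced in at a random offset, prefixed by a meta-refresh
    pointing at the next file so a browser walks the whole series starting
    at fuzz0.<ext>.  Exits with status 1 if the template cannot be read.
    """
    try:
        with open(args.b, 'r') as fh:
            template = fh.read()
    except IOError:
        print("Found no " + args.b)
        sys.exit(1)
    for y in range(int(args.m)):
        filename = 'fuzz' + str(y) + '.' + args.e
        # the refresh target carries args.e as well; it used to be hard-coded
        # to '.html', which broke the chain for -e php/aspx
        nxt = 'fuzz' + str(y + 1) + '.' + args.e
        fix = '<meta http-equiv="refresh" content="0.2; URL=' + nxt + '">\n\n'
        cut = random.randrange(0, len(template)) if template else 0
        content = template[:cut] + genstr(4) + template[cut:]
        with open(os.path.join(args.o, filename), "w") as out:
            out.write(fix + content)
        sys.stdout.write(("\rfuzz{0}." + args.e + " generated!").format(y))
        sys.stdout.flush()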
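def conn(sbuf, ind):
    """Send one request to args.ip:args.port over TCP, then sleep args.i seconds.

    The 30 most recent requests are kept in ``conn.history``, a list stored
    on the function so it persists across calls (the previous local list was
    recreated on every call and so never held earlier requests).  If the
    connect or send fails with socket.error, the history is written to
    crashlogs/crashlog<i>.txt (oldest first) and the process exits with
    status 1.  A target that was never reachable (connection refused) ends
    the run the same way, which is why the message only asks whether it
    crashed.

    Args:
        sbuf: the request string to send.
        ind:  unused; kept so existing callers (netf, httpf) keep working.
    """
    history = getattr(conn, 'history', None)
    if history is None:
        history = conn.history = []
    history.append(sbuf)
    del history[:-30]  # keep only the 30 newest requests
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((args.ip, int(args.port)))
        sock.sendall(sbuf)  # sendall: send() may write only part of sbuf
    except socket.error:
        for i, payload in enumerate(history):
            with open('crashlogs/crashlog' + str(i) + '.txt', "w") as log:
                log.write(str(payload))
        print('\n\nHas it crashed? If not, your intervall may be to low! 30 last request saved to crashlogs/\n')
        sys.exit(1)
    finally:
        sock.close()
    time.sleep(float(args.i))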
def netf():
    """TCP network fuzzing (-n): send random strings to args.ip:args.port.

    Loops until conn() exits the process on a socket error; a spinner and a
    running request counter are written on a single line.
    """
    spinner = ('\\', '|', '/', '-')
    slot = 0     # NOTE(review): never advanced, so conn() always receives 0
    count = 1
    frame = 0
    while True:
        if slot == 10:
            slot = 0
        payload = genstr(3)
        sys.stdout.flush()
        sys.stdout.write("\r[{1}] Sending request: {0}".format(count, spinner[frame]))
        frame = (frame + 1) % 4
        count += 1
        conn(payload, slot)
def httpf():
    """HTTP fuzzing (-w): send malformed requests to args.ip:args.port.

    Each iteration draws a method, an HTTP version and one of four slots to
    receive the random string from genstr(4): the request path, or one of
    the three headers.  The other slots keep their fixed values.  Loops
    until conn() exits the process on a socket error.
    """
    getfile = 'index.html'  # path used whenever the path slot is not fuzzed
    methods = ("GET /", "POST /", "TRACE /", "PUT /", "OPTION /", "HEAD /")
    versions = (" HTTP/0.9\r\n", " HTTP/1.0\r\n", " HTTP/1.1\r\n", " HTTP/2.0\r\n")
    headers = ('Host: ' + str(args.ip) + ':' + str(args.port), 'User-Agent: Mozilla', 'Accept: */*')
    spinner = ('\\', '|', '/', '-')
    count, slot, frame = 1, 0, 0   # slot is never advanced; conn() always gets 0
    while True:
        if slot == 10:
            slot = 0
        randomstr = genstr(4)
        m_idx = random.randrange(0, 6)
        v_idx = random.randrange(0, 4)
        target = random.randrange(0, 4)  # 3 = fuzz the path, 0-2 = fuzz that header
        path = randomstr if target == 3 else getfile
        parts = [methods[m_idx] + path + versions[v_idx]]
        for idx, hdr in enumerate(headers):
            parts.append(hdr + (randomstr if idx == target else '') + '\n')
        request = ''.join(parts) + '\r\n\r\n'
        sys.stdout.flush()
        sys.stdout.write("\r[{1}] Sending request: {0}".format(count, spinner[frame]))
        frame = (frame + 1) % 4
        count += 1
        conn(request, slot)
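def printc():
    """Pipe fuzzing (-p): feed args.m random strings on stdin to args.d.

    Each string is written to pipes/pipe<i>.txt, the command is echoed and
    run through the shell with that file redirected to stdin, then the
    loop sleeps args.i seconds.  Exits with status 1 when pipes/ cannot be
    written.
    """
    prog = args.d
    for i in range(int(args.m)):
        pipe_path = 'pipes/pipe' + str(i) + '.txt'
        try:
            with open(pipe_path, "w") as fh:
                fh.write(genstr(3))
        except IOError:
            print("\nPlease create the folder pipes/\n")
            sys.exit(1)
        # args.d is passed to the shell unparsed on purpose so the operator can
        # give a program with arguments ('/bin/ls -n'); pipe_path is built
        # locally, so nothing from the fuzz data reaches the command line.
        cmd = "%s < %s" % (prog, pipe_path)
        print('\n' + cmd + '\n')
        os.system(cmd)
        time.sleep(float(args.i))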
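def _require_writable(folder, hint):
    """Write a probe file ``test.txt`` into *folder*; exit 1 naming *hint* if that fails."""
    try:
        with open(folder + '/test.txt', "w") as probe:
            probe.write("1")
    except IOError:
        print("\nPlease create the folder " + hint + "\n")
        sys.exit(1)


def main():
    """Parse options, check the output folders, and dispatch to one fuzzer.

    The mode is chosen by which options were supplied (a value option is
    ``True`` when absent, a switch is ``None``).  Ctrl-C is caught and
    reported; any other error propagates.
    """
    parh()
    if args.o is not True:
        _require_writable(args.o, args.o)
    if args.n is True or args.w is True:
        _require_writable('crashlogs', 'crashlogs/')
    try:
        if (args.m is not True) and (args.o is not True) and (args.b is not True) and (args.e is not True):
            print('\nBrowser fuzz!\n')
            brow()
            print('\n\nReady to fuzz!\n')
        elif (args.n is True) and (args.ip is not True) and (args.port is not True) and (args.i is not True):
            print('\nNetwork fuzz running!\n\nFuzzing: ' + args.ip + ':' + args.port + '\n')
            netf()
            print('\n')
        elif ((args.f is True) or (args.ft is not True)) and (args.m is not True) and (args.e is not True) and (args.o is not True):
            print('File fuzz!\n')
            filefuzz()
            print('\n\nReady to fuzz!\n')
        elif (args.ip is not True) and (args.port is not True) and (args.w is True) and (args.i is not True):
            print('\nWeb daemon fuzz running!\n\nFuzzing: http://' + args.ip + ':' + args.port + '/\n')
            httpf()
            print('\n')
        elif (args.p is True) and (args.i is not True) and (args.m is not True) and (args.d is not True):
            print("Piping it baby!\n")
            printc()
            print('\n')
        else:
            print('Fail!')
    except KeyboardInterrupt:
        print('\n\nWTF? Why did you stop me?\n')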
if __name__ == '__main__':  # script entry point; importing the module runs nothing
    main()