Writing a bare-bones FTP fuzzer service in Python

Back in Chapter 9, Weaponizing Python, on Python for pen testers, we built a server skeleton with nothing more than a core socket and a listening port. We also introduced a quick way to run something forever (well, until an event such as an interrupt): while True. We'll do something a little different for our fuzzing FTP server, because we need to mimic the appearance of a legitimate FTP server talking to the client: a banner, a couple of canned replies to the login commands, and then one deliberately oversized reply. We'll also introduce Python's try/except construct so we can handle errors and interrupts cleanly instead of dying with a traceback.

Fire up vim fuzzy.py and type out the program:

#!/usr/bin/python
import socket
import sys

host_ip = '0.0.0.0'
host_port = 21          # binding a port below 1024 needs root

# Let the user pick the payload size; bail out cleanly if it isn't an integer
try:
    i = int(raw_input(" How many bytes of fuzz? :"))
except ValueError:
    print " * Exception: Byte length must be an integer *"
    sys.exit(0)

fuzz = '\x7a' * i       # 0x7a is 'z'

server = None
client = None
try:
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Let us rebind quickly after a restart while the old socket is in TIME_WAIT
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host_ip, host_port))
    server.listen(1)
    print " ** Phuzzy Phil's FuzzTP ** Server is up. Listening at %s on port %d" % (host_ip, host_port)
    print "Fuzzing exploit length: %d bytes" % len(fuzz)
    client, address = server.accept()
    print "Connection accepted from FTP client %s, remote port %d" % (address[0], address[1])
    # Fake the FTP login dialogue. FTP replies are CRLF-terminated; without
    # the "\r\n" most clients will sit waiting for the end of the line.
    client.send("220 Connected to FuzzTP Server by Phuzzy Phil\r\n")
    client.recv(1024)                   # USER ...   (discarded)
    client.send("331 OK\r\n")
    client.recv(1024)                   # PASS ...   (discarded)
    client.send("230 OK\r\n")
    client.recv(1024)                   # first post-login command, e.g. SYST
    client.send("220 %s\r\n" % fuzz)    # the oversized reply
    print " Fuzz payload sent! Closing connection; exiting server. "
except socket.error as error:
    print "* Error * Details: " + str(error)
    sys.exit(1)
except KeyboardInterrupt:
    print " * Keyboard interrupt received * "
    sys.exit(1)
finally:
    # Close whatever we managed to open, in every exit path
    for s in (client, server):
        if s is not None:
            s.close()

Fun, right? Okay, let's see what we did here:

  • The first try/except section allows the user to define the fuzzing payload. Note that we take input with int(raw_input()). raw_input() always returns a string; if that string can't be parsed as an integer, int() raises a ValueError, which we handle with except ValueError. This is just some pretty code and not really necessary, and for the pen tester on a time crunch, I'm sure you'll just define the byte length directly in the code and modify it with Vim as you see fit.
  • We declare the fuzzing payload as fuzz, with \x7a as the byte. Obviously, use whatever you like, but I've been pretty sleepy lately so I'm sticking with z. I can't get z's in real life; I may as well stuff them into vulnerable buffers.
  • Now, the familiar part for anyone used to sockets in Python: we create a socket with socket.socket(socket.AF_INET, socket.SOCK_STREAM) and call it server. From there, we use server.bind() and server.listen() to stand up our server. Note that I'm passing a 1 to server.listen(); that's the backlog of queued connections, and since we're just testing with a single client, 1 is all that is necessary.
  • If you connect to our fuzzy little server with an FTP client or netcat, you'll see a conversation with FTP server response codes. Now you can see in our code that we're just faking it: at each step we read up to a kilobyte of whatever the client sends (USER, PASS, then its first post-login command) and toss it in the trash, answering with a canned success code each time, working our way up to sending the payload in place of a normal reply. If a client hangs rather than crashes, the first thing to check is that every reply ends in \r\n.
  • We wrap up with two except sections for handling errors or Ctrl + C.
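To see the whole exchange from both sides without touching port 21, here is an added example (my code, not the book's) that replays the same scripted handshake on an ephemeral loopback port and drives it with a minimal FTP client in a second thread. The function names, the client's command list (USER, PASS, SYST) and the 5000-byte default are assumptions for illustration; the reply codes and the 'z' filler byte are the book's.

```python
#!/usr/bin/env python3
"""Added example: loopback test of the FuzzTP-style handshake (Python 3).

Server side replays the book's scripted replies but takes the payload as a
parameter and listens on 127.0.0.1:<ephemeral>, so a small client in the
same process can exercise it and we can check what each side saw.
"""
import socket
import threading

CRLF = b"\r\n"

# Replies sent in response to the client's USER and PASS, in order
SCRIPT = [b"331 OK", b"230 OK"]


def build_fuzz(length, byte=0x7a):
    """Return `length` copies of `byte` (default 0x7a, 'z') as bytes."""
    if length < 0:
        raise ValueError("length must be non-negative")
    return bytes([byte]) * length


def serve_once(server, fuzz):
    """Accept one client, run the canned handshake, send the oversized
    reply, close. Returns the command lines the client sent."""
    client, _addr = server.accept()
    received = []
    try:
        client.sendall(b"220 Connected to FuzzTP Server" + CRLF)
        for reply in SCRIPT:
            received.append(client.recv(1024).rstrip(CRLF))  # USER / PASS
            client.sendall(reply + CRLF)
        received.append(client.recv(1024).rstrip(CRLF))      # e.g. SYST
        client.sendall(b"220 " + fuzz + CRLF)                 # the payload
    finally:
        client.close()
    return received


def recv_line(sock, limit=1 << 20):
    """Read one CRLF-terminated reply, up to `limit` bytes; a real client
    does the same, which is why a missing CRLF makes it hang."""
    buf = b""
    while not buf.endswith(CRLF) and len(buf) < limit:
        chunk = sock.recv(65536)
        if not chunk:
            break
        buf += chunk
    return buf


def talk(host, port, commands):
    """Minimal FTP client: read the banner, send each command, collect the
    reply to each. Returns the replies with CRLF stripped."""
    replies = []
    with socket.create_connection((host, port)) as s:
        replies.append(recv_line(s).rstrip(CRLF))
        for cmd in commands:
            s.sendall(cmd + CRLF)
            replies.append(recv_line(s).rstrip(CRLF))
    return replies


def run_loopback(length=5000):
    """Stand up the fake server on an ephemeral loopback port, drive it with
    the client in a thread, and return (commands_seen, replies_seen)."""
    fuzz = build_fuzz(length)
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # 0 = let the kernel pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    result = {}

    def client_thread():
        # Constructed login sequence; any FTP client sends something similar
        result["replies"] = talk("127.0.0.1", port,
                                 [b"USER anonymous", b"PASS test@", b"SYST"])

    t = threading.Thread(target=client_thread)
    t.start()
    try:
        result["commands"] = serve_once(server, fuzz)
    finally:
        server.close()
    t.join(5)
    return result["commands"], result["replies"]


if __name__ == "__main__":
    commands, replies = run_loopback(5000)
    for c in commands:
        print("client -> server:", c.decode())
    for r in replies:
        print("server -> client:", r[:40].decode(), "..." if len(r) > 40 else "")
    print("payload reply length:", len(replies[-1]))
```

The client side is deliberately dumb (it only parses line endings, not reply codes), which is exactly the point: a target that reads the final reply into a fixed buffer gets the whole 5000-byte line, and if it crashes instead of hanging you have found something worth a closer look.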