NAME
Fuzz - network services fuzzing interface.
VERSION
This document describes Fuzz version 0.06.
SYNOPSIS
use Fuzz;
my $fuzzer = Fuzz->new(
    RemoteAddr => 'localhost',
    RemotePort => 21,
    FuzzLevel  => ['Numbers'],
    Debug      => 1
);
$fuzzer->AuthTemplate("USER {USER}\r\nPASS {PASS}\r\n");
$fuzzer->AuthSuccess('220');
$fuzzer->AuthUser('test');
$fuzzer->AuthPass('test');
$fuzzer->ActionCmd([qw(MKD CWD)]);
$fuzzer->ActionExit('QUIT');
$fuzzer->ActionTemplate("{CMD} {BOF}\r\n");
$fuzzer->StartFuzzing;
$fuzzer->CreateReport('report.html');
DESCRIPTION
Fuzzing is a simple technique for feeding random input to applications to reveal their weaknesses (buffer overflows). This module provides a fairly flexible interface for creating generic fuzzers for most application layer protocols.
METHODS
Note: there are a bunch of private module methods which are not described here.
Constructor
new(ARGS)
Creates a new Fuzz instance. Takes arguments as key=>value pairs. Required arguments are:
Optional arguments are (they are described in the "Accessors/Mutators" section):
- FuzzLevel
- Debug
- Letters
- Numbers
- Formats
- ActionCmd
- ActionExit
- ActionTemplate
- AuthUser
- AuthPass
- AuthSuccess
- AuthTemplate
- ExploitTemplate
- ExploitShellcode
- ExploitLength
- ExploitCategory
- ExploitNeedLogin
- ExploitShellcodeDescription
Note: the RemoteAddr and RemotePort arguments can be replaced with their short form, e.g.: my $fuzzer = Fuzz->new('host:port');
Note: almost all the constructor arguments can be accessed by the corresponding methods (see the "Accessors/Mutators" section).
Accessors/Mutators
Note: accessors and mutators are generated by the http://search.cpan.org/~kawasaki/Class-Accessor-Children-0.02/lib/Class/Accessor/Children/Fast.pm module.
RemoteAddr([SCALAR])
Gets/sets IP/host of the target network service.
RemotePort([SCALAR])
Gets/sets port number of the target service.
FuzzLevel([SCALAR|ARRAYREF])
Gets/sets the fuzzing depth level. Two types of argument can be passed: an integer which indicates the fuzzing depth, or an arrayref with the names of fuzzing data categories. Available levels:
1 - 'Letters' only (e.g.: AAAAAA...)
>=2 - 'Letters' and 'Formats' (e.g.: AAAAAA... and %s%s%s...)
>=3 - 'Letters', 'Formats' and 'Numbers' (e.g.: AAAAAA..., %s%s%s... and +-100000...)
Socket([IO::Socket::INET])
Gets/sets connection descriptor.
Note: if calling as a setter, argument must be a valid IO::Socket::INET object.
Debug([SCALAR])
Gets/sets Debug flag.
Letters([HASHREF])
Gets/sets 'Letters' fuzzing data category.
Note: if calling as a setter, argument must be a valid hashref with 2 keys: _example => ARRAYREF and _data => Regexp.
Numbers([HASHREF])
Gets/sets 'Numbers' fuzzing data category.
Note: if calling as a setter, argument must be a valid hashref with 2 keys: _example => ARRAYREF and _data => Regexp.
Formats([HASHREF])
Gets/sets 'Formats' fuzzing data category.
Note: if calling as a setter, argument must be a valid hashref with 2 keys: _example => ARRAYREF and _data => Regexp.
ActionCmd([ARRAYREF])
Gets/sets ActionCmd attribute.
Note: if calling as a setter, argument must be an ARRAYREF of valid protocol commands.
ActionExit([SCALAR])
Gets/sets ActionExit attribute.
Note: if calling as a setter, argument must be a valid protocol command.
ActionTemplate([SCALAR])
Gets/sets ActionTemplate attribute. Required shortcuts:
{CMD} - protocol command currently being fuzzed
{BOF} - fuzzing data
Note: those shortcuts are required, but omitting them in an ActionTemplate call will not cause a fatal error; you will just be warned about a possible typo.
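How the FuzzLevel values and the ActionTemplate shortcuts described above combine into request lines, as an added sketch that is not the module's own code. The sub names resolve_fuzz_level and expand_template and the sample strings are assumptions made for illustration; nothing is sent over the network.

```perl
use strict;
use warnings;

# Constructed sample data per category; the module's real generators
# are not shown on this page.
my %SAMPLES = (
    Letters => [ 'A' x 16, 'A' x 64 ],
    Formats => [ '%s' x 8 ],
    Numbers => [ '100000', '-100000' ],
);

# Hypothetical helper: map a FuzzLevel value (integer or arrayref of
# category names) to the list of category names it selects.
sub resolve_fuzz_level {
    my ($level) = @_;
    if (ref $level eq 'ARRAY') {
        my @unknown = grep { !exists $SAMPLES{$_} } @$level;
        die "Unknown category: @unknown\n" if @unknown;
        return @$level;
    }
    die "FuzzLevel must be a positive integer or an arrayref\n"
        unless defined $level && $level =~ /^[1-9]\d*$/;
    my @cats = ('Letters');
    push @cats, 'Formats' if $level >= 2;
    push @cats, 'Numbers' if $level >= 3;
    return @cats;
}

# Hypothetical helper: expand {NAME} shortcuts. A missing required
# shortcut only produces a warning, matching the documented behaviour.
sub expand_template {
    my ($template, $required, %values) = @_;
    for my $name (@$required) {
        warn "Template lacks {$name}, possible typo\n"
            unless index($template, "{$name}") >= 0;
    }
    (my $out = $template) =~ s/\{(\w+)\}/exists $values{$1} ? $values{$1} : "{$1}"/ge;
    return $out;
}

my $template = "{CMD} {BOF}\r\n";
for my $cmd (qw(MKD CWD)) {
    for my $cat (resolve_fuzz_level(2)) {        # level 2: Letters and Formats
        for my $data (@{ $SAMPLES{$cat} }) {
            my $req = expand_template($template, [qw(CMD BOF)], CMD => $cmd, BOF => $data);
            (my $shown = $req) =~ s/\r\n\z/\\r\\n/;   # make the line ending visible
            printf "%-8s %s\n", $cat, $shown;
        }
    }
}
```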
AuthUser([SCALAR])
Gets/sets AuthUser attribute.
Note: if calling as a setter, argument must be a valid remote network service username.
AuthPass([SCALAR])
Gets/sets AuthPass attribute.
Note: if calling as a setter, argument must be a valid remote network service user's password.
AuthSuccess([SCALAR])
Gets/sets AuthSuccess attribute.
AuthTemplate(SCALAR)
Gets/sets AuthTemplate attribute. Required shortcuts:
{USER} - valid username
{PASS} - user's valid password
Note: those shortcuts are required, but omitting them in an AuthTemplate call will not cause a fatal error; you will just be warned about a possible typo.
ExploitTemplate([SCALAR])
Gets/sets ExploitTemplate attribute. Required shortcuts:
{CMD} - vulnerable protocol command
{BOF} - buffer overflow trigger
{SHC} - shellcode payload
Note: those shortcuts are required, but omitting them in an AuthTemplate call will not cause a fatal error; you will just be warned about a possible typo.
Optional shortcuts:
{NOP} - NOP assembler instruction (\x90)
ExploitShellcode([SCALAR])
Gets/sets shellcode which will be used for exploiting.
ExploitLength([SCALAR])
Gets/sets buffer overflow trigger's length.
ExploitCategory([SCALAR])
Gets/sets buffer overflow trigger's data category.
Note: if calling as a setter, argument must be a valid internal or custom defined data category.
ExploitNeedLogin([SCALAR])
Gets/sets authorization flag.
ExploitShellcodeDescription([SCALAR])
Gets/sets text description of currently used shellcode.
Other methods
StartFuzzing
Starts fuzzing process with defined preferences. No arguments needed.
StartExploit(SCALAR)
Starts exploiting process with defined preferences. Takes one required argument: vulnerable protocol command.
ExploitBuildStandalone([SCALAR], [SCALAR])
Builds standalone exploit application (perl script). Takes two optional arguments: exploit filename ('exploit.pl' by default) and exploit text description ('No description defined' by default).
Note: this method can be called only if a bug was found by StartFuzzing.
AddFuzzCategory(SCALAR, SCALAR, Regexp)
Adds a custom fuzzing data category. Takes three required arguments: category name, data generation rule and a regexp matching one character.
Note: this method requires the http://search.cpan.org/~daconti/Data-Generate-0.02/lib/Data/Generate.pod module to be installed.
Note: second argument must be a valid http://search.cpan.org/~daconti/Data-Generate-0.02/lib/Data/Generate.pod#BASIC_SYNTAX grammar rule.
Note: third argument must be a valid regexp (http://theoryx5.uwinnipeg.ca/CPAN/perl/pod/perlop.html#regexp_quotelike_operators) that matches strictly one character (token) of your data.
CreateReport(SCALAR)
Creates simple HTML report on Fuzz work. Takes one required argument: report filename.
LoadProtocolPreset(SCALAR, [ARRAY])
Loads internal protocol preset. Takes one required and one optional parameter: preset name and preset's required data. Available presets:
FTP - preset for File Transfer Protocol (optional data may be passed: username and password; if missing, they are set to anonymous:fuzz@itdefence.ru by default).
HTTP - preset for Hyper Text Transfer Protocol. Not implemented yet.
SMTP - preset for Simple Mail Transfer Protocol. Not implemented yet.
POP3 - preset for Post Office Protocol version 3. Not implemented yet.
SEE ALSO
http://search.cpan.org/~daconti/Data-Generate-0.02/lib/Data/Generate.pod
BUGS
Please report them to ksuri<AT>cpan<DOT>org.
AUTHOR
Aleksey Surikov.
COPYRIGHTS
© 2008 Aleksey Surikov (surikov<AT>itdefence<DOT>ru)
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.