#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#define FUZZ_DAEMON_PORT (9090)
#define AAAA_FUZZ (1)
#define NUMERIC_FUZZ (2)
static char http_res[65535];
static char fuzz_str[65535];
static unsigned int fuzz_int;
static int fuzz_int_neg;
void set_fuzz_str(char *mal_str);
static char fmt_fuzz_str[] = {
"HTTP/1.1 200 OK\n"
"Content-Type: text/html\n"
"Date: Sat Aug 28 1976 09:15:00 GMT\n"
"Expires: Sat Aug 28 1976 09:15:00 GMT\n"
"Cache-Control: no-cache, must-revalidate\n"
"Pragma: no-cache\n"
"Accept-Ranges: bytes\n"
"Content-Length: %d\r\n\r\n"
"\n<script>\n"
" function xml2_exploit() {\n"
" var request_url = location.protocol + '//' + location.host + '/'\n"
" var xml_http_request = new ActiveXObject('Msxml2.XMLHTTP.3.0');\n"
" xml_http_request.open(%s, request_url, false);\n"
" xml_http_request.send();\n"
" setTimeout(xml2_exploit, 1);\n"
" }\n"
" xml2_exploit();\n"
"</script>\n"
"\r\n\r\n"
};
int fuzz_start(int fuzz_type) {
int srv_sockfd = 0, cld_sockfd = 0;
struct sockaddr_in srv_addr, cld_addr;
int cld_addr_len = sizeof(struct sockaddr);
char recv_buf[1024];
WSADATA wsaData;
int mal_index = 0;
int cnt_aaaa=1;
WSAStartup(0x202, &wsaData);
memset(&srv_addr, 0, sizeof(struct sockaddr_in));
srv_addr.sin_family = AF_INET;
srv_addr.sin_addr.s_addr = INADDR_ANY;
srv_addr.sin_port = htons(FUZZ_DAEMON_PORT);
if((srv_sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) <= 0)
return -1;
if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(struct sockaddr)) < 0){
closesocket(srv_sockfd);
return -2;
}
if(listen(srv_sockfd, 1) < 0){
closesocket(srv_sockfd);
return -3;
}
memset(fuzz_str, 0, sizeof fuzz_str);
fuzz_str[0] = 'A';
set_fuzz_str(fuzz_str);
fuzz_int = 0x0;
fuzz_int_neg = 0;
printf("xml2 fuzz: listen fuzz daemon [%d/tcp] \n", FUZZ_DAEMON_PORT);
accept_again:
if((cld_sockfd = accept(srv_sockfd, (struct sockaddr *)&cld_addr, &cld_addr_len)) == -1){
closesocket(srv_sockfd);
return -4;
}
memset(&recv_buf, 0, sizeof(recv_buf));
recv_again:
if(recv(cld_sockfd, &recv_buf[0], sizeof(recv_buf) - 1, 0) <= 0)
goto recv_again;
printf("recv data: %s\n", recv_buf);
if(strstr(&recv_buf[0], "GET / HTTP/1.1") != NULL)
{
printf("HTTP response 200\n");
send(cld_sockfd, &http_res[0], strlen(http_res), 0);
closesocket(cld_sockfd);
memset(fuzz_str, 0, sizeof fuzz_str);
switch(fuzz_type){
case AAAA_FUZZ:
++cnt_aaaa;
if(cnt_aaaa == 65535)
goto fuzz_end;
memset(fuzz_str, 'A', cnt_aaaa);
set_fuzz_str(fuzz_str);
break;
case NUMERIC_FUZZ:
if(fuzz_int_neg == 0)
sprintf(fuzz_str, "%d", fuzz_int);
else if(fuzz_int_neg == 1){
if(fuzz_int >= 0xffffffff)
goto fuzz_end;
sprintf(fuzz_str, "-%d", fuzz_int);
}
set_fuzz_str(fuzz_str);
++fuzz_int;
if(fuzz_int >= 0xffffffff){
fuzz_int_neg = 1;
fuzz_int = 0x0;
}
break;
}
goto accept_again;
}
fuzz_end:
fprintf(stderr, "xml2 fuzz: fuzz end!\n");
if(srv_sockfd)
closesocket(srv_sockfd);
return 0;
}
void set_fuzz_str(char *mal_str) {
if(strlen(mal_str) > 65535-1){
printf("xml2 fuzz: too long malformed string\n");
exit(-1);
}
memset((void *)&http_res, 0, sizeof(http_res));
sprintf(http_res, fmt_fuzz_str, sizeof(http_res), mal_str);
}
static char banner[] = {
" ___ ___ \n" \
" / _ \\ / _ \\ \n" \
" __ __| (_) || | | | ___ \n" \
" \\ \\/ / \__. || | | | / __| \n" \
" > < / / | |_| || (__ \n" \
" /_/\\_\\ /_/ \\___/ \\___| \n" \
" \n" \
" xml2 fuzzer ver 1.0 \n" \
" \n" \
" ./xml2_fuzz \n" \
" \n"
};
int main() {
int ret = 0;
printf("%s", banner);
if((ret = fuzz_start(AAAA_FUZZ)) < 0)
fprintf(stderr, "xml2 fuzz: start failed!\n");
return 0;
}
