public ResultData(FuzzData test, string sent, DateTime start, DateTime end)
{
this.test = test;
this.sent = sent;
this.start = start;
this.end = end;
}
public string CreateRequest(FuzzData job, Random rand)
{
return($@"POST / HTTP/2
Host: {job.fullhost}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Transfer-Encoding: chunked".Replace("\n", "\r\n") + "\r\n");
}
public FuzzData(FuzzData src)
{
name = src.name;
maxLineLength = src.maxLineLength;
host = src.host;
port = src.port;
payload = src.payload;
seed = src.seed;
nextChar = src.nextChar;
nextLine = src.nextLine;
createInitialRequest = src.createInitialRequest;
insertNewlines = src.insertNewlines;
newline = src.newline;
_fullhost = src.fullhost;
}
private static string PrebakedHTTP(FuzzData job)
{
return($@"POST / HTTP/2
Host: {job.fullhost}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://{job.fullhost}/wherever
Content-Length: {job.payload.Length}
content-type: text/plain
Origin: https://{job.fullhost}
Connection: keep-alive
Cookie: veryFreshIndeed
Sec-GPC: 1
TE: Trailers
{job.payload}".Replace("\n", "\r\n"));;
}
private static async Task <int> Pwn(string host, short port, Action <FuzzData> callback)
{
string name = callback.Method.Name;
Log.Info($"Doing test [{name}] on {host}:{port}...");
string result = await Request.Post($"{harnessHost}/test", $"{{\"name\":\"{name}\"}}");
// Wait for a new instance of the test app to be up and running
await Request.Post($"{harnessHost}/restart", "{}");
// await Task.Delay(100);
// Log.Info(result);
List <FuzzData> atks = new List <FuzzData>();
FuzzData basis = new FuzzData(host, port, "{\"ayyy\":\"lmao\"}");
atks.Add(new FuzzData(basis));
atks.Add(new FuzzData(basis)
{
name = "RandomHeaders", nextLine = RandomHeader
});
atks.Add(new FuzzData(basis)
{
name = "AcceptHeaderStuffer", nextLine = new AcceptHeaderStuffer().NextLine
});
atks.Add(new FuzzData(basis)
{
name = "RandomAcceptHeaderStuffer", nextLine = new RandomAcceptHeaderStuffer().NextLine
});
atks.Add(new FuzzData(basis)
{
name = "HeaderContinuation", nextLine = new HeaderContinuation().NextLine
});
EndlessChunked ec = new EndlessChunked();
atks.Add(new FuzzData(basis)
{
name = "EndlessChunked", nextLine = ec.NextLine, createInitialRequest = ec.CreateRequest
});
foreach (FuzzData atk in atks)
{
try {
Log.Info($"Test [{atk.name}] starting");
atk.BindSocket();
callback(atk);
atk.UnbindSocket();
Log.Info($"Test [{atk.name}] finished");
} catch (Exception e) {
Log.Warning($"Unhandled Exception occurred during test {atk.name}:", e);
}
await Request.Post($"{harnessHost}/restart", "{}");
}
for (int i = 0; i < outputs.Count; i++)
{
var res = outputs[i];
File.WriteAllText($"{logfile}-{i}-{res.test.name}.txt", res.sent);
}
return(0);
}
private static void FuzzBasic(FuzzData job)
{
string fullhost = job.fullhost;
string payload = job.payload;
Random rand = new Random(job.seed);
string partialHttp = job.createInitialRequest(job, rand);
StringBuilder allSent = new StringBuilder();
StringBuilder allRead = new StringBuilder();
long bytesSent = 0;
long byteDebounce = 1024 * 1024;
DateTime start = DateTime.UtcNow;
void send(string data)
{
byte[] bytes = Encoding.UTF8.GetBytes(data);
allSent.Append(data);
job.sock.Send(bytes);
bytesSent += bytes.Length;
if (bytesSent >= byteDebounce)
{
byteDebounce *= 2;
Log.Debug($"Still sending. So far, sent {FormatBytes(bytesSent)} over {FormatTimeFrom(start)}.");
}
}
byte[] readBuff = new byte[4096];
void read()
{
try {
if (job.sock.Available > 0)
{
int bytesRead = job.sock.Receive(readBuff, 0, 4096, SocketFlags.None);
string str = Encoding.UTF8.GetString(readBuff, 0, bytesRead);
allRead.Append(str);
}
} catch (Exception e) { }
}
send(partialHttp);
StringBuilder nextLine = new StringBuilder();
DateTime end;
while (true)
{
try {
nextLine.Clear();
if (job.insertNewlines)
{
send(job.newline);
read();
}
if (job.nextLine != null)
{
nextLine.Append(job.nextLine(rand));
}
else
{
int len = rand.Next(2, job.maxLineLength);
for (int i = 0; i < len; i++)
{
nextLine.Append(job.nextChar(rand));
}
}
send(nextLine.ToString());
} catch (Exception e) {
end = DateTime.UtcNow;
TimeSpan elapsed = end - start;
Log.Warning($"Exception during test after sending {FormatBytes(bytesSent)} over {FormatTime(elapsed)}\nHTTP Message received:\n----------\n{allRead.ToString()}\n---------\n", e);
break;
}
}
ResultData result = new ResultData(job, allSent.ToString(), start, end);
outputs.Add(result);
}
