07-18-2012, 11:13 PM #1Security Researcher


X-Fuz source code of a raw & tiny dynamic browser fuzzer..."vinnu"
Namaste
Following is the source code of a tiny, raw dynamic browser fuzzer. The code is not very neat; also, this fuzzer does not run for infinite iterations and has many other limits.
The code can be modified and altered as you like.
It needs two files: Fuz.htm with the following code,
<html>
  <head>
    <title>X - Fuzzer </title>
  </head>
  <body>
    <h3>Let us fuzz...</h3>
    <!-- x.js holds the whole engine (state, launch functions, logging);
         it is loaded by a relative path, so keep both files in the same folder. -->
    <script src="x.js"></script>
  </body>
</html>
07-18-2012, 11:30 PM #2Security Researcher


and x.js, whose code is split across several blocks below; join all the blocks together:
/*** Author:"vinnu" Team:Legion Of Xtremers & Secfence Product: Limited dynamic X-Fuzzing engine Site:www.garage4hackers.com ***/
/*
 * Shared state, launch functions and logging helpers of x.js (loaded by
 * Fuz.htm via <script src="x.js">). The element/attribute loop itself,
 * evaporate(), and the spray helper sprinkler() come further down in the
 * file; the globals below are the values that loop reads and writes, and
 * each comment describes how that loop uses them.
 */
var divf = null;     // Output panel; evaporate appends progress lines and caught exceptions to divf.innerHTML (assigned elsewhere, presumably on page load).
var zxc = null;      // Scratch reference dropped by dummy(); not read in the visible code.
var ivalue = null;   // Value assigned to the current attribute/property inside evaporate.
var icheck = null;   // Checkbox control: when checked, every launch function rewinds iter to -1.
var iter =-1;        // Index into otag of the element being built; evaporate increments it before use.
var limit = 100;     // Number of attribute-assignment rounds per element (the vter loop in evaporate).
var loverride = 1; // This will override the limit: once spraying has run, evaporate sets limit = loverride.
var carpet = 0x50;   // Not referenced in the visible code.
var bsize = 0x040000 // Upper bound of the random length xseq (no semicolon here; ASI terminates the statement).
var robj;            // RegExp("=","g") used by evaporate to split "style='...'" entries into name and value.
var dgarb;           // Not referenced in the visible code.
var tform = "$#{transform}"; // Placeholder inside the style entries of oattr; evaporate replaces it with ivalue.
var scheck = false;     // Spray mode: values come from spray[0].title instead of Math.random().
var intercheck = false; // Internode mode: evaporate tries to attach the new element next to an earlier node (bobj[iter-1]) instead of straight onto document.body.
var sprayed = false;    // Set after the first call to sprinkler() so it runs only once.
// Tag names tried in order; evaporate does document.createElement(otag[iter]).
var otag = [
  "a","applet","area","acronym","article","aside","audio","address","abbr","bdo","bdi","big","blockquote","basefont","br","body","button","canvas","caption","cite","code","center","col","colgroup","command","circle","dd","div","datalist","dir","dfn","dl","dt","del","details","em","embed",
  "ellipse","fieldset","font","form","frame","frameset","figcaption","figure","footer","g","hr","h1","hgroup","head","header","html","i","ins","img","image","iframe","input","isindex","keygen","kbd","label","legend","li",
  "link","line","linearGradient","layer","map","menu","meta","meter","mark","marquee","nav","object","ol","option","optgroup","output","p","plaintext","param","progress","pre","polygon","polyline","path","q","rect","rp","rt","ruby","s","samp","script","small","section",
  "select","span","strike","strong","style","sub","sup","summary","source","svg","table","tbody","tfoot","textarea","td","tr","th",
  "thead","title","time","track","tt","text","tspan","tref","textPath","t:VIDEO","t:MEDIA","t:IMG","t:AUDIO","animateTransform","u","ul","var","video","vml","v:rect","v:roundrect",
  "v:line","v:polyline","v:oval","v:image","v:curve","v:group","v:shapetype","v:arc","v:stroke","v:fill","v:textbox","xmp","xml","wbr"
];
// Attribute / property names set on each element. Entries that start with
// "style=" carry the tform placeholder and are split on "=" by evaporate;
// every other entry is assigned directly as a property of the element.
var oattr = [
  "code","codebase","classid","face","fill","fillcolor","height","width","type","src","href","datasrc","value","title","offsetWidth","style='float:"+tform+";'",
  "style='display: block; mask: url(#"+tform+");'","style='z-index:"+tform+";'","style='list-style:"+tform+";'","style='clip: rect("+tform+");'",
  "style='font-variant:"+tform+";'","style='stroke: #"+tform+";'","style='stroke-width: #"+tform+";'","style='margin: #"+tform+";'",
  "style='fill:#"+tform+";'","style=\"behavior:url('#default#time2');\"","style=\"behavior:url(#default#VML);\"","class","cols","colspan","rows","role","size","dir","x","y","cx","cy","x1","y1","x2","y2",
  "points","attributeName","begin","from","dur","to","repeatCount","prompt","max","maxlength","rowspan","rules","scrollamount","scrolldelay","selected",
  "shape","wrap", // Basic attributes set end.
  "H","h","V","v","C","c","S","s","Q","q","T","t","A","a","Z","z","d","M","m","L","l",
  "accept","accept-charset","access-key","action","method","align","alink","alt","archive","aria-checked","aria-level","aria-pressed","aria-valuemax",
  "aria-valuemin","aria-valuenow","autocapitalize","autocomplete","autocorrect","autoplay","autosave","axis","behavior","background","bgcolor","bgproperties",
  "border","bordercolor","cellpadding","cellspacing","challenge","char","charoff","charset","checked","cellborder","cite","clear","codetype","compact",
  "composite","content","contenteditable","controls","data","datetime","declare","defer","direction","enctype","end","for","frame","frameborder","headers",
  "hidden","hreflang","hspace","http-equiv","incremental","ismap","keytype","label","lang","leftmargin","link","longdesc","loop","loopend","loopstart",
  "manifest","marginheight","marginwidth","mayscript","media","min","multiple","nohref","noresize","nosave","noshade","nowrap","object",
  /* events*/
  "onabort","onbeforecopy","onbeforecut","onbeforepaste","onbeforeunload","onblur","onchange","onclick","oncontextmenu","oncopy","oncut","ondblclick","ondrag",
  "ondragend","ondragenter","ondragleave","ondragover","ondragstart","ondrop","onerror","onfocus","ongesturechange","ongestureend","ongesturestart","oninput",
  "onkeydown","onkeypress","onkeyup","onload", // Events section end.
  "oversrc","placeholder","playcount","pluginpage","pluginspage","pluginurl","poster","rel","rev","scope","scrolling","span","standby"
];
// Format-string style values; only fmats[0] is used in the visible code (when the xfscheck box is ticked).
var fmats = ["%d%s%l%n","%s%s%s%s","%n%n%n%n","%d%d%d%d"];
var intermed = new Array(); // [name, value] of the style entry currently being split.
var obj = new Array();      // Elements created so far, indexed by iter.
var mobj = new Array();     // Nodes returned by appendChild/insertAdjacentElement in internode mode.
var spray;                  // Read as spray[0].title in spray mode; presumably filled by sprinkler() — confirm.
/* ---interval IDs--- */
var interv = new Array();   // One timer id per launch function (slots 0-5); killer() clears them all.
/* ------------------ */

// Timer callback (scheduled by evaporate) that only drops the zxc reference.
function dummy() { zxc = null; }

/*
 * Launch functions. Each one records its mode under the "fuz" log key, sets
 * the scheck/intercheck flags, rewinds iter when icheck is ticked, and
 * schedules evaporate. xplode and sprxplode run a single step (setTimeout);
 * the other four repeat every 100 ms (setInterval) until killer() is called.
 */
// Single step, random values.
function xplode() {
  logger("fuz","Start");
  intercheck=false;scheck = false;
  interv[0] = setTimeout(evaporate,100);
}
// Repeating, random values.
function loopxplode() {
  logger("fuz","Auto");
  if(icheck.checked){iter=-1;}
  intercheck = false;scheck = false;
  interv[1] = setInterval(evaporate,100);
}
// Single step, spray values.
function sprxplode() {
  logger("fuz","Spray");
  if(icheck.checked){iter=-1;}
  intercheck = false;scheck = true;
  interv[2] = setTimeout(evaporate,100);
}
// Repeating, spray values.
function sprautoxplode() {
  logger("fuz","Spray-n-Auto");
  if(icheck.checked){iter=-1;}
  intercheck = false;scheck = true;
  interv[3] = setInterval(evaporate,100);
}
// Repeating, internode placement, random values.
// NOTE: there is no semicolon after "scheck = false"; ASI inserts one before interv[4].
function interxplode() {
  logger("fuz","Internode");
  if(icheck.checked){iter=-1;}
  intercheck = true;scheck = false
  interv[4] = setInterval(evaporate,100);
}
// (forum note, originally interleaved here:) x.js file code save it in same folder where .htm file resides.
// Repeating, internode placement, spray values.
function sinterxplode() {
  logger("fuz","Internode-n-Spray");
  if(icheck.checked){iter=-1;}
  intercheck = true;scheck = true;
  interv[5] = setInterval(evaporate,100);
}

// Records one key/value pair in localStorage; any failure (storage unavailable,
// quota) is deliberately ignored so logging can never stop the run.
// localStorage outlives a tab or browser crash, which is presumably why the log
// is kept there instead of in the console; readlog() shows the last entries.
function logger(entity,value) {
  try {
    localStorage.setItem(entity,value);
  } catch(e) {}
}
// Shows the last recorded state in an alert: "parent", "child", "step" and
// "attrib" are written by evaporate, "fuz" by the launch functions.
// Storage errors are ignored, in which case nothing is shown.
function readlog() {
  try {
    var buf = "Parent:"+localStorage.getItem("parent");
    buf += "\n\tChild:"+localStorage.getItem("child");
    buf += "\n[*] Step:"+localStorage.getItem("step");
    buf += "\n\tTag: "+localStorage.getItem("attrib");
    buf += "\n[-] Fuzz:"+localStorage.getItem("fuz");
    alert(buf);
  } catch(e){}
}
// Stops every scheduled run by clearing all recorded timer ids. Browsers keep
// setTimeout and setInterval handles in one pool, so clearInterval works for both.
function killer() {
  for(var iiter=0;iiter<interv.length;iiter++) {
    clearInterval(interv[iiter]);
  }
}
/*** Verbose:**/
var buffer="";   // Text line evaporate builds for the current element: the tag name plus each attribute set on it.
var sbuf="";     // Not referenced in the visible code.
var preent="";   // Not referenced in the visible code.
var injex=0;     // Not referenced in the visible code.
var xseq=1024;   // Random length (0..bsize) used when spray values are truncated with substr(0,xseq).
var  // Declaration continues on the next line with xranl (scale of the random values), then arglimit, xargl, brect and evaporate().
xranl=100000.99999999999999999999999999999999999;//0xfffffffffffffffff; var arglimit=0; var xargl = 70; // The basic set of attributes. var brect = null; /* ****/ function evaporate() {if(xstopcheck.checked) {return;} iter++; obj[iter] = document.createElement(otag[iter]); logger("parent",otag[iter]); if(scheck==true && iter<limit && sprayed==false) {sprinkler();sprayed = true;limit=loverride;} // This limit overrides. logger("step","Sprinkled"); if(iter<otag.length) { divf.innerHTML += "<br>["+iter+"] : "+otag[iter]; setTimeout(dummy,1000); for(var vter = 0;vter<limit;vter++) { /*** Verbose:*/ buffer=/*"\n"+*/otag[iter]; /* ***/ if(xarg.checked)arglimit = oattr.length; else arglimit = xargl; for(var oter=0;oter<arglimit;oter++) { xseq = parseInt(Math.random()*bsize); if(scheck==true) { if(xfscheck.checked) { if(xlsize.checked) ivalue=spray[0].title+fmats[0]; else ivalue=(spray[0].title).substr(0,xseq)+fmats[0]; } else if(xlsize.checked) ivalue = (spray[0].title).substr(0,xseq); else ivalue = spray[0].title; logger("attrib",oattr[oter]+":sz:"+ivalue.length); } else if(scheck==false){ if(xfscheck.checked)ivalue=fmats[0]; else ivalue = /*(parseInt(*/Math.random()*xranl//));//.toString(16); logger("attrib",oattr[oter]+":"+ivalue); } try { if(oattr[oter].indexOf(tform)<0) { if(vcheck.checked) { alert(oattr[oter]+"="+ivalue); } (obj[iter])[oattr[oter]] = ivalue; /*** Verbose:*/ buffer+=" "/*"\n\t"*/+oattr[oter]+":"+ivalue; /* ***/ } else { robj = RegExp("=","g"); intermed = oattr[oter].split(robj,oattr[oter].length); if (scheck==true) { (obj[iter])[intermed[0]] =intermed[1].replace(tform,"\\\""+ivalue+"\\\""); /*** Verbose:*/ buffer+=" "/*"\n\t"*/+intermed[0]+":"; /* ***/ } else { logger("attrib",intermed[0]+":"+intermed[1].replace(tform,ivalue)); (obj[iter])[intermed[0]] =intermed[1].replace(tform,ivalue); /*** Verbose:*/ buffer+=" "/*"\n\t"*/+intermed[0]+":"; /* ***/ } } } catch(e){if(xvcheck.checked) {divf.innerHTML += "<br> Exception : "+e+"<br> Stack : "+e.stack;}} 
} logger("step","Attributes created."); if(intercheck==true && iter > 0) { //logger("step","Inside internode section."); try { logger("step","Appending childs in internode."); if((parseInt(Math.random()*64)%8)!=0) { mobj[iter] = bobj[iter-1].appendChild(obj[iter]); mobj[iter] = bobj[iter-1].insertAdjacentElement("beforeBegin",obj[iter]); if(mobj[iter]==null) mobj[iter] = document.body.appendChild(obj[iter]); } else { mobj[iter] = document.body.appendChild(obj[iter]); } logger("child",(mobj[iter]).tagName)
07-19-2012, 11:06 AM #3InfoSec Consultant


Awesome code... got a few crashes in the first 10 minutes of testing it; improving this code may give a lot more crashes.
thanks vinnu bhai....
08-04-2012, 05:48 AM #4Security Researcher
I just ran the code and glanced through it...
A few questions/comments.
The timeout should be smaller, no?
Why Spray?
Why not log to console? The verbose mode becomes annoying.
Too few test cases? I couldn't understand the logic behind this.
08-08-2012, 10:45 PM #5Security Researcher


Namaste, this is old code. It is no longer supported and was only for learning purposes.