MaddogTCP Fuzz Test

MaddogTCP is a set of utilities that plug together to allow fuzzing of a TCP connection server.


Programs + source here!

Programs

send.exe - Usage: send <Hostname> <Port>
Sends data from stdin to the hostname and port specified via TCP

proc.exe - Usage: proc <SendData.fuz file> [RandomSeed]
Reads send data from file, processes any commands, outputs to stdout

corrupt.exe - Usage: corrupt <RandomSeed> <Nth char to corrupt>
Reads data from stdin, corrupts every Nth char on average, outputs to stdout

repeat.exe - Usage: repeat <RandomSeed> <PrintString> <MinimumRepeats> [MaximumRepeats]
Reads print string as parameter, repeats it between Min and Max times, outputs to stdout
Supports #NNN for ASCII characters, example: #010 for \n  or  #000 for NULL

chooser - Usage: chooser <RandomSeed> <[file:][exec:]choice1> [ .. <[file:][exec:]choiceN> ]
Reads multiple options as parameters and chooses one to output to stdout
Using prefix "file:" will cause chooser to read from a file
Using prefix "exec:" will cause chooser to execute the DOS command given


Processor Commands

The following commands can be placed anywhere in the .fuz file and will be picked up by the appropriate program during runtime.  Send.exe will strip all commands before sending.

`r`  -  Tells send.exe to receive whatever data is waiting

`startcorrupt`  -  Tells corrupt.exe to start corrupting its output

`stopcorrupt`  -  Tells corrupt.exe to stop corrupting its output

`exec <command> [parameters]`  -  Tells proc.exe to execute a command with optional parameters and stream its output to stdout

Processor commands (particularly exec) may also use the $seed variable, which is assigned by the seed value passed to proc.exe.


Example SMTP File

The following .fuz file will send a message with either a corrupt or non-corrupt header and either a plain or HTML body that will always be corrupted.

`r`HELO from@localhost.com           (Recv welcome msg from server and send HELO)
`r`MAIL FROM: <from@localhost.com>   (Recv helo response and send from)
`r`RCPT TO: <to@localhost.com>       (Recv from response and send to)
`r`DATA                              (recv to response and switch to data mode)
`r``exec chooser $seed file:header_corrupt.fuz file:header_nocorrupt.fuz`
      (Choose to insert either a corrupt or no-corrupt header)

`startcorrupt``exec chooser $seed file:body_plain.fuz file:body_html.fuz``stopcorrupt`
      (Choose either a plain or HTML body)


.

`r`QUIT  (Recv message sent confirmation and disconnect)


Last updated: Paul Maddox, Aug 2006

README

Quick Start
===========

MaddogTCP consists of a number of separate utilities.  These can be
plugged together as needed along with third party utilities.

This section shows some examples of how to use MaddogTCP.  For
detailed descriptions of each command use the sections following
"Utility Chains".

Let's first look at the simplest use, where data is read from
a file and sent to the local machine on port 80.  hello.txt just
contains the words "Hello World".

  proc.exe hello.txt | send.exe localhost 80

The following output is displayed to show success:

  send.exe: Connected to server

Of course this isn't very useful because the HTTP server doesn't
understand what we've sent.

Now let's examine hello.txt more closely.  Currently it contains:

  Hello World

Suppose we want to send Hello World to the server and receive the
response?  For this we can use the command token `r`.  Let's
change our file to:

  Hello World

  `r`

At this point the file should be renamed hello.fuz, as it represents
more than just plain text.

The carriage returns are important so the HTTP server knows that it
has a command to process.  If we run the same command now we see:

  send.exe: Connected to server

  S] Hello World
  R] HTTP/1.1 400 Bad Request
  R] ...

Following the HTTP error you will also see some HTML for rendering the
error in a web browser.

The `r` command is more powerful than being able to receive data once.
For a more complicated protocol like SMTP it can be used to synchronise
an SMTP conversation.  For instance, to initiate an SMTP conversation
the following lines could be used (saved into a file called smtp.fuz):

  `r`HELO paulmdx@paulmdx.plus.com
  `r`MAIL FROM: <paulmdx@paulmdx.plus.com>
  `r`RCPT TO: <paulmdx@paulmdx.plus.com>
  `r`DATA

The first `r` receives the server welcome message, and subsequent `r`
commands receive the confirmation of what we've sent.  After DATA we
would then send the email.

Using the proc.exe utility to read data and send.exe to send it to
the server and receive a response is the fundamental functionality of
the MaddogTCP suite.  All further utilities are designed to extend
its functionality.  Supplementary utilities are listed below with a
brief example of their use.


Utility Chains
==============

You will see the use of the pipe token | quite frequently with Maddog,
which takes its design influence from unix tools.  This design uses
stdout (data usually destined for screen using printf) and stdin
(data usually read from the keyboard) to pipeline commands together.


Proc.exe
========

Usage: proc.exe templatefile.fuz

Proc will most likely be the first utility in the chain.  Proc accepts
a template .fuz file, which is essentially a TCP conversation from the
client's perspective.  This file contains all information you want to
send to the server along with some inline commands that can be used to
control Maddog's utilities.

Proc processes the file and sends the results to stdout.  This output
can then either be viewed in a cmd box (in the case of debugging) or
piped into further utilities using the | token.

Example usage:

proc.exe sendsmtp.fuz


Corrupt.exe
===========

Usage: corrupt.exe [seed] [Nth corruption]

Corrupt reads data from stdin (keyboard input, or more usefully
piped to it from another utility) and corrupts certain characters.
Passing a seed allows you to run multiple commands simultaneously
with different randomisation.  Nth corruption is the average
frequency of corruptions.  For instance providing 50 means there will
be a corruption every 50th character on average.

With default input Corrupt will not perform any corruption.  The user
must wrap any sections of data with `startcorrupt` and `stopcorrupt` in
order for Corrupt to perform corruption.  These commands can typically
be typed into the .fuz file using a text editor.

Example Usage:

proc.exe sendsmtp.fuz | corrupt 15351 50
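As an added illustration (not part of the MaddogTCP distribution), the following Python sketch reproduces the behaviour described in the Corrupt.exe section and by the `startcorrupt`/`stopcorrupt` processor commands: a seeded RNG so a crash can be replayed, one corruption every Nth byte on average, and every command passed through untouched for send.exe. The backquote-token regex and the rule of never emitting a backquote are assumptions of this sketch, not documented tool behaviour.

```python
import random
import re

# Inline commands sit between backquotes (`r`, `startcorrupt`, ...); the
# bytes in between are payload.  Assumed regex, modelled on the page's syntax.
TOKEN_RE = re.compile(rb"`([^`]*)`")

def _corrupt_bytes(chunk: bytes, rng: random.Random, nth: int) -> bytes:
    """Replace each byte with probability 1/nth, i.e. every Nth byte on average."""
    buf = bytearray(chunk)
    for i in range(len(buf)):
        if rng.randrange(nth) == 0:
            # Never emit a backquote: it would forge a command token that
            # send.exe strips, silently changing what reaches the server.
            byte = rng.randrange(256)
            buf[i] = byte if byte != 0x60 else 0x61
    return bytes(buf)

def corrupt_stream(data: bytes, seed: int, nth: int) -> bytes:
    """Mimic corrupt.exe: seeded, so a crash is reproducible by re-running the
    chain with the same seed; only payload between `startcorrupt` and
    `stopcorrupt` is touched, and every command passes through unchanged."""
    rng = random.Random(seed)
    out = bytearray()
    active = False
    pos = 0
    for m in TOKEN_RE.finditer(data):
        payload = data[pos:m.start()]
        out += _corrupt_bytes(payload, rng, nth) if active else payload
        cmd = m.group(1)
        if cmd == b"startcorrupt":
            active = True
        elif cmd == b"stopcorrupt":
            active = False
        out += m.group(0)      # `r` and friends are left for the next stage
        pos = m.end()
    tail = data[pos:]
    out += _corrupt_bytes(tail, rng, nth) if active else tail
    return bytes(out)
```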


Send.exe
========

Usage: send.exe hostname port

Send reads data from stdin (keyboard input, or more usefully piped to
it from another utility), opens a TCP connection to the host that is
specified, and sends the data it has read, taking note of any commands
within the stream (each wrapped in single backquotes, `).

As most TCP conversations are two-way and often require timing, Send
supports the command `r`.  This command tells Send to wait to receive
some data from the server.  Once received it will then resume sending
any data it still has.  The following start fragment of a .fuz file
shows how an SMTP conversation would begin:

`r`HELO <fromuser@fromhost.com>
`r`MAIL FROM: <fromuser@fromhost.com>
`r`RCPT TO: <touser@tohost.com>
`r`DATA
`r`

Note an `r` is the very first item in the .fuz file because upon
connect an SMTP server will send a welcome message.  To keep the send
and recv conversation in sync it must be received before attempting to
send an email.  Following the above the SMTP email would be sent, then
a \r\n.\r\n to indicate the email data had ended.

Example usage:

proc.exe sendsmtp.fuz | corrupt 15351 50 | send localhost 25
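To show the `r` synchronisation concretely, here is an added Python example (not send.exe's own code) that replays a processed stream over a connected socket, blocking on recv at each `r` and dropping every other command the way the page says Send does. The backquote-token regex, the scripted mail server, its replies and the stream are constructed stand-ins.

```python
import re
import socket
import threading

TOKEN_RE = re.compile(rb"`([^`]*)`")   # assumed: commands sit between backquotes

def replay_conversation(sock, stream: bytes, bufsize: int = 4096):
    """Act like send.exe: send payload, block on recv at each `r`, strip other commands."""
    transcript = []                     # [("S", sent) / ("R", received)] in order
    def send(payload: bytes) -> None:
        if payload:
            sock.sendall(payload)
            transcript.append(("S", payload))
    pos = 0
    for m in TOKEN_RE.finditer(stream):
        send(stream[pos:m.start()])
        if m.group(1) == b"r":
            transcript.append(("R", sock.recv(bufsize)))
        pos = m.end()                   # any other command is dropped, not sent
    send(stream[pos:])
    return transcript

def scripted_server(sock, greeting: bytes, replies) -> None:
    """Constructed stand-in for an SMTP server: greet, then answer each client line."""
    with sock:
        sock.sendall(greeting)
        for reply in replies:
            if not sock.recv(4096):
                break
            sock.sendall(reply)

SMTP_STREAM = (b"`r`HELO fuzz.local\r\n"  # constructed, as proc | corrupt would emit it
               b"`r`MAIL FROM: <from@localhost.com>\r\n"
               b"`r``startcorrupt`RCPT TO: <to@localhost.com>\r\n`stopcorrupt`"
               b"`r`QUIT\r\n`r`")

def demo():
    client, server = socket.socketpair()
    replies = [b"250 hello\r\n", b"250 ok\r\n", b"250 ok\r\n", b"221 bye\r\n"]
    t = threading.Thread(target=scripted_server, args=(server, b"220 fake.smtp ready\r\n", replies))
    t.start()
    log = replay_conversation(client, SMTP_STREAM)
    client.close()
    t.join()
    return log
```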