Skip to content

Instantly share code, notes, and snippets.

@DanielOaks DanielOaks/m_fuzz.c
Last active Dec 17, 2015

Embed
What would you like to do?
ircfuzz for Plexus3, mostly for fun
/************************************************************************
* IRC - Internet Relay Chat,
* Copyright (C) 2001 Hybrid Development Team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 1, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* $Id: m_fuzz.c,v 1.10 2004/03/30 00:53:55 leeh Exp $
*/
/* modified and ported version of ircfuzz v 0.3 by Ilja van Sprundel. */
/* List of ircd includes from ../include/ */
#include "stdinc.h"
#include "tools.h"
#include "handlers.h"
#include "client.h"
#include "common.h" /* FALSE bleah */
#include "dbuf.h"
#include "hash.h"
#include "hostmask.h"
#include "ircd.h"
#include "irc_string.h"
#include "sprintf_irc.h"
#include "numeric.h"
#include "fdlist.h"
#include "s_bsd.h"
#include "s_conf.h"
#include "s_log.h"
#include "s_serv.h"
#include "send.h"
#include "msg.h"
#include "parse.h"
#include "modules.h"
/* ircfuzz stuff */
static char arr[] =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%%^*()_-+={}[]\\|<>,.:;'\"";
char *strings[] =
{ "JOIN", "PRIVMSG", "KICK", "NOTICE", "NICK", "MODE", "TOPIC", "INVITE", "USER", "PASS", "OPER",
"NAMES", "LIST", "STATS", "PART", "WHO", "WHOIS", "WHOWAS", "PING", "PONG", "SQUERY", NULL };
// 25
#define SUBMSG_LENGTH 25
#define SUBMSG_LENGTH_WITH_NULL (SUBMSG_LENGTH + 1)
char *submsg[] =
{ "DCC SEND", "DCC CHAT", "DCC XMIT", "DCC OFFER", "XDCC LIST", "XDCC SEND", "FINGER", "VERSION",
"USERINFO", "CLIENTINFO", "TIME", "FINGER", "PING", "CDCC SEND", "CDCC LIST", "CDCC XMIT",
"XDCC XMIT", "DCC LIST", "XDCC OFFER", "XDCC CHAT", "CDCC OFFER", "CDCC OFFER", "DCC", "XDCC", "CDCC", NULL };
int
getseed(void)
{
int fd = open("/dev/urandom", O_RDONLY);
int random_int;
if (fd < 0) {
perror("open");
exit(0);
}
read(fd, &random_int, sizeof (random_int));
close(fd);
return random_int;
}
char *
gen_submsg(void)
{
if (rand() % SUBMSG_LENGTH_WITH_NULL) {
return submsg[rand() % SUBMSG_LENGTH];
} else {
return "";
}
}
char *
gen_command(void)
{
static char t[1200];
int len;
if (rand() % 23) {
return strings[rand () % 22];
/* raw 100000...1 */
} else {
len = (rand() % 1000) + 2;
t[0] = '1';
memset(t + 1, '0', len - 2);
t[len - 1] = '1';
t[len] = '\0';
return t;
}
}
void
fuzz(struct Client *target_p)
{
char command_buffer[100000];
int raw = rand() % 1000;
int random_length = 0;
int i = 0;
int a = 0;
int al = 0;
if (!(rand () % 10)) {
raw = -raw;
}
switch (rand () % 5) {
case 0: // long string
random_length = (rand () % 12000) + 10;
for (i = 0; i < random_length; i++) {
do {
command_buffer[i] = rand () % 256;
} while (command_buffer[i] == '\n' || command_buffer[i] == '\r' || command_buffer[i] == '\0');
}
break;
case 1: // fmtbug
strcpy (command_buffer, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n");
break;
case 2: // lots of arguments
a = (rand () % 230) + 20;
al = (rand () % 750) / a;
command_buffer[0] = '\0';
for (i = 0; i < a; i++) {
char t[100];
int j = 0;
for (j = 0; j < al; j++) {
t[j] = arr[rand () % sizeof (arr)];
}
t[j] = '\0';
strcat (command_buffer, t);
strcat (command_buffer, " ");
}
break;
case 3: // long alpha str
random_length = (rand () % 12000) + 10;
for (i = 0; i < random_length; i++) {
command_buffer[i] = arr[rand () % sizeof (arr)];
}
command_buffer[i] = '\0';
break;
case 4: // random stuff, random length
random_length = (rand () % 2500);
sprintf (command_buffer, ":%s %d ", me.name, raw);
al = strlen (command_buffer);
for (i = 0; i < random_length; i++) {
command_buffer[i + al] = rand () % 256;
}
command_buffer[i + al] = '\r';
command_buffer[i + al + 1] = '\n';
write (target_p->localClient->fd.fd, command_buffer, i + al + 2);
return;
// case 5: // long str with 0bytes
}
if (rand () % 5)
// netprintf (fd, ":%s %03d %s :%s%s", gen_hostname (), raw, Nnick, command_buffer,
// (rand () % 100) ? "\r\n" : "");
sendto_one(target_p, ":%s %03d %s :%s%s", me.name, raw, target_p->name,
command_buffer, (rand () % 100) ? "\r\n" : "");
else if (rand () % 3)
// netprintf (fd, ":%s %s %s :%s%s", gen_hostname (), gen_command (), Nnick,
// command_buffer, (rand () % 100) ? "\r\n" : "");
sendto_one(target_p, ":%s %s %s :%s%s", me.name, gen_command(), target_p->name,
command_buffer, (rand () % 100) ? "\r\n" : "");
else
// netprintf (fd, ":%s %s %s :\x01%s %s%s%s", gen_hostname (), "PRIVMSG",
// Nnick, gen_submsg (), command_buffer, (rand () % 20) ? "\x01" : "",
// (rand () % 100) ? "\r\n" : "");
sendto_one(target_p, ":%s %s %s :\x01%s %s%s%s", me.name, "PRIVMSG", target_p->name,
gen_submsg(), command_buffer, (rand () % 20) ? "\x01" : "",
(rand () % 100) ? "\r\n" : "");
return;
}
/* Hybrid stuff */
static int m_fuzz(struct Client *client_p, struct Client *source_p, int parc, char *parv[]);
struct Message fuzz_msgtab = {
"FUZZ", 0, 0, 0, 0, MFLG_SLOW, 0,
{m_unregistered, m_not_oper, m_fuzz, m_ignore, m_fuzz, m_ignore}
};
#ifndef STATIC_MODULES
void
_modinit(void)
{
mod_add_cmd(&fuzz_msgtab);
}
void
_moddeinit(void)
{
mod_del_cmd(&fuzz_msgtab);
}
const char *_version = "$Revision: 1 $";
#endif
static int
m_fuzz(struct Client *client_p, struct Client *source_p, int parc, char *parv[])
{
struct Client *target_p;
/* Verify that they should be executing this command in the first place. */
if(!IsServer(source_p) && !IsOper(source_p) && !IsAdmin(source_p)) {
// This should be a local connection.
sendto_one(source_p, ":%s NOTICE %s :You do not have the appropriate access, go way.", me.name, source_p->name);
sendto_wallops_flags(UMODE_WALLOP, &me, "Attempt to fuzz [%s] by %s!%s@%s",
parv[1], source_p->name, source_p->username, source_p->host);
return 0;
}
/* If they are allowed to use this command, and haven't specified any parameters, tell them how to use it. */
int fuzzed_responses = 10;
if (parc < 3) {
sendto_one(source_p, ":%s NOTICE %s :USAGE: fuzz <nick> [number of fuzzed responses]", me.name, source_p->name);
sendto_one(source_p, ":%s NOTICE %s : Defaults to 10 fuzzed responses", me.name, source_p->name);
} else {
fuzzed_responses = abs(atoi(parv[2]));
}
if(parc < 2) {
return 0;
}
/* Does this command belong on another server? If so, send it on its way. */
if((hunt_server(client_p, source_p, ":%s fuzz %s %s", 1, parc, parv)) != HUNTED_ISME) {
return 0;
}
/* They're authed and its for us. Find the client */
if((target_p = find_client(parv[1])) == NULL) {
/* However, if it doesn't exist, tell them so. */
//sendto_one(source_p, form_str(ERR_NOSUCHNICK), me.name, source_p->name, parv[1]);
sendto_one(client_p, form_str(ERR_NOSUCHNICK), me.name, client_p->name, parv[1]);
return 0;
}
/*
* Are they trying to fuzz a server, admin, or operator? if so, do nothing.
*/
if(IsServer(target_p) || IsAdmin(target_p) || IsOper(target_p)) {
sendto_one(client_p, ":%s NOTICE %s :Your attempt to fuzz [%s] was rejected.", me.name, source_p->name, target_p->name);
sendto_wallops_flags(UMODE_WALLOP, &me,
"Rejected attempt to fuzz [%s] by %s!%s@%s",
target_p->name, source_p->name, source_p->username, source_p->host);
return 0;
}
/* FIZZBUZZ, FUZZ! */
sendto_one(client_p, ":%s NOTICE %s :Fuzzing %s with %d fuzzed responses.", me.name, client_p->name, target_p->name, fuzzed_responses);
sendto_one(target_p, ":%s NOTICE %s :You're being fuzzed, %d responses.", me.name, target_p->name, fuzzed_responses);
int i = 0;
do {
fuzz(target_p);
i++;
} while (i < fuzzed_responses);
/* finish */
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.