Last active
October 18, 2023 08:57
-
-
Save PMaynard/9053046 to your computer and use it in GitHub Desktop.
Proxy Fuzz
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Proxyfuzz: a TCP and UDP proxy man-in-the-middle fuzzer | |
# v 0.1 | |
# By Rodrigo Marcos | |
# http://www.theartoffuzzing.com | |
from twisted.protocols import portforward | |
from twisted.internet.protocol import DatagramProtocol | |
from twisted.internet import reactor | |
import getopt, sys | |
from random import randint | |
# UDP Proxy stuff | |
class Client(DatagramProtocol): | |
def __init__(self, server, host, port): | |
self.server = server | |
self.host = host | |
self.port = port | |
def startProtocol(self): | |
self.transport.connect(desthost, destport) | |
def datagramReceived(self, data, (host, port)): | |
global verbose | |
global notuntil | |
global request | |
global testclient | |
if testclient: | |
if request < notuntil: | |
request = request + 1 | |
else: | |
data = fuzz(data) | |
if verbose: | |
print "Server ------> Client" | |
print "%r" % data | |
self.server.transport.write(data, (self.host, self.port)) | |
class Server(DatagramProtocol): | |
client = None | |
def datagramReceived(self, data, (host, port)): | |
if not self.client or self.client.host != host or self.client.port != port: | |
self.client = Client(self, host, port) | |
reactor.listenUDP(0, self.client) | |
global verbose | |
global notuntil | |
global request | |
global testserver | |
if testserver: | |
if request < notuntil: | |
request = request + 1 | |
else: | |
data = fuzz(data) | |
if verbose: | |
print "Client ------> Server" | |
print "%r" % data | |
self.client.transport.write(data, (desthost, destport)) | |
# TCP proxy stuff | |
def server_dataReceived(self, data): | |
global verbose | |
global notuntil | |
global request | |
global testserver | |
if testserver: | |
if request < notuntil: | |
request = request + 1 | |
else: | |
data = fuzz(data) | |
if verbose: | |
print "Client ------> server" | |
print "%r" % data | |
portforward.Proxy.dataReceived(self, data) | |
portforward.ProxyServer.dataReceived = server_dataReceived | |
def client_dataReceived(self, data): | |
global verbose | |
global notuntil | |
global request | |
global testclient | |
if testclient: | |
if request < notuntil: | |
request = request + 1 | |
else: | |
data = fuzz(data) | |
if verbose: | |
print "Server ------> Client" | |
print "%r" % data | |
portforward.Proxy.dataReceived(self, data) | |
portforward.ProxyClient.dataReceived = client_dataReceived | |
overflowstrings = ["A" * 255, "A" * 256, "A" * 257, "A" * 420, "A" * 511, "A" * 512, "A" * 1023, "A" * 1024, "A" * 2047, "A" * 2048, "A" * 4096, "A" * 4097, "A" * 5000, "A" * 10000, "A" * 20000, "A" * 32762, "A" * 32763, "A" * 32764, "A" * 32765, "A" * 32766, "A" * 32767, "A" * 32768, "A" * 65534, "A" * 65535, "A" * 65536, "%x" * 1024, "%n" * 1025 , "%s" * 2048, "%s%n%x%d" * 5000, "%s" * 30000, "%s" * 40000, "%.1024d", "%.2048d", "%.4096d", "%.8200d", "%99999999999s", "%99999999999d", "%99999999999x", "%99999999999n", "%99999999999s" * 1000, "%99999999999d" * 1000, "%99999999999x" * 1000, "%99999999999n" * 1000, "%08x" * 100, "%%20s" * 1000,"%%20x" * 1000,"%%20n" * 1000,"%%20d" * 1000, "%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x"] | |
def bitflipping(data): | |
l = len(data) | |
n = int(l*7/100) # 7% of the bytes to be modified | |
for i in range(0,n): # We change the bytes | |
r = randint(0,l-1) | |
data = data[0:r] + chr(randint(0,255)) + data[r+1:] | |
return data | |
def bofinjection(data): | |
l = len(data) | |
r = randint(0,len(overflowstrings)-1) | |
data = data[0:r] + overflowstrings[r] + data[r-l:] | |
return data | |
def fuzz(data): | |
r = randint(0,5) | |
if r==0: | |
data = bitflipping(data) | |
r = randint(0,5) | |
if r==0: | |
data = bofinjection(data) | |
return data | |
def startudpproxy(): | |
reactor.listenUDP(localport, Server()) | |
reactor.run() | |
def starttcpproxy(): | |
reactor.listenTCP(localport, portforward.ProxyFactory(desthost, destport)) | |
reactor.run() | |
def usage(): | |
#print "###############################################################" | |
print "ProxyFuzz 0.1, Simple fuzzing proxy by Rodrigo Marcos" | |
print "http://www.theartoffuzzing.com" | |
print "usage():" | |
print "python proxyfuzz -l <localport> -r <remotehost> -p <remoteport> [options]" | |
print " [options]" | |
print " -c: Fuzz only client side (both otherwise)" | |
print " -s: Fuzz only server side (both otherwise)" | |
print " -w: Number of requests to send before start fuzzing" | |
print " -u: UDP protocol (otherwise TCP is used)" | |
print " -v: Verbose (outputs network traffic)" | |
print " -h: Help page" | |
verbose = False | |
notuntil = 0 | |
request = 0 | |
proto = "tcp" | |
localport = 0 | |
desthost = "" | |
destport = 0 | |
testclient = 1 | |
testserver = 1 | |
def main(): | |
global verbose | |
global notuntil | |
global proto | |
global localport | |
global desthost | |
global destport | |
global testclient | |
global testserver | |
try: | |
opts, args = getopt.getopt(sys.argv[1:], "uvhcsl:r:p:w:", ["help"]) | |
except getopt.GetoptError: | |
usage() | |
sys.exit(2) | |
try: | |
for o, a in opts: | |
if o in ("-h", "--help"): | |
usage() | |
sys.exit() | |
if o == "-l": | |
localport=int(a) | |
if o == "-r": | |
desthost=a | |
if o == "-p": | |
destport=int(a) | |
if o == "-v": | |
verbose = True | |
if o == "-w": | |
notuntil=int(a) | |
if o == "-u": | |
proto="udp" | |
if o == "-c": # Only client | |
testserver=0 | |
if o == "-s": # Only server | |
testclient=0 | |
except: | |
usage() | |
sys.exit(2) | |
if testserver==0 and testclient==0: | |
usage() | |
sys.exit(2) | |
elif localport==0 or desthost=="" or destport==0: | |
usage() | |
sys.exit(2) | |
else: | |
if proto=="tcp": | |
starttcpproxy() | |
else: # UDP | |
startudpproxy() | |
if __name__ == "__main__": | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment