Thread: spike fuzzer 2.9-bt4 issues - A) segfault - B) response issues

  1. #1
    Just burned his ISO (Join Date: Jan 2010, Posts: 4)

    spike fuzzer 2.9-bt4 issues - A) segfault - B) response issues

    Hi All,
    I am trying to research spike fuzzer more (as part of background for OSCE), but on BT5 I am not getting any joy with it at all. (Maybe I'm not using it right, but the docs aren't much help.)


    Issue A)

    I'm following the very well written examples at:

    http://resources.infosecinstitute.com/intro-to-fuzzing/

    I get to the first fuzz of vulnserver with the following *.spk file (should be dead simple?):

    s_readline(); //print received line from server
    s_string_variable(“COMMAND”); //send fuzzed string

    The run is as follows:

    ~/vulnserver# /pentest/fuzzers/spike/src/generic_send_tcp 192.168.1.71 9999 vscommand.spk 0 0

    And I get this:

    <truncated for brevity>
    ring_variables_string_variables_string_variables_s tring_variables_string_variables_string_variables_ string_variables_string_variables_string_variables _string_variables_string_variables_string_variable s_string_variables_string_variables_string_variabl es_string_variables_string_variables_string_variab les_string_variables_string_variables_string_varia bles_string_variables_string_variables_string_vari ables_string_variables_string_variables_string_var iables_string_variables_string_variables_string_va riables_string_variables_string_variables_string_v ariables_string_variables_string_variables_string_ variables_string_variables_string_variables_string _variables_string_variables_string_variables_strin g_variables_string_variables_string_variables_stri ng_variables_string_variables_string_variables_str ing_variables_string_variables_string_variables_st ring_variables_string_variables_string_variables_s tring_variables_string_variables_string_variables_ string_variables_string_variables_string_variables _string_variables_string_variables_string_variable s_string_variables_string_variables_string_variabl es_string_variables_string_variables_string_variab les_string_variables_string_variables_string_varia bles_string_variables_string_variables_string_vari ables_string_variables_string_variables_string_var iables_string_variables_string_variables_string_va riables_string_variables_string_variables_string_v ariables_string_variables_string_variables_string_ variables_string_variables_string_variables_string _variables_string_variables_string_variables_strin g_variables_string_variables_string_variables_stri ng_variables_string_variables_string_variable!
    Segmentation fault

    My spike version is the latest (on BT5, updated this morning). I have removed and reinstalled it with apt-get successfully, so it is fresh.

    Here is my version info:

    dpkg -l spike
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name Version Description
    +++-========================-========================-================================================================
    ii spike 2.9-bt4 A powerful network fuzzer.


    I have set the library path with:

    . /pentest/fuzzers/spike/src/ld.sh

    So really not sure how this is crashing so badly.


    Issue B)
    I also have some issues with an SMTP *.spk I was trying to do, where it refuses to listen to responses or pause in between protocol commands (it ignores blank lines and/or sleep commands, and just sends everything at once without listening to responses from the server).

    The target server is a VMware Player Windows system, with an SMTP application, in a bridged configuration.

    Manual SMTP messages are received fine using netcat, so it is nothing to do with the setup or connectivity.

    spike refuses to listen to responses other than the initial banner.
    How do I get it to converse? It's sending data way too fast and not listening for responses.
    I used the default SMTP audit files, for example:

    /pentest/fuzzers/spike/src/generic_send_tcp 192.168.1.71 25 /pentest/fuzzers/spike/src/audits/SMTP/smtp1.spk 0 0

    and I get the following errors at the other end:

    Network I/O error 64 (0X00000040) encountered when awaiting command from 192.168.1.66.

    So I tried using the following *.spk file (putting in some pauses and readlines) and it still does the same:

    s_readline();
    s_string_variable("HELO");
    s_string(" ");
    s_string_variable("localhost");
    s_string("\r\n");
    sleep(1);

    s_readline();
    s_string("MAIL FROM");
    s_string(": ");
    s_string_variable("bob");
    s_string("@");
    s_string_variable("bob");
    s_string(".");
    s_string_variable("com");
    s_string("\r\n");
    sleep(1);

    s_readline();
    s_string("RCPT TO: ");
    s_string_variable("postmaster");
    s_string("@");
    s_string_variable("company");
    s_string(".");
    s_string("mail");
    s_string("\r\n");
    sleep(1);

    s_readline();
    s_string("DATA\r\n");
    s_string_variable("Message-ID");
    s_string(":");
    s_string_variable("123");
    s_string("\r\n");
    sleep(1);

    s_readline();
    s_string_variable("ASDFK");
    s_string("\r\n");
    sleep(1);

    s_readline();
    s_string(".\r\n");
    sleep(1);

    s_readline();
    s_string("QUIT\r\n");
    sleep(1);

    s_readline();

    I know that exactly the same data works fine with netcat, so what is wrong with spike, or with the way I am using it?


    In wireshark I can see I'm not getting the responses in the readlines, and all the data is being sent in one packet:

    220 Relay Ready

    HELO localhost

    MAIL FROM: bob@bob.com

    RCPT TO: postmaster@whatever.com
    DATA

    Message-ID:123

    ASDFK

    .

    QUIT

    250 OK

    The 250 OK at the end is for the "HELO localhost" at the beginning. This is not a proper two-way conversation.


    Maybe I am just using spike wrong and these aren't bugs; if so, could someone please point me in a better direction?

    Many thanks
    Regards
    Ben

  2. #2
    muts (Developer) (Join Date: Jan 2006, Posts: 272)

    Re: spike fuzzer 2.9-bt4 issues - A) segfault - B) response issues

    Make sure you don't have funky chars in the spk file.

    For example ” vs " . Not the same. If in doubt, re-write the spk file from scratch in your favorite editor.
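A check for the problem muts describes, added here as an example and not taken from the thread or from SPIKE: it scans the text of a .spk file for typographic quotes and other non-ASCII characters that SPIKE's parser will not treat as string delimiters, reports their positions, rewrites them to ASCII, and flags lines whose ASCII quotes are unbalanced. The sample .spk text is constructed from the first post's file.

```python
# Added example (not part of the thread or of SPIKE): lint a .spk file for
# "fancy" quotes that look right in an editor but are not the ASCII '"'.
# Assumes the .spk contents are already available as a str.

# Typographic quote characters and the ASCII character each should have been.
FANCY_QUOTES = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
}

def find_fancy_chars(spk_text):
    """Return (line_no, col, char) for every non-ASCII character found."""
    hits = []
    for line_no, line in enumerate(spk_text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                hits.append((line_no, col, ch))
    return hits

def normalize_quotes(spk_text):
    """Replace typographic quotes with their ASCII equivalents."""
    return "".join(FANCY_QUOTES.get(ch, ch) for ch in spk_text)

def unbalanced_quote_lines(spk_text):
    """Line numbers whose count of ASCII double quotes is odd (unterminated string)."""
    return [n for n, line in enumerate(spk_text.splitlines(), start=1)
            if line.count('"') % 2 == 1]

# Constructed sample: the first post's file, with the curly quotes that broke it.
SAMPLE_SPK = (
    "s_readline(); //print received line from server\n"
    "s_string_variable(\u201cCOMMAND\u201d); //send fuzzed string\n"
)

if __name__ == "__main__":
    for line_no, col, ch in find_fancy_chars(SAMPLE_SPK):
        print(f"line {line_no} col {col}: U+{ord(ch):04X} {ch!r}")
    print(normalize_quotes(SAMPLE_SPK))
```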

  3. #3
    Just burned his ISO (Join Date: Apr 2009, Posts: 3)

    Re: spike fuzzer 2.9-bt4 issues - A) segfault - B) response issues

    Did you ever figure out your issue with spike running everything at once? I'm having a similar issue when fuzzing an FTP server. It gets the initial server message, but then sends all of my s_string() commands at once, which sounds similar to your issue. I can't seem to get past it.
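The two-way conversation that posts #1 and #3 were expecting, written out as an added example (not code from the thread or from SPIKE): each command is sent only after the previous reply has been read, and the reply code is recorded. The mock SMTP server, its "220 Relay Ready" / "250 OK" / "221 Bye" replies and the command list are constructed here so the exchange runs offline on loopback.

```python
# Added example (not code from the thread or from SPIKE): a lock-step SMTP
# session that sends each command only after the previous reply has arrived,
# i.e. the two-way conversation the posters expected. The mock server and
# its canned replies are constructed here so the example runs offline.
import socket
import threading

def mock_smtp_server(listener, transcript):
    """Answer like a minimal SMTP server and record every line received."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb", buffering=0)
    f.write(b"220 Relay Ready\r\n")            # banner, as in the capture above
    while True:
        line = f.readline()
        if not line:                           # client went away
            break
        transcript.append(line.rstrip(b"\r\n"))
        if line.startswith(b"QUIT"):
            f.write(b"221 Bye\r\n")
            break
        f.write(b"250 OK\r\n")
    conn.close()

def run_session(host, port, commands):
    """Return the reply codes seen, banner first, one per command sent."""
    codes = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb", buffering=0)
        codes.append(f.readline()[:3].decode())   # wait for the banner first
        for cmd in commands:
            f.write(cmd + b"\r\n")
            reply = f.readline()                   # block until the server answers
            if not reply:
                raise ConnectionError(f"no reply to {cmd!r}")
            codes.append(reply[:3].decode())
    return codes

def demo():
    """Run a three-command session against the mock server on a free port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    transcript = []
    t = threading.Thread(target=mock_smtp_server, args=(listener, transcript))
    t.start()
    cmds = [b"HELO localhost", b"MAIL FROM: <bob@bob.com>", b"QUIT"]
    codes = run_session("127.0.0.1", listener.getsockname()[1], cmds)
    t.join()
    listener.close()
    return codes, transcript
```

Compare the transcript with the Wireshark capture in post #1: here every command is matched by its own reply before the next one goes out.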
