src/generic_send_udp.c - spike (master)

Tree @master (Download .tar.gz)

generic_send_udp.c @master — raw · history · blame

/* halflife.c - the beginings of a halflife fuzzer


*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /*for memset*/
#include <sys/types.h>
#include <sys/socket.h>
#include <ctype.h> /*isalpha*/


#include "spike.h"
#include "hdebug.h"
#include "tcpstuff.h"
#include "udpstuff.h"
#include "dlrpc.h"
#define TOTALTOSEND 10
struct spike * our_spike;


void
usage()
{
  printf("Usage: ./gsu target port file.spk startvariable startfuzzstring startvariable startstring totaltosend\r\n");
  printf("./gsu 192.168.1.104 80 file.spk 0 0 5000\n");
  exit(-1);
}


int
main (int argc, char ** argv)
{
  char * target;
  int port;
  char * spkfile;
  /*change these to skip over variables*/
  int SKIPFUZZSTR=0;
  int SKIPVARIABLES=0;
  int fuzzvarnum;
  int fuzzstrnum;
  int firstfuzz;
  int totalsent,totaltosend;
  int i;
  
  if (argc!=7)
    {
      printf("argc=%d\n",argc);
      usage();
    }
  
  target=argv[1];
  printf("Target is %s\r\n",argv[1]);
  
  port=atoi(argv[2]);
  spkfile=(argv[3]); 
  SKIPVARIABLES=atoi(argv[4]);
  SKIPFUZZSTR=atoi(argv[5]);


  totalsent=1;
  totaltosend=atoi(argv[6]);

  our_spike=new_spike();
  
  s_init_fuzzing();

  if (SKIPFUZZSTR>s_get_max_fuzzstring())
    {
      printf("Your start fuzzstring is greater than %d, which is the maximum\n",s_get_max_fuzzstring());
      exit(1);
    }

    
  if (our_spike==NULL)
    {
      fprintf(stderr,"Malloc failed trying to allocate a spike.\r\n");
      exit(-1);
    }
  
  setspike(our_spike);
  
  
  if (spike_connect_udp(target,port)<0)
    {
      printf("Couldn't connect!\n");
      exit(-1);
    }
  
  printf("fd=%d\n",our_spike->fd);
 /*zeroth fuzz variable is first variable*/
  s_resetfuzzvariable();
  fuzzvarnum=0;
  fuzzstrnum=0;
  firstfuzz=1;

  while (!s_didlastvariable())
    {
      s_resetfuzzstring();
      /*zeroth fuzz string is no change*/

      
      if (firstfuzz)
	{
	  /*zeroth fuzz string is no change*/
      /*see below for why we have this if statement and loop*/
	  if (fuzzvarnum<SKIPVARIABLES )
	    {
	      for (fuzzvarnum=0; fuzzvarnum<SKIPVARIABLES; fuzzvarnum++)
		{
		  s_incrementfuzzvariable();
		}
	    }
	  
	  /*here is another part of where we implement the ability to jump to a particular
	    place in the fuzzing*/
	  if (fuzzstrnum<SKIPFUZZSTR)
	    {
	      for (fuzzstrnum=0; fuzzstrnum<SKIPFUZZSTR; fuzzstrnum++)
		{
		  s_incrementfuzzstring();
		}
	    }
	  firstfuzz=0;
	}
      else
	{
	  /*we reset this here so every new variable gets a new count*/
	  fuzzstrnum=0;
	}
      while(!s_didlastfuzzstring())
	{
	  printf("Fuzzing Variable %d:%d\n",fuzzvarnum,fuzzstrnum);
	  
	  spike_clear();
	  s_parse(spkfile);
/*
	  printf("spike size is 0x%x\n",(unsigned int)our_spike->datasize);
	  for (i=0; i<our_spike->datasize; i++) {
	    printf("0x%2.2x ",our_spike->databuf[i]);
	    
	  }
	  */
	  
	  if (spike_send()<0)
	    {
	      printf("Couldn't send data!\r\n");
	      exit(-1);
	    }
	  
	  //s_read_packet();
	  //

	  if (totalsent==totaltosend) 
	  {
		  printf("\nReached maximum packets to send (%d).\n",totaltosend);
		exit(0);
	  }
	  totalsent++;
	  
	  fuzzstrnum++;
	  s_incrementfuzzstring();
	  //spike_close_tcp();
	  /*Use this for testing against netcat*/
	  /*
	    sleep(1);
	  */
	}/*end for each fuzz string*/
      fuzzvarnum++;
      s_incrementfuzzvariable();
    }/*end for each variable*/
  
  
  printf ("\nDone fuzzing!\n");
    
  return 0;
}