NetSec

Ramblings of a NetSec addict

Fuzz FTP Commands

This peach pit makes the assumption that the FTP communication follows the sequence:

‘Receive Banner’ > ‘Send Anonymous Login’ > ‘Receive OK, Request Password’ > ‘Send Password’ > ‘Receive OK’ > ‘Send Command’ > ‘Receive Response’

In order to run this pit you can use the command below, but I’ve also created a python wrapper (below) which can be used to sequentially call peach with different commands to fuzz. This helps automate the process further.

peach -DCOMMAND=###Command to Fuzz### ftp_command_fuzz.xml

<Peach>list_of_commands.txt
 
    <!-- DATA SECTION -->
 
    <DataModel name="LoginAnon">
        <String value="USER " mutable="false" token="true"/>
        <String value="anonymous" mutable="false" token="true"/>
        <String value="\r\n" mutable="false" token="true"/>
    </DataModel>
 
    <DataModel name="PasswordAnon">
        <String value="PASS " mutable="false" token="true"/>    
        <String value="anonymous" mutable="false" token="true"/>
        <String value="\r\n" mutable="false" token="true"/>
    </DataModel>
 
    <DataModel name="Command">
        <String value="##COMMAND## " mutable="false" token="true"/>
        <!--Command To Fuzz -->
        <String value=""/>
        <String value="\r\n" mutable="false" token="true"/>
    </DataModel>
 
    <DataModel name="Response">
        <String value=""/>
    </DataModel>
 
    <!-- STATE SECTION -->
 
    <StateModel name="CommandFuzzing" initialState="PreAuth">
        <State name="PreAuth">
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
            <Action type="output">
                <DataModel ref="LoginAnon"/>
            </Action>
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
            <Action type="output">
                <DataModel ref="PasswordAnon"/>
            </Action>
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
            <Action type="changeState" ref="AuthorizedAnon"/>
        </State>
 
        <State name="AuthorizedAnon">
            <Action type="output">
                <DataModel ref="Command"/>
            </Action>
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
        </State>
    </StateModel> 
 
    <!-- AGENT SECTION -->
 
    <Agent name="LocalAgent">
        <Monitor name="Debugger" class="WindowsDebugger">
            <!-- Binary to fuzz path -->
            <!-- ### TO EDIT ### -->
            <Param name="CommandLine" value=" < Enter Path to Fuzzed Server > "/>
        </Monitor>
    </Agent>
 
    <!-- TEST SECTION -->
 
    <Test name="Default">
        <Agent ref="LocalAgent"/>
        <StateModel ref="CommandFuzzing"/>
        <Publisher class="TcpClient">
            <Param name="Host" value="127.0.0.1"/>
            <Param name="Port" value="21"/>
        </Publisher>
 
        <Logger class="File">
            <Param name="Path" value="Logs" />
        </Logger>
 
        <Strategy class="Sequential"/>
    </Test>
</Peach>

This is the python wrapper I used. It can be placed in any directory along with a text file ‘list_of_commands.txt’ containing a list of the commands you wish to fuzz. These must be on one per line.

import subprocess
 
# Open list of commands to enumerate #
readIn = open('list_of_commands.txt','r').read().splitlines()
 
pit_name = "ftp_command_fuzz.xml"
 
for elements in readIn:
    subprocess.call(['C:\Program Files\Peach\peach.exe', '-DCOMMAND='+elements, 'C:/Program Files/Peach/Pits/'+pit_name], shell=True)

You can download each of these files here:
Peach Pit: ftp_command_fuzz.xml
Python Wrapper: ftp_command_wrapper.py
Sample List of Commands: list_of_commands.txt