This Peach pit assumes the FTP conversation follows the sequence:
‘Receive Banner’ > ‘Send Anonymous Login’ > ‘Receive OK, Request Password’ > ‘Send Password’ > ‘Receive OK’ > ‘Send Command’ > ‘Receive Response’
To run this pit, use the command below. The value passed with -DCOMMAND is substituted for the ##COMMAND## define inside the pit, so each run fuzzes the argument of one FTP command. I have also written a Python wrapper (further below) that calls Peach sequentially with a different command each time, which automates the process further.
peach -DCOMMAND=###Command to Fuzz### ftp_command_fuzz.xml
<Peach>

  <!-- DATA SECTION -->
  <DataModel name="LoginAnon">
    <String value="USER " mutable="false" token="true"/>
    <String value="anonymous" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
  </DataModel>

  <DataModel name="PasswordAnon">
    <String value="PASS " mutable="false" token="true"/>
    <String value="anonymous" mutable="false" token="true"/>
    <String value="\r\n" mutable="false" token="true"/>
  </DataModel>

  <DataModel name="Command">
    <String value="##COMMAND## " mutable="false" token="true"/> <!-- Command To Fuzz -->
    <String value=""/>                                          <!-- The mutable argument that gets fuzzed -->
    <String value="\r\n" mutable="false" token="true"/>
  </DataModel>

  <DataModel name="Response">
    <String value=""/>
  </DataModel>

  <!-- STATE SECTION -->
  <StateModel name="CommandFuzzing" initialState="PreAuth">
    <State name="PreAuth">
      <Action type="input">
        <DataModel ref="Response"/>
      </Action>
      <Action type="output">
        <DataModel ref="LoginAnon"/>
      </Action>
      <Action type="input">
        <DataModel ref="Response"/>
      </Action>
      <Action type="output">
        <DataModel ref="PasswordAnon"/>
      </Action>
      <Action type="input">
        <DataModel ref="Response"/>
      </Action>
      <Action type="changeState" ref="AuthorizedAnon"/>
    </State>

    <State name="AuthorizedAnon">
      <Action type="output">
        <DataModel ref="Command"/>
      </Action>
      <Action type="input">
        <DataModel ref="Response"/>
      </Action>
    </State>
  </StateModel>

  <!-- AGENT SECTION -->
  <Agent name="LocalAgent">
    <Monitor name="Debugger" class="WindowsDebugger">
      <!-- Binary to fuzz path -->
      <!-- ### TO EDIT ### -->
      <Param name="CommandLine" value=" < Enter Path to Fuzzed Server > "/>
    </Monitor>
  </Agent>

  <!-- TEST SECTION -->
  <Test name="Default">
    <Agent ref="LocalAgent"/>
    <StateModel ref="CommandFuzzing"/>
    <Publisher class="TcpClient">
      <Param name="Host" value="127.0.0.1"/>
      <Param name="Port" value="21"/>
    </Publisher>
    <Logger class="File">
      <Param name="Path" value="Logs" />
    </Logger>
    <Strategy class="Sequential"/>
  </Test>

</Peach>
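The pit's input actions simply consume whatever the server sends; they never check that the banner was a 220, that USER got a 331, or that PASS got a 230, so a server that deviates from the assumed sequence will silently desynchronise the state model. As an added example (my own code, not part of the original post or of Peach), the script below drives the same banner > USER > PASS > command exchange in Python against a constructed toy FTP server so it runs offline, parses RFC 959 reply codes including multi-line replies, and checks the code at each step. It also handles the one common deviation, a server that logs anonymous in with 230 straight after USER, by skipping PASS. The class and function names (ToyFtpServer, fuzz_exchange, parse_reply) and the toy server's replies are assumptions made for this demonstration.

```python
import socket
import threading


class FtpProtocolError(Exception):
    """Raised when a reply breaks the sequence the pit assumes."""


def parse_reply(raw):
    """Parse one complete RFC 959 reply into (code, text).

    Single-line: 'ddd text\\r\\n'. Multi-line: 'ddd-text' ... 'ddd text'.
    Returns None while the buffered data is not yet a complete reply.
    """
    lines = raw.split("\r\n")
    if len(lines) < 2:                      # no CRLF-terminated line yet
        return None
    first = lines[0]
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in " -":
        raise FtpProtocolError("malformed reply line: %r" % first)
    code = int(first[:3])
    if first[3] == " ":
        return code, first[4:]
    # Multi-line reply: complete once a line 'ddd ' with the same code arrives.
    for i, line in enumerate(lines[1:-1], start=1):
        if line.startswith(first[:3] + " "):
            return code, "\n".join([first[4:]] + lines[1:i] + [line[4:]])
    return None


def recv_reply(sock):
    """Read until one complete reply has arrived (lock-step, one reply per step)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise FtpProtocolError("connection closed while waiting for a reply")
        buf += chunk
        parsed = parse_reply(buf.decode("latin-1"))
        if parsed is not None:
            return parsed


def expect(code, allowed, step):
    if code not in allowed:
        raise FtpProtocolError("%s: expected %s, got %d" % (step, allowed, code))


def fuzz_exchange(host, port, command, payload, timeout=5):
    """Banner -> USER -> PASS -> <command>, as the pit's StateModel does, but
    verifying each reply code. Returns the list of reply codes seen."""
    codes = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, _ = recv_reply(s)
        expect(code, (220,), "banner")
        codes.append(code)
        s.sendall(b"USER anonymous\r\n")
        code, _ = recv_reply(s)
        expect(code, (331, 230), "USER")
        codes.append(code)
        if code == 331:                     # 230 here means no PASS step is needed
            s.sendall(b"PASS anonymous\r\n")
            code, _ = recv_reply(s)
            expect(code, (230,), "PASS")
            codes.append(code)
        s.sendall(command.encode("ascii") + b" " + payload + b"\r\n")
        code, _ = recv_reply(s)             # fuzzed step: any reply code is fine
        codes.append(code)
    return codes


class ToyFtpServer(threading.Thread):
    """Constructed stand-in for the target server (assumption, not a real FTPd).
    Binds to port 0 so the OS picks a free port; serves a single connection."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = []                  # command lines as the server saw them

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        with conn:
            conn.sendall(b"220 toy ftp ready\r\n")
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                buf += data
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    cmd = line.decode("latin-1")
                    self.received.append(cmd)
                    verb = cmd.split(" ", 1)[0].upper()
                    if verb == "USER":
                        conn.sendall(b"331 Password required\r\n")
                    elif verb == "PASS":
                        conn.sendall(b"230 Logged in\r\n")
                    else:                   # multi-line reply exercises the parser
                        conn.sendall(b"500-Unknown command\r\n500 End\r\n")


if __name__ == "__main__":
    server = ToyFtpServer()
    server.start()
    print(fuzz_exchange("127.0.0.1", server.port, "MKD", b"A" * 300))
```

Pointing fuzz_exchange at a real server on port 21 with the commands from list_of_commands.txt gives a quick sanity check that the target actually follows the sequence the pit encodes before spending fuzzing time on it.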
This is the Python wrapper I used. It can be placed in any directory together with a text file ‘list_of_commands.txt’ containing the commands you wish to fuzz, one per line.
import subprocess

# Open the list of commands to enumerate, one command per line
with open('list_of_commands.txt', 'r') as f:
    readIn = f.read().splitlines()

pit_name = "ftp_command_fuzz.xml"

# Call Peach once per command; -DCOMMAND fills in ##COMMAND## in the pit.
# Passing an argument list (no shell=True) keeps the spaces in the paths intact.
for elements in readIn:
    if not elements.strip():        # skip blank lines in the list
        continue
    subprocess.call([r'C:\Program Files\Peach\peach.exe',
                     '-DCOMMAND=' + elements,
                     'C:/Program Files/Peach/Pits/' + pit_name])
You can download each of these files here:
Peach Pit: ftp_command_fuzz.xml
Python Wrapper: ftp_command_wrapper.py
Sample List of Commands: list_of_commands.txt