module PWN::Plugins::Fuzz

def self.authors
st.pentest@0dayinc.com>

def self.help
lts_arr = #{self}.socket(
red = target host or ip',
d => target port',
ional => :tcp || :udp (defaults to tcp)',
 - boolean connect to target socket using TLS (defaults to false)',
: \"optional - fuzz delimeter used in request to specify where payloads should reside (defaults to \u2665)\",
uired - String object of socket request w/ \u2665 as fuzz delimeter (e.g. '\"GET /\u2665\u2665 HTTP/1.1\\r\\nHost: \u2665127.0.0.1\u2665\\r\\n\\r\\n\"')\",
ired - payload string',
ional - :base64 || :hex || :html_entity || :url (Defaults to nil)',
: 'optional - number of times to encode payload (defaults to 1)',
 'optional - character encoding returned by PWN::Plugins::Char.list_encoders (defaults to UTF-8)',
ut: 'optional - float (defaults to 0.9)',
imit: 'optional - float (defaults to 0.3)'

def self.socket(opts = {})
get].to_s.scrub
.to_i
rotocol]
l? ? encoding = nil : encoding = opts[:encoding].to_s.strip.chomp.scrub.downcase.to_sym
th].nil? ? encoding_depth = 1 : encoding_depth = opts[:encoding_depth].to_i
g].nil? ? char_encoding = 'UTF-8' : char_encoding = opts[:char_encoding].to_s
er].nil? ? fuzz_delimeter = "\u2665" : fuzz_delimeter = opts[:fuzz_delimeter]
quest].to_s.encode(char_encoding, 'UTF-8')
yload].to_s.encode(char_encoding, 'UTF-8')
pth > 1
_depth).each do
Base64.strict_encode64(payload)
se64.strict_encode64(payload)
pth > 1
_depth).each do
d = ''
ch_byte { |b| hex_payload = "#{hex_payload}#{format('\x%02x', b)}" }
hex_payload
= ''
_byte { |b| hex_payload = "#{hex_payload}#{format('\x%02x', b)}" }
x_payload
y
pth > 1
_depth).each do
HTMLEntities.new.encode(payload)
MLEntities.new.encode(payload)
pth > 1
_depth).each do
CGI.escape(payload)
I.escape(payload)
g type: #{encoding} not supported."
eout].nil? ? response_timeout = 0.9 : response_timeout = opts[:response_timeout].to_f
_limit].nil? ? request_rate_limit = 0.3 : request_rate_limit = opts[:request_rate_limit].to_f
s_arr = []
ter index numbers in request
x_arr = []
with_index do |char, char_index|
dex_arr.push(char_index) if char == fuzz_delimeter
dex_arr should always return an even length,
quest is missing a fuzz delimeter.
x_arr.each_slice(2).with_index do |placeholder_slice, placeholder_slice_index|
_result = {}
_index_shift_width = placeholder_slice_index * 2
_index = placeholder_slice[0].to_i - begin_delim_char_index_shift_width
ndex_shift_width = (placeholder_slice_index * 2) + 2
ndex = placeholder_slice[1].to_i - end_delim_char_index_shift_width
equest.dup.delete(fuzz_delimeter).encode(char_encoding, 'UTF-8')
r_index.positive?
egin_delim_char_index..end_delim_char_index] = payload
char_index should always be 0
egin_delim_char_index] = payload
Plugins::Sock.connect(
,
ocol,
_result[:timestamp] = Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s
_result[:request] = this_request
_result[:request_encoding] = this_request.encoding.name
_result[:request_len] = this_request.length
oad in its rawest form (as long as it will undump first)
his_request.encode('ASCII-8BIT', undef: :replace).undump)
ock_obj.wait_readable(response_timeout)
k_obj.read
 response.length
zz_result[:response] = response.to_s.inspect
zz_result[:response_len] = response_len
zz_result[:response] = ''
zz_result[:response_len] = 0
te_limit
Plugins::Sock.disconnect(sock_obj: sock_obj)
o file once array reaches max length (avoid memory consumption issues)
lts_arr.push(this_socket_fuzz_result)
NRESET => e
sage
_result[:response] = response
_result[:response_len] = response.length
te_limit
Plugins::Sock.disconnect(sock_obj: sock_obj) unless sock_obj.nil?
o file once array reaches max length (avoid memory consumption issues)
lts_arr.push(this_socket_fuzz_result)
or => e
class}: #{e.message} #{e.backtrace}"
_result[:response] = response
_result[:response_len] = response.length
te_limit
Plugins::Sock.disconnect(sock_obj: sock_obj) unless sock_obj.nil?
o file once array reaches max length (avoid memory consumption issues)
lts_arr.push(this_socket_fuzz_result)
s_arr
 => e
ugins::Sock.disconnect(sock_obj: sock_obj) unless sock_obj.nil?