
I would like to seek help on using the SPIKE fuzzer to fuzz an FTP server (I am testing against the Freefloat FTP server) but have no idea how to go about it. I have researched and tested many different kinds of SPIKE fuzzing scripts against the FTP server, but the server would not crash.

Some of the scripts I tried look like this:

    s_readline();
    s_string("USER ");
    s_string_variable("COMMAND");
    s_string("\r\n");
    s_readline();
    s_string("PASS ");
    s_string_variable("COMMAND");
    s_string("\r\n");
    s_read_packet();

When I ran the script using 'generic_send_tcp' and also opened Wireshark to capture the traffic, the script does make the server crash. But the issue is that when I look into the first packet of the traffic it shows this:

500 'USER COMMAND' command not understood\r\n

But this wasn't the part that caused the server to crash. If the first packet were successful, it is supposed to move on to the password and state '230 User logged in'. But it couldn't manage to get through to the password stage.

So I would like to seek help from anyone who could please assist me with this problem, as I have really tried many different methods but could not manage to make it work.

Jeff Ferland
ebiz

2 Answers


Sorry, I can't help directly with the SPIKE component, but how do you know that the FreeFloat FTP server is even insecure and will crash? It may be well written and able to handle everything that SPIKE throws at it.

In the meantime, Metasploit has great FTP fuzzing modules that I have used in the past with lots of success.

http://www.metasploit.com/modules/auxiliary/fuzzers/ftp/ftp_pre_post

fixulate

I know that this question is very old, but I just want to point out that the part causing the server to crash contains the same regex "Command not understood!" ... But one just has to be patient! In my case (a while back), I had to check the captured packets in Wireshark one by one and check where (using a specific display filter) the server didn't reply anymore (it always sends back its header, so if no header is received that means a crash), and the packet just before that did the job. As always, I think it would be wise to always try to replicate the crash by just ^C && ^V-ing the stream from Wireshark and sending it to the server by means of a little script, just to check, before moving forward! In my case 512 bytes did the job!

Ants0
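The triage this answer describes, as an added example that is not part of the original post: a Python helper that scans a captured stream for the client request after which the server stopped answering (a "500 ... command not understood" reply still counts as the server being alive), and a replay function that re-sends that one payload and reports silence. The sample stream, the host and the port are constructed assumptions.

```python
import socket
from typing import List, Optional, Tuple

# Constructed stand-in for what Wireshark "Follow TCP Stream" shows:
# "S" is server -> client, "C" is client -> server.
SAMPLE_STREAM: List[Tuple[str, bytes]] = [
    ("S", b"220 FreeFloat Ftp Server (Version 1.00).\r\n"),
    ("C", b"USER COMMAND\r\nPASS COMMAND"),
    ("S", b"500 'USER COMMAND' command not understood\r\n"),
    ("C", b"USER " + b"A" * 64 + b"\r\n"),
    ("S", b"331 User name okay, need password.\r\n"),
    ("C", b"USER " + b"A" * 512 + b"\r\n"),
    # nothing more from the server after this point
]


def find_crashing_request(stream: List[Tuple[str, bytes]]) -> Optional[bytes]:
    """Return the first client payload sent after the server's last reply.

    Error replies are still replies, so only silence that persists to the end
    of the capture marks a crash candidate. None means every request got an
    answer (or the server spoke last), i.e. no crash is visible in the stream.
    """
    last_server = -1
    for i, (direction, _) in enumerate(stream):
        if direction == "S":
            last_server = i
    for direction, payload in stream[last_server + 1:]:
        if direction == "C":
            return payload
    return None


def replay(host: str, port: int, payload: bytes, timeout: float = 3.0) -> Optional[bytes]:
    """Re-send one captured payload to the lab server; None means no reply.

    The greeting is read first so a dead listener is not confused with a
    crash caused by the payload. A None result is a lead to confirm under a
    debugger, not proof of a vulnerability on its own.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)  # 220 greeting
        sock.sendall(payload)
        try:
            data = sock.recv(1024)
        except OSError:  # timeout or connection reset: server went silent
            return None
    return data or None
```

Running `replay("127.0.0.1", 21, find_crashing_request(SAMPLE_STREAM))` against a lab instance returns the server's reply, or None when the suspected request really does take it down.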