Last active
December 17, 2015 19:39
-
-
Save DanielOaks/5661919 to your computer and use it in GitHub Desktop.
ircfuzz for Plexus3, mostly for fun
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /************************************************************************ | |
| * IRC - Internet Relay Chat, | |
| * Copyright (C) 2001 Hybrid Development Team | |
| * | |
| * This program is free software; you can redistribute it and/or modify | |
| * it under the terms of the GNU General Public License as published by | |
| * the Free Software Foundation; either version 1, or (at your option) | |
| * any later version. | |
| * | |
| * This program is distributed in the hope that it will be useful, | |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| * GNU General Public License for more details. | |
| * | |
| * You should have received a copy of the GNU General Public License | |
| * along with this program; if not, write to the Free Software | |
| * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | |
| * | |
| * $Id: m_fuzz.c,v 1.10 2004/03/30 00:53:55 leeh Exp $ | |
| */ | |
| /* modified and ported version of ircfuzz v 0.3 by Ilja van Sprundel. */ | |
| /* List of ircd includes from ../include/ */ | |
| #include "stdinc.h" | |
| #include "tools.h" | |
| #include "handlers.h" | |
| #include "client.h" | |
| #include "common.h" /* FALSE bleah */ | |
| #include "dbuf.h" | |
| #include "hash.h" | |
| #include "hostmask.h" | |
| #include "ircd.h" | |
| #include "irc_string.h" | |
| #include "sprintf_irc.h" | |
| #include "numeric.h" | |
| #include "fdlist.h" | |
| #include "s_bsd.h" | |
| #include "s_conf.h" | |
| #include "s_log.h" | |
| #include "s_serv.h" | |
| #include "send.h" | |
| #include "msg.h" | |
| #include "parse.h" | |
| #include "modules.h" | |
| /* ircfuzz stuff */ | |
| static char arr[] = | |
| "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%%^*()_-+={}[]\\|<>,.:;'\""; | |
| char *strings[] = | |
| { "JOIN", "PRIVMSG", "KICK", "NOTICE", "NICK", "MODE", "TOPIC", "INVITE", "USER", "PASS", "OPER", | |
| "NAMES", "LIST", "STATS", "PART", "WHO", "WHOIS", "WHOWAS", "PING", "PONG", "SQUERY", NULL }; | |
| // 25 | |
| #define SUBMSG_LENGTH 25 | |
| #define SUBMSG_LENGTH_WITH_NULL (SUBMSG_LENGTH + 1) | |
| char *submsg[] = | |
| { "DCC SEND", "DCC CHAT", "DCC XMIT", "DCC OFFER", "XDCC LIST", "XDCC SEND", "FINGER", "VERSION", | |
| "USERINFO", "CLIENTINFO", "TIME", "FINGER", "PING", "CDCC SEND", "CDCC LIST", "CDCC XMIT", | |
| "XDCC XMIT", "DCC LIST", "XDCC OFFER", "XDCC CHAT", "CDCC OFFER", "CDCC OFFER", "DCC", "XDCC", "CDCC", NULL }; | |
| int | |
| getseed(void) | |
| { | |
| int fd = open("/dev/urandom", O_RDONLY); | |
| int random_int; | |
| if (fd < 0) { | |
| perror("open"); | |
| exit(0); | |
| } | |
| read(fd, &random_int, sizeof (random_int)); | |
| close(fd); | |
| return random_int; | |
| } | |
| char * | |
| gen_submsg(void) | |
| { | |
| if (rand() % SUBMSG_LENGTH_WITH_NULL) { | |
| return submsg[rand() % SUBMSG_LENGTH]; | |
| } else { | |
| return ""; | |
| } | |
| } | |
| char * | |
| gen_command(void) | |
| { | |
| static char t[1200]; | |
| int len; | |
| if (rand() % 23) { | |
| return strings[rand () % 22]; | |
| /* raw 100000...1 */ | |
| } else { | |
| len = (rand() % 1000) + 2; | |
| t[0] = '1'; | |
| memset(t + 1, '0', len - 2); | |
| t[len - 1] = '1'; | |
| t[len] = '\0'; | |
| return t; | |
| } | |
| } | |
| void | |
| fuzz(struct Client *target_p) | |
| { | |
| char command_buffer[100000]; | |
| int raw = rand() % 1000; | |
| int random_length = 0; | |
| int i = 0; | |
| int a = 0; | |
| int al = 0; | |
| if (!(rand () % 10)) { | |
| raw = -raw; | |
| } | |
| switch (rand () % 5) { | |
| case 0: // long string | |
| random_length = (rand () % 12000) + 10; | |
| for (i = 0; i < random_length; i++) { | |
| do { | |
| command_buffer[i] = rand () % 256; | |
| } while (command_buffer[i] == '\n' || command_buffer[i] == '\r' || command_buffer[i] == '\0'); | |
| } | |
| break; | |
| case 1: // fmtbug | |
| strcpy (command_buffer, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"); | |
| break; | |
| case 2: // lots of arguments | |
| a = (rand () % 230) + 20; | |
| al = (rand () % 750) / a; | |
| command_buffer[0] = '\0'; | |
| for (i = 0; i < a; i++) { | |
| char t[100]; | |
| int j = 0; | |
| for (j = 0; j < al; j++) { | |
| t[j] = arr[rand () % sizeof (arr)]; | |
| } | |
| t[j] = '\0'; | |
| strcat (command_buffer, t); | |
| strcat (command_buffer, " "); | |
| } | |
| break; | |
| case 3: // long alpha str | |
| random_length = (rand () % 12000) + 10; | |
| for (i = 0; i < random_length; i++) { | |
| command_buffer[i] = arr[rand () % sizeof (arr)]; | |
| } | |
| command_buffer[i] = '\0'; | |
| break; | |
| case 4: // random stuff, random length | |
| random_length = (rand () % 2500); | |
| sprintf (command_buffer, ":%s %d ", me.name, raw); | |
| al = strlen (command_buffer); | |
| for (i = 0; i < random_length; i++) { | |
| command_buffer[i + al] = rand () % 256; | |
| } | |
| command_buffer[i + al] = '\r'; | |
| command_buffer[i + al + 1] = '\n'; | |
| write (target_p->localClient->fd.fd, command_buffer, i + al + 2); | |
| return; | |
| // case 5: // long str with 0bytes | |
| } | |
| if (rand () % 5) | |
| // netprintf (fd, ":%s %03d %s :%s%s", gen_hostname (), raw, Nnick, command_buffer, | |
| // (rand () % 100) ? "\r\n" : ""); | |
| sendto_one(target_p, ":%s %03d %s :%s%s", me.name, raw, target_p->name, | |
| command_buffer, (rand () % 100) ? "\r\n" : ""); | |
| else if (rand () % 3) | |
| // netprintf (fd, ":%s %s %s :%s%s", gen_hostname (), gen_command (), Nnick, | |
| // command_buffer, (rand () % 100) ? "\r\n" : ""); | |
| sendto_one(target_p, ":%s %s %s :%s%s", me.name, gen_command(), target_p->name, | |
| command_buffer, (rand () % 100) ? "\r\n" : ""); | |
| else | |
| // netprintf (fd, ":%s %s %s :\x01%s %s%s%s", gen_hostname (), "PRIVMSG", | |
| // Nnick, gen_submsg (), command_buffer, (rand () % 20) ? "\x01" : "", | |
| // (rand () % 100) ? "\r\n" : ""); | |
| sendto_one(target_p, ":%s %s %s :\x01%s %s%s%s", me.name, "PRIVMSG", target_p->name, | |
| gen_submsg(), command_buffer, (rand () % 20) ? "\x01" : "", | |
| (rand () % 100) ? "\r\n" : ""); | |
| return; | |
| } | |
| /* Hybrid stuff */ | |
| static int m_fuzz(struct Client *client_p, struct Client *source_p, int parc, char *parv[]); | |
| struct Message fuzz_msgtab = { | |
| "FUZZ", 0, 0, 0, 0, MFLG_SLOW, 0, | |
| {m_unregistered, m_not_oper, m_fuzz, m_ignore, m_fuzz, m_ignore} | |
| }; | |
| #ifndef STATIC_MODULES | |
| void | |
| _modinit(void) | |
| { | |
| mod_add_cmd(&fuzz_msgtab); | |
| } | |
| void | |
| _moddeinit(void) | |
| { | |
| mod_del_cmd(&fuzz_msgtab); | |
| } | |
| const char *_version = "$Revision: 1 $"; | |
| #endif | |
| static int | |
| m_fuzz(struct Client *client_p, struct Client *source_p, int parc, char *parv[]) | |
| { | |
| struct Client *target_p; | |
| /* Verify that they should be executing this command in the first place. */ | |
| if(!IsServer(source_p) && !IsOper(source_p) && !IsAdmin(source_p)) { | |
| // This should be a local connection. | |
| sendto_one(source_p, ":%s NOTICE %s :You do not have the appropriate access, go way.", me.name, source_p->name); | |
| sendto_wallops_flags(UMODE_WALLOP, &me, "Attempt to fuzz [%s] by %s!%s@%s", | |
| parv[1], source_p->name, source_p->username, source_p->host); | |
| return 0; | |
| } | |
| /* If they are allowed to use this command, and haven't specified any parameters, tell them how to use it. */ | |
| int fuzzed_responses = 10; | |
| if (parc < 3) { | |
| sendto_one(source_p, ":%s NOTICE %s :USAGE: fuzz <nick> [number of fuzzed responses]", me.name, source_p->name); | |
| sendto_one(source_p, ":%s NOTICE %s : Defaults to 10 fuzzed responses", me.name, source_p->name); | |
| } else { | |
| fuzzed_responses = abs(atoi(parv[2])); | |
| } | |
| if(parc < 2) { | |
| return 0; | |
| } | |
| /* Does this command belong on another server? If so, send it on its way. */ | |
| if((hunt_server(client_p, source_p, ":%s fuzz %s %s", 1, parc, parv)) != HUNTED_ISME) { | |
| return 0; | |
| } | |
| /* They're authed and its for us. Find the client */ | |
| if((target_p = find_client(parv[1])) == NULL) { | |
| /* However, if it doesn't exist, tell them so. */ | |
| //sendto_one(source_p, form_str(ERR_NOSUCHNICK), me.name, source_p->name, parv[1]); | |
| sendto_one(client_p, form_str(ERR_NOSUCHNICK), me.name, client_p->name, parv[1]); | |
| return 0; | |
| } | |
| /* | |
| * Are they trying to fuzz a server, admin, or operator? if so, do nothing. | |
| */ | |
| if(IsServer(target_p) || IsAdmin(target_p) || IsOper(target_p)) { | |
| sendto_one(client_p, ":%s NOTICE %s :Your attempt to fuzz [%s] was rejected.", me.name, source_p->name, target_p->name); | |
| sendto_wallops_flags(UMODE_WALLOP, &me, | |
| "Rejected attempt to fuzz [%s] by %s!%s@%s", | |
| target_p->name, source_p->name, source_p->username, source_p->host); | |
| return 0; | |
| } | |
| /* FIZZBUZZ, FUZZ! */ | |
| sendto_one(client_p, ":%s NOTICE %s :Fuzzing %s with %d fuzzed responses.", me.name, client_p->name, target_p->name, fuzzed_responses); | |
| sendto_one(target_p, ":%s NOTICE %s :You're being fuzzed, %d responses.", me.name, target_p->name, fuzzed_responses); | |
| int i = 0; | |
| do { | |
| fuzz(target_p); | |
| i++; | |
| } while (i < fuzzed_responses); | |
| /* finish */ | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment