Patching a closed source network application to read from file - c

So let me explain, I want to fuzz a closed source application named Y that implements a custom protocol let's name the protocol X. Y is written in C.
Is there a way to patch the send/read family functions to read from file instead of the socket?
Could this potentially work for the AFL/AFL++ fuzzer?
Keep in mind the application is developed for UNIX-like ecosystems.

Yes, you can do that easily by making bridges between named pipes (fifos) and TCP connections through netcat.
Create two files (named pipes):
mkfifo /tmp/program_input /tmp/program_output
Now, make a bridge between these files and the application.
In case the application is a TCP/IP Client, your bridge will be a TCP/IP Server:
tail -f /tmp/program_input | nc -kl 127.0.0.1 50000 | tee /tmp/program_output > /dev/null
Then you'll have to configure the application's peer IP address as the IP of the host where your bridge runs. Port also must match and is arbitrary. ("50000" in the example above.)
In case you can't change the IP address/TCP port the application uses, you'll have to map these on your router to the IP/port of your bridge application (see "port forwarding").
If the application is a TCP/IP Server, create a TCP/IP client as a bridge:
tail -f /tmp/program_input | nc <application_ip_address> <application_port> | tee /tmp/program_output > /dev/null
If you want to write something to the networking application you're analyzing, write to /tmp/program_input. Read /tmp/program_output to see its output.
I'm not too familiar with AFL/AFL++, but you can certainly communicate with the application directly or also make socket/file bridges for the fuzzer as well.

Related

How can i connect to memcached via C sys/socket.h?

How can i connect to Memcached via C sys/socket.h and set some text string to key "key"? I can't figure out how can I run .c program which will connect to cashing system via socket. I can connect to it through console by writing smth like this
memcached -l 127.0.0.1 -p 12345 -m 64 -vv
and then
set key 1 0 4
test
but i have to do it using socket in C
It looks like you're missing some knowledge regarding C sockets in general.
As an overview, a socket is a two way communication channel that connects a client with a server, each having their own end of the socket.
What memcached is doing is using the socket mechanism to transfer data between memcached and whoever it is looking for the data.
memcached is using TCP sockets and clear text messages so it is easy to work with.
What you'll have to do:
open a socket and connect it to the memcached server at 127.0.0.1 port 12345 (taken from your example)
Write 'set key 1 0 4\n' to the memcached socket
Read the string from the socket (this is memcached result)
The following read: http://www.thegeekstuff.com/2011/12/c-socket-programming/ provides code snippets and great explanation on sockets and how to use them, and the client code contains 90% of the work you need to do
Feel free to ask if you need further clarifications

Simple socket forwarding in linux

The scenario is pretty simple:
Using TCP/IP I have a client which connects to me (server) I want to forward the data the socket sends me to another socket which I opened and the data I received from that socket backwards.Just like a proxy.
Right now I have 1 thread one who listens from incoming connection and spawns another 2 when a connection from the client is established. I must use a mechanism for communicating in the threads.
Is there anything simpler which I can use to act as a TCP/IP proxy ? Does Linux have socket forwarding or some kind of mechanism ?
You can use iptables to do port forwarding. It's not a c solution, but it is a 2-line that has good performance and which will have minimal debugging.
From the second link:
iptables -A PREROUTING -t nat -i eth1 -p tcp \
--dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW \
--dport 80 -i eth1 -j ACCEPT
The first line forward from port 80 to port 80 on 192.168.1.50 and the second accepts the connection, keeping iptables from dropping it.
You can add additional constraints with other iptables flags such as -s 10.0.3.0/24 would catch all the addresses with a source of 10.0.3.0 to 10.0.3.255
One user level solution is using socat. For example, to accept connections on port 8080 and forward them to 192.168.1.50:9090 you can use:
socat TCP-LISTEN:8080,fork TCP:192.168.1.50:9090
The fork option makes socat permit multiple connections.
You don't need threads. Take a look at select(), epoll() or kqueue() in order to manage multiple sockets without any thread (if you're on Windows, it's the completion port).
This is an example of a select-based server, it will be a good start.
For simple socket forwarding, let the kernel do it. Use iptables, or one of the frontends to configure it.
If you need complicated data sniffing/mangling/forwarding for real-world use, write an iptables module.
If you need to tee (duplicate/split) the data stream, or inspect or modify the data, then read on.
Linux 2.6.17 and later, with glibc 2.5 and later, do provide a couple of nice functions: splice() and tee(). You can use these to avoid having the payload copied to and from userspace, telling the kernel to transfer a specific amount of bytes from one descriptor to another. (tee() does not consume the data, allowing you to send one or more copies of the data to other descriptors.)
You could use your two threads per connection (one per direction), and have each thread read inspect/mangle/tee the data stream as necessary. When you know you have N incoming bytes to forward to one outgoing socket, use splice(). If you have more than one outgoing socket, use nonblocking outgoing sockets, tee() small chunks at a time (but use splice() for the last outgoing socket for each chunk).
Your threads can read some/all of the incoming data to decide what to do with it, but remember that you need to write() or send() the part you already read that needs to be sent, before using splice() or tee(); they don't magically pick up already consumed data.

How to find out data being buffered between two clients connected using unix domain socket on Linux

I have a producer and a client connecting using Unix Domain Sockets. The netstat -nap command shows amount of data getting buffered between two processes for TCP/IP socket but not for Unix domain socket
How to find out send buffer and receiver buffer sizes for Unix Domain Socket from outside of the code?
netstat does not have POSIX compliance. That means you may not get identical information running netstat on different OSes. tcp/ip buffer settings are normally a default system setting.
You have to login on both boxes to run netstat to get tcp internals information, for the sockets. I'm sure you know that already, but I"m trying to be clear. tcp system information is in wildly different locations from Linux to another OS, say Solaris.
What is the output of uname -a on the UNIX box?

Address already in use while executing C socket programme

Hii All,
While running a socket programme (server side ) am getting message like
Address already in use
Am trying to connect to port 80 since port 80 is reserved for https application So before running server side programme i am closing all application that uses https application ,is it enough...
or am doing it wrong??
Am trying to make a communication between browser and termial...
You must run your application as super user(root) on Linux or administrator privileges on Windows in order to bind to port 80. This is the case for all service ports, which is < 1024. Either that or there still is another program binded to that port.
Try using netstat to find out what programs might be listening on port 80.
Example:
on Linux:
netstat -punta
on Windows:
netstat -ban
Both must be run with super user/admin privileges in order to see the program names that bind to specific ports.
If you just closed another process listening on 80 port, this port will be blocked for a certain timespan depending on your OS. This behavior is here to prevent an attacker to crash a service on your machine and immediately restart a malicious service on the same port.
This behavior can be disabled by using SO_REUSEADDR (by using setsockopt).
If your main problem is to communicate from a custom server to your broswer, you can use any port in your server for providing HTTP (8080 is common for that), just specify the port in the url http://server:port/ (ie. http://localhost:8080/)

How to send data over internet through console

I have to develop an application wherein I would receive data from parallel port and send it over to internet. This application is to be developed for embedded device running linux. Please suggest me how I can do that.
Regards
Sounds like a job for netcat. You can just open the device file and bind it straight to a TCP port: cat /dev/whatever | nc -l 2345 reads from a device and writes the results to a socket in case a client connects to port 2345.
If you need security, consider using a SSH tunnel.
Best solution - socat.
It can read from file and send to any socket (tcp, udp, unix, ipv4, ipv6), redirect program output, stdout. Reverse operations also posible.
Local example: read file "test", and send it content to localhost:9999
socat OPEN:test TCP:localhost:9999
If you want monitor file content and make it read only
socat OPEN:test,rdonly,ignoreeof TCP:localhost:9999
in socat you not need bash, in cat|nc some form of shell required.
I recommend sockets using C.
I would suggest either SSH or Telnet.
I would suggest using one of Perl, Python, or Ruby to do it if it has some processing to do.
Otherwise, if it is to use any console command, you can use curl or wget.
If you want to do it in C, perhaps because your embedded Linux doesn't have any of the shell tools and languages that other people have suggested, you need to look at the socket interface. The sequence of events is more or less:
create a socket using socket()
connect to a server using connect()
send your data using send(), or write() and deal with anything that comes back the other way using recv() or read().
close the socket using close().

Resources