crasha

crasha is a development of a demo program listed in the book "Hackproofing your Network" (Syngress ISBN 1-928994-15-6). The program demonstrated a neat way to automatically test network services for vulnerability to buffer overflows etc. It takes a sample transaction, divides it into fields, and sends various lengths of data in each field trying to overflow something.

The program in the book was a demonstration, with hard-coded test strings and parameters. I've turned all these into command-line options, fixed a few bugs, and given it a (basic) interface.

If you have suggestions let me know at support@snakegully.nu.

Results

How does it work? I've found these things so far:

Downloading

I haven't had much time to fiddle with this lately, but thought I'd better put something up. Hopefully in the new year I'll get some time to myself.

Download from Sourceforge.

Building

This uses GNU autoconf. So just do the standard:

./configure
make
make install

To try the curses support, run:

./configure --with-curses

This will give a better (I think anyway) display.

To rebuild the RPM from the source RPM, try:

rpm --rebuild crasha-1.0alpha6.src.rpm

Usage

Command-line options
Option        Meaning                                                       Default
-b            Forces the program to break between lines and wait for a      Off
              response from the server. This also has the side effect
              that single line feeds in the input are changed into
              carriage return/line feed pairs. This is what they should
              be for most text-based internet protocols.
-d data       Set the data to use from the command line                     None
-f file       Set the file to read the query data from                      None
-h option     Help screens. The option character(s) select the help         -
              screen(s) to display. Possibilities are:
                c  Display Contact information
                e  Display Usage Examples
                u  Display Usage Help (command line options etc)
-l logname    Log results to the file in human-readable format              None
-L logname    Log results to the file in machine-parsable (.csv) format     None
-m minlen     Sets the minimum buffer length to try                         0
-M maxlen     Sets the maximum buffer length to try                         60000
-p port       The target TCP port                                           80
-s step       Sets the amount the buffer size is increased at each step     100
-t target     The target system IP or hostname                              localhost
-V            Show the software version                                     -
-w option     Set the wait between attempts. The option can be:             drain
                "drain"   Wait for the responses from the server to finish
                          before trying again. If the URL grabs a file, the
                          whole file will be retrieved before continuing.
                          This is the slowest option.
                "no"      No waiting. This is the fastest, but the most
                          likely to crash the server (or this program!)
                A number  The program waits the specified number of seconds
                          between attempts.

Either the -f or the -d option must be specified.

To properly test a server, you need to exercise as many of its functions as possible. The best way to generate a script for this purpose is to use netcat or telnet to connect to a server, manually enter the commands to log in and try whatever actions you want to test, and log out. The output from all this should be saved to a script file. Then you need to edit the file and remove all the server responses, leaving just your input. This file can now be used as a script for crasha. For example, you could do this to develop a script to test an SMTP server:

[nu@davo crasha]$ script testit^M
Script started, file is fred
[nu@davo crasha]$ nc davo 25^M
220 davo.snakegully.au ESMTP Sendmail 8.9.3/8.9.3; Tue, 21 Nov 2000 02:12:07 +1100^M
HELO scum.com^M
250 davo.snakegully.au Hello davo.snakegully.au [192.168.5.66], pleased to meet you^M
vrfy root^M
250 <root@davo.snakegully.au>^M
expn root^M
250 <darryll@dave.snakegully.au>^M
MAIL FROM: thequeen@buckingham.com^M
250 thequeen@buckingham.com... Sender ok^M
RCPT TO: hrh@thepalace.com^M
250 hrh@thepalace.com... Recipient ok^M
DATA^M
354 Enter mail, end with "." on a line by itself^M
From: me^M
To: you^M
Subject: howdy there^M
^M
How are you today?^M
^M
.^M
250 CAA26166 Message accepted for delivery^M
QUIT^M
221 davo.snakegully.au closing connection^M
Connection closed by foreign host.^M^M
[nu@davo crasha]$ exit^M

From this, you delete all the rubbish and server output, leaving just what you typed to the server. (For SMTP, most responses begin with a numeric return code, so it's pretty easy to pick out what to remove). NOTE: Leave the ^M characters in! The server likes those. These are a single Control-M character, not the separate '^' and 'M' characters:

HELO scum.com^M
vrfy root^M
expn root^M
MAIL FROM: thequeen@buckingham.com^M
RCPT TO: hrh@thepalace.com^M
DATA^M
From: me^M
To: you^M
Subject: howdy there^M
^M
How are you today?^M
^M
.^M
QUIT^M

Now you can run the test using the "-f testit" option to load the text from this file. Remember that the testing can take a while for long files, so don't make it needlessly long.
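The response-stripping step above, written up as a small POSIX shell filter. This is an added example, not crasha's own code; it assumes the session was captured with script(1) and nc as shown, and that server lines are SMTP replies (a three-digit code followed by a space or '-'):

```sh
#!/bin/sh
# Added example, not part of crasha: the "delete the server output" step from
# the Usage section as a filter. Assumes the capture came from script(1) and nc
# as shown above and that server lines are SMTP replies (three digits followed
# by a space or '-'). Drops the script(1) banners, shell prompt lines, the
# replies and the "Connection closed" notice; every other byte, including the
# ^M (\r) at the end of each line, passes through untouched.
# Caveat: a message body line that itself begins with three digits would be
# dropped too, so check the result by eye before feeding it to -f.
strip_responses() {
    grep -v -E '^(Script (started|done)|\[[^]]*\]\$ |[0-9]{3}[ -]|Connection closed by)' "$1"
}

# Writes a constructed capture (not the one on this page) to the file named
# by $1, mirroring the SMTP session above; printf supplies the \r\n endings.
make_sample() {
    printf '%s\r\n' \
        'Script started, file is testit' \
        '[nu@davo crasha]$ nc davo 25' \
        '220 davo ESMTP ready' \
        'HELO scum.com' \
        '250 davo Hello, pleased to meet you' \
        'DATA' \
        '354 Enter mail, end with "." on a line by itself' \
        'Subject: howdy there' \
        '' \
        '.' \
        '250 Message accepted for delivery' \
        'QUIT' \
        '221 davo closing connection' \
        'Connection closed by foreign host.' > "$1"
}

# Usage: sh strip.sh capture > testit   (then: crasha -f testit ...)
if [ "$#" -eq 1 ]; then
    strip_responses "$1"
fi
```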

Known Problems

None really, except that the display and logging still need work.

TODO

These are things in the works: