If you want to show your respect for my free tools and free support, please consider a small donation :
Download :
File temporarily unavailable, contact peter.ve [at] corelan.be to report this broken link
Update (July 2010) : the ftp fuzzer has been merged into the Metasploit tree. You do no longer need to download the script here. If you are using the latest version of Metasploit (svn update), then you can find the fuzzer in the modules/auxiliary/fuzzers/ftp folder (file is called ftp_pre_post.rb.
Usage :
Navigate to the metasploit folder, go into ‘modules’ and then into ‘auxiliary’
Create a subfolder called ‘fuzzer’ and place the fuzz_ftp.rb file in that folder
Open Metasploit console and select the module
_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|
=[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 429 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
=[ 199 aux
msf > use auxiliary/fuzzer/fuzz_ftp
msf auxiliary(fuzz_ftp) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
DELAY 0.5 no Delay between connections
ENDSIZE 20000 no Fuzzing string endsize
PASS anonymous@test.com no Password
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
STARTATSTAGE 1 no Start at this test stage
STARTSIZE 10 no Fuzzing string startsize
STEPSIZE 10 no Increase string size each iteration with this number of chars
THREADS 1 yes The number of concurrent threads
USER anonymous no Username
msf auxiliary(fuzz_ftp) >
Important options are :
RHOSTS = the ip address of the FTP server
USER and PASS = set to a valid/working Username & Password combination
The fuzzer has 5 stages :
- Issue no command, only send evil data
- Fuzz the USER command
- Fuzz the PASS command (after a valid USER command/login was executed)
- Fuzz all FTP commands (after a valid login was performed), one command, one fuzz string per session
- Fuzz all FTP commands (after a valid login was performed), one command with all fuzz combinations for that command per session
You can edit the fuzz data and FTP commands yourself (if you want to) by editing the fuzz_ftp.rb file
Start fuzzing ? Just issue the ‘run’ command. When the fuzzer cannot connect anymore, the fuzzing process will be halted, and the last sent string will be displayed.
- Lincoln on CORELAN-10-060 – 123 Flash Chat ver 7.8 August 16, 2010
- Sud0 on CORELAN-10-059 – Sopcast Unicode BOF Remote Exploit August 10, 2010
- MaRkO T. on CORELAN-10-058 – ActiTime2 0MA CSRF July 11, 2010
- MaRkO T. on CORELAN-10-057 – Oracle BPM Process Administrator 5.7-6.0-10.3 MPs XSS July 11, 2010
- chap0 on CORELAN-10-056 - Hero DVD Remote Buffer Overflow Exploit July 7, 2010
- MaRkO T. on CORELAN-10-055 – MemDb (Multiple Remote Dos) June 28, 2010
- chap0 on CORELAN-10-054 - GSM sms Utility SEH Buffer Overflow June 28, 2010
- TecR0c on CORELAN-10-053 – FieldNotes 32 v5.00 SEH exploit June 25, 2010
- sinn3r on CORELAN-10-052 – NO-IP Domain Update Client (DUC) "Request" Insecure Encoding Algorithm June 24, 2010
- chap0 on CORELAN-10-051 - Vocoo CP3 Studio PC Version 2.0 Dos June 12, 2010