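#!/usr/bin/perl
# TagFuzzer
#
# Information: This fuzzer edits tag information from a supplied file.
# Supported   : MP3, M4A, M4P, MP4, M4B, 3GP, OGG, FLAC
# Developed   : 03/11/2008
# Released    : 24/11/2008
#
# Written by r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
# If you find something using this fuzzer, greet my TagFuzz!
#
# Note: You need to supply a sample file of the format you want to fuzz!
#
# Requires the following modules installed:
#   - File::Spec
#   - Options::Config
#   - Getopt::Std
#   - Music::Tag
#   - Music::Tag::Auto
#   - Music::Tag::MP3
#
# How it works: for every tag property in @properties and every value in the
# four pattern lists below, the value is written into the sample file's tag,
# the target is launched on the rewritten file, allowed RUN_TIMEOUT seconds,
# and then terminated.  A target that dies from a signal before the timeout
# is reported on the spot.

use strict;
use warnings;

use Getopt::Std;
use POSIX qw(WNOHANG);
use Music::Tag;

# Seconds the target is allowed to run on each mutated file.
use constant RUN_TIMEOUT => 3;

# Flush progress markers immediately; a long run otherwise shows nothing
# until the output buffer fills.
$| = 1;

# Test patterns
my @overflow = (
    'A' x 20,    'A' x 80,    'A' x 140,    'A' x 260,  'A' x 360,
    'A' x 480,   'A' x 680,   'A' x 780,    'A' x 940,  'A' x 1300,
    'A' x 2600,  'A' x 3500,  'A' x 4500,   'A' x 5500, 'A' x 8200,
    'A' x 11000, 'A' x 50000, 'A' x 110000,
    'A/' x 8000,
    # "\x99", not "\0x99": the latter is a NUL byte followed by the literal
    # text "x99", which is not the high-bit byte this pattern is after.
    "\x99" x 1200,
);

my @fmtstring = (
    "%n%n%n%n%n", "%p%p%p%p%p", "%s%s%s%s%s", "%d%d%d%d%d", "%x%x%x%x%x",
    "%s%p%x%d",
    "%.1024d", "%.1025d", "%.2048d", "%.2049d", "%.4096d", "%.4097d",
    "%99999999999s", "%08x",
    "%%20n", "%%20p", "%%20s", "%%20d", "%%20x",
    "%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%",
    # Same escape fix as in @overflow: one byte each, not NUL + "xCD".
    "\xCD" x 50, "\xCB" x 50,
);

my @numbers = (
    "0", "-0", "1", "-1",
    "32767", "-32768",
    "2147483647", "-2147483647", "2147483648", "-2147483648",
    "4294967294", "4294967295", "4294967296",
    "357913942", "-357913942", "536870912", "-536870912",
    "1.79769313486231E+308", "3.39519326559384E-313",
    "99999999999", "-99999999999",
    "0x100", "0x1000", "0x3fffffff", "0x7ffffffe", "0x7fffffff", "0x80000000",
    "0xffff", "0xfffffffe", "0xfffffff", "0xffffffff",
    "0x10000", "0x100000", "0x99999999",
    "65535", "65536", "65537",
    "16777215", "16777216", "16777217",
    "-268435455",
);

my @miscbugs = (
    "<<<<<>>>>>",
    "test|touch /tmp/ZfZ-PWNED|test",
    "test`touch /tmp/ZfZ-PWNED`test",
    "test'touch /tmp/ZfZ-PWNED'test",
    "test;touch /tmp/ZfZ-PWNED;test",
    "test&&touch /tmp/ZfZ-PWNED&&test",
    "test|C:/WINDOWS/system32/calc.exe|test",
    "test`C:/WINDOWS/system32/calc.exe`test",
    "test'C:/WINDOWS/system32/calc.exe'test",
    "test;C:/WINDOWS/system32/calc.exe;test",
    "/bin/sh",
    "C:/WINDOWS/system32/calc.exe",
    "¶§¼½¿",
    "%0xa", "%u000",
    "/" x 200, "\\" x 200,
);

# Class properties (each is a Music::Tag accessor name, invoked as a method)
my @properties = (
    "album", "album_type", "albumartist", "albumartist_sortname", "artist",
    "artist_type", "asin", "bitrate", "booklet", "comment", "compilation",
    "composer", "copyright", "country", "disc", "disctitle", "discnum",
    "duration", "ean", "encoder", "filename", "filedir", "frequency", "genre",
    "jan", "label", "lyrics", "rating", "recorddate", "recordepoch",
    "recordtime", "releasedate", "secs", "sortname", "tempo", "title",
    "totaldiscs", "totaltracks", "track", "tracknum", "upc", "url", "year",
);

# The four pattern lists in the order they are applied, paired with the
# one-letter progress marker printed once the list has been exhausted.
my @stages = (
    [ 'o', \@overflow  ],
    [ 'f', \@fmtstring ],
    [ 'n', \@numbers   ],
    [ 'm', \@miscbugs  ],
);

my %opts;
getopts('t:f:', \%opts) or usage();
my $target = $opts{'t'};
my $file   = $opts{'f'};
usage() if !defined($target) || !defined($file);

print "[!] Fuzzing process beginning [Target: $target, File: $file]\n";

# One stage per tag property; every pattern list is run against it in turn.
my $stage = 0;
for my $prop (@properties) {
    print "[+] Stage $stage [$prop]: ";
    for my $entry (@stages) {
        my ($marker, $values) = @{$entry};
        fuzz_value($target, $file, $prop, $_) for @{$values};
        print $marker;
    }
    print "\n";
    $stage++;
}

print "[!] Process complete. Anything?\n";
exit(0);

# Print the banner with the command-line syntax and exit.
sub usage {
    print <<"END_USAGE";
#################################################################
# TagFuzzer                                                     #
#                                                               #
# Information: This fuzzer edits tag information from a         #
#              supplied file.                                   #
# Supported  : MP3, M4A, M4P, MP4, M4B, 3GP, OGG, FLAC          #
#                                                               #
# Usage      : $0 -t <target> -f <file>
# Released   : 24/11/2008                                       #
# Written By : r0ut3r (writ3r [at] gmail.com / bmgsec.com.au)   #
#################################################################
END_USAGE
    exit(0);
}

# Write $value into the $prop tag of $file and run the target on the result.
# A tag-library failure for one (property, value) pair is reported and
# skipped so the rest of the run is not lost.
sub fuzz_value {
    my ($target, $file, $prop, $value) = @_;

    my $ok = eval {
        my $info = Music::Tag->new($file, { quiet => 1 }, 'Auto');
        $info->get_tag();
        $info->$prop($value);
        $info->set_tag();
        $info->close();
        1;
    };
    if (!$ok) {
        my $err = $@ || 'unknown error';
        chomp $err;
        print "\n[-] Could not set $prop: $err\n";
        return;
    }

    run_target($target, $file);
    return;
}

# Run $target on $file in a child process, give it RUN_TIMEOUT seconds, and
# make sure the child is gone before returning.  A target that is killed by
# a signal before the timeout (a crash) is reported.  $target may carry its
# own arguments separated by whitespace; it is split here rather than handed
# to a shell.
sub run_target {
    my ($target, $file) = @_;

    my @cmd = split ' ', $target;

    my $pid = fork();
    defined $pid or die "Unable to fork: $!\n";

    if ($pid == 0) {
        # Child.  Discard the target's output, then replace this process with
        # the target.  List-form exec never goes through a shell, so the
        # file name is passed verbatim, and because the child *is* the target
        # the TERM below reaches it rather than an intermediate shell.  If
        # exec fails the child must exit here: falling through would make it
        # carry on with the parent's fuzzing loop and fork again.
        open STDOUT, '>', '/dev/null' or exit 127;
        open STDERR, '>&', \*STDOUT   or exit 127;
        exec(@cmd, $file) or exit 127;
    }

    # Parent: poll for the child so an early crash is noticed and reported
    # instead of sleeping out the whole timeout blind.
    for (1 .. RUN_TIMEOUT) {
        my $reaped = waitpid($pid, WNOHANG);
        if ($reaped == $pid) {
            my $sig = $? & 127;
            print "\n[*] Target died with signal $sig on $file\n" if $sig;
            return;
        }
        sleep 1;
    }

    kill 'TERM', $pid;
    waitpid($pid, 0);    # reap so a long run does not accumulate zombies
    return;
}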