JPEG Fuzzer

Summary

Credit:

The information has been provided by Jeremy Brown.
To keep updated with the tool visit the project’s homepage at: http://www.packetstormsecurity.org/filedesc/jpegfuzr.tar-gz.html


Details

JPEGfuzr is a Perl implementation of JPEG-metadata fuzzing built on the Image::MetaData::JPEG extension. It supports 40 metadata tags and fuzzes each of them in turn with the supplied fuzz data.

Tool source:
#!/usr/bin/perl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# JPEGfuzr – JPEG File Format Fuzzer
#
# You need to have an image to fuzz with — use test.jpeg if you like 😉
# Fuzzing in 40 stages.. not bad at all. JPEG metadata tags are fun =)
#
# ~/docs is included for more information about this nice extension.
# For terminal logging: `man script`
# This fuzzer should, at this point, be decent. Take care of it.

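use strict;
use warnings;

use Getopt::Std;
use POSIX qw(WNOHANG);
use Image::MetaData::JPEG;

# NOTE(review): the published listing was typographically mangled (curly
# quotes, "\n" rendered as "n", "-" rendered as an en dash, indirect-object
# "new" calls).  This is a reconstruction that keeps the same stages, tags,
# payloads and console output, with the process handling fixed (see run_case).

# FUZZ DATA BEGIN HERE
# Long strings for the free-text tags.  The listing shows 'x99' x 12000;
# presumably "\x99" (the backslash was stripped like every "\n" was) --
# confirm against the original tarball.
my @overflows = (
    'A' x 2200, 'A' x 4200, 'A' x 8400, 'A' x 12000, 'A' x 20000,
    'A' x 40000, 'A' x 50000, 'A' x 65340,
    '//AAAA' x 8500, '\AAAA' x 8500, "\x99" x 12000,
);

# printf-style directives.  The last two are 'xCD'/'xCB' in the listing,
# presumably "\xCD"/"\xCB" -- same caveat as above.
my @fmtstring = (
    '%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x',
    '%s%p%x%d', '%.1024d', '%.1025d', '%.2048d', '%.2049d', '%.4096d', '%.4097d',
    '%99999999999s', '%08x', '%%20n', '%%20p', '%%20s', '%%20d', '%%20x',
    '%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%',
    "\xCD" x 50, "\xCB" x 50,
);

# Integer and float boundary values, kept as strings: the tag values are
# written into the file verbatim, so "0x100" is the text, not 256.
my @numbers = (
    '0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647',
    '2147483648', '-2147483648', '4294967294', '4294967295', '4294967296',
    '357913942', '-357913942', '536870912', '-536870912',
    '1.79769313486231E+308', '3.39519326559384E-313', '99999999999', '-99999999999',
    '0x100', '0x1000', '0x3fffffff', '0x7ffffffe', '0x7fffffff', '0x80000000',
    '0xffff', '0xfffffffe', '0xfffffff', '0xffffffff', '0x10000', '0x100000',
    '0x99999999', '65535', '65536', '65537', '16777215', '16777216', '16777217',
    '-268435455',
);

# Shell-metacharacter and odd-escape strings.  The marker file
# /tmp/FU_ZZ_ED existing after a run is how an unsafe shell hand-off of tag
# text in the target would show up; check for it when the run finishes.
my @miscbugs = (
    'test|touch /tmp/FU_ZZ_ED|test', 'test`touch /tmp/FU_ZZ_ED`test',
    'test\'touch /tmp/FU_ZZ_ED\'test', 'test;touch /tmp/FU_ZZ_ED;test',
    'test&&touch /tmp/FU_ZZ_ED&&test', '`/bin/sh`', '%0xa', '%u000',
);
# FUZZ DATA END HERE

# JPEG TAGS BEGIN HERE
# Grouped by how the value is handed to set_Exif_data: a list of 1, 2, 4 or
# 6 copies of the number, a bare number, or free text.
# 11 + 8 + 3 + 2 + 9 + 7 = 40 tags, one stage each.
my @mtrx1tg = (
    'ExposureIndex', 'ExposureMode', 'ExposureProgram', 'FlashpixVersion',
    'FocalPlaneResolutionUnit', 'GainControl', 'Orientation',
    'PhotometricInterpretation', 'PixelXDimension', 'SensingMethod', 'WhiteBalance',
);

my @mtrx2tg = (
    'CompressedBitsPerPixel', 'FlashEnergy', 'FocalPlaneXResolution',
    'FocalPlaneYResolution', 'SubjectLocation', 'XResolution', 'YResolution',
    'YCbCrSubSampling',
);

my @mtrx4tg = ('PrimaryChromaticities', 'TransferFunction', 'WhitePoint');

my @mtrx6tg = ('ReferenceBlackWhite', 'YCbCrCoefficients');

my @numxtag = (
    'ColorSpace', 'ExposureTime', 'FocalPlaneResolutionUnit', 'ISOSpeedRatings',
    'MeteringMode', 'PlanarConfiguration', 'ResolutionUnit', 'SensingMethod',
    'YCbCrPositioning',
);

my @strxtag = (
    'Artist', 'Copyright', 'ImageDescription', 'Make', 'Model', 'Software',
    'SpectralSensitivity',
);
# JPEG TAGS END HERE

# -s seconds to let each target run, -t target program, -z JPEG to mutate.
# getopts wants a hash *reference*; the listing's bare %opts would leave the
# hash empty and always fall into the usage text.
my %opts;
getopts('s:t:z:', \%opts);
my $slp    = $opts{s};
my $target = $opts{t};
my $fzjpg  = $opts{z};

if (!defined $target || !defined $fzjpg || !defined $slp) {
    print "\n JPEGfuzr - JPEG Fuzzer";
    print "\nJeremy Brown [0xjbrown41\@gmail.com/jbrownsec.blogspot.com]\n";
    print "\n Usage: $0 -t <targetapp> -z <jpeg> -s <#sec>";
    print "\nExample: $0 -t /usr/bin/iview -z test.jpeg -s 2\n\n";
    exit 0;
}

# Fail early on bad arguments instead of 40 stages of warnings.
$slp =~ /\A\d+\z/ or die "Error: -s must be a whole number of seconds\n";
-r $fzjpg        or die "Error: cannot read $fzjpg: $!\n";

# Run one fuzz case: put $payload into Exif tag $tag of $fzjpg, start the
# target on the file, give it $slp seconds, then stop and reap it.
# $label is what to print for the payload (the overflow strings are too long
# to echo).  The JPEG is rewritten in place, as in the original tool, so
# keep a pristine copy of the image elsewhere.
sub run_case {
    my ($tag, $payload, $label) = @_;

    my $jpeg = Image::MetaData::JPEG->new($fzjpg);
    defined $jpeg or die "Error: cannot parse $fzjpg\n";    # e.g. a previous stage left it unreadable
    $jpeg->drop_segments('METADATA');
    $jpeg->set_Exif_data({ $tag => $payload }, 'IMAGE_DATA', 'ADD');    # IMAGE_DATA -> IFD0_DATA/SUBIFD_DATA
    $jpeg->save($fzjpg);

    my $pid = fork();    # thanks r0ut3r
    defined $pid or die "Error: fork(): $!\n";
    if (!$pid) {
        # Child: exec the target directly.  With the original
        # fork + system("$target $fzjpg") the PID being TERMed was the forked
        # perl, not the target (which lived on as an orphan), and a child
        # whose system() returned early fell through into the parent's loop.
        # List-form exec also keeps the shell out of it, so a JPEG path with
        # spaces or metacharacters is passed verbatim.  $target is split on
        # whitespace so "-t 'app --flag'" still works.
        exec(split(' ', $target), $fzjpg)
            or die "Error: exec $target: $!\n";
    }
    print "[Target = $target] [JPEG = $fzjpg] [Fuzz = $label] [Tag = $tag] [PID = $pid]\n";
    sleep $slp;
    stop_target($pid);
    return;
}

# TERM the target and reap it; escalate to KILL after ~1s so a target that
# ignores TERM cannot stall the run, and no zombies accumulate.
sub stop_target {
    my ($pid) = @_;
    kill 'TERM', $pid;
    for (1 .. 10) {
        return if waitpid($pid, WNOHANG) == $pid;
        select(undef, undef, undef, 0.1);
    }
    kill 'KILL', $pid;
    waitpid($pid, 0);
    return;
}

print "\n JPEGfuzr - JPEG Fuzzer";
print "\nJeremy Brown [0xjbrown41\@gmail.com/jbrownsec.blogspot.com]\n";

print "\nFuzzing will begin in 15 seconds... GOOD LUCK!\n";

sleep 15;    # get kill script into action (if needed)

# The fuzz plan in the original stage order.  Each entry is a tag list plus
# the payload batches run against every tag in it; a batch is
# (value list, copies -- how many copies of the value the tag takes as a
# list, 0 meaning a bare scalar --, optional print label).
my @plan = (
    [ \@mtrx1tg, [ [ \@numbers, 1 ] ] ],
    [ \@mtrx2tg, [ [ \@numbers, 2 ] ] ],
    [ \@mtrx4tg, [ [ \@numbers, 4 ] ] ],
    [ \@mtrx6tg, [ [ \@numbers, 6 ] ] ],
    [ \@numxtag, [ [ \@numbers, 0 ] ] ],
    [ \@strxtag, [ [ \@overflows, 0, 'overflow' ], [ \@fmtstring, 0 ], [ \@miscbugs, 0 ] ] ],
);

my $stage = 1;
for my $entry (@plan) {
    my ($tags, $batches) = @{$entry};
    for my $tag (@{$tags}) {
        print "\nFUZZING '${target}' with '${fzjpg}' [STAGE->$stage($tag)]\n";
        print "\n";
        for my $batch (@{$batches}) {
            my ($values, $copies, $label) = @{$batch};
            for my $fuzz (@{$values}) {
                my $payload = $copies ? [ ($fuzz) x $copies ] : $fuzz;
                run_case($tag, $payload, defined $label ? $label : $fuzz);
            }
        }
        $stage++;
    }
}

print "\nFuzzing Complete! Check for goodies =)\n\n";

exit;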
