Wait for banner before sending any traffic

[Jason Culligan]

Hi.  How do you establish a connection but wait for a known / expected banner before sending traffic?

[joshua.t...@gmail.com]

Jason,

You can use a callback on the first message. See for example https://github.com/jtpereyda/boofuzz-ftp/blob/b6b3c16c884c60aaf653cda6fe6a5df09ef50f17/ftp.py (experimental branch)

Notice line 174:

session.connect(user, callback=check_reply_code)  

And in the callback function on line 30-31:

if test_case_context.previous_message.name == "__ROOT_NODE__":

    session.last_recv = target.recv() # grab FTP hello banner

It's a bit of a hack, and not too well documented, but this approach is working for me for now. Note that the file itself is not stable so it may not work, but the principle is valid. There might also be issues with __ROOT_NODE__ though, if so please let me know (it's been the subject of some recent code churn).

Joshua

[Jason Culligan]

Hi Joshua.   Here's a little more that might help explain the issue.

I'm using the bundled ftp_simple.py against a vsftp server.  Look at this first test case:

[2021-06-11 17:55:08,192] Test Step: Transmit Prep Node 'user'
[2021-06-11 17:55:08,193] Info: Sending 18 bytes...
[2021-06-11 17:55:08,193] Transmitted 18 bytes: 55 53 45 52 20 66 74 70 74 65 73 74 75 73 65 72 0d 0a b'USER ftptestuser\r\n'
[2021-06-11 17:55:08,193] Info: Receiving...
[2021-06-11 17:55:08,285] Received: 32 32 30 20 28 76 73 46 54 50 64 20 33 2e 30 2e 33 29 0d 0a b'220 (vsFTPd 3.0.3)\r\n'
[2021-06-11 17:55:08,285] Test Step: Fuzzing Node 'pass'
[2021-06-11 17:55:08,285] Info: Sending 1039 bytes...

Do you see how the first interaction was that boofuzz sent the USER ftptestuser\r\n string, before the (vsFTPd 3.0.3)\r\n was received?  Then, and purely randomly, a later test case was lucky and the banner arrived before boofuzz got to send the USER command and it was only then able to log in.  The ability for boofuzz to send something only after something is received would be great.