Sunday, November 20, 2011

rtspFUZZ a Real Time Streaming Server Fuzzer

The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming.The Real Time Streaming Protocol, or RTSP, is an application-level protocol for control over the delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled, on-demand delivery of real-time data, such as audio and video.

rtspFUZZ is a Real Time Streaming Protocol Server Fuzzer(a python script near about 600 lines)coded by myself.
This fuzzer uses 6 basic crafting and 9 advanced crafting technique to test any target application.

Key Features:
1)This fuzzer uses 6 basic crafting technique with OPTIONS,DESCRIBE,SETUP,PLAY,GET_PARAMETER,TEARDOWN,PAUSE etc rtsp commands and 9 advanced crafting technique to test any target application.
2)Ability to fuzz with Metasploit Pattern (pattern_create.rb) can be helpful to find offset.

How to use??
1)First edit "rtsp.conf" file with your favorite text editor.Change the Parameters as per your requirement.You should get parameters description in the configuration file.
2)Give Write permission to LOG.TXT (chmod 777 README.TXT)
3)Give execution permission to "rtspfuzz.py" file.(chmod 777 rtspfuzz.py)
4)In shell type "python rtspfuzz.py".Now the script will show your preferences provided in the configuration file.If the information are correct then press enter to start fuzzing.
5)The program will always save the last successful request in LOG.TXT file.When the target crashes go to LOG.TXT file to check the Buffer length and the exact request sent.

Some sample wire-shark captures:






Download:

The tool can be downloaded from:

http://packetstormsecurity.org/files/author/9123/

5 comments:

  1. when i run python rtspfuzz.py i get file"",line 1 python rtspfuzz.py syntaxError: invalid syntax, Can anyone tell me what thats about ?

    ReplyDelete
    Replies
    1. I have tested this with Python2.7. I donno about other versions but it should work.Make sure you have all the required modules installed with your python version!
      if you get a error like this

      Traceback (most recent call last):
      File "C:\Users\Debasish\Desktop\rtsp_fuzz_v0.1\rtsp_fuzz_v 0.1\Main_Package\rtspfuzz.py", line 500, in
      STOPAFTER = config.get('rtspfuzz', 'STOPAFTER')
      File "C:\Python27\lib\ConfigParser.py", line 610, in get
      raise NoOptionError(option, section)
      NoOptionError: No option 'stopafter' in section: 'rtspfuzz'

      You need to update the rtsp.conf file little bit.Just add STOPAFTER : at the end!

      Eg.

      STOPAFTER : 1000000

      Delete
  2. ok, got the fuzzer to work but what am i looking for in terms of a rtsp vulnerability? not making out much from your video,

    ReplyDelete
  3. Hi,

    I find this fuzzer so usefull.

    I am able to start fuzzer properly with no issues. But it is taking so much of time for the next pkt to pump in

    Also I dont see 200OK from the server. Is there anything the we need to start at server side(target).

    ReplyDelete
  4. Streaming video is the series of images and sounds that are transported or transmitted from one source, to another location, from which the viewers will watch in the hopes of learning something or being entertained.
    movie box android

    ReplyDelete