What is SPIKE

SPIKE is a protocol fuzzer creation kit written in C. It provides an API for building your own fuzzers for network protocols, either directly from C or through its own .spk scripting language. SPIKE supplies a set of basic primitives for generating fuzzed messages and sending them to a network service.

Scripting SPIKE

For TCP-based server applications, we write a .spk script and run it with the generic_send_tcp interpreter (preinstalled on Kali Linux; generic_send_udp is its UDP counterpart). The basic syntax is:

generic_send_tcp <IP> <port> <script.spk> <SKIPVAR> <SKIPSTR>
  • IP / port: target host and port to fuzz
  • script.spk: SPIKE script to execute
  • SKIPVAR: number of s_string_variable primitives to skip, i.e. the index of the variable at which fuzzing starts
  • SKIPSTR: number of automatically generated fuzz strings to skip for that variable

generic_send_tcp prints the current variable and string indices as it runs, so after a crash you can resume at the offending position instead of replaying everything from the start. It only sends; attach a debugger to the target process to see which message actually crashed it.

So, to start a classic fuzzing run from the beginning (no variables and no strings skipped), you can use the following command:

generic_send_tcp <IP> <port> script.spk 0 0

Main SPIKE commands

SPIKE scripts use primitives to define the messages to be sent. Here are the most useful ones, grouped by category:

Character strings

s_string("Hello"); // Adds the "Hello" string
s_string_repeat("A", 200); // Repeats "A" 200 times
s_string_variable("payload"); // Fuzz point: replaced by each generated string in turn; "payload" is the default sent while another variable is being fuzzed

Binary data

s_binary("\x41"); // Add byte 0x41 ("A")
s_binary_repeat("\x41", 200); // Repeats 0x41 200 times

Blocks

s_block_start("bloc1"); // Beginning of a named block
s_block_end("bloc1"); // End of block
s_blocksize_string("bloc1", 2); // Size of bloc1 as a 2-character ASCII decimal; may appear before the block, it is filled in once the block is closed
s_binary_block_size_byte("bloc1"); // Size of bloc1 as a single raw byte

SPIKE script example (fuzz POST)

s_string("POST /testme.php HTTP/1.1\r\n");
s_string("Host: testserver.example.com\r\n");
s_string("Content-Length: ");
s_blocksize_string("block1", 5); // length of block1; 5 characters, since fuzz strings run to thousands of bytes
s_string("\r\nConnection: close\r\n\r\n"); // blank line ends the headers
s_block_start("block1");
s_string("inputvar=");
s_string_variable("inputval");
s_block_end("block1");

This script generates a POST request in which the inputval variable is replaced in turn by each of the strings SPIKE generates automatically, with Content-Length recomputed from block1 for every message:

POST /testme.php HTTP/1.1
Host: testserver.example.com
Content-Length: [size]
Connection: close

inputvar=[fuzzed_string]
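To see exactly what the primitives above produce without a target on the wire, here is an added example (written for this page, not SPIKE's own code) that models s_string, s_string_variable, s_block_start/s_block_end, s_blocksize_string and s_binary_block_size_byte, plus the SKIPVAR / SKIPSTR loop of generic_send_tcp, and builds the POST script from this page with it. The fuzz-string list is a constructed stand-in for SPIKE's much longer built-in list; zero-padding the ASCII size field and raising ValueError when a block length does not fit the field are choices of this model, not documented SPIKE behaviour.

```python
# Added example, not SPIKE's own code: a Python model of the primitives used on
# this page and of generic_send_tcp's SKIPVAR / SKIPSTR loop, so the messages a
# script would send can be inspected offline. FUZZ_STRINGS is a constructed
# stand-in for SPIKE's built-in list; zero-padding the ASCII size field and
# raising ValueError on overflow are this model's choices.

FUZZ_STRINGS = [b"A" * 64, b"A" * 5000, b"%n%n%n%n%n",
                b"../../../../../../etc/passwd", b"\x00" * 8]  # constructed


class SpikeScript:
    """Records primitives in script order; render()/generate() replay them."""

    def __init__(self):
        self.ops = []

    def s_string(self, text):
        self.ops.append(("lit", text.encode("latin-1")))
    def s_string_variable(self, default):
        # `default` is sent whenever this is not the variable being fuzzed
        self.ops.append(("var", default.encode("latin-1")))
    def s_block_start(self, name):
        self.ops.append(("bstart", name))
    def s_block_end(self, name):
        self.ops.append(("bend", name))
    def s_blocksize_string(self, name, width):
        self.ops.append(("size", name, "ascii", width))  # decimal, width chars
    def s_binary_block_size_byte(self, name):
        self.ops.append(("size", name, "byte", 1))  # one raw length byte

    def render(self, fuzz_var, fuzz_value):
        """One message with s_string_variable number `fuzz_var` replaced."""
        pieces, starts, lengths, var_no = [], {}, {}, 0
        for op in self.ops:  # pass 1: lay out pieces, measure blocks
            if op[0] == "lit":
                pieces.append(op[1])
            elif op[0] == "var":
                pieces.append(fuzz_value if var_no == fuzz_var else op[1])
                var_no += 1
            elif op[0] == "bstart":
                starts[op[1]] = len(pieces)
            elif op[0] == "bend":  # a size field inside a block counts as width
                lengths[op[1]] = sum(len(p) if isinstance(p, bytes) else p[3]
                                     for p in pieces[starts[op[1]]:])
            else:
                pieces.append(op)  # size field, filled in pass 2
        out = bytearray()
        for p in pieces:  # pass 2: a size field may precede its block
            if isinstance(p, bytes):
                out += p
                continue
            _, name, fmt, width = p
            n = lengths[name]  # KeyError if the block was never closed
            enc = str(n).encode().rjust(width, b"0") if fmt == "ascii" else bytes([n])
            if len(enc) != width:  # more digits than the field can hold
                raise ValueError(f"block {name!r} is {n} bytes, field is {width}")
            out += enc
        return bytes(out)

    def generate(self, skipvar=0, skipstr=0):
        """Yield (var index, string index, message) in generic_send_tcp order:
        resume at variable SKIPVAR / string SKIPSTR, later variables in full."""
        nvars = sum(op[0] == "var" for op in self.ops)
        for v in range(skipvar, nvars):
            for s in range(skipstr if v == skipvar else 0, len(FUZZ_STRINGS)):
                yield v, s, self.render(v, FUZZ_STRINGS[s])


def post_script(size_width=5):
    """The page's POST example, with Content-Length tied to block1."""
    spk = SpikeScript()
    spk.s_string("POST /testme.php HTTP/1.1\r\n")
    spk.s_string("Host: testserver.example.com\r\n")
    spk.s_string("Content-Length: ")
    spk.s_blocksize_string("block1", size_width)
    spk.s_string("\r\nConnection: close\r\n\r\n")
    spk.s_block_start("block1")
    spk.s_string("inputvar=")
    spk.s_string_variable("inputval")
    spk.s_block_end("block1")
    return spk


def content_length_ok(msg):
    """True if the Content-Length header equals the real body length."""
    head, _, body = msg.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1]) == len(body)
    return False


def size_field_overflows(width):
    """True if some message needs more digits than a `width`-char field."""
    try:
        list(post_script(width).generate())
        return False
    except ValueError:
        return True
```

Running `post_script().generate(skipvar=0, skipstr=3)` yields only strings 3 and 4 of the single variable, which is what resuming with SKIPVAR=0 SKIPSTR=3 does on the command line. `size_field_overflows(2)` shows why the width matters: a 5000-byte fuzz string makes block1 four digits long, so a 2-character Content-Length field cannot hold it, while a width of 5 covers every string in the list.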