This repository has been archived by the owner. It is now read-only.

Cardinal-Crystal-Fuzzer

Cardinal Crystal Fuzzer (CCF)

Cardinal Crystal Fuzzer (CCF)

Security research fuzzer for legacy Windows vulnerability analysis
Written entirely in Crystal · MIT License · v0.8.0

Crystal License: MIT Version Build Windows EXE


Overview

Cardinal Crystal Fuzzer (CCF) is a security-focused fuzzing framework for analyzing legacy Windows operating system vulnerabilities. It targets the full Windows 9x/NT legacy stack — from Windows 95 through Windows Vista — using public CVE data to generate targeted, high-signal fuzzing inputs.

CCF is designed for:

  • Reverse engineers studying legacy Windows internals
  • Security researchers analyzing old CVE reproduction cases
  • Penetration testers with explicit authorization on legacy infrastructure
  • Students learning how fuzzing and vulnerability research work

⚠️ Legal Disclaimer: Use CCF only on systems you own or have explicit written permission to test. CVE data is included for defensive/research purposes only. Unauthorized use against systems you do not own is illegal.


Features

Feature Description
🎯 CVE-Targeted Fuzzing Mutations based on real CVE patterns across all 6 legacy OS targets
🧠 Crash-Guided Learning Auto-adapts mutation strategy based on crash feedback (weighted random ops)
🪟 Full Win9x Coverage Windows 95, 98, ME profiles with known attack surfaces and CVEs
🏛️ Full WinNT Coverage Windows 2000, XP, Vista profiles with known CVEs
🔬 28+ Mutation Operations bit flip, NetBIOS spray, ASN.1 corrupt, RPC opnum fuzz, Win9x heap spray, and more
🌐 Protocol Fuzzer SMBv1/2, RPC, NetBIOS, WINS (UDP/42), Messenger (1026), HTTP, LDAP, DNS, SNMP
📡 UDP Fuzzing UDP datagram send for WINS/SNMP/NetBIOS Name Service targets
📊 Multi-Format Reporting JSON, Markdown, HTML dashboard, SARIF (GitHub Code Scanning), issue drafts
🌱 Auto Seed Generation Generate CVE-seeded inputs per OS target automatically
🔒 Security-First Code Input validation, bounds checking, ANSI sanitization, 100MB log cap
Delta-Debugging Minimizer O(n log n) ddmin — 10-100x faster crash minimization
🔄 Win9x-Aware Adaptive Auto-selects Win9x CVE vectors when targeting Win95/98
🪟 Windows EXE Pre-built .exe for Windows in Releases

Supported OS Targets

Target Flag CVEs Covered Attack Surfaces
Windows 95 win95 CVE-1999-0382, CVE-1999-0142, CVE-1999-0372, CVE-2000-0979, + more NetBIOS, PWS, RPC, WinSock
Windows 98 win98 CVE-2002-0369, CVE-2003-0109, CVE-2003-0660, CVE-2001-0238, + more ASN.1, SMB, Messenger, IE5.5
Windows ME me CVE-2001-0154, CVE-2004-0200, CVE-2006-0001, + more NetBIOS, Shell, WinHelp
Windows 2000 win2000 CVE-2001-0500, CVE-2003-0352, CVE-2003-0533, + more IIS 5.0, LSASS, AD, RPC
Windows XP xp CVE-2008-4250, CVE-2017-0143, CVE-2004-0200, + more SMB, RPC, GDI+, Shell
Windows Vista vista CVE-2009-3103, CVE-2010-2568, CVE-2017-0143, + more SMBv2, LNK, IE7

New in v0.8.0

  • Crash-Safe Persistence — atomic file writes (rename), WAL, fsync flush
    • SafeWriter module: atomic write + WAL + fsync
    • Checkpoint: fuzzing session save/restore after abnormal termination
    • CorpusManager: interesting input collection, deduplication, pruning
    • SIGTERM/SIGINT handler: flush logs before exit
    • CrashLogger: per-file crash count cap (1000), atomic crash detail writes
  • Korean comments — all 18 source files converted to Korean annotations
  • ASCII art banner — ANSI blue banner on every run
  • README.ko.md — complete Korean documentation
  • 95 specs passing (was 81)

New in v0.7.0

  • PE binary format fuzzer — 14 structure-aware mutation ops for Windows PE/DLL parsing CVEs
    • MZ/DOS header corruption, PE signature flip, COFF/Optional header field fuzzing
    • Section header overflow (VirtualSize, RVA, PointerToRawData)
    • Import/Export/Resource/TLS directory corruption, checksum break, overlay append
    • generate_base_pe() produces valid PE32 / PE32+ structures
  • LNK file fuzzer — 15 mutation ops targeting CVE-2010-2568 class (Vista/XP/2000/ME)
    • Shell Link header magic, CLSID, LinkFlags, FileAttributes fuzzing
    • FILETIME corruption, IconIndex/ShowCommand/HotKey field attacks
    • IDList size overflow, LinkInfo misparse, StringData length corruption
    • UNC path injection (\\\\attacker\\share\\evil.dll) — direct CVE-2010-2568 vector
    • IconLocation buffer overflow — key attack surface for shell32 parsing
    • ExtraData block injection (SpecialFolder/KnownFolder malformed blocks)
    • generate_base_lnk() produces valid [MS-SHLLINK] compliant structure
  • MutationEngine integration — all PE/LNK ops routable via apply_named_op()
  • CrashLearner coverage — MUTATION_OPS expanded from 27 → 56 ops
  • 81 specs passing (was 53)

New in v0.6.1

  • Windows EXE — pre-built ccf-windows-amd64.exe via GitHub Actions
  • SARIF export — GitHub Code Scanning compatible security report
  • HTML dashboard — stat cards, color bars, mutation leaderboard
  • WINS protocol (UDP/42) — CVE-1999-0142 registration/query/release fuzzing
  • Messenger protocol (port 1026) — CVE-2003-0660 overflow payload
  • Delta-debugging minimizer — O(n log n) vs previous O(n²) byte-by-byte
  • Win9x-aware adaptive strategy — automatic Win9x CVE vector bias
  • RPC opnum fuzzing — boundary opnum corruption for CVE-2003-0352 class
  • UDP fuzzing — send_udp(), probe_udp(), win9x_session()
  • ANSI sanitization in crash logs + 100MB log rotation
  • CveRegistry API — by_year, by_product, win9x_entries, severity_breakdown, etc.
  • 47 specs passing

v0.5.0

  • Windows 95 & 98 CVE profiles — 22 new vulnerability entries
  • NetBIOS spray mutation — targets CVE-1999-0382, CVE-1999-0661 class
  • ASN.1 corruption mutation — targets CVE-2002-0369, CVE-2003-0818 class
  • Win9x heap spray mutation — VxD/ring-0 boundary patterns
  • Security hardening — config bounds checking, safe path validation, null byte rejection

Requirements

  • Crystal >= 1.19.0
  • macOS, Linux (or any Crystal-supported platform)
  • No external shards required

Installation & Build

# Clone
git clone https://github.com/KaztoRay/Cardinal-Crystal-Fuzzer.git
cd Cardinal-Crystal-Fuzzer

# Build (release mode — optimized)
crystal build src/main.cr -o bin/ccf --release

# Or debug build
crystal build src/main.cr -o bin/ccf

Usage

Basic Fuzzing

./bin/ccf --target-cmd "./target_binary @@" --iterations 5000

Legacy OS Targeted Fuzzing

# Windows 95 target — NetBIOS/SMB attack surface
./bin/ccf --target-cmd "./target @@" --target-os win95 --strategy cve_targeted --iterations 10000

# Windows 98 target — ASN.1 / Messenger attack surface
./bin/ccf --target-cmd "./target @@" --target-os win98 --strategy adaptive --crash-learning true

# Windows 2000 — IIS 5.0 / LSASS attack surface
./bin/ccf --target-cmd "./target @@" --target-os win2000 --strategy crash_guided

# Windows XP — EternalBlue / SMB attack surface
./bin/ccf --target-cmd "./target @@" --target-os xp --strategy cve_targeted

# Windows Vista — SMBv2 / LNK attack surface
./bin/ccf --target-cmd "./target @@" --target-os vista --strategy adaptive

Seed Generation

# Generate CVE-seeded inputs for all OS targets
./bin/ccf --generate-seeds --seed-dir seeds

# Generate seeds for a specific OS
./bin/ccf --generate-seeds --seed-dir seeds --target-os win95
./bin/ccf --generate-seeds --seed-dir seeds --target-os win98

Legacy OS Vulnerability Summary

# Print full CVE summary for all supported OS targets
./bin/ccf --legacy-summary

Fuzzing Strategies

Strategy Flag Description
Random random Pure random mutation (default)
Crash-Guided crash_guided Prioritize mutations that triggered crashes
CVE-Targeted cve_targeted Use patterns from known CVE classes
Protocol-Aware protocol_aware Structure-aware protocol fuzzing
Adaptive adaptive Auto-switch strategy based on crash rate

All Options

--target-cmd CMD         Target command (use @@ for input placeholder)
--seed-dir DIR           Seed directory (default: seeds/)
--out-dir DIR            Output directory (default: out/)
--iterations N           Number of fuzzing iterations (default: 1000)
--timeout-ms N           Per-run timeout in ms (default: 2000)
--max-size N             Max input size in bytes (default: 4096)
--target-os OS           OS target: win95|win98|me|win2000|xp|vista
--strategy S             Fuzzing strategy (see table above)
--crash-learning BOOL    Enable crash-guided learning (default: true)
--minimize-crashes       Enable crash input minimization
--report-format FMT      Report format: json|markdown|html|all
--generate-seeds         Generate CVE-seeded inputs and exit
--legacy-summary         Print legacy OS CVE summary and exit
--verbose                Verbose output
--workers N              Number of parallel workers

Output Structure

out/
├── crashes/          # Crash-triggering inputs (binary)
├── crash_db.json     # Structured crash database
├── report.json       # JSON fuzzing report
├── report.md         # Markdown fuzzing report
└── report.html       # HTML fuzzing report

Mutation Operations

CCF implements 56 mutation operations:

Operation Description CVE Target
bit_flip Flip random bits General
byte_overwrite Overwrite random bytes General
ascii_overflow Classic ASCII overflow pattern Buffer overflows
format_string %n, %x, %s injection Format string bugs
path_traversal ../, \\..\\ sequences Path traversal CVEs
unicode_inject UTF-16/32 BOM and overlong encodings Unicode parsing
null_inject Null byte injection String termination bugs
boundary_value 0, 1, 127, 128, 255 values Integer boundaries
known_integer Interesting DWORD values Integer overflows
netbios_spray Malformed NetBIOS session headers CVE-1999-0382 class
asn1_corrupt Malformed BER/DER ASN.1 structures CVE-2002-0369 class
win9x_specific Win9x heap spray patterns VxD/ring-0 bugs
header_mutate Protocol header corruption Protocol parsing
length_field_corrupt Corrupt length fields Length handling
checksum_break Invert checksum bytes Checksum bypass
havoc Many random mutations at once General
block_swap Swap data blocks General
block_duplicate Duplicate data blocks General
trim Truncate input General
extend Extend input with random bytes General
dictionary_insert Insert common tokens Parser fuzzing
arithmetic_inc/dec Byte arithmetic Integer bugs
random_insert/delete Insert/remove random bytes General
pe_dos_header_corrupt Corrupt MZ/DOS header, e_lfanew offset PE parsing CVEs
pe_signature_corrupt Flip PE signature (PE/NE/LE/null) PE loader bypass
pe_coff_header_fuzz Machine type, section count, timestamps COFF parsing
pe_optional_header_fuzz Magic, entrypoint, ImageBase, sizes OPT header CVEs
pe_section_header_fuzz Name, VirtualSize, VirtualAddress, flags Section mapping
pe_import_table_corrupt Import directory RVA/size overflow IAT parsing
pe_export_table_corrupt Export directory corruption EAT parsing
pe_resource_corrupt Resource directory RVA/size + data flip RSRC parsing
pe_overlay_fuzz Append/corrupt overlay data Parser edge cases
pe_checksum_break Corrupt PE checksum field Integrity bypass
pe_subsystem_corrupt Invalid subsystem values Loader type checks
pe_entrypoint_corrupt Null/overflow entrypoint RVA EP handling
pe_size_overflow SizeOfCode/Image/Headers overflow Size field CVEs
pe_tls_inject Fake TLS directory pointer injection TLS callback abuse
lnk_header_magic_corrupt Wrong HeaderSize / magic bytes LNK parsing
lnk_clsid_corrupt Wrong/null/random CLSID Shell CLSID lookup
lnk_link_flags_corrupt Invalid LinkFlags combinations Shell parsing
lnk_file_attributes_corrupt Invalid attribute flags File type confusion
lnk_timestamps_corrupt Zero/max/random FILETIME values Time field parsing
lnk_file_size_corrupt Overflow FileSize field Size handling
lnk_icon_index_corrupt Overflow IconIndex Icon resource lookup
lnk_show_command_corrupt Invalid ShowCommand values Window creation
lnk_hotkey_corrupt Overflow HotKey field Keyboard handling
lnk_target_id_list_corrupt IDList size overflow / bad ItemID Shell ID parsing
lnk_link_info_corrupt LinkInfo size/offset corruption Path resolution
lnk_string_data_corrupt CountCharacters overflow Unicode string bugs
lnk_extra_data_inject Malformed ExtraData blocks Extra data parsing
lnk_unc_path_inject UNC paths (\\attacker\share\evil.dll) CVE-2010-2568 class
lnk_icon_location_overflow Overflow IconLocation string Shell32 buffer bug

Security Notes

  • All file path inputs are validated to prevent directory traversal
  • Null bytes in target commands are rejected
  • Iteration counts, timeouts, and buffer sizes are clamped to safe bounds
  • Crash log output is capped at 100 MB to prevent disk exhaustion
  • Target command is length-limited to 4096 characters

License

MIT License © 2025 KaztoRay

Repository

Cardinal-Crystal-Fuzzer

Owner
Statistic
  • 0
  • 0
  • 0
  • 0
  • 0
  • 1 day ago
  • July 13, 2026
License

MIT License

Links
Synced at

Mon, 13 Jul 2026 11:40:44 GMT

Languages