Cardinal-Crystal-Fuzzer
Cardinal Crystal Fuzzer (CCF)
Security research fuzzer for legacy Windows vulnerability analysis
Written entirely in Crystal · MIT License · v0.8.0
Overview
Cardinal Crystal Fuzzer (CCF) is a security-focused fuzzing framework for analyzing legacy Windows operating system vulnerabilities. It targets the full Windows 9x/NT legacy stack — from Windows 95 through Windows Vista — using public CVE data to generate targeted, high-signal fuzzing inputs.
CCF is designed for:
- Reverse engineers studying legacy Windows internals
- Security researchers analyzing old CVE reproduction cases
- Penetration testers with explicit authorization on legacy infrastructure
- Students learning how fuzzing and vulnerability research work
⚠️ Legal Disclaimer: Use CCF only on systems you own or have explicit written permission to test. CVE data is included for defensive/research purposes only. Unauthorized use against systems you do not own is illegal.
Features
| Feature | Description |
|---|---|
| 🎯 CVE-Targeted Fuzzing | Mutations based on real CVE patterns across all 6 legacy OS targets |
| 🧠 Crash-Guided Learning | Auto-adapts mutation strategy based on crash feedback (weighted random ops) |
| 🪟 Full Win9x Coverage | Windows 95, 98, ME profiles with known attack surfaces and CVEs |
| 🏛️ Full WinNT Coverage | Windows 2000, XP, Vista profiles with known CVEs |
| 🔬 28+ Mutation Operations | bit flip, NetBIOS spray, ASN.1 corrupt, RPC opnum fuzz, Win9x heap spray, and more |
| 🌐 Protocol Fuzzer | SMBv1/2, RPC, NetBIOS, WINS (UDP/42), Messenger (1026), HTTP, LDAP, DNS, SNMP |
| 📡 UDP Fuzzing | UDP datagram send for WINS/SNMP/NetBIOS Name Service targets |
| 📊 Multi-Format Reporting | JSON, Markdown, HTML dashboard, SARIF (GitHub Code Scanning), issue drafts |
| 🌱 Auto Seed Generation | Generate CVE-seeded inputs per OS target automatically |
| 🔒 Security-First Code | Input validation, bounds checking, ANSI sanitization, 100MB log cap |
| ⚡ Delta-Debugging Minimizer | O(n log n) ddmin — 10-100x faster crash minimization |
| 🔄 Win9x-Aware Adaptive | Auto-selects Win9x CVE vectors when targeting Win95/98 |
| 🪟 Windows EXE | Pre-built .exe for Windows in Releases |
Supported OS Targets
| Target | Flag | CVEs Covered | Attack Surfaces |
|---|---|---|---|
| Windows 95 | win95 |
CVE-1999-0382, CVE-1999-0142, CVE-1999-0372, CVE-2000-0979, + more | NetBIOS, PWS, RPC, WinSock |
| Windows 98 | win98 |
CVE-2002-0369, CVE-2003-0109, CVE-2003-0660, CVE-2001-0238, + more | ASN.1, SMB, Messenger, IE5.5 |
| Windows ME | me |
CVE-2001-0154, CVE-2004-0200, CVE-2006-0001, + more | NetBIOS, Shell, WinHelp |
| Windows 2000 | win2000 |
CVE-2001-0500, CVE-2003-0352, CVE-2003-0533, + more | IIS 5.0, LSASS, AD, RPC |
| Windows XP | xp |
CVE-2008-4250, CVE-2017-0143, CVE-2004-0200, + more | SMB, RPC, GDI+, Shell |
| Windows Vista | vista |
CVE-2009-3103, CVE-2010-2568, CVE-2017-0143, + more | SMBv2, LNK, IE7 |
New in v0.8.0
- ✅ Crash-Safe Persistence — atomic file writes (rename), WAL, fsync flush
SafeWritermodule: atomic write + WAL + fsyncCheckpoint: fuzzing session save/restore after abnormal terminationCorpusManager: interesting input collection, deduplication, pruning- SIGTERM/SIGINT handler: flush logs before exit
- CrashLogger: per-file crash count cap (1000), atomic crash detail writes
- ✅ Korean comments — all 18 source files converted to Korean annotations
- ✅ ASCII art banner — ANSI blue banner on every run
- ✅ README.ko.md — complete Korean documentation
- ✅ 95 specs passing (was 81)
New in v0.7.0
- ✅ PE binary format fuzzer — 14 structure-aware mutation ops for Windows PE/DLL parsing CVEs
- MZ/DOS header corruption, PE signature flip, COFF/Optional header field fuzzing
- Section header overflow (VirtualSize, RVA, PointerToRawData)
- Import/Export/Resource/TLS directory corruption, checksum break, overlay append
generate_base_pe()produces valid PE32 / PE32+ structures
- ✅ LNK file fuzzer — 15 mutation ops targeting CVE-2010-2568 class (Vista/XP/2000/ME)
- Shell Link header magic, CLSID, LinkFlags, FileAttributes fuzzing
- FILETIME corruption, IconIndex/ShowCommand/HotKey field attacks
- IDList size overflow, LinkInfo misparse, StringData length corruption
- UNC path injection (
\\\\attacker\\share\\evil.dll) — direct CVE-2010-2568 vector - IconLocation buffer overflow — key attack surface for shell32 parsing
- ExtraData block injection (SpecialFolder/KnownFolder malformed blocks)
generate_base_lnk()produces valid [MS-SHLLINK] compliant structure
- ✅ MutationEngine integration — all PE/LNK ops routable via
apply_named_op() - ✅ CrashLearner coverage — MUTATION_OPS expanded from 27 → 56 ops
- ✅ 81 specs passing (was 53)
New in v0.6.1
- ✅ Windows EXE — pre-built
ccf-windows-amd64.exevia GitHub Actions - ✅ SARIF export — GitHub Code Scanning compatible security report
- ✅ HTML dashboard — stat cards, color bars, mutation leaderboard
- ✅ WINS protocol (UDP/42) — CVE-1999-0142 registration/query/release fuzzing
- ✅ Messenger protocol (port 1026) — CVE-2003-0660 overflow payload
- ✅ Delta-debugging minimizer — O(n log n) vs previous O(n²) byte-by-byte
- ✅ Win9x-aware adaptive strategy — automatic Win9x CVE vector bias
- ✅ RPC opnum fuzzing — boundary opnum corruption for CVE-2003-0352 class
- ✅ UDP fuzzing — send_udp(), probe_udp(), win9x_session()
- ✅ ANSI sanitization in crash logs + 100MB log rotation
- ✅ CveRegistry API — by_year, by_product, win9x_entries, severity_breakdown, etc.
- ✅ 47 specs passing
v0.5.0
- ✅ Windows 95 & 98 CVE profiles — 22 new vulnerability entries
- ✅ NetBIOS spray mutation — targets CVE-1999-0382, CVE-1999-0661 class
- ✅ ASN.1 corruption mutation — targets CVE-2002-0369, CVE-2003-0818 class
- ✅ Win9x heap spray mutation — VxD/ring-0 boundary patterns
- ✅ Security hardening — config bounds checking, safe path validation, null byte rejection
Requirements
- Crystal
>= 1.19.0 - macOS, Linux (or any Crystal-supported platform)
- No external shards required
Installation & Build
# Clone
git clone https://github.com/KaztoRay/Cardinal-Crystal-Fuzzer.git
cd Cardinal-Crystal-Fuzzer
# Build (release mode — optimized)
crystal build src/main.cr -o bin/ccf --release
# Or debug build
crystal build src/main.cr -o bin/ccf
Usage
Basic Fuzzing
./bin/ccf --target-cmd "./target_binary @@" --iterations 5000
Legacy OS Targeted Fuzzing
# Windows 95 target — NetBIOS/SMB attack surface
./bin/ccf --target-cmd "./target @@" --target-os win95 --strategy cve_targeted --iterations 10000
# Windows 98 target — ASN.1 / Messenger attack surface
./bin/ccf --target-cmd "./target @@" --target-os win98 --strategy adaptive --crash-learning true
# Windows 2000 — IIS 5.0 / LSASS attack surface
./bin/ccf --target-cmd "./target @@" --target-os win2000 --strategy crash_guided
# Windows XP — EternalBlue / SMB attack surface
./bin/ccf --target-cmd "./target @@" --target-os xp --strategy cve_targeted
# Windows Vista — SMBv2 / LNK attack surface
./bin/ccf --target-cmd "./target @@" --target-os vista --strategy adaptive
Seed Generation
# Generate CVE-seeded inputs for all OS targets
./bin/ccf --generate-seeds --seed-dir seeds
# Generate seeds for a specific OS
./bin/ccf --generate-seeds --seed-dir seeds --target-os win95
./bin/ccf --generate-seeds --seed-dir seeds --target-os win98
Legacy OS Vulnerability Summary
# Print full CVE summary for all supported OS targets
./bin/ccf --legacy-summary
Fuzzing Strategies
| Strategy | Flag | Description |
|---|---|---|
| Random | random |
Pure random mutation (default) |
| Crash-Guided | crash_guided |
Prioritize mutations that triggered crashes |
| CVE-Targeted | cve_targeted |
Use patterns from known CVE classes |
| Protocol-Aware | protocol_aware |
Structure-aware protocol fuzzing |
| Adaptive | adaptive |
Auto-switch strategy based on crash rate |
All Options
--target-cmd CMD Target command (use @@ for input placeholder)
--seed-dir DIR Seed directory (default: seeds/)
--out-dir DIR Output directory (default: out/)
--iterations N Number of fuzzing iterations (default: 1000)
--timeout-ms N Per-run timeout in ms (default: 2000)
--max-size N Max input size in bytes (default: 4096)
--target-os OS OS target: win95|win98|me|win2000|xp|vista
--strategy S Fuzzing strategy (see table above)
--crash-learning BOOL Enable crash-guided learning (default: true)
--minimize-crashes Enable crash input minimization
--report-format FMT Report format: json|markdown|html|all
--generate-seeds Generate CVE-seeded inputs and exit
--legacy-summary Print legacy OS CVE summary and exit
--verbose Verbose output
--workers N Number of parallel workers
Output Structure
out/
├── crashes/ # Crash-triggering inputs (binary)
├── crash_db.json # Structured crash database
├── report.json # JSON fuzzing report
├── report.md # Markdown fuzzing report
└── report.html # HTML fuzzing report
Mutation Operations
CCF implements 56 mutation operations:
| Operation | Description | CVE Target |
|---|---|---|
bit_flip |
Flip random bits | General |
byte_overwrite |
Overwrite random bytes | General |
ascii_overflow |
Classic ASCII overflow pattern | Buffer overflows |
format_string |
%n, %x, %s injection |
Format string bugs |
path_traversal |
../, \\..\\ sequences |
Path traversal CVEs |
unicode_inject |
UTF-16/32 BOM and overlong encodings | Unicode parsing |
null_inject |
Null byte injection | String termination bugs |
boundary_value |
0, 1, 127, 128, 255 values | Integer boundaries |
known_integer |
Interesting DWORD values | Integer overflows |
netbios_spray |
Malformed NetBIOS session headers | CVE-1999-0382 class |
asn1_corrupt |
Malformed BER/DER ASN.1 structures | CVE-2002-0369 class |
win9x_specific |
Win9x heap spray patterns | VxD/ring-0 bugs |
header_mutate |
Protocol header corruption | Protocol parsing |
length_field_corrupt |
Corrupt length fields | Length handling |
checksum_break |
Invert checksum bytes | Checksum bypass |
havoc |
Many random mutations at once | General |
block_swap |
Swap data blocks | General |
block_duplicate |
Duplicate data blocks | General |
trim |
Truncate input | General |
extend |
Extend input with random bytes | General |
dictionary_insert |
Insert common tokens | Parser fuzzing |
arithmetic_inc/dec |
Byte arithmetic | Integer bugs |
random_insert/delete |
Insert/remove random bytes | General |
pe_dos_header_corrupt |
Corrupt MZ/DOS header, e_lfanew offset | PE parsing CVEs |
pe_signature_corrupt |
Flip PE signature (PE/NE/LE/null) | PE loader bypass |
pe_coff_header_fuzz |
Machine type, section count, timestamps | COFF parsing |
pe_optional_header_fuzz |
Magic, entrypoint, ImageBase, sizes | OPT header CVEs |
pe_section_header_fuzz |
Name, VirtualSize, VirtualAddress, flags | Section mapping |
pe_import_table_corrupt |
Import directory RVA/size overflow | IAT parsing |
pe_export_table_corrupt |
Export directory corruption | EAT parsing |
pe_resource_corrupt |
Resource directory RVA/size + data flip | RSRC parsing |
pe_overlay_fuzz |
Append/corrupt overlay data | Parser edge cases |
pe_checksum_break |
Corrupt PE checksum field | Integrity bypass |
pe_subsystem_corrupt |
Invalid subsystem values | Loader type checks |
pe_entrypoint_corrupt |
Null/overflow entrypoint RVA | EP handling |
pe_size_overflow |
SizeOfCode/Image/Headers overflow | Size field CVEs |
pe_tls_inject |
Fake TLS directory pointer injection | TLS callback abuse |
lnk_header_magic_corrupt |
Wrong HeaderSize / magic bytes | LNK parsing |
lnk_clsid_corrupt |
Wrong/null/random CLSID | Shell CLSID lookup |
lnk_link_flags_corrupt |
Invalid LinkFlags combinations | Shell parsing |
lnk_file_attributes_corrupt |
Invalid attribute flags | File type confusion |
lnk_timestamps_corrupt |
Zero/max/random FILETIME values | Time field parsing |
lnk_file_size_corrupt |
Overflow FileSize field | Size handling |
lnk_icon_index_corrupt |
Overflow IconIndex | Icon resource lookup |
lnk_show_command_corrupt |
Invalid ShowCommand values | Window creation |
lnk_hotkey_corrupt |
Overflow HotKey field | Keyboard handling |
lnk_target_id_list_corrupt |
IDList size overflow / bad ItemID | Shell ID parsing |
lnk_link_info_corrupt |
LinkInfo size/offset corruption | Path resolution |
lnk_string_data_corrupt |
CountCharacters overflow | Unicode string bugs |
lnk_extra_data_inject |
Malformed ExtraData blocks | Extra data parsing |
lnk_unc_path_inject |
UNC paths (\\attacker\share\evil.dll) |
CVE-2010-2568 class |
lnk_icon_location_overflow |
Overflow IconLocation string | Shell32 buffer bug |
Security Notes
- All file path inputs are validated to prevent directory traversal
- Null bytes in target commands are rejected
- Iteration counts, timeouts, and buffer sizes are clamped to safe bounds
- Crash log output is capped at 100 MB to prevent disk exhaustion
- Target command is length-limited to 4096 characters
License
MIT License © 2025 KaztoRay
Cardinal-Crystal-Fuzzer
- 0
- 0
- 0
- 0
- 0
- 1 day ago
- July 13, 2026
MIT License
Mon, 13 Jul 2026 11:40:44 GMT