def fuzz_path(self):
output().raw("Checking base pathes first.")
# get a cup of coffee, fuzzing will take some time
output().fuzzed('PATH', '', ('', 'EXISTS', 'DIRLIST'))
output().hline()
found = {} # pathes found
# try base pathes first
for path in self.vol_exists() + fuzzer().path:
self.verify_path(path, found)
# try path traversal strategies
if found:
output().raw("Now checking traversal strategies.")
output().fuzzed('PATH', '', ('', 'EXISTS', 'DIRLIST'))
output().hline()
# only check found volumes
for vol in found:
sep = '' if vol[-1:] in ['', '/', '\\'] else '/'
sep2 = vol[-1:] if vol[-1:] in ['/', '\\'] else '/'
# 1st level traversal
for dir in fuzzer().dir:
path = vol + sep + dir + sep2
self.verify_path(path)
# 2nd level traversal
for dir2 in fuzzer().dir:
path = vol + sep + dir + sep2 + dir2 + sep2
self.verify_path(path)
def fuzz_blind(self):
output().raw("Blindly trying to read files.")
# get a bottle of beer, fuzzing will take some time
output().fuzzed('PATH', '', ('', 'GET', 'EXISTS'))
output().hline()
# try blind file access strategies (relative path)
for path in fuzzer().rel:
self.verify_blind(path, "")
output().hline()
# try blind file access strategies (absolute path)
for vol in self.vol_exists() + fuzzer().blind:
sep = '' if vol[-1:] in ['', '/', '\\'] else '/'
sep2 = vol[-1:] if vol[-1:] in ['/', '\\'] else '/'
# filenames to look for
for file in fuzzer().abs:
# set current delimiter
if isinstance(file, list): file = sep2.join(file)
path = vol + sep
self.verify_blind(path, file)
# vol name out of range error
if self.error == '30054':
output().raw("Volume nonexistent, skipping.")
break
# no directory traversal
for dir in fuzzer().dir:
# n'th level traversal
for n in range(1, 3):
path = vol + sep + n * (dir + sep2)
self.verify_blind(path, file)
def main():
img = Image.new('RGBA', (consts.WIDTH, consts.HEIGHT), consts.WHITE)
draw = ImageDraw.Draw(img)
depth = 0
corn_chips(draw)
fuzzer(draw)
# img = img.rotate(180)
img.save('test.png', 'PNG')
def setup_payload(self, payload):
data = lsusbDescriptionParser(config.DEV_DESC_FOLDER + payload.get_option("descriptor")).parse()
self.payload = data[0]
self.if_info_packet = data[3]
self.ep_info_packet = data[4]
self.connect_packet = data[2]
fuzzer_obj = fuzzer(payload)
fuzzer_obj.set_descriptor(self.payload)
emulator = payload.get_option("emulator")
if emulator == "enumeration":
self.enum_emulator = enumeration(fuzzer_obj)
elif emulator == "enumeration_abortion":
self.enum_emulator = abortion_enumeration(fuzzer_obj)
elif emulator == "hid":
self.enum_emulator = hid(fuzzer_obj)
else:
raise Exception("Unknown emulator")
def setup_payload(self, payload):
data = usbdescFileParser(config.DEV_DESC_FOLDER + payload.get_option("descriptor")).parse()
self.payload = data[0]
self.if_info_packet = data[3]
self.ep_info_packet = data[4]
self.connect_packet = data[2]
fuzzer_obj = fuzzer(payload)
fuzzer_obj.set_descriptor(self.payload)
emulator = payload.get_option("emulator")
if emulator == "enumeration":
self.enum_emulator = enumeration(fuzzer_obj)
elif emulator == "enumeration_abortion":
self.enum_emulator = abortion_enumeration(fuzzer_obj)
elif emulator == "hid":
self.enum_emulator = hid(fuzzer_obj)
else:
raise Exception("Unknown emulator")
def fuzz_write(self):
self.logger.raw("Writing temporary files.")
# get a cup of tea, fuzzing will take some time
self.logger.fuzzed('PATH', 'COMMAND', ('GET', 'EXISTS', 'DIRLIST'))
self.logger.hline()
# test data to put/append
data = "test"; data2 = "test2"
# try write to disk strategies
for vol in self.vol_exists() + fuzzer().write:
sep = '' if vol[-1:] in ['', '/', '\\' ] else '/'
name = "dat" + str(random.randrange(10000))
# FSDOWNLOAD
self.put(vol + sep + name, data)
fsd_worked = self.verify_write(vol+sep, name, data, 'PUT')
# FSAPPEND
self.append(vol + sep + name, data2)
data = (data + data2) if fsd_worked else data2
self.verify_write(vol + sep, name, data, 'APPEND')
# FSDELETE
self.do_delete(vol + sep + name)
self.logger.hline()
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
server_address = "http://openstack-ace.cloudapp.net"
count = 10000
if sys.argv.__len__() > 0:
if isinstance(sys.argv[0], int):
count = sys.argv[0]
# Step 0: Keystone generating token
# Step 1: Glance - Create Image
http_address_glance_create_image = server_address + ":9292/v2/images"
runner_1 = fuzzer.fuzzer(http_address_glance_create_image, 'POST', 1)
# Token
user_id = "28fb0982afab42a19e44f6d0a124c73d"
password = "******"
token = runner_1.get_token(user_id, password)
# Create Image
runner_1.headers["Content-Type"]= "application/json"
runner_1.headers["X-Auth-Token"]= token
runner_1.body_json_string='''
{
"name": "Ubuntu 12.10",
"container_format": "ami",
"disk_format": "ami",
"visibility": "public"
}
'''
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
from utils import randomer
file_address='../keystone_v3_cases/test.img'
# randomer.generate_random_file(file_address, 0, 655360)
image_id = "e7db3b45-8db7-47ad-8109-3fb55c2c24f2"
http_address='http://openstack-ace.cloudapp.net:9292/v2/images/%s/file' % image_id
# http_address='http://openstack-ace.cloudapp.net:9292/v2/images/{id}/file'
runner = fuzzer.fuzzer(http_address, 'PUT', 1, file_address)
# runner.url_fuzz_params["{id}"]=[1,32,True,True,True,True]
# runner.url_fuzz_params["9292"]=[1,4,False,False,True,False]
# print runner.get_token("28fb0982afab42a19e44f6d0a124c73d","secrete")
runner.headers["X-Auth-Token"]=runner.get_token("28fb0982afab42a19e44f6d0a124c73d","secrete")
runner.set_random_parameters(is_random=True, upper_limit=6550, lower_limit=0)
runner.run_file(asserter.assert_equal, 204, "/v2/images/{image_id}/file ")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
# {account} in uri will be fuzzed, so {account} can be any
http_address='http://openstack-bit.cloudapp.net:8080/v1/{account}'
runner = fuzzer.fuzzer(http_address, 'GET', 5)
runner.url_fuzz_params["{account}"]=[1,64,True,True,True,False]
# make sure token is correct
runner.headers["X-Auth-Token"]="3a917a00c425494981f7059fe9ab9989"
runner.run(asserter.assert_equal, 403, "/v1/{account}")
from fuzzer import fuzzer
# Options for running the fuzzer
parser = OptionParser()
parser.add_option("-s", "--secs", dest="seconds",
help="seconds to fuzz for", default=10)
parser.add_option("-m", "--mins", dest="minutes",
help="minutes to fuzz for", default=0)
parser.add_option("-o", "--hours", dest="hours",
help="hours to fuzz for", default=0)
parser.add_option("-i", "--interface", dest="interface",
help="interface class to use while fuzzing")
parser.add_option("-f", "--fuzzfile", dest="fuzzFile",
help="file containing the fuzz vectors", metavar="FILE",
default="fuzzvectors")
parser.add_option("-a", "--mode", dest="mode",
help="fuzzing mode", default=0)
parser.add_option("-e", "--seed", dest="seed",
help="seed to use for random mutating")
(options, args) = parser.parse_args()
# Make sure we get the sender class
if options.interface is None:
print("No interface class supplied")
exit(1)
# Fuzz for the given amount of time
runTime = int(options.seconds) + (60 * int(options.minutes)) + (3600 * int(options.hours))
fuzzer = fuzzer(options.interface, options.fuzzFile, options.seed, options.mode)
fuzzer.fuzz(runTime)
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
file_address = 'test.json'
http_address = 'http://openstackubuntu.chinacloudapp.cn:5000/v3/auth/tokens'
runner = fuzzer.fuzzer(http_address, 'POST', 1)
runner.headers["Content-Type"] = "application/json"
runner.body_json_string = '''
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "e80b74"
}
}
}
}
'''
runner.body_fuzz_params["id"] = [1, 32, True, True, True, True]
runner.run(asserter.assert_equal, 401, "/v3/auth/tokens ")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
file_address='test.json'
http_address='http://openstack-ace.cloudapp.net:5000/v3/auth/tokens'
runner = fuzzer.fuzzer(http_address, 'POST', 500)
runner.headers["Content-Type"]="application/json"
runner.body_json_string='''
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "28fb0982afab42a19e44f6d0a124c73d",
"password": "******"
}
}
}
}
}
'''
runner.body_fuzz_params["password"]=[1,32,True,True,True,True]
runner.body_fuzz_params["id"]=[1,32,True,True,True,True]
runner.run(asserter.assert_equal, 401, "/v3/auth/tokens ")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
# make sure http_address is correct
http_address = 'http://openstack-bit.cloudapp.net:8080/v1/AUTH_8fccf2cb64da46499a68c0cccc364ccc'
runner = fuzzer.fuzzer(http_address, 'HEAD', 500)
# token will be fuzzed, so X-Auth-Token can be any
runner.headers["X-Auth-Token"] = "ba6bbdc90e14446fae8636daa00807cc"
runner.headers_fuzz_params["X-Auth-Token"] = [0, 64, True, True, True, True]
runner.run(asserter.assert_equal, 401, "/v1/{account}")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
file_address = 'test.json'
http_address = 'http://openstackubuntu.chinacloudapp.cn:5000/v3/auth/tokens'
runner = fuzzer.fuzzer(http_address, 'POST', 5, file_address)
runner.headers["Content-Type"]="application/json"
runner.body_fuzz_params["password"]=[1,32,True,True,True,True]
runner.body_fuzz_params["id"]=[1,32,True,True,True,True]
runner.run(asserter.assert_equal, 401, "/v3/auth/tokens ")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
# {account} in uri will be fuzzed, so {account} can be any
http_address='http://openstack-bit.cloudapp.net:8080/v1/{account}'
runner = fuzzer.fuzzer(http_address, 'HEAD', 5)
runner.url_fuzz_params["{account}"]=[1,64,True,True,True,False]
# make sure token is correct
runner.headers["X-Auth-Token"]="ba6bbdc90e14446fae8636daa00807cc"
runner.run(asserter.assert_equal, 403, "/v1/{account}")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
file_address = 'test.json'
http_address = 'http://openstackubuntu.chinacloudapp.cn:5000/v3/auth/tokens'
runner = fuzzer.fuzzer(http_address, 'POST', 5, file_address)
runner.headers["Content-Type"] = "application/json"
runner.body_fuzz_params["password"] = [1, 32, True, True, True, True]
runner.body_fuzz_params["id"] = [1, 32, True, True, True, True]
runner.run(asserter.assert_equal, 401, "/v3/auth/tokens ")
__author__ = 'bunny_gg'
import sys
sys.path.append("..")
import fuzzer
from utils import asserter
from utils import randomer
file_address = '../keystone_v3_cases/test.img'
# randomer.generate_random_file(file_address, 0, 655360)
image_id = "e7db3b45-8db7-47ad-8109-3fb55c2c24f2"
http_address = 'http://openstack-ace.cloudapp.net:9292/v2/images/%s/file' % image_id
# http_address='http://openstack-ace.cloudapp.net:9292/v2/images/{id}/file'
runner = fuzzer.fuzzer(http_address, 'PUT', 1, file_address)
# runner.url_fuzz_params["{id}"]=[1,32,True,True,True,True]
# runner.url_fuzz_params["9292"]=[1,4,False,False,True,False]
# print runner.get_token("28fb0982afab42a19e44f6d0a124c73d","secrete")
runner.headers["X-Auth-Token"] = runner.get_token(
"28fb0982afab42a19e44f6d0a124c73d", "secrete")
runner.set_random_parameters(is_random=True, upper_limit=6550, lower_limit=0)
runner.run_file(asserter.assert_equal, 204, "/v2/images/{image_id}/file ")
