class Fuzzer(object):
    """Take a valid network packet and fuzz the crap out of it

    Fuzzing strategies:

        - Random bytes
        - Exhaustive (recursive)
        - Fuzz vectors (known "dangerous" values"
    """
    def __init__(self, context):
        self.mh = MessageHelper(context)

    def fuzz(self, valid_packet):
        """Generate fuzzed packets"""
        i = 0
        self.valid_packet = self.mh.unpack_request(valid_packet)[0]

        # Just do a static number of permutations for now.
        while i < 1000:
            print '[i]', i
            yield self.permute(self.valid_packet)
            i += 1

    def permute(self, packet):
        """Return a fuzzed packet"""
        if packet.type == 'handshake':
            packet_struct = get_struct('ClientInitHandShake')
        else:
            packet_struct = get_struct('ClientRequestHdr')
            packet_struct += get_struct('Client' + packet.type[4:].title() +
                                        'Request')

        if packet.type == 'kXR_read':
            packet_struct += get_struct('read_args')

        # Remove 'type' field that we inserted for convenience
        vars = packet._asdict()
        del vars['type']

        for field in packet_struct:
            if field['fuzzable']:
                vars[field['name']] = self.mutate(vars[field['name']],
                                                  field['type'])

        return self.mh.build_message(packet_struct, vars)

    def mutate(self, field, type):
        if type == 'H':
            return random.randint(0, 65535)
        elif type == 'l':
            return random.randint(-2147483648 + 1, 2147483647)
        elif type == 'q':
            return random.randint(-sys.maxint + 1, sys.maxint)
        elif type in ('s', 'c'):
            return os.urandom(len(field))
Exemple #2
0
class Fuzzer(object):
    """Take a valid network packet and fuzz the crap out of it

    Fuzzing strategies:

        - Random bytes
        - Exhaustive (recursive)
        - Fuzz vectors (known "dangerous" values"
    """

    def __init__(self, context):
        self.mh = MessageHelper(context)

    def fuzz(self, valid_packet):
        """Generate fuzzed packets"""
        i = 0
        self.valid_packet = self.mh.unpack_request(valid_packet)[0]

        # Just do a static number of permutations for now.
        while i < 1000:
            print '[i]', i
            yield self.permute(self.valid_packet)
            i += 1

    def permute(self, packet):
        """Return a fuzzed packet"""
        if packet.type == 'handshake':
            packet_struct = get_struct('ClientInitHandShake')
        else:
            packet_struct = get_struct('ClientRequestHdr')
            packet_struct += get_struct('Client' + packet.type[4:].title() + 'Request')

        if packet.type == 'kXR_read':
            packet_struct += get_struct('read_args')

        # Remove 'type' field that we inserted for convenience
        vars = packet._asdict()
        del vars['type']

        for field in packet_struct:
            if field['fuzzable']:
                vars[field['name']] = self.mutate(vars[field['name']], field['type'])

        return self.mh.build_message(packet_struct, vars)

    def mutate(self, field, type):
        if type == 'H':
            return random.randint(0, 65535)
        elif type == 'l':
            return random.randint(-2147483648 + 1, 2147483647)
        elif type == 'q':
            return random.randint(-sys.maxint + 1, sys.maxint)
        elif type in ('s', 'c'):
            return os.urandom(len(field))
    def __call__(self, context):
        client = ImposterClient(context)
        mh = MessageHelper(context)
        fuzzer = Fuzzer(context)

        handshake_request = client.handshake()
        print mh.unpack_request(handshake_request)

        # Fuzz a read request
        for m in fuzzer.fuzz(handshake_request):
            print mh.unpack_request(m)[0]
            client.send(m)
            response_raw = client.receive()
            response = client.unpack(response_raw, m)
            print response
Exemple #4
0
    def __call__(self, context):
        client = ImposterClient(context)
        mh = MessageHelper(context)
        fuzzer = Fuzzer(context)

        handshake_request = client.handshake()
        print mh.unpack_request(handshake_request)

        # Fuzz a read request
        for m in fuzzer.fuzz(handshake_request):
            print mh.unpack_request(m)[0]
            client.send(m)
            response_raw = client.receive()
            response = client.unpack(response_raw, m)
            print response
Exemple #5
0
  def __call__( self, context ):
    server = ImposterServer(context)
    fuzzer = Fuzzer(context, iterations=1)
    mh     = MessageHelper(context)

    # The following line will to the equivalent of the rest of this method,
    # using sensible default values and optionally fully authenticating.
    #
    # server.do_full_handshake(verify_auth=True)
    for request in server.receive():

      if request.type == 'handshake':
        print request
        server.send(server.handshake())

      if request.type == 'kXR_protocol':
        print request
        server.send(server.kXR_protocol(streamid=request.streamid))

      elif request.type == 'kXR_login':
        print request
        server.send(server.kXR_login(streamid=request.streamid, verify_auth=True))

      elif request.type == 'kXR_auth':
        # Authenticate this request's credentials and potentially get
        # continuation (authmore) parameters
        contparams = server.authenticate(request.cred)
        if contparams:
          # Send an authmore if necessary
          response = server.kXR_authmore(streamid=request.streamid,
                                         data=contparams)
        else:
          # We are done authenticating
          response = server.kXR_ok(streamid=request.streamid)

        server.send(response)
        # If we have contparams, there will be more auth-related requests
        # to receive at this stage. Otherwise, we are done
        if not contparams: continue
        
        #    kXR_query    = 3001,
        #    kXR_chmod    = 3002,
        #    kXR_close    = 3003,
        #    kXR_dirlist  = 3004,
        #    kXR_protocol = 3006,
        #    kXR_mkdir    = 3008,
        #    kXR_mv       = 3009,
        #    kXR_open     = 3010,
        #    kXR_ping     = 3011,
        #    kXR_read     = 3013,
        #    kXR_rm       = 3014,
        #    kXR_rmdir    = 3015,
        #    kXR_sync     = 3016,
        #    kXR_stat     = 3017,
        #    kXR_set      = 3018,
        #    kXR_write    = 3019,
        #    kXR_prepare  = 3021,
        #    kXR_statx    = 3022,
        #    kXR_endsess  = 3023,
        #    kXR_bind     = 3024,
        #    kXR_readv    = 3025,
        #    kXR_verifyw  = 3026,
        #    kXR_locate   = 3027,
        #    kXR_truncate = 3028
        # )

      elif request.type == 'kXR_chmod':
        stat_response = server.kXR_error(errmsg=20*'\0')
        #server.send(stat_response)
        for m in fuzzer.fuzz_response(stat_response, request):
            print mh.unpack_response(m, request)
            fuzzer.send(m)

      elif request.type == 'kXR_stat':
        print request
        stat_response = server.kXR_stat(data='2251804108717312 20480 51 1370444422\0')
        #server.send(stat_response)
        for m in fuzzer.fuzz_response(stat_response, request):
            print mh.unpack_response(m, request)
            fuzzer.send(m)
            # response_raw = fuzzer.receive()
            # response = mh.unpack(response_raw, m)
            # print response

    server.close()
Exemple #6
0
 def __init__(self, context):
     self.mh = MessageHelper(context)
 def __init__(self, context):
     self.mh = MessageHelper(context)