def prepare(self):
self.start_index = 10
self.end_index = 20
self.delay_duration = 0
self.fuzzer = ClientFuzzer(name="TestServerFuzzer", logger=self.logger)
self.interface = EmptyInterface()
self.fuzzer.set_interface(self.interface)
self.model = GraphModel()
self.model.logger = self.logger
self.model.connect(self.t_str)
self.fuzzer.set_model(self.model)
self.default_config = {
'always': {
'trigger': {
'fuzzer': self.fuzzer,
'stages': [(self._default_stage, {})]
}
}
}
self.target = ClientTargetMock(self.default_config,
self.default_callback,
logger=self.logger)
self.fuzzer.set_target(self.target)
self.fuzzer.set_range(self.start_index, self.end_index)
self.fuzzer.set_delay_between_tests(self.delay_duration)
def get_model(options):
'''
Get the data model
:param options: options
:return: session model
'''
stage_file = options['--stage-file']
stages = get_stages(stage_file)
templates = {}
templates.update(enumerate_templates(audio))
templates.update(enumerate_templates(cdc))
templates.update(enumerate_templates(enum))
templates.update(enumerate_templates(generic))
templates.update(enumerate_templates(hid))
templates.update(enumerate_templates(hub))
templates.update(enumerate_templates(mass_storage))
templates.update(enumerate_templates(smart_card))
g = GraphModel('usb model (%s)' % (stage_file))
for stage in stages:
if stage in templates:
stage_template = templates[stage]
stage_count = min(stages[stage], int(options['--count']))
add_stage(g, stage, stage_template, stage_count)
return g
def main(cls):
""" Main NmFuzzer function
:return: 0 if successful, -1 otherwise
"""
args = cls.parse_args()
logger = cls.logger(levels[args.log_level], "NetworkMiner.fuzz",
"./session.log")
prog = os.path.abspath(args.target_prog)
start_tc = int(args.start)
# define target
target = WinAppDbgTarget("NetworkMiner",
process_path=prog,
process_args=[],
logger=logger)
# Template
t1 = Template(name="PCAPs",
fields=[
FsNames(args.test_corpus,
name_filter="*.pcap",
name="paths"),
])
model = GraphModel()
model.connect(t1)
# define the fuzzing session
fuzzer = ServerFuzzer(
name="NetworkMiner fuzzer",
logger=logger,
)
fuzzer.set_interface(WebInterface())
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.set_delay_between_tests(2)
# Start
try:
logger.info("Starting fuzz session...")
fuzzer.set_range(start_tc)
start_time = time.time()
fuzzer.start()
end_time = time.time()
logger.info("Done with fuzzing in {} seconds".format(end_time -
start_time))
raw_input("Press enter to exit...")
fuzzer.stop()
except KeyboardInterrupt:
logger.info("Session interrupted by user...")
fuzzer.stop()
return 1
except Exception as exc:
logger.error(exc)
fuzzer.stop()
return -1
return 0
def testCorrectCallbackIsCalledForAllEdgesInPath(self):
template1 = Template(name='template1', fields=String('str1'))
template2 = Template(name='template2', fields=String('str2'))
template3 = Template(name='template3', fields=String('str3'))
self.cb2_call_count = 0
self.cb3_call_count = 0
def t1_t2_cb(fuzzer, edge, response):
self.assertEqual(fuzzer, self.fuzzer)
self.assertEqual(edge.src, template1)
self.assertEqual(edge.dst, template2)
self.cb2_call_count += 1
def t2_t3_cb(fuzzer, edge, response):
self.assertEqual(fuzzer, self.fuzzer)
self.assertEqual(edge.src, template2)
self.assertEqual(edge.dst, template3)
self.cb3_call_count += 1
model = GraphModel()
model.logger = self.logger
model.connect(template1)
model.connect(template1, template2, t1_t2_cb)
model.connect(template2, template3, t2_t3_cb)
self.model = model
self.fuzzer.set_model(model)
self.fuzzer.set_range()
self.fuzzer.start()
self.assertEqual(template2.num_mutations() + template3.num_mutations(),
self.cb2_call_count)
self.assertEqual(template3.num_mutations(), self.cb3_call_count)
def new_model(self):
model = GraphModel()
model.logger = self.logger
model.connect(
Template(name='simple_str_template',
fields=[String(name='str1', value='kitty')]))
return model
def prepare(self):
self.start_index = 0
self.end_index = 20
self.delay_duration = 0
self.fuzzer = ServerFuzzer(name="TestServerFuzzer", logger=self.logger)
self.model = GraphModel()
self.model.logger = self.logger
self.model.connect(self.t_str)
self.fuzzer.set_model(self.model)
def main():
test_name = 'GET fuzzed'
get_template = Template(
name=test_name,
fields=[
XmlElement(
name='html',
element_name='html',
content=[
XmlElement(
name='head',
element_name='head',
content='<meta http-equiv="refresh" content="5; url=/">'
),
XmlElement(name='body',
element_name='body',
content='123',
fuzz_content=True),
])
])
fuzzer = ClientFuzzer(name='Example 3 - Browser Fuzzer')
fuzzer.set_interface(WebInterface(host='0.0.0.0', port=26000))
target = ClientTarget(name='BrowserTarget')
#
# Note: to avoid opening the process on our X server, we use another display for it
# display ':2' that is specified below was started this way:
# >> sudo apt-get install xvfb
# >> Xvfb :2 -screen 2 1280x1024x8
#
env = os.environ.copy()
env['DISPLAY'] = ':2'
controller = ClientProcessController('BrowserController',
'/usr/bin/opera',
['http://localhost:8082/fuzzed'],
process_env=env)
target.set_controller(controller)
target.set_mutation_server_timeout(20)
model = GraphModel()
model.connect(get_template)
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.set_delay_between_tests(0.1)
server = MyHttpServer(('localhost', 8082), MyHttpHandler, fuzzer)
fuzzer.start()
while True:
server.handle_request()
def run(self):
target = FuzzerTarget(name='target', base_url=self.base_url, report_dir=self.report_dir)
interface = WebInterface()
model = GraphModel()
for template in self.templates:
model.connect(template.compile_template())
fuzzer = OpenApiServerFuzzer()
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.set_interface(interface)
fuzzer.start()
def mod(ics_ip):
print ">>>>> ICS FUZZING MODULE <<<<<\n"
# 定义目标Fuzz对象的IP地址
TARGET_IP = ics_ip
# 定义目标Fuzz对象的通讯端口
TARGET_PORT = 502
# 定义随机数种子
RANDSEED = int(RandShort())
# 根据ISF中Modbus-tcp协议的数据结构构造测试数据包,下面例子中将使用RandShort对请求的地址及bit位长度进行测试
write_coils_request_packet = ModbusHeaderRequest(
func_code=0x05) / WriteSingleCoilRequest(ReferenceNumber=RandShort(),
Value=RandShort())
# 使用ScapyField直接将Scapy的数据包结构应用于Kitty框架中
write_coils_request_packet_template = Template(
name='Write Coils Request',
fields=[
ScapyField(
write_coils_request_packet,
name='wrire_coils_request_packet', # 定义这个Field的名字,用于在报告中显示
fuzzable=True, # 定义这个Field是否需要Fuzz
seed=RANDSEED, # 定义用于变异的随机数
fuzz_count=2000 # 这个数据结构的fuzz次数
),
])
# 使用GraphModel进行Fuzz
model = GraphModel()
# 在使用GraphModel中注册第一个节点,由于Modbus的Read Coils请求是单次的请求/回答形式,因此这里只要注册简单的一个节点即可
model.connect(write_coils_request_packet_template)
# 定义一个目标Target, 设置IP、端口及连接超时时间
modbus_target = TcpTarget(name='modbus target',
host=TARGET_IP,
port=TARGET_PORT,
timeout=2)
# 定义是需要等待Target返回响应,如果设置为True Target不返回数据包则会被识别成异常进行记录。
modbus_target.set_expect_response(True)
# 定义使用ServerFuzzer的方式进行Fuzz测试
fuzzer = ServerFuzzer()
# 定义fuzzer使用的交互界面为web界面
fuzzer.set_interface(WebInterface(port=26001))
# 在fuzzer中定义使用GraphModel
fuzzer.set_model(model)
# 在fuzzer中定义target为modbus_target
fuzzer.set_target(modbus_target)
# 定义每个测试用例发送之间的延迟
fuzzer.set_delay_between_tests(0.1)
# 开始执行Fuzz
fuzzer.start()
def get_model(options):
'''
Get the data model
:param options: options
:return: session model
'''
stage_file = options['--stage-file']
stages = get_stages(stage_file)
templates = enumerate_templates(usb_templates)
g = GraphModel('usb model (%s)' % (stage_file))
for stage in stages:
if stage in templates:
stage_template = templates[stage]
stage_count = min(stages[stage], int(options['--count']))
add_stage(g, stage, stage_template, stage_count)
return g
def testCallbackIsCalledBetweenTwoNodes(self):
template1 = Template(name='template1', fields=String('str1'))
template2 = Template(name='template2', fields=String('str2'))
self.cb_call_count = 0
def t1_t2_cb(fuzzer, edge, response):
self.assertEqual(fuzzer, self.fuzzer)
self.assertEqual(edge.src, template1)
self.assertEqual(edge.dst, template2)
self.cb_call_count += 1
model = GraphModel()
model.logger = self.logger
model.connect(template1)
model.connect(template1, template2, t1_t2_cb)
self.model = model
self.fuzzer.set_model(model)
self.fuzzer.set_range()
self.fuzzer.start()
self.assertEqual(template2.num_mutations(), self.cb_call_count)
def prepare(self):
self.start_index = 10
self.end_index = 20
self.delay_duration = 0
self.session_file_name = None
self.interface = EmptyInterface()
self.model = GraphModel()
self.model.logger = self.logger
self.model.connect(self.t_str)
self.target = ServerTargetMock({}, logger=self.logger)
self.fuzzer = ServerFuzzer(name="TestServerFuzzer", logger=self.logger)
self.fuzzer.set_interface(self.interface)
self.fuzzer.set_model(self.model)
self.fuzzer.set_target(self.target)
self.fuzzer.set_range(self.start_index, self.end_index)
self.fuzzer.set_delay_between_tests(self.delay_duration)
def fuzzing(host, port, template):
# Define target
target = TcpTarget('HTTP', host, int(port), timeout=1)
target.set_expect_response(True)
# target.add_monitor(monitor)
# Define model
model = GraphModel()
model.connect(template)
# Define fuzzer
fuzzer = ServerFuzzer()
fuzzer.set_interface(WebInterface(port=4445))
fuzzer.set_delay_between_tests(0.2)
# Run fuzzer
session_name = '%s.sqlite' % time.ctime().replace(' ', '_')
sessions_dbs = os.path.join('/tmp', 'sessions', session_name)
fuzzer.set_session_file(sessions_dbs)
fuzzer.set_store_all_reports('reports')
fuzzer.set_target(target)
fuzzer.set_model(model)
fuzzer.start()
fuzzer.stop()
def run_proto(self) -> None:
"""
kitty low level field model
https://kitty.readthedocs.io/en/latest/kitty.model.low_level.field.html
"""
js = ext_json.dict_to_JsonObject(dict(self.pb2_api[0]['Messages']), 'api')
template_a = Template(name='Api', fields=js)
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Prepare ProtobufTarget ")
target = ProtobufTarget('ProtobufTarget',
host=self.target_host,
port=self.target_port,
max_retries=10,
timeout=None,
pb2_module=self.pb2_api[1])
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Prepare ProtobufController ")
controller = ProtobufController('ProtobufController', host=self.target_host, port=self.target_port)
target.set_controller(controller)
#target.set_expect_response('true')
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Defining GraphModel")
model = GraphModel()
model.connect(template_a)
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Prepare Server Fuzzer ")
fuzzer = ServerFuzzer()
fuzzer.set_interface(WebInterface(port=26001))
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.start()
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Start Fuzzer")
self.logger.info(f"[Further info are in the related Kitty log output!]")
six.moves.input('press enter to exit')
self.logger.info(f"[{time.strftime('%H:%M:%S')}] End Fuzzer Session")
fuzzer.stop()
def fuzzing(host, port, template):
# Define target
monitor = GdbServerMonitor(
name='GdbServerMonitor', gdb_path='gdb-multiarch',
host=host, port=2222,
signals=[signal.SIGSEGV, signal.SIGILL, signal.SIGKILL, signal.SIGTERM]
)
target = TcpTarget('upnp', host, int(port), timeout=1)
target.set_expect_response(True)
target.add_monitor(monitor)
# Define model
model = GraphModel()
model.connect(template)
# Define fuzzer
fuzzer = ServerFuzzer()
fuzzer.set_interface(WebInterface(port=4445))
fuzzer.set_delay_between_tests(0.2)
# Run fuzzer
fuzzer.set_session_file('sessions/%s.sqlite' % time.ctime().replace(' ', '_'))
fuzzer.set_store_all_reports('reports')
fuzzer.set_target(target)
fuzzer.set_model(model)
fuzzer.start()
fuzzer.stop()
def run_dns(self):
"""
kitty low level field model
https://kitty.readthedocs.io/en/latest/kitty.model.low_level.field.html
"""
fields = []
counter = 0
dns_label_length = len(self.default_labels.split('.'))
dns_label_list = self.default_labels.split('.')
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Initiate template for DNS ...")
while counter < dns_label_length:
fields.append(
String(dns_label_list[counter],
name='sub_domain_' + str(counter),
max_size=10))
fields.append(Delimiter('.', name='delimiter_' + str(counter)))
counter += 1
fields.append(String(self.tld, name='tld', fuzzable=False))
dns_query = Template(name='DNS_QUERY', fields=fields)
"""
dns_query = Template(name='DNS_QUERY', fields=[
String('r', name='sub_domain', max_size=10),
Delimiter('.', name='space1"),
String('rf', name='sub_domain2', max_size=10),
Delimiter('.', name='space2"),
String(self.tld, name='tld', fuzzable=False),
])
"""
# define target, in this case this is SslTarget because of HTTPS
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Prepare DnsTarget ...")
target = DnsTarget(name='DnsTarget',
host=self.target_host,
port=self.target_port,
timeout=self.timeout)
target.set_expect_response('true')
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Prepare DnsController ...")
controller = DnsController('DnsController',
host=self.target_host,
port=self.target_port)
target.set_controller(controller)
# Define model
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Defining GraphModel...")
model = GraphModel()
model.connect(dns_query)
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Prepare Server Fuzzer ...")
fuzzer = ServerFuzzer()
fuzzer.set_interface(WebInterface(port=26001))
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.set_delay_between_tests(1)
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Start Fuzzer...")
self.logger.info(
f"[Further info are in the related Kitty log output!]")
fuzzer.start()
self.logger.info(f"[{time.strftime('%H:%M:%S')}] End Fuzzer Session")
fuzzer.stop()
from kitty.controllers import EmptyController
from katnip.targets.file import FileTarget
from kitty.model import GraphModel
from kitty.model import String
from kitty.model import Template
opts = docopt.docopt(__doc__)
t1 = Template(name='T1',
fields=[
String('The default string', name='S1_1'),
String('Another string', name='S1_2'),
])
# Writes content to files
target = FileTarget('FileTarget', 'tmp/', 'fuzzed')
controller = EmptyController('EmptyController')
target.set_controller(controller)
model = GraphModel()
model.connect(t1)
fuzzer = ServerFuzzer(name="Example 1 - File Generator",
option_line=opts['--kitty-options'])
fuzzer.set_interface(WebInterface(port=26001))
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.start()
print('-------------- done with fuzzing -----------------')
raw_input('press enter to exit')
fuzzer.stop()
def main(cls):
""" Main fuzzing routine.
:return:
"""
args = cls.parse_args()
conf = cls.parse_config()
logger = cls.logger(levels[args.log_level], "tPortmapd.fuzz",
"./session.log")
victim = args.target_addr
port = args.target_port
version = args.target_version
vmrun = conf.get("VMWARE", "vmrun")
vmx = conf.get("VMWARE", "vm_path")
snapshot_name = conf.get("VMWARE", "snapshot")
web_port = conf.getint("KITTY", "web_port")
to_log = "Started VxWorks {}.x fuzzing session\n".format(version)
to_log += "Target:\n\tip address: {}\n\tport: {}\n".format(
victim, port)
to_log += "VM: {}\nsnapshot: {}\n".format(vmx, snapshot_name)
logger.info(to_log)
# Define target
target = TcpTarget("tPortmapd",
logger=logger,
host=victim,
port=port,
timeout=2)
# Define the controller
controller = VmWareController(name="VMWare Controller",
logger=logger,
vmrun_path=vmrun,
vmx_path=vmx,
snap_name=snapshot_name,
target_addr=victim,
target_port=port)
target.set_controller(controller)
# Define the monitor
monitor = VxWorksProcessMonitor(name="VxWorks Process Monitor",
logger=logger,
target_addr=victim,
target_version=version)
target.add_monitor(monitor)
# Define the model
model = GraphModel()
model.connect(portmap_proc_null)
# Define the fuzzing session
fuzzer = ServerFuzzer(name="PortmapFuzzer", logger=logger)
fuzzer.set_interface(WebInterface(port=web_port))
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.set_delay_between_tests(0)
# Start!
try:
fuzzer.start()
except KeyboardInterrupt:
logger.info("Session interrupted by user...")
fuzzer.stop()
return 1
except Exception as exc:
logger.error(exc)
fuzzer.stop()
return -1
from kitty.controllers import EmptyController
from kitty.fuzzers import ServerFuzzer
from kitty.interfaces import WebInterface
from katnip.targets.file import FileTarget
from kitty.model import String
from kitty.model import Template
from kitty.model import GraphModel
from chaostoolkitfuzzdiscover.experimentfilewriter.writegeneratedfuzz import InputFuzzExperimentGenerator, InputFileFuzzExperimentGenerator, InternalFileFuzzExperimentGenerator
import os, shutil, pickle
sample_template = Template(name='T1', fields=[
String('The default string', name='S1_1'),
String('Another string', name='S1_2'),
])
sample_model = GraphModel()
sample_model.connect(sample_template)
#TODO : Add input validations & fix input
def __generate_fuzz_file_for_fuzzinternalfilereads(input_files = None, sample_input = None):
controller = EmptyController()
__my_modal = sample_model
__tmp_folder = tmp_folder
if os.path.exists(__tmp_folder):
shutil.rmtree(__tmp_folder)
if not os.path.exists(__tmp_folder):
os.makedirs(__tmp_folder)
if sample_input is not None:
__parent_tokens = []
for __si in sample_input:
__tokens = str(__si).split()
if len(__tokens)>2:
def s7(ics_ip):
print ">>>>> ICS FUZZING MODULE <<<<<\n"
# snap7 server 配置信息
TARGET_IP = ics_ip
TARGET_PORT = 102
RANDSEED = int(RandShort())
SRC_TSAP = "0100".encode('hex')
DST_TSAP = "0103".encode('hex')
# 定义COTP CR建立连接数据包
COTP_CR_PACKET = TPKT() / COTPCR()
COTP_CR_PACKET.Parameters = [COTPOption() for i in range(3)]
COTP_CR_PACKET.PDUType = "CR"
COTP_CR_PACKET.Parameters[0].ParameterCode = "tpdu-size"
COTP_CR_PACKET.Parameters[0].Parameter = "\x0a"
COTP_CR_PACKET.Parameters[1].ParameterCode = "src-tsap"
COTP_CR_PACKET.Parameters[2].ParameterCode = "dst-tsap"
COTP_CR_PACKET.Parameters[1].Parameter = SRC_TSAP
COTP_CR_PACKET.Parameters[2].Parameter = DST_TSAP
# 因为是建立连接使用,因此fuzzable参数需要设置为False避免数据包被变异破坏
COTP_CR_TEMPLATE = Template(name='cotp cr template',
fields=[
ScapyField(COTP_CR_PACKET,
name='cotp cr',
fuzzable=False),
])
# 定义通讯参数配置数据结构
SETUP_COMM_PARAMETER_PACKET = TPKT() / COTPDT(EOT=1) / S7Header(
ROSCTR="Job", Parameters=S7SetConParameter())
SETUP_COMM_PARAMETER_TEMPLATE = Template(
name='setup comm template',
fields=[
ScapyField(SETUP_COMM_PARAMETER_PACKET,
name='setup comm',
fuzzable=False),
])
# 定义需要Fuzzing的数据包结构, 下面例子中将使用RandShort对请求的SZLId及SZLIndex值进行变异测试
READ_SZL_PACKET = TPKT() / COTPDT(EOT=1) / S7Header(
ROSCTR="UserData",
Parameters=S7ReadSZLParameterReq(),
Data=S7ReadSZLDataReq(SZLId=RandShort(), SZLIndex=RandShort()))
# 定义READ_SZL_TEMPLATE为可以进行变异的结构,fuzzing的次数为1000次
READ_SZL_TEMPLATE = Template(name='read szl template',
fields=[
ScapyField(READ_SZL_PACKET,
name='read szl',
fuzzable=True,
fuzz_count=1000),
])
# 使用GraphModel进行Fuzz
model = GraphModel()
# 在使用GraphModel中注册第一个节点, 首先发送COTP_CR请求。
model.connect(COTP_CR_TEMPLATE)
# 在使用GraphModel中注册第二个节点, 在发送完COTP_CR后发送SETUP_COMM_PARAMETER请求
model.connect(COTP_CR_TEMPLATE, SETUP_COMM_PARAMETER_TEMPLATE)
# 在使用GraphModel中注册第三个节点, 在发送完SETUP_COMM_PARAMETER后发送READ_SZL请求
model.connect(SETUP_COMM_PARAMETER_TEMPLATE, READ_SZL_TEMPLATE)
# define target
s7comm_target = TcpTarget(name='s7comm target',
host=TARGET_IP,
port=TARGET_PORT,
timeout=2)
# 定义是需要等待Target返回响应,如果设置为True Target不返回数据包则会被识别成异常进行记录
s7comm_target.set_expect_response(True)
# 定义使用基础的ServerFuzzer进行Fuzz测试
fuzzer = ServerFuzzer()
# 定义fuzzer使用的交互界面为web界面
fuzzer.set_interface(WebInterface(port=26001))
# 在fuzzer中定义使用GraphModel
fuzzer.set_model(model)
# 在fuzzer中定义target为s7comm_target
fuzzer.set_target(s7comm_target)
# 定义每个测试用例发送之间的延迟
fuzzer.set_delay_between_tests(0.1)
# 开始执行Fuzz
fuzzer.start()
def setUp(self):
self.logger = get_test_logger()
self.logger.debug('TESTING METHOD: %s', self._testMethodName)
self.model = GraphModel()
self.templates = self.get_templates()
self.todo = []
def run_http(self) -> None:
"""
This method provides the HTTP GET, POST, ... , templating for the HTTP header
as fields, data provided by the config, explained in the User Documentation.
kitty low level field model
https://kitty.readthedocs.io/en/latest/kitty.model.low_level.field.html
:returns: None
:rtype: None
"""
http_template = None
# HTTP GET TEMPLATE
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Initiate template for HTTP GET ..."
)
if self.http_get:
http_template = Template(
name='HTTP_GET',
fields=[
# GET / HTTP/1.1
String('GET', name='method', fuzzable=False),
Delimiter(' ', name='delimiter-1', fuzzable=False),
String(self.http_path, name='path'),
Delimiter(' ',
name='delimiter-2',
fuzzable=self.http_fuzz_protocol),
String('HTTP',
name='protocol name',
fuzzable=self.http_fuzz_protocol),
Delimiter('/',
name='fws-1',
fuzzable=self.http_fuzz_protocol),
Dword(1,
name='major version',
encoder=ENC_INT_DEC,
fuzzable=self.http_fuzz_protocol),
Delimiter('.',
name='dot-1',
fuzzable=self.http_fuzz_protocol),
Dword(1,
name='minor version',
encoder=ENC_INT_DEC,
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-1'),
# User agent
String('User-Agent:',
name='user_agent_field',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-3',
fuzzable=self.http_fuzz_protocol),
String('Fuzzer',
name='user-agent_name',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-2'),
# Token generated by framework to support following the session if necessary.
String('Fuzzer-Token:',
name='fuzzer_token',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-4',
fuzzable=self.http_fuzz_protocol),
String(str(self.gen_uuid),
name='fuzzer_token_type',
fuzzable=False), # do not fuzz token
Static('\r\n', name='EOL-3'),
# Accept
String('Accept:',
name='accept',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-5',
fuzzable=self.http_fuzz_protocol),
String('*/*',
name='accept_type_',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-4'),
# Cache-control no-cache by default
String('Cache-Control:',
name='cache-control',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-6',
fuzzable=self.http_fuzz_protocol),
String('no-cache',
name='cache_control_type',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-5'),
# Host, the target host
String('Host:',
name='host_name',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-7',
fuzzable=self.http_fuzz_protocol),
String(self.target_host,
name='target_host',
fuzzable=False), # do not fuzz target host address!
Static('\r\n', name='EOL-6'),
# Connection close, do not use keep-alive it results only one mutation, than the
# fuzzer will hang.
String('Connection:',
name='accept_encoding',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-8',
fuzzable=self.http_fuzz_protocol),
String('close',
name='accept_encoding_types',
fuzzable=False), # do not fuzz this field!
Static('\r\n', name='EOM-7'),
# Content-type from config.
String('Content-Type:',
name='Content-Type',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-9',
fuzzable=self.http_fuzz_protocol),
String(self.http_content_type,
name='content_type_',
fuzzable=self.http_fuzz_protocol),
Static('\r\n\r\n', name='EOM-8')
])
if self.http_post_put:
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Initiate template for HTTP POST ..."
)
http_template = Template(
name='HTTP_POST',
fields=[
# POST / HTTP/1.1
String('POST', name='method', fuzzable=False),
Delimiter(' ', name='delimiter-1', fuzzable=False),
String(self.http_path, name='path'),
Delimiter(' ',
name='delimiter-2',
fuzzable=self.http_fuzz_protocol),
String('HTTP',
name='protocol name',
fuzzable=self.http_fuzz_protocol),
Delimiter('/',
name='fws-1',
fuzzable=self.http_fuzz_protocol),
Dword(1,
name='major version',
encoder=ENC_INT_DEC,
fuzzable=self.http_fuzz_protocol),
Delimiter('.',
name='dot-1',
fuzzable=self.http_fuzz_protocol),
Dword(1,
name='minor version',
encoder=ENC_INT_DEC,
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-1'),
# User agent
String('User-Agent:',
name='user_agent_field',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-3',
fuzzable=self.http_fuzz_protocol),
String('Fuzzer',
name='user-agent_name',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-2'),
# Token generated by framework to support following the session if necessary.
String('Fuzzer-Token:',
name='fuzzer_token',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-4',
fuzzable=self.http_fuzz_protocol),
String(str(self.gen_uuid),
name='fuzzer_token_type',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-3'),
# Accept
String('Accept:',
name='accept',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-5',
fuzzable=self.http_fuzz_protocol),
String('*/*',
name='accept_type_',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-4'),
# Cache-control no-cache by default
String('Cache-Control:',
name='cache-control',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-6',
fuzzable=self.http_fuzz_protocol),
String('no-cache',
name='cache_control_type',
fuzzable=self.http_fuzz_protocol),
Static('\r\n', name='EOL-5'),
# Host, the target host
String('Host:',
name='host_name',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-7',
fuzzable=self.http_fuzz_protocol),
String(self.target_host,
name='target_host',
fuzzable=False), # do not fuzz target host address!
Static('\r\n', name='EOL-6'),
# Content length: obvious payload lenght.
String('Content-Length:',
name='content_length',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-9',
fuzzable=self.http_fuzz_protocol),
String(str(len(self.http_payload)),
name='content_length_len',
fuzzable=False),
Static('\r\n', name='EOM-8'),
# Connection close, do not use keep-alive it results only one mutation, than the
# fuzzer will hang.
String('Connection:',
name='accept_encoding',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-8',
fuzzable=self.http_fuzz_protocol),
String('close',
name='accept_encoding_types',
fuzzable=False), # do not fuzz this field!
Static('\r\n', name='EOM-7'),
# Content type
String('Content-Type:',
name='Content-Type',
fuzzable=self.http_fuzz_protocol),
Delimiter(' ',
name='delimiter-10',
fuzzable=self.http_fuzz_protocol),
String(self.http_content_type,
name='content_type_',
fuzzable=self.http_fuzz_protocol),
Static('\n\r\n', name='EOM-9'),
# Payload
String(self.http_payload, name='payload'),
Static('\r\n\r\n', name='EOM-10')
])
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Prepare HttpTarget ...")
target = HttpTarget(name='HttpTarget',
host=self.target_host,
port=self.target_port,
max_retries=10,
timeout=None)
target.set_expect_response('true')
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Prepare HttpController ...")
controller = HttpGetController('HttpGetController',
host=self.target_host,
port=self.target_port)
target.set_controller(controller)
self.logger.info(
f"[{time.strftime('%H:%M:%S')}] Defining GraphModel...")
model = GraphModel()
model.connect(http_template)
fuzzer = ServerFuzzer()
fuzzer.set_interface(WebInterface(port=26001))
fuzzer.set_model(model)
fuzzer.set_target(target)
fuzzer.set_delay_between_tests(1)
self.logger.info(f"[{time.strftime('%H:%M:%S')}] Start Fuzzer...")
self.logger.info(
f"[Further info are in the related Kitty log output!]")
fuzzer.start()
self.logger.info(f"[{time.strftime('%H:%M:%S')}] End Fuzzer Session")
fuzzer.stop()
