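def fuzz_ap():
    """Build and launch the 802.11 management-frame fuzzing session against AP_MAC.

    The session walks the access point through its client state machine
    ("not authenticated / not associated" -> "authenticated" -> "associated")
    and fuzzes the frames accepted in each state.  Crash detection is an
    active probe: ``is_alive`` sends an open-system authentication request
    on a raw socket and treats the absence of a successful authentication
    response (after CRASH_RETRIES attempts) as a crash.

    Relies on module-level names defined elsewhere in the file: IFACE,
    STA_MAC, AP_MAC, AP_CONFIG, AUTH_REQ_OPEN, DEAUTH, CRASH_RETRIES,
    DELAY_REBOOT, STATE_WAIT_TIME, FNAME, LOG_LEVEL, SKIP, CRASH_THRESHOLD,
    ouis, list_ies, mac2str, sessions, instrumentation and s_get.
    Opening an AF_PACKET socket requires CAP_NET_RAW (or root).
    """
    ETH_P_ALL = 3  # linux/if_ether.h: deliver every protocol on the raw socket

    def _is_mgmt_resp(pkt, frame_ctrl, status_off):
        """Return True if *pkt* looks like a successful management response to us.

        Checks the first frame-control byte against *frame_ctrl*, that
        address 1 (receiver, bytes 4..9) is STA_MAC, and that the two-byte
        status code at *status_off* is 0 (success).  *pkt* is a Python 2
        ``str`` of raw bytes, so single bytes compare as 1-char strings.

        Caveats grounded in the check itself: the sender (address 2,
        bytes 10..15) is not compared with AP_MAC, so a matching frame from
        any AP is accepted; and the offsets assume the interface hands over
        bare 802.11 frames with no radiotap header -- confirm for IFACE.
        """
        return (len(pkt) >= 30
                and pkt[0] == frame_ctrl
                and pkt[4:10] == mac2str(STA_MAC)
                and pkt[status_off:status_off + 2] == "\x00\x00")

    def is_auth_resp(pkt):
        """True for an authentication frame (FC 0xB0) to STA_MAC; status code sits at byte 28."""
        return _is_mgmt_resp(pkt, "\xB0", 28)

    def is_asso_resp(pkt):
        """True for an association response (FC 0x10) to STA_MAC; status code sits at byte 26."""
        return _is_mgmt_resp(pkt, "\x10", 26)

    def _wait_for(sock, matcher, timeout):
        """Read frames from *sock* for at most *timeout* seconds.

        Returns True as soon as *matcher* accepts a frame, False once the
        deadline passes.  select() bounds every recv() so a silent
        interface (e.g. a crashed AP and no other traffic) cannot block the
        caller indefinitely; the clock is re-checked before each read.
        """
        import select  # stdlib; imported here to keep the hook self-contained
        deadline = time.time() + timeout
        while True:
            remaining = deadline - time.time()
            if remaining <= 0:
                return False
            readable, _, _ = select.select([sock], [], [], remaining)
            if not readable:
                return False
            if matcher(sock.recv(1024)):
                return True

    def is_alive():
        """Crash monitor (instrumentation.external post hook).

        Sends AUTH_REQ_OPEN on a fresh raw socket bound to IFACE, up to
        CRASH_RETRIES times, and returns True once an authentication frame
        with status 0 comes back; a DEAUTH is sent first so the probe
        leaves the AP in its initial state.  Returns False when every
        attempt times out (the session records that as a crash -- confirm
        against instrumentation.external).  The socket is closed on every
        path, including exceptions raised by bind/send/recv.

        Note: an AP that throttles or ignores authentication from STA_MAC
        looks "dead" to this check even though it is still running.
        """
        global IFACE, AUTH_REQ_OPEN
        sess.log("checking aliveness of fuzzed access point %s" % AP_MAC, level=3)
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        try:
            s.bind((IFACE, ETH_P_ALL))
            for attempt in range(CRASH_RETRIES):
                s.send(AUTH_REQ_OPEN)
                if _wait_for(s, is_auth_resp, 1):
                    s.send(DEAUTH)
                    if attempt:
                        # count of probes that went unanswered before this one
                        sess.log("retried authentication %d times" % attempt, level=1)
                    return True
            return False
        finally:
            s.close()

    def check_alive(s):
        """pre_send hook: block until AP_MAC answers an open-system authentication.

        Re-sends AUTH_REQ_OPEN on the session socket *s*, listening 1 s
        each time and sleeping DELAY_REBOOT between attempts, until
        is_auth_resp() matches; then returns True.  There is no upper bound:
        an AP that never comes back holds the campaign here.
        """
        global AUTH_REQ_OPEN
        sess.log("checking aliveness of fuzzed access point %s" % AP_MAC, level=3)
        while True:
            s.send(AUTH_REQ_OPEN)
            if _wait_for(s, is_auth_resp, 1):
                return True
            sess.log("waiting for the access point to be up", level=1)
            time.sleep(DELAY_REBOOT)

    def pass_state(s):
        """No-op hook that always returns True (not wired into the session below)."""
        return True

    def clean_state(s):
        """post_send hook: deauthenticate so the next test case starts unauthenticated."""
        global DEAUTH
        s.send(DEAUTH)
        sess.log("sending deauthentication to come back to initial state", level=3)

    # shameless ripped from scapy
    def hexdump(x):
        """Print *x* as a classic 16-bytes-per-row hex dump (offset, hex bytes, raw slice).

        Debug helper; Python 2 print statements are kept as in scapy, the
        trailing commas produce the single-space separators.
        """
        x = str(x)
        l = len(x)
        i = 0
        while i < l:
            print "%04x " % i,
            for j in range(16):
                if i + j < l:
                    print "%02X" % ord(x[i + j]),
                else:
                    print " ",
                if j % 16 == 7:
                    print "",
            print " ",
            print x[i:i + 16]
            i += 16

    def _check_state(session, sock, matcher, what):
        """Shared body of check_auth / check_asso.

        Waits up to STATE_WAIT_TIME seconds for a frame *matcher* accepts
        and logs the outcome with *what* ("authentication"/"association").
        On failure, when a mutant is active, rewinds the node-level,
        primitive-level and session-wide mutation counters by one so the
        current test case is replayed rather than skipped (the state
        transition it depends on was not reached).  Nothing caps the number
        of replays, so a test case that permanently breaks the transition
        is retried until an operator intervenes.
        """
        if _wait_for(sock, matcher, STATE_WAIT_TIME):
            sess.log("%s successfull with %s" % (what, AP_MAC), level=3)
            return
        sess.log("%s not successfull with %s" % (what, AP_MAC), level=1)
        if session.fuzz_node.mutant is not None:
            sess.log("re-trying the current test case", level=1)
            # all three indices must move together or the session resumes
            # at the wrong test case -- presumably sulley's bookkeeping; verify
            session.fuzz_node.mutant_index -= 1
            session.fuzz_node.mutant.mutant_index -= 1
            session.total_mutant_index -= 1

    def check_auth(session, node, edge, sock):
        """Edge callback: confirm the AuthReq just sent was accepted before the next frame goes out."""
        _check_state(session, sock, is_auth_resp, "authentication")

    def check_asso(session, node, edge, sock):
        """Edge callback: confirm the AssoReq just sent was accepted before the next frame goes out."""
        _check_state(session, sock, is_asso_resp, "association")

    # Defining the transport protocol.  The hooks above read ``sess`` as a
    # closure variable; it is bound here before any of them can run.
    sess = sessions.session(session_filename=FNAME, proto="wifi", timeout=5.0,
                            sleep_time=0.1, log_level=LOG_LEVEL, skip=SKIP,
                            crash_threshold=CRASH_THRESHOLD)
    # Defining the target
    target = sessions.target(AP_MAC, 0)
    # Adding the detect_crash function for target monitoring
    target.procmon = instrumentation.external(post=is_alive)
    # Adding a check for alive of access point
    sess.pre_send = check_alive
    # Adding a deauth send to come back to initial state
    sess.post_send = clean_state
    # Adding the IFACE for socket binding
    sess.wifi_iface = IFACE
    # Adding the target to the fuzzing session
    sess.add_target(target)

    # Fuzzing State "Not Authenticated, Not Associated"
    sess.connect(s_get("AuthReq: Open"))
    for type_subtype in range(256):  # every 802.11 type/subtype byte value
        sess.connect(s_get("Fuzzy 1: Malformed %d" % type_subtype))

    # Fuzzing State "Authenticated, Not Associated"; each edge checks the
    # authentication succeeded before the association request is sent.
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Garbage"), callback=check_auth)
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Open"), callback=check_auth)
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: %s" % AP_CONFIG), callback=check_auth)
    if AP_CONFIG not in ['Open']:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: %s Fuzzing" % AP_CONFIG), callback=check_auth)
    for oui in ouis:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Vendor Specific %s" % oui), callback=check_auth)
    for ie in list_ies:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: IE %d" % ie), callback=check_auth)
    # NOTE(review): the "Fuzzy 2: Malformed %d" sweep for this state had its
    # loop header commented out; if the connect line itself was still live it
    # registered only "Fuzzy 2: Malformed 255" via the leftover loop variable.
    # Re-add the loop here with callback=check_auth if that state is meant to
    # be covered.

    # Fuzzing State : "Authenticated, Associated"
    for type_subtype in range(256):
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("Fuzzy 3: Malformed %d" % type_subtype), callback=check_asso)
    if AP_CONFIG in ['WPA-PSK', 'RSN-PSK']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("EAPoL-Key: %s" % AP_CONFIG), callback=check_asso)
    if AP_CONFIG in ['WPA-EAP', 'RSN-EAP']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("EAPoL-Start: %s" % AP_CONFIG), callback=check_asso)

    # Launching the fuzzing campaign
    sess.fuzz()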
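def fuzz_ap():
    """Build and launch the 802.11 management-frame fuzzing session against AP_MAC.

    The session walks the access point through its client state machine
    ("not authenticated / not associated" -> "authenticated" -> "associated")
    and fuzzes the frames accepted in each state.  Crash detection is an
    active probe: ``is_alive`` sends an open-system authentication request
    on a raw socket and treats the absence of a successful authentication
    response (after CRASH_RETRIES attempts) as a crash.

    Relies on module-level names defined elsewhere in the file: IFACE,
    STA_MAC, AP_MAC, AP_CONFIG, AUTH_REQ_OPEN, DEAUTH, CRASH_RETRIES,
    DELAY_REBOOT, STATE_WAIT_TIME, FNAME, LOG_LEVEL, SKIP, CRASH_THRESHOLD,
    ouis, list_ies, mac2str, sessions, instrumentation and s_get.
    Opening an AF_PACKET socket requires CAP_NET_RAW (or root).
    """
    ETH_P_ALL = 3  # linux/if_ether.h: deliver every protocol on the raw socket

    def _is_mgmt_resp(pkt, frame_ctrl, status_off):
        """Return True if *pkt* looks like a successful management response to us.

        Checks the first frame-control byte against *frame_ctrl*, that
        address 1 (receiver, bytes 4..9) is STA_MAC, and that the two-byte
        status code at *status_off* is 0 (success).  *pkt* is a Python 2
        ``str`` of raw bytes, so single bytes compare as 1-char strings.

        Caveats grounded in the check itself: the sender (address 2,
        bytes 10..15) is not compared with AP_MAC, so a matching frame from
        any AP is accepted; and the offsets assume the interface hands over
        bare 802.11 frames with no radiotap header -- confirm for IFACE.
        """
        return (len(pkt) >= 30
                and pkt[0] == frame_ctrl
                and pkt[4:10] == mac2str(STA_MAC)
                and pkt[status_off:status_off + 2] == "\x00\x00")

    def is_auth_resp(pkt):
        """True for an authentication frame (FC 0xB0) to STA_MAC; status code sits at byte 28."""
        return _is_mgmt_resp(pkt, "\xB0", 28)

    def is_asso_resp(pkt):
        """True for an association response (FC 0x10) to STA_MAC; status code sits at byte 26."""
        return _is_mgmt_resp(pkt, "\x10", 26)

    def _wait_for(sock, matcher, timeout):
        """Read frames from *sock* for at most *timeout* seconds.

        Returns True as soon as *matcher* accepts a frame, False once the
        deadline passes.  select() bounds every recv() so a silent
        interface (e.g. a crashed AP and no other traffic) cannot block the
        caller indefinitely; the clock is re-checked before each read.
        """
        import select  # stdlib; imported here to keep the hook self-contained
        deadline = time.time() + timeout
        while True:
            remaining = deadline - time.time()
            if remaining <= 0:
                return False
            readable, _, _ = select.select([sock], [], [], remaining)
            if not readable:
                return False
            if matcher(sock.recv(1024)):
                return True

    def is_alive():
        """Crash monitor (instrumentation.external post hook).

        Sends AUTH_REQ_OPEN on a fresh raw socket bound to IFACE, up to
        CRASH_RETRIES times, and returns True once an authentication frame
        with status 0 comes back; a DEAUTH is sent first so the probe
        leaves the AP in its initial state.  Returns False when every
        attempt times out (the session records that as a crash -- confirm
        against instrumentation.external).  The socket is closed on every
        path, including exceptions raised by bind/send/recv.

        Note: an AP that throttles or ignores authentication from STA_MAC
        looks "dead" to this check even though it is still running.
        """
        global IFACE, AUTH_REQ_OPEN
        sess.log("checking aliveness of fuzzed access point %s" % AP_MAC, level=3)
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        try:
            s.bind((IFACE, ETH_P_ALL))
            for attempt in range(CRASH_RETRIES):
                s.send(AUTH_REQ_OPEN)
                if _wait_for(s, is_auth_resp, 1):
                    s.send(DEAUTH)
                    if attempt:
                        # count of probes that went unanswered before this one
                        sess.log("retried authentication %d times" % attempt, level=1)
                    return True
            return False
        finally:
            s.close()

    def check_alive(s):
        """pre_send hook: block until AP_MAC answers an open-system authentication.

        Re-sends AUTH_REQ_OPEN on the session socket *s*, listening 1 s
        each time and sleeping DELAY_REBOOT between attempts, until
        is_auth_resp() matches; then returns True.  There is no upper bound:
        an AP that never comes back holds the campaign here.
        """
        global AUTH_REQ_OPEN
        sess.log("checking aliveness of fuzzed access point %s" % AP_MAC, level=3)
        while True:
            s.send(AUTH_REQ_OPEN)
            if _wait_for(s, is_auth_resp, 1):
                return True
            sess.log("waiting for the access point to be up", level=1)
            time.sleep(DELAY_REBOOT)

    def pass_state(s):
        """No-op hook that always returns True (not wired into the session below)."""
        return True

    def clean_state(s):
        """post_send hook: deauthenticate so the next test case starts unauthenticated."""
        global DEAUTH
        s.send(DEAUTH)
        sess.log("sending deauthentication to come back to initial state", level=3)

    # shameless ripped from scapy
    def hexdump(x):
        """Print *x* as a classic 16-bytes-per-row hex dump (offset, hex bytes, raw slice).

        Debug helper; Python 2 print statements are kept as in scapy, the
        trailing commas produce the single-space separators.
        """
        x = str(x)
        l = len(x)
        i = 0
        while i < l:
            print "%04x " % i,
            for j in range(16):
                if i + j < l:
                    print "%02X" % ord(x[i + j]),
                else:
                    print " ",
                if j % 16 == 7:
                    print "",
            print " ",
            print x[i:i + 16]
            i += 16

    def _check_state(session, sock, matcher, what):
        """Shared body of check_auth / check_asso.

        Waits up to STATE_WAIT_TIME seconds for a frame *matcher* accepts
        and logs the outcome with *what* ("authentication"/"association").
        On failure, when a mutant is active, rewinds the node-level,
        primitive-level and session-wide mutation counters by one so the
        current test case is replayed rather than skipped (the state
        transition it depends on was not reached).  Nothing caps the number
        of replays, so a test case that permanently breaks the transition
        is retried until an operator intervenes.
        """
        if _wait_for(sock, matcher, STATE_WAIT_TIME):
            sess.log("%s successfull with %s" % (what, AP_MAC), level=3)
            return
        sess.log("%s not successfull with %s" % (what, AP_MAC), level=1)
        if session.fuzz_node.mutant is not None:
            sess.log("re-trying the current test case", level=1)
            # all three indices must move together or the session resumes
            # at the wrong test case -- presumably sulley's bookkeeping; verify
            session.fuzz_node.mutant_index -= 1
            session.fuzz_node.mutant.mutant_index -= 1
            session.total_mutant_index -= 1

    def check_auth(session, node, edge, sock):
        """Edge callback: confirm the AuthReq just sent was accepted before the next frame goes out."""
        _check_state(session, sock, is_auth_resp, "authentication")

    def check_asso(session, node, edge, sock):
        """Edge callback: confirm the AssoReq just sent was accepted before the next frame goes out."""
        _check_state(session, sock, is_asso_resp, "association")

    # Defining the transport protocol.  The hooks above read ``sess`` as a
    # closure variable; it is bound here before any of them can run.
    sess = sessions.session(session_filename=FNAME, proto="wifi", timeout=5.0,
                            sleep_time=0.1, log_level=LOG_LEVEL, skip=SKIP,
                            crash_threshold=CRASH_THRESHOLD)
    # Defining the target
    target = sessions.target(AP_MAC, 0)
    # Adding the detect_crash function for target monitoring
    target.procmon = instrumentation.external(post=is_alive)
    # Adding a check for alive of access point
    sess.pre_send = check_alive
    # Adding a deauth send to come back to initial state
    sess.post_send = clean_state
    # Adding the IFACE for socket binding
    sess.wifi_iface = IFACE
    # Adding the target to the fuzzing session
    sess.add_target(target)

    # Fuzzing State "Not Authenticated, Not Associated"
    sess.connect(s_get("AuthReq: Open"))
    for type_subtype in range(256):  # every 802.11 type/subtype byte value
        sess.connect(s_get("Fuzzy 1: Malformed %d" % type_subtype))

    # Fuzzing State "Authenticated, Not Associated"; each edge checks the
    # authentication succeeded before the association request is sent.
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Garbage"), callback=check_auth)
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Open"), callback=check_auth)
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: %s" % AP_CONFIG), callback=check_auth)
    if AP_CONFIG not in ['Open']:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: %s Fuzzing" % AP_CONFIG), callback=check_auth)
    for oui in ouis:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Vendor Specific %s" % oui), callback=check_auth)
    for ie in list_ies:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: IE %d" % ie), callback=check_auth)
    # NOTE(review): the "Fuzzy 2: Malformed %d" sweep for this state had its
    # loop header commented out; if the connect line itself was still live it
    # registered only "Fuzzy 2: Malformed 255" via the leftover loop variable.
    # Re-add the loop here with callback=check_auth if that state is meant to
    # be covered.

    # Fuzzing State : "Authenticated, Associated"
    for type_subtype in range(256):
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("Fuzzy 3: Malformed %d" % type_subtype), callback=check_asso)
    if AP_CONFIG in ['WPA-PSK', 'RSN-PSK']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("EAPoL-Key: %s" % AP_CONFIG), callback=check_asso)
    if AP_CONFIG in ['WPA-EAP', 'RSN-EAP']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("EAPoL-Start: %s" % AP_CONFIG), callback=check_asso)

    # Launching the fuzzing campaign
    sess.fuzz()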
from sulley import (s_initialize, s_string, s_delim, s_static, s_get, sessions)

host = 'localhost'
port = 1337


def _define_request(http_host, http_port):
    """Register the 'hello_world' request with sulley.

    The request is a minimal HTTP/1.1 GET; the method and the path are
    s_string primitives (mutated), the separators are delimiters, and the
    version, Host header and terminating CRLF are static so the request
    line keeps its shape:

        GET / HTTP/1.1
        Host: localhost:1337
    """
    s_initialize('hello_world')
    s_string('GET')
    s_delim(' ')
    s_string('/')
    s_delim(' ')
    s_static('HTTP/1.1\r\n')
    s_static('Host: {0}:{1}\r\n'.format(http_host, http_port))
    s_static('\r\n')


_define_request(host, port)

# Session with sulley's defaults; the only target is the local HTTP server.
sess = sessions.session()
target = sessions.target(host, port)
sess.add_target(target)
sess.connect(s_get("hello_world"))
sess.fuzz()
from sulley import *

# Example only: models the pcap global header and nothing after it.
_PCAP_MAGIC = 0xa1b2c3d4

s_initialize('pcap')
if s_block_start('pcap'):
    # The magic is not mutated (fuzzable=False); the version and remaining
    # header fields after it are what gets fuzzed.
    s_dword(_PCAP_MAGIC, name='magic', fuzzable=False)
    for field_name, value in (('major', 2), ('minor', 4)):
        s_word(value, name=field_name)
    for field_name, value in (('thiszone', 0), ('sigfigs', 0), ('snaplen', 96), ('network', 1)):
        s_dword(value, name=field_name)
s_block_end()

# sleep_time=0.0: pacing comes from the process monitor, not from the session.
# NOTE(review): start_webserver=True brings up sulley's status web UI; confirm
# which address it listens on before running this on a shared network.
sess = sessions.file_session(session_filename='\\work\\audit\\test', start_webserver=True, sleep_time=0.0)

# host/port are placeholders: transmit is overridden and test cases travel over the procmon RPC channel.
target = sessions.target('localhost', 30000)
target.procmon = pedrpc.client('localhost', 26002)
target.procmon_options = dict(
    proc_path='\\progra~1\\wireshark\\tshark-crash.exe',  # tshark build modified to crash on a bad pcap major version
    proc_args='-r %s',                                     # %s is replaced with the path of the test case file
    file_path='c:\\work\\audit\\files\\',                  # where the test case files are written
    # finish_bp=0x01004a0d would stop at a breakpoint; 0 relies on max_lifetime / process exit instead
    finish_bp=0,
    max_lifetime=3.0,                                      # seconds the target may live before the procmon ends it
    show_window=False,
)
sess.add_target(target)
sess.connect(sess.root, s_get('pcap'))
sess.fuzz()