class Fuzzer(object):
"""Take a valid network packet and fuzz the crap out of it
Fuzzing strategies:
- Random bytes
- Exhaustive (recursive)
- Fuzz vectors (known "dangerous" values"
"""
def __init__(self, context):
self.mh = MessageHelper(context)
def fuzz(self, valid_packet):
"""Generate fuzzed packets"""
i = 0
self.valid_packet = self.mh.unpack_request(valid_packet)[0]
# Just do a static number of permutations for now.
while i < 1000:
print '[i]', i
yield self.permute(self.valid_packet)
i += 1
def permute(self, packet):
"""Return a fuzzed packet"""
if packet.type == 'handshake':
packet_struct = get_struct('ClientInitHandShake')
else:
packet_struct = get_struct('ClientRequestHdr')
packet_struct += get_struct('Client' + packet.type[4:].title() +
'Request')
if packet.type == 'kXR_read':
packet_struct += get_struct('read_args')
# Remove 'type' field that we inserted for convenience
vars = packet._asdict()
del vars['type']
for field in packet_struct:
if field['fuzzable']:
vars[field['name']] = self.mutate(vars[field['name']],
field['type'])
return self.mh.build_message(packet_struct, vars)
def mutate(self, field, type):
if type == 'H':
return random.randint(0, 65535)
elif type == 'l':
return random.randint(-2147483648 + 1, 2147483647)
elif type == 'q':
return random.randint(-sys.maxint + 1, sys.maxint)
elif type in ('s', 'c'):
return os.urandom(len(field))
class Fuzzer(object):
"""Take a valid network packet and fuzz the crap out of it
Fuzzing strategies:
- Random bytes
- Exhaustive (recursive)
- Fuzz vectors (known "dangerous" values"
"""
def __init__(self, context):
self.mh = MessageHelper(context)
def fuzz(self, valid_packet):
"""Generate fuzzed packets"""
i = 0
self.valid_packet = self.mh.unpack_request(valid_packet)[0]
# Just do a static number of permutations for now.
while i < 1000:
print '[i]', i
yield self.permute(self.valid_packet)
i += 1
def permute(self, packet):
"""Return a fuzzed packet"""
if packet.type == 'handshake':
packet_struct = get_struct('ClientInitHandShake')
else:
packet_struct = get_struct('ClientRequestHdr')
packet_struct += get_struct('Client' + packet.type[4:].title() + 'Request')
if packet.type == 'kXR_read':
packet_struct += get_struct('read_args')
# Remove 'type' field that we inserted for convenience
vars = packet._asdict()
del vars['type']
for field in packet_struct:
if field['fuzzable']:
vars[field['name']] = self.mutate(vars[field['name']], field['type'])
return self.mh.build_message(packet_struct, vars)
def mutate(self, field, type):
if type == 'H':
return random.randint(0, 65535)
elif type == 'l':
return random.randint(-2147483648 + 1, 2147483647)
elif type == 'q':
return random.randint(-sys.maxint + 1, sys.maxint)
elif type in ('s', 'c'):
return os.urandom(len(field))
def __call__(self, context):
client = ImposterClient(context)
mh = MessageHelper(context)
fuzzer = Fuzzer(context)
handshake_request = client.handshake()
print mh.unpack_request(handshake_request)
# Fuzz a read request
for m in fuzzer.fuzz(handshake_request):
print mh.unpack_request(m)[0]
client.send(m)
response_raw = client.receive()
response = client.unpack(response_raw, m)
print response
def __call__(self, context):
client = ImposterClient(context)
mh = MessageHelper(context)
fuzzer = Fuzzer(context)
handshake_request = client.handshake()
print mh.unpack_request(handshake_request)
# Fuzz a read request
for m in fuzzer.fuzz(handshake_request):
print mh.unpack_request(m)[0]
client.send(m)
response_raw = client.receive()
response = client.unpack(response_raw, m)
print response
def __call__( self, context ):
server = ImposterServer(context)
fuzzer = Fuzzer(context, iterations=1)
mh = MessageHelper(context)
# The following line will to the equivalent of the rest of this method,
# using sensible default values and optionally fully authenticating.
#
# server.do_full_handshake(verify_auth=True)
for request in server.receive():
if request.type == 'handshake':
print request
server.send(server.handshake())
if request.type == 'kXR_protocol':
print request
server.send(server.kXR_protocol(streamid=request.streamid))
elif request.type == 'kXR_login':
print request
server.send(server.kXR_login(streamid=request.streamid, verify_auth=True))
elif request.type == 'kXR_auth':
# Authenticate this request's credentials and potentially get
# continuation (authmore) parameters
contparams = server.authenticate(request.cred)
if contparams:
# Send an authmore if necessary
response = server.kXR_authmore(streamid=request.streamid,
data=contparams)
else:
# We are done authenticating
response = server.kXR_ok(streamid=request.streamid)
server.send(response)
# If we have contparams, there will be more auth-related requests
# to receive at this stage. Otherwise, we are done
if not contparams: continue
# kXR_query = 3001,
# kXR_chmod = 3002,
# kXR_close = 3003,
# kXR_dirlist = 3004,
# kXR_protocol = 3006,
# kXR_mkdir = 3008,
# kXR_mv = 3009,
# kXR_open = 3010,
# kXR_ping = 3011,
# kXR_read = 3013,
# kXR_rm = 3014,
# kXR_rmdir = 3015,
# kXR_sync = 3016,
# kXR_stat = 3017,
# kXR_set = 3018,
# kXR_write = 3019,
# kXR_prepare = 3021,
# kXR_statx = 3022,
# kXR_endsess = 3023,
# kXR_bind = 3024,
# kXR_readv = 3025,
# kXR_verifyw = 3026,
# kXR_locate = 3027,
# kXR_truncate = 3028
# )
elif request.type == 'kXR_chmod':
stat_response = server.kXR_error(errmsg=20*'\0')
#server.send(stat_response)
for m in fuzzer.fuzz_response(stat_response, request):
print mh.unpack_response(m, request)
fuzzer.send(m)
elif request.type == 'kXR_stat':
print request
stat_response = server.kXR_stat(data='2251804108717312 20480 51 1370444422\0')
#server.send(stat_response)
for m in fuzzer.fuzz_response(stat_response, request):
print mh.unpack_response(m, request)
fuzzer.send(m)
# response_raw = fuzzer.receive()
# response = mh.unpack(response_raw, m)
# print response
server.close()
def __init__(self, context):
self.mh = MessageHelper(context)
def __init__(self, context):
self.mh = MessageHelper(context)
