Exemplo n.º 1
def do_fuzz():
    """Fuzz the service on 192.168.181.133:5168 with six request definitions.

    A session is created that persists its state to
    ``audits/trend_server_protect_5168.session``. The target gets three
    RPC clients: a network monitor (port 26001) and a process monitor
    (port 26002) on the target host, and a VM controller on 127.0.0.1:26003.
    The target is restarted through the VM controller before fuzzing, and
    ``rpc_bind`` is installed as the session's pre-send hook.
    """
    host = "192.168.181.133"
    request_names = (
        "5168: op-1",
        "5168: op-2",
        "5168: op-3",
        "5168: op-5",
        "5168: op-a",
        "5168: op-1f",
    )

    session = sessions.Session(
        session_filename="audits/trend_server_protect_5168.session"
    )
    tgt = sessions.Target(host, 5168)

    # Monitoring agents: two on the target host, the VM controller on
    # the machine running this script.
    tgt.netmon = pedrpc.Client(host, 26001)
    tgt.procmon = pedrpc.Client(host, 26002)
    tgt.vmcontrol = pedrpc.Client("127.0.0.1", 26003)

    # Process name plus the commands for stopping and starting the service;
    # presumably consumed by the process monitor agent to recover the target
    # between test cases (verify against the agent's implementation).
    tgt.procmon_options = {
        "proc_name": "SpntSvc.exe",
        "stop_commands": ['net stop "trend serverprotect"'],
        "start_commands": ['net start "trend serverprotect"'],
    }

    # Bring the target up in a known state before the first test case.
    tgt.vmcontrol.restart_target()
    print("virtual machine up and running")

    session.add_target(tgt)
    session.pre_send = rpc_bind

    # Register each request in the same order as listed above.
    for request_name in request_names:
        session.connect(s_get(request_name))

    session.fuzz()

    print("done fuzzing. web interface still running.")
Exemplo n.º 2
    pedrpc, \
    s_get

# noinspection PyUnresolvedReferences
from requests import jabber


def init_message(sock):
    """Open an XMPP stream on *sock*; installed as the session's pre-send hook.

    Sends the XML declaration followed by the opening ``<stream:stream>``
    element addressed to 152.67.137.126, then reads up to 1024 bytes of
    reply and discards them.
    """
    stream_open = "".join(
        (
            '<?xml version="1.0" encoding="UTF-8" ?>\n',
            '<stream:stream to="152.67.137.126" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">',
        )
    )

    # NOTE(review): the payload is a text string; a Python 3 socket accepts
    # only bytes. Confirm which interpreter this script targets.
    sock.send(stream_open)

    # The reply is read only to drain it. Its content is not inspected, so a
    # peer that refused the stream is not detected here.
    sock.recv(1024)


# Session state is persisted to audits/trillian.session.
sess = sessions.Session(session_filename="audits/trillian.session")
# NOTE(review): the target address is hard-coded and is not in a private
# (RFC 1918) range. Confirm it is the intended lab host.
target = sessions.Target("152.67.137.126", 5298)
# Network and process monitor clients point at the target host; the VM
# controller client points at the machine running this script.
target.netmon = pedrpc.Client("152.67.137.126", 26001)
target.procmon = pedrpc.Client("152.67.137.126", 26002)
target.vmcontrol = pedrpc.Client("127.0.0.1", 26003)
# Only the process name is configured; no stop/start commands are set here.
target.procmon_options = {"proc_name": "trillian.exe"}

# start up the target.
target.vmcontrol.restart_target()
print("virtual machine up and running")

sess.add_target(target)
# init_message runs on the socket before each test case is sent.
sess.pre_send = init_message
# "chat message" is presumably defined by the jabber requests module imported
# above (verify); it is attached directly under the session root.
sess.connect(sess.root, s_get("chat message"))
sess.fuzz()
Exemplo n.º 3
    s_block_end()
    s_repeat("name_chunk_auth",
             min_reps=2,
             max_reps=4,
             step=1,
             fuzzable=True,
             name="aName_auth")
    s_group("end_auth", values=["\x00",
                                "\xc0\xb0"])  # very limited pointer fuzzing

    s_word(0xc, name="Type_auth", endian='>')
    s_word(0x8001, name="Class_auth", endian='>')
    s_dword(0x78, name="TTL_auth", endian='>')
    s_size("data_length", length=2, endian='>')
    if s_block_start("data_length"):
        s_binary(
            "00 00 00 00 00 16 c0 b0"
        )  # This should be fuzzed according to the type, but I'm too lazy atm
    s_block_end()
s_block_end()
s_repeat("auth_nameserver", 0, 1000, 40, name="auth_nameservers")

s_word(0)

# UDP session. No session_filename is given, and no netmon, procmon or
# vmcontrol client is attached in the lines shown, so a crash on a receiving
# host is not tied back to a test case by this script.
sess = sessions.Session(proto="udp")
# 224.0.0.251:5353 is the mDNS multicast group: test cases go to every
# responder on the local link, not to one host. Run on an isolated segment
# if a single implementation is under test.
target = sessions.Target("224.0.0.251", 5353)
sess.add_target(target)
# insert_questions is defined outside this excerpt; it is passed as the
# callback for the "query" request.
sess.connect(s_get("query"), callback=insert_questions)

sess.fuzz()