def do_fuzz():
    """Run the Trend ServerProtect (TCP/5168) fuzzing session.

    Builds a session persisted in ``audits/trend_server_protect_5168.session``,
    points it at the lab VM, restarts that VM through the vmcontrol agent and
    then fuzzes six RPC opnum requests. ``rpc_bind`` is invoked before every
    test case is sent. Blocks until the session is exhausted; the session's
    web interface is left running so results can be inspected afterwards.
    """
    lab_host = "192.168.181.133"
    session = sessions.Session(session_filename="audits/trend_server_protect_5168.session")
    target = sessions.Target(lab_host, 5168)

    # Monitoring/control agents: netmon and procmon run inside the target VM,
    # vmcontrol runs on the host that drives the VM.
    # NOTE(review): as far as I know the pedrpc agents speak plain TCP with no
    # authentication -- keep these ports on an isolated lab network.
    target.netmon = pedrpc.Client(lab_host, 26001)
    target.procmon = pedrpc.Client(lab_host, 26002)
    target.vmcontrol = pedrpc.Client("127.0.0.1", 26003)
    # procmon watches SpntSvc.exe and uses the service commands to cycle it.
    target.procmon_options = {
        "proc_name": "SpntSvc.exe",
        "stop_commands": ['net stop "trend serverprotect"'],
        "start_commands": ['net start "trend serverprotect"'],
    }

    # Bring the VM to a known state before the first test case.
    target.vmcontrol.restart_target()
    print("virtual machine up and running")

    session.add_target(target)
    # DCE/RPC bind must precede every fuzzed request.
    session.pre_send = rpc_bind

    # Single-argument connect() hangs each request off the session root, so
    # the opnums are fuzzed independently rather than as a chain.
    for opnum in ("1", "2", "3", "5", "a", "1f"):
        session.connect(s_get("5168: op-" + opnum))

    session.fuzz()
    print("done fuzzing. web interface still running.")
pedrpc, \
    s_get
# noinspection PyUnresolvedReferences
from requests import jabber


def init_message(sock):
    """Open the XMPP stream on *sock* before each fuzzed message.

    Writes the XML declaration plus the ``<stream:stream>`` opener and then
    reads (and discards) up to 1024 bytes of the peer's reply, so that the
    fuzzed ``chat message`` request lands on an already-initialised stream.

    NOTE(review): ``sock.send`` is handed a ``str``; under Python 3 a socket
    requires ``bytes`` -- confirm which interpreter this harness targets.
    """
    opener = "".join((
        '<?xml version="1.0" encoding="UTF-8" ?>\n',
        '<stream:stream to="152.67.137.126" xmlns="jabber:client" '
        'xmlns:stream="http://etherx.jabber.org/streams">',
    ))
    sock.send(opener)
    sock.recv(1024)


# Session state is persisted so an interrupted run can be resumed.
sess = sessions.Session(session_filename="audits/trillian.session")
target = sessions.Target("152.67.137.126", 5298)
# netmon/procmon agents run on the target VM, vmcontrol on the driving host.
# NOTE(review): as far as I know the pedrpc agents speak plain TCP with no
# authentication -- keep these ports on an isolated lab network.
target.netmon = pedrpc.Client("152.67.137.126", 26001)
target.procmon = pedrpc.Client("152.67.137.126", 26002)
target.vmcontrol = pedrpc.Client("127.0.0.1", 26003)
target.procmon_options = {"proc_name": "trillian.exe"}

# Bring the VM to a known state before the first test case.
target.vmcontrol.restart_target()
print("virtual machine up and running")

sess.add_target(target)
# The stream opener is (re)sent ahead of every test case.
sess.pre_send = init_message
sess.connect(sess.root, s_get("chat message"))
sess.fuzz()
# NOTE(review): this excerpt starts inside a request definition; the first
# s_block_end() closes a block opened before this point (presumably the
# "name_chunk_auth" block, given the s_repeat that follows) -- confirm
# against the preceding lines.
s_block_end()
# Repeat the name chunk 2..4 times so multi-label names are exercised.
s_repeat("name_chunk_auth", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName_auth")
# Name terminator: either the 0x00 root label or a 0xC0-prefixed compression
# pointer.
s_group("end_auth", values=["\x00", "\xc0\xb0"])  # very limited pointer fuzzing
# Fixed resource-record header fields, all big-endian as on the wire.
s_word(0xc, name="Type_auth", endian='>')
s_word(0x8001, name="Class_auth", endian='>')
s_dword(0x78, name="TTL_auth", endian='>')
# RDLENGTH is computed from the "data_length" block that follows.
s_size("data_length", length=2, endian='>')
if s_block_start("data_length"):
    s_binary("00 00 00 00 00 16 c0 b0")  # This should be fuzzed according to the type, but I'm too lazy atm
s_block_end()
# Closes the enclosing authority-record block, which is then repeated up to
# 1000 times in steps of 40; the "auth_nameservers" name is what the
# insert_questions callback reads to patch the header count.
s_block_end()
s_repeat("auth_nameserver", 0, 1000, 40, name="auth_nameservers")
# Trailing zero word after the authority section.
s_word(0)

# NOTE(review): 224.0.0.251:5353 is the mDNS multicast group, so every
# responder on the local segment receives these malformed packets, not just
# the system under test -- run this on an isolated lab segment. The session
# is not persisted to a file here, so it cannot be resumed after a crash.
sess = sessions.Session(proto="udp")
target = sessions.Target("224.0.0.251", 5353)
sess.add_target(target)
# insert_questions is invoked per test case to keep the header counts in
# step with the current repeat counts.
sess.connect(s_get("query"), callback=insert_questions)
sess.fuzz()