Пример #1
def run():
    """Model one HTTP/1.1 request and fuzz it through the session from initfuzz().

    The request is registered under the name "Request". Its "Request-Line"
    block holds the method group, the URI, the version and three header lines
    (Host, Connection, User-Agent). Header names and values are s_string
    primitives, separators are s_delim and every CRLF is s_static.
    """
    session = initfuzz()

    # (header name, seed value), in the order the headers go on the wire.
    header_seeds = (
        ("Host", "example.com"),
        ("Connection", "Keep-Alive"),
        (
            "User-Agent",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1",
        ),
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", [
            'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS',
            'TRACE',
        ])
        s_delim(" ", name='space-1')
        s_string("/get", name='Request-URI')
        s_delim(" ", name='space-2')
        s_string('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n", name="Request-Line-CRLF")

        # space-1 and space-2 are taken by the request line, so the header
        # delimiters are numbered from space-3 upwards.
        for space_index, (field_name, seed_value) in enumerate(header_seeds, start=3):
            s_string(field_name + ":", name=field_name + "-Line")
            s_delim(" ", name="space-%d" % space_index)
            s_string(seed_value, name=field_name + "-Line-Value")
            s_static("\r\n", name=field_name + "-Line-CRLF")

    # Blank line that terminates the header section.
    s_static("\r\n", "Request-CRLF")

    session.connect(s_get("Request"))
    # NOTE(review): max_depth=1 presumably restricts each test case to a single
    # mutated primitive - confirm against the boofuzz version in use.
    session.fuzz(max_depth=1)
Пример #2
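def main() -> None:
    """Run a boofuzz session that fuzzes an HTTP request line over TCP.

    Target address, port and transport are fixed in the function body.
    Results are written to ``fuzz_results_easyshare.csv`` in the current
    working directory.
    """
    port = 80
    host = "192.168.99.100"
    protocol = "tcp"

    # The context manager flushes and closes the results file even when the
    # session aborts, so the rows written so far are not lost.
    with open("fuzz_results_easyshare.csv", "w") as csv_log:
        my_logger = [bf.FuzzLoggerCsv(file_handle=csv_log)]
        target = bf.Target(
            connection=bf.SocketConnection(host, port, proto=protocol))
        # The CSV logger must be handed to the Session; otherwise the file is
        # created but never written to.
        session = bf.Session(target=target, fuzz_loggers=my_logger)

        # FUZZING PARAMETERS
        bf.s_initialize(name="Request")
        with bf.s_block("Request-Line"):
            bf.s_group("Method", [
                'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS',
                'TRACE'
            ])
            bf.s_delim(" ", name='space-1')
            bf.s_string("/index.html", name='Request-URI')
            bf.s_delim(" ", name='space-2')
            bf.s_string('HTTP/1.1', name='HTTP-Version')
            bf.s_static("\r\n", name="Request-Line-CRLF")
        # Blank line that ends the (empty) header section.
        bf.s_static("\r\n", "Request-CRLF")

        session.connect(bf.s_get("Request"))
        # NOTE(review): presumably the pause in seconds between test cases,
        # giving the target time to recover - confirm against the boofuzz
        # version in use.
        session.sleep_time = 1.0
        session.fuzz()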
Пример #3
def run():
    """Model an HTTP/1.1 request with a body and fuzz it via the session from initfuzz().

    The request "Request" consists of the "Request-Line" block (method group,
    URI, version and the Host, User-Agent, Accept, Content-Length, Connection
    and Content-Type headers), the blank line, and a "Body-Content" block.
    The Content-Length value is an s_size primitive bound to "Body-Content"
    and rendered as ASCII, so it is derived from the body block instead of
    being a fixed number.
    """
    session = initfuzz()

    def header_name(field):
        # Static header name followed by separately named ':' and ' '
        # delimiters.
        s_static(field, name=field + '-Header')
        s_delim(':', name=field + '-Colon-1')
        s_delim(' ', name=field + '-Space-1')

    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", [
            "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS",
            "TRACE", "PURGE",
        ])
        s_delim(" ", name="space-1")
        s_string("/post", name="Request-URI")
        s_delim(" ", name="space-2")
        s_string("HTTP/1.1", name="HTTP-Version")
        s_static("\r\n", name="Request-Line-CRLF")

        # Host keeps the older naming scheme: name and colon in one s_string.
        s_string("Host:", name="Host-Line")
        s_delim(" ", name="space-3")
        s_string("127.0.0.1:9080", name="Host-Line-Value")
        s_static("\r\n", name="Host-Line-CRLF")

        header_name('User-Agent')
        s_string(
            'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3223.8 Safari/537.36',
            name='User-Agent-Value')
        s_static('\r\n', name='User-Agent-CRLF')

        header_name('Accept')
        s_string(
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
            name='Accept-Value')
        s_static('\r\n', name='Accept-CRLF')

        # The size primitive refers to the "Body-Content" block defined
        # further down.
        s_static("Content-Length:", name="Content-Length-Header")
        s_delim(" ", name="space-4")
        s_size("Body-Content", output_format="ascii", name="Content-Length-Value")
        s_static("\r\n", "Content-Length-CRLF")

        header_name('Connection')
        s_group('Connection-Type', ['keep-alive', 'close'])
        s_static('\r\n', 'Connection-CRLF')

        # NOTE(review): the declared type is form-urlencoded while the body
        # seed below is JSON; a target that parses strictly by Content-Type
        # may never reach its JSON handling - confirm this is intended.
        header_name('Content-Type')
        s_string('application/x-www-form-urlencoded', name='Content-Type-Value')
        s_static('\r\n', name='Content-Type-CRLF')
    # Blank line separating headers from the body.
    s_static("\r\n", "Request-CRLF")

    with s_block("Body-Content"):
        s_string('{"a":"b"}', name="Body-Content-Value")

    session.connect(s_get("Request"))
    # NOTE(review): max_depth=1 presumably restricts each test case to a single
    # mutated primitive - confirm against the boofuzz version in use.
    session.fuzz(max_depth=1)
Пример #4
def generate_body_fuzzed_blocks(endpoint, request, add_quotation_marks_into_non_string_primitives=False) -> str:
    """Register a request definition whose body is the fuzzed part.

    Args:
        endpoint: Mapping read for its "Uri" key.
        request: Mapping read for its "BodyExample", "BodySchema" and
            "Method" keys.
        add_quotation_marks_into_non_string_primitives: Forwarded to
            _prepare_content_body; when true the request name carries the
            " (adding quotation marks)" suffix.

    Returns:
        The name under which the request was registered with s_initialize.
    """
    example_body = request["BodyExample"]
    schema = request["BodySchema"]
    is_body_json, json_decoder = _prepare_content_body(
        example_body, schema, add_quotation_marks_into_non_string_primitives)

    if add_quotation_marks_into_non_string_primitives:
        variant_suffix = " (adding quotation marks)"
    else:
        variant_suffix = ''
    endpoint_label = RequestBuildHelper.get_request_name(endpoint["Uri"], request["Method"])
    request_name = "Request body fuzzing" + variant_suffix + ": " + endpoint_label
    s_initialize(name=request_name)

    # Header is generated with its third argument False and the body with its
    # fourth argument True; the sibling URI generator names that parameter
    # "fuzzable", so here only the body is presumably mutated.
    _generate_http_header(request, endpoint, False)
    _generate_content_body(is_body_json, json_decoder, example_body, True)

    return request_name
Пример #5
def generate_url_attributes_fuzzed_blocks(endpoint, request) -> str:
    """Register a request definition whose header part is fuzzable and whose body is not.

    Args:
        endpoint: Mapping read for its "Uri" key.
        request: Mapping read for its "BodyExample", "BodySchema" and
            "Method" keys.

    Returns:
        The name under which the request was registered with s_initialize.
    """
    example_body = request["BodyExample"]
    schema = request["BodySchema"]
    # Third argument is always True here.
    # NOTE(review): presumably the "add quotation marks" switch - verify
    # against _prepare_content_body.
    is_body_json, json_decoder = _prepare_content_body(example_body, schema, True)

    endpoint_label = RequestBuildHelper.get_request_name(endpoint["Uri"], request["Method"])
    request_name = "URI attributes fuzzing: " + endpoint_label
    s_initialize(name=request_name)

    # Mirror image of the body generator: header fuzzable, body fixed.
    _generate_http_header(request, endpoint, fuzzable=True)
    _generate_content_body(is_body_json, json_decoder, example_body, fuzzable=False)

    return request_name
Пример #6
    def test_foo_bar(self):
        """Fuzz a one-value UDP message, then check the boofuzz web UI title.

        NOTE(review): the test needs the hard-coded remote host to be
        reachable and local UDP port 12345 to be free, so it is not
        hermetic - confirm this is acceptable for the suite.
        """
        udp_transport = UDPSocketConnection(
            recv_timeout=1,
            host="172.26.87.144",
            port=6234,
            # Local side is bound on all interfaces, fixed source port.
            bind=("0.0.0.0", 12345),
        )
        fuzz_target = Target(connection=udp_transport)
        session = Session(target=fuzz_target, keep_web_open=False)

        # Message "foo" consists of a single group with one candidate byte.
        s_initialize("foo")
        s_group("version", values=["\x06"])

        session.connect(s_get("foo"))
        session.fuzz()

        # NOTE(review): self.open/self.assert_text come from the enclosing
        # test class (not visible here). With keep_web_open=False the UI may
        # no longer be served once fuzz() has returned - verify.
        self.open("http://localhost:26000")
        self.assert_text("boofuzz Fuzz Control", "div.main-title")
Пример #7
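    def test_no_response_causes_restart(self):
        """
        Given: A listening server which will give no response
          and: A Session ready to fuzz that server, including two messages in sequence
        When: Calling fuzz_single_case()
        Then: The restart_target method is called.
        """
        # Given
        server = MiniTestServer(host='localhost', stay_silent=True)
        server.bind()

        # Daemon thread so a hung server cannot keep the test process alive.
        t = threading.Thread(target=server.serve_once)
        t.daemon = True
        t.start()

        session = Session(
            target=Target(
                connection=SocketConnection('localhost', server.active_port, proto='tcp'),
            ),
            fuzz_loggers=[],  # log to nothing
            # A missing reply after a request is treated as a failure.
            check_data_received_each_request=True,
            keep_web_open=False,
        )
        # Replace the real restart with a mock from the test class; the final
        # assertion reads self.restarts, which that mock presumably counts.
        session._restart_target = self._mock_restart_target()

        s_initialize("test-msg-a")
        s_string("test-str-value")
        s_static("\r\n")

        s_initialize("test-msg-b")
        s_string("test-str-value")
        s_static("\r\n")

        # Graph: root -> test-msg-a -> test-msg-b.
        session.connect(s_get("test-msg-a"))
        session.connect(s_get("test-msg-a"), s_get("test-msg-b"))

        # When
        # One past the last mutation of test-msg-a.
        # NOTE(review): presumably the first case on the a -> b path - confirm.
        session.fuzz_single_case(s_get("test-msg-a").num_mutations() + 1)

        # Then
        t.join(THREAD_WAIT_TIMEOUT)
        # Thread.isAlive() was removed in Python 3.9; is_alive() is the
        # supported spelling on both Python 2.6+ and Python 3.
        self.assertFalse(t.is_alive())

        self.assertEqual(1, self.restarts)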
Пример #8
def generate_http_fuzzed_blocks() -> str:
    """Register a generic HTTP request definition and return its name.

    Method, path, version (including its trailing CRLF) and the User-Agent
    value are s_http_string primitives. The Host and Content-Length lines
    are static, and the header/body separator is an s_delim.

    Returns:
        The request name passed to s_initialize ("General HTTP fuzzing:").
    """
    request_name = "General HTTP fuzzing:"
    s_initialize(name=request_name)

    # Request line: METHOD SP PATH SP VERSION CRLF
    s_http_string("GET", name="HTTP method")
    s_delim(" ", name="Delimiter between method and path")
    s_http_string("/path", encoding=EncodingTypes.ascii, name="HTTP path")
    s_delim(" ", name="Delimiter between path and version")
    s_http_string("HTTP/1.1\r\n", name="HTTP version")

    # Host comes from the loaded configuration and is never mutated, so every
    # test case still addresses the configured target.
    target_hostname = ConfigurationManager.config["target"]["hostname"]
    s_static("Host: " + target_hostname + "\r\n")

    s_static("Content-Length: 0\r\n")

    s_static("User-Agent: ")
    s_http_string("WapiFuzz", name="User-agent")

    # Terminates the last header line and the header section in one primitive.
    s_delim("\r\n\r\n", name="HTTP headers and body delimiter")

    return request_name
Пример #9
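def main() -> None:
    """Run a boofuzz session that fuzzes the argument of a "GMON" command over TCP.

    Target address, port and transport are fixed in the function body.
    Results are written to ``fuzz_results_GMON.csv`` in the current working
    directory.
    """
    port = 9999
    host = "192.168.99.100"
    protocol = "tcp"

    # The context manager flushes and closes the results file even when the
    # session aborts, so the rows written so far are not lost.
    with open("fuzz_results_GMON.csv", "w") as csv_log:
        my_logger = [bf.FuzzLoggerCsv(file_handle=csv_log)]
        target = bf.Target(connection=bf.SocketConnection(host, port, proto=protocol))
        session = bf.Session(target=target, fuzz_loggers=my_logger)

        # FUZZING PARAMETERS
        bf.s_initialize("GMON")
        # Command keyword and separator are fixed; only the argument mutates.
        bf.s_string("GMON", fuzzable=False)
        bf.s_delim(" ", fuzzable=False)
        bf.s_string("FUZZ")  # Fuzzable parameter
        bf.s_static("\r\n")

        # NOTE(review): presumably the pause in seconds between test cases -
        # confirm against the boofuzz version in use.
        session.sleep_time = 1.0
        # get_banner is defined elsewhere in the file; given its name it
        # presumably reads the service banner before each request - verify.
        session.connect(bf.s_get("GMON"), callback=get_banner)
        session.fuzz()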
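    def test_no_response_causes_restart(self):
        """
        Given: A listening server which will give no response
          and: A Session ready to fuzz that server
        When: Calling fuzz_single_case()
        Then: The restart_target method is called.
        """
        # Given
        server = MiniTestServer(host='localhost', stay_silent=True)
        server.bind()

        # Daemon thread so a hung server cannot keep the test process alive.
        t = threading.Thread(target=server.serve_once)
        t.daemon = True
        t.start()

        session = Session(
            target=Target(
                connection=SocketConnection('localhost', server.active_port, proto='tcp'),
            ),
            fuzz_data_logger=FuzzLogger(fuzz_loggers=[]),  # log to nothing
        )
        # Replace the real restart with a mock from the test class; the final
        # assertion reads self.restarts, which that mock presumably counts.
        session.restart_target = self._mock_restart_target()

        s_initialize("test-msg")
        s_string("test-str-value")
        s_static("\r\n")

        session.connect(s_get("test-msg"))

        # When
        session.fuzz_single_case(1)

        # Then
        t.join(THREAD_WAIT_TIMEOUT)
        # Thread.isAlive() was removed in Python 3.9; is_alive() is the
        # supported spelling on both Python 2.6+ and Python 3.
        self.assertFalse(t.is_alive())

        self.assertEqual(1, self.restarts)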
Пример #11
def main():
    """Fuzz the value of the UserID cookie in an otherwise fixed HTTP GET request.

    Every part of the request is an s_static primitive except the cookie
    value, which is the single s_string in the definition.
    """
    tcp_transport = SocketConnection("192.168.0.101", 80, proto='tcp')
    session = Session(target=Target(connection=tcp_transport))

    s_initialize(name="Command")

    # Fixed bytes sent before the mutated cookie value.
    # NOTE(review): Content-Length announces 60 bytes but no body follows;
    # a target that waits for the body will hold each connection until a
    # timeout - confirm this is intended.
    leading_fragments = (
        "GET /vfolder.ghp HTTP/1.1\r\n",
        "Host: 192.168.0.101\r\n",
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
        "Accept-Language: en-US,en;q=0.5\r\n",
        "Accept-Encoding: gzip, deflate\r\n",
        "Referer: http://192.168.0.101/login.htm\r\n",
        "Content-Type: application/x-www-form-urlencoded\r\n",
        "Content-Length: 60\r\n",
        "Cookie: UserID=",
    )
    for fragment in leading_fragments:
        s_static(fragment)

    s_string("1")  # this is the part we fuzz

    # Fixed bytes sent after the cookie value.
    # NOTE(review): the last fragment starts with CRLF, so the header section
    # ends right after Cache-Control and "Connection: close" is sent after
    # the blank line instead of as a header - confirm this is intended.
    trailing_fragments = (
        "\r\n",
        "Cache-Control: max-age=0\r\n",
        "\r\nConnection: close\r\n\r\n",
    )
    for fragment in trailing_fragments:
        s_static(fragment)

    session.connect(s_get("Command"))

    session.fuzz()
Пример #12
from boofuzz import Session, Target, SocketConnection, s_initialize

# Build the UDP transport to the loopback listener first, then wrap it in a
# Target and hand that to the Session.
_udp_transport = SocketConnection("127.0.0.1", 6021, proto='udp')
session = Session(target=Target(connection=_udp_transport))

# Open the request definition; the listing ends before any primitives are
# added to it.
s_initialize("INIT_CHLO")
Пример #13
def initialize_mms(session):
    """Register the 'mms_msg' request and connect it to *session*.

    The message is laid out as nested blocks named after the protocol layers
    (TPKT, COTP, OSI session, OSI presentation, ACSE, MMS). Every field -
    tags, lengths and data alike - is an s_random primitive seeded with the
    byte value given in its name, mutated to 0..100 bytes with 100000
    mutations each.

    NOTE(review): the length bytes are independent random primitives with
    fixed seeds, not sizers tied to the blocks they describe. Mutated frames
    will therefore usually carry inconsistent lengths, and a target that
    validates the outer framing may reject them before inner parsers run -
    confirm this coverage trade-off is intended.

    NOTE(review): seeds are str literals with \\x escapes; confirm how the
    boofuzz version in use converts non-ASCII str values to bytes.

    Args:
        session: Session object; only its connect() method is used here.
    """
    def field(seed, label):
        # All fields share the same mutation settings; only the seed bytes
        # and the primitive name differ.
        s_random(seed, min_length=0, max_length=100, num_mutations=100000, name=label)

    s_initialize('mms_msg')

    # --- TPKT ---
    with s_block("TPKT"):
        field("\x03", "TPKT Version = 3")
        field("\x00", "TPKT Reserved = 0")
        field("\x00\xbb", "TPKT Length = 187")

    # --- COTP ---
    with s_block("COTP"):
        field("\x02", "COTP Length = 2")
        field("\xf0", "COTP PDU Type = DT Data (0x0f)")
        field("\x80", "COTP TPDU number = 0 and COTP Last data unit = yes")

    # --- OSI session layer ---
    with s_block("ISO 8327-1 OSI Session Protocol"):
        field("\x0d", "SPDU Type: CONNECT (CN) SPDU (13)")
        field("\xb2", "Length: 178")

        with s_block("Connect Accept Item"):
            field("\x05", "Parameter type: Connect Accept Item (5)")
            field("\x06", "Parameter 1 length: 6")

            with s_block("Protocol Options"):
                field("\x13", "Parameter type: Protocol Options (19)")
                field("\x01", "Parameter length: 1")
                field("\x00", "Flags: 0x00")

            with s_block("Version Number"):
                field("\x16", "Parameter type: Version Number (22)")
                field("\x01", "Parameter 2 length: 1")

            # Sits directly in "Connect Accept Item", after the
            # "Version Number" block has been closed.
            field("\x02", "Flags: 0x02, Protocol Version 2")

        with s_block("Session Requirement"):
            field("\x14", "Parameter type: Session Requirement (20)")
            field("\x02", "Parameter 3 length: 2")
            field("\x00\x02", "Flags: 0x0002, Duplex functional unit")

        with s_block("Calling Session Selector"):
            field("\x33", "Parameter type: Calling Session Selector (51)")
            field("\x02", "Parameter 4 length: 2")
            field("\x00\x01", "Calling Session Selector: 0001")

        with s_block("Called Session Selector"):
            field("\x34", "Parameter type: Called Session Selector (52)")
            field("\x02", "Parameter 5 length: 2")
            field("\x00\x01", "Called Session Selector: 0001")

        with s_block("Session user data"):
            field("\xc1", "Parameter type: Session user data (193)")
            field("\x9c", "Parameter 6 length: 156")

    # --- OSI presentation layer ---
    with s_block("ISO 8823 OSI Presentation Protocol"):
        field("\x31\x81", "TAG CP-TYPE")
        field("\x99", "LENGTH CP-TYPE = 153")

        with s_block("mode selector"):
            field("\xa0", "TAG mode selector")
            field("\x03", "LENGTH mode selector = 3")

            with s_block("mode-value"):
                field("\x80", "TAG mode-value")
                field("\x01", "LENGTH mode-value = 1")
                field("\x01", "DATA mode-value = normal-mode (1)")

        with s_block("normal-mode-parameters"):
            field("\xa2\x81", "TAG normal-mode-parameters")
            field("\x91", "LENGTH normal-mode-parameters = 145")

        with s_block("calling-presentation-selector"):
            field("\x81", "TAG calling-presentation-selector")
            field("\x04", "LENGTH calling-presentation-selector = 4")
            field("\x00\x00\x00\x01", "DATA calling-presentation-selector = 00000001")

        with s_block("called-presentation-selector"):
            field("\x82", "TAG called-presentation-selector")
            field("\x04", "LENGTH called-presentation-selector = 4")
            field("\x00\x00\x00\x01", "DATA called-presentation-selector = 00000001")

        with s_block("presentation-context-definition-list"):
            field("\xa4", "TAG presentation-context-definition-list")
            field("\x23", "LENGTH presentation-context-definition-list = 35")

            with s_block("Context-list item 1"):
                field("\x30", "TAG Context-list item 1")
                field("\x0f", "LENGTH Context-list item 1 = 15")

                with s_block("presentation-context-identifier 1"):
                    field("\x02", "TAG presentation-context-identifier 1")
                    field("\x01", "LENGTH presentation-context-identifier 1 = 1")
                    field("\x01", "DATA presentation-context-identifier 1 =  1")

                with s_block("abstract-syntax-name 1"):
                    field("\x06", "TAG abstract-syntax-name 1")
                    field("\x04", "LENGTH abstract-syntax-name 1 = 4")
                    field("\x52\x01\x00\x01", "DATA abstract-syntax-name 1")

                with s_block("transfer-syntax-name-list 1"):
                    field("\x30", "TAG transfer-syntax-name-list 1")
                    field("\x04", "LENGTH transfer-syntax-name-list 1 = 4")
                    field("\x06\x02\x51\x01", "DATA transfer-syntax-name-list 1")

            with s_block("Context-list item 2"):
                field("\x30", "TAG Context-list item 2")
                field("\x10", "LENGTH Context-list item 2 = 16")

                with s_block("presentation-context-identifier 2"):
                    field("\x02", "TAG presentation-context-identifier 2")
                    field("\x01", "LENGTH presentation-context-identifier 2 = 1")
                    # NOTE(review): seed is 0x03 although the name says "=  1".
                    field("\x03", "DATA presentation-context-identifier 2 =  1")

                with s_block("abstract-syntax-name 2"):
                    field("\x06", "TAG abstract-syntax-name 2")
                    field("\x05", "LENGTH abstract-syntax-name 2 = 5")
                    field("\x28\xca\x22\x02\x01", "DATA abstract-syntax-name 2")

                with s_block("transfer-syntax-name-list 2"):
                    field("\x30", "TAG transfer-syntax-name-list 2")
                    field("\x04", "LENGTH transfer-syntax-name-list 2 = 4")
                    field("\x06\x02\x51\x01", "DATA transfer-syntax-name-list 2")

        with s_block("user-data"):
            field("\x61", "TAG user-data")
            field("\x5e", "LENGTH user-data = 94")

            with s_block("PDV-list"):
                field("\x30", "TAG PDV-list")
                field("\x5c", "LENGTH PDV-list = 92")

            with s_block("presentation-context-identifier"):
                field("\x02", "TAG presentation-context-identifier")
                field("\x01", "LENGTH presentation-context-identifier = 1")
                field("\x01", "DATA presentation-context-identifier = 1")

            with s_block("presentation-data-values"):
                field("\xa0", "TAG presentation-data-values")
                field("\x57", "LENGTH presentation-data-values = 87")

    # --- ACSE ---
    with s_block("ISO 8650-1 OSI Association Control Service"):
        field("\x60", "TAG aarq")
        field("\x55", "LENGTH aarq = 85")

        with s_block("?"):
            field("\xa1", "TAG ?")
            field("\x07", "LENGTH ? = 7")

        with s_block("aSO-context-name"):
            field("\x06", "TAG aSO-context-name")
            field("\x05", "LENGTH aSO-context-name = 5")
            field("\x28\xca\x22\x02\x03", "DATA aSO-context-name = 1.0.9506.2.3 (MMS)")

        with s_block("called-AP-title"):
            field("\xa2", "TAG called-AP-title")
            field("\x07", "LENGTH called-AP-title = 7")
            field("\x06\x05\x29\x01\x87\x67\x01", "DATA called-AP-title)")

        with s_block("called-AE-qualifier"):
            field("\xa3", "TAG called-AE-qualifier")
            field("\x03", "LENGTH called-AE-qualifier = 3")
            field("\x02\x01\x0c", "DATA called-AE-qualifier")

        with s_block("calling-AP-title"):
            field("\xa6", "TAG calling-AP-title")
            field("\x06", "LENGTH calling-AP-title = 6")
            field("\x06\x04\x29\x01\x87\x67", "DATA calling-AP-title")

        with s_block("calling-AE-qualifier"):
            field("\xa7", "TAG calling-AE-qualifier")
            field("\x03", "LENGTH calling-AE-qualifier = 3")
            field("\x02\x01\x0c", "DATA calling-AE-qualifier")

        with s_block("user-information"):
            field("\xbe", "TAG user-information")
            field("\x2f", "LENGTH user-information = 47")

        with s_block("Association-data"):
            field("\x28", "TAG Association-data")
            field("\x2d", "LENGTH Association-data = 45")

        with s_block("indirect-reference"):
            field("\x02", "TAG indirect-reference")
            field("\x01", "LENGTH indirect-reference = 1")
            field("\x03", "DATA indirect-reference = 3")

        with s_block("encoding: single-ASN1-type"):
            field("\xa0", "TAG encoding: single-ASN1-type (0)")
            field("\x28", "LENGTH encoding: single-ASN1-type (0) = 40")

    # --- MMS initiate request ---
    with s_block("MMS"):
        field("\xa8", "TAG initiate-RequestPDU")
        field("\x26", "LENGTH initiate-RequestPDU = 38")

        with s_block("localDetailCalling"):
            field("\x80", "TAG localDetailCalling")
            field("\x03", "LENGTH localDetailCalling = 3")
            field("\x00\xfd\xe8", "DATA localDetailCalling = 65000")

        with s_block("proposedMaxServOutstandingCalling"):
            field("\x81", "TAG proposedMaxServOutstandingCalling")
            field("\x01", "LENGTH proposedMaxServOutstandingCalling = 1")
            field("\x05", "DATA proposedMaxServOutstandingCalling = 5")

        with s_block("proposedMaxServOutstandingCalled"):
            field("\x82", "TAG proposedMaxServOutstandingCalled")
            field("\x01", "LENGTH proposedMaxServOutstandingCalled = 1")
            field("\x05", "DATA proposedMaxServOutstandingCalled = 5")

        with s_block("proposedDataStructureNestingLevel"):
            field("\x83", "TAG proposedDataStructureNestingLevel")
            field("\x01", "LENGTH proposedDataStructureNestingLevel = 1")
            field("\x0a", "DATA proposedDataStructureNestingLevel = 10")

        with s_block("mmsInitRequestDetail"):
            field("\xa4", "TAG mmsInitRequestDetail")
            field("\x16", "LENGTH mmsInitRequestDetail = 22")

        with s_block("proposedVersionNumber"):
            field("\x80", "TAG proposedVersionNumber")
            field("\x01", "LENGTH proposedVersionNumber = 1")
            field("\x01", "DATA proposedVersionNumber = 1")

        with s_block("Padding 1"):
            field("\x81", "TAG Padding 1")
            field("\x03", "LENGTH Padding 1 = 3")
            field("\x05\xf1\x00", "DATA Padding 1: = 5 & proposedParameterCBB: f100")

        with s_block("Padding 2"):
            field("\x82", "TAG Padding 2")
            field("\x0c", "LENGTH Padding 2 = 12")
            field("\x03\xee\x1c\x00\x00\x04\x08\x00\x00\x79\xef\x18", "DATA Padding 2: = 3 & servicesSupportedCalling")

    # Attach the finished definition to the session graph.
    session.connect(s_get('mms_msg'))
Пример #14
def initialize_goose(session):
    """Define the 'goose_msg' fuzz request and register it on *session*.

    The request is a seed GOOSE frame (Ethertype 0x88b8): a static "Preamble"
    block holding the Ethernet/VLAN/GOOSE header, followed by sibling blocks
    that spell out the goosePDU as TAG / LENGTH / DATA fields.

    Every PDU field is an independent ``s_random`` primitive, including the
    LENGTH fields. Lengths are therefore fixed seed values and are not
    recomputed when a neighbouring DATA field is mutated, so most generated
    frames carry lengths that disagree with their content.

    The Preamble starts with destination/source MAC addresses, so the frame
    is presumably sent over a raw layer-2 connection; that connection is
    configured outside this function.
    """
    s_initialize('goose_msg')

    def fuzzed(seed, label):
        # All mutable fields share one s_random configuration.
        s_random(seed, min_length=0, max_length=100, num_mutations=100000, name=label)

    # ASCII "simpleIOGenericIO/LLN0$GO$gcbAnalogValues" (41 bytes);
    # the same seed is used for gocbRef and goID.
    gcb_reference = ("\x73\x69\x6d\x70\x6c\x65\x49\x4f\x47\x65"
                     "\x6e\x65\x72\x69\x63\x49\x4f\x2f\x4c\x4c"
                     "\x4e\x30\x24\x47\x4f\x24\x67\x63\x62\x41"
                     "\x6e\x61\x6c\x6f\x67\x56\x61\x6c\x75\x65"
                     "\x73")
    # ASCII "simpleIOGenericIO/LLN0$AnalogValues" (35 bytes).
    dataset_reference = ("\x73\x69\x6d\x70\x6c\x65\x49\x4f\x47\x65"
                         "\x6e\x65\x72\x69\x63\x49\x4f\x2f\x4c\x4c"
                         "\x4e\x30\x24\x41\x6e\x61\x6c\x6f\x67\x56"
                         "\x61\x6c\x75\x65\x73")

    # Static header: sent verbatim in every test case.
    # The APPID label is German for "according to the paper, however,
    # x3f xff"; the Length label asks "183 of what?". With the seeds below,
    # 183 = 8 header bytes (APPID through Reserved 2) + 3 bytes goosePDU
    # tag/length + 172 bytes of PDU content.
    header_fields = (
        ('\x01\x0c\xcd\x01\x00\x01', "Destination"),
        ('\x00\x00\x00\x00\x00\x00', "Source"),
        ('\x81\x00', "Tag Protocol Identifier (TPID)"),
        ('\x80\x00', "Tag Control Information (TCI)"),
        ('\x88\xb8', "Ethertype = Goose"),
        ('\x03\xe8', "Application Identifier (APPID) laut Paper allerdings x3f xff"),
        ('\x00\xb7', "Length (183) --> Wovon?"),
        ('\x00\x00', "Reserved 1"),
        ('\x00\x00', "Reserved 2"),
    )
    with s_block("Preamble"):
        for raw, label in header_fields:
            s_static(raw, name=label)

    # (block name, ((seed, primitive name), ...)) in wire order.
    pdu_layout = (
        ("goosePDU", (
            ('\x61', "TAG goosePDU"),
            ('\x81\xac', "LENGTH goosePDU  (172)"),
        )),
        ("gocbRef", (
            ("\x80", "TAG gocbRef"),
            ("\x29", "LENGTH gocbRef = 41"),
            (gcb_reference, "DATA gocbRef"),
        )),
        ("TimeAllowedToLive", (
            ("\x81", "TAG TimeAllowedToLive"),
            ("\x01", "LENGTH TimeAllowedToLive = 1"),
            ("\x00", "DATA TimeAllowedToLive"),
        )),
        ("datSet", (
            ("\x82", "TAG datSet"),
            ("\x23", "Length datSet = 35"),
            (dataset_reference, "DATA datSet"),
        )),
        ("goID", (
            ("\x83", "TAG goID"),
            ("\x29", "LENGTH goID = 41"),
            (gcb_reference, "DATA goID"),
        )),
        ("time", (
            ("\x84", "TAG time"),
            ("\x08", "LENGTH time = 8"),
            ("\x5d\xe6\x60\x85\xb8\xd4\xfd\x0a", "DATA time"),
        )),
        ("stNum", (
            ("\x85", "TAG stNum"),
            ("\x01", "LENGTH stNum = 1"),
            ("\x01", "DATA stNum"),
        )),
        ("sqNum", (
            ("\x86", "TAG sqNum"),
            ("\x01", "LENGTH sqNum = 1"),
            ("\x00", "DATA sqNum"),
        )),
        ("Test Bit", (
            ("\x87", "TAG Test Bit"),
            ("\x01", "LENGTH Test Bit = 1"),
            ("\x00", "DATA Test Bit"),
        )),
        ("ConfRev", (
            ("\x88", "TAG ConfRev"),
            ("\x01", "LENGTH ConfRev = 1"),
            ("\x01", "DATA ConfRev"),
        )),
        ("ndsCom", (
            ("\x89", "TAG ndsCom"),
            ("\x01", "LENGTH ndsCom = 1"),
            ("\x00", "DATA ndsCom"),
        )),
        ("numDatSetEntries", (
            ("\x8a", "TAG numDatSetEntries"),
            ("\x01", "LENGTH numDatSetEntries = 1"),
            ("\x03", "DATA numDatSetEntries"),
        )),
        ("allData", (
            ("\xab", "TAG allData"),
            ("\x10", "LENGTH allData = 16"),
        )),
        ("data 1", (
            ("\x85", "TAG data 1 = integer"),
            ("\x02", "LENGTH data 1 = 2"),
            ("\x04\xd2", "DATA data 1"),
        )),
        ("data 2", (
            ("\x8c", "TAG data 2 = binary-time"),
            ("\x06", "LENGTH data 2 = 6"),
            ("\x00\x00\x00\x00\x00\x00", "DATA data 2"),
        )),
        ("data 3", (
            ("\x85", "TAG data 3 = integer"),
            ("\x02", "LENGTH data 3 = 2"),
            ("\x16\x2e", "DATA data 3"),
        )),
    )
    for block_name, fields in pdu_layout:
        with s_block(block_name):
            for seed, label in fields:
                fuzzed(seed, label)

    session.connect(s_get('goose_msg'))
Пример #15
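def initialize_sampled_values(session):
    """Define the 'sv_msg' fuzz request and register it on *session*.

    The request is a seed Sampled Values frame (Ethertype 0x88ba): a static
    "Preamble" block with the Ethernet/VLAN/SV header plus the savPDU tag and
    length, followed by sibling blocks that spell out two ASDUs as
    TAG / LENGTH / DATA fields.

    Every field after the Preamble is an independent ``s_random`` primitive,
    LENGTH fields included, so lengths are fixed seeds and are not recomputed
    when a DATA field is mutated. The seeds themselves must still add up:
    while one field is being mutated all others are sent with their seed
    value, and an inconsistent seed would make every baseline frame
    malformed at that point.

    The Preamble starts with destination/source MAC addresses, so the frame
    is presumably sent over a raw layer-2 connection; that connection is
    configured outside this function.
    """
    s_initialize('sv_msg')

    def _fuzzed(seed, label):
        # All mutable fields share one s_random configuration.
        s_random(seed, min_length=0, max_length=100, num_mutations=100000, name=label)

    # Static header, sent verbatim in every test case.
    # Length 97 = 8 header bytes (APPID through Reserved 2) + 2 bytes savPDU
    # tag/length + 87 bytes of savPDU content.
    with s_block("Preamble"):
        s_static('\x01\x0c\xcd\x01\x00\x01', name="Destination")
        s_static('\x00\x00\x00\x00\x00\x00', name="Source")
        s_static('\x81\x00', name="Tag Protocol Identifier (TPID)")
        s_static('\x80\x00', name="Tag Control Information (TCI)")
        s_static('\x88\xba', name="Ethertype = Sampled Value Transmission")
        s_static('\x40\x00', name="Application Identifier (APPID)")
        s_static('\x00\x61', name="Length (97)")
        s_static('\x00\x00', name="Reserved 1")
        s_static('\x00\x00', name="Reserved 2")
        s_static('\x60', name="TAG savPDU")
        s_static('\x57', name="LENGTH savPDU = 87")

    with s_block("noASDU"):
        _fuzzed('\x80', "TAG noASDU")
        _fuzzed('\x01', "LENGTH noASDU = 1")
        _fuzzed('\x02', "DATA noASDU = 2")

    # 82 = two ASDUs of 2 + 39 bytes each.
    with s_block("seqASDU"):
        _fuzzed('\xa2', "TAG seqASDU")
        _fuzzed('\x52', "LENGTH seqASDU = 82")

    # ---- first ASDU ----
    with s_block("ASDU (1)"):
        _fuzzed('\x30', "TAG Sequence ASDU (1)")
        _fuzzed('\x27', "LENGTH Sequence ASDU (1) = 39")

    with s_block("svID 1"):
        _fuzzed('\x80', "TAG svID 1")
        _fuzzed('\x06', "LENGTH svID 1 = 6")
        _fuzzed('\x73\x76\x70\x75\x62\x31', "DATA svID")  # ASCII "svpub1"

    with s_block("smpCnt 1"):
        _fuzzed('\x82', "TAG smpCnt 1")
        _fuzzed('\x02', "LENGTH smpCnt 1 = 2")
        _fuzzed('\x00\x01', "DATA smpCnt 1 = 1")

    with s_block("confRef 1"):
        _fuzzed('\x83', "TAG confRef 1")
        # Fixed: the seed length was 0x01 although the value below is 4 bytes.
        # 0x04 matches "confRef 2" and is the only value for which the ASDU
        # length 0x27 (39) adds up: 8 + 4 + 6 + 3 + 18.
        _fuzzed('\x04', "LENGTH confRef 1")
        _fuzzed('\x00\x00\x00\x01', "DATA confRef 1 = 1")

    with s_block("smpSynch 1"):
        _fuzzed('\x85', "TAG smpSynch 1")
        _fuzzed('\x01', "LENGTH smpSynch 1")
        _fuzzed('\x00', "DATA smpSynch 1 = 0")

    with s_block("seqData 1"):
        _fuzzed('\x87', "TAG seqData 1")
        # NOTE(review): the next two primitive names say "smpSynch 1" but the
        # fields belong to seqData 1 (compare "seqData 2"). Names are kept
        # unchanged because logs or callers may reference them.
        _fuzzed('\x10', "LENGTH smpSynch 1 = 16")
        _fuzzed('\x44\x9a\x52\x2b\x3d\xfc\xd3\x5b\x5e\x3a'
                '\x91\x59\x65\xa1\xca\x00',
                "DATA smpSynch 1")

    # ---- second ASDU ----
    with s_block("ASDU (2)"):
        _fuzzed('\x30', "TAG Sequence ASDU (2)")
        _fuzzed('\x27', "LENGTH Sequence ASDU (2) = 39")

    with s_block("svID 2"):
        _fuzzed('\x80', "TAG svID 2")
        _fuzzed('\x06', "LENGTH svID 2 = 6")
        _fuzzed('\x73\x76\x70\x75\x62\x32', "DATA svID 2")  # ASCII "svpub2"

    with s_block("smpCnt 2"):
        _fuzzed('\x82', "TAG smpCnt 2")
        _fuzzed('\x02', "LENGTH smpCnt 2 = 2")
        _fuzzed('\x00\x01', "DATA smpCnt 2 = 1")

    with s_block("confRef 2"):
        _fuzzed('\x83', "TAG confRef 2")
        _fuzzed('\x04', "LENGTH confRef 2 = 4")
        _fuzzed('\x00\x00\x00\x01', "DATA confRef 2 = 1")

    with s_block("smpSynch 2"):
        _fuzzed('\x85', "TAG smpSynch 2")
        _fuzzed('\x01', "LENGTH smpSynch 2 = 1")
        _fuzzed('\x00', "DATA smpSynch 2 = 0")

    with s_block("seqData 2"):
        _fuzzed('\x87', "TAG seqData 2")
        _fuzzed('\x10', "LENGTH seqData 2 = 16")
        _fuzzed('\x45\x1a\x52\x2b\x3e\x7c\xd3\x5b\x5e\x3a'
                '\x91\x59\x65\xa1\xca\x00',
                "DATA seqData 2")

    session.connect(s_get('sv_msg'))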
Пример #16
#!/usr/bin/env python3

import boofuzz
import socket


# Target under test; address and port are hard-coded in this example.
TARGET_IP = "192.168.1.62"
TARGET_PORT = 9999

# Log every test case as text. No process or network monitor is attached,
# so a crash is only visible as a connection failure on a later test case.
LOGGER = boofuzz.FuzzLogger(fuzz_loggers=[boofuzz.FuzzLoggerText()])

# sleep_time=0.0: no pause between test cases.
SESSION = boofuzz.sessions.Session(sleep_time=0.0, fuzz_data_logger=LOGGER)
CONNECTION = boofuzz.SocketConnection(TARGET_IP, TARGET_PORT, proto="tcp")
TARGET = boofuzz.sessions.Target(CONNECTION)
SESSION.add_target(TARGET)

# Request "trunc": command word, space, argument, CRLF.
# The command, the delimiter and the argument are mutated; the trailing
# CRLF is static and sent unchanged.
boofuzz.s_initialize("trunc")
boofuzz.s_string("TRUN")
boofuzz.s_delim(" ")
boofuzz.s_string("anonymous")
boofuzz.s_static("\r\n")

# Register the request as the only node of the session graph and run.
SESSION.connect(boofuzz.s_get("trunc"))
SESSION.fuzz()
Пример #17
    s_block_start,         \
    s_size,                \
    s_block_end,           \
    s_string,              \
    s_repeat,              \
    s_group,               \
    s_dword,               \
    s_binary,              \
    s_get


def insert_questions(sess, node, edge, sock):
    """Sync the Questions and Authority header counters with the repeat counts.

    Sets ``Questions`` to one more than the current repetition count of the
    ``queries`` element and ``Authority`` to one more than that of
    ``auth_nameservers``. Only *node* is used; the other parameters are
    accepted but ignored (presumably this is registered as a session
    callback with that signature; verify against the caller).
    """
    fields = node.names
    fields['Questions'].value = fields['queries'].current_reps + 1
    fields['Authority'].value = fields['auth_nameservers'].current_reps + 1

# Request "query": six 16-bit header words, then the question section.
s_initialize("query")
# No endianness is given for the first two words, so the library default applies.
s_word(0, name="TransactionID")
s_word(0, name="Flags")
# Counter words are big-endian ('>'). "Questions" and "Authority" are
# overwritten by insert_questions() from the current repeat counts.
s_word(1, name="Questions", endian='>')
s_word(0, name="Answer", endian='>')
s_word(1, name="Authority", endian='>')
s_word(0, name="Additional", endian='>')

# ######## Queries ################
# NOTE(review): the "query" block reuses the request's name and is not
# closed within this excerpt; presumably the matching s_block_end() follows.
if s_block_start("query"):
    if s_block_start("name_chunk"):
        # One-byte length prefix computed from the "string" block below.
        s_size("string", length=1)
        if s_block_start("string"):
            s_string("A" * 10)
        s_block_end()
    s_block_end()
Пример #18
    s_block_end,           \
    s_string,              \
    s_repeat,              \
    s_group,               \
    s_dword,               \
    s_binary,              \
    s_get


def insert_questions(sess, node, edge, sock):
    """Update the Questions and Authority counters from the repeat counts.

    Each counter is set to one more than the current repetition count of
    its element: ``Questions`` follows ``queries`` and ``Authority`` follows
    ``auth_nameservers``. Only *node* is read; *sess*, *edge* and *sock* are
    unused (presumably required by the callback signature; verify against
    the caller).
    """
    counter_sources = (
        ('Questions', 'queries'),
        ('Authority', 'auth_nameservers'),
    )
    for counter, repeated in counter_sources:
        node.names[counter].value = 1 + node.names[repeated].current_reps


s_initialize("query")
s_word(0, name="TransactionID")
s_word(0, name="Flags")
s_word(1, name="Questions", endian='>')
s_word(0, name="Answer", endian='>')
s_word(1, name="Authority", endian='>')
s_word(0, name="Additional", endian='>')

# ######## Queries ################
if s_block_start("query"):
    if s_block_start("name_chunk"):
        s_size("string", length=1)
        if s_block_start("string"):
            s_string("A" * 10)
        s_block_end()
    s_block_end()