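def fuzz_timeout(client):
    """Sweep the ENIP SendUnitData ``timeout`` field over 0..0xfe.

    Each iteration builds one ENIP_TCP / SendUnitData request carrying a
    CIP request (service 0x4c, class 0x6b, instance 0x227 -- the "symbol
    instance" path used elsewhere in this file), sets ``timeout`` to the
    loop counter, sends it on ``client.sock`` when a socket is open, then
    prints the ENIP status and the timeout echoed in the reply.

    Args:
        client: connected ENIP client exposing ``session_id``,
            ``enip_connid``, ``sequence``, ``sock`` and ``recv_enippkt()``.

    Returns:
        None.  Output goes to stdout; ``client.sequence`` is advanced once
        per request, whether or not a socket was available to send it.
    """
    for i in range(0xff):
        print("Fuzzing timeout: " + str(hex(i)))
        # Construct an enip packet from raw
        enippkt = ENIP_TCP(session=client.session_id)
        # Symbol Instance Addressing
        cippkt = CIP(service=0x4c, path=CIP_Path.make(class_id=0x6b, instance_id=0x227))
        # interface handle, timeout, count, items
        enippkt /= ENIP_SendUnitData(
            timeout=i,
            items=[
                # type_id, length, connection id
                ENIP_SendUnitData_Item() / ENIP_ConnectionAddress(connection_id=client.enip_connid),
                # type_id, length, sequence
                ENIP_SendUnitData_Item() / ENIP_ConnectionPacket(sequence=client.sequence) / cippkt,
            ])
        client.sequence += 1
        if client.sock is not None:
            client.sock.send(str(enippkt))

        resppkt = client.recv_enippkt()
        if resppkt is None:
            continue
        print("Status: " + str(resppkt[ENIP_TCP].status))
        # A reply to an odd request is not guaranteed to carry a
        # SendUnitData layer (it may be just an ENIP header with an error
        # status); indexing a missing layer raises and would abort the whole
        # sweep, so check for the layer before reading its timeout field.
        if resppkt.haslayer(ENIP_SendUnitData):
            print("Timeout: " + str(hex(resppkt[ENIP_SendUnitData].timeout)))
        else:
            print("Timeout: (no SendUnitData layer in reply)")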
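def simple_read_tag(client, pathsize, classid, instanceid):
    """Send one CIP request (service 0x4c) for the given class/instance path.

    Builds a CIP_Path from ``classid`` / ``instanceid`` with the requested
    ``word_size``, appends the two-byte payload ``"\\x01\\x00"`` (presumably
    an element count of 1 -- confirm against the CIP spec), wraps it in an
    ENIP_TCP / SendUnitData envelope, sends it on ``client.sock`` when a
    socket is open, dumps the request with ``show()`` and prints the CIP
    status of the reply.

    Args:
        client: connected ENIP client exposing ``session_id``,
            ``enip_connid``, ``sequence``, ``sock`` and ``recv_enippkt()``.
        pathsize: ``word_size`` passed to ``CIP_Path.make``.
        classid: CIP class id for the request path.
        instanceid: CIP instance id for the request path.

    Returns:
        None.  ``client.sequence`` is advanced once.
    """
    # Symbol Instance Addressing
    data = "\x01\x00"
    cippkt = CIP(service=0x4c, path=CIP_Path.make(class_id=classid, instance_id=instanceid, word_size=pathsize)) / data
    # Construct an enip packet from raw
    enippkt = ENIP_TCP(session=client.session_id)
    # interface handle, timeout, count, items
    enippkt /= ENIP_SendUnitData(
        interface_handle=0x0,
        items=[
            # type_id, length, connection id
            ENIP_SendUnitData_Item() / ENIP_ConnectionAddress(connection_id=client.enip_connid),
            # type_id, length, sequence
            ENIP_SendUnitData_Item() / ENIP_ConnectionPacket(sequence=client.sequence) / cippkt,
        ])
    client.sequence += 1
    if client.sock is not None:
        client.sock.send(str(enippkt))
    # NOTE(review): the original collapsed source does not show whether this
    # show() sat inside the ``if``; it is kept unconditional here.
    enippkt.show()

    # Print only the CIP status of the reply; the reply may lack a CIP layer
    # (e.g. an ENIP-level error), and indexing a missing layer would raise.
    resppkt = client.recv_enippkt()
    if resppkt is None:
        return
    if resppkt.haslayer(CIP):
        print("Status: " + str(resppkt[CIP].status))
    else:
        print("Status: (no CIP layer in reply)")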
def send_unit_cip(self, cippkt):
    """Send a CIP packet over the TCP connection as an ENIP Unit Data

    ``cippkt`` is placed in a SendUnitData envelope addressed with this
    client's connection id and current sequence number, the sequence
    counter is advanced, and the frame is written to ``self.sock`` when a
    socket is open (the counter advances even when nothing is sent).
    """
    address_item = ENIP_SendUnitData_Item() / ENIP_ConnectionAddress(connection_id=self.enip_connid)
    data_item = ENIP_SendUnitData_Item() / ENIP_ConnectionPacket(sequence=self.sequence) / cippkt
    frame = ENIP_TCP(session=self.session_id) / ENIP_SendUnitData(items=[address_item, data_item])
    self.sequence += 1
    if self.sock is not None:
        self.sock.send(str(frame))