def randval(self):
    """Return a list of fuzzed values built from one ``self.cls()`` instance.

    The number of elements is taken from ``volatile.RandNum(0, 4)``. Each
    element is the result of a separate ``packet.fuzz()`` call on the same
    template object.
    """
    how_many = volatile.RandNum(0, 4)
    template = self.cls()
    return [packet.fuzz(template) for _ in range(how_many)]
def yield_test_case(self, count, constraints=None):
    """
    Generator producing candidate 802.15.4 data frames for fuzzing.

    Each frame is a Dot15d4FCS / Dot15d4Data header built from the instance's
    target PAN ID and short addresses, followed by a fuzzed LengthRaw payload
    whose maximum length is MAX_DOT15D4_LENGTH minus the header length. The
    stored sequence number advances by one per frame and wraps after 0xFF.

    :param count: Number of test cases to yield.
    :param constraints: Dictionary of constraints to apply. Optionally takes an
        entry "check_valid"=False to disable checking to see if the produced
        frame makes sense to Scapy.
    :yield: ``str(pkt)`` of each generated frame.
    """
    validate = True
    if constraints is not None:
        validate = constraints.get('check_valid', True)

    for _ in range(count):
        header = Dot15d4FCS(seqnum=self.__start_seqnum,
                            fcf_srcaddrmode=2,
                            fcf_ackreq=True,
                            fcf_destaddrmode=2,
                            fcf_panidcompress=True) / \
            Dot15d4Data(dest_panid=self.__target_pan_id,
                        dest_addr=self.__target_short_addr,
                        src_addr=self.__src_short_addr)
        room = MAX_DOT15D4_LENGTH - len(header)
        pkt = header / fuzz(LengthRaw(max_length=room))
        self.__start_seqnum = (self.__start_seqnum + 1) % (0xFF + 1)

        if not validate:
            yield str(pkt)
            continue

        # Because of fuzz(), every str(pkt) serialises different random
        # values, and Scapy does not parse all of them back into a
        # Dot15d4Data layer. Re-serialise until one does.
        # NOTE(review): this retry loop has no upper bound on attempts.
        while True:
            candidate = str(pkt)
            if Dot15d4FCS(candidate).haslayer(Dot15d4Data):
                break
            print("Trying again as initial packet didn't pass validity check.")
        yield candidate
def randval(self):
    """Return a RandChoice over one random candidate per usable choice.

    Entries of ``self.choices`` are handled by what they expose:
    an ``ASN1_root`` attribute means the entry is instantiated and fuzzed,
    an ``ASN1_tag`` attribute means its own ``randval()`` is used.
    Entries with neither attribute contribute nothing.
    """
    candidates = []
    for choice in self.choices.itervalues():
        if hasattr(choice, "ASN1_root"):
            # Expected to be an ASN1_Packet class.
            candidates.append(packet.fuzz(choice()))
            continue
        if not hasattr(choice, "ASN1_tag"):
            continue
        if isinstance(choice, type):
            # Expected to be a (basic) ASN1F_field class: instantiate first.
            field = choice("dummy", None)
            candidates.append(field.randval())
        else:
            # Expected to be an ASN1F_PACKET instance.
            candidates.append(choice.randval())
    return RandChoice(*candidates)
def randval(self):
    """Return a RandChoice over one random candidate per usable choice.

    Values of ``self.choices`` (iterated with ``six.itervalues``) are
    handled by what they expose: an ``ASN1_root`` attribute means the entry
    is instantiated and fuzzed, an ``ASN1_tag`` attribute means its own
    ``randval()`` is used. Entries with neither attribute are skipped.
    """
    candidates = []
    for choice in six.itervalues(self.choices):
        if hasattr(choice, "ASN1_root"):
            # Expected to be an ASN1_Packet class.
            candidates.append(packet.fuzz(choice()))
            continue
        if not hasattr(choice, "ASN1_tag"):
            continue
        if isinstance(choice, type):
            # Expected to be a (basic) ASN1F_field class: instantiate first.
            field = choice("dummy", None)
            candidates.append(field.randval())
        else:
            # Expected to be an ASN1F_PACKET instance.
            candidates.append(choice.randval())
    return RandChoice(*candidates)
def test_fuzz_packets(self):
    """
    Feeds 1000 fuzzed probe-request frames to 'ProbeRequestParser.parse()'.

    Nothing is asserted on the parse results, so the test fails only if
    the parser raises on one of the generated frames.
    """

    # pylint: disable=no-self-use

    for _ in range(1000):
        radiotap = RadioTap()
        fuzzed_probe = fuzz(Dot11() / Dot11ProbeReq() / Dot11Elt())
        ProbeRequestParser.parse(radiotap / fuzzed_probe)
def generate_packet_with_random_values(the_class):
    """Instantiate ``the_class`` and return the instance passed through ``fuzz()``.

    ``the_class`` may be a Packet metaclass instance (a packet class), which
    is called directly, or a string, which is evaluated to obtain the class.
    Anything else raises ``TypeError``.
    """
    if isinstance(the_class, string_types):
        # NOTE(review): eval() runs the string as a Python expression, so this
        # branch is only safe when the_class comes from trusted code and never
        # from external input. A lookup in an explicit name-to-class mapping
        # would avoid evaluating arbitrary text.
        instance = eval(the_class)()
    elif isinstance(the_class, Packet_metaclass):
        instance = the_class()
    else:
        raise TypeError("Only strings or Packet metaclasses are allowed.")

    return fuzz(instance)
def randval(self):
    """Return ``packet.fuzz()`` applied to a new ``self.asn1pkt()`` instance."""
    blank = self.asn1pkt()
    return packet.fuzz(blank)
def randval(self):
    # type: () -> ASN1_Packet
    """Return ``packet.fuzz()`` applied to a new ``self.cls()`` instance."""
    fresh = self.cls()
    fuzzed = packet.fuzz(fresh)
    return fuzzed
def genPackets(self):
    """Return a one-element list: RadioTap / Dot11 with a fuzzed Dot11AssoReq on top."""
    frame = RadioTap() / Dot11() / fuzz(Dot11AssoReq())
    return [frame]
from USBFuzz.QCDM import * import os import sys arg = sys.argv[1].split(':') iface = 0 if len(sys.argv) > 2: iface = int(sys.argv[2]) dev = QCDMDevice(vid=arg[0], pid=arg[1], iface=iface) while dev.is_alive(): cmd = QCDMFrame()/fuzz(Command())/Raw(os.urandom(8)) # avoid switching to downloader or test modes if cmd.code == 58 or cmd.code == 59: cmd.code = 0 cmd.show2() print dev.hex_dump(str(cmd[Raw])) dev.send(str(cmd)) res = dev.receive_response() if QCDMFrame in res: res.show() if Raw in res: print dev.hex_dump(str(res[Raw])) else:
def genPackets(self):
    """Return a one-element list: RadioTap / Dot11 with a fuzzed Dot11Beacon on top."""
    frame = RadioTap() / Dot11() / fuzz(Dot11Beacon())
    return [frame]
def genPackets(self):
    """Return a one-element list holding a to-DS Dot11 / LLC / SNAP frame with a fuzzed EAP layer."""
    return [
        RadioTap() / Dot11(FCfield="to-DS") / LLC() / SNAP() / fuzz(EAP()),
    ]
def genPackets(self):
    """Return a one-element list holding a partly fuzzed probe-request frame.

    Layers, bottom to top: RadioTap, Dot11, a fuzzed Dot11ProbeReq, an SSID
    element carrying ``self.driver.ssid`` unchanged, and a fuzzed 'Rates'
    element.
    """
    # Built step by step in the same left-to-right order as a single
    # chained expression would evaluate.
    header = RadioTap() / Dot11()
    probe = header / fuzz(Dot11ProbeReq())
    with_ssid = probe / Dot11Elt(ID='SSID', info=self.driver.ssid)
    frame = with_ssid / fuzz(Dot11Elt(ID='Rates'))
    return [frame]
def genPackets(self):
    """Return a one-element list: RadioTap / Dot11 with a fuzzed Dot11Deauth on top."""
    frame = RadioTap() / Dot11() / fuzz(Dot11Deauth())
    return [frame]
def randval(self):
    """Return a RandChoice over a fuzzed instance of every value in ``self.choices``."""
    fuzzed = [packet.fuzz(choice()) for choice in self.choices.itervalues()]
    return RandChoice(*fuzzed)
from scapy.packet import Raw, fuzz
from USBFuzz.CCID import *
import sys

# Fuzzing loop for a USB CCID device: sends PC_to_RDR_XfrBlock commands that
# carry a fuzzed APDU (CLA fixed to 0x80) and prints the exchanges whose
# reply passes the filter below.
#
# The first command-line argument is split on ':' into the vid and pid
# passed to CCIDDevice.
# NOTE(review): block nesting was reconstructed from a listing whose line
# breaks were collapsed -- confirm against the original file.
# NOTE(review): sys.argv[1] is used unchecked; a missing argument or one
# without ':' raises IndexError.
arg = sys.argv[1].split(':')
dev = CCIDDevice(vid=arg[0], pid=arg[1], timeout=2000)
dev.reset()

# Runs until the device stops reporting alive.
while dev.is_alive():
    print "Sending command %u" % (dev.cur_seq() + 1)
    # Only the APDU layer is fuzzed; the CCID header uses the device's next
    # sequence number and slot 0.
    cmd = CCID(bSeq=dev.next_seq(),bSlot=0)/PC_to_RDR_XfrBlock()/fuzz(APDU(CLA=0x80))
    dev.send(str(cmd))
    res = dev.receive()
    if (len(res)):
        reply = CCID(res)
        # Replies whose first payload byte is 0x6D are not printed.
        # NOTE(review): presumably this is the ISO 7816 SW1 for an
        # unsupported instruction, filtered as noise -- confirm.
        if Raw in reply and reply[Raw].load[0] != '\x6D':
            cmd.show2()
            print dev.hex_dump(str(cmd))
            reply.show2()
            if Raw in reply:
                print dev.hex_dump(str(reply[Raw]))
    else:
        # An empty read: log the command that got no answer.
        print "No response to command %u!" % dev.cur_seq()
        cmd.show2()
if len(response[0]) != 12 or response[0].Code != ResCodes["OK"]: print "Error opening session!" for packet in response: packet.show() sys.exit() while True: while dev.is_alive(): trans = struct.unpack("I", os.urandom(4))[0] r = struct.unpack("H", os.urandom(2))[0] opcode = OpCodes.items()[r%len(OpCodes)][1] if opcode == OpCodes["CloseSession"]: opcode = 0 cmd = Container()/fuzz(Operation(OpCode=opcode, TransactionID=trans, SessionID=dev.current_session())) dev.send(cmd) response = dev.read_response(trans) if len(response) == 0: print "No response to transaction %u" % trans elif response[-1].Type == 3 and response[-1].Code == ResCodes["Operation_Not_Supported"]: print "Operation %x not supported!" % cmd.OpCode else: cmd.show2() for packet in response: if packet.Type == 2: print dev.hex_dump(str(packet.payload)) else: packet.show()
from scapy.packet import Raw, fuzz from USBFuzz.QCDM import * import os import sys arg = sys.argv[1].split(':') iface = 0 if len(sys.argv) > 2: iface = int(sys.argv[2]) dev = QCDMDevice(vid=arg[0], pid=arg[1], iface=iface) while dev.is_alive(): cmd = QCDMFrame() / fuzz(Command()) / Raw(os.urandom(8)) # avoid switching to downloader or test modes if cmd.code == 58 or cmd.code == 59: cmd.code = 0 cmd.show2() print dev.hex_dump(str(cmd[Raw])) dev.send(str(cmd)) res = dev.receive_response() if QCDMFrame in res: res.show() if Raw in res: print dev.hex_dump(str(res[Raw])) else:
def randval(self):
    """Return ``packet.fuzz()`` applied to a new ``self.cls()`` instance."""
    fresh = self.cls()
    return packet.fuzz(fresh)
from scapy.packet import Raw, fuzz
from USBFuzz.CCID import *
import sys

# Fuzzing loop for a USB CCID device: sends PC_to_RDR_XfrBlock commands that
# carry a fuzzed APDU (CLA fixed to 0x80) and prints the exchanges whose
# reply passes the filter below.
#
# The first command-line argument is split on ':' into the vid and pid
# passed to CCIDDevice.
# NOTE(review): block nesting was reconstructed from a listing whose line
# breaks were collapsed -- confirm against the original file.
# NOTE(review): sys.argv[1] is used unchecked; a missing argument or one
# without ':' raises IndexError.
arg = sys.argv[1].split(':')
dev = CCIDDevice(vid=arg[0], pid=arg[1], timeout=2000)
dev.reset()

# Runs until the device stops reporting alive.
while dev.is_alive():
    print "Sending command %u" % (dev.cur_seq() + 1)
    # Only the APDU layer is fuzzed; the CCID header uses the device's next
    # sequence number and slot 0.
    cmd = CCID(bSeq=dev.next_seq(), bSlot=0) / PC_to_RDR_XfrBlock() / fuzz(
        APDU(CLA=0x80))
    dev.send(str(cmd))
    res = dev.receive()
    if (len(res)):
        reply = CCID(res)
        # Replies whose first payload byte is 0x6D are not printed.
        # NOTE(review): presumably this is the ISO 7816 SW1 for an
        # unsupported instruction, filtered as noise -- confirm.
        if Raw in reply and reply[Raw].load[0] != '\x6D':
            cmd.show2()
            print dev.hex_dump(str(cmd))
            reply.show2()
            if Raw in reply:
                print dev.hex_dump(str(reply[Raw]))
    else:
        # An empty read: log the command that got no answer.
        print "No response to command %u!" % dev.cur_seq()
        cmd.show2()
print "Error opening session!" for packet in response: packet.show() sys.exit() while True: while dev.is_alive(): trans = struct.unpack("I", os.urandom(4))[0] r = struct.unpack("H", os.urandom(2))[0] opcode = OpCodes.items()[r % len(OpCodes)][1] if opcode == OpCodes["CloseSession"]: opcode = 0 cmd = Container() / fuzz( Operation(OpCode=opcode, TransactionID=trans, SessionID=dev.current_session())) dev.send(cmd) response = dev.read_response(trans) if len(response) == 0: print "No response to transaction %u" % trans elif response[-1].Type == 3 and response[-1].Code == ResCodes[ "Operation_Not_Supported"]: print "Operation %x not supported!" % cmd.OpCode else: cmd.show2() for packet in response: if packet.Type == 2: print dev.hex_dump(str(packet.payload))