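def fuzz_ap():
    """Build the Sulley session that fuzzes the access point AP_MAC and run it.

    Configuration comes from module-level names set elsewhere in this file:
    IFACE, AP_MAC, STA_MAC, AP_CONFIG, AUTH_REQ_OPEN, DEAUTH, CRASH_RETRIES,
    DELAY_REBOOT, STATE_WAIT_TIME, FNAME, LOG_LEVEL, SKIP, CRASH_THRESHOLD,
    ouis and list_ies; the helpers sessions, instrumentation, s_get and
    mac2str are imported there as well.

    Three 802.11 states are exercised: not authenticated, authenticated but
    not associated, and associated.  Hooks installed on the session keep the
    target in a known state between test cases and detect when it stops
    answering.  Raw AF_PACKET sockets need CAP_NET_RAW on the fuzzing host.
    """
    # Local import: the file's import block is outside this function.
    import select

    # Frame-control byte of the reply each check waits for and the offset of
    # its two-byte status code.  The offsets presume the interface delivers
    # bare 802.11 frames without a radiotap header -- NOTE(review): confirm
    # for IFACE; with a radiotap header every check below would time out.
    AUTH_RESP_FC, AUTH_STATUS_OFF = "\xB0", 28
    ASSO_RESP_FC, ASSO_STATUS_OFF = "\x10", 26

    def is_resp(pkt, fc, status_off):
        """Return True if *pkt* is a management frame with frame-control
        byte *fc*, addressed to STA_MAC, whose status code is 0 (success)."""
        return (len(pkt) >= 30
                and pkt[0] == fc
                and pkt[4:10] == mac2str(STA_MAC)
                and pkt[status_off:status_off + 2] == "\x00\x00")

    def wait_for_resp(sock, window, fc, status_off):
        """Return True if a matching reply arrives on *sock* within *window*
        seconds, False once the window closes.

        Each recv() is gated by select() with the time left, so a quiet
        interface can no longer block the caller past its deadline (the
        earlier version only re-checked the clock after each packet, and
        recv() on a raw socket has no timeout of its own).
        """
        deadline = time.time() + window
        while True:
            remaining = deadline - time.time()
            if remaining <= 0:
                return False
            readable, _, _ = select.select([sock], [], [], remaining)
            if not readable:
                return False
            if is_resp(sock.recv(1024), fc, status_off):
                return True

    def is_alive():
        """Procmon post hook: probe the AP with an open-system auth request on a
        fresh raw socket, up to CRASH_RETRIES times with a one-second window
        each.  Returns True when the AP answers, False when it stays silent
        (which the framework records as a crash).
        """
        ETH_P_ALL = 3

        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        try:
            s.bind((IFACE, ETH_P_ALL))

            sess.log("checking aliveness of fuzzed access point %s" % AP_MAC, level=3)

            for attempt in range(CRASH_RETRIES):
                s.send(AUTH_REQ_OPEN)
                if wait_for_resp(s, 1, AUTH_RESP_FC, AUTH_STATUS_OFF):
                    # Tear the probe authentication down again so the next
                    # test case starts from the initial state.
                    s.send(DEAUTH)
                    if attempt:
                        sess.log("retried authentication %d times" % attempt, level=1)
                    return True
            return False
        finally:
            # Close on every path, including an exception from bind/recv;
            # the original leaked the descriptor in that case.
            s.close()

    def check_alive(s):
        """pre_send hook: block until the AP answers an open-system auth on
        the session socket *s*, sleeping DELAY_REBOOT between attempts.

        Deliberately never gives up (an AP that rebooted needs time to come
        back), so a target that stays down stalls the campaign until the
        operator intervenes.
        """
        sess.log("checking aliveness of fuzzed access point %s" % AP_MAC, level=3)

        while True:
            s.send(AUTH_REQ_OPEN)
            if wait_for_resp(s, 1, AUTH_RESP_FC, AUTH_STATUS_OFF):
                return True
            sess.log("waiting for the access point to be up", level=1)
            time.sleep(DELAY_REBOOT)

    def clean_state(s):
        """post_send hook: deauthenticate so the next case starts from the
        "not authenticated, not associated" state."""
        s.send(DEAUTH)
        sess.log("sending deauthentication to come back to initial state", level=3)

    def retry_current_case(session):
        """Rewind the mutation counters by one so the framework re-sends the
        test case that just failed to reach the expected state.

        There is no cap on how often this happens: a case the AP never
        accepts is re-sent until the crash threshold or the operator stops
        the run -- NOTE(review): consider a per-case retry limit.
        """
        if session.fuzz_node.mutant is not None:
            sess.log("re-trying the current test case", level=1)
            session.fuzz_node.mutant_index -= 1
            session.fuzz_node.mutant.mutant_index -= 1
            session.total_mutant_index -= 1

    def check_state(session, sock, fc, status_off, what):
        """Wait up to STATE_WAIT_TIME for the reply described by *fc* /
        *status_off*; log the outcome and rewind the case on failure.
        *what* names the step ("authentication" / "association") in the log.
        """
        if wait_for_resp(sock, STATE_WAIT_TIME, fc, status_off):
            sess.log("%s successfull with %s" % (what, AP_MAC), level=3)
            return

        sess.log("%s not successfull with %s" % (what, AP_MAC), level=1)
        retry_current_case(session)

    def check_auth(session, node, edge, sock):
        """Edge callback: confirm the AP accepted the open-system auth before
        the next node is sent (node/edge are unused but part of the hook API)."""
        check_state(session, sock, AUTH_RESP_FC, AUTH_STATUS_OFF, "authentication")

    def check_asso(session, node, edge, sock):
        """Edge callback: confirm the AP accepted the association request
        before the next node is sent (node/edge are part of the hook API)."""
        check_state(session, sock, ASSO_RESP_FC, ASSO_STATUS_OFF, "association")

    # Defining the transport protocol
    sess = sessions.session(session_filename=FNAME, proto="wifi", timeout=5.0, sleep_time=0.1, log_level=LOG_LEVEL, skip=SKIP, crash_threshold=CRASH_THRESHOLD)

    # Defining the target
    target = sessions.target(AP_MAC, 0)

    # Adding the detect_crash function for target monitoring
    target.procmon = instrumentation.external(post=is_alive)

    # Adding a check for alive of access point
    sess.pre_send = check_alive

    # Adding a deauth send to come back to initial state
    sess.post_send = clean_state

    # Adding the IFACE for socket binding
    sess.wifi_iface = IFACE

    # Adding the target to the fuzzing session
    sess.add_target(target)

    # Fuzzing State "Not Authenticated, Not Associated"

    sess.connect(s_get("AuthReq: Open"))

    for type_subtype in range(256): # 256
        sess.connect(s_get("Fuzzy 1: Malformed %d" % type_subtype))

    # Fuzzing State "Authenticated, Not Associated"
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Garbage"), callback=check_auth)    # Checking Authentication
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Open"), callback=check_auth)       # Checking Authentication
    sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: %s" % AP_CONFIG), callback=check_auth)    # Checking Authentication
    if AP_CONFIG not in ['Open']:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: %s Fuzzing" % AP_CONFIG ), callback=check_auth)    # Checking Authentication

    for oui in ouis:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: Vendor Specific %s" % oui), callback=check_auth)

    for ie in list_ies:
        sess.connect(s_get("AuthReq: Open"), s_get("AssoReq: IE %d" % ie), callback=check_auth)

        # NOTE(review): the loop over type_subtype that once enclosed the next
        # line is commented out, so it runs once per IE with type_subtype left
        # at 255 by the "Fuzzy 1" loop above.  Behaviour kept as found;
        # decide whether "Fuzzy 2" should get its own range(256) loop.
        #for type_subtype in range(256):
        sess.connect(s_get("AuthReq: Open"), s_get("Fuzzy 2: Malformed %d" % type_subtype), callback=check_auth)

    # Fuzzing State : "Authenticated, Associated"

    for type_subtype in range(256):
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("Fuzzy 3: Malformed %d" % type_subtype), callback=check_asso)

    if AP_CONFIG in ['WPA-PSK', 'RSN-PSK']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("EAPoL-Key: %s" % AP_CONFIG), callback=check_asso)

    if AP_CONFIG in ['WPA-EAP', 'RSN-EAP']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG), s_get("EAPoL-Start: %s" % AP_CONFIG), callback=check_asso)

    # Launching the fuzzing campaign
    sess.fuzz()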
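def fuzz_ap():
    """Build the Sulley session that fuzzes the access point AP_MAC and run it.

    Configuration comes from module-level names set elsewhere in this file:
    IFACE, AP_MAC, STA_MAC, AP_CONFIG, AUTH_REQ_OPEN, DEAUTH, CRASH_RETRIES,
    DELAY_REBOOT, STATE_WAIT_TIME, FNAME, LOG_LEVEL, SKIP, CRASH_THRESHOLD,
    ouis and list_ies; the helpers sessions, instrumentation, s_get and
    mac2str are imported there as well.

    Three 802.11 states are exercised: not authenticated, authenticated but
    not associated, and associated.  Hooks installed on the session keep the
    target in a known state between test cases and detect when it stops
    answering.  Raw AF_PACKET sockets need CAP_NET_RAW on the fuzzing host.
    """
    # Local import: the file's import block is outside this function.
    import select

    # Frame-control byte of the reply each check waits for and the offset of
    # its two-byte status code.  The offsets presume the interface delivers
    # bare 802.11 frames without a radiotap header -- NOTE(review): confirm
    # for IFACE; with a radiotap header every check below would time out.
    AUTH_RESP_FC, AUTH_STATUS_OFF = "\xB0", 28
    ASSO_RESP_FC, ASSO_STATUS_OFF = "\x10", 26

    def is_resp(pkt, fc, status_off):
        """Return True if *pkt* is a management frame with frame-control
        byte *fc*, addressed to STA_MAC, whose status code is 0 (success)."""
        return (len(pkt) >= 30
                and pkt[0] == fc
                and pkt[4:10] == mac2str(STA_MAC)
                and pkt[status_off:status_off + 2] == "\x00\x00")

    def wait_for_resp(sock, window, fc, status_off):
        """Return True if a matching reply arrives on *sock* within *window*
        seconds, False once the window closes.

        Each recv() is gated by select() with the time left, so a quiet
        interface can no longer block the caller past its deadline (the
        earlier version only re-checked the clock after each packet, and
        recv() on a raw socket has no timeout of its own).
        """
        deadline = time.time() + window
        while True:
            remaining = deadline - time.time()
            if remaining <= 0:
                return False
            readable, _, _ = select.select([sock], [], [], remaining)
            if not readable:
                return False
            if is_resp(sock.recv(1024), fc, status_off):
                return True

    def is_alive():
        """Procmon post hook: probe the AP with an open-system auth request on a
        fresh raw socket, up to CRASH_RETRIES times with a one-second window
        each.  Returns True when the AP answers, False when it stays silent
        (which the framework records as a crash).
        """
        ETH_P_ALL = 3

        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                          socket.htons(ETH_P_ALL))
        try:
            s.bind((IFACE, ETH_P_ALL))

            sess.log("checking aliveness of fuzzed access point %s" % AP_MAC,
                     level=3)

            for attempt in range(CRASH_RETRIES):
                s.send(AUTH_REQ_OPEN)
                if wait_for_resp(s, 1, AUTH_RESP_FC, AUTH_STATUS_OFF):
                    # Tear the probe authentication down again so the next
                    # test case starts from the initial state.
                    s.send(DEAUTH)
                    if attempt:
                        sess.log("retried authentication %d times" % attempt,
                                 level=1)
                    return True
            return False
        finally:
            # Close on every path, including an exception from bind/recv;
            # the original leaked the descriptor in that case.
            s.close()

    def check_alive(s):
        """pre_send hook: block until the AP answers an open-system auth on
        the session socket *s*, sleeping DELAY_REBOOT between attempts.

        Deliberately never gives up (an AP that rebooted needs time to come
        back), so a target that stays down stalls the campaign until the
        operator intervenes.
        """
        sess.log("checking aliveness of fuzzed access point %s" % AP_MAC,
                 level=3)

        while True:
            s.send(AUTH_REQ_OPEN)
            if wait_for_resp(s, 1, AUTH_RESP_FC, AUTH_STATUS_OFF):
                return True
            sess.log("waiting for the access point to be up", level=1)
            time.sleep(DELAY_REBOOT)

    def clean_state(s):
        """post_send hook: deauthenticate so the next case starts from the
        "not authenticated, not associated" state."""
        s.send(DEAUTH)
        sess.log("sending deauthentication to come back to initial state",
                 level=3)

    def retry_current_case(session):
        """Rewind the mutation counters by one so the framework re-sends the
        test case that just failed to reach the expected state.

        There is no cap on how often this happens: a case the AP never
        accepts is re-sent until the crash threshold or the operator stops
        the run -- NOTE(review): consider a per-case retry limit.
        """
        if session.fuzz_node.mutant is not None:
            sess.log("re-trying the current test case", level=1)
            session.fuzz_node.mutant_index -= 1
            session.fuzz_node.mutant.mutant_index -= 1
            session.total_mutant_index -= 1

    def check_state(session, sock, fc, status_off, what):
        """Wait up to STATE_WAIT_TIME for the reply described by *fc* /
        *status_off*; log the outcome and rewind the case on failure.
        *what* names the step ("authentication" / "association") in the log.
        """
        if wait_for_resp(sock, STATE_WAIT_TIME, fc, status_off):
            sess.log("%s successfull with %s" % (what, AP_MAC), level=3)
            return

        sess.log("%s not successfull with %s" % (what, AP_MAC), level=1)
        retry_current_case(session)

    def check_auth(session, node, edge, sock):
        """Edge callback: confirm the AP accepted the open-system auth before
        the next node is sent (node/edge are unused but part of the hook API)."""
        check_state(session, sock, AUTH_RESP_FC, AUTH_STATUS_OFF,
                    "authentication")

    def check_asso(session, node, edge, sock):
        """Edge callback: confirm the AP accepted the association request
        before the next node is sent (node/edge are part of the hook API)."""
        check_state(session, sock, ASSO_RESP_FC, ASSO_STATUS_OFF,
                    "association")

    # Defining the transport protocol
    sess = sessions.session(session_filename=FNAME,
                            proto="wifi",
                            timeout=5.0,
                            sleep_time=0.1,
                            log_level=LOG_LEVEL,
                            skip=SKIP,
                            crash_threshold=CRASH_THRESHOLD)

    # Defining the target
    target = sessions.target(AP_MAC, 0)

    # Adding the detect_crash function for target monitoring
    target.procmon = instrumentation.external(post=is_alive)

    # Adding a check for alive of access point
    sess.pre_send = check_alive

    # Adding a deauth send to come back to initial state
    sess.post_send = clean_state

    # Adding the IFACE for socket binding
    sess.wifi_iface = IFACE

    # Adding the target to the fuzzing session
    sess.add_target(target)

    # Fuzzing State "Not Authenticated, Not Associated"

    sess.connect(s_get("AuthReq: Open"))

    for type_subtype in range(256):  # 256
        sess.connect(s_get("Fuzzy 1: Malformed %d" % type_subtype))

    # Fuzzing State "Authenticated, Not Associated"
    sess.connect(s_get("AuthReq: Open"),
                 s_get("AssoReq: Garbage"),
                 callback=check_auth)  # Checking Authentication
    sess.connect(s_get("AuthReq: Open"),
                 s_get("AssoReq: Open"),
                 callback=check_auth)  # Checking Authentication
    sess.connect(s_get("AuthReq: Open"),
                 s_get("AssoReq: %s" % AP_CONFIG),
                 callback=check_auth)  # Checking Authentication
    if AP_CONFIG not in ['Open']:
        sess.connect(s_get("AuthReq: Open"),
                     s_get("AssoReq: %s Fuzzing" % AP_CONFIG),
                     callback=check_auth)  # Checking Authentication

    for oui in ouis:
        sess.connect(s_get("AuthReq: Open"),
                     s_get("AssoReq: Vendor Specific %s" % oui),
                     callback=check_auth)

    for ie in list_ies:
        sess.connect(s_get("AuthReq: Open"),
                     s_get("AssoReq: IE %d" % ie),
                     callback=check_auth)

        # NOTE(review): the loop over type_subtype that once enclosed the next
        # call is commented out, so it runs once per IE with type_subtype left
        # at 255 by the "Fuzzy 1" loop above.  Behaviour kept as found;
        # decide whether "Fuzzy 2" should get its own range(256) loop.
        #for type_subtype in range(256):
        sess.connect(s_get("AuthReq: Open"),
                     s_get("Fuzzy 2: Malformed %d" % type_subtype),
                     callback=check_auth)

    # Fuzzing State : "Authenticated, Associated"

    for type_subtype in range(256):
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG),
                     s_get("Fuzzy 3: Malformed %d" % type_subtype),
                     callback=check_asso)

    if AP_CONFIG in ['WPA-PSK', 'RSN-PSK']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG),
                     s_get("EAPoL-Key: %s" % AP_CONFIG),
                     callback=check_asso)

    if AP_CONFIG in ['WPA-EAP', 'RSN-EAP']:
        sess.connect(s_get("AssoReq: %s" % AP_CONFIG),
                     s_get("EAPoL-Start: %s" % AP_CONFIG),
                     callback=check_asso)

    # Launching the fuzzing campaign
    sess.fuzz()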
from sulley import (s_initialize, s_string, s_delim, s_static, s_get, sessions)

# Minimal Sulley example: fuzz the request line of an HTTP GET.
# Both values below are used twice -- as the transport target and inside
# the Host: header -- so keep them in step.
host = "localhost"
port = 1337

# Request template.  The method and path are fuzzable strings, the spaces
# between them are delimiters (also mutated), and the protocol / Host lines
# are fixed so the server always sees a parseable request.
s_initialize("hello_world")
s_string("GET")                                   # method
s_delim(" ")
s_string("/")                                     # request target
s_delim(" ")
s_static("HTTP/1.1\r\n")
s_static("Host: %s:%d\r\n" % (host, port))        # fixed header
s_static("\r\n")                                  # end of headers
#
# Rendered without mutations this is:
#   GET / HTTP/1.1
#   Host: localhost:1337

# One session, one target, a request graph with a single node.
sess = sessions.session()
target = sessions.target(host, port)
sess.add_target(target)
sess.connect(s_get("hello_world"))
sess.fuzz()
from sulley import *

# File-format fuzzing example: only the pcap global header is modelled.
# The magic number is pinned (fuzzable=False) so the target still
# recognises the file; every other header field is mutated.
s_initialize("pcap")
if s_block_start("pcap"):
    s_dword(0xa1b2c3d4, name="magic", fuzzable=False)
    s_word(2, name="major")
    s_word(4, name="minor")
    s_dword(0, name="thiszone")
    s_dword(0, name="sigfigs")
    s_dword(96, name="snaplen")
    s_dword(1, name="network")
s_block_end()

# A file_session writes each test case to disk instead of sending it over
# the wire; the process monitor paces the run, so sleep_time is 0.
# start_webserver=True also brings up the session's status web UI (an HTTP
# listener on the fuzzing host), so keep this box on a lab network.
sess = sessions.file_session(session_filename="\\work\\audit\\test",
                             start_webserver=True,
                             sleep_time=0.0)

# The port is irrelevant: transmit is overridden and data reaches the
# target through the procmon RPC channel below.
target = sessions.target("localhost", 30000)
target.procmon = pedrpc.client("localhost", 26002)
target.procmon_options = {
    # A modified tshark that crashes on an improper pcap major version.
    "proc_path": "\\progra~1\\wireshark\\tshark-crash.exe",
    # %s is replaced by the path of the test-case file under audit.
    "proc_args": "-r %s",
    # Directory the test-case files are written to.
    "file_path": "c:\\work\\audit\\files\\",
    # A breakpoint address may be given here to mark a clean finish; 0 means
    # "rely on max_lifetime / process termination" instead.
    "finish_bp": 0,
    # Time-to-live for each spawned process, in seconds.
    "max_lifetime": 3.0,
    "show_window": False,
}

sess.add_target(target)
sess.connect(sess.root, s_get("pcap"))
sess.fuzz()