diff --git a/examples/ndc.py b/examples/ndc.py
new file mode 100644
index 00000000..1267a0c0
--- /dev/null
+++ b/examples/ndc.py
@@ -0,0 +1,121 @@ +#! /usr/bin/python +# Fuzz NDC protocol +# Author Fakhir Karim Reda +# kf@cyber-defense.ma / www.cyber-defense.ma + +from boofuzz import * +from binascii import * +from struct import * +import os + + +s_initialize("ndcallrandom") + +if s_block_start("elements"): + s_random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max_length=7000, + fuzzable=True, + num_mutations=50, + ) +s_block_end() + + +s_initialize("RandomBalance") + +if s_block_start("elements"): + s_random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max_length=1000, + fuzzable=True, + num_mutations=50, + ) +s_block_end() + + +# unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), // Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex') +# unsolicitedEjectCardMessage: { +# session: undefined, +# device: 'cardReader', +# deviceStatus: '2', +# severities: ['warning'], +# diagnosticStatus: '1205001000', +# supplies: ['unchanged'], +# deviceStatusDescription: 'The mechanism failed to eject the card, which was either captured or jammed', +# tokens: ['12', '001000001', '', 'D2', '2', '1205001000', '0'] +# } + + +# unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex') +# unsolicitedMessageReceiptPaperLowMessage: { +# session: undefined, +# device: 'receiptPrinter', +# deviceStatus: '0', +# severities: ['noError'], +# diagnosticStatus: '0042000000', +# supplies: ['mediaLow', 'good', 'good', 'good'], +# deviceStatusDescription: 'Successful print', +# tokens: ['12', '001000001', '', 'G0', '0', '0042000000', '2111'] +# }, + + +s_initialize("unsolicitedDevices") + +if s_block_start("elements"): + s_static("12") + # Message class + sub class + s_binary("0x1C") + # Separtor + s_static("000") + # Luno code 3 or 9 characters + s_binary("0x1C") + # Separtor + 
s_binary("0x1C") + # Separtor + # s_binary("D"); #Device Identifier Graphic (DIG). + Group("DEVICES_TYPES", values=["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M"]) # All device types + s_random("2", min_length=1, max_length=300, fuzzable=True, num_mutations=50) + # Device Status + s_binary("0x1C") + # Separtor + s_random("2", min_length=1, max_length=50, fuzzable=True, num_mutations=30) + # error severity + s_binary("0x1C") + # Separtor + s_random("2", min_length=20, max_length=500, fuzzable=True, num_mutations=100) + # Diagnostic Status. + s_binary("0x1C") + # Separtor + s_random("2", min_length=2, max_length=1000, fuzzable=True, num_mutations=30) + # Supplies Status + s_binary("0x1C") + # Separtor + s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50) + # Additional datas + s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50) + # Trailer + +s_block_end() + + +mysession_filename = "audits\\ndc.session" + +# remove session filename if exists +if os.path.isfile(mysession_filename): + os.remove(mysession_filename) + +target_ip = "127.0.0.1" +sess = Session(session_filename=mysession_filename, crash_threshold_request=12) + + +target = Target(connection=SocketConnection(target_ip, 59269, proto="tcp")) + + +sess.add_target(target) + +sess.connect(s_get("ndcallrandom")) +sess.connect(s_get("RandomBalance")) +sess.connect(s_get("unsolicitedDevices")) + + +sess.fuzz()
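Review bot: In the "unsolicitedDevices" block the device identifier is built with `Group("DEVICES_TYPES", values=[...])`, which appears only to construct a primitive object and discard it, so nothing is added to the request being defined. The static-API form `s_group("DEVICES_TYPES", values=["A", "B", ..., "M"])` would place the field in the message; as written, the DIG byte looks to be missing from every generated case, and the run would report coverage of device types it never exercised. Separately, `mysession_filename = "audits\\ndc.session"` is a Windows-only path, while `os.path.join("audits", "ndc.session")` works on any platform with the already-imported `os`. A short comment above `target_ip` stating that the harness is meant for a local test instance would also help, since `sess.fuzz()` runs at import time with no `if __name__ == "__main__":` guard.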