From d532eb3ed2d87d600171293ca0d17729df1c9bf4 Mon Sep 17 00:00:00 2001
From: Fakhir Karim Reda zirsalem
Date: Mon, 6 Feb 2023 15:44:14 +0100
Subject: [PATCH 1/2] ndc.py This is an NDC protocol Fuzzer , NDC is a protocol used by ATMS
---
examples/ndc.py | 106 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 106 insertions(+)
create mode 100644 examples/ndc.py
diff --git a/examples/ndc.py b/examples/ndc.py
new file mode 100644
index 00000000..db4b43da
--- /dev/null
+++ b/examples/ndc.py
@@ -0,0 +1,106 @@
+#! /usr/bin/python
+# Fuzz NDC protocol
+# Author Fakhir Karim Reda
+#kf@cyber-defense.ma / www.cyber-defense.ma
+
+from boofuzz import *
+from binascii import *
+from struct import *
+import os
+
+
+
+s_initialize("ndcallrandom")
+
+if s_block_start("elements"):
+ s_random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max_length=7000,fuzzable=True,num_mutations=50)
+s_block_end()
+
+
+s_initialize("RandomBalance")
+
+if s_block_start("elements"):
+ s_random("31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",max_length=1000,fuzzable=True,num_mutations=50)
+s_block_end()
+
+
+#unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), //
Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex')
+# unsolicitedEjectCardMessage: {
+# session: undefined,
+# device: 'cardReader',
+# deviceStatus: '2',
+# severities: ['warning'],
+# diagnosticStatus: '1205001000',
+# supplies: ['unchanged'],
+# deviceStatusDescription: 'The mechanism failed to eject the card, which was either captured or jammed',
+# tokens: ['12', '001000001', '', 'D2', '2', '1205001000', '0']
+# }
+
+
+#unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex')
+# unsolicitedMessageReceiptPaperLowMessage: {
+# session: undefined,
+# device: 'receiptPrinter',
+# deviceStatus: '0',
+# severities: ['noError'],
+# diagnosticStatus: '0042000000',
+# supplies: ['mediaLow', 'good', 'good', 'good'],
+# deviceStatusDescription: 'Successful print',
+# tokens: ['12', '001000001', '', 'G0', '0', '0042000000', '2111']
+# },
+
+
+
+
+s_initialize("unsolicitedDevices")
+
+if s_block_start("elements"):
+ s_static("12"); # Message class + sub class
+ s_binary("0x1C"); # Separtor
+ s_static("000"); # Luno code 3 or 9 characters
+ s_binary("0x1C"); # Separtor
+ s_binary("0x1C"); # Separtor
+ #s_binary("D"); #Device Identifier Graphic (DIG).
+ Group("DEVICES_TYPES", values= ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H','I','J','K','L','M']) # All device types
+ s_random("2",min_length=1,max_length=300,fuzzable=True,num_mutations=50); # Device Status
+ s_binary("0x1C"); # Separtor
+ s_random("2",min_length=1,max_length=50,fuzzable=True,num_mutations=30); # error severity
+ s_binary("0x1C"); # Separtor
+ s_random("2",min_length=20,max_length=500,fuzzable=True,num_mutations=100); # Diagnostic Status.
+ s_binary("0x1C"); # Separtor
+ s_random("2",min_length=2,max_length=1000,fuzzable=True,num_mutations=30); # Supplies Status
+ s_binary("0x1C"); # Separtor
+ s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Additional datas
+ s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Trailer
+
+s_block_end()
+
+
+
+mysession_filename = "audits\\ndc.session"
+
+# remove session filename if exists
+if os.path.isfile(mysession_filename):
+ os.remove(mysession_filename)
+
+target_ip = "127.0.0.1"
+sess = Session(session_filename=mysession_filename,crash_threshold_request=12)
+
+
+target=Target(
+ connection=SocketConnection(target_ip,59269, proto="tcp")
+ )
+
+
+sess.add_target(target)
+
+sess.connect(s_get("ndcallrandom"))
+sess.connect(s_get("RandomBalance"))
+sess.connect(s_get("unsolicitedDevices"))
+
+
+sess.fuzz()
+
+
+
+
From afcc64514f2386beb60dd9b726c60c31528e1961 Mon Sep 17 00:00:00 2001
From: stickler-ci
Date: Mon, 6 Feb 2023 14:45:00 +0000
Subject: [PATCH 2/2] Fixing style errors.
---
examples/ndc.py | 85 +++++++++++++++++++++++++++++--------------------
1 file changed, 50 insertions(+), 35 deletions(-)
diff --git a/examples/ndc.py b/examples/ndc.py
index db4b43da..1267a0c0 100644
--- a/examples/ndc.py
+++ b/examples/ndc.py
@@ -1,7 +1,7 @@ #! /usr/bin/python # Fuzz NDC protocol # Author Fakhir Karim Reda -#kf@cyber-defense.ma / www.cyber-defense.ma +# kf@cyber-defense.ma / www.cyber-defense.ma from boofuzz import * from binascii import *
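Review bot: In the `unsolicitedDevices` block, `Group("DEVICES_TYPES", values=[...])` only constructs an object; unlike the `s_*` calls around it, it is never attached to the request being built, so the device-identifier field is most likely absent from every message, and `s_group("DEVICES_TYPES", values=[...])` is the static-API form (the line is carried over unchanged by the follow-up style patch). The `RandomBalance` seed also deserves a look before it lands in `examples/`: the hex appears to decode to a track-2-formatted field and EMV cardholder tags, so if it came from a captured transaction it should be replaced with synthetic test data. That seed is passed to `s_random` as hex text rather than bytes even though `binascii` is imported, which presumably is not intended. `"audits\\ndc.session"` only names a file inside `audits` on Windows; `os.path.join("audits", "ndc.session")` is portable.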
@@ -9,22 +9,31 @@ import os - s_initialize("ndcallrandom") if s_block_start("elements"): - s_random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max_length=7000,fuzzable=True,num_mutations=50) + s_random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max_length=7000, + fuzzable=True, + num_mutations=50, + ) s_block_end() s_initialize("RandomBalance") if s_block_start("elements"): - s_random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max_length=1000,fuzzable=True,num_mutations=50) + s_random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max_length=1000, + fuzzable=True, + num_mutations=50, + ) s_block_end() -#unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), // Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex') +# unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), // Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex') # unsolicitedEjectCardMessage: { # session: undefined, # device: 'cardReader', @@ -37,7 +46,7 @@ # } -#unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex') +# unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex') # unsolicitedMessageReceiptPaperLowMessage: { # session: undefined, # device: 'receiptPrinter', 
@@ -50,46 +59,56 @@ # }, - - s_initialize("unsolicitedDevices") if s_block_start("elements"): - s_static("12"); # Message class + sub class - s_binary("0x1C"); # Separtor - s_static("000"); # Luno code 3 or 9 characters - s_binary("0x1C"); # Separtor - s_binary("0x1C"); # Separtor - #s_binary("D"); #Device Identifier Graphic (DIG). - Group("DEVICES_TYPES", values= ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H','I','J','K','L','M']) # All device types - s_random("2",min_length=1,max_length=300,fuzzable=True,num_mutations=50); # Device Status - s_binary("0x1C"); # Separtor - s_random("2",min_length=1,max_length=50,fuzzable=True,num_mutations=30); # error severity - s_binary("0x1C"); # Separtor - s_random("2",min_length=20,max_length=500,fuzzable=True,num_mutations=100); # Diagnostic Status. - s_binary("0x1C"); # Separtor - s_random("2",min_length=2,max_length=1000,fuzzable=True,num_mutations=30); # Supplies Status - s_binary("0x1C"); # Separtor - s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Additional datas - s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Trailer + s_static("12") + # Message class + sub class + s_binary("0x1C") + # Separtor + s_static("000") + # Luno code 3 or 9 characters + s_binary("0x1C") + # Separtor + s_binary("0x1C") + # Separtor + # s_binary("D"); #Device Identifier Graphic (DIG). + Group("DEVICES_TYPES", values=["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M"]) # All device types + s_random("2", min_length=1, max_length=300, fuzzable=True, num_mutations=50) + # Device Status + s_binary("0x1C") + # Separtor + s_random("2", min_length=1, max_length=50, fuzzable=True, num_mutations=30) + # error severity + s_binary("0x1C") + # Separtor + s_random("2", min_length=20, max_length=500, fuzzable=True, num_mutations=100) + # Diagnostic Status. 
+ s_binary("0x1C") + # Separtor + s_random("2", min_length=2, max_length=1000, fuzzable=True, num_mutations=30) + # Supplies Status + s_binary("0x1C") + # Separtor + s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50) + # Additional datas + s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50) + # Trailer s_block_end() - mysession_filename = "audits\\ndc.session" # remove session filename if exists -if os.path.isfile(mysession_filename): +if os.path.isfile(mysession_filename): os.remove(mysession_filename) target_ip = "127.0.0.1" -sess = Session(session_filename=mysession_filename,crash_threshold_request=12) +sess = Session(session_filename=mysession_filename, crash_threshold_request=12) -target=Target( - connection=SocketConnection(target_ip,59269, proto="tcp") - ) +target = Target(connection=SocketConnection(target_ip, 59269, proto="tcp")) sess.add_target(target) @@ -100,7 +119,3 @@ sess.fuzz() - - - -
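Review bot: In the rewritten `unsolicitedDevices` block the formatter moved each trailing comment onto the line below its statement, so every comment now reads as a label for the next field: `# Separtor` sits directly above `s_static("000")` and `# Device Status` above a separator. Each comment belongs on the line above the call it describes, e.g. `# Message class + sub class` followed by `s_static("12")`, with the spelling corrected to `# Separator`.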