mtoecker

Very Basic Modbus Fuzzing

May 8th, 2013
__author__ = 'mtoecker'

import binascii
import socket
import datetime
import time
import random
from string import maketrans


## Code by @mtoecker
#
# Stand-in for a Modbus/TCP slave (RTU) that is used to exercise the
# response parsing of the master that talks to it.  The script serves
# exactly one TCP client, compares every incoming request with up to five
# previously captured requests and answers with the captured response that
# belongs to the match.  Slot 1 is sent back unchanged; for slots 2-5 one
# randomly chosen byte of the captured response is overwritten with a random
# value before it is sent.  Every handled exchange is logged to
# ./NoCRC/<slot>/NoCRCTest-<trial>.txt (those directories must already
# exist, open() is not wrapped in any directory creation).  The first
# request that matches no stored slot -- including the empty string recv()
# returns once the peer closes -- ends the session.
#
# Python 2 throughout (print statements, str used as a byte buffer).

print 'Starting Modbus Impersonation routine\n'
random.seed(time.time())


# Modbus Requests from the Test System
# Get these by using Wireshark to listen for modbus requests.
# Each one is compared byte-for-byte with what arrives on the socket, so a
# capture whose transaction id differs from the live one will not match.
req1 = ''
req2 = ''
req3 = ''
req4 = ''
req5 = ''

print ' Requests Stored\n'

# Modbus Responses from the RTU
# Use Wireshark to get these as well, they will be the responses FROM the RTU
resp1 = ''
resp2 = ''
resp3 = ''
resp4 = ''
resp5 = ''
print ' Responses Stored\n'

# (stored request, stored response, slot number), checked in this order.
# Matching is not exclusive: when more than one stored request equals the
# incoming one, the *last* equal slot wins.  NOTE(review): with the
# placeholders above left empty, a real request matches nothing and the
# session ends after the first message, while an empty recv() matches all
# five slots and is answered from slot 5.
EXCHANGES = [
    (req1, resp1, 1),
    (req2, resp2, 2),
    (req3, resp3, 3),
    (req4, resp4, 4),
    (req5, resp5, 5),
]

# Listens on TCP 2100 rather than the Modbus/TCP default 502, so the master
# under test has to be pointed at this port explicitly.
try:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(('0.0.0.0', 2100))
    print 'Created socket\n'
    listener.listen(5)
    print 'Socket now listening\n'
except Exception:
    print "Socket Error.  Will not continue"
    raise

# Single-client server: only the first connection is ever served.
client, peer = listener.accept()

print 'Connected with %s:%s' % (peer[0], peer[1])

# Per-session exchange counter; it is part of every log file name.
trial = 1

while True:

    respnum = 0
    response = ''
    request = client.recv(1024)
    print 'Received:\n%s\n' % binascii.hexlify(request)

    # Compare against every slot; a later equal slot overrides an earlier one.
    for stored_request, stored_response, slot in EXCHANGES:
        if request == stored_request:
            response = stored_response
            respnum = slot

    if respnum == 0:
        # Unknown (or empty) request: stop serving.
        break

    try:
        filename = './NoCRC/%d/NoCRCTest-%d.txt' % (respnum, trial)

        f = open(filename, 'w+')
    except Exception:
        print "File DNE, not writable, or other file error.  Exiting."
        raise

    stamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
    f.write('TimeStamp: %s\n' % stamp)

    f.write('Received:%s\n' % binascii.hexlify(request))
    if respnum == 1:
        # Slot 1 is the unmodified control case; nothing more is logged for it.
        client.send(response)
    else:

        #Start ByteFlippin
        # First draw: position of the byte to overwrite.  Raises ValueError
        # when the stored response is empty (randint(0, -1)).
        flipbyte = random.randint(0, len(response) - 1)
        # Second draw is never used; it is kept so the number of random
        # values consumed per trial stays the same as before.
        random.randint(0, 8)

        mutated = list(response)
        mutated[flipbyte] = chr(random.randint(0, 255))
        response = ''.join(mutated)

        f.write('Altered Byte: %d\n' % flipbyte)

        f.write('Responded:\n%s\n' % binascii.hexlify(response))

        client.send(response)
        print 'Responded:\n%s\n' % binascii.hexlify(response)

    f.close()

    trial += 1

client.close()