#!/usr/bin/python
import binascii
import logging
import os
import random
import struct
import subprocess
import sys
from random import *

from scapy.all import *
# Level 1 sits below logging.DEBUG (10), so the "scapy" logger itself filters
# nothing out; what actually appears depends on the handlers attached to it.
scapy_logger = logging.getLogger("scapy")
scapy_logger.setLevel(1)
## fuzzer core: every mutator below takes a list of byte strings (one character per element in the templates), mutates a copy and returns it; the input list is never modified in place ##
- def onerand(packet):
- pack = packet[:]
- byte = str(chr(choice(range(256))))
- pack[choice(range(len(packet)))]= byte
- print "fuzzing rand byte:%s\n" % (byte.encode("hex"))
- return pack
- def doublerand(packet):
- pack = packet[:]
- byte = str(chr(choice(range(256))))
- byte2 = str(chr(choice(range(256))))
- pack[choice(range(len(packet)))]= byte
- pack[choice(range(len(packet)))]= byte2
- print "fuzzing rand byte:%s byte2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
- return pack
- def longrand(packet):
- pack = packet[:]
- byte = str(chr(choice(range(256))))
- lon = randrange(0,600)
- pack[choice(range(len(packet)))]= byte*lon
- print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
- return pack
- def longerrand(packet):
- pack = packet[:]
- byte = str(chr(choice(range(256))))
- lon = randrange(0,600)
- pack[choice(range(len(packet)))]= byte
- pack[choice(range(len(packet)))]= byte*lon
- print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
- return pack
- def longerrandnull(packet):
- pack = packet[:]
- byte = str(chr(choice(range(256))))
- lon = randrange(0,600)
- pack[choice(range(len(packet)))]= byte
- pack[choice(range(len(packet)))]= byte+"\x00"*lon
- print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
- return pack
- def opnum(packet):
- pack = packet[:]
- byte = str(chr(choice(range(0,2))))
- pack[choice(range(len(packet)))]= byte
- print "fuzzing opnum:%s\n" % (byte.encode("hex"))
- return pack
- def doubleopnum(packet):
- pack = packet[:]
- byte = str(chr(choice(range(0,2))))
- byte2 = str(chr(choice(range(0,2))))
- pack[choice(range(len(packet)))]= byte
- pack[choice(range(len(packet)))]= byte2
- print "fuzzing opnum:%s et opnum no-2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
- return pack
- def remove1(packet):
- pack = packet[:]
- i = randrange(0, len(pack)-1)
- b = pack[:i] + pack[i+1:]
- print "remove one char fuzz, removed :%s"%(pack[i].encode("hex"))
- return b
- def changenull(packet):
- pack = packet[:]
- null = [i for i in range(len(pack)) if pack[i] == '\x00']
- byte = str(chr(choice(range(256))))
- pack[choice(null)] = byte
- print "replaced one null by a %s"%(byte.encode("hex"))
- return pack
- def removenull(packet):
- pack = packet[:]
- null = [i for i in range(len(pack)) if pack[i] == '\x00']
- num = choice(null)
- del pack[choice(null)]
- print "deleted null no-:%s"%(num)
- return pack
def randfunc(packet):
    """Apply one randomly chosen mutator from the full ("HARD") set to *packet* and return the result.

    The set includes the run-producing mutators (``longrand`` and friends), so
    the result may serialise to many more bytes than *packet*. The chosen
    mutator's name is printed before it runs.
    """
    hard_mutators = (onerand, doublerand, longrand, longerrand, longerrandnull,
                     removenull, changenull, remove1, doubleopnum, opnum)
    mutate = choice(hard_mutators)
    print("using %s fuzzing type (HARD)" % mutate.__name__)
    return mutate(packet)
def zenfunc(packet):
    """Apply one randomly chosen mutator from the gentle ("ZEN") set to *packet* and return the result.

    Only single-element overwrites and single-element deletions are used, so no
    element ever grows into a multi-byte run -- presumably why the send loop
    applies this set to the IP header, whose field offsets must stay put. The
    chosen mutator's name is printed before it runs.
    """
    zen_mutators = (onerand, removenull, changenull, remove1, doubleopnum, opnum)
    mutate = choice(zen_mutators)
    print("using %s fuzzing type (ZEN)" % mutate.__name__)
    return mutate(packet)
## end fuzzer core ##
# IPv4 header template as a list of one-character strings (56 entries). Byte 0
# is 0x4e: version 4, IHL 14 -> 56-byte header, i.e. 36 bytes of options after
# the fixed 20. Bytes 2-3 (total length) and 10-11 (header checksum) are
# recomputed by longueur() / add_ip_checksum() before sending.
ip = [chr(int(octet, 16)) for octet in (
    "4e fe 01 08 00 00 40 00 fa 01 00 00 c0 a8 02 64 "
    "c0 a8 02 65 44 24 0d 01 c0 a8 02 64 04 80 30 77 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00"
).split()]
# ICMP template as a list of one-character strings (208 entries): byte 0 is the
# ICMP type (0x08; OpIcmp() overwrites it), bytes 2-3 the checksum slot that
# add_checksum() fills in, followed by 20 bytes of header/payload data and a
# 184-byte run of 0x20.
icmp = [chr(int(octet, 16)) for octet in (
    "08 00 00 00 00 00 00 04 75 54 08 4b 00 00 00 00 "
    "04 6b 0d 00 00 00 00 00"
).split() + ["20"] * 184]
def longueur(payload):
    """Return a copy of *payload* whose elements 2-3 hold the 16-bit total byte length ("longueur" = length).

    ``len(''.join(payload))`` is the serialised size; its low 16 bits are written
    big-endian into list positions 2 and 3, which in the ``ip`` template is the
    IPv4 "total length" field. Positions are list indices, so this lands on the
    right bytes only while every element before index 2 is a single character
    (true for the ip template and the zenfunc mutators applied to it).
    """
    total = len(''.join(payload))
    # ">i" yields 4 big-endian bytes; the last two are the low 16 bits.
    length_field = struct.pack(">i", total)[2:4]
    result = list(payload)
    result[2:4] = length_field
    return result
- def OpIP(packet):
- pack = packet[:]
- num = str(chr(choice(range(1,9))))
- num1 = str(chr(choice(range(0,150))))
- #pack[0] = num
- #pack[9] = num1
- print "fuzzing version OPNUM no-:%s and nh OPNUM no-:%s"%(num.encode("hex"),num1.encode("hex"))
- return pack
- def OpIcmp(packet):
- pack = packet[:]
- num = str(chr(choice(range(0,42))))
- pack[0] = num
- print "fuzzing ICMP OPNUM no-:%s"%(num.encode("hex"))
- return pack
## checksum calculation and replacement ##
## checksum() is the standard Internet one's-complement checksum (RFC 1071), taken from scapy
def checksum(pkt):
    """Return the 16-bit Internet (one's-complement) checksum of *pkt*.

    *pkt* is a byte string, or any object whose ``bytes()`` conversion yields
    the serialised packet. An odd-length input is padded with one zero byte.
    The 16-bit words are summed big-endian, the carries are folded back in
    twice, and the complement is returned masked to 16 bits, so a buffer that
    already contains a correct checksum sums to 0.
    """
    data = bytes(pkt)
    if len(data) & 1:
        data += b"\0"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    total = sum(words)
    total = (total >> 16) + (total & 0xffff)
    total += total >> 16
    return ~total & 0xffff
## end of checksum() taken from scapy ##
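def add_checksum(packet):
    """Return *packet* (a list of byte strings) with the ICMP checksum written at byte offsets 2-3.

    The checksum is the one's-complement sum (see ``checksum``) over the whole
    message with the checksum field zeroed, as RFC 792 requires. Two fixes over
    the original: the field is zeroed before summing (the original summed
    whatever the mutators had left in elements 2-3, giving a wrong value whenever
    they touched them), and offsets are taken on the serialised bytes rather than
    on list indices, so the field still lands on bytes 2-3 after a
    ``longrand``-style mutation has turned an earlier element into a multi-byte
    run. The result is consequently flattened to one character per element.
    Messages shorter than 4 bytes are returned as an unchanged copy.
    """
    raw = ''.join(packet)
    if len(raw) < 4:
        return list(packet)
    head, tail = raw[:2], raw[4:]
    csum = checksum(head + "\x00\x00" + tail)
    return list(head + struct.pack(">H", csum) + tail)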
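def add_ip_checksum(packet):
    """Return *packet* (a list of byte strings) with the IPv4 header checksum written at byte offsets 10-11.

    Per RFC 791 the header checksum covers the IP header only (IHL * 4 bytes,
    IHL being the low nibble of byte 0) with the checksum field zeroed. The
    original summed the entire datagram without zeroing the field, so its value
    was wrong for any payload and a checksum-verifying receiver would discard
    the packet before ever parsing the fuzzed ICMP inside it. Offsets are taken
    on the serialised bytes (see ``add_checksum``) and the result is flattened
    to one character per element. A header length below the 20-byte minimum is
    clamped to 20 so the checksum slot is always covered; datagrams shorter
    than 12 bytes are returned as an unchanged copy.
    """
    raw = ''.join(packet)
    if len(raw) < 12:
        return list(packet)
    header_len = min(max((ord(raw[0]) & 0x0f) * 4, 20), len(raw))
    header = raw[:10] + "\x00\x00" + raw[12:header_len]
    csum = checksum(header)
    return list(raw[:10] + struct.pack(">H", csum) + raw[12:])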
## end checksum calculation and replacement ##
### snort is an example of hooking a target program into the fuzz loop: packets are sent for as long as the pidof check below keeps returning the same result.
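def _target_pids(name):
    """Return the set of PIDs ``pidof name`` reports; empty if none, or if pidof is unavailable."""
    try:
        proc = subprocess.Popen(["pidof", name], stdout=subprocess.PIPE)
    except OSError:
        return set()
    out, _ = proc.communicate()
    return set(out.split())


TARGET = "snort"
# os.system() returns pidof's exit status, not a PID, so the original loop could
# only tell "running" from "not running": a crash followed by a restart (a PID
# change) went unnoticed. Comparing the PID set catches both.
pids = _target_pids(TARGET)
if not pids:
    print("warning: no %s process found; the loop will run until one appears" % TARGET)
# NOTE: this puts malformed IPv4/ICMP in broadcast Ethernet frames on scapy's
# default interface -- run it on an isolated lab segment only.
while _target_pids(TARGET) == pids:
    # Fuzz copies of both templates, then fix up, in this order, the ICMP
    # checksum, the IP total length and finally the IP header checksum.
    layer3 = longueur(zenfunc(ip) + add_checksum(randfunc(icmp)))
    raw = ''.join(add_ip_checksum(layer3))
    frame = Ether(dst="ff:ff:ff:ff:ff:ff", type=0x0800) / raw
    # Printed before sending so the last packet on screen is the suspect if the
    # target dies on it.
    print("packet IP:%s\n" % binascii.hexlify(raw))
    sendp(frame)
print("%s PID set changed from %s to %s; the last packet printed above is the suspect"
      % (TARGET, sorted(pids), sorted(_target_pids(TARGET))))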
## enjoy!