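#! /usr/bin/python
# Fuzz NDC protocol
# Author Fakhir Karim Reda
# kf@cyber-defense.ma / www.cyber-defense.ma
"""boofuzz session that sends malformed NDC messages to a local TCP endpoint.

Three requests are defined and attached to the session root:

* ``ndcallrandom``       - one fully random payload of up to 7000 bytes.
* ``RandomBalance``      - one fully random payload of up to 1000 bytes.
* ``unsolicitedDevices`` - an unsolicited device status message (class "12")
  whose fixed framing is kept while every status field is randomised.

Any previous session file is deleted first, so each run starts from the
first test case instead of resuming an earlier run.
"""
from boofuzz import *
from binascii import *
from struct import *
import os

# Field separator between NDC message fields, in the textual form that
# s_binary() parses into the single byte 0x1C.
FIELD_SEPARATOR = "0x1C"

# NOTE(review): in the listing this script was recovered from, the text between
# "s_random" and "max_length=" is missing for the next two requests, so their
# seed value and min_length are not known. The two constants below are
# constructed placeholders (they mirror the s_random("2", min_length=1, ...)
# call used for the device status field further down) and must be replaced
# with the author's original values.
PLACEHOLDER_RANDOM_SEED = "2"
PLACEHOLDER_RANDOM_MIN_LENGTH = 1

s_initialize("ndcallrandom")
if s_block_start("elements"):
    s_random(
        PLACEHOLDER_RANDOM_SEED,
        min_length=PLACEHOLDER_RANDOM_MIN_LENGTH,
        max_length=7000,
        fuzzable=True,
        num_mutations=50,
    )
s_block_end()

s_initialize("RandomBalance")
if s_block_start("elements"):
    s_random(
        PLACEHOLDER_RANDOM_SEED,
        min_length=PLACEHOLDER_RANDOM_MIN_LENGTH,
        max_length=1000,
        fuzzable=True,
        num_mutations=50,
    )
s_block_end()

# Reference messages the "unsolicitedDevices" layout is modelled on, kept in
# the JavaScript notation the author recorded them in. "^\" in the ASCII form
# is the 0x1C field separator.
#
# unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), // Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex')
# unsolicitedEjectCardMessage: {
#   session: undefined,
#   device: 'cardReader',
#   deviceStatus: '2',
#   severities: ['warning'],
#   diagnosticStatus: '1205001000',
#   supplies: ['unchanged'],
#   deviceStatusDescription: 'The mechanism failed to eject the card, which was either captured or jammed',
#   tokens: ['12', '001000001', '', 'D2', '2', '1205001000', '0']
# }
#
# unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex')
# unsolicitedMessageReceiptPaperLowMessage: {
#   session: undefined,
#   device: 'receiptPrinter',
#   deviceStatus: '0',
#   severities: ['noError'],
#   diagnosticStatus: '0042000000',
#   supplies: ['mediaLow', 'good', 'good', 'good'],
#   deviceStatusDescription: 'Successful print',
#   tokens: ['12', '001000001', '', 'G0', '0', '0042000000', '2111']
# },

s_initialize("unsolicitedDevices")
if s_block_start("elements"):
    s_static("12")  # Message class + sub class
    s_binary(FIELD_SEPARATOR)  # Separator
    s_static("000")  # Luno code 3 or 9 characters
    s_binary(FIELD_SEPARATOR)  # Separator
    s_binary(FIELD_SEPARATOR)  # Separator
    # s_binary("D")  # Device Identifier Graphic (DIG).
    # The original built a bare Group(...) object and discarded it, so the
    # device identifier never became part of the request. s_group() pushes
    # the primitive onto the open block, so each device letter is sent
    # directly in front of the device status, as in the "D2" / "G0" tokens
    # of the reference messages above.
    s_group(
        "DEVICES_TYPES",
        values=['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M'],
    )  # All device types
    s_random("2", min_length=1, max_length=300, fuzzable=True, num_mutations=50)  # Device Status
    s_binary(FIELD_SEPARATOR)  # Separator
    s_random("2", min_length=1, max_length=50, fuzzable=True, num_mutations=30)  # Error severity
    s_binary(FIELD_SEPARATOR)  # Separator
    s_random("2", min_length=20, max_length=500, fuzzable=True, num_mutations=100)  # Diagnostic Status
    s_binary(FIELD_SEPARATOR)  # Separator
    s_random("2", min_length=2, max_length=1000, fuzzable=True, num_mutations=30)  # Supplies Status
    s_binary(FIELD_SEPARATOR)  # Separator
    s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50)  # Additional data
    s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50)  # Trailer
s_block_end()

# Build the path with os.path.join so the session file lands inside the
# "audits" directory on every platform; the original hard-coded a backslash,
# which is only a path separator on Windows.
session_dir = "audits"
mysession_filename = os.path.join(session_dir, "ndc.session")
if not os.path.isdir(session_dir):
    os.makedirs(session_dir)

# Remove the session file if it exists, so the run does not resume from it.
if os.path.isfile(mysession_filename):
    os.remove(mysession_filename)

target_ip = "127.0.0.1"
target_port = 59269

sess = Session(session_filename=mysession_filename, crash_threshold_request=12)
# NOTE(review): no process or network monitor is attached to the target, so a
# fault in the service is only noticed when the TCP connection itself fails.
# Consider attaching a monitor to the Target so each finding can be tied to
# the test case that triggered it.
target = Target(
    connection=SocketConnection(target_ip, target_port, proto="tcp")
)
sess.add_target(target)

# Each request hangs directly off the session root, so the three are fuzzed
# independently of one another.
sess.connect(s_get("ndcallrandom"))
sess.connect(s_get("RandomBalance"))
sess.connect(s_get("unsolicitedDevices"))
sess.fuzz()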