forked from Groundworkstech/dynamips-gdb-mod
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrunFuzzer.py
164 lines (148 loc) · 3.98 KB
/
runFuzzer.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#
# Fuzzer template (FTP-Server)
# Use with Dynamips GDB server patch
# and GDB > 7.2, with --target=powerpc-elf
#
# Load from inside GDB with:
# (gdb) source runFuzzer.py
#
# Sebastian Muniz - Alfredo Ortega
# Groundworks Technologies
# http://www.groundworkstech.com
#
import os,time,socket
from subprocess import Popen,PIPE
from multiprocessing import Process
# Customize here
GDBPORT=12345
FTPSERVER="10.100.100.200"
FTPUSER="anonymous"
FTPPASS="[email protected]"
DYNAMIPS="../../dynamips-0.2.8-RC2/dynamips"
IOSIMAGE="../C1700-EN.BIN"
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
def log(str):
a=open("fuzz.log","ab")
a.write(str)
a.close()
print bcolors.OKBLUE+str+bcolors.ENDC
def enableTunTap():
print bcolors.WARNING+"Configuring tun/tap interface..."+bcolors.ENDC
#os.system("./networking.sh")
time.sleep(1)
def launchDynamips():
print bcolors.WARNING+"Launching Dynamips..."+bcolors.ENDC
os.system("rm *_lock") # remove possible stale lock file
opcommand = Popen([DYNAMIPS,"-Z",str(GDBPORT), "-j", "-P","1700","-s","0:0:tap:tap0",IOSIMAGE], stdin=PIPE)
time.sleep(1)
return opcommand
def debugDynamips():
gdb.execute("target remote : %d" % GDBPORT)
time.sleep(1)
gdb.execute("c")
log (gdb.execute("i r",to_string=True))
log (gdb.execute("bt",to_string=True))
log (gdb.execute("x/10i $pc-8",to_string=True))
gdb.execute("detach")
def enableFTP():
print bcolors.WARNING+"Enabling FTP..."+bcolors.ENDC
opcommand.stdin.write("\r\n")
opcommand.stdin.write("\r\n")
opcommand.stdin.write("\r\n")
time.sleep(0.1)
opcommand.stdin.write("en\r\n")
time.sleep(0.1)
opcommand.stdin.write("configure terminal\r\n")
time.sleep(0.1)
opcommand.stdin.write("ftp-server enable\r\n")
time.sleep(0.1)
return opcommand
#Connect to FTP and login with anonymous user
def loginFtp():
print bcolors.WARNING+"Connecting to FTP..."+bcolors.ENDC
s=socket.socket()
s.settimeout(5)
s.connect((FTPSERVER,21))
print s.recv(100)
s.send("USER %s\r\n" % FTPUSER)
print s.recv(100)
s.send("PASS %s\r\n" % FTPPASS)
print s.recv(100)
return s
# Get commands from HELP
def getFtpCommands():
s=loginFtp()
s.send("HELP\r\n")
time.sleep(0.5)
helpstr=s.recv(1000)
s.close()
helpstr=helpstr.split("\r\n")[1:-2]
cmds=[]
for line in helpstr:
cmds = cmds + line.split(" ")[1:]
#cmds=["mkd"]
return cmds
# Send RAW FTP command
def sendFTPCommand(command):
log("---- Fuzzing %s -----\n" % command)
s=loginFtp()
s.send("SYST\r\n")
s.recv(10)
s.send(command)
result=s.recv(1000)
s.send("QUIT\r\n")
s.recv(100)
s.close()
return result
def waitt(sec):
for i in range(sec):
time.sleep(1)
print bcolors.OKGREEN+("%d" % i)+bcolors.ENDC
#************************** main ***************************
#init fuzzer
gdb.execute("set pagination off")
#clean log
os.system("rm fuzz.log")
#configure network interface
enableTunTap()
#launch Dynamips process
opcommand=launchDynamips()
#attach in a new process
p = Process(target=debugDynamips,args=())
p.start()
waitt(70) # booting...
#Enable FTP server in config
enableFTP()
#List valid FTP commands
waitt(3)
cmds=getFtpCommands()
print bcolors.WARNING+"Valid commands:"
print repr(cmds)+bcolors.ENDC
#fuzz!
for cmd in cmds:
try:
print bcolors.WARNING+("Fuzzing command '%s'..." % cmd.strip())+bcolors.ENDC
time.sleep(2)
sendFTPCommand("%s %s" % (cmd.strip().upper(),"A"*100))
except: #probably crashed! restarting...
print bcolors.FAIL+"************ CRASH! ****************"+bcolors.ENDC
print bcolors.FAIL+"***********************************"+bcolors.ENDC
print bcolors.FAIL+"************ REBOOT ***************"+bcolors.ENDC
time.sleep(3)
opcommand.terminate()
opcommand=launchDynamips()
p = Process(target=debugDynamips,args=())
p.start()
waitt(70) # booting...
enableFTP()
waitt(3)
print bcolors.FAIL+"************ FINISHED ****************"+bcolors.ENDC
p.terminate()
opcommand.kill()