Function scanner + a lot of logging with the smarter_fuzzer

FUZZER/function_scanner.py

@@ -0,0 +1,194 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+import socket
+import time
+import binascii
+import os
+import sys
+from libmich.formats import *
+import gsm_um
+import smarter_fuzzer_function_def as fuzzer
+import itertools
+from random import randint
+
+from math import factorial
+import logging
+from pythonjsonlogger import jsonlogger
+
+############################################### SETTINGS #############################################
+# Default OpenBTS port
+TESTCALL_PORT = 28670;
+
+# Fill in current mobile device
+
+if len(sys.argv) > 2:
+    device = sys.argv[1];
+    imsi = sys.argv[2];
+else:
+	print("ERROR: Device name not found. \nCall the script with: ./smart_fuzzer #DEVICE #IMSI \nWhere #DEVICE is the name and #IMSI is the IMSI of the mobile device.")
+	sys.exit(0);
+
+# Log file location
+log_all_functions_JSON = "logs/functions/" + device + "_log_" + str(time.strftime("%Y%m%d-%H%M%S")) + ".json";
+
+# Creat socket
+tcsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+tcsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+tcsock.settimeout(2)
+
+ocsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ocsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+HOST = 'localhost'        # Symbolic name meaning all available interfaces
+PORT = 21337              # Arbitrary non-privileged port
+ocsock.bind((HOST, PORT))
+ocsock.settimeout(20)
+
+# Initialize JSON logger
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+# create a file handler
+handler = logging.FileHandler(log_all_functions_JSON)
+handler.setLevel(logging.INFO)
+
+# create a logging format
+formatter = jsonlogger.JsonFormatter()
+handler.setFormatter(formatter)
+
+# add the handlers to the logger
+logger.addHandler(handler)
+
+logger.info({
+		"message": "Function Scanner; Device and SIM information",
+		"device": device,
+		"imsi" : imsi});
+
+################################################# LOG ################################################
+def log_packets(run, maxRun, packet, parsed_packet, reply, parsed_reply):
+	if "ERROR" in parsed_reply:
+		parsed_reply = "libmich ERROR";
+
+	logger.info({
+		"message": run,
+		"maxRun" : maxRun,
+		"packet": str(packet).encode("hex"),
+		"parsed_packet": parsed_packet,
+		"reply": str(reply).encode("hex"),
+		"parsed_reply": parsed_reply
+		})
+
+
+############################################## CHANNEL ###############################################
+# Send a restart to OpenBTS to establish a new channel
+def establishNewChannel():
+   restart = "RESTART";
+   print("Channel restart: Establishing a new channel, this may take a second.");
+   tcsock.sendto(restart, ('127.0.0.1', TESTCALL_PORT));
+
+   # Wait for OpenBTS to confirm new channel.
+   try:
+   	reply = ocsock.recv(20000)
+   except:
+   	print "Could not establish a new channel.";
+   	return False;
+
+   print "New channel established, fuzzing will continue.";
+   time.sleep(1);
+   return True;
+
+def send(tcsock, packet):
+		try:
+			tcsock.sendto(packet, ('127.0.0.1', TESTCALL_PORT))
+			reply = tcsock.recv(1024)
+		except socket.timeout:
+			print "socket.timeout: Mobile device is not responding";
+			return False
+
+		#Libmich parses the output
+		parsed_reply = repr(L3Mobile.parse_L3(reply));
+		if "RELEASE_COMPLETE" in parsed_reply:
+			return False;
+		elif((str(reply).encode("hex") == "786e430200")): #MDL_ERROR_INDICATION
+			return False;
+
+
+
+		print "Received packet: ", str(reply).encode("hex") + "\n";
+		print "GSM_UM interpetation: " + '\n' + parsed_reply + "\n\n";
+
+		return reply
+
+############################################### UTILS ################################################
+def printPacket(packet, currentRun, total_runs):
+		print('------------------------------- INPUT  -------------------------------' + '\n');
+		print('Run ' + str(currentRun) + "/" + str(total_runs) + '\n');
+		# Make the packet readable
+		if(len(packet) % 2 == 0):
+			printable = str(packet).encode("hex");
+			print "Current complete packet: " + printable + '\n';
+
+		# Decode printable hex to make it usable for L3Mobile.
+		# Adding the \x for the bytes.
+		l3msg_input = repr(L3Mobile.parse_L3(str(packet)));
+
+		print "GSM_UM interpetation: \n " + l3msg_input + '\n\n';
+		print "------------------------------- OUTPUT -------------------------------" + '\n';
+
+############################################ SMART FUZZER ############################################
+# This fuzzer targets fields with variable length
+# Tries all different bytes for length byte
+# Tries random bytes for a range of lengths
+######################################################################################################
+# Fuzzer specific settings
+
+maxPacketAttempt = 5;
+currentPacketAttempt = 1;
+
+protocols = [5,6,8];
+
+currentRun = 0;
+total_runs = len(protocols) * 256;
+
+
+print "Total amount of runs: " + str(total_runs);
+time.sleep(1);
+
+for i in protocols:
+	firstByte = "{0:0{1}x}".format(i,2);
+	n = 1;
+	while n < 256:
+		secondByte = "{0:0{1}x}".format(n,2);
+
+		if(i == 5 and n == 17):
+			# Skip because the packet 0511 is a Authentication Reject and disconnects the mobile device
+			secondByte = "{0:0{1}x}".format(n+1,2);
+
+
+		#packet = "\\x" + str(i).zfill(2) + "\\x" + str(n).zfill(2);
+		packet = "\\x" + str(firstByte) + "\\x" + str(secondByte);
+		packet = packet.replace('\\x', '').decode('hex');
+
+		print "Packet: " + str(packet).encode("hex");
+		printPacket(packet, currentRun, total_runs);
+
+		# Send packet to the mobile device.
+		#packet = str(packet);
+		result = send(tcsock, packet);
+
+		if not result:
+			currentPacketAttempt = currentPacketAttempt + 1;
+			establishNewChannel();
+			if(currentPacketAttempt >= maxPacketAttempt):
+				parsed_packet = repr(L3Mobile.parse_L3(packet));
+				log_packets(currentRun, total_runs, packet, parsed_packet, "None", "None");
+				currentRun = currentRun + 1;
+				n = n + 1;
+		else:
+			parsed_result = repr(L3Mobile.parse_L3(result));
+			parsed_packet = repr(L3Mobile.parse_L3(packet));
+			log_packets(currentRun, total_runs, packet, parsed_packet, result, parsed_result);
+			currentRun = currentRun + 1;
+			currentPacketAttempt = 0;
+			n = n + 1;
+

FUZZER/gsm_um.py

@@ -311,7 +311,6 @@ def assignmentFailure():
     packet = a / b / c
     return packet
 
-
 # Network to MS
 def channelModeModify(VgcsTargetModeIdentication_presence=0,
                       MultiRateConfiguration_presence=0):
@@ -1489,7 +1488,7 @@ def locationUpdatingRequest():
     c = LocationUpdatingTypeAndCiphKeySeqNr()
     e = LocalAreaId()
     f = MobileStationClassmark1()
-    g = MobileId()
+    g = MobileIdTooLong()
     packet = a / b / c / e / f / g
     #packet = a / b
     return packet

FUZZER/logs/functions/IPHONE_log_20151120-053042.json

@@ -0,0 +1 @@
+{"message": "Function Scanner; Device and SIM information", "device": "IPHONE", "imsi": "204045220670380"}

FUZZER/logs/functions/IPHONE_log_20151120-053229.json

@@ -0,0 +1 @@
+{"message": "Function Scanner; Device and SIM information", "device": "IPHONE", "imsi": "204045220670380"}

FUZZER/logs/functions/IPHONE_log_20151120-053631.json

@@ -0,0 +1 @@
+{"message": "Function Scanner; Device and SIM information", "device": "IPHONE", "imsi": "204045220670380"}

FUZZER/logs/functions/IPHONE_log_20151120-053712.json

@@ -0,0 +1,5 @@
+{"message": "Function Scanner; Device and SIM information", "device": "IPHONE", "imsi": "204045220670380"}
+{"message": 0, "parsed_packet": "<[ALERTING]: TI(Transaction Identifier):0, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):0, Type():'1 : Call establishment - ALERTING'>", "parsed_reply": "<[STATUS]: TI(Transaction Identifier):8, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):1, Type():'61 : Misc - STATUS', Cause():<[Cause]: L():2, V():'\\xe0\\xe2'>, CallState():0xc9>", "packet": "0301", "reply": "837d02e0e2c900", "maxRun": 1024}
+{"message": 1, "parsed_packet": "<[CALL_PROCEEDING]: TI(Transaction Identifier):0, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):0, Type():'2 : Call establishment - CALL PROCEEDING'>", "parsed_reply": "<[STATUS]: TI(Transaction Identifier):8, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):0, Type():'61 : Misc - STATUS', Cause():<[Cause]: L():2, V():'\\xe0\\xe2'>, CallState():0xc9>", "packet": "0302", "reply": "833d02e0e2c900", "maxRun": 1024}
+{"message": 2, "parsed_packet": "<[PROGRESS]: TI(Transaction Identifier):0, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):0, Type():'3 : Call establishment - PROGRESS', ProgressInd():<[ProgressInd]: L():0, V():''>>", "parsed_reply": "<[STATUS]: TI(Transaction Identifier):8, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):1, Type():'61 : Misc - STATUS', Cause():<[Cause]: L():2, V():'\\xe0\\xe0'>, CallState():0xc9>", "packet": "0303", "reply": "837d02e0e0c900", "maxRun": 1024}
+{"message": 3, "parsed_packet": "<[CC_ESTABLISHMENT]: TI(Transaction Identifier):0, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):0, Type():'4 : Call establishment - CC-ESTABLISHMENT', SetupCont():<[SetupCont]: L():0, V():''>>", "parsed_reply": "<[STATUS]: TI(Transaction Identifier):8, PD(Protocol Discriminator):'3 : call control; call related SS messages', seq(Sequence Number):0, Type():'61 : Misc - STATUS', Cause():<[Cause]: L():2, V():'\\xe0\\xe0'>, CallState():0xc9>", "packet": "0304", "reply": "833d02e0e0c900", "maxRun": 1024}