# Fuzz iso8385 protocol
# Author Fakhir Karim Reda
# kf@cyber-defense.ma / www.cyber-defense.ma
from boofuzz import *
import os
def recordlength(s):
pad = 4 - (len(s) % 4)
if pad == 4:
pad = 0
s = "0" * pad + s
return s
s_initialize("allrandom")
if s_block_start("singlebitmapnaive"):
s_random(
"30 33 32 37 49 53 4F 37 30 31 30 30 30 30 30 31 31 31 30 F6 F3 00 21 8E E1 A0 08 00 00 00 00 00 00 00 01 31 "
"36 34 32 36 30 30 30 30 30 30 31 35 31 30 33 33 35 31 37 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 "
"30 30 30 30 30 30 30 31 30 30 30 31 37 30 39 32 37 32 31 35 33 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 "
"31 30 30 30 39 32 37 31 39 31 31 31 35 31 32 30 30 30 30 31 36 30 34 30 31 31 31 32 31 36 30 36 35 30 30 30 "
"32 30 30 36 30 30 30 30 30 31 30 32 30 36 38 37 30 31 39 31 31 39 31 35 38 34 30 31 39 30 39 32 30 30 31 30 "
"30 30 33 32 30 30 30 30 30 31 35 30 30 30 30 30 30 33 34 30 42 41 4E 41 4E 41 20 52 45 50 55 42 4C 49 43 20 "
"20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 54 59 20 50 52 30 36 32 50 38 37 30 30 31 34 50 32 "
"35 30 30 31 33 50 38 38 30 30 31 34 50 35 34 30 30 31 52 50 39 35 30 30 32 30 31 50 36 38 30 32 30 30 33 30 "
"30 30 39 32 37 30 32 30 36 38 37 30 31 39 31 31 39 38 34 30 38 34 30 30 30 39 30 33 39 30 30 33 39 30 39 36 "
"30 43 30 46 31 31 39",
min_length=331,
max_length=350,
fuzzable=True,
num_mutations=500,
)
s_block_end()
s_initialize("littlestatic")
if s_block_start("singlebitmapverynaive"):
s_binary("30 33 32 37") # size + 3byte of header
s_random(
"49 53 4F 37 30 31 30 30 30 30 30 31 31 31 30 F6 F3 00 21 8E E1 A0 08 00 00 00 00 00 00 00 01 31 36 34 32 36 "
"30 30 30 30 30 30 31 35 31 30 33 33 35 31 37 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 "
"30 30 30 31 30 30 30 31 37 30 39 32 37 32 31 35 33 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 "
"39 32 37 31 39 31 31 31 35 31 32 30 30 30 30 31 36 30 34 30 31 31 31 32 31 36 30 36 35 30 30 30 32 30 30 36 "
"30 30 30 30 30 31 30 32 30 36 38 37 30 31 39 31 31 39 31 35 38 34 30 31 39 30 39 32 30 30 31 30 30 30 33 32 "
"30 30 30 30 30 31 35 30 30 30 30 30 30 33 34 30 42 41 4E 41 4E 41 20 52 45 50 55 42 4C 49 43 20 20 20 20 20 "
"20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 54 59 20 50 52 30 36 32 50 38 37 30 30 31 34 50 32 35 30 30 31 "
"33 50 38 38 30 30 31 34 50 35 34 30 30 31 52 50 39 35 30 30 32 30 31 50 36 38 30 32 30 30 33 30 30 30 39 32 "
"37 30 32 30 36 38 37 30 31 39 31 31 39 38 34 30 38 34 30 30 30 39 30 33 39 30 30 33 39 30 39 36 30 43 30 46 "
"31 31 39",
min_length=331,
max_length=331,
fuzzable=True,
num_mutations=500,
)
s_block_end()
# fuzz just financial datas
s_initialize("iso8583ng")
if s_block_start("eltsize", encoder=recordlength):
s_size("elements", length=2, endian=">", fuzzable=False) # size
s_block_end()
if s_block_start("elements"):
s_binary("49 53 4F 37 30 31 30 30 30 30") # header
s_binary("30 31 31 31") # MTI
s_random(
"30 F6 F3 00 21 8E E1 A0 08 00 00 00 00 00 00 00 01 31 36 34 32 36 30 30 30 30 30 30 31 35 31 30 33 33 35 31 "
"37 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 37 30 39 32 37 32 "
"31 35 33 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 39 32 37 31 39 31 31 31 35 31 32 30 30 30 "
"30 31 36 30 34 30 31 31 31 32 31 36 30 36 35 30 30 30 32 30 30 36 30 30 30 30 30 31 30 32 30 36 38 37 30 31 "
"39 31 31 39 31 35 38 34 30 31 39 30 39 32 30 30 31 30 30 30 33 32 30 30 30 30 30 31 35 30 30 30 30 30 30 33 "
"34 30 42 41 4E 41 4E 41 20 52 45 50 55 42 4C 49 43 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 "
"20 54 59 20 50 52 30 36 32 50 38 37 30 30 31 34 50 32 35 30 30 31 33 50 38 38 30 30 31 34 50 35 34 30 30 31 "
"52 50 39 35 30 30 32 30 31 50 36 38 30 32 30 30 33 30 30 30 39 32 37 30 32 30 36 38 37 30 31 39 31 31 39 38 "
"34 30 38 34 30 30 30 39 30 33 39 30 30 33 39 30 39 36 30 43 30 46 31 31 39",
min_length=331,
max_length=350,
fuzzable=True,
num_mutations=500,
)
s_block_end()
# Fuzz all iso8385 payloads
s_initialize("nastyiso")
if s_block_start("eltsize", encoder=recordlength):
s_size("elements", length=2, endian=">", fuzzable=False)
s_block_end()
if s_block_start("elements"):
s_random("49 53 4F 37 30 31 30 30 30 30", min_length=10, max_length=10, num_mutations=50, fuzzable=True) # header
s_random("30 31 31 31", min_length=4, max_length=4, num_mutations=50, fuzzable=True) # MTI
s_random("30 F6 F3 00 21 8E E1 A0", min_length=8, max_length=16, num_mutations=100, fuzzable=True) # BITMAP
s_random(
"08 00 00 00 00 00 00 00 01 31 36 34 32 36 30 30 30 30 30 30 31 35 31 30 33 33 35 31 37 30 30 30 30 30 30 30 "
"30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 37 30 39 32 37 32 31 35 33 30 30 30 30 30 "
"30 30 31 30 30 30 30 30 30 30 31 30 30 30 39 32 37 31 39 31 31 31 35 31 32 30 30 30 30 31 36 30 34 30 31 31 "
"31 32 31 36 30 36 35 30 30 30 32 30 30 36 30 30 30 30 30 31 30 32 30 36 38 37 30 31 39 31 31 39 31 35 38 34 "
"30 31 39 30 39 32 30 30 31 30 30 30 33 32 30 30 30 30 30 31 35 30 30 30 30 30 30 33 34 30 42 41 4E 41 4E 41 "
"20 52 45 50 55 42 4C 49 43 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 54 59 20 50 52 30 36 "
"32 50 38 37 30 30 31 34 50 32 35 30 30 31 33 50 38 38 30 30 31 34 50 35 34 30 30 31 52 50 39 35 30 30 32 30 "
"31 50 36 38 30 32 30 30 33 30 30 30 39 32 37 30 32 30 36 38 37 30 31 39 31 31 39 38 34 30 38 34 30 30 30 39 "
"30 33 39 30 30 33 39 30 39 36 30 43 30 46 31 31 39",
min_length=305,
max_length=600,
fuzzable=True,
num_mutations=100,
)
s_block_end()
mysession_filename = "audits\\iso8385.session2"
# remove session filename if exists
if os.path.isfile(mysession_filename):
os.remove(mysession_filename)
target_ip = "8.8.8.8"
start_cmd = ["MYDI_SID", "030001"]
sess = Session(session_filename=mysession_filename, crash_threshold_element=20)
target = Target(target_ip, 6771)
target.netmon = pedrpc.Client("127.0.0.1", 26001)
target.procmon = pedrpc.Client(target_ip, 26013)
target.procmon_options = {
"proc_name": "SID",
"start_commands": ["/usr/bin/start_sid"],
"stop_commands": ["/usr/bin/kill_sid"],
}
sess.add_target(target)
sess.connect(s_get("allrandom"))
sess.connect(s_get("littlestatic"))
sess.connect(s_get("iso8583ng"))
sess.connect(s_get("nastyiso"))
sess.fuzz()