
NDC Protocol Fuzzer ≈ Mobile Hacker For Hire


#! /usr/bin/python
# Fuzz NDC protocol
# Author Fakhir Karim Reda
#kf@cyber-defense.ma / www.cyber-defense.ma

from boofuzz import *
from binascii import *
from struct import *
import os

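# Request "ndcallrandom": a single random-data field of 0..7000 bytes.
#
# The seed is the hex *text* of a captured NDC message (it begins
# "31 31 1C", i.e. "11" followed by the 0x1C field separator).  It is passed
# as a literal string and is never hex-decoded, so it only serves as the
# field's default value; boofuzz's random-data primitive builds each mutation
# from random bytes of a random length between min_length and max_length.
# NOTE(review): the seed appears to include track-2-formatted and EMV tag
# data - confirm it is synthetic test-card data before this file is shared.
# NOTE(review): if the decoded message was meant to be the seed, it would
# need binascii.unhexlify(); left as in the original - confirm intent.
s_initialize("ndcallrandom")

if s_block_start("elements"):
    # min_length is spelled out because older boofuzz releases declare it as
    # a required positional parameter; 0 matches the newer default.
    s_random(
        "31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",
        min_length=0,
        max_length=7000,
        fuzzable=True,
        num_mutations=50,
    )
s_block_end()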

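# Request "RandomBalance": a single random-data field of 0..1000 bytes.
#
# The seed is the hex *text* of a captured NDC message (it begins
# "31 31 1C", i.e. "11" followed by the 0x1C field separator).  It is passed
# as a literal string and is never hex-decoded, so it only serves as the
# field's default value; boofuzz's random-data primitive builds each mutation
# from random bytes of a random length between min_length and max_length.
# NOTE(review): the seed appears to include track-2-formatted and EMV tag
# data - confirm it is synthetic test-card data before this file is shared.
s_initialize("RandomBalance")

if s_block_start("elements"):
    # min_length is spelled out because older boofuzz releases declare it as
    # a required positional parameter; 0 matches the newer default.
    s_random(
        "31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",
        min_length=0,
        max_length=1000,
        fuzzable=True,
        num_mutations=50,
    )
s_block_end()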

#unsolicitedEjectCard: Buffer.from(‘31321c3030313030303030311c1c44321c321c313230353030313030301c30’, ‘hex’), // Buffer.from(’12^\001000001^\^\D2^\2^\1205001000^\0′, ‘ascii’).toString(‘hex’)
# unsolicitedEjectCardMessage: {
# session: undefined,
# device: ‘cardReader’,
# deviceStatus: ‘2’,
# severities: [‘warning’],
# diagnosticStatus: ‘1205001000’,
# supplies: [‘unchanged’],
# deviceStatusDescription: ‘The mechanism failed to eject the card, which was either captured or jammed’,
# tokens: [’12’, ‘001000001’, ”, ‘D2’, ‘2’, ‘1205001000’, ‘0’]
# }

#unsolicitedReceiptPaperLow: Buffer.from(‘31321c3030313030303030311c1c47301c301c303034323030303030301c32313131’, ‘hex’), // Buffer.from(’12^\001000001^\^\G0^\0^\0042000000^\2111′, ‘ascii’).toString(‘hex’)
# unsolicitedMessageReceiptPaperLowMessage: {
# session: undefined,
# device: ‘receiptPrinter’,
# deviceStatus: ‘0’,
# severities: [‘noError’],
# diagnosticStatus: ‘0042000000’,
# supplies: [‘mediaLow’, ‘good’, ‘good’, ‘good’],
# deviceStatusDescription: ‘Successful print’,
# tokens: [’12’, ‘001000001’, ”, ‘G0’, ‘0’, ‘0042000000’, ‘2111’]
# },

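# Request "unsolicitedDevices": a structured unsolicited status message.
#
# Field layout, as built below (0x1C is the field separator):
#   "12" FS LUNO FS FS <DIG><device status> FS <severity> FS <diagnostic>
#   FS <supplies> FS <additional data><trailer>
# The message-class, LUNO and separator fields are fixed so that a parser
# can get past framing; only the status fields carry random data.
s_initialize("unsolicitedDevices")

if s_block_start("elements"):
    s_static("12")  # Message class + sub-class
    s_binary("0x1C")  # Separator
    s_static("000")  # LUNO code, 3 or 9 characters
    s_binary("0x1C")  # Separator
    s_binary("0x1C")  # Separator
    # Device Identifier Graphic (DIG).  The original called Group(...)
    # directly, which only constructs the primitive and discards it, so the
    # DIG never reached the message; s_group() attaches it to the open block.
    s_group(
        "DEVICES_TYPES",
        values=["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M"],
    )
    s_random("2", min_length=1, max_length=300, fuzzable=True, num_mutations=50)  # Device status
    s_binary("0x1C")  # Separator
    s_random("2", min_length=1, max_length=50, fuzzable=True, num_mutations=30)  # Error severity
    s_binary("0x1C")  # Separator
    s_random("2", min_length=20, max_length=500, fuzzable=True, num_mutations=100)  # Diagnostic status
    s_binary("0x1C")  # Separator
    s_random("2", min_length=2, max_length=1000, fuzzable=True, num_mutations=30)  # Supplies status
    s_binary("0x1C")  # Separator
    # NOTE(review): no separator is emitted between the last two fields;
    # kept as in the original - confirm against the message format.
    s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50)  # Additional data
    s_random("2", min_length=20, max_length=1000, fuzzable=True, num_mutations=50)  # Trailer

s_block_end()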

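# Session state file.  os.path.join yields audits\ndc.session on Windows (the
# original literal) and audits/ndc.session elsewhere, instead of a single
# file whose name contains a backslash.
mysession_filename = os.path.join("audits", "ndc.session")

# Make sure the directory exists, then delete the file left by a previous
# run - presumably so that boofuzz starts from the first test case rather
# than picking up saved state.
session_dir = os.path.dirname(mysession_filename)
if not os.path.isdir(session_dir):
    os.makedirs(session_dir)
if os.path.isfile(mysession_filename):
    os.remove(mysession_filename)

# The target is a listener on the loopback interface, TCP port 59269.
target_ip = "127.0.0.1"

# crash_threshold_request caps how many failures one request may accumulate
# before boofuzz stops fuzzing that request.
sess = Session(session_filename=mysession_filename, crash_threshold_request=12)

# No process monitor or callback is registered on the target, so a failure
# is only noticed through the connection itself; a hang or a corrupted but
# still-responding service would presumably go unrecorded.
# NOTE(review): newer boofuzz releases deprecate SocketConnection in favour
# of TCPSocketConnection; the call is kept as written for the release this
# script was authored against.
target = Target(
    connection=SocketConnection(target_ip, 59269, proto="tcp"),
)
sess.add_target(target)

# Each request is attached directly to the session root, so the three are
# fuzzed independently, in this order.
for request_name in ("ndcallrandom", "RandomBalance", "unsolicitedDevices"):
    sess.connect(s_get(request_name))

sess.fuzz()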
