1
0

fuzzVENDOR.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450
  1. /*
  2. Fuzzes vendor specific Information element
  3. */
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <stdint.h>
  7. #include <string.h>
  8. #include "../frameDefinitions.h"
  9. //Indecates whether the vendorFuzzer is running
  10. int vendorRunningState = 0;
  11. //Number of fuzzing states
  12. const int vendorStates = 17;
  13. //Steps of fuzzers for each fuzzing state
  14. const int vendorSteps[] = {1, 8, 2, 2, 2, 2,2,2,2,2,2,2,2,2,2,2,2};
  15. //Current state and step of the vendorFuzzer
  16. int fuzzState;
  17. int fuzzStep;
  18. void vendorPrintCurrentState()
  19. {
  20. switch (fuzzState)
  21. {
  22. case 0:
  23. {
  24. printf("\e[33mFuzzing vendor IE\e[39m\n");
  25. printf("Trying 255*0xFF data\n");
  26. break;
  27. }
  28. case 1:
  29. {
  30. printf("fuzzing low lengths\n");
  31. break;
  32. }
  33. case 2:
  34. {
  35. printf("fuzzing WMM/WME\n");
  36. break;
  37. }
  38. case 3:
  39. {
  40. printf("fuzzing WPA\n");
  41. break;
  42. }
  43. case 4:
  44. {
  45. printf("fuzzing WPS\n");
  46. break;
  47. }
  48. case 5:
  49. {
  50. printf("fuzzing WPS Version length\n");
  51. break;
  52. }
  53. case 6:
  54. {
  55. printf("fuzzing WPS wpss length\n");
  56. break;
  57. }
  58. case 7:
  59. {
  60. printf("fuzzing WPS model number length\n");
  61. break;
  62. }
  63. case 8:
  64. {
  65. printf("fuzzing WPS response type length\n");
  66. break;
  67. }
  68. case 9:
  69. {
  70. printf("fuzzing WPS uuid length\n");
  71. break;
  72. }
  73. case 10:
  74. {
  75. printf("fuzzing WPS manufacturer length\n");
  76. break;
  77. }
  78. case 11:
  79. {
  80. printf("fuzzing WPS model name length\n");
  81. break;
  82. }
  83. case 12:
  84. {
  85. printf("fuzzing WPS primary device type length\n");
  86. break;
  87. }
  88. case 13:
  89. {
  90. printf("fuzzing WPS device name length\n");
  91. break;
  92. }
  93. case 14:
  94. {
  95. printf("fuzzing WPS config methods length\n");
  96. break;
  97. }
  98. case 15:
  99. {
  100. printf("fuzzing WPS rf bands length\n");
  101. break;
  102. }
  103. case 16:
  104. {
  105. printf("fuzzing WPS vendor extension length\n");
  106. break;
  107. }
  108. case 17:
  109. {
  110. printf("\e[33mDone with fuzzing vendor\e[39m\n");
  111. break;
  112. }
  113. }
  114. }
  115. //Updates vendorFuzzer
  116. //Status 0 indicates start
  117. //Status 1 indicates increaseStep
  118. //Status 2 indicates stop
  119. //Returns -1 if done with fuzzing
  120. int vendorFuzzUpdate(int status)
  121. {
  122. switch (status)
  123. {
  124. case 0: //start fuzzer
  125. {
  126. vendorRunningState = 1;
  127. fuzzState = 0;
  128. fuzzStep = 0;
  129. vendorPrintCurrentState();
  130. break;
  131. }
  132. case 1: //update fuzzer
  133. {
  134. if (vendorRunningState == 1) //sanity check
  135. {
  136. //increase steps until all steps are done
  137. if (fuzzStep < vendorSteps[fuzzState]-1)
  138. fuzzStep = fuzzStep + 1;
  139. //then increase state and notify
  140. else
  141. {
  142. fuzzStep = 0;
  143. fuzzState = fuzzState + 1;
  144. vendorPrintCurrentState();
  145. }
  146. //when all states are done, stop
  147. if (fuzzState == vendorStates)
  148. {
  149. vendorRunningState = 0;
  150. return -1;
  151. }
  152. }
  153. break;
  154. }
  155. case 2: //stop fuzzer
  156. {
  157. vendorRunningState = 0;
  158. break;
  159. }
  160. }
  161. return 0;
  162. }
  163. //Returns an vendor information element
  164. infoElem vendorFuzz()
  165. {
  166. infoElem vendor;
  167. //What to return when not fuzzed
  168. if (vendorRunningState == 0)
  169. {
  170. vendor.id = 0;
  171. vendor.len = 1;
  172. vendor.len_data = -1;
  173. vendor.data = "\xab";
  174. }
  175. else
  176. {
  177. switch (fuzzState) //update this
  178. {
  179. case 0: //255*0xff
  180. {
  181. vendor.id = 221;
  182. vendor.len = 255;
  183. vendor.len_data = 255;
  184. //create data of 255 times 0xff
  185. u_char *data = malloc(255);
  186. memset(data, 0xff, 255);
  187. vendor.data = data;
  188. break;
  189. }
  190. case 1: //short lengths
  191. {
  192. int dataSize = 0 + fuzzStep;
  193. vendor.id = 221;
  194. vendor.len = dataSize;
  195. vendor.len_data = dataSize;
  196. //create data of datasize times 0xFF
  197. u_char *data = malloc(dataSize);
  198. memset(data, 0xFF, dataSize);
  199. vendor.data = data;
  200. break;
  201. }
  202. case 2:
  203. {
  204. if (fuzzStep == 0)
  205. {
  206. vendor.id = 221;
  207. vendor.len = 255;
  208. vendor.len_data = 255;
  209. u_char *data = malloc(255);
  210. memset(data, 0xFF, 255);
  211. data[0] = 0x00; //oui
  212. data[1] = 0x50; //oui
  213. data[2] = 0xf2; //oui
  214. data[3] = 0x02; //type
  215. vendor.data = data;
  216. }
  217. if (fuzzStep == 1)
  218. {
  219. vendor.id = 221;
  220. vendor.len = 4;
  221. vendor.len_data = 4;
  222. vendor.data = "\x00\x50\xf2\x02";
  223. }
  224. break;
  225. }
  226. case 3:
  227. {
  228. if (fuzzStep == 0)
  229. {
  230. vendor.id = 221;
  231. vendor.len = 255;
  232. vendor.len_data = 255;
  233. u_char *data = malloc(255);
  234. memset(data, 0xFF, 255);
  235. data[0] = 0x00; //oui
  236. data[1] = 0x50; //oui
  237. data[2] = 0xf2; //oui
  238. data[3] = 0x01; //type
  239. vendor.data = data;
  240. }
  241. if (fuzzStep == 1)
  242. {
  243. vendor.id = 221;
  244. vendor.len = 4;
  245. vendor.len_data = 4;
  246. vendor.data = "\x00\x50\xf2\x01";
  247. }
  248. break;
  249. }
  250. case 4:
  251. {
  252. if (fuzzStep == 0)
  253. {
  254. vendor.id = 221;
  255. vendor.len = 255;
  256. vendor.len_data = 255;
  257. u_char *data = malloc(255);
  258. memset(data, 0xFF, 255);
  259. data[0] = 0x00; //oui
  260. data[1] = 0x50; //oui
  261. data[2] = 0xf2; //oui
  262. data[3] = 0x04; //type
  263. vendor.data = data;
  264. }
  265. if (fuzzStep == 1)
  266. {
  267. vendor.id = 221;
  268. vendor.len = 4;
  269. vendor.len_data = 4;
  270. vendor.data = "\x00\x50\xf2\x04";
  271. }
  272. break;
  273. }
  274. default:
  275. {
  276. if (fuzzStep == 0)
  277. {
  278. vendor.id = 221;
  279. vendor.len = 255;
  280. vendor.len_data = 255;
  281. u_char *data = malloc(255);
  282. memset(data, 0xFF, 255);
  283. data[0] = 0x00; //oui
  284. data[1] = 0x50; //oui
  285. data[2] = 0xf2; //oui
  286. data[3] = 0x04; //type
  287. switch (fuzzState)
  288. {
  289. case 5:{
  290. data[4] = 0x10; //id
  291. data[5] = 0x4a; //id
  292. break;
  293. }
  294. case 6:{
  295. data[4] = 0x10; //id
  296. data[5] = 0x44; //id
  297. break;
  298. }
  299. case 7:{
  300. data[4] = 0x10; //id
  301. data[5] = 0x24; //id
  302. break;
  303. }
  304. case 8:{
  305. data[4] = 0x10; //id
  306. data[5] = 0x3b; //id
  307. break;
  308. }
  309. case 9:{
  310. data[4] = 0x10; //id
  311. data[5] = 0x47; //id
  312. break;
  313. }
  314. case 10:{
  315. data[4] = 0x10; //id
  316. data[5] = 0x21; //id
  317. break;
  318. }
  319. case 11:{
  320. data[4] = 0x10; //id
  321. data[5] = 0x23; //id
  322. break;
  323. }
  324. case 12:{
  325. data[4] = 0x10; //id
  326. data[5] = 0x54; //id
  327. break;
  328. }
  329. case 13:{
  330. data[4] = 0x10; //id
  331. data[5] = 0x11; //id
  332. break;
  333. }
  334. case 14:{
  335. data[4] = 0x10; //id
  336. data[5] = 0x08; //id
  337. break;
  338. }
  339. case 15:{
  340. data[4] = 0x10; //id
  341. data[5] = 0x3c; //id
  342. break;
  343. }
  344. case 16:{
  345. data[4] = 0x10; //id
  346. data[5] = 0x49; //id
  347. break;
  348. }
  349. }
  350. data[6] = 0x00; //len
  351. data[7] = 247; //len
  352. vendor.data = data;
  353. }
  354. if (fuzzStep == 1)
  355. {
  356. vendor.id = 221;
  357. vendor.len = 255;
  358. vendor.len_data = 255;
  359. u_char *data = malloc(255);
  360. memset(data, 0xFF, 255);
  361. data[0] = 0x00; //oui
  362. data[1] = 0x50; //oui
  363. data[2] = 0xf2; //oui
  364. data[3] = 0x04; //type
  365. switch (fuzzState)
  366. {
  367. case 5:{
  368. data[4] = 0x10; //id
  369. data[5] = 0x4a; //id
  370. break;
  371. }
  372. case 6:{
  373. data[4] = 0x10; //id
  374. data[5] = 0x44; //id
  375. break;
  376. }
  377. case 7:{
  378. data[4] = 0x10; //id
  379. data[5] = 0x24; //id
  380. break;
  381. }
  382. case 8:{
  383. data[4] = 0x10; //id
  384. data[5] = 0x3b; //id
  385. break;
  386. }
  387. case 9:{
  388. data[4] = 0x10; //id
  389. data[5] = 0x47; //id
  390. break;
  391. }
  392. case 10:{
  393. data[4] = 0x10; //id
  394. data[5] = 0x21; //id
  395. break;
  396. }
  397. case 11:{
  398. data[4] = 0x10; //id
  399. data[5] = 0x23; //id
  400. break;
  401. }
  402. case 12:{
  403. data[4] = 0x10; //id
  404. data[5] = 0x54; //id
  405. break;
  406. }
  407. case 13:{
  408. data[4] = 0x10; //id
  409. data[5] = 0x11; //id
  410. break;
  411. }
  412. case 14:{
  413. data[4] = 0x10; //id
  414. data[5] = 0x08; //id
  415. break;
  416. }
  417. case 15:{
  418. data[4] = 0x10; //id
  419. data[5] = 0x3c; //id
  420. break;
  421. }
  422. case 16:{
  423. data[4] = 0x10; //id
  424. data[5] = 0x49; //id
  425. break;
  426. }
  427. }
  428. data[6] = 0xff; //len
  429. data[7] = 0xff; //len
  430. vendor.data = data;
  431. }
  432. break;
  433. }
  434. }
  435. }
  436. return vendor;
  437. }