Finished Association response fuzzer

assFuzzer/IE/fuzzEDCA.c

@@ -0,0 +1,211 @@
+/*
+Fuzzes ht capabilities Information element
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "../frameDefinitions.h"
+
+//Indecates whether the edcaFuzzer is running
+int edcaRunningState = 0;
+
+//Number of fuzzing states
+const int edcaStates =  4;
+//Steps of fuzzers for each fuzzing state
+const int edcaSteps[] =   {1, 2, 32, 32};
+
+//Current state and step of the edcaFuzzer
+int fuzzState;
+int fuzzStep;
+
+void edcaPrintCurrentState()
+{
+    switch (fuzzState)
+    {
+        case 0: 
+        {
+            printf("\e[33mFuzzing edca IE\e[39m\n");
+            printf("Trying 255*0xFF data\n");
+            break;
+        }
+        case 1: 
+        {
+            printf("Fuzzing data\n");
+            break;
+        }
+        case 2: 
+        {
+            printf("Fuzzing lengths with 0xFF data\n");
+            break;
+        }
+        case 3: 
+        {
+            printf("Fuzzing lengths with 0x00 data\n");
+            break;
+        }
+        case 4:
+        {
+            printf("\e[33mDone with fuzzing edca\e[39m\n");
+            break;
+        }
+    }
+}
+
+//Updates edcaFuzzer
+//Status 0 indicates start
+//Status 1 indicates increaseStep
+//Status 2 indicates stop
+//Returns -1 if done with fuzzing
+int edcaFuzzUpdate(int status)
+{
+    switch (status)
+    {
+        case 0: //start fuzzer
+        {
+            edcaRunningState    = 1;
+            fuzzState       = 0;
+            fuzzStep        = 0;
+            edcaPrintCurrentState();
+            break;
+        }
+        case 1: //update fuzzer
+        {
+            if (edcaRunningState == 1) //sanity check
+            {
+                //increase steps until all steps are done
+                if (fuzzStep < edcaSteps[fuzzState]-1)
+                    fuzzStep = fuzzStep + 1;
+                //then increase state and notify
+                else
+                {
+                    fuzzStep = 0;
+                    fuzzState = fuzzState + 1;
+                    edcaPrintCurrentState();
+                }
+                //when all states are done, stop
+                if (fuzzState == edcaStates)
+                {
+                    edcaRunningState = 0;
+                    return -1;
+                }
+            }
+            break;
+        }
+        case 2: //stop fuzzer
+        {
+            edcaRunningState = 0;
+            break;
+        }
+    }
+    return 0;
+}
+
+//Returns an edca information element
+infoElem edcaFuzz()
+{
+    infoElem edca;
+
+    //What to return when not fuzzed
+    if (edcaRunningState == 0)
+    {
+        edca.id = 0;
+        edca.len = 1;
+        edca.len_data = -1;
+        edca.data = "\xab";
+    }
+    else
+    {
+        switch (fuzzState) //update this
+        {
+            case 0:     //255*0xff
+            {
+                edca.id = 12;
+                edca.len = 255;
+                edca.len_data = 255;
+                //create data of 255 times 0xff
+                u_char *data = malloc(255);
+                memset(data, 0xff, 255);
+                edca.data = data;
+                break;
+            }
+            case 1:  //edca data
+            {
+                if (fuzzStep == 0)
+                {
+                    edca.id = 12;
+                    edca.len = 18;
+                    edca.len_data = 18;
+                    edca.data = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+                }
+                else
+                {
+                    edca.id = 12;
+                    edca.len = 18;
+                    edca.len_data = 18;
+                    edca.data = "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
+                }
+                
+                break;
+            } 
+            case 2:  //length with 0xff data
+            {
+                if (fuzzStep < 26)
+                {
+                    int dataSize = fuzzStep;
+
+                    edca.id = 12;
+                    edca.len = dataSize;
+                    edca.len_data = dataSize;
+                    //create data of datasize times 0xff
+                    u_char *data = malloc(dataSize);
+                    memset(data, 0xff, dataSize);
+                    edca.data = data;
+                }
+                else
+                {
+                    int dataSize = 255 - fuzzStep + 26;
+
+                    edca.id = 12;
+                    edca.len = dataSize;
+                    edca.len_data = dataSize;
+                    //create data of datasize times 0xff
+                    u_char *data = malloc(dataSize);
+                    memset(data, 0xff, dataSize);
+                    edca.data = data;
+                }
+                break;
+            } 
+            case 3:  //length with 0x00 data
+            {
+                if (fuzzStep < 26)
+                {
+                    int dataSize = fuzzStep;
+
+                    edca.id = 12;
+                    edca.len = dataSize;
+                    edca.len_data = dataSize;
+                    //create data of datasize times 0x00
+                    u_char *data = malloc(dataSize);
+                    memset(data, 0x00, dataSize);
+                    edca.data = data;
+                }
+                else
+                {
+                    int dataSize = 255 - fuzzStep + 26;
+
+                    edca.id = 12;
+                    edca.len = dataSize;
+                    edca.len_data = dataSize;
+                    //create data of datasize times 0x00
+                    u_char *data = malloc(dataSize);
+                    memset(data, 0x00, dataSize);
+                    edca.data = data;
+                }
+                break;
+            } 
+        }
+    }
+    
+    return edca;
+}

assFuzzer/IE/fuzzEDCA.h

@@ -0,0 +1,10 @@
+#ifndef FUZZEDCA_H_
+#define FUZZEDCA_H_
+
+#include "../frameDefinitions.h"
+
+int edcaFuzzUpdate(int status);
+
+infoElem edcaFuzz();
+
+#endif

assFuzzer/cfuzz.c

@@ -37,7 +37,7 @@ u_char myMAC[6]            =  "\x00\x0a\xeb\x2d\x72\x55";
 //Comment out the SUT
 //u_char sutMAC[6]            =  "\xec\x9b\xf3\x1e\x19\x71"; //Galaxy S6
 //u_char sutMAC[6]            =  "\xcc\xfa\x00\xc9\xfc\xad"; //LG Optimus G
-//u_char sutMAC[6]            =  "\xd0\x17\x6a\xe8\xe9\x7a"; //Galaxy Ace
+u_char sutMAC[6]            =  "\xd0\x17\x6a\xe8\xe9\x7a"; //Galaxy Ace
 //u_char sutMAC[6]            =  "\x12\x42\x2a\x7e\xd4\xe8"; //Orange Pi Zero
 //u_char sutMAC[6]            =  "\x00\x09\xbf\x7d\x6d\xaa"; //Nintendo DS
 //u_char sutMAC[6]            =  "\x00\x01\x4a\x93\xce\x34"; //PSP
@@ -47,7 +47,7 @@ u_char myMAC[6]            =  "\x00\x0a\xeb\x2d\x72\x55";
 //u_char sutMAC[6]            = "\xb8\x27\xeb\xf1\x89\x68"; //RPI 3
 //u_char sutMAC[6]            = "\x84\x00\xd2\xe0\x81\xb2"; //Xperia Ray
 //u_char sutMAC[6]            = "\x54\x60\x09\xf8\xbe\x28"; //Chromecast Audio
-u_char sutMAC[6]            = "\x80\x7d\x3a\x73\x81\xc7"; //Power plug
+//u_char sutMAC[6]            = "\x80\x7d\x3a\x73\x81\xc7"; //Power plug
 
 //Returns filter for libpcap
 //we want to use as many filters here as possible, since libpcap is closer to the hardware than this user-level program
@@ -372,7 +372,7 @@ int main(int argc, char *argv[])
                     u_char *packet = createProbeResponse(sourceAddr, &packetSize, radioTapHeader, myMAC);
                     sendPacket(pcap_h, packet, packetSize);
                     free(packet);      //free allocated memory
-                    waitForACK = 3;
+                    waitForACK = 0;
                     startTimer();
                     break;
                 } 

assFuzzer/fuzzAssResponse.c

@@ -50,6 +50,11 @@ void AssRespPrintCurrentState()
             break;
         }
         case 4:
+        {
+            printf("Fuzzing static elements\n");
+            break;
+        }
+        case 5:
         {
             printf("\e[33mDone with fuzzing AssResp\e[39m\n");
             break;

assFuzzer/fuzzer.c

@@ -11,17 +11,18 @@ Manages what to fuzz when.
 #include "fuzzHTCAPAB.h"
 #include "fuzzHTINFO.h"
 #include "fuzzEXTCAPAB.h"
+#include "fuzzEDCA.h"
 #include "fuzzAssResponse.h"
 //CHANGE WHEN NEW SUBFUZZER
 
 //CHANGE WHEN NEW SUBFUZZER
 //Number of subfuzzers
-#define SUBFUZZERS (5)
+#define SUBFUZZERS (6)
 
 //CHANGE WHEN NEW SUBFUZZER
 //Array of pointers to subfuzzers update functions
 int (*p[SUBFUZZERS]) (int i) = {
-    ratesFuzzUpdate, extratesFuzzUpdate, htcapabFuzzUpdate, htinfoFuzzUpdate, extcapabFuzzUpdate};
+    ratesFuzzUpdate, extratesFuzzUpdate, htcapabFuzzUpdate, htinfoFuzzUpdate, extcapabFuzzUpdate, edcaFuzzUpdate};
 
 //State of sub-fuzzer
 //-1 = Done
@@ -35,8 +36,8 @@ int genFuzzState = -1;
 
 //Current sub-fuzzer
 //Starts with -1 to prevent skipping the first sub-fuzzer
-//int subFuzzerIdx = -1;
-int subFuzzerIdx = 99; //to test generic fuzzing part
+int subFuzzerIdx = -1;
+//int subFuzzerIdx = 99; //to test generic fuzzing part
 
 //Flag to indicate if the done with all subfuzzers notification has been sent
 int notifyDone = 0;

prbFuzzer/cfuzz.c

@@ -36,12 +36,12 @@ u_char myMAC[6]            =  "\x00\x0a\xeb\x2d\x72\x55";
 //Is needed to ignore frames from other devices
 //Comment out the SUT
 //u_char sutMAC[6]            =  "\xec\x9b\xf3\x1e\x19\x71"; //Galaxy S6
-u_char sutMAC[6]            =  "\xcc\xfa\x00\xc9\xfc\xad"; //LG Optimus G
+//u_char sutMAC[6]            =  "\xcc\xfa\x00\xc9\xfc\xad"; //LG Optimus G
 //u_char sutMAC[6]            =  "\xd0\x17\x6a\xe8\xe9\x7a"; //Galaxy Ace
 //u_char sutMAC[6]            =  "\x12\x42\x2a\x7e\xd4\xe8"; //Orange Pi Zero
 //u_char sutMAC[6]            =  "\x00\x09\xbf\x7d\x6d\xaa"; //Nintendo DS
 //u_char sutMAC[6]            =  "\x00\x01\x4a\x93\xce\x34"; //PSP
-//u_char sutMAC[6]            =  "\xe0\xe7\x51\x45\x5e\x5d"; //DSI
+u_char sutMAC[6]            =  "\xe0\xe7\x51\x45\x5e\x5d"; //DSI
 //u_char sutMAC[6]            =  "\x9c\xe6\x35\x2a\x69\x16"; //WII U
 //u_char sutMAC[6]            =  "\x6c\xad\xf8\xc8\x77\xca"; //Chromecast 1
 //u_char sutMAC[6]            = "\xb8\x27\xeb\xf1\x89\x68"; //RPI 3