This python script is a fuzzer for the NDC protocol. The NDC protocol enables international and local payment transactions in cash as well as with bank cards. NDC permit Terminals "ATMS" to send unsolicited requests to the Server "NDC Server". This script sends fuzzed requests to the server in order to discover memory related security flaws.
5f5273c43dc8bb3a4edff6ba5eb375ca9168c43124cbd5198b85dbabec1bc16d
#! /usr/bin/python
# Fuzz NDC protocol
# Author Fakhir Karim Reda
#kf@cyber-defense.ma / www.cyber-defense.ma
from boofuzz import *
from binascii import *
from struct import *
import os
s_initialize("ndcallrandom")
if s_block_start("elements"):
s_random("31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",max_length=7000,fuzzable=True,num_mutations=50)
s_block_end()
s_initialize("RandomBalance")
if s_block_start("elements"):
s_random("31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",max_length=1000,fuzzable=True,num_mutations=50)
s_block_end()
#unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), // Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex')
# unsolicitedEjectCardMessage: {
# session: undefined,
# device: 'cardReader',
# deviceStatus: '2',
# severities: ['warning'],
# diagnosticStatus: '1205001000',
# supplies: ['unchanged'],
# deviceStatusDescription: 'The mechanism failed to eject the card, which was either captured or jammed',
# tokens: ['12', '001000001', '', 'D2', '2', '1205001000', '0']
# }
#unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex')
# unsolicitedMessageReceiptPaperLowMessage: {
# session: undefined,
# device: 'receiptPrinter',
# deviceStatus: '0',
# severities: ['noError'],
# diagnosticStatus: '0042000000',
# supplies: ['mediaLow', 'good', 'good', 'good'],
# deviceStatusDescription: 'Successful print',
# tokens: ['12', '001000001', '', 'G0', '0', '0042000000', '2111']
# },
s_initialize("unsolicitedDevices")
if s_block_start("elements"):
s_static("12"); # Message class + sub class
s_binary("0x1C"); # Separtor
s_static("000"); # Luno code 3 or 9 characters
s_binary("0x1C"); # Separtor
s_binary("0x1C"); # Separtor
#s_binary("D"); #Device Identifier Graphic (DIG).
Group("DEVICES_TYPES", values= ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H','I','J','K','L','M']) # All device types
s_random("2",min_length=1,max_length=300,fuzzable=True,num_mutations=50); # Device Status
s_binary("0x1C"); # Separtor
s_random("2",min_length=1,max_length=50,fuzzable=True,num_mutations=30); # error severity
s_binary("0x1C"); # Separtor
s_random("2",min_length=20,max_length=500,fuzzable=True,num_mutations=100); # Diagnostic Status.
s_binary("0x1C"); # Separtor
s_random("2",min_length=2,max_length=1000,fuzzable=True,num_mutations=30); # Supplies Status
s_binary("0x1C"); # Separtor
s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Additional datas
s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Trailer
s_block_end()
mysession_filename = "audits\\ndc.session"
# remove session filename if exists
if os.path.isfile(mysession_filename):
os.remove(mysession_filename)
target_ip = "127.0.0.1"
sess = Session(session_filename=mysession_filename,crash_threshold_request=12)
target=Target(
connection=SocketConnection(target_ip,59269, proto="tcp")
)
sess.add_target(target)
sess.connect(s_get("ndcallrandom"))
sess.connect(s_get("RandomBalance"))
sess.connect(s_get("unsolicitedDevices"))
sess.fuzz()