#!/usr/bin/python
import random, sys,logging,os
from random import *
from scapy.all import *
logging.getLogger("scapy").setLevel(1)

##fuzzer core##
def onerand(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(256))))
    pack[choice(range(len(packet)))]= byte
    print "fuzzing rand byte:%s\n" % (byte.encode("hex"))
    return pack

def doublerand(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(256))))
    byte2 = str(chr(choice(range(256))))
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte2
    print "fuzzing rand byte:%s byte2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
    return pack

def longrand(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(256))))
    lon = randrange(0,600)
    pack[choice(range(len(packet)))]= byte*lon
    print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
    return pack

def longerrand(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(256))))
    lon = randrange(0,600)
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte*lon
    print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
    return pack

def longerrandnull(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(256))))
    lon = randrange(0,600)
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte+"\x00"*lon
    print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
    return pack

def opnum(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(0,2))))
    pack[choice(range(len(packet)))]= byte
    print "fuzzing opnum:%s\n" % (byte.encode("hex"))
    return pack

def doubleopnum(packet):
    pack  = packet[:]
    byte = str(chr(choice(range(0,2))))
    byte2 = str(chr(choice(range(0,2))))
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte2
    print "fuzzing opnum:%s et opnum no-2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
    return pack

def remove1(packet):
    pack  = packet[:]
    i = randrange(0, len(pack)-1)
    b = pack[:i] + pack[i+1:]
    print "remove one char fuzz, removed :%s"%(pack[i].encode("hex"))
    return b

def changenull(packet):
    pack = packet[:]
    null = [i for i in range(len(pack)) if pack[i] == '\x00']
    byte = str(chr(choice(range(256))))
    pack[choice(null)] = byte
    print "replaced one null by a %s"%(byte.encode("hex"))
    return pack


def removenull(packet):
    pack = packet[:]
    null = [i for i in range(len(pack)) if pack[i] == '\x00']
    num = choice(null)
    del pack[choice(null)]
    print "deleted null no-:%s"%(num)
    return pack

def randfunc(packet):
    func = choice([onerand,doublerand,longrand,longerrand,longerrandnull,removenull,changenull,remove1,doubleopnum,opnum])
    print "using %s fuzzing type (HARD)"%(func.__name__) 
    return func(packet)

def zenfunc(packet):
    func = choice([onerand,removenull,changenull,remove1,doubleopnum,opnum])
    print "using %s fuzzing type (ZEN)"%(func.__name__) 
    return func(packet)

##End fuzzer core##

ip = [chr(int(a, 16)) for a in """
4e fe 01 08 00 00 40 00 fa 01 00 00 c0 a8 02 64
c0 a8 02 65 44 24 0d 01 c0 a8 02 64 04 80 30 77
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00""".split()]

icmp = [chr(int(a, 16)) for a in """
08 00 00 00 00 00 00 04 75 54 08 4b 00 00 00 00
04 6b 0d 00 00 00 00 00 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
""".split()]

def longueur(payload):
   length = struct.pack(">i", len(''.join(payload)))
   a= length[2:4]
   pack = payload[:]
   pack[2:4]= a
   return pack

def OpIP(packet):
    pack = packet[:]
    num = str(chr(choice(range(1,9))))
    num1 = str(chr(choice(range(0,150))))
    #pack[0] = num
    #pack[9] = num1
    print "fuzzing version OPNUM no-:%s and nh OPNUM no-:%s"%(num.encode("hex"),num1.encode("hex"))
    return pack   

def OpIcmp(packet):
    pack = packet[:]
    num = str(chr(choice(range(0,42))))
    pack[0] = num
    print "fuzzing ICMP OPNUM no-:%s"%(num.encode("hex"))
    return pack 

##checksum calculation and replacement##
##checksum() ripped from scapy, hard to do better...
def checksum(pkt):
    pkt=str(pkt)
    s=0
    if len(pkt) % 2 == 1:
        pkt += "\0"
    for i in range(len(pkt)/2):
        s = s +  (struct.unpack("!H",pkt[2*i:2*i+2])[0])
    s = (s >> 16) + (s & 0xffff)
    s += s >> 16
    return  ~s & 0xffff
##/checksum() ripped from scapy, hard to do better...

def add_checksum(packet):
    a = struct.pack(">i",checksum(''.join(packet)))
    b =  a[2:4]
    pack = packet[:]
    pack[2:4]=b
    return pack

def add_ip_checksum(packet):
    a = struct.pack(">i",checksum(''.join(packet)))
    b =  a[2:4]
    pack = packet[:]
    pack[10:12]=b
    return pack

##checksum calculation and replacement##

### snort is an example of hookin' a prog in your fuzzin'

pid = os.system("pidof snort")
while os.system("pidof snort") == pid:

    a = longueur(zenfunc(ip)+add_checksum(randfunc(icmp)))
    b = ''.join(add_ip_checksum(a))
    packet = (Ether(dst="ff:ff:ff:ff:ff:ff",type=0x0800)/b) 
    print "packet IP:%s\n"%(b.encode("hex"))
    sendp(packet)

    ##enjoy !