Headline
NDC Protocol Fuzzer
This python script is a fuzzer for the NDC protocol. The NDC protocol enables international and local payment transactions in cash as well as with bank cards. NDC permit Terminals “ATMS” to send unsolicited requests to the Server "NDC Server". This script sends fuzzed requests to the server in order to discover memory related security flaws.
#! /usr/bin/python# Fuzz NDC protocol# Author Fakhir Karim Reda#[email protected] / www.cyber-defense.mafrom boofuzz import *from binascii import *from struct import *import oss_initialize("ndcallrandom")if s_block_start("elements"): s_random("31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",max_length=7000,fuzzable=True,num_mutations=50)s_block_end()s_initialize("RandomBalance")if s_block_start("elements"): s_random("31311C3030313030303030311C1C30314132453136361C31321C3B3530323236353430303038393030303039323D323730383632303935313F1C1C20444220202041441C3030303030303030303030301C303B36303C37383E34343D37373234311C1C1C1C32313633393130303030303030303030303030303030303030301C551C3543414D30303030384331353946303230363946303330363946314130323935303535463241303239413033394330313946333730343946303230363030303030303030303030303946303330363030303030303030303030303832303231383030354130393530323236353430303038393030303039323546333430313031394633363032303942373946323630384232373436303532423238423634313339463334303330323030303039463237303138303946314530383330333033303330333033303330333139463130303730363031304130334130413030303946303930323030393639463333303336303430453839463141303230363038394633353031313439353035383030303034303030303537304635303232363534303030383930303030393244323730383632303935314635463241303230363038394630383032303039363941303331383130303139463431303430303030333831363942303236303030394330313330394633373034303339363930343539463533303135413946303630374130303030303036333531303130353031303530363836393643363937303730363936453635323034343635363236393734354632303141343534343230343234313532343734313434344632463230323032303230323032303230323032303230323032303230323032303546323430333237303833311C3346463741413835",max_length=1000,fuzzable=True,num_mutations=50)s_block_end()#unsolicitedEjectCard: Buffer.from('31321c3030313030303030311c1c44321c321c313230353030313030301c30', 'hex'), // Buffer.from('12^\001000001^\^\D2^\2^\1205001000^\0', 'ascii').toString('hex')# unsolicitedEjectCardMessage: {# session: undefined,# device: 'cardReader',# deviceStatus: '2',# severities: ['warning'],# diagnosticStatus: '1205001000',# supplies: ['unchanged'],# deviceStatusDescription: 'The mechanism failed to eject the card, which was either captured or jammed',# tokens: ['12', '001000001', '', 'D2', '2', '1205001000', '0']# }#unsolicitedReceiptPaperLow: Buffer.from('31321c3030313030303030311c1c47301c301c303034323030303030301c32313131', 'hex'), // Buffer.from('12^\001000001^\^\G0^\0^\0042000000^\2111', 'ascii').toString('hex')# unsolicitedMessageReceiptPaperLowMessage: {# session: undefined,# device: 'receiptPrinter',# deviceStatus: '0',# severities: ['noError'],# diagnosticStatus: '0042000000',# supplies: ['mediaLow', 'good', 'good', 'good'],# deviceStatusDescription: 'Successful print',# tokens: ['12', '001000001', '', 'G0', '0', '0042000000', '2111']# },s_initialize("unsolicitedDevices")if s_block_start("elements"): s_static("12"); # Message class + sub class s_binary("0x1C"); # Separtor s_static("000"); # Luno code 3 or 9 characters s_binary("0x1C"); # Separtor s_binary("0x1C"); # Separtor #s_binary("D"); #Device Identifier Graphic (DIG). Group("DEVICES_TYPES", values= ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H','I','J','K','L','M']) # All device types s_random("2",min_length=1,max_length=300,fuzzable=True,num_mutations=50); # Device Status s_binary("0x1C"); # Separtor s_random("2",min_length=1,max_length=50,fuzzable=True,num_mutations=30); # error severity s_binary("0x1C"); # Separtor s_random("2",min_length=20,max_length=500,fuzzable=True,num_mutations=100); # Diagnostic Status. s_binary("0x1C"); # Separtor s_random("2",min_length=2,max_length=1000,fuzzable=True,num_mutations=30); # Supplies Status s_binary("0x1C"); # Separtor s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Additional datas s_random("2",min_length=20,max_length=1000,fuzzable=True,num_mutations=50); # Trailer s_block_end()mysession_filename = "audits\\ndc.session"# remove session filename if existsif os.path.isfile(mysession_filename): os.remove(mysession_filename)target_ip = "127.0.0.1"sess = Session(session_filename=mysession_filename,crash_threshold_request=12)target=Target( connection=SocketConnection(target_ip,59269, proto="tcp") )sess.add_target(target)sess.connect(s_get("ndcallrandom"))sess.connect(s_get("RandomBalance"))sess.connect(s_get("unsolicitedDevices"))sess.fuzz()