This is a short message to release an IP/ICMPv4 fuzzer, destinated for UTesting, and else.
I'd like to thanks Philippe Biondi for making such a library as scapy
In this example we go deep as layer 3 fuzzing, thanks scapy, we fuzz IP and ICMP by disassembling the packet in bytes, and modifing it, and then joining it and sending back
You can simply capture a ping echo (for example) you sended and then fuzz it, you will need to replace the checksum bytes by 00 00 always, for more information :
http://www.networksorcery.com/enp/protocol/ip.htm
http://www.networksorcery.com/enp/protocol/icmp.htm
You can easily adapt this fuzzer to any kind of networking fuzzing.
Dont forget it's a prototype, and i ASSUME you know what you're doing, do not ask for help.
As blogger is not python friendly: http://pastebin.com/f5c536013
Have fun with this concept :)

#!/usr/bin/python
# Python 2 script (print statements, str-as-bytes, str.encode("hex")).
# Layout below is reconstructed from a whitespace-mangled paste; tokens are unchanged.
import random, sys,logging,os
from random import *
from scapy.all import *
# `struct` is used below but never imported here; presumably it arrives via
# the scapy star-import -- NOTE(review): confirm, or import it explicitly.
# Level 1 is below DEBUG, so scapy logging is effectively fully verbose.
logging.getLogger("scapy").setLevel(1)
##fuzzer core##
# Packet representation used throughout: a list with one str per original
# byte (see the `ip`/`icmp` literals below).  Mutators copy the list, edit
# slots by index, print what they did, and return the copy.  Because some
# mutators store multi-byte strings in a single slot, later index-based
# edits and the null scans operate per slot, not per byte; ''.join()
# flattens the list back to wire bytes.
def onerand(packet):
    """Overwrite one random slot with one random byte value (0-255)."""
    pack = packet[:]
    byte = str(chr(choice(range(256))))
    pack[choice(range(len(packet)))]= byte
    print "fuzzing rand byte:%s\n\n" % (byte.encode("hex"))
    return pack
def doublerand(packet):
    """Overwrite two independently chosen slots (may coincide) with random bytes."""
    pack = packet[:]
    byte = str(chr(choice(range(256))))
    byte2 = str(chr(choice(range(256))))
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte2
    print "fuzzing rand byte:%s byte2:%s\n\n" % (byte.encode("hex"),byte2.encode("hex"))
    return pack
def longrand(packet):
    """Replace one slot with the same random byte repeated 0-599 times.

    lon may be 0, in which case the slot becomes an empty string and the
    joined packet shrinks by one byte.
    """
    pack = packet[:]
    byte = str(chr(choice(range(256))))
    lon = randrange(0,600)
    pack[choice(range(len(packet)))]= byte*lon
    print "fuzzing rand byte:%s len:%s\n\n" % (byte.encode("hex"),lon)
    return pack
def longerrand(packet):
    """Write one random byte into one slot and a 0-599 byte run of it into another."""
    pack = packet[:]
    byte = str(chr(choice(range(256))))
    lon = randrange(0,600)
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte*lon
    print "fuzzing rand byte:%s len:%s\n\n" % (byte.encode("hex"),lon)
    return pack
def longerrandnull(packet):
    """Like longerrand, but the long run is the byte followed by 0-599 NUL bytes."""
    pack = packet[:]
    byte = str(chr(choice(range(256))))
    lon = randrange(0,600)
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte+"\x00"*lon
    print "fuzzing rand byte:%s len:%s\n\n" % (byte.encode("hex"),lon)
    return pack
def opnum(packet):
    """Overwrite one random slot with \\x00 or \\x01 (range(0,2))."""
    pack = packet[:]
    byte = str(chr(choice(range(0,2))))
    pack[choice(range(len(packet)))]= byte
    print "fuzzing opnum:%s\n\n" % (byte.encode("hex"))
    return pack
def doubleopnum(packet):
    """Overwrite two random slots, each with \\x00 or \\x01."""
    pack = packet[:]
    byte = str(chr(choice(range(0,2))))
    byte2 = str(chr(choice(range(0,2))))
    pack[choice(range(len(packet)))]= byte
    pack[choice(range(len(packet)))]= byte2
    print "fuzzing opnum:%s et opnum no-2:%s\n\n" % (byte.encode("hex"),byte2.encode("hex"))
    return pack
def remove1(packet):
    """Drop one slot and return the shortened list.

    NOTE(review): randrange(0, len(pack)-1) excludes index len(pack)-1, so
    the last slot is never removed.
    """
    pack = packet[:]
    i = randrange(0, len(pack)-1)
    b = pack[:i] + pack[i+1:]
    print "remove one char fuzz, removed :%s"%(pack[i].encode("hex"))
    return b
def changenull(packet):
    """Replace one slot that holds exactly '\\x00' with a random byte.

    NOTE(review): choice(null) raises IndexError when no slot equals '\\x00'
    (e.g. after earlier mutations consumed them); there is no guard.
    """
    pack = packet[:]
    null = [i for i in range(len(pack)) if pack[i] == '\x00']
    byte = str(chr(choice(range(256))))
    pack[choice(null)] = byte
    print "replaced one null by a %s"%(byte.encode("hex"))
    return pack
def removenull(packet):
    """Delete one slot that holds exactly '\\x00'.

    NOTE(review): `num` and the deleted index are drawn by two separate
    choice(null) calls, so the printed index may not be the one removed.
    Raises IndexError if there are no '\\x00' slots.
    """
    pack = packet[:]
    null = [i for i in range(len(pack)) if pack[i] == '\x00']
    num = choice(null)
    del pack[choice(null)]
    print "deleted null no-:%s"%(num)
    return pack
def randfunc(packet):
    """Apply one mutator drawn from the full ("HARD") set, including the length-changing ones."""
    func = choice([onerand,doublerand,longrand,longerrand,longerrandnull,removenull,changenull,remove1,doubleopnum,opnum])
    print "using %s fuzzing type (HARD)"%(func.__name__)
    return func(packet)
def zenfunc(packet):
    """Apply one mutator from the milder ("ZEN") set: single-slot edits and one-slot removals only."""
    func = choice([onerand,removenull,changenull,remove1,doubleopnum,opnum])
    print "using %s fuzzing type (ZEN)"%(func.__name__)
    return func(packet)
##End fuzzer core##
# Seed packets as hex dumps, one str per byte.  Line breaks inside the
# triple-quoted strings matter: .split() must yield two-character tokens.
# Per the note above, both checksum fields are already zeroed in the dumps.
# IPv4 header: 0x4e = version 4, IHL 14 (56 bytes incl. options), proto 01 (ICMP).
ip = [chr(int(a, 16)) for a in """4e fe 01 08 00 00 40 00 fa 01 00 00 c0 a8 02 64
c0 a8 02 65 44 24 0d 01 c0 a8 02 64 04 80 30 77
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00""".split()]
# ICMP echo request (type 08, code 00) with a space-filled payload.
icmp = [chr(int(a, 16)) for a in """08 00 00 00 00 00 00 04 75 54 08 4b 00 00 00 00
04 6b 0d 00 00 00 00 00 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20""".split()]
def longueur(payload):
    """Rewrite slots 2:4 (IPv4 Total Length) with the joined byte length, big-endian.

    struct.pack(">i") gives four bytes; [2:4] keeps the low 16 bits.
    Lengths above 0xffff are silently truncated.
    """
    length = struct.pack(">i", len(''.join(payload)))
    a= length[2:4]
    pack = payload[:]
    pack[2:4]= a
    return pack
def OpIP(packet):
    """Intended IPv4 version/protocol mutator; the two writes are commented out,
    so it currently only prints and returns an unmodified copy.  Not referenced
    by randfunc/zenfunc."""
    pack = packet[:]
    num = str(chr(choice(range(1,9))))
    num1 = str(chr(choice(range(0,150))))
    #pack[0] = num
    #pack[9] = num1
    print "fuzzing version OPNUM no-:%s and nh OPNUM no-:%s"%(num.encode("hex"),num1.encode("hex"))
    return pack
def OpIcmp(packet):
    """Overwrite slot 0 (ICMP Type) with a value in range(0,42).  Not referenced by randfunc/zenfunc."""
    pack = packet[:]
    num = str(chr(choice(range(0,42))))
    pack[0] = num
    print "fuzzing ICMP OPNUM no-:%s"%(num.encode("hex"))
    return pack
##checksum calculation and replacement##
##checksum() ripped from scapy, hard to do better...
def checksum(pkt):
    """Internet checksum: one's-complement sum of big-endian 16-bit words, carries folded.

    Odd-length input is padded with one NUL byte.  Returns an int in 0..0xffff.
    `len(pkt)/2` relies on Python 2 integer division.
    """
    pkt=str(pkt)
    s=0
    if len(pkt) % 2 == 1:
        pkt += "\0"
    for i in range(len(pkt)/2):
        s = s + (struct.unpack("!H",pkt[2*i:2*i+2])[0])
    s = (s >> 16) + (s & 0xffff)
    s += s >> 16
    return ~s & 0xffff
##/checksum() ripped from scapy, hard to do better...
def add_checksum(packet):
    """Compute the checksum over the whole joined list and store it in slots 2:4 (ICMP Checksum).

    The sum covers whatever slots 2:4 currently hold; the input is expected
    to have them zeroed (see the note at the top).  If a mutator already
    touched those slots the stored value will not verify.
    """
    a = struct.pack(">i",checksum(''.join(packet)))
    b = a[2:4]
    pack = packet[:]
    pack[2:4]=b
    return pack
def add_ip_checksum(packet):
    """Store the checksum of the whole joined list in slots 10:12 (IPv4 Header Checksum).

    NOTE(review): the caller passes the header plus the ICMP payload, so the
    sum spans more than the IPv4 header; an IPv4 header checksum normally
    covers the header only, so receivers may reject the frame before it
    reaches the code under test.
    """
    a = struct.pack(">i",checksum(''.join(packet)))
    b = a[2:4]
    pack = packet[:]
    pack[10:12]=b
    return pack
##checksum calculation and replacement##
### snort is an example of hookin' a prog in your fuzzin'
# Crash detector for the process under test: os.system() returns the exit
# status of `pidof snort` (0 while it runs), not a pid, despite the name.
# The loop runs as long as that status stays the same as at start-up.
pid = os.system("pidof snort")
while os.system("pidof snort") == pid:
    # Mild mutation on the IP header, hard mutation on the ICMP part, then
    # fix up Total Length and the two checksum fields.
    a = longueur(zenfunc(ip)+add_checksum(randfunc(icmp)))
    b = ''.join(add_ip_checksum(a))
    # Raw bytes behind an Ethernet broadcast header (EtherType 0x0800 = IPv4),
    # sent at layer 2 so scapy does not reparse or re-checksum the payload.
    packet = (Ether(dst="ff:ff:ff:ff:ff:ff",type=0x0800)/b)
    print "packet IP:%s\n\n"%(b.encode("hex"))
    sendp(packet)
##enjoy !