Date: Wed, 5 Jul 2006 13:14:03 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 100626 for review Message-ID: <200607051314.k65DE3h4032651@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=100626 Change 100626 by clem1@clem1_ipv6vulns on 2006/07/05 13:14:00 Some improvements around icmpsicng and random ipv6 address generation. Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#3 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#4 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#4 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/tcpsicng.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/udpsicng.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#3 (text+ko) ==== @@ -1,4 +1,13 @@ -ISICNG (v0.0.2) 04/07/03, by Clément Lecigne (clem1@FreeBSD.org) +ISICNG (v0.0.3) 06/07/05, by Clément Lecigne (clem1@FreeBSD.org) + + o randipv6() improvements + o -L number of link local random ipv6 addresses (in percent) + o -A number of site local random ipv6 addresses (in percent) + o with special icmp6 messages (ie. toobig, unreach) icmpsicng + will generate a random ipv6 packet as data... especially for + *6_ctlinput() functions fuzzing. + +ISICNG (v0.0.2) 06/07/04, by Clément Lecigne (clem1@FreeBSD.org) o Some new feature added to icmpsicng.c o new parameters related to packet size @@ -8,7 +17,7 @@ o bug fix around checksum calculation. -ISICNG (v0.0.1) 03/07/03, by Clément Lecigne (clem1@FreeBSD.org) +ISICNG (v0.0.1) 06/07/03, by Clément Lecigne (clem1@FreeBSD.org) o Port of all *sic.c to IPv6 isicng.c supports IPv6 and extension headers fuzzing. ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#4 (text+ko) ==== @@ -60,6 +60,7 @@ int src_ip_rand = 0, dst_ip_rand = 0, dst_ok = 0, what; struct timeval tv, tv2; float sec; + unsigned int wwait; unsigned int cx = 0; u_long max_pushed = 10240; /* 10MB/sec */ u_long num_to_send = 0xffffffff; /* Send 4billion packets */ @@ -81,23 +82,33 @@ float RT = 15; float NI = 15; float IcmpOpt = 0; + float Llocal = 10; + float Slocal = 5; maxsize = 1279; minsize = 128; multiple = 1; + wwait = 500; /* wait microseconds between each write() */ + /* Not crypto strong randomness but we don't really care. And this * * gives us a way to determine the seed while the program is running * * if we need to repeat the results */ seed = getpid(); - while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:")) != EOF) + while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:w:L:A:")) != EOF) { switch (c) { case 'i': device = optarg; break; + case 'L': + Llocal = atof(optarg); + break; + case 'A': + Slocal = atof(optarg); + break; case 'T': TooBig = atof(optarg); break; @@ -134,6 +145,9 @@ case 'K': multiple = atoi(optarg); break; + case 'w': + wwait = atoi(optarg); + break; case 'h': usage(argv[0]); exit(0); @@ -301,6 +315,8 @@ ND = ND / 100 + MLD; RT = RT / 100 + ND; NI = NI / 100 + RT; + Llocal /= 100; + Slocal = Slocal / 100 + Llocal; /************* * Main Loop * @@ -319,9 +335,9 @@ tc = rand() & 0xff; if (src_ip_rand == 1) - ip_src = randipv6(); + ip_src = randipv6(Llocal, Slocal); if (dst_ip_rand == 1) - ip_dst = randipv6(); + ip_dst = randipv6(Llocal, Slocal); if (rand() <= (RAND_MAX * BadIPVer)) ver = rand() & 0xf; @@ -370,6 +386,11 @@ icmp->icmp_mtu = rand(); off += 8; payload_s -= 8; + if(rand() % 5){ + cx = makepkt(buf + off, ip_dst, ip_src); + off += cx; + payload_s -= cx; + } } else if (what <= (RAND_MAX * Redir)) { @@ -383,10 +404,14 @@ else icmp->icmp_target2[c] = rand() & 0xff; } - icmp->icmp_dst = randipv6(); + icmp->icmp_dst = randipv6(Llocal, Slocal); off += 36; payload_s -= 36; - + if(rand() % 5){ + cx = makepkt(buf + off, ip_dst, ip_src); + off += cx; + payload_s -= cx; + } } else if (what <= (RAND_MAX * Echo)) { @@ -403,6 +428,11 @@ icmp->icmp_unused = (rand() % 2) ? 0 : rand(); off += 8; payload_s -= 8; + if(rand() % 5){ + cx = makepkt(buf + off, ip_dst, ip_src); + off += cx; + payload_s -= cx; + } } else if (what <= (RAND_MAX * MLD)) { @@ -514,6 +544,7 @@ if (skip <= acx) { for (cx = 0; cx < repeat; cx++) { + usleep(wwait); #ifdef LIBNET_BSDISH_OS c = libnet_write_link(l, buf, off + payload_s); #else /* !BSD */ @@ -546,7 +577,6 @@ - (tv.tv_usec - tv2.tv_usec) / 1000000.0; if ((datapushed / sec) >= max_pushed) usleep(10); /* 10 should give up our timeslice */ - sleep(1); } @@ -562,7 +592,88 @@ return (0); } +u_int32_t makepkt(char *payload, struct libnet_in6_addr ip_src, + struct libnet_in6_addr ip_dst) +{ + struct libnet_ipv6_hdr *ip6; + u_int32_t off = 0; + + ip6 = (struct libnet_ipv6_hdr *)(payload); + ip6->ip_flags[0] = 6 << 4; + ip6->ip_flags[1] = ((rand() & 0x0F) << 4) | ((rand() & 0xF0000) >> 16); + ip6->ip_flags[2] = (rand() & 0x0FF00 >> 8); + ip6->ip_flags[3] = (rand() & 0x000FF); + ip6->ip_hl = rand() & 0xff; + memcpy(&ip6->ip_src, &ip_src, 16); + memcpy(&ip6->ip_dst, &ip_dst, 16); + + off += 40; + + switch(rand() % 4) + { + case 0: + { + /* tcp header */ + struct tcphdr *tcp = (struct tcphdr *)(payload + off); + ip6->ip_nh = IPPROTO_TCP; + ip6->ip_len = LIBNET_TCP_H + rand() % 0xFF; + + tcp->th_off = rand() & 0xf; + tcp->th_sport = rand() & 0xffff; + tcp->th_dport = rand() & 0xffff; + tcp->th_seq = ((rand() & 0xffff) << 8) | (rand() & 0xffff); + tcp->th_ack = ((rand() & 0xffff) << 8) | (rand() & 0xffff); + tcp->th_x2 = rand() & 0xf; /* 4bit */ + tcp->th_flags = rand() & 0xff; + tcp->th_win = rand() & 0xffff; + tcp->th_sum = rand() & 0xffff; + tcp->th_urp = rand() & 0xffff; + + off += 20; + break; + } + case 1: + { + /* udp header */ + struct udphdr *udp = (struct udphdr *)(payload + off); + ip6->ip_nh = IPPROTO_UDP; + ip6->ip_len = LIBNET_UDP_H + rand() % 0xff; + + udp->uh_sport = rand() & 0xffff; + udp->uh_dport = rand() & 0xffff; + udp->uh_ulen = rand() & 0xffff; + udp->uh_sum = rand() & 0xffff; + + off += 8; + break; + } + case 2: + { + /* icmp header */ + struct libnet_icmpv6_hdr *icmp = + (struct libnet_icmpv6_hdr *)(payload + off); + ip6->ip_nh = IPPROTO_ICMP6; + ip6->ip_len = LIBNET_ICMPV6_H + rand() % 0xff; + icmp->icmp_type = rand() & 0xff; + icmp->icmp_code = rand() & 0xff; + icmp->icmp_sum = rand() & 0xffff; + off += 4; + break; + } + case 3: + /* + * XXX : extension header support + */ + ip6->ip_nh = rand() & 0xff; + ip6->ip_len = rand() & 0xffff; + break; + default: + break; + } + return (off); +} + void usage(u_char *name) { fprintf(stderr, @@ -574,10 +685,11 @@ #endif " [-r seed] [-m <max kB/s to generate>]\n" " [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n" - " [-z <minsize>] [-Z <maxsize>] [-K <size multiple>]\n" + " [-z <minsize>] [-Z <maxsize>] [-K <size multiple>] [-w <wait time in ms>]\n" "\n" " Percentage Opts: [-F frags] [-V Bad IP Version]\n" " [-H hop limit] [-I Bad checksum]\n" + " [-L linklocal addr] [-A sitelocal addr]\n" " [-P IcmpOpt]\n" " [-T Toobig] [-R Redirect] [-E Echo]\n" " [-U Unreach] [-M MLD] [-O Router]\n" @@ -618,7 +730,7 @@ exit(0); } -struct libnet_in6_addr randipv6(void) +struct libnet_in6_addr randipv6(float Llocal, float Slocal) { char *ip, *p; int i; @@ -629,8 +741,19 @@ exit(EXIT_FAILURE); } for(i = 0; i < 8; i++){ + if (i == 0) + { + if (rand() <= (RAND_MAX * Llocal)) + { + p += sprintf(p, "fe80:"); + continue; + }else if (rand() <= (RAND_MAX * Slocal)){ + p += sprintf(p, "fec0:"); + continue; + } + } p += sprintf(p, "%x", rand() % 0xffff); - if(i != 7) p += sprintf(p, ":"); + if (i != 7) p += sprintf(p, ":"); } ip6 = libnet_name2addr6(NULL, ip, 0); free(ip); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#4 (text+ko) ==== @@ -72,6 +72,8 @@ float AhPct = 10; float BadIPVer = 10; float IPLength = 20; + float Llocal = 10; + float Slocal = 5; int MaxEHdr = 10; /* Not crypto strong randomness but we don't really care. And this * @@ -79,8 +81,7 @@ * if we need to repeat the results */ seed = getpid(); - - while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:O:E:M:H:R:A:vx:S:D:")) != EOF) + while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:O:E:M:H:R:A:vx:S:D:L:Q:")) != EOF) { switch (c) { @@ -91,6 +92,12 @@ case 'i': device = optarg; break; + case 'L': + Llocal = atof(optarg); + break; + case 'Q': + Slocal = atof(optarg); + break; case 'd': dst_ok = 1; /* just to pass sanity checks */ if (strncmp(optarg, "rand", sizeof("rand")) == 0) @@ -271,6 +278,8 @@ EspPct /= 100; AhPct /= 100; IPLength /= 100; + Llocal /= 100; + Slocal = Slocal / 100 + Llocal; @@ -290,9 +299,9 @@ tc = rand() & 0xff; if (src_ip_rand == 1) - ip_src = randipv6(); + ip_src = randipv6(Llocal, Slocal); if (dst_ip_rand == 1) - ip_dst = randipv6(); + ip_dst = randipv6(Llocal, Slocal); if (rand() <= (RAND_MAX * BadIPVer)) ver = rand() & 0xffff; @@ -489,6 +498,7 @@ " [-m <max kB/s to generate>] [-M <max ext header>]\n" " Percentage Opts: [-F <frags>] [-R <routing>] [-H <hopbyhop>]\n" " [-O <dstopts>] [-E <ipsecesp> [-A <ipsecah> ]\n" + " [-L <linklocal addr>] [-A <sitelocal addr>]\n" " [-V <Bad IP Version>]\n" " [-I <Random IP Header length>]\n" "notes:\n" @@ -508,7 +518,7 @@ : (char *) rindex(name, '/') + 1); } -struct libnet_in6_addr randipv6(void) +struct libnet_in6_addr randipv6(float Llocal, float Slocal) { char *ip, *p; int i; @@ -519,8 +529,19 @@ exit(EXIT_FAILURE); } for(i = 0; i < 8; i++){ + if (i == 0) + { + if (rand() <= (RAND_MAX * Llocal)) + { + p += sprintf(p, "fe80:"); + continue; + }else if (rand() <= (RAND_MAX * Slocal)){ + p += sprintf(p, "fec0:"); + continue; + } + } p += sprintf(p, "%x", rand() % 0xffff); - if(i != 7) p += sprintf(p, ":"); + if (i != 7) p += sprintf(p, ":"); } ip6 = libnet_name2addr6(NULL, ip, 0); free(ip); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.h#2 (text+ko) ==== @@ -13,4 +13,5 @@ void usage(u_char *); void sighandler(int); -struct libnet_in6_addr randipv6(void); +struct libnet_in6_addr randipv6(float, float); +u_int32_t makepkt(char *, struct libnet_in6_addr, struct libnet_in6_addr); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/tcpsicng.c#2 (text+ko) ==== @@ -71,6 +71,8 @@ float UrgPct = 30; float TCPOptsPct= 50; float TCPCksm = 10; + float Llocal = 10; + float Slocal = 5; @@ -79,7 +81,7 @@ * if we need to repeat the results */ seed = getpid(); - while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:u:T:t:vx:")) != EOF) + while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:u:T:t:vx:L:A:")) != EOF) { switch (c) { @@ -90,6 +92,12 @@ usage(argv[0]); exit(0); break; + case 'L': + Llocal = atof(optarg); + break; + case 'A': + Slocal = atof(optarg); + break; case 'd': dst_ok = 1; if ((tmp_port = index(optarg, ',')) != NULL) @@ -277,6 +285,8 @@ UrgPct /= 100; TCPOptsPct /= 100; TCPCksm /= 100; + Llocal /= 100; + Slocal = Slocal / 100 + Llocal; @@ -295,9 +305,9 @@ tc = rand() & 0xff; if (src_ip_rand == 1) - ip_src = randipv6(); + ip_src = randipv6(Llocal, Slocal); if (dst_ip_rand == 1) - ip_dst = randipv6(); + ip_dst = randipv6(Llocal, Slocal); if (rand() <= (RAND_MAX * BadIPVer)) ver = rand() & 0xf; @@ -452,6 +462,7 @@ " [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n" "\n" " Percentage Opts: [-F frags] [-V <Bad IP Version>]\n" + " [-L <linklocal addr>] [-A <sitelocal addr>]\n" " [-T <TCP Options>] [-u <urgent data>] [-t <TCP Cksm>]\n" "\n" " [-v] causes packet info to be printed out -- DEBUGGING\n\n" @@ -489,7 +500,7 @@ exit(0); } -struct libnet_in6_addr randipv6(void) +struct libnet_in6_addr randipv6(float Llocal, float Slocal) { char *ip, *p; int i; @@ -500,8 +511,19 @@ exit(EXIT_FAILURE); } for(i = 0; i < 8; i++){ + if (i == 0) + { + if (rand() <= (RAND_MAX * Llocal)) + { + p += sprintf(p, "fe80:"); + continue; + }else if (rand() <= (RAND_MAX * Slocal)){ + p += sprintf(p, "fec0:"); + continue; + } + } p += sprintf(p, "%x", rand() % 0xffff); - if(i != 7) p += sprintf(p, ":"); + if (i != 7) p += sprintf(p, ":"); } ip6 = libnet_name2addr6(NULL, ip, 0); free(ip); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/udpsicng.c#2 (text+ko) ==== @@ -69,6 +69,8 @@ float FragPct = 30; float BadIPVer = 10; float UDPCksm = 5; + float Llocal = 10; + float Slocal = 5; dst_prt = src_prt = 0; @@ -77,13 +79,19 @@ * if we need to repeat the results */ seed = getpid(); - while((c = getopt(argc, argv, "hd:s:i:r:m:k:D:S:p:V:F:U:vx:")) != EOF) + while((c = getopt(argc, argv, "hd:s:i:r:m:k:D:S:p:V:F:U:A:L:vx:")) != EOF) { switch (c) { case 'i': device = optarg; break; + case 'L': + Llocal = atof(optarg); + break; + case 'A': + Slocal = atof(optarg); + break; case 'h': usage(argv[0]); exit(EXIT_SUCCESS); @@ -261,6 +269,8 @@ BadIPVer /= 100; FragPct /= 100; UDPCksm /= 100; + Llocal /= 100; + Slocal = Slocal / 100 + Llocal; /************* * Main Loop * @@ -276,9 +286,9 @@ tc = rand() & 0xff; if (src_ip_rand == 1) - ip_src = randipv6(); + ip_src = randipv6(Llocal, Slocal); if (dst_ip_rand == 1) - ip_dst = randipv6(); + ip_dst = randipv6(Llocal, Slocal); if (rand() <= (RAND_MAX * BadIPVer)) ver = rand() & 0xf; @@ -416,6 +426,7 @@ " [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n" "\n" " Percentage Opts: [-F frags] [-V <Bad IP Version>]\n" + " [-L linklocal addr] [-A sitelocal addr]\n" " [-U <UDP Checksum>]\n" "\n" " [-v] causes packet info to be printed out -- DEBUGGING\n\n" @@ -453,7 +464,7 @@ exit(0); } -struct libnet_in6_addr randipv6(void) +struct libnet_in6_addr randipv6(float Llocal, float Slocal) { char *ip, *p; int i; @@ -464,8 +475,19 @@ exit(EXIT_FAILURE); } for(i = 0; i < 8; i++){ + if (i == 0) + { + if (rand() <= (RAND_MAX * Llocal)) + { + p += sprintf(p, "fe80:"); + continue; + }else if (rand() <= (RAND_MAX * Slocal)){ + p += sprintf(p, "fec0:"); + continue; + } + } p += sprintf(p, "%x", rand() % 0xffff); - if(i != 7) p += sprintf(p, ":"); + if (i != 7) p += sprintf(p, ":"); } ip6 = libnet_name2addr6(NULL, ip, 0); free(ip);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607051314.k65DE3h4032651>