#=========================================================================
# A simple fuzzing test for GSM SM-TP over GSM MAP/SCCP/M3UA/SCTP/IPv4.
#
# With slight code modifications this script can be adapted for _every_
# protocol supported by Linkbit. Contact us at sales@linkbit.com to see the
# live demo.
#
# The name `sk` is never imported or defined in this file; presumably the
# Linkbit Simulation Kernel (LSK) runtime injects it before the script is
# executed -- confirm against the runtime documentation.
#=========================================================================

# Local address the packets are sent from. With a single IP address on the
# host this can stay as is; on a multi-homed host put one of the host's
# addresses here.
srcIPAddress = "0.0.0.0"

# IP address of the SUT (System Under Test).
dstIPAddress = "127.0.0.1"

# How many random SMS to send.
randomMsgCount = 3

# Restart the random generator. A fixed seed gives a repeatable packet
# sequence, so the same run can be replayed when the SUT misbehaves. Change
# the argument to get a different repeatable sequence, or comment the line
# out to get a new sequence on every run (keep a note of the seed used next
# to the SUT logs if the run has to be reproduced later).
sk.seedrandom(3)

#=========================================================================


def main():
    """Send `randomMsgCount` randomized, deliberately malformed SM-TP PDUs.

    The five lower layers (MAP, SCCP, M3UA, SCTP, IP) are built once and
    reused for every message. For each iteration a random SMS-DELIVER
    structure is generated by the kernel, its TP-Reply-Path field is
    overwritten with two octets, and the whole stack is handed to sk.send().

    This function is called at the very end of the script. The three
    sk.settings values it assigns are not restored afterwards.
    """
    # Preparations: one API structure per lower layer (wizard-generated,
    # see the Build_* functions below).
    map_layer = Build_MAP_Data()
    sccp_layer = Build_SCCP_Data()
    m3ua_layer = Build_M3UA_Data()
    sctp_layer = Build_SCTP_Packet()
    ip_layer = Build_IP_Frame()

    # In "random" mode receive() works as a random packet generator instead
    # of reading from the network.
    sk.settings.reception.random_mode = True
    # No error generation on the reception side.
    sk.settings.reception.simulate_errors = False
    # Constraint checking on outgoing packets is switched off so that
    # invalid packets can be sent.
    sk.settings.sending.check_constraints = False

    for _ in range(randomMsgCount):
        # Empty variable that will hold the random GSM SM-TP PDU structure.
        fuzzed_tpdu = sk.create()

        # NO actual packet is received here. In random mode the kernel
        # fills the variable with a valid SMS-DELIVER: mandatory fields are
        # always present, each optional field is included or left out at
        # random, and every generated field gets a random value from its
        # valid data set (e.g. an INT field with range 1..5 gets an INT in
        # 1..5 and nothing else). Repeated calls therefore walk the data
        # set space defined by GSM SM-TP.
        sk.receive(fuzzed_tpdu, None, sk.GSM_SM_TP.SMS_DELIVER)

        # The malformation itself: TP-Reply-Path occupies 1 bit in a normal
        # message; spoil() prepares it for replacement with arbitrary data
        # and it is then set to 2 octets. This part is identical in every
        # iteration -- only the rest of the PDU is randomized.
        sk.spoil(fuzzed_tpdu.TP_Reply_Path)
        fuzzed_tpdu.TP_Reply_Path.octetStr = "1A B7"

        # Send to the SUT in the standard way. The arguments are the API
        # structures for the GSM SM-TP, GSM MAP, SCCP, M3UA, SCTP and IP
        # layers, in that order.
        sk.send(fuzzed_tpdu, map_layer, sccp_layer, m3ua_layer,
                sctp_layer, ip_layer)


#===============================================================
# Functions building the IP, SCTP, M3UA etc. layers -- code auto-generated
# by the Linkbit Packet Wizard GUI builder. The statements between the
# BEGIN/END markers are kept in the generator's order and naming so the
# wizard can still edit them.
#
# NOTE(review): several lower-layer fields carry wizard defaults (zero point
# codes, SI = 0, TTL = 0, IP Protocol = 0, SCTP Verification_Tag = 0, fixed
# length and checksum values). Presumably the kernel recomputes or fills
# these when sk.send() stacks the layers -- confirm, because otherwise the
# SUT may discard the packets before its SM-TP decoder ever sees them and
# the test would exercise nothing.
#===============================================================


def Build_MAP_Data():
    """Return a TCAP_MAP_R7.Unidirectional structure with one invoke component.

    The invoke carries operation code 46 (Mo_ForwardSM) with an all-zero
    six-digit IMSI as sm_RP_DA, "00" as the MSISDN in sm_RP_OA and "00" as
    sm_RP_UI.
    """
    # NOTE(review): main() generates an SMS-DELIVER TPDU, which is normally
    # the mobile-terminated direction, while this wrapper is an Mo_ForwardSM
    # invoke -- confirm the pairing is intentional for the SUT under test.
    #-----------------------------------------------------
    #BEGIN code auto-generated with Linkbit Packet Wizard
    #-----------------------------------------------------
    # You can edit this code block (marked by 'BEGIN' and 'END' lines) by
    # positioning the pointer anywhere in the block and selecting
    # 'Edit Packet...' from the context menu.
    #-----------------------------------------------------

    #create variable "varMAP" of type "TCAP_MAP_R7.Unidirectional"
    varMAP = sk.create(sk.TCAP_MAP_R7.Unidirectional)

    #-----------------------------
    #initialize "varMAP" variable

    #set number of elements in the array
    varMAP.components.setsize(1)
    mbrComp = varMAP.components(0)
    #the next line is to force presence of "invoke"
    mbrComp.invoke = sk.present
    mbrComp.invoke.invokeID = -128
    mbrComp.invoke.operationCode.localValue = 46  # Mo_ForwardSM
    #the next line is to force presence of "parameter"
    mbrComp.invoke.parameter = sk.present
    #the next line is to force presence of "Mo_ForwardSM"
    mbrComp.invoke.parameter.Mo_ForwardSM = sk.present
    altMFSM = mbrComp.invoke.parameter.Mo_ForwardSM
    #the next line is to force presence of "imsi"
    altMFSM.sm_RP_DA.imsi = sk.present
    #set number of elements in the array
    altMFSM.sm_RP_DA.imsi.Detailed.setsize(6)
    fldDet = altMFSM.sm_RP_DA.imsi.Detailed(0)
    sk.copy(fldDet, 0)  # digit 0
    fldDet = altMFSM.sm_RP_DA.imsi.Detailed(1)
    sk.copy(fldDet, 0)  # digit 0
    fldDet = altMFSM.sm_RP_DA.imsi.Detailed(2)
    sk.copy(fldDet, 0)  # digit 0
    fldDet = altMFSM.sm_RP_DA.imsi.Detailed(3)
    sk.copy(fldDet, 0)  # digit 0
    fldDet = altMFSM.sm_RP_DA.imsi.Detailed(4)
    sk.copy(fldDet, 0)  # digit 0
    fldDet = altMFSM.sm_RP_DA.imsi.Detailed(5)
    sk.copy(fldDet, 0)  # digit 0
    # Alternative emitted by the wizard (octet-string form of the IMSI):
    # altMFSM.sm_RP_DA.imsi = "00 00 00"
    #the next line is to force presence of "msisdn"
    altMFSM.sm_RP_OA.msisdn = sk.present
    # Alternative emitted by the wizard (field-by-field form of the MSISDN):
    # fldDet1 = altMFSM.sm_RP_OA.msisdn.Detailed
    # fldDet1.Ext = 0
    # fldDet1.Type_of_number = 0 # unknown
    # fldDet1.Numbering_plan_identification = 0 # unknown
    # #set number of elements in the array
    # fldDet1.Number_digits.setsize(0)
    altMFSM.sm_RP_OA.msisdn = "00"
    altMFSM.sm_RP_UI = "00"
    #---------------------------------------------------
    #END code auto-generated with Linkbit Packet Wizard
    #---------------------------------------------------
    return varMAP


def Build_SCCP_Data():
    """Return an SCCP_ITU.UDT structure with empty called/calling addresses.

    Routing label values are all zero, both address indicators state that
    no global title, subsystem number or point code is included, and the
    data part is the single octet "00".
    """
    #-----------------------------------------------------
    #BEGIN code auto-generated with Linkbit Packet Wizard
    #-----------------------------------------------------
    # You can edit this code block (marked by 'BEGIN' and 'END' lines) by
    # positioning the pointer anywhere in the block and selecting
    # 'Edit Packet...' from the context menu.
    #-----------------------------------------------------

    #create variable "varSCCP" of type "SCCP_ITU.UDT"
    varSCCP = sk.create(sk.SCCP_ITU.UDT)

    #------------------------------
    #initialize "varSCCP" variable

    varSCCP.Routing_Label.DPC = 0
    varSCCP.Routing_Label.OPC = 0
    varSCCP.Routing_Label.SLS = 0
    varSCCP.Message_type = 9  # UDT
    varSCCP.Protocol_class.Protocol_class = 0  # class 0
    varSCCP.Protocol_class.Message_handling = 0  # no special options
    varSCCP.Pointer_to_Called_party_address = 3
    varSCCP.Pointer_to_Calling_party_address = 4
    varSCCP.Pointer_to_Data = 5

    varSCCP.Called_party_address.Length_indicator = 1
    mbrAI = varSCCP.Called_party_address.Address_indicator
    mbrAI.spare = 0
    mbrAI.Routing_indicator = 0  # Route on GT
    mbrAI.Global_title_indicator = 0  # no global title included
    mbrAI.SSN_indicator = 0  # address does not contain a subsystem number
    mbrAI.Point_code_indicator = 0  # address does not contain a signalling point code

    varSCCP.Calling_party_address.Length_indicator = 1
    mbrAI = varSCCP.Calling_party_address.Address_indicator
    mbrAI.spare = 0
    mbrAI.Routing_indicator = 0  # Route on GT
    mbrAI.Global_title_indicator = 0  # no global title included
    mbrAI.SSN_indicator = 0  # address does not contain a subsystem number
    mbrAI.Point_code_indicator = 0  # address does not contain a signalling point code

    varSCCP.Data.Length_indicator = 1
    varSCCP.Data.Data = "00"
    #---------------------------------------------------
    #END code auto-generated with Linkbit Packet Wizard
    #---------------------------------------------------
    return varSCCP


def Build_M3UA_Data():
    """Return an M3UA.DATA structure with zero point codes and no payload.

    Message class 1 (Transfer), message type 1 (DATA), one Protocol Data
    parameter (tag 528) whose user data and padding are empty strings.
    """
    #-----------------------------------------------------
    #BEGIN code auto-generated with Linkbit Packet Wizard
    #-----------------------------------------------------
    # You can edit this code block (marked by 'BEGIN' and 'END' lines) by
    # positioning the pointer anywhere in the block and selecting
    # 'Edit Packet...' from the context menu.
    #-----------------------------------------------------

    #create variable "varM3UA" of type "M3UA.DATA"
    varM3UA = sk.create(sk.M3UA.DATA)

    #------------------------------
    #initialize "varM3UA" variable

    varM3UA.Protocol_Version = 1  # Release 1
    varM3UA.Reserved = 0
    varM3UA.Message_Class = 1  # Transfer
    varM3UA.Message_Type = 1  # DATA
    varM3UA.Message_Length = 24
    varM3UA.Protocol_Data.Parameter_Tag = 528  # Protocol Data
    varM3UA.Protocol_Data.Parameter_Length = 16
    varM3UA.Protocol_Data.Originating_Point_Code = 0
    varM3UA.Protocol_Data.Destination_Point_Code = 0
    varM3UA.Protocol_Data.SI = 0  # Signaling Network Management Messages
    varM3UA.Protocol_Data.NI = 0  # International Network
    varM3UA.Protocol_Data.MP = 0
    varM3UA.Protocol_Data.SLS = 0
    varM3UA.Protocol_Data.User_Protocol_Data = ""
    varM3UA.Protocol_Data.padding = ""
    #---------------------------------------------------
    #END code auto-generated with Linkbit Packet Wizard
    #---------------------------------------------------
    return varM3UA


def Build_SCTP_Packet():
    """Return an SCTP.Packet structure holding one empty DATA chunk.

    Source and destination port are both 2905; the chunk is ordered,
    unfragmented, on stream 1, with empty user data. Verification tag and
    checksum are the fixed values emitted by the wizard.
    """
    #-----------------------------------------------------
    #BEGIN code auto-generated with Linkbit Packet Wizard
    #-----------------------------------------------------
    # You can edit this code block (marked by 'BEGIN' and 'END' lines) by
    # positioning the pointer anywhere in the block and selecting
    # 'Edit Packet...' from the context menu.
    #-----------------------------------------------------

    #create variable "varSCTP" of type "SCTP.Packet"
    varSCTP = sk.create(sk.SCTP.Packet)

    #------------------------------
    #initialize "varSCTP" variable

    varSCTP.Source_Port = 2905
    varSCTP.Destination_Port = 2905
    varSCTP.Verification_Tag = 0
    varSCTP.Checksum = 2627782984
    #set number of elements in the array
    varSCTP.Chunks.setsize(1)
    mbrChunks = varSCTP.Chunks(0)
    #the next line is to force presence of "DATA"
    mbrChunks.DATA = sk.present
    mbrChunks.DATA.Chunk_Type = 0  # DATA
    mbrChunks.DATA.Chunk_Flags = 0
    mbrChunks.DATA.U = 0  # this is an ordered DATA chunk
    mbrChunks.DATA.BE = 3  # Unfragmented Message
    mbrChunks.DATA.Chunk_Length = 16
    mbrChunks.DATA.TSN = 0
    mbrChunks.DATA.Stream_Identifier_S = 1
    mbrChunks.DATA.Stream_Sequence_Number_n = 0
    mbrChunks.DATA.Payload_Protocol_Identifier = 0  # no application identifier
    mbrChunks.DATA.User_Data = ""
    #---------------------------------------------------
    #END code auto-generated with Linkbit Packet Wizard
    #---------------------------------------------------
    return varSCTP


def Build_IP_Frame():
    """Return an IPv4.Frame structure addressed from srcIPAddress to dstIPAddress.

    The wizard-generated block fills both addresses with "127.0.0.1"; the
    two assignments after the END marker replace them with the module-level
    srcIPAddress and dstIPAddress, so those settings are what is sent.
    """
    # Only read here; the declaration is kept from the original script.
    global srcIPAddress, dstIPAddress

    #-----------------------------------------------------
    #BEGIN code auto-generated with Linkbit Packet Wizard
    #-----------------------------------------------------
    # You can edit this code block (marked by 'BEGIN' and 'END' lines) by
    # positioning the pointer anywhere in the block and selecting
    # 'Edit Packet...' from the context menu.
    #-----------------------------------------------------

    #create variable "varIP" of type "IPv4.Frame"
    varIP = sk.create(sk.IPv4.Frame)

    #----------------------------
    #initialize "varIP" variable

    varIP.Version = 4  # Version 4
    varIP.IHL = 5
    varIP.Type_Of_Service.Precedence = 0  # Routine
    varIP.Type_Of_Service.Delay = 0  # Normal Delay
    varIP.Type_Of_Service.Throughput = 0  # Normal Throughput
    varIP.Type_Of_Service.Reliability = 0  # Normal Reliability
    varIP.Type_Of_Service.Reserved = 0
    varIP.Total_Length = 20
    varIP.Identification = 0
    varIP.Flags.Reserved = 0
    varIP.Flags.Fragmentation = 0  # May Fragment
    varIP.Flags.Fragment = 0  # Last Fragment
    varIP.Fragment_Offset = 0
    varIP.TTL = 0
    varIP.Protocol = 0  # Reserved
    varIP.Header_Checksum = 48360
    varIP.Source_Address = "127.0.0.1"
    varIP.Destination_Address = "127.0.0.1"
    #set number of elements in the array
    varIP.Options.setsize(0)
    varIP.Padding = ""
    varIP.Data = ""
    #---------------------------------------------------
    #END code auto-generated with Linkbit Packet Wizard
    #---------------------------------------------------

    # Hand-written override: use the addresses configured at the top of the
    # script instead of the wizard's loopback defaults.
    varIP.Source_Address = srcIPAddress
    varIP.Destination_Address = dstIPAddress
    return varIP


main()