nstarke/lldp-fuzzer.py

## lldp-fuzzer.py
#!/usr/bin/env python

#
# A naive LLDP Fuzzer
# Released Jun 18, 2019
# Author: Nicholas Starke
#

from scapy.all import *
import time

load_contrib("lldp")
conf.contribs["LLDP"].strict_mode_disable()

#
# All Chassis Types
#
chassis = [
         LLDPDUChassisID.SUBTYPE_CHASSIS_COMPONENT
        , LLDPDUChassisID.SUBTYPE_INTERFACE_ALIAS
        , LLDPDUChassisID.SUBTYPE_PORT_COMPONENT
        , LLDPDUChassisID.SUBTYPE_MAC_ADDRESS
        , LLDPDUChassisID.SUBTYPE_NETWORK_ADDRESS
        , LLDPDUChassisID.SUBTYPE_INTERFACE_NAME
        , LLDPDUChassisID.SUBTYPE_LOCALLY_ASSIGNED
        ]

#
# All Port ID Types
#
port = [
        LLDPDUPortID.SUBTYPE_INTERFACE_ALIAS
        , LLDPDUPortID.SUBTYPE_PORT_COMPONENT
        , LLDPDUPortID.SUBTYPE_MAC_ADDRESS
        , LLDPDUPortID.SUBTYPE_NETWORK_ADDRESS
        , LLDPDUPortID.SUBTYPE_INTERFACE_NAME
        , LLDPDUPortID.SUBTYPE_AGENT_CIRCUIT_ID
        , LLDPDUPortID.SUBTYPE_LOCALLY_ASSIGNED
        ]

#
# What payloads to test
#
payloads = [
        "A" * 254,
        "\x00" * 254,
        "%s" * 127,
        "%n" * 127
        ]

#
# Begin main fuzzing process
#
for l in payloads:
    for x in range(0, 254):
        for c in chassis:
            for p in port:
                frm = Ether(dst=LLDP_NEAREST_BRIDGE_MAC)/             \
                    LLDPDUChassisID(subtype=c, id=l, _length=x)/      \
                    LLDPDUPortID(subtype=p, id=l, _length=x)/         \
                    LLDPDUTimeToLive(ttl=2)/                          \
                    LLDPDUPortDescription(description=l, _length=x)/  \
                    LLDPDUSystemName(system_name=l, _length=x)/       \
                    LLDPDUSystemDescription(description=l, _length=x)/\
                    LLDPDUEndOfLLDPDU()
                frm = frm.build()
                sendp(Ether(frm), verbose=0)
                time.sleep(1)
	#!/usr/bin/env python

	#
	# A naive LLDP Fuzzer
	# Released Jun 18, 2019
	# Author: Nicholas Starke
	#

	from scapy.all import *
	import time

	load_contrib("lldp")
	conf.contribs["LLDP"].strict_mode_disable()

	#
	# All Chassis Types
	#
	chassis = [
	LLDPDUChassisID.SUBTYPE_CHASSIS_COMPONENT
	, LLDPDUChassisID.SUBTYPE_INTERFACE_ALIAS
	, LLDPDUChassisID.SUBTYPE_PORT_COMPONENT
	, LLDPDUChassisID.SUBTYPE_MAC_ADDRESS
	, LLDPDUChassisID.SUBTYPE_NETWORK_ADDRESS
	, LLDPDUChassisID.SUBTYPE_INTERFACE_NAME
	, LLDPDUChassisID.SUBTYPE_LOCALLY_ASSIGNED
	]

	#
	# All Port ID Types
	#
	port = [
	LLDPDUPortID.SUBTYPE_INTERFACE_ALIAS
	, LLDPDUPortID.SUBTYPE_PORT_COMPONENT
	, LLDPDUPortID.SUBTYPE_MAC_ADDRESS
	, LLDPDUPortID.SUBTYPE_NETWORK_ADDRESS
	, LLDPDUPortID.SUBTYPE_INTERFACE_NAME
	, LLDPDUPortID.SUBTYPE_AGENT_CIRCUIT_ID
	, LLDPDUPortID.SUBTYPE_LOCALLY_ASSIGNED
	]

	#
	# What payloads to test
	#
	payloads = [
	"A" * 254,
	"\x00" * 254,
	"%s" * 127,
	"%n" * 127
	]

	#
	# Begin main fuzzing process
	#
	for l in payloads:
	for x in range(0, 254):
	for c in chassis:
	for p in port:
	frm = Ether(dst=LLDP_NEAREST_BRIDGE_MAC)/ \
	LLDPDUChassisID(subtype=c, id=l, _length=x)/ \
	LLDPDUPortID(subtype=p, id=l, _length=x)/ \
	LLDPDUTimeToLive(ttl=2)/ \
	LLDPDUPortDescription(description=l, _length=x)/ \
	LLDPDUSystemName(system_name=l, _length=x)/ \
	LLDPDUSystemDescription(description=l, _length=x)/\
	LLDPDUEndOfLLDPDU()
	frm = frm.build()
	sendp(Ether(frm), verbose=0)
	time.sleep(1)