kavfuzz.py

import windows.rpc
from windows.rpc import ndr
import sys,struct,binascii
import random

for fuzz in xrange(0,1000000):
    pkt=[0x00000000,0x00000000,0x00000000,0x00000000,0x00320101,0x000000e4,0xfffa783b,0x00005294,0xea700002,0x5aa6ca32,0x4667ad6e,0xbdecf62f,0x000001d3,0x00000000,0x00d50000,0x00010000,0x00190000,0x00000000,0x00000000,0x000000c3,0x00000001,0xea8f0100,0x147acded,0x81000000,0x03000302,0x00000000,0xe9817096,0xb1cfbdef,0x02678cbd,0x00000091,0x780e8100,0x32003300,0x62006400,0x20006700,0x20002d00,0x69004600,0x65006c00,0x20003a00,0x76006100,0x2e007000,0x78006500,0x20006500,0x20002d00,0x49005000,0x3a004400,0x36002000,0x30003400,0x2d002000,0x4d002000,0x64006f00,0x6c007500,0x3a006500,0x70002000,0x72007200,0x6d006500,0x74006f00,0x2e006500,0x6c006400,0x20006c00,0x20002d00,0x68005400,0x65007200]
    pkt=[0x00000000,0x00000000,0x00000000,0x00000000,0x00320101,0x00000042,0x00000000,0x00000000,0x0f050000,0x812039cd,0x578cfdda,0xbfbe4c13,0x000201d3,0x0253dee0,0x00000000,0x00000000,0x00000000,0x00610005,0x00700076,0x00690075,0x00000aa0,0x00000000,0x783b0000,0xe6c3fffa,0xe60700dd,0x0aa000dd,0x48640000,0xfc0cdc81,0x0000c695]
    values=[0,1,0x7fffffff,0xffffffff,0x80000000]
    for changes in xrange(1,random.randint(2,5)):
        pkt[random.randint(5,len(pkt)-1)]=random.choice(values)
    print repr(pkt)
    client = windows.rpc.RPCClient(r"\RPC Control\PRRemote:%d" % int(sys.argv[1]) )
    iid = client.bind("806411e0-2ed2-194f-bb8c-e27194948ac1")
    ndr_params = ndr.make_parameters([ndr.NdrLong]*len(pkt))
    try:
       resp = client.call(iid, 4, ndr_params.pack(pkt)) 
       print repr(resp)
    except ValueError:
        pass