Module: Msf::Auxiliary::Fuzzer

Defined in:
lib/msf/core/auxiliary/fuzzer.rb

Overview

This module provides methods useful for developing fuzzers

Instance Method Summary collapse

Instance Method Details

#fuzz_numbers {|Array<Integer>| ... } ⇒ Array<Array>

Will return or yield numbers based on the presence of a block.

Yields:

  • (Array<Integer>)

    Yields an array of numbers if there is a block given

Returns:

  • (Array<Array>)

    Returns an array of arrays of numbers if there is no block given

See Also:


27
28
29
30
31
32
33
34
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 27

def fuzz_numbers
  res = []
  self.methods.sort.grep(/^fuzzer_number/).each do |m|
    @last_fuzzer_input = m
    block_given? ? self.send(m) {|x| yield(x) } : (res << self.send(m))
  end
  res
end

#fuzz_string_corrupt_byte(str, max = nil) ⇒ Array

Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.

Parameters:

  • str (String)

    The string the mutation will be based on.

  • max (Integer, NilClass) (defaults to: nil)

    Max string size.

Returns:

  • (Array)

    Returns an array of an array of strings

See Also:


58
59
60
61
62
63
64
65
66
67
68
69
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 58

def fuzz_string_corrupt_byte(str,max=nil)
  res = []
  0.upto(max ? [max,str.length-1].min : (str.length - 1)) do |offset|
    0.upto(255) do |val|
      @last_fuzzer_input = "fuzz_string_corrupt_byte offset:#{offset}/#{str.length} byte:#{val}"
      buf = str.dup
      buf[offset,1] = [val].pack('C')
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzz_string_corrupt_byte_reverse(str, max = nil) ⇒ Array

Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.

Parameters:

  • str (String)

    The string the mutation will be based on.

  • max (Integer, NilClass) (defaults to: nil)

    Max string size.

Returns:

  • (Array)

    Returns an array of an array of strings

See Also:


78
79
80
81
82
83
84
85
86
87
88
89
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 78

def fuzz_string_corrupt_byte_reverse(str,max=nil)
  res = []
  (max ? [max,str.length-1].min : (str.length - 1)).downto(0) do |offset|
    0.upto(255) do |val|
      @last_fuzzer_input = "fuzz_string_corrupt_byte_reverse offset:#{offset}/#{str.length} byte:#{val}"
      buf = str.dup
      buf[offset,1] = [val].pack('C')
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzz_strings {|Array| ... } ⇒ Array

Will return or yield a string based on the presense of a block

Yields:

  • (Array)

    Yields array of strings if there is a block given

Returns:

  • (Array)

    Returns and array of arrays of strings if there is no block given


42
43
44
45
46
47
48
49
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 42

def fuzz_strings
  res = []
  self.methods.sort.grep(/^fuzzer_string/).each do |m|
    @last_fuzzer_input = m
    block_given? ? self.send(m) {|x| yield(x) } : (res << self.send(m))
  end
  res
end

#fuzzer_gen_string(len) ⇒ String

Generates a fuzz string If no block is set, it will retrive characters from the FuzzChar datastore option.

Parameters:

  • len (Integer)

    String size.

Returns:

  • (String)

    Returns a string of size 1024 * 512 specified by the user


156
157
158
159
160
161
162
163
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 156

def fuzzer_gen_string(len)
  @gen_string_block ||= datastore['FuzzChar'][0,1] * (1024 * 512)
  res = ''
  while (res.length < len)
    res += @gen_string_block
  end
  res[0,len]
end

#fuzzer_number_power2Array

Fuzzer Numbers by Powers of Two

Returns:

  • (Array)

    Returns an array with pre-set values


114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 114

def fuzzer_number_power2
  res = [
    0x100000000,
    0x80000000,
    0x40000000,
    0x20000000,
    0x10000000,
    0x01000000,
    0x00100000,
    0x00010000,
    0x00001000,
    0x00000100,
    0x00000010,
    0x00000001
  ]
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_number_power2_plusArray

Powers of two by some fuzzing factor.

Returns:

  • (Array)

    Returns and array of integers.


136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 136

def fuzzer_number_power2_plus
  res = []
  fuzzer_number_power2 do |num|
    res << num + 1
    res << num + 2
    res << num - 1
    res << num - 2
    res << num * -1
    res << (num  + 1) * -1
    res << (num  + 2) * -1
  end
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_filepath_dosArray

Reserved filename array Useful generators (many derived from AxMan)

Returns:

  • (Array)

    Returns and array of reserved filenames in Windows.


105
106
107
108
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 105

def fuzzer_string_filepath_dos
  res = %W{ aux con nul com1 com2 com3 com4 lpt1 lpt2 lp3 lpt4 prn }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_formatArray

Useful generators (many derived from AxMan)

Returns:

  • (Array)

    Returns and array of strings.


95
96
97
98
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 95

def fuzzer_string_format
  res = %W{ %s %p %n %x %@ %.257d %.65537d %.2147483648d %.257f %.65537f %.2147483648f}
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_giantArray

Creates a giant fuzz string from length 512 -> 131,064 bytes long

Returns:

  • (Array)

    Returns an array of characters


193
194
195
196
197
198
199
200
201
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 193

def fuzzer_string_giant
  res = []
  512.step(65532 * 2, 512) do |len|
    buf = fuzzer_gen_string(len)
    buf[len / 2, datastore['FuzzTracer'].length] = datastore['FuzzTracer']
    block_given? ? yield(buf) : (res << buf)
  end
  res
end

#fuzzer_string_longArray

Creates a longer fuzz string from length 64 -> 8192 bytes long

Returns:

  • (Array)

    Returns an array of characters


180
181
182
183
184
185
186
187
188
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 180

def fuzzer_string_long
  res = []
  64.step(8192,64) do |len|
    buf = fuzzer_gen_string(len)
    buf[len / 2, datastore['FuzzTracer'].length] = datastore['FuzzTracer']
    block_given? ? yield(buf) : (res << buf)
  end
  res
end

#fuzzer_string_path_prefixesArray

Generator for common path prefixes

Returns:

  • (Array)

    Returns an array of strings


236
237
238
239
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 236

def fuzzer_string_path_prefixes
  res = %W{ C:\\ \\\\localhost\\ / }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_paths_dosArray

Generates fuzzer strings using path prefixes

Returns:

  • (Array)

    Returns an array of stings


396
397
398
399
400
401
402
403
404
405
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 396

def fuzzer_string_paths_dos
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_filepath_dos do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_formatArray

Format for the path generator

Returns:

  • (Array)

    Returns an array of stings


380
381
382
383
384
385
386
387
388
389
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 380

def fuzzer_string_paths_format
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_format do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_giantArray

Generates various giant strings

Returns:

  • (Array)

    Returns an array of stings


364
365
366
367
368
369
370
371
372
373
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 364

def fuzzer_string_paths_giant
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_giant do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_longArray

Generates various small strings

Returns:

  • (Array)

    Returns an array of stings


348
349
350
351
352
353
354
355
356
357
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 348

def fuzzer_string_paths_long
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_long do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_smallArray

Generates various small strings

Returns:

  • (Array)

    Returns an array of stings


332
333
334
335
336
337
338
339
340
341
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 332

def fuzzer_string_paths_small
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_small do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_smallArray

Creates a smaller fuzz string starting from length 16 -> 512 bytes long

Returns:

  • (Array)

    Returns an array of characters


168
169
170
171
172
173
174
175
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 168

def fuzzer_string_small
  res = []
  16.step(512,16) do |len|
    buf = fuzzer_gen_string(len)
    block_given? ? yield(buf) : (res << buf)
  end
  res
end

#fuzzer_string_uri_dividersArray

Generator for common URI dividers

Returns:

  • (Array)

    Returns an array of strings


227
228
229
230
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 227

def fuzzer_string_uri_dividers
  res = %W{ : :// }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_uri_typesArray

Various URI types

Returns:

  • (Array)

    Returns an array of strings


206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 206

def fuzzer_string_uri_types
  res = %W{
    aaa  aaas  about  acap  adiumxtra  afp  aim  apt  aw  bolo  callto  cap  chrome  cid
    content  crid  cvs  data  dav  designates  dict  disk  dns  doi  ed2k  example  examples
    fax  feed  file  finger  fish  ftp  gg  gizmoproject  go  gopher  h323  hcp  http  https
    iax2  icap  im  imap  info  ipp  irc  ircs  iris  iris.beep  iris.lws  iris.xpc  iris.xpcs
    itms  jar  javascript  keyparc  lastfm  ldap  ldaps  lsid  magnet  mailto  mid  mms  modem
    ms-help  msnim  msrp  msrps  mtqp  mupdate  mvn  news  nfs  nntp  notes  opaquelocktoken
    over  pop  pres  prospero  psyc  res  rlogin  rmi  rsync  rtsp  secondlife  service  sftp
    sgn  shell  shttp  sip  sips  skype  smb  sms  snews  snmp  soap.beep  soap.beeps  soldat
    ssh  steam  svn  tag  teamspeak  tel  telephone  telnet  tftp  thismessage  tip  tv  unreal
    urn  ut2004  vbscript  vemmi  ventrilo  view-source  wais  webcal  worldwind  wtai  wyciwyg
    wysiwyg  xfire  xmlrpc.beep  xmpp  xri  ymsgr  z39.50r  z39.50s
  }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_uris_dosArray

Generates various small strings

Returns:

  • (Array)

    Returns an array of stings


314
315
316
317
318
319
320
321
322
323
324
325
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 314

def fuzzer_string_uris_dos
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_filepath_dos do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_formatArray

Format for the URI string generator

Returns:

  • (Array)

    Returns an array of stings


296
297
298
299
300
301
302
303
304
305
306
307
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 296

def fuzzer_string_uris_format
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_format do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_giantArray

Generates various giant URI string types

Returns:

  • (Array)

    Returns an array of stings


279
280
281
282
283
284
285
286
287
288
289
290
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 279

def fuzzer_string_uris_giant
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_giant do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_longArray

Generates various long URI string types

Returns:

  • (Array)

    Returns an array of stings


262
263
264
265
266
267
268
269
270
271
272
273
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 262

def fuzzer_string_uris_long
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_long do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_smallArray

Generates various small URI string types

Returns:

  • (Array)

    Returns an array of stings


245
246
247
248
249
250
251
252
253
254
255
256
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 245

def fuzzer_string_uris_small
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_small do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#initialize(info = {}) ⇒ Object


12
13
14
15
16
17
18
# File 'lib/msf/core/auxiliary/fuzzer.rb', line 12

def initialize(info = {})
  super
  register_advanced_options([
    OptString.new('FuzzTracer',   [ true, 'Sets the magic string to embed into fuzzer string inputs', 'MSFROCKS']),
    OptString.new('FuzzChar',     [ true, 'Sets the character to use for generating long strings', 'X'])
  ], Msf::Auxiliary::Fuzzer)
end