Module: Msf::Auxiliary::Fuzzer

Defined in:

lib/msf/core/auxiliary/fuzzer.rb

Overview

This module provides methods useful for developing fuzzers

Instance Method Summary

• #fuzz_numbers {|Array<Integer>| ... } ⇒ Array<Array>

  Will return or yield numbers based on the presence of a block.

• #fuzz_string_corrupt_byte(str, max = nil) ⇒ Array

  Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.

• #fuzz_string_corrupt_byte_reverse(str, max = nil) ⇒ Array

  Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.

• #fuzz_strings {|Array| ... } ⇒ Array

  Will return or yield a string based on the presence of a block.

• #fuzzer_gen_string(len) ⇒ String

  Generates a fuzz string If no block is set, it will retrieve characters from the FuzzChar datastore option.

• #fuzzer_number_power2 ⇒ Array

  Fuzzer Numbers by Powers of Two.

• #fuzzer_number_power2_plus ⇒ Array

  Powers of two by some fuzzing factor.

• #fuzzer_string_filepath_dos ⇒ Array

  Reserved filename array Useful generators (many derived from AxMan).

• #fuzzer_string_format ⇒ Array

  Useful generators (many derived from AxMan).

• #fuzzer_string_giant ⇒ Array

  Creates a giant fuzz string from length 512 -> 131,064 bytes long.

• #fuzzer_string_long ⇒ Array

  Creates a longer fuzz string from length 64 -> 8192 bytes long.

• #fuzzer_string_path_prefixes ⇒ Array

  Generator for common path prefixes.

• #fuzzer_string_paths_dos ⇒ Array

  Generates fuzzer strings using path prefixes.

• #fuzzer_string_paths_format ⇒ Array

  Format for the path generator.

• #fuzzer_string_paths_giant ⇒ Array

  Generates various giant strings.

• #fuzzer_string_paths_long ⇒ Array

  Generates various small strings.

• #fuzzer_string_paths_small ⇒ Array

  Generates various small strings.

• #fuzzer_string_small ⇒ Array

  Creates a smaller fuzz string starting from length 16 -> 512 bytes long.

• #fuzzer_string_uri_dividers ⇒ Array

  Generator for common URI dividers.

• #fuzzer_string_uri_types ⇒ Array

  Various URI types.

• #fuzzer_string_uris_dos ⇒ Array

  Generates various small strings.

• #fuzzer_string_uris_format ⇒ Array

  Format for the URI string generator.

• #fuzzer_string_uris_giant ⇒ Array

  Generates various giant URI string types.

• #fuzzer_string_uris_long ⇒ Array

  Generates various long URI string types.

• #fuzzer_string_uris_small ⇒ Array

  Generates various small URI string types.

• #initialize(info = {}) ⇒ Object

Instance Method Details

#fuzz_numbers {|Array<Integer>| ... } ⇒ Array<Array>

Will return or yield numbers based on the presence of a block.

Yields:

• (Array<Integer>) —

  Yields an array of numbers if there is a block given

Returns:

• (Array<Array>) —

  Returns an array of arrays of numbers if there is no block given

See Also:

• #fuzzer_number_power2

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 27

def fuzz_numbers
  res = []
  self.methods.sort.grep(/^fuzzer_number/).each do |m|
    @last_fuzzer_input = m
    block_given? ? self.send(m) {|x| yield(x) } : (res << self.send(m))
  end
  res
end

#fuzz_string_corrupt_byte(str, max = nil) ⇒ Array

Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.

Parameters:

• str (String) —

  The string the mutation will be based on.

• max (Integer, NilClass) (defaults to: nil) —

  Max string size.

Returns:

• (Array) —

  Returns an array of an array of strings

See Also:

• #fuzzer_string_format

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 58

def fuzz_string_corrupt_byte(str,max=nil)
  res = []
  0.upto(max ? [max,str.length-1].min : (str.length - 1)) do |offset|
    0.upto(255) do |val|
      @last_fuzzer_input = "fuzz_string_corrupt_byte offset:#{offset}/#{str.length} byte:#{val}"
      buf = str.dup
      buf[offset,1] = [val].pack('C')
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzz_string_corrupt_byte_reverse(str, max = nil) ⇒ Array

Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.

Parameters:

• str (String) —

  The string the mutation will be based on.

• max (Integer, NilClass) (defaults to: nil) —

  Max string size.

Returns:

• (Array) —

  Returns an array of an array of strings

See Also:

• #fuzzer_string_format

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 78

def fuzz_string_corrupt_byte_reverse(str,max=nil)
  res = []
  (max ? [max,str.length-1].min : (str.length - 1)).downto(0) do |offset|
    0.upto(255) do |val|
      @last_fuzzer_input = "fuzz_string_corrupt_byte_reverse offset:#{offset}/#{str.length} byte:#{val}"
      buf = str.dup
      buf[offset,1] = [val].pack('C')
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzz_strings {|Array| ... } ⇒ Array

Will return or yield a string based on the presence of a block

Yields:

• (Array) —

  Yields array of strings if there is a block given

Returns:

• (Array) —

  Returns and array of arrays of strings if there is no block given

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 42

def fuzz_strings
  res = []
  self.methods.sort.grep(/^fuzzer_string/).each do |m|
    @last_fuzzer_input = m
    block_given? ? self.send(m) {|x| yield(x) } : (res << self.send(m))
  end
  res
end

#fuzzer_gen_string(len) ⇒ String

Generates a fuzz string If no block is set, it will retrieve characters from the FuzzChar datastore option.

Parameters:

• len (Integer) —

  String size.

Returns:

• (String) —

  Returns a string of size 1024 * 512 specified by the user

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 156

def fuzzer_gen_string(len)
  @gen_string_block ||= datastore['FuzzChar'][0,1] * (1024 * 512)
  res = ''
  while (res.length < len)
    res += @gen_string_block
  end
  res[0,len]
end

#fuzzer_number_power2 ⇒ Array

Fuzzer Numbers by Powers of Two

Returns:

• (Array) —

  Returns an array with pre-set values

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 114

def fuzzer_number_power2
  res = [
    0x100000000,
    0x80000000,
    0x40000000,
    0x20000000,
    0x10000000,
    0x01000000,
    0x00100000,
    0x00010000,
    0x00001000,
    0x00000100,
    0x00000010,
    0x00000001
  ]
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_number_power2_plus ⇒ Array

Powers of two by some fuzzing factor.

Returns:

• (Array) —

  Returns and array of integers.

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 136

def fuzzer_number_power2_plus
  res = []
  fuzzer_number_power2 do |num|
    res << num + 1
    res << num + 2
    res << num - 1
    res << num - 2
    res << num * -1
    res << (num  + 1) * -1
    res << (num  + 2) * -1
  end
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_filepath_dos ⇒ Array

Reserved filename array Useful generators (many derived from AxMan)

Returns:

• (Array) —

  Returns and array of reserved filenames in Windows.

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 105

def fuzzer_string_filepath_dos
  res = %W{ aux con nul com1 com2 com3 com4 lpt1 lpt2 lp3 lpt4 prn }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_format ⇒ Array

Useful generators (many derived from AxMan)

Returns:

• (Array) —

  Returns and array of strings.

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 95

def fuzzer_string_format
  res = %W{ %s %p %n %x %@ %.257d %.65537d %.2147483648d %.257f %.65537f %.2147483648f}
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_giant ⇒ Array

Creates a giant fuzz string from length 512 -> 131,064 bytes long

Returns:

• (Array) —

  Returns an array of characters

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 193

def fuzzer_string_giant
  res = []
  512.step(65532 * 2, 512) do |len|
    buf = fuzzer_gen_string(len)
    buf[len / 2, datastore['FuzzTracer'].length] = datastore['FuzzTracer']
    block_given? ? yield(buf) : (res << buf)
  end
  res
end

#fuzzer_string_long ⇒ Array

Creates a longer fuzz string from length 64 -> 8192 bytes long

Returns:

• (Array) —

  Returns an array of characters

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 180

def fuzzer_string_long
  res = []
  64.step(8192,64) do |len|
    buf = fuzzer_gen_string(len)
    buf[len / 2, datastore['FuzzTracer'].length] = datastore['FuzzTracer']
    block_given? ? yield(buf) : (res << buf)
  end
  res
end

#fuzzer_string_path_prefixes ⇒ Array

Generator for common path prefixes

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 236

def fuzzer_string_path_prefixes
  res = %W{ C:\\ \\\\localhost\\ / }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_paths_dos ⇒ Array

Generates fuzzer strings using path prefixes

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 396

def fuzzer_string_paths_dos
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_filepath_dos do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_format ⇒ Array

Format for the path generator

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 380

def fuzzer_string_paths_format
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_format do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_giant ⇒ Array

Generates various giant strings

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 364

def fuzzer_string_paths_giant
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_giant do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_long ⇒ Array

Generates various small strings

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 348

def fuzzer_string_paths_long
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_long do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_paths_small ⇒ Array

Generates various small strings

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 332

def fuzzer_string_paths_small
  res = []
  fuzzer_string_path_prefixes do |pre|
    fuzzer_string_small do |str|
      buf = pre + str
      block_given? ? yield(buf) : (res << buf)
    end
  end
  res
end

#fuzzer_string_small ⇒ Array

Creates a smaller fuzz string starting from length 16 -> 512 bytes long

Returns:

• (Array) —

  Returns an array of characters

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 168

def fuzzer_string_small
  res = []
  16.step(512,16) do |len|
    buf = fuzzer_gen_string(len)
    block_given? ? yield(buf) : (res << buf)
  end
  res
end

#fuzzer_string_uri_dividers ⇒ Array

Generator for common URI dividers

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 227

def fuzzer_string_uri_dividers
  res = %W{ : :// }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_uri_types ⇒ Array

Various URI types

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 206

def fuzzer_string_uri_types
  res = %W{
    aaa  aaas  about  acap  adiumxtra  afp  aim  apt  aw  bolo  callto  cap  chrome  cid
    content  crid  cvs  data  dav  designates  dict  disk  dns  doi  ed2k  example  examples
    fax  feed  file  finger  fish  ftp  gg  gizmoproject  go  gopher  h323  hcp  http  https
    iax2  icap  im  imap  info  ipp  irc  ircs  iris  iris.beep  iris.lws  iris.xpc  iris.xpcs
    itms  jar  javascript  keyparc  lastfm  ldap  ldaps  lsid  magnet  mailto  mid  mms  modem
    ms-help  msnim  msrp  msrps  mtqp  mupdate  mvn  news  nfs  nntp  notes  opaquelocktoken
    over  pop  pres  prospero  psyc  res  rlogin  rmi  rsync  rtsp  secondlife  service  sftp
    sgn  shell  shttp  sip  sips  skype  smb  sms  snews  snmp  soap.beep  soap.beeps  soldat
    ssh  steam  svn  tag  teamspeak  tel  telephone  telnet  tftp  thismessage  tip  tv  unreal
    urn  ut2004  vbscript  vemmi  ventrilo  view-source  wais  webcal  worldwind  wtai  wyciwyg
    wysiwyg  xfire  xmlrpc.beep  xmpp  xri  ymsgr  z39.50r  z39.50s
  }
  block_given? ? res.each { |n| yield(n) } : res
end

#fuzzer_string_uris_dos ⇒ Array

Generates various small strings

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 314

def fuzzer_string_uris_dos
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_filepath_dos do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_format ⇒ Array

Format for the URI string generator

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 296

def fuzzer_string_uris_format
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_format do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_giant ⇒ Array

Generates various giant URI string types

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 279

def fuzzer_string_uris_giant
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_giant do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_long ⇒ Array

Generates various long URI string types

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 262

def fuzzer_string_uris_long
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_long do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#fuzzer_string_uris_small ⇒ Array

Generates various small URI string types

Returns:

• (Array) —

  Returns an array of strings

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 245

def fuzzer_string_uris_small
  res = []
  fuzzer_string_uri_types do |proto|
    fuzzer_string_uri_dividers do |div|
      fuzzer_string_small do |str|
        buf = proto + div + str
        block_given? ? yield(buf) : (res << buf)
      end
    end
  end
  res
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/auxiliary/fuzzer.rb', line 12

def initialize(info = {})
  super
  register_advanced_options([
    OptString.new('FuzzTracer',   [ true, 'Sets the magic string to embed into fuzzer string inputs', 'MSFROCKS']),
    OptString.new('FuzzChar',     [ true, 'Sets the character to use for generating long strings', 'X'])
  ], Msf::Auxiliary::Fuzzer)
end