Closed kmendoza-bt closed 3 years ago
While this is not a feature of boofuzz, it is possible to get the current value of a primitive from the Session.
Small example I put together:
```python
from boofuzz import *


def test(target, fuzz_data_logger, session, sock, *args, **kwargs):
    # Post-test-case callback: read the current value of the "path" primitive
    # straight from the request node instead of parsing session.last_send
    fuzz_data_logger.log_info(session.nodes[1].names["path"]._value)


s_initialize("HTTP")
with s_block("body"):
    s_static("GET")
    s_delim(" ", fuzzable=False)
    s_delim("/", fuzzable=False)
    s_string("index.html", name="path")
    s_delim(" ")
    s_string("HTTP")
    s_delim("/")
    s_string("1")
    s_delim(".")
    s_string("1")
    s_static("\r\n\r\n")

sess = Session(
    target=Target(connection=SocketConnection("127.0.0.1", 80, proto="tcp")),
    post_test_case_callbacks=[test],
    sleep_time=1,
)
sess.connect(s_get("HTTP"))  # Appends the HTTP node to the list. The root node is 0, so HTTP is 1
sess.fuzz()
```
Not exactly convenient, but I guess it does the job.
Thanks for the question @kmendoza-bt . I had started a refactor to decrease the statefulness of the message model. If something like that were to finish, we'd want to keep a reference around to the previous message's model for this kind of purpose.
@SR4ven and @jtpereyda thank you for your responses. My apologies for just following-up now; I've been diverted to other matters.
@jtpereyda
I had started a refactor to decrease the statefulness of the message model. If something like that were to finish, we'd want to keep a reference around to the previous message's model for this kind of purpose.
I have another use case where I have a field whose values need to be shared across blocks; so the definition looks like this:
```python
s_initialize("Preamble")
s_size("header", name="header_len")
with s_block("header"):
    s_string("abcdefg", name="msgid_preamble")
    s_string("Thing 1", name="message_name")

s_initialize("DataOne")
s_size("msg_info", name="msg_info_len")
with s_block("msg_info"):
    s_string("abcdefg", name="msgid_data_one")  # This needs to be the same data as "msgid_preamble" above
    s_string("Data For Thing 1", name="dataone_label")

s_connect(s_get("Preamble"))
s_connect(s_get("Preamble"), s_get("DataOne"))
```
Could your refactor expand into supporting this? Let me know if you guys want me to file a new issue to discuss this further.
@kmendoza-bt As to your case, since `Preamble` and `DataOne` are two nodes, when fuzzing the node `DataOne`, the field `msgid_preamble` of node `Preamble` uses its original static value `abcdefg`.
Firstly I think the `s_mirror` primitive should be expanded to achieve your purpose. However, this is not the case. To reach your goal, the `s_string` primitive should generate the exact same data for the fields `msgid_preamble` and `msgid_data_one`.
After looking roughly at the code of `s_string`, a simple way is to set a seed for the random, for `random.randint()` is called when generating strings. (PS: if I understood your case correctly ... )
@cq674350529 I'll look into s_mirror. If it's not in the documentation I'll make sure to contribute the change.
@kmendoza-bt Currently, I'm not very clear what you mean with "This needs to be the same data as `msgid_preamble` above". Let's make it more clear?
If what you want are:
- `Preamble`: the value of field `msgid_data_one` in node `DataOne` keeps sync to the value of field `msgid_preamble` in node `Preamble`
- `DataOne`: the value of field `msgid_data_one` in node `DataOne` keeps sync to the value of field `msgid_preamble` in node `Preamble`. Actually in this case, the value is simply `abcdefg`
Then `s_mirror` may be expanded to accomplish it.
But if what you want is:
- `DataOne`: the value of field `msgid_data_one` in node `DataOne` needs to be all values the field `msgid_preamble` have when fuzzing node `Preamble`
Then `s_mirror` is not applicable. Instead, `s_string` may be expanded to accomplish it, as I mentioned already.
I think we've provided a few solutions for this problem. Thanks @cq674350529 and @kmendoza-bt. Don't hesitate to reopen.
Is it possible to get the value of a primitive either from the Target or Session instance passed to the post test case callback? I know the Session object has a "last_send" property, but that would mean I have to parse out the raw message to extract the value I want to check on the remote side.