jtpereyda / boofuzz

A fork and successor of the Sulley Fuzzing Framework
GNU General Public License v2.0

Getting fuzzed data in post test case callback #368

Closed kmendoza-bt closed 3 years ago

kmendoza-bt commented 4 years ago

Is it possible to get the value of a primitive either from Target or Session instance passed to the post test case callback? I know the Session object has a "last_send" property; but, that would mean I have to parse out the raw message to extract the value I want to check on the remote side.

SR4ven commented 4 years ago

While this is not a feature of boofuzz, it is possible to get the current value of a primitive from the Session.

Small example I put together:

from boofuzz import *

def test(target, fuzz_data_logger, session, sock, *args, **kwargs):
    fuzz_data_logger.log_info(session.nodes[1].names["path"]._value)

s_initialize("HTTP")
with s_block("body"):
    s_static("GET")
    s_delim(" ", fuzzable=False)
    s_delim("/", fuzzable=False)
    s_string("index.html", name="path")
    s_delim(" ")
    s_string("HTTP")
    s_delim("/")
    s_string("1")
    s_delim(".")
    s_string("1")
    s_static("\r\n\r\n")

sess = Session(
    target=Target(connection=SocketConnection("127.0.0.1", 80, proto="tcp")),
    post_test_case_callbacks=[test],
    sleep_time=1,
)

sess.connect(s_get("HTTP"))  # Appends the HTTP-node to the list. The root node is 0 so HTTP is 1
sess.fuzz()

Not exactly convenient, but I guess it does the job.
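An added example (not from the boofuzz project or anyone in this thread) that builds on the snippet above: it looks the node up by name instead of hard-coding session.nodes[1], and checks that the primitive's current rendering actually appears in session.last_send, which is the value the remote side would have received. It assumes the boofuzz attributes used above (session.nodes mapping id to Request, Request.name, Request.names mapping name to primitive, and primitive.render() returning bytes); the Fake* classes are constructed stand-ins so the helpers run offline.

```python
def find_request(session, node_name):
    """Return the Request node called node_name, or None if it was never connected."""
    for node in session.nodes.values():
        if getattr(node, "name", None) == node_name:
            return node
    return None


def current_value(session, node_name, primitive_name):
    """Current (possibly mutated) rendering of one named primitive, as bytes."""
    request = find_request(session, node_name)
    if request is None:
        raise KeyError("no node named %r in session" % node_name)
    return request.names[primitive_name].render()


def value_was_sent(session, node_name, primitive_name):
    """True if the primitive's current bytes occur in the last transmitted message."""
    return current_value(session, node_name, primitive_name) in session.last_send


def post_test_case(target, fuzz_data_logger, session, sock, *args, **kwargs):
    # Same signature as the callback in the snippet above; logs the fuzzed
    # "path" field of the "HTTP" node and whether it really went over the wire.
    path = current_value(session, "HTTP", "path")
    sent = value_was_sent(session, "HTTP", "path")
    fuzz_data_logger.log_info("path is %d bytes, sent=%s" % (len(path), sent))


# Constructed stand-ins (not boofuzz classes) mimicking only the attributes used above.
class FakePrimitive:
    def __init__(self, value):
        self._value = value

    def render(self):
        return self._value.encode() if isinstance(self._value, str) else self._value


class FakeRequest:
    def __init__(self, name, names):
        self.name, self.names = name, names


class FakeSession:
    def __init__(self, nodes, last_send):
        self.nodes, self.last_send = nodes, last_send


def demo_session():
    """Constructed state after one HTTP test case: "path" mutated to a long string."""
    path = FakePrimitive("A" * 1024)
    http = FakeRequest("HTTP", {"path": path})
    root = FakeRequest("__ROOT_NODE__", {})
    return FakeSession({0: root, 1: http}, b"GET /" + path.render() + b" HTTP/1.1\r\n\r\n")
```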

jtpereyda commented 4 years ago

Thanks for the question @kmendoza-bt . I had started a refactor to decrease the statefulness of the message model. If something like that were to finish, we'd want to keep a reference around to the previous message's model for this kind of purpose.

kmendoza-bt commented 4 years ago

@SR4ven and @jtpereyda thank you for your responses. My apologies for just following up now; I've been diverted to other matters.

@jtpereyda

I had started a refactor to decrease the statefulness of the message model. If something like that were to finish, we'd want to keep a reference around to the previous message's model for this kind of purpose.

I have another use case where I have a field whose values need to be shared across blocks; so the definition looks like this:

from boofuzz import *

s_initialize("Preamble")
s_size("header", name="header_len")
with s_block("header"):
    s_string("abcdefg", name="msgid_preamble")
    s_string("Thing 1", name="message_name")

s_initialize("DataOne")
s_size("msg_info", name="msg_info_len")
with s_block("msg_info"):
    s_string("abcdefg", name="msgid_data_one")  # This needs to be the same data as "msgid_preamble" above
    s_string("Data For Thing 1", name="dataone_label")

# Target address is a placeholder; nodes are connected through a Session instance
sess = Session(target=Target(connection=SocketConnection("127.0.0.1", 80, proto="tcp")))
sess.connect(s_get("Preamble"))
sess.connect(s_get("Preamble"), s_get("DataOne"))

Could your refactor expand into supporting this? Let me know if you guys want me to file a new issue to discuss this further.

cq674350529 commented 4 years ago

@kmendoza-bt As to your case, since the Preamble and DataOne are two nodes, when fuzzing the node DataOne, the field msgid_preamble of node Preamble uses its original static value abcdefg.

Firstly I thought the s_mirror primitive should be expanded to achieve your purpose. However, this is not the case. To reach your goal, the s_string primitive should generate the exact same data for the fields msgid_preamble and msgid_data_one.

After looking roughly at the code of s_string, a simple way is to set a seed for random, since random.randint() is called when generating strings. (PS: if I understood your case correctly ... )

kmendoza-bt commented 4 years ago

@cq674350529 I'll look into s_mirror. If it's not in the documentation I'll make sure to contribute the change.

cq674350529 commented 4 years ago

@kmendoza-bt Currently, I'm not very clear on what you mean by "This needs to be the same data as "msgid_preamble" above". Let's make it clearer.

If what you want is:

  1. when fuzzing the node Preamble, the value of field msgid_data_one in node DataOne stays in sync with the value of field msgid_preamble in node Preamble
  2. when fuzzing the node DataOne, the value of field msgid_data_one in node DataOne stays in sync with the value of field msgid_preamble in node Preamble. Actually in this case, the value is simply abcdefg

Then, s_mirror may be expanded to accomplish it.

But if what you want is:

  1. when fuzzing the node DataOne, the value of field msgid_data_one in node DataOne needs to take all the values the field msgid_preamble has when fuzzing node Preamble

Then, s_mirror is not applicable. Instead, s_string may be expanded to accomplish it, as I mentioned already.

SR4ven commented 3 years ago

I think we've provided a few solutions for this problem. Thanks @cq674350529 and @kmendoza-bt. Don't hesitate to reopen.