308 lines
7.0 KiB
Ruby
308 lines
7.0 KiB
Ruby
module Msf
|
|
|
|
###
|
|
#
|
|
# This module provides methods useful for developing fuzzers
|
|
#
|
|
###
|
|
module Auxiliary::Fuzzer
|
|
|
|
#
|
|
# Creates an instance of a fuzzer module
|
|
#
|
|
def initialize(info = {})
|
|
super
|
|
register_advanced_options([
|
|
OptString.new('FuzzTracer', [ true, 'Sets the magic string to embed into fuzzer string inputs', 'MSFROCKS']),
|
|
OptString.new('FuzzChar', [ true, 'Sets the character to use for generating long strings', 'X'])
|
|
], Msf::Auxiliary::Fuzzer)
|
|
end
|
|
|
|
|
|
#
|
|
# Self-reflective iterators
|
|
#
|
|
def fuzz_numbers
|
|
res = []
|
|
self.methods.sort.grep(/^fuzzer_number/).each do |m|
|
|
@last_fuzzer_input = m
|
|
block_given? ? self.send(m) {|x| yield(x) } : (res << self.send(m))
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzz_strings
|
|
res = []
|
|
self.methods.sort.grep(/^fuzzer_string/).each do |m|
|
|
@last_fuzzer_input = m
|
|
block_given? ? self.send(m) {|x| yield(x) } : (res << self.send(m))
|
|
end
|
|
res
|
|
end
|
|
|
|
#
|
|
# General input mangling routines
|
|
#
|
|
|
|
# Modify each byte of the string moving forward
|
|
def fuzz_string_corrupt_byte(str,max=nil)
|
|
res = []
|
|
0.upto(max ? [max,str.length-1].min : (str.length - 1)) do |offset|
|
|
0.upto(255) do |val|
|
|
@last_fuzzer_input = "fuzz_string_corrupt_byte offset:#{offset}/#{str.length} byte:#{val}"
|
|
buf = str.dup
|
|
buf[offset,1] = [val].pack('C')
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
# Modify each byte of the string moving backward
|
|
def fuzz_string_corrupt_byte_reverse(str,max=nil)
|
|
res = []
|
|
(max ? [max,str.length-1].min : (str.length - 1)).downto(0) do |offset|
|
|
0.upto(255) do |val|
|
|
@last_fuzzer_input = "fuzz_string_corrupt_byte_reverse offset:#{offset}/#{str.length} byte:#{val}"
|
|
buf = str.dup
|
|
buf[offset,1] = [val].pack('C')
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
#
|
|
# Useful generators (many derived from AxMan)
|
|
#
|
|
|
|
def fuzzer_string_format
|
|
res = %W{ %s %p %n %x %@ %.257d %.65537d %.2147483648d %.257f %.65537f %.2147483648f}
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_string_filepath_dos
|
|
res = %W{ aux con nul com1 com2 com3 com4 lpt1 lpt2 lp3 lpt4 prn }
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_number_power2
|
|
res = [
|
|
0x100000000,
|
|
0x80000000,
|
|
0x40000000,
|
|
0x20000000,
|
|
0x10000000,
|
|
0x01000000,
|
|
0x00100000,
|
|
0x00010000,
|
|
0x00001000,
|
|
0x00000100,
|
|
0x00000010,
|
|
0x00000001
|
|
]
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_number_power2_plus
|
|
res = []
|
|
fuzzer_number_power2 do |num|
|
|
res << num + 1
|
|
res << num + 2
|
|
res << num - 1
|
|
res << num - 2
|
|
res << num * -1
|
|
res << (num + 1) * -1
|
|
res << (num + 2) * -1
|
|
end
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_gen_string(len)
|
|
@gen_string_block ||= datastore['FuzzChar'][0,1] * (1024 * 512)
|
|
res = ''
|
|
while (res.length < len)
|
|
res += @gen_string_block
|
|
end
|
|
res[0,len]
|
|
end
|
|
|
|
def fuzzer_string_small
|
|
res = []
|
|
16.step(512,16) do |len|
|
|
buf = fuzzer_gen_string(len)
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_long
|
|
res = []
|
|
64.step(8192,64) do |len|
|
|
buf = fuzzer_gen_string(len)
|
|
buf[len / 2, datastore['FuzzTracer'].length] = datastore['FuzzTracer']
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_giant
|
|
res = []
|
|
512.step(65532 * 2, 512) do |len|
|
|
buf = fuzzer_gen_string(len)
|
|
buf[len / 2, datastore['FuzzTracer'].length] = datastore['FuzzTracer']
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_uri_types
|
|
res = %W{
|
|
aaa aaas about acap adiumxtra afp aim apt aw bolo callto cap chrome cid
|
|
content crid cvs data dav designates dict disk dns doi ed2k example examples
|
|
fax feed file finger fish ftp gg gizmoproject go gopher h323 hcp http https
|
|
iax2 icap im imap info ipp irc ircs iris iris.beep iris.lws iris.xpc iris.xpcs
|
|
itms jar javascript keyparc lastfm ldap ldaps lsid magnet mailto mid mms modem
|
|
ms-help msnim msrp msrps mtqp mupdate mvn news nfs nntp notes opaquelocktoken
|
|
over pop pres prospero psyc res rlogin rmi rsync rtsp secondlife service sftp
|
|
sgn shell shttp sip sips skype smb sms snews snmp soap.beep soap.beeps soldat
|
|
ssh steam svn tag teamspeak tel telephone telnet tftp thismessage tip tv unreal
|
|
urn ut2004 vbscript vemmi ventrilo view-source wais webcal worldwind wtai wyciwyg
|
|
wysiwyg xfire xmlrpc.beep xmpp xri ymsgr z39.50r z39.50s
|
|
}
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_string_uri_dividers
|
|
res = %W{ : :// }
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_string_path_prefixes
|
|
res = %W{ C:\\ \\\\localhost\\ / }
|
|
block_given? ? res.each { |n| yield(n) } : res
|
|
end
|
|
|
|
def fuzzer_string_uris_small
|
|
res = []
|
|
fuzzer_string_uri_types do |proto|
|
|
fuzzer_string_uri_dividers do |div|
|
|
fuzzer_string_small do |str|
|
|
buf = proto + div + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_uris_long
|
|
res = []
|
|
fuzzer_string_uri_types do |proto|
|
|
fuzzer_string_uri_dividers do |div|
|
|
fuzzer_string_long do |str|
|
|
buf = proto + div + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_uris_giant
|
|
res = []
|
|
fuzzer_string_uri_types do |proto|
|
|
fuzzer_string_uri_dividers do |div|
|
|
fuzzer_string_giant do |str|
|
|
buf = proto + div + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_uris_format
|
|
res = []
|
|
fuzzer_string_uri_types do |proto|
|
|
fuzzer_string_uri_dividers do |div|
|
|
fuzzer_string_format do |str|
|
|
buf = proto + div + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_uris_dos
|
|
res = []
|
|
fuzzer_string_uri_types do |proto|
|
|
fuzzer_string_uri_dividers do |div|
|
|
fuzzer_string_filepath_dos do |str|
|
|
buf = proto + div + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_paths_small
|
|
res = []
|
|
fuzzer_string_path_prefixes do |pre|
|
|
fuzzer_string_small do |str|
|
|
buf = pre + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_paths_long
|
|
res = []
|
|
fuzzer_string_path_prefixes do |pre|
|
|
fuzzer_string_long do |str|
|
|
buf = pre + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_paths_giant
|
|
res = []
|
|
fuzzer_string_path_prefixes do |pre|
|
|
fuzzer_string_giant do |str|
|
|
buf = pre + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_paths_format
|
|
res = []
|
|
fuzzer_string_path_prefixes do |pre|
|
|
fuzzer_string_format do |str|
|
|
buf = pre + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
def fuzzer_string_paths_dos
|
|
res = []
|
|
fuzzer_string_path_prefixes do |pre|
|
|
fuzzer_string_filepath_dos do |str|
|
|
buf = pre + str
|
|
block_given? ? yield(buf) : (res << buf)
|
|
end
|
|
end
|
|
res
|
|
end
|
|
|
|
end
|
|
end
|