def __init__(self,
value,
fuzz_value=True,
fuzz_length=True,
fuzz_delim=True,
name=None):
'''
:param value: str, will be enclosed in String
:param fuzz_value: bool (default: True)
:param fuzz_length: bool (default: True)
:param fuzz_delim: bool (default: True)
:param name: name of container (default: None)
'''
name = name if name is not None else _unique_name(type(self).__name__)
if isinstance(value, str):
fvalue = String(value=value,
fuzzable=fuzz_value,
name=_merge(name, 'value'))
else:
fvalue = value
fvalue_name = fvalue.get_name()
super(TString,
self).__init__(name=name,
fields=[
SizeInBytes(sized_field=fvalue_name,
length=32,
encoder=ENC_INT_DEC,
fuzzable=fuzz_length,
name=_merge(name, 'length')),
Delimiter(value=':',
fuzzable=fuzz_delim,
name=_merge(name, 'delim')), fvalue
])
def __init__(self,
data='',
fuzz_delims=False,
fuzz_param=False,
fuzz_value=True,
fuzzable=True,
name=None):
'''
:param data: data string (default: '')
:param fuzz_delims: should fuzz the delimiters (default: False)
:param name: name of container (default: None)
:param fuzzable: should fuzz the container (default: True)
'''
fields = []
for i, part in enumerate(data.split('&')):
part = part.split('=')
if len(fields) >= 1:
fields.append(
Delimiter(name='search_delim_%d' % i,
value='&',
fuzzable=fuzz_delims))
fields.append(
Container(name='param_%s' % part[0],
fields=[
String(name='search_%d_key' % i,
value=part[0],
fuzzable=fuzz_param),
Delimiter(value='=', fuzzable=fuzz_delims),
String(name='search_%d_value' % i,
value=part[1],
fuzzable=fuzz_value)
]))
super(PostFormUrlencoded, self).__init__(name=name,
fields=fields,
fuzzable=fuzzable)
def __init__(self, fields={}, fuzz_keys=True, fuzz_delims=True, name=None):
'''
:param fields: dictionary of strings and torrent fields
:fuzz_delims: bool (default: True)
:param name: name of container (default: None)
'''
name = name if name is not None else _unique_name(type(self).__name__)
dictionary_fields = []
for k, v in fields.items():
dictionary_fields.append(
Container(name=_merge(name, 'container', k),
fields=[
TString(value=k,
fuzz_value=fuzz_keys,
fuzz_length=fuzz_keys,
fuzz_delim=fuzz_delims,
name=_merge(name, 'key', k)), v
]))
super(TDict, self).__init__(
name=name,
fields=[
String(value='d',
max_size=1,
fuzzable=fuzz_delims,
name=_merge(name, 'start')),
TakeFrom(name=_merge(name, 'fields'),
fields=dictionary_fields,
min_elements=len(dictionary_fields) / 2),
String(value='e',
max_size=1,
fuzzable=fuzz_delims,
name=_merge(name, 'end'))
])
def __init__(self, the_type, fuzz_delims=True, fuzzable=True, name=None):
'''
:type the_type: str
:param the_type: the FTP type
:param fuzz_delims: should fuzz delimiters (default: True)
:param fuzzable: is the container fuzzable (default: True)
:param name: name of the container (default: None)
'''
super(FType, self).__init__(
name=name,
fuzzable=fuzzable,
fields=[
Delimiter(name='delim from path',
value=';',
fuzzable=fuzz_delims),
String(name='key', value='ftype'),
Delimiter(name='delim from value',
value='=',
fuzzable=fuzz_delims),
OneOf(name='file type',
fields=[
Group(name='possible valid values',
values=['A', 'I', 'D', 'a', 'i', 'd']),
String(name='mutations', value=the_type),
])
])
def __init__(self,
key,
username,
password,
end=False,
delim=':',
fuzz_username=True,
fuzz_password=True,
fuzzable_key=False,
fuzzable=True):
value_field = [
Static('Basic '),
Container(name='base64_auth',
fields=[
String(name='username',
value=username,
fuzzable=fuzz_username),
Delimiter(delim, fuzzable=False),
String(name='password',
value=password,
fuzzable=fuzz_password),
],
encoder=ENC_BITS_BASE64)
]
super(AuthorizationField, self).__init__(key, value_field, end,
fuzzable_key, fuzzable)
def __init__(self,
path=None,
path_delim='/',
fuzz_delims=True,
fuzzable=True,
name=None):
'''
:type path: str
:param path: path string
:param path_delim: delimiter in the path str
:param fuzz_delims: should fuzz the delimiters (default: False)
:param name: name of container (default: None)
:param fuzzable: should fuzz the container (default: True)
'''
fields = []
if path is not None:
fields.append(
Delimiter(name='main delim', value='/', fuzzable=fuzz_delims))
path_parts = path.split(path_delim)
if not path_parts[0]:
path_parts = path_parts[1:]
for i in range(len(path_parts) - 1):
fields.append(
String(name='path part %d' % i, value=path_parts[i]))
fields.append(
Delimiter(name='path delim %d' % i,
value=path_delim,
fuzzable=fuzz_delims))
fields.append(String(name='path last part', value=path_parts[-1]))
super(Path, self).__init__(name=name, fields=fields, fuzzable=fuzzable)
def __init__(self,
search='',
fuzz_delims=False,
fuzz_param=False,
fuzz_value=True,
fuzzable=True,
name=None):
'''
:param search: search string (default: '')
:param fuzz_delims: should fuzz the delimiters (default: False)
:param name: name of container (default: None)
:param fuzzable: should fuzz the container (default: True)
'''
fields = [
Delimiter(name='search main delim',
value='?',
fuzzable=fuzz_delims),
]
for i, part in enumerate(search.split('&')):
part = part.split('=')
fields.append(
Container(name='param_%s' % part[0],
fields=[
String(name='search_%d_key' % i,
value=part[0],
fuzzable=fuzz_param),
Delimiter(value='=', fuzzable=fuzz_delims),
String(name='search_%d_value' % i,
value=part[1],
fuzzable=fuzz_value)
]))
super(Search, self).__init__(name=name,
fields=fields,
fuzzable=fuzzable)
def testCorrectCallbackIsCalledForAllEdgesInPath(self):
template1 = Template(name='template1', fields=String('str1'))
template2 = Template(name='template2', fields=String('str2'))
template3 = Template(name='template3', fields=String('str3'))
self.cb2_call_count = 0
self.cb3_call_count = 0
def t1_t2_cb(fuzzer, edge, response):
self.assertEqual(fuzzer, self.fuzzer)
self.assertEqual(edge.src, template1)
self.assertEqual(edge.dst, template2)
self.cb2_call_count += 1
def t2_t3_cb(fuzzer, edge, response):
self.assertEqual(fuzzer, self.fuzzer)
self.assertEqual(edge.src, template2)
self.assertEqual(edge.dst, template3)
self.cb3_call_count += 1
model = GraphModel()
model.logger = self.logger
model.connect(template1)
model.connect(template1, template2, t1_t2_cb)
model.connect(template2, template3, t2_t3_cb)
self.model = model
self.fuzzer.set_model(model)
self.fuzzer.set_range()
self.fuzzer.start()
self.assertEqual(template2.num_mutations() + template3.num_mutations(),
self.cb2_call_count)
self.assertEqual(template3.num_mutations(), self.cb3_call_count)
def testAbsoluteOffsetOfPreFieldNotAtTheBeginning(self):
uut = self.get_default_field()
pre_field = String(name='first', value='first')
container = Container(name='container', fields=[pre_field, self.to, uut])
while container.mutate():
container.render()
uut_rendered = uut.render()
uut_val = unpack('>I', uut_rendered.tobytes())[0]
self.assertEqual(len(pre_field.render()), uut_val)
def testCorrectOffsetIsSetMiddleFieldSingleLevel(self):
uut = self.get_default_field()
first_field = String('Reykjavik', name='first_field')
con = Container(name='container', fields=[first_field, uut])
con.render()
self.assertEqual(uut.get_offset(), len(first_field.render()))
while con.mutate():
con.render()
self.assertEqual(uut.get_offset(), len(first_field.render()))
def testCorrectionInt(self):
self.correction = 5
uut = self.get_default_field()
pre_field = String(name='first', value='first')
container = Container(name='container', fields=[pre_field, self.to, uut])
while container.mutate():
container.render()
uut_rendered = uut.render()
uut_val = unpack('>I', uut_rendered.tobytes())[0]
self.assertEqual(len(pre_field.render()) + 5, uut_val)
def __init__(self, handler_type, component_name, fuzzable=True):
super(HdlrBox, self).__init__("hdlr", fields=[
String(name="predefined", value="\x00\x00\x00\x00", fuzzable=False),
String(name="handler_type", value=handler_type, fuzzable=False),
String(name="manufacturer", value="appl", fuzzable=False),
BE32(name="component_flags", value=0x00000000),
BE32(name="component_mask", value=0x00000000),
String(name="component_name", value=component_name,
encoder=STR_ENC_NULLTERM),
], fuzzable=fuzzable)
def __init__(self, name, fuzzable=False):
'''
:param name: block name
:param fuzzable: should we fuzz this field (default: False)
'''
field = String('null', fuzzable=fuzzable, name=_valuename(name))
super(JsonNull, self).__init__(field, name=name)
def get_templates(self):
res = []
for i in range(20):
name = 't%d' % i
value = 'd%d' % i
res.append(Template(name=name, fields=[String(value)]))
return res
def new_model(self):
model = GraphModel()
model.logger = self.logger
model.connect(
Template(name='simple_str_template',
fields=[String(name='str1', value='kitty')]))
return model
def __init__(self,
key,
value,
keep_size=False,
encoder=ENC_STR_DEFAULT,
fuzzable=True,
name=None):
'''
:param key: key for data in the session information
:param value: the default value of the Dynamic field
:param keep_size: should limit the size of the string based on the original string (default: False)
:param encoder: string encoder (default: ``ENC_STR_DEFAULT``)
:param fuzzable: is this field fuzzable (default: True)
:param name: name of the container (default: None)
'''
str_len = len(value) if keep_size else None
additional_field = String(value=value,
max_size=str_len,
encoder=encoder,
name=_join_name(name, 'string'))
if keep_size:
additional_field = Pad(str_len * 8,
fields=additional_field,
name=_join_name(name, 'string_wrap'))
super(DynamicString, self).__init__(key=key,
value=value,
additional_field=additional_field,
fuzzable=fuzzable,
name=name)
def testContainerWithInternalContainer(self):
container = Container(name=self.depends_on_name,
fields=[
String('abc'),
String('def'),
Container(name='counts_as_one',
fields=[
String('ghi'),
String('jkl'),
])
])
uut = self.get_default_field()
full = Container([container, uut])
full.render()
self.assertEqual(uut.render(), self.calculate(container))
del full
def __init__(self,
method='GET',
uri='/',
protocol='HTTP',
version=1.0,
fuzzable_method=False,
fuzzable_uri=False,
fuzzable=True):
method_value = [method] if isinstance(method, str) else method
parsed = urlparse(uri)
uri_value = [Path(parsed.path, name='path', fuzz_delims=False)]
if parsed.query:
uri_value.append(
Search(parsed.query, name='search', fuzz_value=True))
fields = [
Group(name='method', values=method_value,
fuzzable=fuzzable_method),
Static(' '),
Container(name='uri', fields=uri_value, fuzzable=fuzzable_uri),
Static(' '),
String(name='protocol', value=protocol, fuzzable=False),
Float(name='version', value=version),
Static('\r\n'),
]
super(HttpRequestLine, self).__init__(name='http url',
fields=fields,
fuzzable=fuzzable)
def test_default_value(self):
additional_field = String('the_string')
uut = DynamicExtended(key=self.the_key,
value=self.def_value,
additional_field=additional_field)
res = uut.render().bytes
self.assertEqual(res, self.def_value)
def __init__(self, name, fields, fuzzable=True):
header = Container(name="header", fields=[
SizeInBytes(name="length", sized_field=self, length=32, encoder=ENC_INT_BE),
String(name="name", value=name, fuzzable=False)
])
content = Container(name="content", fields=fields)
super(Mp4Box, self).__init__(name=name.replace("\xa9", "\\xa9"), fields=[header, content],
fuzzable=fuzzable)
def testInternalContainer(self):
internal_container = Container(name=self.depends_on_name,
fields=[
String('ghi', name='field3'),
String('jkl', name='field4'),
])
container = Container(name='this_doesnt_count',
fields=[
String('abc', name='field1'),
String('def', name='field2'),
internal_container
])
uut = self.get_default_field()
full = Container([container, uut])
full.render()
self.assertEqual(uut.render(), self.calculate(internal_container))
del full
def test_not_fuzzable(self):
additional_field = String('the_string')
uut = DynamicExtended(key=self.the_key,
value=self.def_value,
additional_field=additional_field,
fuzzable=False)
res = uut.render().bytes
self.assertEqual(res, self.def_value)
self.assertEqual(uut.num_mutations(), 0)
def __init__(self,
data=b'',
boundary=b'',
fuzz_delims=False,
fuzz_param=False,
fuzz_value=True,
name=None):
self.separator = b'--%s' % boundary
self.terminator = b'--%s--' % boundary
multipart = self.multipart2json_parse(data)
fields = []
for item in multipart:
fields += [
Delimiter(self.separator, fuzzable=fuzz_delims),
Static(b'\r\n')
]
inner_container_header = []
ContentDisposition = item.get(b'header').get(
b'Content-Disposition').get(b'params')
var_name = ContentDisposition.get(b'name')
var_value = item.get(b'value')
for header_field in item.get(b'header'):
header_value = item.get(b'header')[header_field].get(b'value')
header_params = item.get(b'header')[header_field].get(
b'params')
multipart_header_name = '%s_%s' % (header_field.decode(),
var_name.decode())
inner_container_header.append(
TextField(key=header_field,
value=header_value,
params=header_params,
name=multipart_header_name,
fuzzable_key=fuzz_param,
fuzzable_value=fuzz_value))
inner_container_header.append(Static(b'\r\n'))
fields.append(
Container(fields=inner_container_header,
name='%s_header' % var_name))
# Append multipart param value
if var_value.isdigit():
fields.append(
DecimalNumber(name="multipart_value_%s" %
var_name.decode(),
num_bits=bit_length(int(var_value)),
value=int(var_value),
signed=True))
else:
fields.append(String(var_value))
fields.append(Static(b'\r\n'))
# Append terminator boundary
fields += [
Delimiter(self.terminator, fuzzable=fuzz_delims),
Static(b'\r\n')
]
super(PostMultipartFormData, self).__init__(name=name,
fields=fields,
fuzzable=fuzz_value)
def _testCorrectIndex(self, expected_index):
field_list = [String('%d' % i) for i in range(20)]
field_list[expected_index] = self.get_original_field()
uut = self.get_default_field()
t = Container(name='level1', fields=[uut, Container(name='level2', fields=field_list)])
rendered = uut.render().tobytes()
result = unpack('>I', rendered)[0]
self.assertEqual(result, expected_index)
del t
def setUp(self):
super(WebInterfaceTest, self).setUp(None)
self.t_str = Template(name='simple_str_template', fields=[String(name='str1', value='kitty')])
self.t_int = Template(name='simple_int_template', fields=[UInt32(name='int1', value=0x1234)])
self.fuzzer = None
self.host = '127.0.0.1'
self.port = 11223
self.url = 'http://%(host)s:%(port)s' % {'host': self.host, 'port': self.port}
self.prepare()
def __init__(self,
key,
value,
end=False,
fuzzable_key=False,
fuzzable_value=True):
value_field = [String(name="value", value=value)]
super(TextField, self).__init__(key, value_field, end, fuzzable_key,
fuzzable_value)
def test_vanilla(self):
similar_string = String(self.def_value)
uut = DynamicString(key=self.the_key, value=self.def_value)
similar_mutations = get_mutation_set(similar_string)
uut_mutations = get_mutation_set(uut)
if not any(x in uut_mutations for x in similar_mutations):
raise AssertionError(
'Not all similar_mutations are in uut_mutations')
self.assertGreater(len(uut_mutations), len(similar_mutations))
def setUp(self):
self.logger = get_test_logger()
self.logger.debug('TESTING METHOD: %s', self._testMethodName)
self.t_str = Template(name='simple_str_template', fields=[String(name='str1', value='kitty')])
self.t_int = Template(name='simple_int_template', fields=[UInt32(name='int1', value=0x1234)])
self.fuzzer = None
self.prepare()
def get_stage_map(self):
stages = {}
for i in range(1, 4):
s = Stage(str(i), str(i), 1234)
for n in range(i):
name = 't%d_%d' % (i, n)
value = 'd%d_%d' % (i, n)
s.add_template(Template(name=name, fields=[String(value)]))
stages[s] = i
return stages
def __init__(self, tag, fuzzable=True):
name = 'end_tag_%s' % tag
fields = [
Group(['<', '', '</'], fuzzable=False),
String(name=name, value=tag),
Group(['>', '', ' />'], fuzzable=False),
]
super(endTag, self).__init__(name='container_%s' % name,
fields=fields,
fuzzable=fuzzable)
def __init__(self, value, fuzz_value=True, fuzz_length=True, fuzz_delim=True, name=None):
'''
:param value: str, will be enclosed in String
:param fuzz_value: bool (default: True)
:param fuzz_length: bool (default: True)
:param fuzz_delim: bool (default: True)
:param name: name of container (default: None)
'''
name = name if name is not None else _unique_name(type(self).__name__)
if isinstance(value, str):
fvalue = String(value=value, fuzzable=fuzz_value, name=_merge(name, 'value'))
else:
fvalue = value
fvalue_name = fvalue.get_name()
super(TString, self).__init__(name=name, fields=[
SizeInBytes(sized_field=fvalue_name, length=32, encoder=ENC_INT_DEC, fuzzable=fuzz_length, name=_merge(name, 'length')),
Delimiter(value=':', fuzzable=fuzz_delim, name=_merge(name, 'delim')),
fvalue
])
def testCallbackIsCalledBetweenTwoNodes(self):
template1 = Template(name='template1', fields=String('str1'))
template2 = Template(name='template2', fields=String('str2'))
self.cb_call_count = 0
def t1_t2_cb(fuzzer, edge, response):
self.assertEqual(fuzzer, self.fuzzer)
self.assertEqual(edge.src, template1)
self.assertEqual(edge.dst, template2)
self.cb_call_count += 1
model = GraphModel()
model.logger = self.logger
model.connect(template1)
model.connect(template1, template2, t1_t2_cb)
self.model = model
self.fuzzer.set_model(model)
self.fuzzer.set_range()
self.fuzzer.start()
self.assertEqual(template2.num_mutations(), self.cb_call_count)
