def push_header(self):
"""
struct MsgHeader {
int32 messageLength; // total message size, including this
int32 requestID; // identifier for this message
int32 responseTo; // requestID from the original request
// (used in reponses from db)
int32 opCode; // request type - see table below
}
opCode value Comments
OP_REPLY 1 Reply to a client request
OP_MSG 1000 generic msg command followed by a string
OP_UPDATE 2001 update document
OP_INSERT 2002 insert new document
RESERVED 2003 formerly used for OP_GET_BY_OID
OP_QUERY 2004 query a collection
OP_GET_MORE 2005 Get more data from a query. See Cursors
OP_DELETE 2006 Delete documents
OP_KILL_CURSORS 2007 Tell database client is done with a cursor
"""
# Size the inner block.
SulleyBlock.push(self, s_sizer(self.block_name,
self.request,
inclusive=True,
signed=True))
# Add the rest of the header to the inner block.
self.block.push(dword(self.requestID, signed=True))
if isinstance(self.responseTo, list):
self.block.push(group(self.block_name + "responseTo",
self.responseTo))
else:
self.block.push(dword(self.responseTo, signed=True))
self.block.push(dword(self.opCode, signed=True))
def __init__(self, name, request, value, options):
options = self.init_options(options, opCodes['query'])
MongoMsg.__init__(self, name, request, options)
# 255 is 11111111 in (unsigned) binary, which represents
# the first 8 flags beging turned on.
self.flags = options.get('flags', 255)
self.db = options.get('db', 'test')
self.collection = options.get('collection', 'fuzzing')
self.numberToSkip = options.get('numberToSkip', 8)
self.numberToReturn = options.get('numberToReturn', 20)
self.query = options.get('query', {})
self.returnFieldsSelector = options.get('returnFieldsSelector', {})
# int32 flags
self.push(dword(self.flags, signed=True))
# cstring fullCollectionName
self.push_namespace(self.db, self.collection)
# int32 numberToSkip
self.push(dword(self.numberToSkip, signed=True))
# int32 numberToReturn
self.push(dword(self.numberToReturn, signed=True))
# document query
self.push_bson_doc(self.query)
# [document returnFieldsSelector]
if self.returnFieldsSelector is not None:
self.push_bson_doc(self.returnFieldsSelector)
self.end_block()
def s_dword (value, endian="<", format="binary", signed=False, full_range=False, fuzzable=True, name=None, hex_vals=False):
'''
Push a double word onto the current block stack.
@see: Aliases: s_long(), s_int()
@type value: Integer
@param value: Default integer value
@type endian: Character
@param endian: (Optional, def=LITTLE_ENDIAN) Endianess of the bit field (LITTLE_ENDIAN: <, BIG_ENDIAN: >)
@type format: String
@param format: (Optional, def=binary) Output format, "binary" or "ascii"
@type signed: Boolean
@param signed: (Optional, def=False) Make size signed vs. unsigned (applicable only with format="ascii")
@type full_range: Boolean
@param full_range: (Optional, def=False) If enabled the field mutates through *all* possible values.
@type fuzzable: Boolean
@param fuzzable: (Optional, def=True) Enable/disable fuzzing of this primitive
@type name: String
@param name: (Optional, def=None) Specifying a name gives you direct access to a primitive
@type hex_vals: Boolean
@param hex_vals: (Optional, def=False) Only applicable when format="ascii". Return the hex representation of the fuzz values
'''
dword = primitives.dword(value, endian, format, signed, full_range, fuzzable, name, hex_vals)
blocks.CURRENT.push(dword)
def s_dword(value,
endian="<",
format="binary",
signed=False,
full_range=False,
fuzzable=True,
name=None):
'''
Push a double word onto the current block stack.
@see: Aliases: s_long(), s_int()
@type value: Integer
@param value: Default integer value
@type endian: Character
@param endian: (Optional, def=LITTLE_ENDIAN) Endianess of the bit field (LITTLE_ENDIAN: <, BIG_ENDIAN: >)
@type format: String
@param format: (Optional, def=binary) Output format, "binary" or "ascii"
@type signed: Boolean
@param signed: (Optional, def=False) Make size signed vs. unsigned (applicable only with format="ascii")
@type full_range: Boolean
@param full_range: (Optional, def=False) If enabled the field mutates through *all* possible values.
@type fuzzable: Boolean
@param fuzzable: (Optional, def=True) Enable/disable fuzzing of this primitive
@type name: String
@param name: (Optional, def=None) Specifying a name gives you direct access to a primitive
'''
dword = primitives.dword(value, endian, format, signed, full_range,
fuzzable, name)
blocks.CURRENT.push(dword)
def __init__(self, name, request, value, options={}):
"""Initialize."""
blocks.block.__init__(self, name, request, None, None, None, None)
self.value = value
self.options = options
if not self.value:
raise sex.SullyRuntimeError("MISSING LEGO.ber_integer DEFAULT VALUE")
self.push(primitives.dword(self.value, endian=">"))
def __init__(self, name, request, value, options={}):
blocks.block.__init__(self, name, request, None, None, None, None)
self.value = value
self.options = options
if not self.value:
raise sex.error("MISSING LEGO.ber_integer DEFAULT VALUE")
self.push(primitives.dword(self.value, endian=">"))
def __init__(self, name, request, value, options):
# Create the super class and push a header to the block.
options = self.init_options(options, opCodes['get_more'])
MongoMsg.__init__(self, name, request, options)
self.db = options.get("db", "test")
self.collection = options.get("collection", "fuzzing")
self.numberToReturn = options.get("numberToReturn", 35)
self.cursorID = options.get("cursorID", 34970110)
# int32 ZERO
self.push(dword(0, signed=True))
# cstring fullCollectionName
self.push_namespace(self.db, self.collection)
# int32 numberToReturn
self.push(dword(self.numberToReturn, signed=True))
# int64 numberToReturn
self.push(qword(self.cursorID, signed=True))
self.end_block()
def __init__(self, name, request, value, options):
# Create the super class and push a header to the block.
options = self.init_options(options, opCodes['kill_cursors'])
MongoMsg.__init__(self, name, request, options)
self.numberOfCursorIDs = options.get('numberOfCursorIDs', 10)
self.cursorIDs = options.get('cursorIDs', None)
if not self.cursorIDs or len(self.cursorIDs) != self.numberOfCursorIDs:
self.cursorIDs = []
for i in xrange(self.numberOfCursorIDs):
self.cursorIDs.append(randint(0,2**63-1))
# int32 ZERO
self.push(dword(0, signed=True))
# int32 numberOfCursorIDs
self.push(dword(self.numberOfCursorIDs, signed=True))
# int64* cursorIDs
for cursor_id in self.cursorIDs:
self.push(qword(cursor_id, signed=True))
self.end_block()
def __init__(self, name, request, value, options):
# Create the super class and push a header to the block.
options = self.init_options(options, opCodes['update'])
MongoMsg.__init__(self, name, request, options)
self.db = options.get("db", "test")
self.collection = options.get("collection", "fuzzing")
self.flags = options.get("flags", 2)
self.selector = options.get("selector", {})
self.update = options.get("update", {})
# int32 ZERO
self.push(dword(0, signed=True))
# cstring fullCollectionname
self.push_namespace(self.db, self.collection)
# int32 flags
self.push(dword(self.flags, signed=True))
# document selector
self.push_bson_doc(self.selector)
# document update
self.push_bson_doc(self.update)
self.end_block()
def __init__(self, name, request, value, options):
# Create the super class and push a header to the block.
options = self.init_options(options, opCodes['delete'])
MongoMsg.__init__(self, name, request, options)
self.db = options.get("db", "test")
self.collection = options.get("collection", "fuzzing")
# Bit 0 represents SingleRemove.
self.flags = options.get("flags", [pack('<i',0), pack('<i', 1)])
self.selector = options.get("selector", {})
# int32 ZERO
self.push(dword(0, signed=True))
# cstring fullCollectionname
self.push_namespace(self.db, self.collection)
# int32 flags
if isinstance(self.flags, list):
self.block.push(group(name + "Flags",
self.flags))
else:
self.block.push(dword(self.flags, signed=True))
# document selector
self.push_bson_doc(self.selector)
self.end_block()
def __init__(self, name, request, value, options={}):
blocks.block.__init__(self, name, request, None, None, None, None)
self.value = value
self.options = options
# fuzz by default
if self.options.has_key('fuzzable'):
fuzzable = self.options['fuzzable']
else:
fuzzable = True
self.push(primitives.string("q", fuzzable=fuzzable))
self.push(primitives.delim("="))
self.push(primitives.string("0", fuzzable=fuzzable))
self.push(primitives.delim("."))
self.push(
primitives.dword(5, fuzzable=True, signed=True, format="ascii"))
def __init__(self, name, request, value, options):
# Create the super class and push a header to the block.
options = self.init_options(options, opCodes['insert'])
MongoMsg.__init__(self, name, request, options)
self.flags = options.get("flags", 1)
self.db = options.get("db", "test")
self.collection = options.get("collection", "fuzzing")
self.documents = options.get("documents", [{}])
# int32 flags
self.push(dword(self.flags, signed=True))
# cstring fullCollectionname
self.push_namespace(self.db, self.collection)
# document* documents
for doc in self.documents:
self.push_bson_doc(doc)
self.end_block()