Module: Ronin::Fuzzing

Defined in:

lib/ronin/fuzzing.rb,
lib/ronin/fuzzing/fuzzer.rb,
lib/ronin/fuzzing/mutator.rb,
lib/ronin/fuzzing/repeater.rb,
lib/ronin/fuzzing/template.rb

Overview

Contains class-methods which generate malicious data for fuzzing.

See Also:

• Fuzzing.[]

Defined Under Namespace

Classes: Fuzzer, Mutator, Repeater, Template

Constant Summary

SHORT_LENGTHS =

Short String lengths

Set[1, 100, 500, 1_000, 10_000]

LONG_LENGTHS =

Long String lengths

Set[
  128, 255, 256, 257, 511, 512, 513, 1023, 1024, 2048, 2049, 4095,
  4096, 4097, 5_000, 10_000, 20_000, 32762, 32763, 32764, 32765, 32766,
  32767, 32768, 32769,
  0xffff-2, 0xffff-1, 0xffff, 0xffff+1, 0xffff+2,
  99_999, 100_000, 500_000, 1_000_000
]

NULL_BYTES =

Null bytes in various encodings

['%00', '%u0000', "\x00"]

NEW_LINES =

Newline characters

["\n", "\r", "\n\r"]

FORMAT_STRINGS =

Format String flags

['%p', '%s', '%n']

Class Method Summary

• .[](name) ⇒ Enumerator

  Returns a fuzzer method.

• .bad_paths {|path| ... } ⇒ Object

  Various bad paths and directory traversals.

• .bad_strings {|string| ... } ⇒ Object

  Various bad-strings.

• .bit_fields {|bitfield| ... } ⇒ Object

  The range of bit-fields.

• .format_strings {|fmt_string| ... } ⇒ Object

  Various format-strings.

• .int16 {|int| ... } ⇒ Object

  The range of signed 16bit integers.

• .int32 {|int| ... } ⇒ Object

  The range of signed 32bit integers.

• .int64 {|int| ... } ⇒ Object

  The range of signed 64bit integers.

• .int8 {|int| ... } ⇒ Object

  The range of signed 8bit integers.

• .signed_bit_fields {|bitfield| ... } ⇒ Object

  The range of signed bit-fields.

• .sint16 {|int| ... } ⇒ Object

  The range of negative-signed 16bit integers.

• .sint32 {|int| ... } ⇒ Object

  The range of negative-signed 32bit integers.

• .sint64 {|int| ... } ⇒ Object

  The range of negative-signed 64bit integers.

• .sint8 {|int| ... } ⇒ Object

  The range of negative-signed 8bit integers.

• .uint16 {|int| ... } ⇒ Object

  The range of unsigned 16bit integers.

• .uint32 {|int| ... } ⇒ Object

  The range of unsigned 32bit integers.

• .uint64 {|int| ... } ⇒ Object

  The range of unsigned 64bit integers.

• .uint8 {|int| ... } ⇒ Object

  The range of unsigned 8bit integers.

Class Method Details

.[](name) ⇒ Enumerator

Returns a fuzzer method.

Parameters:

• name (Symbol) —

  The name of the fuzzer to return.

Returns:

• (Enumerator) —

  An Enumerator for the fuzzer method.

Raises:

• (NoMethodError) —

  The fuzzing method could not be found.

# File 'lib/ronin/fuzzing.rb', line 71

def self.[](name)
  if (!respond_to?(name) || Module.respond_to?(name))
    raise(NoMethodError,"no such fuzzing method: #{name}")
  end

  return enum_for(name)
end

.bad_paths {|path| ... } ⇒ Object

Various bad paths and directory traversals.

Yields:

• (path) —

  The given block will be passed each path.

Yield Parameters:

• path (String) —

  A known bad path.

# File 'lib/ronin/fuzzing.rb', line 151

def bad_paths(&block)
  padding = 'A' * 5_000

  yield "/.:/#{padding}\x00\x00"
  yield "/.../#{padding}\x00\x00"

  yield "\\\\*"
  yield "\\\\?\\"

  yield "/\\" * 5_000
  yield '/.'  * 5_000

  NULL_BYTES.each do |c|
    if c.start_with?('%')
      yield "#{c}/"
      yield "/#{c}"
      yield "/#{c}/"
    end
  end
end

.bad_strings {|string| ... } ⇒ Object

Various bad-strings.

Yields:

• (string) —

  The given block will be passed each bad-string.

Yield Parameters:

• string (String) —

  A bad-string containing known control characters, deliminators or null-bytes (see NULL_BYTES), of varying length (see SHORT_LENGTHS and LONG_LENGTHS).

# File 'lib/ronin/fuzzing.rb', line 92

def bad_strings(&block)
  yield ''

  chars = [
    'A', 'a', '1', '<', '>', '"', "'", '/', "\\", '?', '=', 'a=', '&',
    '.', ',', '(', ')', ']', '[', '%', '*', '-', '+', '{', '}',
    "\x14", "\xfe", "\xff"
  ]
  
  chars.each do |c|
    LONG_LENGTHS.each { |length| yield c * length }
  end

  yield '!@#$%%^#$%#$@#$%$$@#$%^^**(()'
  yield '%01%02%03%04%0a%0d%0aADSF'
  yield '%01%02%03@%04%0a%0d%0aADSF'

  NULL_BYTES.each do |c|
    SHORT_LENGTHS.each { |length| yield c * length }
  end

  yield "%\xfe\xf0%\x00\xff"
  yield "%\xfe\xf0%\x00\xff" * 20

  SHORT_LENGTHS.each do |length|
    yield "\xde\xad\xbe\xef" * length
  end

  yield "\n\r" * 100
  yield "<>"   * 500
end

.bit_fields {|bitfield| ... } ⇒ Object

The range of bit-fields.

Yields:

• (bitfield) —

  The given block will be passed each bit-field.

Yield Parameters:

• bitfield (String) —

  A bit-field (8bit - 64bit).

# File 'lib/ronin/fuzzing.rb', line 181

def bit_fields(&block)
  ("\x00".."\xff").each do |c|
    yield c
    yield c << c # x2
    yield c << c # x4
    yield c << c # x8
  end
end

.format_strings {|fmt_string| ... } ⇒ Object

Various format-strings.

Yields:

• (fmt_string) —

  The given block will be passed each format-string.

Yield Parameters:

• fmt_string (String) —

  A format-string containing format operators (see FORMAT_STRINGS).

# File 'lib/ronin/fuzzing.rb', line 133

def format_strings(&block)
  FORMAT_STRINGS.each do |fmt|
    yield fmt
    yield fmt * 100
    yield fmt * 500
    yield "\"#{fmt}\"" * 500
  end
end

.int16 {|int| ... } ⇒ Object

The range of signed 16bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A signed 16bit integer.

# File 'lib/ronin/fuzzing.rb', line 282

def int16
  int8 { |c| yield c * 2 }
end

.int32 {|int| ... } ⇒ Object

The range of signed 32bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A signed 32bit integer.

# File 'lib/ronin/fuzzing.rb', line 295

def int32
  int8 { |c| yield c * 4 }
end

.int64 {|int| ... } ⇒ Object

The range of signed 64bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A signed 64bit integer.

# File 'lib/ronin/fuzzing.rb', line 308

def int64
  int8 { |c| yield c * 8 }
end

.int8 {|int| ... } ⇒ Object

The range of signed 8bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A signed 8bit integer.

# File 'lib/ronin/fuzzing.rb', line 269

def int8(&block)
  ("\x00".."\x70").each(&block)
end

.signed_bit_fields {|bitfield| ... } ⇒ Object

The range of signed bit-fields.

Yields:

• (bitfield) —

  The given block will be passed each bit-field.

Yield Parameters:

• bitfield (String) —

  A signed bit-field (8bit - 64bit).

# File 'lib/ronin/fuzzing.rb', line 199

def signed_bit_fields(&block)
  ("\x80".."\xff").each do |c|
    yield c
    yield c << c # x2
    yield c << c # x4
    yield c << c # x8
  end
end

.sint16 {|int| ... } ⇒ Object

The range of negative-signed 16bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A negative-signed 16bit integer.

# File 'lib/ronin/fuzzing.rb', line 334

def sint16
  sint8 { |c| yield c * 2 }
end

.sint32 {|int| ... } ⇒ Object

The range of negative-signed 32bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A negative-signed 32bit integer.

# File 'lib/ronin/fuzzing.rb', line 347

def sint32
  sint8 { |c| yield c * 4 }
end

.sint64 {|int| ... } ⇒ Object

The range of negative-signed 64bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A negative-signed 64bit integer.

# File 'lib/ronin/fuzzing.rb', line 360

def sint64
  sint8 { |c| yield c * 8 }
end

.sint8 {|int| ... } ⇒ Object

The range of negative-signed 8bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A negative-signed 8bit integer.

# File 'lib/ronin/fuzzing.rb', line 321

def sint8(&block)
  ("\x80".."\xff").each(&block)
end

.uint16 {|int| ... } ⇒ Object

The range of unsigned 16bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A unsigned 16bit integer.

# File 'lib/ronin/fuzzing.rb', line 230

def uint16
  uint8 { |c| yield c * 2 }
end

.uint32 {|int| ... } ⇒ Object

The range of unsigned 32bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A unsigned 32bit integer.

# File 'lib/ronin/fuzzing.rb', line 243

def uint32
  uint8 { |c| yield c * 4 }
end

.uint64 {|int| ... } ⇒ Object

The range of unsigned 64bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A unsigned 64bit integer.

# File 'lib/ronin/fuzzing.rb', line 256

def uint64
  uint8 { |c| yield c * 8 }
end

.uint8 {|int| ... } ⇒ Object

The range of unsigned 8bit integers.

Yields:

• (int) —

  The given block will be passed each integer.

Yield Parameters:

• int (String) —

  A unsigned 8bit integer.

# File 'lib/ronin/fuzzing.rb', line 217

def uint8(&block)
  ("\x00".."\xff").each(&block)
end