Get current value of test case prior to submission. #619

ninp0 · 2022-04-06T21:00:10Z

ninp0
Apr 6, 2022

I can't for the life of me, determine how this is done...consider the following block for fuzzing empd:

  s_initialize(name='epmd_request') 
  with s_block('epmd-request-line'):
    # BEGINNING BYTE
    s_byte(0x00, name='request_begin', fuzzable=False)
    
    # REQUEST BODY LEN BYTE
    s_byte(0x01, name='request_len', fuzzable=True, full_range=True)
    # TODO: get current length of line above
    # this_request_len = int.from_bytes(request_len???, 'big')
    
    # REQUEST CMD BYTE
    s_byte(0x6E, name='request_cmd', fuzzable=True)

    # TODO: pass this_request_len into request_body
    # s_bytes(size=this_request_len, name='request_body', fuzzable=True)
    # INSTEAD OF:
    s_bytes(size=217, name='request_body', fuzzable=True)

    # CLOSING BYTE
    s_byte(0x00, name='request_end', fuzzable=False)

  session.connect(s_get('epmd_request'))
  session.fuzz()

I need to get the current byte value of, 'request_len' for each test step / fuzz mutation request and convert it to an int, (i.e. int.from_bytes()) prior to sending the request. The issue I'm running into is deriving the current value of:

s_byte(0x01, name='request_len', fuzzable=True, full_range=True)

so that I can calculate its integer value and pass it as a size constraint to request_body:

s_bytes(size=this_request_len, name='request_body', fuzzable=True)

How would I go about extracting out the current fuzz payload from the s_byte named request_len so that I can populate its integer value as a value to the size parameter? Thank you for any help in advance...much appreciated!

Answered by cq674350529

Apr 7, 2022

It seems that it's not possible to get the mutated value of request_len in this initial stage.

If I understand you correctly, maybe you can choose another way: mutate the request_body, then set the request_len based on the length of request_body. In this case, it's similar to the content-length field used in HTTP POST request, where s_size() can be used.

View full answer

cq674350529 · 2022-04-07T01:56:38Z

cq674350529
Apr 7, 2022

It seems that it's not possible to get the mutated value of request_len in this initial stage.

If I understand you correctly, maybe you can choose another way: mutate the request_body, then set the request_len based on the length of request_body. In this case, it's similar to the content-length field used in HTTP POST request, where s_size() can be used.

0 replies

ninp0 · 2022-04-07T17:37:37Z

ninp0
Apr 7, 2022
Author

That worked! More specifically:

s_size('request_body', name='request_len', output_format='binary', length=1, endian='>')

Thank you, @cq674350529 !

0 replies

ninp0 · 2022-04-11T18:31:35Z

ninp0
Apr 11, 2022
Author

fwiw, here's the epmd fuzzer in its entirety: https://gist.github.com/ninp0/f8d1e37b5c72fb127b92141698159532

Thanks again!

0 replies

cq674350529 · 2022-04-12T01:38:35Z

cq674350529
Apr 12, 2022

Cool, thanks for sharing!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Get current value of test case prior to submission. #619

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Get current value of test case prior to submission. #619

ninp0 Apr 6, 2022

Replies: 4 comments

cq674350529 Apr 7, 2022

ninp0 Apr 7, 2022 Author

ninp0 Apr 11, 2022 Author

cq674350529 Apr 12, 2022

ninp0
Apr 6, 2022

cq674350529
Apr 7, 2022

ninp0
Apr 7, 2022
Author

ninp0
Apr 11, 2022
Author

cq674350529
Apr 12, 2022