How to dynamically calculate a length/size field based on payload size?

[psparc82]

Hi,

I'm trying to fuzz a protocol that includes the total length of the payload as part of each request. The payload body has variable length fields that I am fuzzing but I can't figure out how to calculate the total length of a fuzzed packet and have that value sent as part of the fuzzed packet.

For example, if boofuzz tried to send the packet \x01\x02\x03\x04\x05 then the payload length would be 5 and needs to be placed at a specific offset in the payload. Things get difficult when variable length fields are fuzzed and the payload length needs to be dynamically generated depending on how large boofuzz made the payload.

Any ideas? It may be something to do with the Size or Checksum blocks but I haven't managed to get them working! Thanks

[SR4ven]

Hi @psparc82,
check out this example with a size block:

boofuzz/examples/http_with_body.py

Line 28 in f6396b0

s_size("Body-Content", output_format="ascii", name="Content-Length-Value")

It's still using the old static way of defining the protocol with the s_ notation, but the same is achievable with the new protocol definition style.

[psparc82]

Thank you @SR4ven! I still think I'm missing something. Here's the code I'm testing and the output I'm seeing:

  req = Request("req", children=(
      Static(name="major_version", default_value=b"\x01"),
      Static(name="minor_version", default_value=b"\x02"),
      RandomData(name="seq_number", default_value=b"\x12\x34", min_length=2, max_length=2, fuzzable=True),
      # size of the payload (major_version + minor_version + seq_number + length + command_length + command)
      Size(name="length", inclusive=True, fuzzable=False, length=2), # will be fuzzable at some point
      # length of the command string
      Size(name="command_length", length=2, fuzzable=False), # will be fuzzable at some point
      String(name="command", default_value=b"help", fuzzable=False) # will be fuzzable at some point
  ))

The length block should be the length/size in bytes of the whole payload including the length itself (major_version + minor_version + seq_number + length + command_length + command) and the command_length should be the length of the command block (this is intended to be fuzzed so isn't always static).

Now, an example of boofuzz output I am seeing is this:

01 02 c8 8d 02 00 00 00 68 65 6c 70

major_version = 0x1
minor_version = 0x2
seq_number = 0xc88d
length = 0x0200  // should be 0x000c (12)
command_length = 0x0000  // should be 0x0004 (4)
command = 0x68656c70

It feels like I'm missing a way of linking the Size blocks to what I want them to be the size of. Do you know how I can achieve this?

Thanks again

[SR4ven]

I think I was able to get the expected behaviour with the following code:

req = Request("req", children=(
    Static(name="major_version", default_value=b"\x01"),
    Static(name="minor_version", default_value=b"\x02"),
    RandomData(name="seq_number", default_value=b"\x12\x34", min_length=2, max_length=2, fuzzable=True),
    # size of the payload (major_version + minor_version + seq_number + length + command_length + command)
    Size(name="length", block_name="req", inclusive=False, fuzzable=False, length=2),  # will be fuzzable at some point
    # length of the command string
    Size(name="command_length", block_name="command", length=2, fuzzable=False),  # will be fuzzable at some point
    String(name="command", default_value="help", fuzzable=False)  # will be fuzzable at some point
))

You have to pass Size a block_name of the block you want to calculate the size of.
Also inclusive has to be False in this case, as Size is part of the block itself.