ruckus 0.5.4

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,22 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+*.gem
+
+## PROJECT::SPECIFIC

data/README.markdown

@@ -0,0 +1,51 @@
+*Under construction: we're in the process of extracting this from our toolshed
+repository; please pardon the flaws.*
+
+# Ruckus: A DOM-Inspired Ruby Smart Fuzzer
+
+Ruckus is a:
+
+### Fuzzer
+
+A tool used in security testing to generate pathological inputs for 
+target code. Two common use cases:
+
+*	Generating malicious protocol messages to attack network
+	software
+
+*	Creating malicious files in specific file formats to feed
+	to target programs
+
+### Smart Fuzzer
+
+I'm stealing [Mike Eddington's](http://peachfuzzer.com/) term; 
+Smart Fuzzers distinguish themselves from "just plain fuzzers" 
+by being aware of the data format they're being used to test. In
+both Eddington's Peach Fuzzer and Ruckus, you accomplish that by
+defining data models (structures) to describe protocols and file
+formats.
+
+### Ruby
+
+Peach Fuzzer is written in Python. So is Sully, Pedram Amini's
+fuzzer. SPIKE is written in C. Ruckus is Ruby's answer, and it
+tries to play to Ruby's strengths:
+
+*	It's much more DSL-y than Peach Fuzzer or Sully
+
+*	Unlike XML-bound Peach Fuzzer, it's "configuration files"
+	are code
+
+*	You don't really need to know Ruby to write those files
+
+Long term I'm hoping Ruckus bears the same relationship to Ruby as
+Expect did to Tcl.
+
+### DOM-Inspired
+
+Ruckus separates metadata and actual content, and structures packets
+and file formats as trees of nodes, each with classes and (when desired)
+DOM-style id's (we call them "tags"). Ruckus data can be manipulated 
+with tree traversal and "mutated" with cascading style sheet selector-type
+logic.
+

data/Rakefile

@@ -0,0 +1,54 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "ruckus"
+    gem.summary = %Q{A DOM-Inspired Ruby Smart Fuzzer}
+    gem.description = %Q{Ruckus: A DOM-Inspired Ruby Smart Fuzzer}
+    gem.email = "td@matasano.com"
+    gem.homepage = "http://github.com/tduehr/ruckus"
+    gem.authors = ["tduehr", "tqbf"]
+    gem.add_development_dependency "jeweler", ">= 0"
+    gem.rdoc_options = ["--inline-source", "--line-numbers", "--main", "README.markdown"]
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "ruckus #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.5.4

data/lib/ruckus.rb

@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+
+# == Introduction
+# This is yet another binary formatter for Ruby; compare to bindata,
+# bitstruct, or pack/unpack.
+#
+# Read in this order:
+# * Parsel
+# * Number
+# * Str
+# * Blob
+# * Structure
+
+module Ruckus
+
+  # :stopdoc:
+  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
+  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
+  # :startdoc:
+  # Returns the version string for the library.
+  #
+  def self.version
+    VERSION
+  end
+
+  # Returns the library path for the module. If any arguments are given,
+  # they will be joined to the end of the libray path using
+  # <tt>File.join</tt>.
+  #
+  def self.libpath( *args )
+    args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten)
+  end
+
+  # Returns the lpath for the module. If any arguments are given,
+  # they will be joined to the end of the path using
+  # <tt>File.join</tt>.
+  #
+  def self.path( *args )
+    args.empty? ? PATH : ::File.join(PATH, args.flatten)
+  end
+
+  # Utility method used to require all files ending in .rb that lie in the
+  # directory below this file that has the same name as the filename passed
+  # in. Optionally, a specific _directory_ name can be passed in such that
+  # the _filename_ does not have to be equivalent to the directory.
+  #
+  def self.require_all_libs_relative_to( fname, dir = nil )
+    dir ||= ::File.basename(fname, '.*')
+    search_me = ::File.expand_path(
+        ::File.join(::File.dirname(fname), dir, '**', '*.rb'))
+    extensions = ::File.expand_path(::File.join(::File.dirname(fname),dir,'extensions','**','*.rb'))
+    spath = ::File.expand_path(::File.join(::File.dirname(fname), dir))
+    Dir.glob(extensions).each{|rb| require rb}
+    require ::File.join(spath, 'parsel.rb')
+    require ::File.join(spath, 'number.rb')
+    require ::File.join(spath, 'str.rb')
+    require ::File.join(spath, 'structure.rb')
+    Dir.glob(search_me).reject{|rb| rb =~ /human_display\.rb/}.each {|rb| require rb}
+    require ::File.join(spath, 'human_display.rb')
+  end
+end
+
+Ruckus.require_all_libs_relative_to(__FILE__)
+
+# require 'extensions/extensions'
+# 
+# %w[ parsel number ip str choice null blob filter structure dictionary
+#     mutator vector mac_addr enum time_t selector dfuzz ].each do |f|
+#     require 'ruckus/' + f
+# end

data/lib/ruckus/blob.rb

@@ -0,0 +1,113 @@
+# === Blobs are collections of Parsels.
+
+module Ruckus
+    # A Blob wraps an array. Everything within the array is rendered
+    # sequentially, returning a single string. Blob rendering is effectively
+    # preorder tree traversal (Blobs can contain any Parsel, including other
+    # Blobs)
+    class Blob < Parsel
+        # No special options needed.
+        #
+        def initialize(opts={})
+            @value = Array.new
+            (opts[:populate]||[]).each do |k|
+                self << k.new
+            end
+            super(opts)
+        end
+
+        # This is the only
+        # way you should add elements to a Blob for now.
+        #
+        def <<(v)
+            @value << v
+            v.parent = self
+        end
+
+        # How many elements are in the blob? (<tt>size</tt> returns
+        # the rendered size)
+        #
+        def count; @value.size; end
+
+        # Assign a value to an element of a blob, so if you assign
+        # blob[1] = 1, it works as expected.
+        #
+        def []=(k, v)
+            return @value[k].value = v if not v.kind_of? Parsel
+            @value[k] = v
+        end
+
+        # Where is <tt>o</tt> in this blob? (Pretty sure you could
+        # just use <tt>index</tt> for this, but whatever)
+        #
+        def place(o)
+            @value.each_with_index do |it, i|
+                if o == it
+                    return i
+                end
+            end
+            nil
+        end
+
+        # As with Parsel; this will recurse through any embedded
+        # blobs.
+        #
+        def capture(str)
+            @value.each_with_index do |it, i|
+                begin
+                    str ||= "" # XXX bug
+
+                    # you don't always know the type of object
+                    # you want to instantiate at compile time;
+                    # it can depend on the contents of a packet.
+                    # when it does, there's a flag set that enables
+                    # a "factory" method which does the parse.
+                    #
+                    # the downside of this is once a blob has
+                    # been parsed with a factory, its definition
+                    # changes; that same blob can't be reused
+                    # to parse another packet. So, just don't
+                    # do that.
+
+                    if it.class.factory?
+                        @value[i], str = it.class.factory(str)
+                    else
+                        str = it.capture(str)
+                    end
+                rescue IncompleteCapture
+                    err = "at item #{ i }"
+                    err << " named \"#{ it.name }\"" if it.name
+                    err << " in struct \"#{ it.parent_struct.name }\"" if it.parent_struct
+
+                    raise IncompleteCapture.new(err) if not str or str.empty?
+                end
+            end
+            str
+        end
+
+        # How big in bytes is this blob and everything it contains?
+        # An empty blob has size 0
+        #
+        def size
+            @value.inject(0) {|acc, it| acc + it.size}
+        end
+
+        # Render the blob, or return "" if it's empty.
+        #
+        def to_s(off=nil)
+            @rendered_offset = off || 0
+            voff = @rendered_offset
+            r = ""
+            @value.each do |it|
+                s, voff = it.to_s(voff)
+                r << s
+            end
+
+            if off
+                return r, voff
+            else
+                return r
+            end
+        end
+    end
+end

data/lib/ruckus/choice.rb

@@ -0,0 +1,55 @@
+# === Choices pick binary structures at runtime
+
+module Ruckus
+
+    # A choice wraps a blob, and, on input, picks what to put in the blob
+    # based on a code block. Use choices to dispatch protocol responses
+    # based on type codes, etc.
+    #
+    class Choice < Parsel
+
+        # You must call Choice.new with a block that takes two
+        # arguments --- an input string and a reference to the
+        # choice instance. For instance:
+        #
+        #   data << Choice.new do |buf, this|
+        #            if this.parent_struct.message_code == Codes::ERROR
+        #                this << ErrorFrame.new
+        #            else
+        #                this << ResponseFrame.new
+        #            end
+        #            this[-1].capture(buf)
+        #        end
+        #
+        def initialize(opts={}, &block)
+            @parent = opts[:parent]
+            raise "provide a block" if not block_given? and not opts[:block] and not respond_to? :choose
+            if not opts[:block] and not block_given?
+                opts[:block] = lambda {|x, y| self.choose(x)}
+            end
+            super(opts)
+            @block ||= block
+            @value = Blob.new
+            @value.parent = self
+        end
+
+        # Just render the blob
+        #
+        def to_s(off=nil)
+            @rendered_offset = off || 0
+            (@value)? @value.to_s(off) : ""
+        end
+
+        # Call the block, which must return the remainder string.
+        #
+        def capture(str)
+            block.call(str, self)
+        end
+
+        def <<(o)
+            @value << o
+            o.parent = self
+        end
+    end
+end
+

data/lib/ruckus/dfuzz.rb

@@ -0,0 +1,231 @@
+#!/usr/bin/env ruby
+#
+# = fuzz.rb
+#
+# Fuzz Generators
+#
+# Ruby 1.8 Generators use continuations (which are slow) and leak
+# memory like crazy, so use generators.rb from Ruby 1.9.
+#
+# Author:: Dai Zovi, Dino <ddz@theta44.org>
+# License:: Private
+# Revision:: $Id$
+#
+
+require 'generator'
+
+module DFuzz
+    # Generate Xi-F...Xi+F for each Xi in boundaries and fudge_factor F
+    class Fudge < Generator
+        def initialize(boundaries, fudge_factor, mask = nil)
+            super() { |g|
+                boundaries.each {|b|
+                    0.upto(fudge_factor) { |f|
+                        if (mask)
+                            g.yield((b+f) & mask)
+                            g.yield((b-f) & mask)
+                        else
+                            g.yield b+f
+                            g.yield b-f
+                        end
+                    }
+                }
+            }
+        end
+    end
+
+    # Serially generate each variable in turn (equivalent to
+    # recursively nesting generators)
+    class Block
+        def initialize(defaults, generators)
+            @defaults = defaults
+            @generators = generators
+        end
+
+        def run(&block)
+            generators_index = 0
+
+            # Baseline
+            block.call(@defaults)
+
+            # Iterate through generators, fully exhausting each and
+            # calling the code block with each set of values
+            @generators.each { |g|
+                values = Array.new(@defaults)
+                while (g.next?)
+                    values[generators_index] = g.next
+                    block.call(values)
+                end
+                generators_index += 1;
+            }
+        end
+    end
+
+    class Integer < Fudge
+        def initialize(delta = 128)
+            super([0, 0x7FFF, 0xFFFF, 0x7FFFFFFF,
+                   0x7FFFFFFFFFFFFFFF], delta)
+        end
+    end
+
+    class Byte < Fudge
+        def initialize(delta = 16)
+            super([0x00, 0x01, 0x7F, 0xFF], delta, 0xFF)
+        end
+    end
+
+    class Short < Fudge
+        def initialize(delta = 128)
+            super([0x0000, 0x0001, 0x7FFF, 0xFFFF], delta, 0xFFFF)
+        end
+    end
+
+    class Long < Fudge
+        def initialize(delta = 256)
+            super([0x00000000, 0x0000001, 0x7FFFFFFF, 0xFFFFFFFF, 0x40000000, 0xC0000000], delta, 0xffffffff)
+        end
+    end
+
+    class Char < Generator
+        def initialize()
+            c = ["A", "0", "~", "`", "!", "@", "#", "$", "%", "^", "&",
+                 "*", "(", ")", "-", "=", "+", "[", "]", "\\", "|", ";",
+                 ":", "'", "\"", ",", "<", ".", ">", "/", "?",
+         " ", "~", "_", "{", "}", "\x7f","\x00","\x01",
+         "\x02","\x03","\x04","\x05", "\x06","\x07","\x08","\x09",
+         "\x0a","\x0b","\x0c","\x0d", "\x0e","\x0f","\x10","\x11",
+         "\x12","\x13","\x14","\x15", "\x16","\x17","\x18","\x19",
+         "\x1a","\x1b","\x1c","\x1d", "\x1e","\x1f",
+         "\x80","\x81","\x82","\x83","\x84","\x85","\x86","\x87",
+         "\x88","\x89","\x8a","\x8b","\x8c","\x8d","\x8e","\x8f",
+         "\x90","\x91","\x92","\x93","\x94","\x95","\x96","\x97",
+         "\x98","\x99","\x9a","\x9b","\x9c","\x9d","\x9e","\x9f",
+         "\xa0","\xa1","\xa2","\xa3","\xa4","\xa5","\xa6","\xa7",
+         "\xa8","\xa9","\xaa","\xab","\xac","\xad","\xae","\xaf",
+         "\xb0","\xb1","\xb2","\xb3","\xb4","\xb5","\xb6","\xb7",
+         "\xb8","\xb9","\xba","\xbb","\xbc","\xbd","\xbe","\xbf",
+         "\xc0","\xc1","\xc2","\xc3","\xc4","\xc5","\xc6","\xc7",
+         "\xc8","\xc9","\xca","\xcb","\xcc","\xcd","\xce","\xcf",
+         "\xd0","\xd1","\xd2","\xd3","\xd4","\xd5","\xd6","\xd7",
+         "\xd8","\xd9","\xda","\xdb","\xdc","\xdd","\xde","\xdf",
+         "\xe0","\xe1","\xe2","\xe3","\xe4","\xe5","\xe6","\xe7",
+         "\xe8","\xe9","\xea","\xeb","\xec","\xed","\xee","\xef",
+         "\xf0","\xf1","\xf2","\xf3","\xf4","\xf5","\xf6","\xf7",
+         "\xf8","\xf9","\xfa","\xfb","\xfc","\xfd","\xfe","\xff", ]
+            super(c)
+        end
+    end
+
+    class String < Generator
+        def initialize(lengths=nil)
+            super() { |g|
+                # Fuzz strings are each of CHARS repeated each of
+                # LENGTHS times and each of strings
+                lengths ||= [16, 32, 64, 100, 128, 192, 256, 384, 512, 768, 1024, 2048, 3072, 4096, 6000, 8192, 10000, 16000, 20000, 32000, 50000, 64000, 72000,  100000]
+                strings = [
+                    "%n%n%n%n%n%n%n%n%n%n", "%252n%252n%252n%252n%252n",
+                    "%x%x%x%x", "%252x%252x%252x%252x",
+                    "../../../../../../../../../../../../../etc/passwd",
+                    "../../../../../../../../../../../../../etc/passwd%00",
+                    "../../../../../../../../../../../../../boot.ini",
+                    "../../../../../../../../../../../../../boot.ini%00",
+                    "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini",
+                    "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini%00",
+                    "<script>alert('XSS');</script>",
+                    "A0`~!@#\$\%^&*()-_=+[]{}\\|;:',.<>/?\""
+                ]
+                chars = Char.new()
+                while chars.next?
+                    c = chars.next
+
+                    lengths.each { |l|
+                        g.yield(c * l)
+                    }
+                end
+
+                strings.each { |s|
+                    g.yield(s)
+                }
+            }
+        end
+    end
+
+    #
+    # Modules for higher-level tokens (e-mail addresses, asn1, etc)
+    #
+    class EmailAddress < Generator
+        def initialize()
+        end
+    end
+
+end
+
+####
+# Unit test
+####
+
+if $0 == __FILE__
+    puts "Testing integers..."
+    i = 0
+    integers = Fuzz::Integer.new()
+    while integers.next?
+        integers.next
+        i += 1
+    end
+    puts "=> #{i} items"
+
+    puts "Testing bytes..."
+    i = 0
+    bytes = Fuzz::Byte.new()
+    while bytes.next?
+        bytes.next
+        i += 1
+    end
+    puts "=> #{i} items"
+
+    puts "Testing shorts"
+    i = 0
+    shorts = Fuzz::Short.new()
+    while shorts.next?
+        shorts.next
+        i += 1
+    end
+    puts "=> #{i} items"
+
+    puts "Testing longs"
+    i = 0
+    longs = Fuzz::Long.new()
+    while longs.next?
+        longs.next
+        i += 1
+    end
+    puts "=> #{i} items"
+
+    puts "Testing characters"
+    i = 0
+    characters = Fuzz::Char.new()
+    while characters.next?
+        characters.next
+        i += 1
+    end
+    puts "=> #{i} items"
+
+    puts "Testing strings"
+    i = 0
+    strings = Fuzz::String.new()
+    while strings.next?
+        strings.next
+        i += 1
+    end
+    puts "=> #{i} items"
+
+    puts "Testing Block"
+    b = Fuzz::Block.new(["FOO", "BAR"],
+                        [Fuzz::String.new(), Fuzz::String.new()])
+    i = 0
+    b.run() { |a, b|
+        i += 1
+    }
+    puts "=> #{i} items"
+
+end