TypeError: can't concat int to bytes when mutating with layer 2 structure

Question

TypeError: can't concat int to bytes when mutating with layer 2 structure

Tresvian opened this issue 3 years ago · comments

I'm attempting to make a layer 2 fuzzer for a broadcast protocol, and am running into an issue with "can't concat int to bytes" on spinning up the prototype script.

asdf@ubuntu:~/fuzzer$ sudo python3 ./l2_prototype.py ens2
[2021-11-08 10:37:06,149]     Info: Web interface can be found at http://localhost:26000
[2021-11-08 10:37:06,150] Test Case: 1: AA:[AA.AA.DD.EE/PID:0]
[2021-11-08 10:37:06,150]     Info: Type: DWord
[2021-11-08 10:37:06,150]     Info: Opening target connection (ens2, type 0x0000)...
[2021-11-08 10:37:06,150]     Info: Connection opened.
[2021-11-08 10:37:06,150]   Test Step: Monitor CallbackMonitor#140737306343648[pre=[],post=[],restart=[],post_start_target=[]].pre_send()
[2021-11-08 10:37:06,150]   Test Step: Fuzzing Node 'AA'
[2021-11-08 10:37:06,158]     Error!!!! Unexpected exception! Traceback (most recent call last):
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/sessions.py", line 1388, in _main_fuzz_loop
                                  self._fuzz_current_case(mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/sessions.py", line 1754, in _fuzz_current_case
                                  self.transmit_fuzz(
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/sessions.py", line 1166, in transmit_fuzz
                                  data = self.fuzz_node.render(mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/blocks/request.py", line 130, in render
                                  return self.get_child_data(mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/fuzzable_block.py", line 71, in get_child_data
                                  rendered += item.render(mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/fuzzable.py", line 154, in render
                                  return self.encode(value=self.get_value(mutation_context=mutation_context), mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/blocks/block.py", line 114, in encode
                                  child_data = super(Block, self).get_child_data(mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/fuzzable_block.py", line 71, in get_child_data
                                  rendered += item.render(mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/fuzzable.py", line 154, in render
                                  return self.encode(value=self.get_value(mutation_context=mutation_context), mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/blocks/block.py", line 114, in encode
                                  child_data = super(Block, self).get_child_data(mutation_context=mutation_context)
                                File "/usr/local/lib/python3.8/dist-packages/boofuzz-0.4.0-py3.8.egg/boofuzz/fuzzable_block.py", line 71, in get_child_data
                                  rendered += item.render(mutation_context=mutation_context)
                              TypeError: can't concat int to bytes

Sorry I can't give the actual structure, but it's a combination of about 6 Byte, 6 DWord, 4 Block, and a single Repeat.
It's being run with this simple setup:

    interf=sys.argv[1]
    sess = boofuzz.Session(
        target=boofuzz.Target(
            connection=boofuzz.RawL2SocketConnection(interface=interf)
        )
    )
    req = boofuzz.Request("AA_fuzzer", children=(
        AA_struct
    ))
    sess.connect(req)
    sess.fuzz()

Veerce · Answer 1 · Tue Nov 09 2021 04:26:16 GMT+0800 (China Standard Time)

Found out the issue - I was using an int instead of bytes.
boofuzz.Bytes("MySpecialBlock", size=3, default_value=0x0000CC, fuzzable=False)
Is accepted but breaks.

boofuzz.Bytes("MySpecialBlock", size=3, default_value=b'\x00\x00\xCC', fuzzable=False)
No issues.

Maybe a type assertion would be preferable?

Maximilian Lindner · Answer 2 · Wed Nov 10 2021 05:39:43 GMT+0800 (China Standard Time)

Thanks for sharing your problem + solution @Tresvian!

A type assertion would indeed be helpful here, we also have them for other primitives if I remember correctly.
Feel free to open a PR!

Joshua Pereyda · Answer 3 · Sun Dec 05 2021 08:14:30 GMT+0800 (China Standard Time)

Thanks @Tresvian for the report and @SR4ven for the type check idea.

In this case, we could also make the code accept an integer. One tiny complication is that there would have to be an implied endianness, and then we'd probably want an argument to choose endianness too. 🤷‍♂️ Not a big priority; just a thought if someone has an appetite to do it.