Boofuzz Introduction – Installation and Basic Usage

I started using Boofuzz during my OSCE work, and I wanted to share how simple it is.

Boofuzz – Introduction

First, Boofuzz is a fork and successor to the Sulley framework. I’ve used Sulley off and on since my GXPN, but it definitely isn’t the easiest to deal with.

I’ll be using Boofuzz for my vulnserver series first, but hopefully I can find some real 0-days with it soon!

You can check out the GitHub repository or documentation for Boofuzz if you want to just jump right in!

Installation

First of all, the installation is incredibly easy, since it's available through pip!

root@kali:~/OSCE# pip install boofuzz
Collecting boofuzz
  Downloading https://files.pythonhosted.org/packages/50/fd/e70bfd0f079fe437ea98b2e077b1d6eda44fa990ea5368de179e44efa7ec/boofuzz-0.1.2-py2-none-any.whl (109kB)
    100% |████████████████████████████████| 112kB 1.3MB/s
Requirement already satisfied: attrs in /usr/lib/python2.7/dist-packages (from boofuzz)
Requirement already satisfied: Flask~=1.0 in /usr/lib/python2.7/dist-packages (from boofuzz)
Collecting psutil (from boofuzz)

...

    Not uninstalling tornado at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed boofuzz-0.1.2 psutil-5.4.8 pydot-1.4.0 tornado-4.5.3

Usage

Usage is fairly straightforward, but you can always check out the quick start (???) documentation for more info.

For example, if you were trying to discover a vulnerability in a TFTP server, then you could start with the following script.

#!/usr/bin/env python

from boofuzz import *

def main():
    # One Session per fuzzing run. The Target wraps the transport: TFTP is
    # UDP/69, so there is no handshake to maintain between cases. sleep_time
    # pauses between test cases so a slow target is not simply flooded.
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.98.147", 69, proto='udp')),
        sleep_time=3)

    # Request layout from RFC 1350: 2-byte opcode, filename, NUL, mode, NUL.
    # s_binary() parses the hex pairs into a static (never mutated) block;
    # s_string(..., fuzzable=True) marks a field Boofuzz will substitute.
    s_initialize("Request")
    s_binary("0002")                          # opcode 2 = WRQ (write request)
    s_string("filename.txt", fuzzable=True)   # filename field, mutated
    s_binary("00")                            # NUL terminator, static
    s_string("netascii", fuzzable=True)       # transfer mode field, mutated
    s_binary("00")                            # NUL terminator, static

    # Attach the request to the session graph and start iterating test cases.
    session.connect(s_get("Request"))
    session.fuzz()

if __name__ == "__main__":
    main()

As you can see, this Python script opens a new UDP session to the target on port 69, sends a basic TFTP write request (opcode 2), and fuzzes the filename and mode fields while leaving the opcode and NUL separators static. For more info about the TFTP protocol, you can consult RFC 1350.
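The request layout just described, as an added example that is not part of the original post and is not Boofuzz code: a strict RFC 1350 request builder and parser in plain Python, plus a constructed handful of filename mutations in the style Boofuzz substitutes for a fuzzable string. It shows why the fuzzer's first two cases look the way they do on the wire (an empty filename, then a 5000-byte run with embedded NULs) and which of them a parser that honours the NUL framing would reject rather than silently truncate. The function names and the sample mutation list are this example's own, not Boofuzz's mutation library.

```python
#!/usr/bin/env python3
"""
Frame and parse TFTP read/write requests (RFC 1350), the packet the Boofuzz
script mutates: 2-byte big-endian opcode, filename, NUL, mode, NUL.
The mutation list below is constructed for this example; Boofuzz ships its
own, much larger, string library.
"""
import struct

RRQ, WRQ = 1, 2
OPCODE_NAMES = {RRQ: "RRQ", WRQ: "WRQ"}
VALID_MODES = {b"netascii", b"octet", b"mail"}   # case-insensitive per RFC 1350


def build_request(opcode, filename, mode=b"netascii"):
    """Serialise a request exactly as the fuzz script's static/fuzzable blocks lay it out."""
    if opcode not in OPCODE_NAMES:
        raise ValueError("opcode %d is not RRQ/WRQ" % opcode)
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def parse_request(data):
    """Strictly parse a request; raise ValueError on any framing violation.

    Returns (opcode, filename, mode). A lenient parser that stops at the first
    NUL (strcpy/strtok style) would quietly accept most of the malformed cases a
    fuzzer produces; this one rejects them and says why.
    """
    # opcode + 1-char filename + NUL + 1-char mode + NUL is the shortest legal request
    if len(data) < 6:
        raise ValueError("too short (%d bytes)" % len(data))
    (opcode,) = struct.unpack("!H", data[:2])
    if opcode not in OPCODE_NAMES:
        raise ValueError("opcode %d is not RRQ/WRQ" % opcode)
    if not data.endswith(b"\x00"):
        raise ValueError("request must end with NUL")
    # Drop the trailing NUL, then split on the separator: exactly two fields expected.
    fields = data[2:-1].split(b"\x00")
    if len(fields) != 2:
        raise ValueError("expected filename NUL mode NUL, got %d NUL-separated fields"
                         % len(fields))
    filename, mode = fields
    if not filename:
        raise ValueError("empty filename")
    if mode.lower() not in VALID_MODES:
        raise ValueError("unknown mode %r" % mode)
    return opcode, filename, mode


# Constructed sample of the kind of string mutations a fuzzer substitutes for the
# fuzzable "filename" field (not Boofuzz's actual library).
SAMPLE_FILENAME_MUTATIONS = [
    b"",                                   # empty string: 12 bytes on the wire
    b"filename.txt",                       # the default value, well-formed
    b"/.:/" + b"A" * 5000 + b"\x00\x00",   # long run plus embedded NULs: 5018 bytes
    b"../" * 20 + b"etc/passwd",           # traversal: well-formed framing, bad for the server
    b"%n%n%n%n",                           # format string: also well-formed framing
]


def classify_mutations(mutations, opcode=WRQ, mode=b"netascii"):
    """Frame each mutation as the fuzz script would and report whether a strict parser accepts it.

    Returns a list of (wire_length, verdict) where verdict is "accepted" or "rejected: <reason>".
    """
    results = []
    for m in mutations:
        packet = build_request(opcode, m, mode)
        try:
            parse_request(packet)
            results.append((len(packet), "accepted"))
        except ValueError as exc:
            results.append((len(packet), "rejected: " + str(exc)))
    return results


if __name__ == "__main__":
    for m, (size, verdict) in zip(SAMPLE_FILENAME_MUTATIONS,
                                  classify_mutations(SAMPLE_FILENAME_MUTATIONS)):
        print("%5d bytes  filename=%-22r  %s" % (size, m[:16], verdict))
```

Note that the two cases a strict parser rejects are exactly the ones that are interesting to a C implementation: an empty filename can turn into an off-by-one on the field length, and a 5006-byte field with NULs inside it means a server that copies up to the first NUL and a server that trusts the packet length disagree about where the mode starts. The traversal and format-string cases pass framing checks, so those are bugs in how the filename is used, not in how the packet is parsed, and a fuzzer without process monitoring will not notice them unless the server crashes.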

Once execution starts, Boofuzz will output the test case that it is on, the connection information, what field it is fuzzing, and what information the fuzzer is sending.

root@kali:~/OSCE# python tftp_boofuzz.py
[2018-12-03 14:36:23,609] Test Case: 1: Request.no-name.1
[2018-12-03 14:36:23,610]     Info: Type: String. Default value: 'filename.txt'. Case 1 of 2882 overall.
[2018-12-03 14:36:23,611]     Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:23,613]     Info: Connection opened.
[2018-12-03 14:36:23,614]   Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:23,615]     Transmitting 12 bytes: 00 02 00 6e 65 74 61 73 63 69 69 00 '\x00\x02\x00netascii\x00'
[2018-12-03 14:36:23,618]     Info: 12 bytes sent
[2018-12-03 14:36:23,619]     Info: Closing target connection...
[2018-12-03 14:36:23,630]     Info: Connection closed.
[2018-12-03 14:36:23,631]   Test Step: Sleep between tests.
[2018-12-03 14:36:23,632]     Info: sleeping for 3.000000 seconds
[2018-12-03 14:36:26,636] Test Case: 2: Request.no-name.2
[2018-12-03 14:36:26,637]     Info: Type: String. Default value: 'filename.txt'. Case 2 of 2882 overall.
[2018-12-03 14:36:26,638]     Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:26,639]     Info: Connection opened.
[2018-12-03 14:36:27,075]   Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:27,076]     Transmitting 5018 bytes: 00 02 2f 2e 3a 2f 41 41 41 41 41 41 41 41 41 ... 41 41 41 41 41 41 41 41 41 00 00 00 6e 65 74 61 73 63 69 69 00 '\x00\x02/.:/AAAAAAAAAAA...AAAAAAAAAAAAAAAAAA\x00\x00\x00netascii\x00'

While this screenshot is from a different application (and upcoming post), you can see that it is fairly quick to find some vulnerabilities!

[Screenshot: Boofuzz - EIP Overwrite]

Process Monitoring?

While I haven’t used this feature yet, process monitoring is also supported.

I used this a few times with Sulley, and it looks even easier to configure for Boofuzz. That said, I’m content just watching my crashes and figuring out the input command for now.

The developer removed network monitoring, but that is because the logging functionality is better than Sulley’s was.

For an example … here.

Boofuzz – Conclusion

I’m looking forward to using Boofuzz a bit more in the future, and I plan on using it for all of my vulnserver exploits as well.

I may start a GitHub repository for my fuzzing templates, so keep an eye out for those as well.

If you have any suggestions for fuzzing targets, or optimizing my workflow, then I’d love to hear them!

2 Comments

  1. Fuzzing in the real world, without instrumentation or at least process monitoring, can be a pain in the neck. You will find easy crashes that perhaps many have found as well, or crashes that will take a longer time when running root-cause analysis.

    • Definitely! That said, sometimes the simplest solution works from time to time. Especially if you can monitor the process with your eyes and figure it out quickly.

      When fuzzing something completely new, or for an extended period of time, then I definitely recommend at least process monitoring.

      I’m hoping to play with this feature in Boofuzz soon!
