Boofuzz Introduction – Installation and Basic Usage

I started using Boofuzz during my OSCE work, and I wanted to share how simple it is.

Boofuzz - Introduction

First, Boofuzz is a fork and successor to the Sulley framework. I've used Sulley off and on since my GXPN, but it definitely isn't the easiest to deal with.

I'll be using Boofuzz for my vulnserver series first, but hopefully I can find some real 0-days with it soon!

You can check out the GitHub repository or documentation for Boofuzz if you want to just jump right in!

Installation

First of all, the installation is incredibly easy, since it's included in pip!

root@kali:~/OSCE# pip install boofuzz
Collecting boofuzz
  Downloading https://files.pythonhosted.org/packages/50/fd/e70bfd0f079fe437ea98b2e077b1d6eda44fa990ea5368de179e44efa7ec/boofuzz-0.1.2-py2-none-any.whl (109kB)
    100% |████████████████████████████████| 112kB 1.3MB/s
Requirement already satisfied: attrs in /usr/lib/python2.7/dist-packages (from boofuzz)
Requirement already satisfied: Flask~=1.0 in /usr/lib/python2.7/dist-packages (from boofuzz)
Collecting psutil (from boofuzz)

...

    Not uninstalling tornado at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed boofuzz-0.1.2 psutil-5.4.8 pydot-1.4.0 tornado-4.5.3

Usage

Usage is fairly straightforward, but you can always check out the quick start (???) documentation for more info.

For example, if you were trying to discover a vulnerability in aTFTP server, then you could start with the following script.

#!/usr/bin/env python

from boofuzz import *

def main():
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.98.147", 69, proto='udp')),sleep_time = 3)

    s_initialize("Request")
    s_binary("0002")
    s_string("filename.txt", fuzzable=True)
    s_binary("00")
    s_string("netascii", fuzzable=True)
    s_binary("00")
    
    session.connect(s_get("Request"))
    session.fuzz()
   
if __name__ == "__main__":
    main()

As you can see, this Python script will open a new session to the target on port 69, send a basic request, and fuzz the filename and (???) parameters. For more info about the TFTP protocol, you can visit (WIKI OR RFC).

Once execution starts, Boofuzz will output the test case that it is on, the connection information, what field it is fuzzing, and what information the fuzzer is sending.

root@kali:~/OSCE# python tftp_boofuzz.py
[2018-12-03 14:36:23,609] Test Case: 1: Request.no-name.1
[2018-12-03 14:36:23,610]     Info: Type: String. Default value: 'filename.txt'. Case 1 of 2882 overall.
[2018-12-03 14:36:23,611]     Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:23,613]     Info: Connection opened.
[2018-12-03 14:36:23,614]   Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:23,615]     Transmitting 12 bytes: 00 02 00 6e 65 74 61 73 63 69 69 00 '\x00\x02\x00netascii\x00'
[2018-12-03 14:36:23,618]     Info: 12 bytes sent
[2018-12-03 14:36:23,619]     Info: Closing target connection...
[2018-12-03 14:36:23,630]     Info: Connection closed.
[2018-12-03 14:36:23,631]   Test Step: Sleep between tests.
[2018-12-03 14:36:23,632]     Info: sleeping for 3.000000 seconds
[2018-12-03 14:36:26,636] Test Case: 2: Request.no-name.2
[2018-12-03 14:36:26,637]     Info: Type: String. Default value: 'filename.txt'. Case 2 of 2882 overall.
[2018-12-03 14:36:26,638]     Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:26,639]     Info: Connection opened.
[2018-12-03 14:36:27,075]   Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:27,076]     Transmitting 5018 bytes: 00 02 2f 2e 3a 2f 41 41 41 41 41 41 41 41 41 ... 41 41 41 41 41 41 41 41 41 00 00 00 6e 65 74 61 73 63 69 69 00 '\x00\x02/.:/AAAAAAAAAAA...AAAAAAAAAAAAAAAAAA\x00\x00\x00netascii\x00'

While this screenshot is from a different application (and upcoming post), you can see that it is fairly quick to find some vulnerabilities!

Boofuzz - EIP Overwrite

Process Monitoring?

While I haven't used this feature yet, process monitoring is also supported.

I used this a few times with Sulley, and it looks even easier to configure for Boofuzz. That said, I'm content just watching my crashes and figuring out the input command for now.

The developer removed network monitoring, but that is because the logging functionality is better than Sulley's was.

For an example ... here.

Boofuzz - Conclusion

I'm looking forward to using Boofuzz a bit more in the future, and I plan on using it for all of my vulnserver exploits as well.

I may start a GitHub repository for my fuzzing templates, so keep an eye out for those as well.

If you have any suggestions for fuzzing targets, or optimizing my workflow, then I'd love to hear them!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Common passed on this blog, I made it to a jam.

2 Comments

Filed under Security Not Included

2 Responses to Boofuzz Introduction – Installation and Basic Usage

  1. Elite Mocca

    Fuzzing in real world, without instrumentation or at least process monitoring can be pain in the neck. You will find easy crashes that perhaps many have found as Wells or crashes that will take longer time when running root-cause analysis.

    • Definitely! That said, sometimes the simplest solution works from time to time. Especially if you can monitor the process with your eyes and figure out quickly.

      When fuzzing something completely new, or for an extended period of time, then I definitely recommend at least process monitoring.

      I’m hoping to play with this feature in Boofuzz soon!

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.