Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I started using Boofuzz during my OSCE work, and I wanted to share how simple it is.
First, Boofuzz is a fork and successor to the Sulley framework. I’ve used Sulley off and on since my GXPN, but it definitely isn’t the easiest to deal with.
I’ll be using Boofuzz for my vulnserver series first, but hopefully I can find some real 0-days with it soon!
You can check out the GitHub repository or documentation for Boofuzz if you want to just jump right in!
First of all, the installation is incredibly easy, since it’s included in pip!
[email protected]:~/OSCE# pip install boofuzz
Collecting boofuzz
  Downloading https://files.pythonhosted.org/packages/50/fd/e70bfd0f079fe437ea98b2e077b1d6eda44fa990ea5368de179e44efa7ec/boofuzz-0.1.2-py2-none-any.whl (109kB)
    100% |████████████████████████████████| 112kB 1.3MB/s
Requirement already satisfied: attrs in /usr/lib/python2.7/dist-packages (from boofuzz)
Requirement already satisfied: Flask~=1.0 in /usr/lib/python2.7/dist-packages (from boofuzz)
Collecting psutil (from boofuzz)
...
  Not uninstalling tornado at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed boofuzz-0.1.2 psutil-5.4.8 pydot-1.4.0 tornado-4.5.3
Usage is fairly straightforward, but you can always check out the quick start (???) documentation for more info.
For example, if you were trying to discover a vulnerability in a TFTP server, then you could start with the following script.
#!/usr/bin/env python
from boofuzz import *


def main():
    # Target: a TFTP server on UDP/69; pause 3 seconds between test cases
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.98.147", 69, proto='udp')),
        sleep_time=3)

    # TFTP request layout (RFC 1350): opcode, filename, NUL, mode, NUL
    s_initialize("Request")
    s_binary("0002")                          # opcode 2 = WRQ (write request)
    s_string("filename.txt", fuzzable=True)   # filename field is fuzzed
    s_binary("00")                            # NUL terminator
    s_string("netascii", fuzzable=True)       # transfer mode field is fuzzed
    s_binary("00")                            # NUL terminator

    session.connect(s_get("Request"))
    session.fuzz()


if __name__ == "__main__":
    main()
As you can see, this Python script will open a new session to the target on port 69, send a basic request, and fuzz the filename and (???) parameters. For more info about the TFTP protocol, you can visit (WIKI OR RFC).
Once execution starts, Boofuzz will output the test case that it is on, the connection information, what field it is fuzzing, and what information the fuzzer is sending.
[email protected]:~/OSCE# python tftp_boofuzz.py
[2018-12-03 14:36:23,609] Test Case: 1: Request.no-name.1
[2018-12-03 14:36:23,610] Info: Type: String. Default value: 'filename.txt'. Case 1 of 2882 overall.
[2018-12-03 14:36:23,611] Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:23,613] Info: Connection opened.
[2018-12-03 14:36:23,614] Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:23,615] Transmitting 12 bytes: 00 02 00 6e 65 74 61 73 63 69 69 00 '\x00\x02\x00netascii\x00'
[2018-12-03 14:36:23,618] Info: 12 bytes sent
[2018-12-03 14:36:23,619] Info: Closing target connection...
[2018-12-03 14:36:23,630] Info: Connection closed.
[2018-12-03 14:36:23,631] Test Step: Sleep between tests.
[2018-12-03 14:36:23,632] Info: sleeping for 3.000000 seconds
[2018-12-03 14:36:26,636] Test Case: 2: Request.no-name.2
[2018-12-03 14:36:26,637] Info: Type: String. Default value: 'filename.txt'. Case 2 of 2882 overall.
[2018-12-03 14:36:26,638] Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:26,639] Info: Connection opened.
[2018-12-03 14:36:27,075] Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:27,076] Transmitting 5018 bytes: 00 02 2f 2e 3a 2f 41 41 41 41 41 41 41 41 41 ... 41 41 41 41 41 41 41 41 41 00 00 00 6e 65 74 61 73 63 69 69 00 '\x00\x02/.:/AAAAAAAAAAA...AAAAAAAAAAAAAAAAAA\x00\x00\x00netascii\x00'
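The log above tells you which test case was in flight and exactly which bytes went out, and the script before it shows the two fields being mutated. The following is an added example, not code from the post and not part of boofuzz: it pulls each transmitted case out of a boofuzz log with the standard library only, then parses those bytes as a TFTP RRQ/WRQ the way a hardened server should, rejecting the empty, unterminated, oversized and traversal-style strings that the fuzzer generates instead of reading past the buffer. The log text, the 255-byte filename limit and the "no absolute paths or `..`" rule are assumptions constructed for the example; only the RFC 1350 packet layout and the log line format come from the post.

```python
"""Added example: correlate boofuzz log output with a defensive TFTP parser.
Not from the original post or the boofuzz project; uses only the stdlib."""
import re

TFTP_RRQ, TFTP_WRQ = 1, 2
MAX_FILENAME = 255                 # assumed server policy; RFC 1350 sets no limit
VALID_MODES = {b"netascii", b"octet", b"mail"}

# Constructed sample in the format boofuzz prints.  Case 1 matches the post's
# first case; case 2 is a shortened version of its long fuzz string; cases 3
# and 4 are added: a benign RRQ and a request whose filename is never terminated.
SAMPLE_LOG = r"""
[2018-12-03 14:36:23,609] Test Case: 1: Request.no-name.1
[2018-12-03 14:36:23,615] Transmitting 12 bytes: 00 02 00 6e 65 74 61 73 63 69 69 00 '\x00\x02\x00netascii\x00'
[2018-12-03 14:36:26,636] Test Case: 2: Request.no-name.2
[2018-12-03 14:36:27,076] Transmitting 27 bytes: 00 02 2f 2e 3a 2f 41 41 41 41 41 41 41 41 41 00 00 00 6e 65 74 61 73 63 69 69 00
[2018-12-03 14:36:30,100] Test Case: 3: Request.no-name.3
[2018-12-03 14:36:30,105] Transmitting 17 bytes: 00 01 74 65 73 74 2e 74 78 74 00 6f 63 74 65 74 00
[2018-12-03 14:36:33,200] Test Case: 4: Request.no-name.4
[2018-12-03 14:36:33,205] Transmitting 6 bytes: 00 01 41 41 41 41
"""

_CASE_RE = re.compile(r"Test Case: (\d+): (\S+)")
_TX_RE = re.compile(r"Transmitting (\d+) bytes: ((?:[0-9a-f]{2} )*[0-9a-f]{2})")


def parse_boofuzz_log(text):
    """Return [(case_no, node_name, data, complete)] for every transmission.
    `complete` is False when the hex dump was shortened with '...' in the log
    and so has fewer bytes than the declared length."""
    cases, current = [], None
    for line in text.splitlines():
        m = _CASE_RE.search(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            continue
        m = _TX_RE.search(line)
        if m and current:
            declared = int(m.group(1))
            data = bytes.fromhex(m.group(2))   # fromhex skips the spaces
            cases.append((current[0], current[1], data, len(data) == declared))
    return cases


def parse_tftp_request(pkt):
    """Parse an RRQ/WRQ (RFC 1350) defensively.  Returns (opcode, filename, mode)
    or raises ValueError.  Every read is bounded by the buffer, and a string
    that is empty, unterminated or over its limit is rejected outright: those
    are exactly the shapes the fuzzer's string mutations produce."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = int.from_bytes(pkt[:2], "big")
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise ValueError("unsupported opcode %d" % opcode)
    fields, pos = [], 2
    for label, limit in (("filename", MAX_FILENAME), ("mode", 8)):
        end = pkt.find(b"\x00", pos)           # bounded: never runs off the end
        if end == -1:
            raise ValueError("%s not NUL-terminated" % label)
        if end == pos:
            raise ValueError("%s is empty" % label)
        if end - pos > limit:
            raise ValueError("%s too long (%d bytes)" % (label, end - pos))
        fields.append(pkt[pos:end])
        pos = end + 1
    if pos != len(pkt):
        raise ValueError("%d trailing bytes" % (len(pkt) - pos))
    filename, mode = fields
    if mode.lower() not in VALID_MODES:
        raise ValueError("unknown mode %r" % mode)
    name = filename.decode("ascii")            # UnicodeDecodeError is a ValueError
    # Assumed policy: serve only relative paths that stay inside the root.
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError("filename escapes the served directory")
    return opcode, name, mode.lower().decode("ascii")


def triage(log_text):
    """Pair each transmitted case with the parser's verdict, so the last case
    sent before a target died can be read straight off the log."""
    out = []
    for case_no, node, data, complete in parse_boofuzz_log(log_text):
        if not complete:
            out.append((case_no, "skipped: hex dump truncated in log"))
            continue
        try:
            op, name, mode = parse_tftp_request(data)
            verdict = "ok: %s %s (%s)" % ("RRQ" if op == TFTP_RRQ else "WRQ", name, mode)
        except ValueError as e:
            verdict = "rejected: %s" % e
        out.append((case_no, verdict))
    return out


if __name__ == "__main__":
    for case_no, verdict in triage(SAMPLE_LOG):
        print("case %d: %s" % (case_no, verdict))
```

Run against a real boofuzz log (for example `python triage.py < fuzz.log` after reading stdin instead of `SAMPLE_LOG`), the cases the parser accepts are the ones a correct server would have processed, and the rejections show which malformed shape each mutation was exercising; a target that crashes on a case this parser rejects has skipped a bounds or termination check.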
While this screenshot is from a different application (and upcoming post), you can see that it is fairly quick to find some vulnerabilities!
While I haven’t used this feature yet, process monitoring is also supported.
I used this a few times with Sulley, and it looks even easier to configure for Boofuzz. That said, I’m content just watching my crashes and figuring out the input command for now.
The developer removed network monitoring, but that is because the logging functionality is better than Sulley’s was.
For an example … here.
I’m looking forward to using Boofuzz a bit more in the future, and I plan on using it for all of my vulnserver exploits as well.
I may start a GitHub repository for my fuzzing templates, so keep an eye out for those as well.
If you have any suggestions for fuzzing targets, or optimizing my workflow, then I’d love to hear them!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.
Fuzzing in the real world, without instrumentation or at least process monitoring, can be a pain in the neck. You will find easy crashes that perhaps many have found as well, or crashes that will take a longer time when running root-cause analysis.
Definitely! That said, sometimes the simplest solution works from time to time. Especially if you can monitor the process with your eyes and figure out quickly.
When fuzzing something completely new, or for an extended period of time, then I definitely recommend at least process monitoring.
I’m hoping to play with this feature in Boofuzz soon!