I started using Boofuzz during my OSCE work, and I wanted to share how simple it is.
Boofuzz – Introduction
I’ll be using Boofuzz for my vulnserver series first, but hopefully I can find some real 0-days with it soon!
First of all, the installation is incredibly easy, since it’s included in pip!
[email protected]:~/OSCE# pip install boofuzz
Collecting boofuzz
  Downloading https://files.pythonhosted.org/packages/50/fd/e70bfd0f079fe437ea98b2e077b1d6eda44fa990ea5368de179e44efa7ec/boofuzz-0.1.2-py2-none-any.whl (109kB)
    100% |████████████████████████████████| 112kB 1.3MB/s
Requirement already satisfied: attrs in /usr/lib/python2.7/dist-packages (from boofuzz)
Requirement already satisfied: Flask~=1.0 in /usr/lib/python2.7/dist-packages (from boofuzz)
Collecting psutil (from boofuzz)
...
  Not uninstalling tornado at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed boofuzz-0.1.2 psutil-5.4.8 pydot-1.4.0 tornado-4.5.3
Usage is fairly straightforward, but you can always check out the quick start (???) documentation for more info.
#!/usr/bin/env python
from boofuzz import *


def main():
    # One UDP target, with a 3 second pause between test cases
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.98.147", 69, proto='udp')),
        sleep_time=3)

    # TFTP request layout: opcode, filename, NUL, mode, NUL
    s_initialize("Request")
    s_binary("0002")                          # opcode 2 = write request (WRQ)
    s_string("filename.txt", fuzzable=True)   # filename field, mutated by the fuzzer
    s_binary("00")                            # NUL terminator
    s_string("netascii", fuzzable=True)       # transfer mode field, also mutated
    s_binary("00")                            # NUL terminator

    session.connect(s_get("Request"))
    session.fuzz()


if __name__ == "__main__":
    main()
As you can see, this Python script will open a new session to the target on port 69, send a basic write request, and fuzz the filename and mode parameters (the two s_string fields marked fuzzable). For more info about the TFTP protocol, you can read the Wikipedia article or the TFTP RFC (RFC 1350).
Once execution starts, Boofuzz will output the test case that it is on, the connection information, what field it is fuzzing, and what information the fuzzer is sending.
[email protected]:~/OSCE# python tftp_boofuzz.py
[2018-12-03 14:36:23,609] Test Case: 1: Request.no-name.1
[2018-12-03 14:36:23,610]     Info: Type: String. Default value: 'filename.txt'. Case 1 of 2882 overall.
[2018-12-03 14:36:23,611]     Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:23,613]     Info: Connection opened.
[2018-12-03 14:36:23,614]   Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:23,615]     Transmitting 12 bytes: 00 02 00 6e 65 74 61 73 63 69 69 00 '\x00\x02\x00netascii\x00'
[2018-12-03 14:36:23,618]     Info: 12 bytes sent
[2018-12-03 14:36:23,619]     Info: Closing target connection...
[2018-12-03 14:36:23,630]     Info: Connection closed.
[2018-12-03 14:36:23,631]   Test Step: Sleep between tests.
[2018-12-03 14:36:23,632]     Info: sleeping for 3.000000 seconds
[2018-12-03 14:36:26,636] Test Case: 2: Request.no-name.2
[2018-12-03 14:36:26,637]     Info: Type: String. Default value: 'filename.txt'. Case 2 of 2882 overall.
[2018-12-03 14:36:26,638]     Info: Opening target connection (192.168.98.147:69)...
[2018-12-03 14:36:26,639]     Info: Connection opened.
[2018-12-03 14:36:27,075]   Test Step: Fuzzing Node 'Request'
[2018-12-03 14:36:27,076]     Transmitting 5018 bytes: 00 02 2f 2e 3a 2f 41 41 41 41 41 41 41 41 41 ... 41 41 41 41 41 41 41 41 41 00 00 00 6e 65 74 61 73 63 69 69 00 '\x00\x02/.:/AAAAAAAAAAA...AAAAAAAAAAAAAAAAAA\x00\x00\x00netascii\x00'
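To make the log above concrete, here is an added example (my own code, not part of the original post or of Boofuzz) that builds TFTP requests with the same opcode/filename/NUL/mode/NUL layout as the template, and then parses them the strict way a TFTP server should before trusting either field. The two sample payloads are reconstructed byte for byte from the "Transmitting 12 bytes" and "Transmitting 5018 bytes" lines (5000 'A's accounts for the elided run); MAX_FILENAME and ALLOWED_MODES are limits I chose for the example, not protocol requirements.

```python
"""Build and strictly parse TFTP read/write requests (RFC 1350 layout).

Added example, not from the Boofuzz post. Shows what the fuzzer is
mutating and what a server-side parser has to reject.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}
ALLOWED_MODES = {"netascii", "octet", "mail"}  # the three modes RFC 1350 names
MAX_FILENAME = 255                             # example policy limit (assumption)


class TftpParseError(ValueError):
    """Request does not have the expected opcode/filename/mode layout."""


def build_request(opcode, filename, mode="netascii"):
    """Encode a request exactly like the Boofuzz template: opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(pkt):
    """Parse a RRQ/WRQ packet, accepting only opcode + filename + NUL + mode + NUL."""
    if len(pkt) < 2:
        raise TftpParseError("packet shorter than an opcode")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in OPCODES:
        raise TftpParseError("not a read/write request (opcode %d)" % opcode)
    body = pkt[2:]
    if not body.endswith(b"\x00"):
        raise TftpParseError("request not NUL-terminated")
    fields = body[:-1].split(b"\x00")  # extra NULs show up as extra fields
    if len(fields) != 2:
        raise TftpParseError("expected exactly filename and mode, got %d fields" % len(fields))
    raw_name, raw_mode = fields
    if not raw_name:
        raise TftpParseError("empty filename")
    if len(raw_name) > MAX_FILENAME:
        raise TftpParseError("filename too long (%d bytes)" % len(raw_name))
    try:
        filename = raw_name.decode("ascii")
        mode = raw_mode.decode("ascii").lower()  # mode is case-insensitive per RFC 1350
    except UnicodeDecodeError:
        raise TftpParseError("non-ASCII bytes in filename or mode")
    if mode not in ALLOWED_MODES:
        raise TftpParseError("unknown transfer mode %r" % mode)
    return {"opcode": OPCODES[opcode], "filename": filename, "mode": mode}


def check_request(pkt):
    """Return ('accepted', parsed) or ('rejected', reason) instead of raising."""
    try:
        return "accepted", parse_request(pkt)
    except TftpParseError as exc:
        return "rejected", str(exc)


# Payloads reconstructed from the two Boofuzz log lines (constructed here, not captured live)
CASE_1 = b"\x00\x02\x00netascii\x00"                                   # 12 bytes, empty filename
CASE_2 = b"\x00\x02/.:/" + b"A" * 5000 + b"\x00\x00\x00netascii\x00"  # 5018 bytes, oversized name

if __name__ == "__main__":
    for label, pkt in (("case 1", CASE_1), ("case 2", CASE_2),
                       ("sane", build_request(1, "boot.cfg", "octet"))):
        print(label, len(pkt), "bytes ->", check_request(pkt))
```

Running it shows the first fuzz case rejected for an empty filename and the second for its malformed field layout, while a normal read request parses cleanly; a server that skips any of these checks is exactly what the fuzzer is probing for.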
While this screenshot is from a different application (and upcoming post), you can see that it is fairly quick to find some vulnerabilities!
While I haven’t used this feature yet, process monitoring is also supported.
I used this a few times with Sulley, and it looks even easier to configure for Boofuzz. That said, I’m content just watching my crashes and figuring out the input command for now.
The developer removed network monitoring, but that is because the logging functionality is better than Sulley’s was.
For an example … here.
Boofuzz – Conclusion
I’m looking forward to using Boofuzz a bit more in the future, and I plan on using it for all of my vulnserver exploits as well.
I may start a GitHub repository for my fuzzing templates, so keep an eye out for those as well.
If you have any suggestions for fuzzing targets, or optimizing my workflow, then I’d love to hear them!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.