    8litz
    @8litz
    @pAP3R is this for linux too?
    pAP3R
    @pAP3R
    Honestly I’m not sure— I’ve only been fuzzing windows apps. If Libasm, PyDbg and the procmon library support Linux (RPC calls, for instance) I don’t see why it wouldn’t. Have you tried it?
    Hari Charan Konduri
    @GrepSecurity
    Any good resource to read about Sulley?
    JkShah1992
    @JkShah1992
    Hello, I believe you have worked on boofuzz for a longer time now. Could you give me a short description of pros and cons of boofuzz?
    pAP3R
    @pAP3R
    @jtpereyda Wish I could have seen your BlackHat talk! Good work man, boofuzz rules
    Josh Pitts
    @secretsquirrel
    @jtpereyda or anyone that knows.. I have a packet that sends the size of the packet at the beginning of the packet. Obviously I want to fuzz this at first, so I'm not concerned about making sure that size is correct, however, later I want the size to be correct for better code coverage. How do I use the s_size() function in a block to do this correctly - at the beginning of the packet?
    in peach, I know you could do a fixup... but not sure if there is something similar in boofuzz
    Josh Pitts
    @secretsquirrel
    nevermind... I see you can have s_size before a sub_block:
    from boofuzz import *

    # a request must be initialized before any primitives or blocks can be added to it.
    s_initialize("table")

    # table entry: [type][len][string][checksum]
    if s_block_start("table entry"):
        # we don't know what the valid types are, so we'll fill this in with random data.
        s_random("\x00\x00", 2, 2)

        # next, we insert a sizer of length 2 for the string field to follow.
        # the sizer is declared before the block it measures; boofuzz resolves it at render time.
        s_size("string field", length=2)

        # block helpers only apply to blocks, so encapsulate the string primitive in one.
        if s_block_start("string field"):
            # the default string will simply be a short sequence of C's.
            s_string("C" * 10)
        s_block_end()

        # append the CRC-32 checksum of the string to the table entry.
        s_checksum("string field")
    s_block_end()

    # repeat the table entry from 100 to 1,000 reps stepping 50 elements on each iteration.
    s_repeat("table entry", min_reps=100, max_reps=1000, step=50)
    pAP3R
    @pAP3R
    You could just fuzz the size with normal binary fuzzing, then use the s_size
    that way you send random size data
    then accurate data when linking size to the block
    Josh Pitts
    @secretsquirrel
    @jtpereyda or anyone that knows how to do this: I'm trying to fuzz the 4th packet in a sequence, basically after authentication to this application. How would I go about fuzzing after authn using boofuzz? I can do successful authn via python, then on the next socket send I want to fuzz that input. I'm guessing I would need to do a one off fuzz attempt and increment, but I can use any advice. thx.
    pAP3R
    @pAP3R
    @jtpereyda Hey man, did you remove the skip from session in the newest release? Granted, I have been using 0.0.12 for some time, but just updated and noted that the documentation no longer contains a 'skip' either
    Unitiser
    @Unitiser
    Hi, I'm quite new to boofuzz. The documentation mentions "Extensible instrumentation/failure detection". I'd like to implement some kind of custom failure detection based on the server's reply. I can't find the section in the doc about that subject. Where should I start if I were to implement such a thing? Anything would help: examples, code, docs.
    ajaySec
    @ajaySec
    Hi, I am new to fuzzing. I am writing a fuzzer for APIs. I have written one for GET requests but I don't have any idea about POST requests. I want to fuzz POST data in JSON format. Can anyone help me here with what to use? Thanks
    Jan Stárek
    @starek4
    It would be great if boofuzz worked on Python 3.x. It is quite a limitation now, since Python 2 retires in 9 months.
    Paul Sorensen
    @aedrax
    I'm working on that right now actually
    https://github.com/aedrax/boofuzz/tree/feature/python3
    I'm keeping it compatible with 2 and 3 so it doesn't just take down everyone
    hopefully should be working soon
    Jan Stárek
    @starek4
    @aedrax, that's great :) looking forward to it
    Paul Sorensen
    @aedrax
    thanks! I was making great progress but then became busy all weekend, I'm back on it now though!
    Paul Sorensen
    @aedrax
    just submitted a pull request!
    @starek4 if you want to give a test, please do and let me know of any issue you find
    Jan Stárek
    @starek4

    @aedrax thanks! I do not have a lot of time for this right now, but I can look at it later.

    While I was working with Boofuzz I found so far two things we could make better. The first (and main) one is s_string. Even if we restrict max_len of the generated mutations, there are quite a lot of duplications of long strings. Well, not exact duplications, but just different lengths of the same type of payload. Another thing is that some of the payloads seem to have quite a low chance of breaking anything. The second issue is logging. If Boofuzz is used in some CI environment, there still needs to be written some tool which takes data from the .db file or whatever other logs we defined and parses it into one of the standardized test report formats, e.g. JUnit. So my suggestion is to write another built-in logger class, which will produce a JUnit file.

    I will focus on these two things and I will try to create some general solution and open some PR for further discussion.

    And sorry for my English. Doing my best.
    Paul Sorensen
    @aedrax
    is there a way to mutate multiple types simultaneously?
    Jan Stárek
    @starek4
    @aedrax I think that there is no built-in way to do that.
    Jan Stárek
    @starek4
    Well, I have another problem. When I run a bunch of tests, sometimes (for me usually after between 15 000 - 30 000 test cases) I get "OSError: [Errno 98] Address already in use".
    Jan Stárek
    @starek4
    It does not make sense to me. I use SocketConnection, so after every test case the connection should be closed. The socket is opened with "SO_REUSEADDR", which means that there is no waiting for "TIME_WAIT" when closing the socket.
    @jtpereyda any ideas, what can be wrong? Can this be related to jtpereyda/boofuzz#281 issue?
    Alan Lacerda a.k.a. alacerda
    @alacerda
    I am trying to fuzz a FTP Application but boofuzz is crashing with the error: UnicodeDecodeError: 'ascii' codec can't decode byte 0xfe in position 6: ordinal not in range(128)
    How can I deal with this error?
    It happens on the 20th iteration, when it sends the string:
    'USER %\xfe\xf0%\x00\xff\r\n'
    Paul Sorensen
    @aedrax
    are you using the boofuzz-ftp example?
    Alan Lacerda a.k.a. alacerda
    @alacerda
    Yes, the same happens with boofuzz-ftp
    cmdline:
    python ftp.py fuzz --target-host=192.168.0.108 --target-port=21 --username=intruderlabs --password=123 --csv-out=result.cvs --procmon-host=192.168.0.108 --procmon-port=26002 --procmon-start="C:\Program Files (x86)\FTP\server.exe"
    Test Case: 20: user.no-name.20 raises the error
    Paul Sorensen
    @aedrax
    what does pip show boofuzz return?
    Alan Lacerda a.k.a. alacerda
    @alacerda
    [image attachment: image.png]
    mour
    @mylamour
    Is Boofuzz only for network protocol fuzzing?
    Jeff Linahan
    @jeffythedragonslayer
    does anyone know how to generate random packets with boofuzz?
    like if I don't know/don't care what protocol is being used on a port
    Jeff Linahan
    @jeffythedragonslayer
    or how about let's say I want to generate soap messages
    Jan Stárek
    @starek4
    Hello, I am facing a problem which had some workaround in Sulley, but the knownbugs from the Google forums are deleted now.
    Does anybody know what the solution to this problem was?
    Also noticed here: OpenRCE/sulley#22