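def main() -> None:
    """Run the fuzzer against the configured HTTP target.

    Builds one boofuzz request template ("Request") in which the method,
    URI and HTTP version are fuzzable, then drives it through a Session
    over a TCP socket. Results go to a CSV log that stays open for the
    whole run and is closed on exit, even if fuzz() raises.
    """
    port = 80
    host = "192.168.99.100"
    protocol = "tcp"

    # The CSV handle has to outlive session.fuzz() because the logger
    # writes to it during the run; the with-block closes it afterwards
    # instead of leaving it to interpreter shutdown.
    with open("fuzz_results_easyshare.csv", "w") as csv_log:
        my_logger = [bf.FuzzLoggerCsv(file_handle=csv_log)]
        target = bf.Target(
            connection=bf.SocketConnection(host, port, proto=protocol))
        # Attach the CSV logger to the Session; building the logger
        # without passing it here leaves the CSV file empty.
        session = bf.Session(target=target, fuzz_loggers=my_logger)

        # FUZZING PARAMETERS
        bf.s_initialize(name="Request")
        with bf.s_block("Request-Line"):
            bf.s_group("Method", [
                'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS',
                'TRACE'
            ])
            bf.s_delim(" ", name='space-1')
            bf.s_string("/index.html", name='Request-URI')
            bf.s_delim(" ", name='space-2')
            bf.s_string('HTTP/1.1', name='HTTP-Version')
            bf.s_static("\r\n", name="Request-Line-CRLF")
        # Empty line that terminates the request header block.
        bf.s_static("\r\n", "Request-CRLF")

        session.connect(bf.s_get("Request"))
        session.sleep_time = 1.0  # pause between test cases
        session.fuzz()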
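    def test_no_response_causes_restart(self):
        """
        Given: A listening server which will give no response
          and: A Session ready to fuzz that server, including two messages in sequence
        When: Calling fuzz_single_case()
        Then: The restart_target method is called.
        """
        # Given
        server = MiniTestServer(host='localhost', stay_silent=True)
        server.bind()

        # Serve a single connection on a daemon thread so a hung test
        # cannot keep the interpreter alive.
        t = threading.Thread(target=server.serve_once)
        t.daemon = True
        t.start()

        session = Session(
            target=Target(
                connection=SocketConnection('localhost', server.active_port, proto='tcp'),
            ),
            fuzz_loggers=[],  # log to nothing
            check_data_received_each_request=True,
            keep_web_open=False,
        )
        # Swap in the mock so the test can count restart calls.
        session._restart_target = self._mock_restart_target()

        s_initialize("test-msg-a")
        s_string("test-str-value")
        s_static("\r\n")

        s_initialize("test-msg-b")
        s_string("test-str-value")
        s_static("\r\n")

        session.connect(s_get("test-msg-a"))
        session.connect(s_get("test-msg-a"), s_get("test-msg-b"))

        # When
        # Case index one past every mutation of test-msg-a; presumably the
        # first case that reaches message b — confirm against Session's
        # case numbering.
        session.fuzz_single_case(s_get("test-msg-a").num_mutations() + 1)

        # Then
        t.join(THREAD_WAIT_TIMEOUT)
        # Thread.isAlive() was removed in Python 3.9; is_alive() is the
        # spelling available on every supported version.
        self.assertFalse(t.is_alive())

        self.assertEqual(1, self.restarts)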
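def main() -> None:
    """Run the fuzzer against the GMON command of the configured service.

    Sends "GMON <value>\\r\\n" where only the value is mutated; the command
    keyword and its separating space are held constant. Results go to a
    CSV log that stays open for the whole run and is closed on exit, even
    if fuzz() raises.
    """
    port = 9999
    host = "192.168.99.100"
    protocol = "tcp"

    # The CSV handle has to outlive session.fuzz() because the logger
    # writes to it during the run; the with-block closes it afterwards
    # instead of leaving it to interpreter shutdown.
    with open("fuzz_results_GMON.csv", "w") as csv_log:
        my_logger = [bf.FuzzLoggerCsv(file_handle=csv_log)]
        target = bf.Target(connection=bf.SocketConnection(host, port, proto=protocol))
        session = bf.Session(target=target, fuzz_loggers=my_logger)

        # FUZZING PARAMETERS
        bf.s_initialize("GMON")
        bf.s_string("GMON", fuzzable=False)  # command keyword, never mutated
        bf.s_delim(" ", fuzzable=False)
        bf.s_string("FUZZ")  # Fuzzable parameter
        bf.s_static("\r\n")

        session.sleep_time = 1.0  # pause between test cases
        # get_banner runs as the connection callback before each case.
        session.connect(bf.s_get("GMON"), callback=get_banner)
        session.fuzz()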
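    def test_no_response_causes_restart(self):
        """
        Given: A listening server which will give no response
          and: A Session ready to fuzz that server
        When: Calling fuzz_single_case()
        Then: The restart_target method is called.
        """
        # Given
        server = MiniTestServer(host='localhost', stay_silent=True)
        server.bind()

        # Serve a single connection on a daemon thread so a hung test
        # cannot keep the interpreter alive.
        t = threading.Thread(target=server.serve_once)
        t.daemon = True
        t.start()

        session = Session(
            target=Target(
                connection=SocketConnection('localhost', server.active_port, proto='tcp'),
            ),
            fuzz_data_logger=FuzzLogger(fuzz_loggers=[]),  # log to nothing
        )
        # Swap in the mock so the test can count restart calls.
        session.restart_target = self._mock_restart_target()

        s_initialize("test-msg")
        s_string("test-str-value")
        s_static("\r\n")

        session.connect(s_get("test-msg"))

        # When
        session.fuzz_single_case(1)

        # Then
        t.join(THREAD_WAIT_TIMEOUT)
        # Thread.isAlive() was removed in Python 3.9; is_alive() is the
        # spelling available on every supported version.
        self.assertFalse(t.is_alive())

        self.assertEqual(1, self.restarts)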
def main():
    """Fuzz the UserID cookie value of an otherwise fixed HTTP GET request.

    Every byte except the cookie value is emitted as static data; only the
    s_string primitive in the middle is mutated by the session.
    """
    session = Session(
        target=Target(connection=SocketConnection("192.168.0.101", 80, proto='tcp')),
    )

    s_initialize(name="Command")

    # Request line and headers up to (and including) the cookie name are
    # sent verbatim, in this order.
    fixed_prefix = (
        "GET /vfolder.ghp HTTP/1.1\r\n",
        "Host: 192.168.0.101\r\n",
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
        "Accept-Language: en-US,en;q=0.5\r\n",
        "Accept-Encoding: gzip, deflate\r\n",
        "Referer: http://192.168.0.101/login.htm\r\n",
        "Content-Type: application/x-www-form-urlencoded\r\n",
        "Content-Length: 60\r\n",
        "Cookie: UserID=",
    )
    for chunk in fixed_prefix:
        s_static(chunk)

    s_string("1")  # the cookie value is the only fuzzable field

    # Remainder of the request, also verbatim.
    # NOTE(review): the last chunk starts with "\r\n", which ends the header
    # block before "Connection: close", and Content-Length is fixed at 60
    # although no body is defined — confirm both are intentional.
    fixed_suffix = (
        "\r\n",
        "Cache-Control: max-age=0\r\n",
        "\r\nConnection: close\r\n\r\n",
    )
    for chunk in fixed_suffix:
        s_static(chunk)

    session.connect(s_get("Command"))

    session.fuzz()
def run():
    """Fuzz an HTTP GET request line plus Host, Connection and User-Agent headers.

    Each header is emitted as four primitives — field name, a space
    delimiter, the value and a CRLF — named after a common label so the
    primitives can be told apart in the session output. Fuzzing is limited
    to one mutated primitive per case (max_depth=1).
    """
    session = initfuzz()

    def header_line(field, value, label, space_name):
        # Emit "<field> <value>\r\n" with names derived from label, keeping
        # the same naming scheme as the request line below.
        s_string(field, name=label)
        s_delim(" ", name=space_name)
        s_string(value, name=label + "-Value")
        s_static("\r\n", name=label + "-CRLF")

    s_initialize(name="Request")
    with s_block("Request-Line"):
        methods = [
            'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS',
            'TRACE'
        ]
        s_group("Method", methods)
        s_delim(" ", name='space-1')
        s_string("/get", name='Request-URI')
        s_delim(" ", name='space-2')
        s_string('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n", name="Request-Line-CRLF")

        header_line("Host:", "example.com", "Host-Line", "space-3")
        header_line("Connection:", "Keep-Alive", "Connection-Line", "space-4")
        header_line(
            "User-Agent:",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1",
            "User-Agent-Line",
            "space-5",
        )

    # Empty line that terminates the header block.
    s_static("\r\n", "Request-CRLF")
    session.connect(s_get("Request"))
    session.fuzz(max_depth=1)
    node.names['Authority'].value = 1 + node.names['auth_nameservers'].current_reps

# "query" request: six word-sized header fields (named like a DNS header)
# followed by a repeated question section.
s_initialize("query")
s_word(0, name="TransactionID")
s_word(0, name="Flags")
# The remaining counts are emitted big-endian (endian='>'); the first two
# fields carry no explicit endian argument.
s_word(1, name="Questions", endian='>')
s_word(0, name="Answer", endian='>')
s_word(1, name="Authority", endian='>')
s_word(0, name="Additional", endian='>')

# ######## Queries ################
# The `if` around each s_block_start appears to serve only as visual
# nesting; every block is closed by the matching s_block_end below.
if s_block_start("query"):
    # One name label: a 1-byte length prefix (size of the "string" block)
    # followed by the label bytes themselves.
    if s_block_start("name_chunk"):
        s_size("string", length=1)
        if s_block_start("string"):
            s_string("A" * 10)
        s_block_end()
    s_block_end()
    # Repeat the label 2..4 times (step 1) to form a multi-label name; the
    # repetition count is itself fuzzable.
    s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName")

    # Name terminator: a zero byte or a two-byte pointer-looking value.
    # NOTE(review): these are str literals; under Python 3 "\xc0\xb0" may be
    # serialised as UTF-8 (four bytes) rather than the two raw bytes —
    # confirm how the library encodes them.
    s_group("end", values=["\x00", "\xc0\xb0"])  # very limited pointer fuzzing
    s_word(0xc, name="Type", endian='>')  # presumably a query type code; verify against the target protocol
    s_word(0x8001, name="Class", endian='>')  # class value with the high bit set; verify meaning
s_block_end()
# Positional arguments: presumably min_reps=0, max_reps=1000, step=40
# (compare the keyword form used for "name_chunk" above).
s_repeat("query", 0, 1000, 40, name="queries")


######## Authorities ############
if s_block_start("auth_nameserver"):
    if s_block_start("name_chunk_auth"):
        s_size("string_auth", length=1)
#!/usr/bin/env python3

import boofuzz
import socket


# Target and session configuration for the TRUN command fuzz run.
TARGET_IP = "192.168.1.62"
TARGET_PORT = 9999

# Text logger only; no CSV output for this run.
LOGGER = boofuzz.FuzzLogger(fuzz_loggers=[boofuzz.FuzzLoggerText()])
SESSION = boofuzz.sessions.Session(sleep_time=0.0, fuzz_data_logger=LOGGER)
CONNECTION = boofuzz.SocketConnection(TARGET_IP, TARGET_PORT, proto="tcp")
TARGET = boofuzz.sessions.Target(CONNECTION)

SESSION.add_target(TARGET)

# Request template: "TRUN <value>\r\n"; keyword, delimiter and value are
# all fuzzable primitives, the CRLF is static.
boofuzz.s_initialize("trunc")
boofuzz.s_string("TRUN")
boofuzz.s_delim(" ")
boofuzz.s_string("anonymous")
boofuzz.s_static("\r\n")

SESSION.connect(boofuzz.s_get("trunc"))
SESSION.fuzz()
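def run():
    """Fuzz an HTTP POST request with a small JSON body, one field at a time.

    The request line, Host, User-Agent, Accept, Connection and Content-Type
    headers are fuzzable primitives; Content-Length is derived from the
    "Body-Content" block (rendered as ASCII text) so the framing stays
    consistent while the body is mutated. Fuzzing is limited to one mutated
    primitive per case (max_depth=1).
    """
    session = initfuzz()

    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", [
            "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS",
            "TRACE", "PURGE"
        ])
        s_delim(" ", name="space-1")
        s_string("/post", name="Request-URI")
        s_delim(" ", name="space-2")
        s_string("HTTP/1.1", name="HTTP-Version")
        s_static("\r\n", name="Request-Line-CRLF")
        s_string("Host:", name="Host-Line")
        s_delim(" ", name="space-3")
        s_string("127.0.0.1:9080", name="Host-Line-Value")
        s_static("\r\n", name="Host-Line-CRLF")
        # Header names below are static; only the colon/space delimiters
        # and the values are mutated.
        s_static("User-Agent", name="User-Agent-Header")
        s_delim(":", name="User-Agent-Colon-1")
        s_delim(" ", name="User-Agent-Space-1")
        s_string(
            "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3223.8 Safari/537.36",
            name="User-Agent-Value")
        # No trailing comma on this call: a stray "," would turn it into a
        # discarded one-element tuple.
        s_static("\r\n", name="User-Agent-CRLF")
        s_static("Accept", name="Accept-Header")
        s_delim(":", name="Accept-Colon-1")
        s_delim(" ", name="Accept-Space-1")
        s_string(
            "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
            name="Accept-Value")
        s_static("\r\n", name="Accept-CRLF")
        s_static("Content-Length:", name="Content-Length-Header")
        s_delim(" ", name="space-4")
        # Length of the Body-Content block defined further down.
        s_size("Body-Content",
               output_format="ascii",
               name="Content-Length-Value")
        s_static("\r\n", "Content-Length-CRLF")
        s_static("Connection", name="Connection-Header")
        s_delim(":", name="Connection-Colon-1")
        s_delim(" ", name="Connection-Space-1")
        s_group("Connection-Type", ["keep-alive", "close"])
        s_static("\r\n", "Connection-CRLF")
        s_static("Content-Type", name="Content-Type-Header")
        s_delim(":", name="Content-Type-Colon-1")
        s_delim(" ", name="Content-Type-Space-1")
        s_string("application/x-www-form-urlencoded",
                 name="Content-Type-Value")
        s_static("\r\n", name="Content-Type-CRLF")
    # Empty line that terminates the header block.
    s_static("\r\n", "Request-CRLF")

    with s_block("Body-Content"):
        s_string('{"a":"b"}', name="Body-Content-Value")

    session.connect(s_get("Request"))
    session.fuzz(max_depth=1)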

# "query" request: six word-sized header fields (named like a DNS header)
# followed by a repeated question section.
s_initialize("query")
s_word(0, name="TransactionID")
s_word(0, name="Flags")
# The remaining counts are emitted big-endian (endian='>'); the first two
# fields carry no explicit endian argument.
s_word(1, name="Questions", endian='>')
s_word(0, name="Answer", endian='>')
s_word(1, name="Authority", endian='>')
s_word(0, name="Additional", endian='>')

# ######## Queries ################
# The `if` around each s_block_start appears to serve only as visual
# nesting; every block is closed by the matching s_block_end below.
if s_block_start("query"):
    # One name label: a 1-byte length prefix (size of the "string" block)
    # followed by the label bytes themselves.
    if s_block_start("name_chunk"):
        s_size("string", length=1)
        if s_block_start("string"):
            s_string("A" * 10)
        s_block_end()
    s_block_end()
    # Repeat the label 2..4 times (step 1) to form a multi-label name; the
    # repetition count is itself fuzzable.
    s_repeat("name_chunk",
             min_reps=2,
             max_reps=4,
             step=1,
             fuzzable=True,
             name="aName")

    # Name terminator: a zero byte or a two-byte pointer-looking value.
    # NOTE(review): these are str literals; under Python 3 "\xc0\xb0" may be
    # serialised as UTF-8 (four bytes) rather than the two raw bytes —
    # confirm how the library encodes them.
    s_group("end", values=["\x00", "\xc0\xb0"])  # very limited pointer fuzzing
    s_word(0xc, name="Type", endian='>')  # presumably a query type code; verify against the target protocol
    s_word(0x8001, name="Class", endian='>')  # class value with the high bit set; verify meaning
s_block_end()
# Positional arguments: presumably min_reps=0, max_reps=1000, step=40
# (compare the keyword form used for "name_chunk" above).
s_repeat("query", 0, 1000, 40, name="queries")