def _configure_session(self):
target_config = ConfigurationManager.get_target()
startup_command = ConfigurationManager.get_startup_command()
ssl_context = None
if self._protocol == 'ssl':
ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
recv_timeout = ConfigurationManager.get_receive_timeout()
remote_connection = SocketConnection(target_config["hostname"],
target_config["port"],
proto=self._protocol,
sslcontext=ssl_context,
recv_timeout=recv_timeout)
if startup_command:
process_monitor = pedrpc.Client(target_config["hostname"], 26002)
process_monitor_options = {"start_commands": [startup_command]}
target = Target(connection=remote_connection,
procmon=process_monitor,
procmon_options=process_monitor_options)
else:
target = Target(connection=remote_connection)
self._session = Session(
target=target,
fuzz_loggers=[self._text_logger, self._junit_logger],
post_test_case_callbacks=[PostTestCaseCallback.post_test_callback],
restart_sleep_time=0,
keep_web_open=False,
fuzz_db_keep_only_n_pass_cases=sys.maxsize,
crash_threshold_element=10,
crash_threshold_request=30)
def initfuzz():
fw = open(cur_dir() + "/test.log",'w')
fuzz_loggers = [FuzzLoggerText(file_handle=fw)]
session = Session(
target=Target(
connection=TCPSocketConnection("127.0.0.1", 9080, send_timeout=5.0, recv_timeout=5.0, server=False)
),
fuzz_loggers=fuzz_loggers,
keep_web_open=False,
)
return session
def setup_session(protocol):
arguments = setup_argparse(protocol)
if arguments.debug:
procmon = ProcessMonitor('127.0.0.1', arguments.dport)
procmon.set_options(start_commands=[
arguments.command.split(),
])
if not arguments.command:
raise ValueError(
'Please specify command if debugger should be attached')
try:
if arguments.host and arguments.port:
session = Session(target=Target(
connection=connections.UDPSocketConnection(
arguments.host, arguments.port)
if arguments.udp else connections.TCPSocketConnection(
arguments.host, arguments.port),
monitors=[procmon]), )
else:
session = Session(target=Target(
connection=connections.RawL2SocketConnection(
interface='lo', ethernet_proto=33024),
monitors=[procmon]), )
except BoofuzzRpcError:
raise ValueError(
'Please start process monitor first if debugger shall be attached'
)
else:
if arguments.host and arguments.port:
session = Session(target=Target(
connection=connections.
UDPSocketConnection(arguments.host, arguments.port
) if arguments.udp else connections.
TCPSocketConnection(arguments.host, arguments.port)))
else:
session = Session(target=Target(
connection=connections.RawL2SocketConnection(
interface='lo', ethernet_proto=33024)))
return session
def test_no_response_causes_restart(self):
"""
Given: A listening server which will give no response
and: A Session ready to fuzz that server, including two messages in sequence
When: Calling fuzz_single_case()
Then: The restart_target method is called.
"""
# Given
server = MiniTestServer(host='localhost', stay_silent=True)
server.bind()
t = threading.Thread(target=server.serve_once)
t.daemon = True
t.start()
session = Session(
target=Target(
connection=SocketConnection('localhost', server.active_port, proto='tcp'),
),
fuzz_loggers=[], # log to nothing
check_data_received_each_request=True,
keep_web_open=False,
)
session._restart_target = self._mock_restart_target()
s_initialize("test-msg-a")
s_string("test-str-value")
s_static("\r\n")
s_initialize("test-msg-b")
s_string("test-str-value")
s_static("\r\n")
session.connect(s_get("test-msg-a"))
session.connect(s_get("test-msg-a"), s_get("test-msg-b"))
# When
session.fuzz_single_case(s_get("test-msg-a").num_mutations() + 1)
# Then
t.join(THREAD_WAIT_TIMEOUT)
self.assertFalse(t.isAlive())
self.assertEqual(1, self.restarts)
def main():
arguments = setup_argparse()
if arguments.original:
data = get_original__pck(arguments.protocol)
elif arguments.path:
data = get_crashing_pck(arguments.path)
else:
print("You have to specify a path to the packet to be send or choose to send an original packet")
sys.exit()
if arguments.host and arguments.port:
target = Target(
connection=SocketConnection(arguments.host, arguments.port, proto='tcp'))
session = Session(target=target, check_data_received_each_request=True, keep_web_open=False)
target.open()
target.send(data)
target.close()
else:
sendp(data, iface="lo")
def test_foo_bar(self):
session = Session(target=Target(connection=UDPSocketConnection(
recv_timeout=1,
host="172.26.87.144",
port=6234,
bind=("0.0.0.0", 12345),
), ),
keep_web_open=False)
s_initialize("foo")
s_group("version", values=["\x06"])
session.connect(s_get("foo"))
session.fuzz()
self.open("http://localhost:26000")
self.assert_text("boofuzz Fuzz Control", "div.main-title")
def test_no_response_causes_restart(self):
"""
Given: A listening server which will give no response
and: A Session ready to fuzz that server
When: Calling fuzz_single_case()
Then: The restart_target method is called.
"""
# Given
server = MiniTestServer(host='localhost', stay_silent=True)
server.bind()
t = threading.Thread(target=server.serve_once)
t.daemon = True
t.start()
session = Session(
target=Target(
connection=SocketConnection('localhost', server.active_port, proto='tcp'),
),
fuzz_data_logger=FuzzLogger(fuzz_loggers=[]), # log to nothing
)
session.restart_target = self._mock_restart_target()
s_initialize("test-msg")
s_string("test-str-value")
s_static("\r\n")
session.connect(s_get("test-msg"))
# When
session.fuzz_single_case(1)
# Then
t.join(THREAD_WAIT_TIMEOUT)
self.assertFalse(t.isAlive())
self.assertEqual(1, self.restarts)
def main():
session = Session(
target=Target(connection=SocketConnection("192.168.0.101", 80, proto='tcp')),
)
s_initialize(name="Command")
s_static("GET /vfolder.ghp HTTP/1.1\r\n")
s_static("Host: 192.168.0.101\r\n")
s_static("User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n")
s_static("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n")
s_static("Accept-Language: en-US,en;q=0.5\r\n")
s_static("Accept-Encoding: gzip, deflate\r\n")
s_static("Referer: http://192.168.0.101/login.htm\r\n")
s_static("Content-Type: application/x-www-form-urlencoded\r\n")
s_static("Content-Length: 60\r\n")
s_static("Cookie: UserID=")
s_string("1") # this is the part we fuzz
s_static("\r\n")
s_static("Cache-Control: max-age=0\r\n")
s_static("\r\nConnection: close\r\n\r\n")
session.connect(s_get("Command"))
session.fuzz()
from boofuzz import Session, Target, SocketConnection, s_initialize
session = Session(target=Target(
connection=SocketConnection("127.0.0.1", 6021, proto='udp')))
s_initialize("INIT_CHLO")
#!/usr/bin/env python3
# Designed for use with boofuzz v0.2.0
# Original author:
#
# pedram amini <*****@*****.**>
#
# this was a really half assed fuzz. someone should take it further, see my notes in the requests file for more info.
#
from boofuzz import Session, Target, s_get, TCPSocketConnection
# noinspection PyUnresolvedReferences
# pytype: disable=import-error
from request_definitions import trend # noqa: F401
# pytype: enable=import-error
sess = Session(session_filename="audits/trend_server_protect_20901.session",
sleep_time=0.25)
sess.add_target(Target(connection=TCPSocketConnection("127.0.0.1", 20901)))
sess.connect(s_get("20901"))
sess.fuzz()
class Fuzzer:
def __init__(self, endpoints, text_logger, junit_logger, protocol: str):
self._endpoints = endpoints
self._text_logger = text_logger
self._junit_logger = junit_logger
self._protocol = protocol
self._session = None
self._configure_session()
self._remove_endpoints_by_keywords(
ConfigurationManager.get_keywords_for_endpoints_skipping())
if ConfigurationManager.is_http_fuzzing_allowed():
self._generate_http_fuzzing()
self._generate_uri_attributes_fuzzing()
self._generate_request_body_fuzzing()
self._generate_request_body_fuzzing(
add_quotation_marks_into_non_string_primitives=True)
def _configure_session(self):
target_config = ConfigurationManager.get_target()
startup_command = ConfigurationManager.get_startup_command()
ssl_context = None
if self._protocol == 'ssl':
ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
recv_timeout = ConfigurationManager.get_receive_timeout()
remote_connection = SocketConnection(target_config["hostname"],
target_config["port"],
proto=self._protocol,
sslcontext=ssl_context,
recv_timeout=recv_timeout)
if startup_command:
process_monitor = pedrpc.Client(target_config["hostname"], 26002)
process_monitor_options = {"start_commands": [startup_command]}
target = Target(connection=remote_connection,
procmon=process_monitor,
procmon_options=process_monitor_options)
else:
target = Target(connection=remote_connection)
self._session = Session(
target=target,
fuzz_loggers=[self._text_logger, self._junit_logger],
post_test_case_callbacks=[PostTestCaseCallback.post_test_callback],
restart_sleep_time=0,
keep_web_open=False,
fuzz_db_keep_only_n_pass_cases=sys.maxsize,
crash_threshold_element=10,
crash_threshold_request=30)
def _generate_http_fuzzing(self):
self._session.connect(s_get(generate_http_fuzzed_blocks()))
def _generate_uri_attributes_fuzzing(self):
for endpoint in self._endpoints:
for request in endpoint["Requests"]:
request_name = generate_url_attributes_fuzzed_blocks(
endpoint, request)
self._session.connect(s_get(request_name))
def _generate_request_body_fuzzing(
self, add_quotation_marks_into_non_string_primitives=False):
for endpoint in self._endpoints:
for request in endpoint["Requests"]:
request_name = generate_body_fuzzed_blocks(
endpoint, request,
add_quotation_marks_into_non_string_primitives)
self._session.connect(s_get(request_name))
def _remove_endpoints_by_keywords(self, keywords: List[str]):
for keyword in keywords:
self._endpoints[:] = [
endpoint for endpoint in self._endpoints
if keyword not in endpoint.get('Uri')
]
def fuzz(self):
report_progress(self._session, self._junit_logger)
self._session.fuzz()
def was_there_any_failure(self):
return self._junit_logger.was_there_any_failure
