def run():
    """Define the "Request" HTTP message and fuzz it against the initfuzz() target.

    The request line is a fuzzable method group plus URI and version strings;
    three header lines (Host, Connection, User-Agent) follow, each built from
    the same four primitives, then the end-of-headers CRLF. The session fuzzes
    with ``max_depth=1``.
    """
    session = initfuzz()

    def header_line(label, value, space_index):
        # "<label>: <value>\r\n" as four primitives: the label primitive
        # carries the colon; only the label and value are fuzzable strings.
        s_string(label + ":", name=label + "-Line")
        s_delim(" ", name="space-%d" % space_index)
        s_string(value, name=label + "-Line-Value")
        s_static("\r\n", name=label + "-Line-CRLF")

    s_initialize(name="Request")
    with s_block("Request-Line"):
        methods = ["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"]
        s_group("Method", methods)
        s_delim(" ", name="space-1")
        s_string("/get", name="Request-URI")
        s_delim(" ", name="space-2")
        s_string("HTTP/1.1", name="HTTP-Version")
        s_static("\r\n", name="Request-Line-CRLF")
        # block nesting reconstructed from the flattened source; the rendered
        # bytes are the same either way
        header_line("Host", "example.com", 3)
        header_line("Connection", "Keep-Alive", 4)
        header_line(
            "User-Agent",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1",
            5,
        )
        s_static("\r\n", "Request-CRLF")

    session.connect(s_get("Request"))
    session.fuzz(max_depth=1)
def main() -> None: """Run the fuzzer""" port = 80 host = "192.168.99.100" protocol = "tcp" csv_log = open("fuzz_results_easyshare.csv", "w") my_logger = [bf.FuzzLoggerCsv(file_handle=csv_log)] target = bf.Target( connection=bf.SocketConnection(host, port, proto=protocol)) session = bf.Session(target=target) # FUZZING PARAMETERS bf.s_initialize(name="Request") with bf.s_block("Request-Line"): bf.s_group("Method", [ 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE' ]) bf.s_delim(" ", name='space-1') bf.s_string("/index.html", name='Request-URI') bf.s_delim(" ", name='space-2') bf.s_string('HTTP/1.1', name='HTTP-Version') bf.s_static("\r\n", name="Request-Line-CRLF") bf.s_static("\r\n", "Request-CRLF") session.connect(bf.s_get("Request")) session.sleep_time = 1.0 session.fuzz()
def test_no_response_causes_restart(self): """ Given: A listening server which will give no response and: A Session ready to fuzz that server, including two messages in sequence When: Calling fuzz_single_case() Then: The restart_target method is called. """ # Given server = MiniTestServer(host='localhost', stay_silent=True) server.bind() t = threading.Thread(target=server.serve_once) t.daemon = True t.start() session = Session( target=Target( connection=SocketConnection('localhost', server.active_port, proto='tcp'), ), fuzz_loggers=[], # log to nothing check_data_received_each_request=True, keep_web_open=False, ) session._restart_target = self._mock_restart_target() s_initialize("test-msg-a") s_string("test-str-value") s_static("\r\n") s_initialize("test-msg-b") s_string("test-str-value") s_static("\r\n") session.connect(s_get("test-msg-a")) session.connect(s_get("test-msg-a"), s_get("test-msg-b")) # When session.fuzz_single_case(s_get("test-msg-a").num_mutations() + 1) # Then t.join(THREAD_WAIT_TIMEOUT) self.assertFalse(t.isAlive()) self.assertEqual(1, self.restarts)
def generate_headers(config):
    """Emit the HTTP header lines for a request built from ``config``.

    Every ``config["headers"]`` entry is emitted verbatim as ``Key: Value``
    followed by CRLF. A ``Host`` line derived from
    ``config["target"]["hostname"]`` and a ``Content-Length`` line are
    appended only when the config does not already carry them. The
    Content-Length value is a non-fuzzable ``s_size`` over the "body" block
    and is emitted WITHOUT a trailing CRLF, so the caller must follow this
    with the end-of-headers CRLF.
    """
    headers = config["headers"]
    has_header = RequestBuildHelper._is_header_in_config

    if headers is not None:
        for key, value in headers.items():
            s_static(key + ": " + value)
            s_static("\r\n")

    if not has_header(headers, "Host"):
        s_static("Host: " + config["target"]["hostname"])
        s_static("\r\n")

    if not has_header(headers, "Content-Length"):
        # The value is computed from the rendered "body" block (the whole
        # request content, including its current mutation), so it stays
        # consistent with whatever the fuzzer substitutes there.
        # NOTE(review): when the config supplies its own Content-Length the
        # last emitted primitive is a CRLF, so a caller that then appends
        # "\r\n\r\n" produces one extra empty line — confirm with callers.
        s_static('Content-Length: ')
        s_size("body", output_format="ascii", fuzzable=False)
def main() -> None: """Run the fuzzer""" port = 9999 host = "192.168.99.100" protocol = "tcp" csv_log = open("fuzz_results_GMON.csv", "w") my_logger = [bf.FuzzLoggerCsv(file_handle=csv_log)] target = bf.Target(connection=bf.SocketConnection(host, port, proto=protocol)) session = bf.Session(target=target, fuzz_loggers=my_logger) # FUZZING PARAMETERS bf.s_initialize("GMON") bf.s_string("GMON", fuzzable=False) bf.s_delim(" ", fuzzable=False) bf.s_string("FUZZ") #Fuzzable parameter bf.s_static("\r\n") session.sleep_time = 1.0 session.connect(bf.s_get("GMON"), callback=get_banner) session.fuzz()
def s_http_general(value, payloads, fuzzable=True, encoding: EncodingTypes = EncodingTypes.ascii, name=None, add_quotation_marks=False):
    """Emit one HTTP field primitive: a group over encoded payloads, or a static value.

    ``value`` and each entry of ``payloads`` are encoded with
    ``Encoder.encode_string`` using ``encoding``; with ``add_quotation_marks``
    every payload (but not the default value) is wrapped in ASCII-encoded
    quotation marks. When ``fuzzable`` the primitive is an ``s_group`` named
    ``name`` over the encoded payloads with the encoded ``value`` as default;
    otherwise a single ``s_static`` carrying the encoded ``value``.
    """
    quote = Encoder.get_ascii_encoded_quotation_mark

    def encode_payload(raw):
        encoded = Encoder.encode_string(raw, encoding)
        if add_quotation_marks:
            return quote() + encoded + quote()
        return encoded

    encoded_payloads: List[bytes] = [encode_payload(p) for p in payloads]
    default_value = Encoder.encode_string(value, encoding)

    if not fuzzable:
        s_static(default_value)
        return
    # noinspection PyTypeChecker
    s_group(name, encoded_payloads, default_value)
def test_no_response_causes_restart(self): """ Given: A listening server which will give no response and: A Session ready to fuzz that server When: Calling fuzz_single_case() Then: The restart_target method is called. """ # Given server = MiniTestServer(host='localhost', stay_silent=True) server.bind() t = threading.Thread(target=server.serve_once) t.daemon = True t.start() session = Session( target=Target( connection=SocketConnection('localhost', server.active_port, proto='tcp'), ), fuzz_data_logger=FuzzLogger(fuzz_loggers=[]), # log to nothing ) session.restart_target = self._mock_restart_target() s_initialize("test-msg") s_string("test-str-value") s_static("\r\n") session.connect(s_get("test-msg")) # When session.fuzz_single_case(1) # Then t.join(THREAD_WAIT_TIMEOUT) self.assertFalse(t.isAlive()) self.assertEqual(1, self.restarts)
def generate_http_fuzzed_blocks() -> str:
    """Register the general HTTP request template and return its boofuzz name.

    Method, path, version and User-Agent value are fuzzable ``s_http_string``
    primitives; the Host line (from the configured target hostname), the
    fixed ``Content-Length: 0`` line and the User-Agent label are static.
    The separators, including the final header/body terminator, are
    ``s_delim`` primitives.
    """
    request_name = "General HTTP fuzzing:"
    s_initialize(name=request_name)

    # request line
    s_http_string("GET", name="HTTP method")
    s_delim(" ", name="Delimiter between method and path")
    s_http_string("/path", encoding=EncodingTypes.ascii, name="HTTP path")
    s_delim(" ", name="Delimiter between path and version")
    s_http_string("HTTP/1.1\r\n", name="HTTP version")

    # headers
    hostname = ConfigurationManager.config["target"]["hostname"]
    s_static(f"Host: {hostname}\r\n")
    s_static("Content-Length: 0\r\n")
    s_static("User-Agent: ")
    s_http_string("WapiFuzz", name="User-agent")
    s_delim("\r\n\r\n", name="HTTP headers and body delimiter")

    return request_name
def initialize_goose(session):
    """Register the 'goose_msg' request (an IEC 61850 GOOSE frame) and connect it to ``session``.

    The Ethernet/VLAN preamble is static; every TLV field of the goosePDU
    (tag, length and data) is an ``s_random`` primitive sharing one mutation
    envelope (min_length=0, max_length=100, num_mutations=100000), so the
    fuzzer can corrupt any of them independently. Block nesting was
    reconstructed from the flattened source; the rendered bytes do not
    depend on it.

    NOTE(review): the values are str literals holding 0x80+ code points.
    Under Python 3 boofuzz would encode them as UTF-8 and emit multi-byte
    sequences instead of the single raw bytes the template intends — confirm
    the boofuzz/Python version this was written for.
    NOTE(review): 8 header bytes + the 174-byte PDU (2 + 172) total 182, one
    less than the 183 encoded in the "Length" field — confirm against a capture.
    """
    def fuzzed(value, name):
        # the one mutation envelope shared by every fuzzable field
        s_random(value, min_length=0, max_length=100, num_mutations=100000, name=name)

    def tlv(block_name, *fields):
        # (value, primitive name) pairs emitted in order inside a named block
        with s_block(block_name):
            for value, name in fields:
                fuzzed(value, name)

    # 41- and 35-byte ASCII object references, written out instead of as
    # \x escapes (same str values)
    gocb_ref = "simpleIOGenericIO/LLN0$GO$gcbAnalogValues"
    dat_set = "simpleIOGenericIO/LLN0$AnalogValues"

    s_initialize('goose_msg')

    with s_block("Preamble"):
        s_static('\x01\x0c\xcd\x01\x00\x01', name="Destination")
        s_static('\x00\x00\x00\x00\x00\x00', name="Source")
        s_static('\x81\x00', name="Tag Protocol Identifier (TPID)")
        s_static('\x80\x00', name="Tag Control Information (TCI)")
        s_static('\x88\xb8', name="Ethertype = Goose")
        s_static('\x03\xe8', name="Application Identifier (APPID) laut Paper allerdings x3f xff")
        s_static('\x00\xb7', name="Length (183) --> Wovon?")
        s_static('\x00\x00', name="Reserved 1")
        s_static('\x00\x00', name="Reserved 2")

    with s_block("goosePDU"):
        fuzzed('\x61', "TAG goosePDU")
        fuzzed('\x81\xac', "LENGTH goosePDU (172)")
        tlv("gocbRef",
            ("\x80", "TAG gocbRef"),
            ("\x29", "LENGTH gocbRef = 41"),
            (gocb_ref, "DATA gocbRef"))
        tlv("TimeAllowedToLive",
            ("\x81", "TAG TimeAllowedToLive"),
            ("\x01", "LENGTH TimeAllowedToLive = 1"),
            ("\x00", "DATA TimeAllowedToLive"))
        tlv("datSet",
            ("\x82", "TAG datSet"),
            ("\x23", "Length datSet = 35"),
            (dat_set, "DATA datSet"))
        tlv("goID",
            ("\x83", "TAG goID"),
            ("\x29", "LENGTH goID = 41"),
            (gocb_ref, "DATA goID"))
        tlv("time",
            ("\x84", "TAG time"),
            ("\x08", "LENGTH time = 8"),
            ("\x5d\xe6\x60\x85\xb8\xd4\xfd\x0a", "DATA time"))
        tlv("stNum",
            ("\x85", "TAG stNum"),
            ("\x01", "LENGTH stNum = 1"),
            ("\x01", "DATA stNum"))
        tlv("sqNum",
            ("\x86", "TAG sqNum"),
            ("\x01", "LENGTH sqNum = 1"),
            ("\x00", "DATA sqNum"))
        tlv("Test Bit",
            ("\x87", "TAG Test Bit"),
            ("\x01", "LENGTH Test Bit = 1"),
            ("\x00", "DATA Test Bit"))
        tlv("ConfRev",
            ("\x88", "TAG ConfRev"),
            ("\x01", "LENGTH ConfRev = 1"),
            ("\x01", "DATA ConfRev"))
        tlv("ndsCom",
            ("\x89", "TAG ndsCom"),
            ("\x01", "LENGTH ndsCom = 1"),
            ("\x00", "DATA ndsCom"))
        tlv("numDatSetEntries",
            ("\x8a", "TAG numDatSetEntries"),
            ("\x01", "LENGTH numDatSetEntries = 1"),
            ("\x03", "DATA numDatSetEntries"))
        with s_block("allData"):
            # 16 = data 1 (4) + data 2 (8) + data 3 (4)
            fuzzed('\xab', "TAG allData")
            fuzzed('\x10', "LENGTH allData = 16")
            tlv("data 1",
                ("\x85", "TAG data 1 = integer"),
                ("\x02", "LENGTH data 1 = 2"),
                ("\x04\xd2", "DATA data 1"))
            tlv("data 2",
                ("\x8c", "TAG data 2 = binary-time"),
                ("\x06", "LENGTH data 2 = 6"),
                ("\x00\x00\x00\x00\x00\x00", "DATA data 2"))
            tlv("data 3",
                ("\x85", "TAG data 3 = integer"),
                ("\x02", "LENGTH data 3 = 2"),
                ("\x16\x2e", "DATA data 3"))

    session.connect(s_get('goose_msg'))
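def initialize_sampled_values(session):
    """Register the 'sv_msg' request (an IEC 61850-9-2 Sampled Values frame) and connect it to ``session``.

    The Ethernet/VLAN preamble and the savPDU tag/length are static; every
    TLV field below them (tag, length and data) is an ``s_random`` primitive
    sharing one mutation envelope (min_length=0, max_length=100,
    num_mutations=100000). The seed frame carries two 39-byte ASDUs. Block
    nesting was reconstructed from the flattened source; the rendered bytes
    do not depend on it.

    Fixes: the seed length byte of ``confRef 1`` was 0x01 although its data
    is four bytes (ASDU (2) already uses 0x04, and the declared ASDU length
    39 = 8 + 4 + 6 + 3 + 18 only adds up with a 4-byte confRef); the
    ``seqData 1`` length and data primitives were mislabelled "smpSynch 1"
    in their log names.

    NOTE(review): the values are str literals holding 0x80+ code points.
    Under Python 3 boofuzz would encode them as UTF-8 and emit multi-byte
    sequences instead of single raw bytes — confirm the boofuzz/Python
    version this was written for.
    """
    def fuzzed(value, name):
        # the one mutation envelope shared by every fuzzable field
        s_random(value, min_length=0, max_length=100, num_mutations=100000, name=name)

    def tlv(block_name, *fields):
        # (value, primitive name) pairs emitted in order inside a named block
        with s_block(block_name):
            for value, name in fields:
                fuzzed(value, name)

    s_initialize('sv_msg')

    with s_block("Preamble"):
        s_static('\x01\x0c\xcd\x01\x00\x01', name="Destination")
        s_static('\x00\x00\x00\x00\x00\x00', name="Source")
        s_static('\x81\x00', name="Tag Protocol Identifier (TPID)")
        s_static('\x80\x00', name="Tag Control Information (TCI)")
        s_static('\x88\xba', name="Ethertype = Sampled Value Transmission")
        s_static('\x40\x00', name="Application Identifier (APPID)")
        s_static('\x00\x61', name="Length (97)")  # 8 header bytes + 2 + 87
        s_static('\x00\x00', name="Reserved 1")
        s_static('\x00\x00', name="Reserved 2")
        s_static('\x60', name="TAG savPDU")
        s_static('\x57', name="LENGTH savPDU = 87")  # noASDU (3) + seqASDU (2 + 82)

    tlv("noASDU",
        ('\x80', "TAG noASDU"),
        ('\x01', "LENGTH noASDU = 1"),
        ('\x02', "DATA noASDU = 2"))

    with s_block("seqASDU"):
        fuzzed('\xa2', "TAG seqASDU")
        fuzzed('\x52', "LENGTH seqASDU = 82")  # two ASDUs of 2 + 39 bytes

        with s_block("ASDU (1)"):
            fuzzed('\x30', "TAG Sequence ASDU (1)")
            fuzzed('\x27', "LENGTH Sequence ASDU (1) = 39")
            tlv("svID 1",
                ('\x80', "TAG svID 1"),
                ('\x06', "LENGTH svID 1 = 6"),
                ('\x73\x76\x70\x75\x62\x31', "DATA svID"))
            tlv("smpCnt 1",
                ('\x82', "TAG smpCnt 1"),
                ('\x02', "LENGTH smpCnt 1 = 2"),
                ('\x00\x01', "DATA smpCnt 1 = 1"))
            # length byte corrected from 0x01: the data is four bytes, as in ASDU (2)
            tlv("confRef 1",
                ('\x83', "TAG confRef 1"),
                ('\x04', "LENGTH confRef 1"),
                ('\x00\x00\x00\x01', "DATA confRef 1 = 1"))
            tlv("smpSynch 1",
                ('\x85', "TAG smpSynch 1"),
                ('\x01', "LENGTH smpSynch 1"),
                ('\x00', "DATA smpSynch 1 = 0"))
            tlv("seqData 1",
                ('\x87', "TAG seqData 1"),
                ('\x10', "LENGTH seqData 1 = 16"),
                ('\x44\x9a\x52\x2b\x3d\xfc\xd3\x5b\x5e\x3a'
                 '\x91\x59\x65\xa1\xca\x00', "DATA seqData 1"))

        with s_block("ASDU (2)"):
            fuzzed('\x30', "TAG Sequence ASDU (2)")
            fuzzed('\x27', "LENGTH Sequence ASDU (2) = 39")
            tlv("svID 2",
                ('\x80', "TAG svID 2"),
                ('\x06', "LENGTH svID 2 = 6"),
                ('\x73\x76\x70\x75\x62\x32', "DATA svID 2"))
            tlv("smpCnt 2",
                ('\x82', "TAG smpCnt 2"),
                ('\x02', "LENGTH smpCnt 2 = 2"),
                ('\x00\x01', "DATA smpCnt 2 = 1"))
            tlv("confRef 2",
                ('\x83', "TAG confRef 2"),
                ('\x04', "LENGTH confRef 2 = 4"),
                ('\x00\x00\x00\x01', "DATA confRef 2 = 1"))
            tlv("smpSynch 2",
                ('\x85', "TAG smpSynch 2"),
                ('\x01', "LENGTH smpSynch 2 = 1"),
                ('\x00', "DATA smpSynch 2 = 0"))
            tlv("seqData 2",
                ('\x87', "TAG seqData 2"),
                ('\x10', "LENGTH seqData 2 = 16"),
                ('\x45\x1a\x52\x2b\x3e\x7c\xd3\x5b\x5e\x3a'
                 '\x91\x59\x65\xa1\xca\x00', "DATA seqData 2"))

    session.connect(s_get('sv_msg'))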
def _generate_http_header(request, endpoint, fuzzable):
    """Emit the request line and headers for one endpoint request.

    The upper-cased method and the ``HTTP/1.1`` version are static; the URI
    comes from ``RequestBuildHelper.generate_uri`` using the endpoint's URI
    and the request's ``UriAttributes`` and honours ``fuzzable``; the header
    lines come from ``RequestBuildHelper.generate_headers`` over the global
    configuration. The final static primitive holds two CRLFs.
    """
    method = request["Method"].upper()
    s_static(method + " ")
    RequestBuildHelper.generate_uri(endpoint["Uri"], request["UriAttributes"], fuzzable)
    s_static(" HTTP/1.1\r\n")
    RequestBuildHelper.generate_headers(ConfigurationManager.config)
    s_static("\r\n\r\n")
def main(): session = Session( target=Target(connection=SocketConnection("192.168.0.101", 80, proto='tcp')), ) s_initialize(name="Command") s_static("GET /vfolder.ghp HTTP/1.1\r\n") s_static("Host: 192.168.0.101\r\n") s_static("User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n") s_static("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n") s_static("Accept-Language: en-US,en;q=0.5\r\n") s_static("Accept-Encoding: gzip, deflate\r\n") s_static("Referer: http://192.168.0.101/login.htm\r\n") s_static("Content-Type: application/x-www-form-urlencoded\r\n") s_static("Content-Length: 60\r\n") s_static("Cookie: UserID=") s_string("1") # this is the part we fuzz s_static("\r\n") s_static("Cache-Control: max-age=0\r\n") s_static("\r\nConnection: close\r\n\r\n") session.connect(s_get("Command")) session.fuzz()
#!/usr/bin/env python3
"""Fuzz the argument of the TRUN command on the TCP service named by TARGET_IP/TARGET_PORT."""
import boofuzz
import socket  # kept as found; not used in this script

TARGET_IP = "192.168.1.62"
TARGET_PORT = 9999

# Text logger wrapped in the session-level FuzzLogger; no pause between cases.
LOGGER = boofuzz.FuzzLogger(fuzz_loggers=[boofuzz.FuzzLoggerText()])
SESSION = boofuzz.sessions.Session(sleep_time=0.0, fuzz_data_logger=LOGGER)

CONNECTION = boofuzz.SocketConnection(TARGET_IP, TARGET_PORT, proto="tcp")
TARGET = boofuzz.sessions.Target(CONNECTION)
SESSION.add_target(TARGET)

# "TRUN anonymous\r\n": command word, delimiter and argument are all
# fuzzable primitives; only the CRLF is static.
boofuzz.s_initialize("trunc")
boofuzz.s_string("TRUN")
boofuzz.s_delim(" ")
boofuzz.s_string("anonymous")
boofuzz.s_static("\r\n")

SESSION.connect(boofuzz.s_get("trunc"))
SESSION.fuzz()
def run(): session = initfuzz() s_initialize(name="Request") with s_block("Request-Line"): s_group("Method", [ "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PURGE" ]) s_delim(" ", name="space-1") s_string("/post", name="Request-URI") s_delim(" ", name="space-2") s_string("HTTP/1.1", name="HTTP-Version") s_static("\r\n", name="Request-Line-CRLF") s_string("Host:", name="Host-Line") s_delim(" ", name="space-3") s_string("127.0.0.1:9080", name="Host-Line-Value") s_static("\r\n", name="Host-Line-CRLF") s_static('User-Agent', name='User-Agent-Header') s_delim(':', name='User-Agent-Colon-1') s_delim(' ', name='User-Agent-Space-1') s_string( 'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3223.8 Safari/537.36', name='User-Agent-Value') s_static('\r\n', name='User-Agent-CRLF'), s_static('Accept', name='Accept-Header') s_delim(':', name='Accept-Colon-1') s_delim(' ', name='Accept-Space-1') s_string( 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', name='Accept-Value') s_static('\r\n', name='Accept-CRLF') s_static("Content-Length:", name="Content-Length-Header") s_delim(" ", name="space-4") s_size("Body-Content", output_format="ascii", name="Content-Length-Value") s_static("\r\n", "Content-Length-CRLF") s_static('Connection', name='Connection-Header') s_delim(':', name='Connection-Colon-1') s_delim(' ', name='Connection-Space-1') s_group('Connection-Type', ['keep-alive', 'close']) s_static('\r\n', 'Connection-CRLF') s_static('Content-Type', name='Content-Type-Header') s_delim(':', name='Content-Type-Colon-1') s_delim(' ', name='Content-Type-Space-1') s_string('application/x-www-form-urlencoded', name='Content-Type-Value') s_static('\r\n', name='Content-Type-CRLF') s_static("\r\n", "Request-CRLF") with s_block("Body-Content"): s_string('{"a":"b"}', name="Body-Content-Value") session.connect(s_get("Request")) session.fuzz(max_depth=1)