KernW0lf@github.io ~ $

Mastering Boofuzz: From Basics to Advanced

tags
#Fuzzing #Boofuzz
published
reading time
7 minutes

In the world of software security, fuzzing is a critical technique used to identify vulnerabilities in software by bombarding it with unexpected or malformed inputs. One of the most popular and versatile fuzzing tools is Boofuzz, an open-source fuzzing framework widely used by security researchers and developers alike. Based on the legacy Sulley Fuzzing Framework, Boofuzz continues its mission of being a robust, modular, and extensible fuzzer for both beginners and seasoned professionals.🚀

In this comprehensive guide, we will explore Boofuzz from scratch to advanced usage, walking through everything from installation and basic usage to developing sophisticated fuzzers for real-world applications. Whether you’re a beginner just getting started or looking to master fuzzing with Boofuzz, this guide has you covered.

What is Boofuzz?

Boofuzz is a Python-based fuzzing framework that allows security professionals to test the robustness of their applications by generating and sending malformed inputs to target software, hardware, or network protocols. It’s flexible and supports network protocols, file formats, and even embedded systems fuzzing.

Key Features of Boofuzz:

  • Modular design for flexibility.
  • Support for both stateful and stateless fuzzing.
  • Built-in monitoring for target crash detection.
  • Extensibility through Python scripting.
  • Rich logging and reporting options.

Installing Boofuzz

Boofuzz is available via pip, making installation straightforward.

pip install boofuzz

You can also clone the source code from GitHub for more control or contribute to development:

git clone https://github.com/jtpereyda/boofuzz.git
cd boofuzz
python setup.py install

Getting Started: Basic Fuzzing with Boofuzz

To begin fuzzing with Boofuzz, you need to define a target, create fuzzing input (fuzz template), and monitor the target for crashes or anomalies. Let’s fuzz a simple network server as an example. We will be using netcat as simple network server.

Basic TCP Fuzzing Script using Boofuzz:

from boofuzz import *

def main():
    # Define the target to fuzz (localhost and port 9999)
    target_ip = "127.0.0.1"
    target_port = 9999

    # Initialize the session
    session = Session(
        target=Target(connection=SocketConnection(target_ip, target_port, proto='tcp'))
    )

    # Define the fuzzing request
    # This will fuzz a simple string sent over TCP
    s_initialize("Fuzzing")
    s_string("FUZZ_ME")

    # Add this fuzz request to the session
    session.connect(s_get("Fuzzing"))

    # Start fuzzing
    session.fuzz()

if __name__ == "__main__":
    main()

Before executing the fuzzing script, ensure that netcat is set up to listen continuously on port 9999. The -k flag ensures that netcat remains in listening mode after handling each connection. You can do this with the following command:

$ nc -nlvp 9999 -k

Once netcat is up and running, you can proceed to execute the fuzzing script by running:

$ python simple_tcpfuzz.py

This will initiate the fuzzing process, sending various mutated payloads to the target service listening on port 9999 and monitoring for any crashes or abnormal behavior.

Key Steps in the Example:

  • Session: Handles the fuzzing logic.
  • Target: Defines the target system (IP, port, and protocol).
  • s_initialize(): Initializes a fuzz case.
  • s_string(): Defines fuzzable inputs.

Creating Advanced Fuzzers

For complex applications, simple fuzzing isn’t enough. You’ll need to work with complex state machines, perform multi-stage fuzzing, or handle authentication mechanisms.

Stateful Fuzzing:

Boofuzz allows for stateful fuzzing, which means you can define different states in a protocol (e.g., handshake → authentication → data exchange) and fuzz each state independently.

s_initialize("handshake")
s_string("INIT", fuzzable=True)

s_initialize("auth")
s_string("USER", fuzzable=True)
s_string("PASS", fuzzable=True)

session.connect(s_get("handshake"))
session.connect(s_get("auth"))
session.fuzz()

This fuzzer simulates a protocol handshake before moving to the authentication stage.

Developing Custom Protocol Fuzzers

Boofuzz is ideal for network protocol fuzzing, but what if you’re dealing with a custom protocol? The framework allows you to define custom packet structures, message flows, and encoding formats.

Custom Protocol Fuzzing Example:

from boofuzz import *

# Define a packet structure with custom checksum
s_initialize("custom_packet")
s_static(b"\x01\x02\x03\x04")  # Packet header 
s_string("payload", size=10, fuzzable=True)  # size : Static size of this field, leave None for dynamic
s_checksum("custom_packet", algorithm="md5", length=16) # Custom checksum calculation for data integrity

session.connect(s_get("custom_packet"))
session.fuzz()

This example demonstrates adding a checksum to the fuzzed packet, ensuring the fuzzed input conforms to the protocol’s structure.

We can utilize the following checksum algorithms: CRC32, CRC32C, Adler32, MD5, SHA-1, IPv4, and UDP.

Now, we’ll explore how to set up a fuzzing session for a custom protocol using the Boofuzz library. Our target protocol requires an initial 4-byte header, a specific payload length of 10 bytes, and a 2-byte checksum using the CRC32 algorithm.

Let’s fuzz for a protocol which needs initial 4 bytes to be \xaa\xbb\xcc\xdd and packet length should be 10 and checksum (ipv4) should be of 2 bytes.

from boofuzz import *

# Target IP address and port
ip_addr = "127.0.0.1"
ip_port = 9999

def main():
    # Initialize the fuzzing session with the target TCP socket
    session = Session(target=Target(TCPSocketConnection(ip_addr, ip_port)))

    # Define the packet structure and initialize a new block request
    s_initialize("Fuzz_Me")
    
    # Set the initial header
    s_static(b"\xaa\xbb\xcc\xdd")
    
    # Define the payload size: 10 bytes total minus 4 for the header and 4 for the checksum
    s_string("Fuzz", size=2)  # This leaves us with 2 bytes for fuzzing

    # Add a CRC32 checksum to ensure data integrity
    s_checksum("Fuzz_Me", algorithm="crc32")

    # Connect the defined packet structure to the session
    session.connect(s_get("Fuzz_Me"))

    # Start the fuzzing process
    session.fuzz()

if __name__ == "__main__":
    main()

Let’s verify the results using netcat and xxd: Structure

Targeted Fuzzing for Known Vulnerabilities

If you’re fuzzing a specific application or protocol with known vulnerabilities, targeted fuzzing can help focus on potentially dangerous areas of the code, such as user inputs or particular functions.

Example: Fuzzing an HTTP POST Request

Below is a practical example of how to use the boofuzz library to fuzz an HTTP request:

from boofuzz import *

ip_addr = "127.0.0.1"
ip_port = 8000

def main():
    # Initialize the fuzzing session
    session = Session(target=Target(TCPSocketConnection(ip_addr, ip_port)))


    # Define the fuzzing template for an HTTP request
    s_initialize("http_get")
    s_static("GET /")
    s_string("Fuzz_Me") # We will Fuzz Here
    s_static("HTTP/1.1\r\n")
    s_static("Host: 127.0.0.1\r\n")
    s_static("User-Agent: boofuzz/0.4.2\r\n\r\n")  # I used boofuzz/0.4.2 as User Agent but you can use whatever you need
    
    # Connect the fuzzing template to the session
    session.connect(s_get("http_get"))

    # Start fuzzing
    session.fuzz()

if __name__ == "__main__":
    main()

In this example, we target an HTTP GET request while fuzzing only the endpoint. The other components of the request—such as the headers—remain intact.

We can set up a listener on port 8000 using netcat, and then run the script to check if it’s functioning correctly.

$ nc -nlp 8000 -k
GET /!@#$%%^#$%#$@#$%$$@#$%^^**(()HTTP/1.1
Host: 127.0.0.1
User-Agent: boofuzz/0.4.2

GET /HTTP/1.1
Host: 127.0.0.1
User-Agent: boofuzz/0.4.2

GET /$(reboot)HTTP/1.1
Host: 127.0.0.1
User-Agent: boofuzz/0.4.2

GET /$;rebootHTTP/1.1
Host: 127.0.0.1
User-Agent: boofuzz/0.4.2

GET /%00HTTP/1.1
Host: 127.0.0.1
User-Agent: boofuzz/0.4.2

Monitoring Fuzzing Progress via the Boofuzz Web Interface

Boofuzz provides a built-in web interface that allows you to monitor your fuzzing progress in real time. By default, this web server runs on port 26000, this allows you to view the current status of your fuzzing session, including the number of test cases executed, crashes, and other metrics, all from a browser-friendly interface.

To change the web interface port, simply specify a web_port when creating your fuzzing session:

from boofuzz import Session

# Initialize the session and enable web interface on port 26000
session = Session(web_port=26000)

# Add your target and fuzzing logic...
session.fuzz()

Once the fuzzing session starts, open your browser and navigate to http://localhost:26000. You’ll be able to see real-time updates on the fuzzing process, making it easier to track progress or investigate crashes.

This web interface provides a user-friendly way to manage and visualize your fuzzing efforts, especially during long or complex fuzzing sessions.

Fuzzing FTP Server

To fuzz an FTP server that requires authentication (username and password), you can use Boofuzz to simulate an FTP connection, provide the credentials, and fuzz different parts of the FTP protocol. Since your FTP server runs on port 2221 and the credentials are admin:password, we’ll need to build an authenticated fuzzing session.

Here’s an example of how you can fuzz your FTP server with Boofuzz:

Boofuzz Script for Fuzzing FTP

from boofuzz import *
import sys

def main():
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <target_port>")
        sys.exit(1)

    target_ip = sys.argv[1]
    target_port = int(sys.argv[2])

    # Define session and target
    session = Session(
        target=Target(
            connection=TCPSocketConnection(target_ip, target_port)
        )
    )

    # FUZZ_MKD block
    s_initialize("FUZZ_MKD")
    with s_block("ftp_FUZZ_MKD"):
        s_static("USER admin\r\n")  # Static username
        s_static("PASS password\r\n")  # Static password
        s_static("MKD ")              # MKD command
        s_string("FUZZ_DIR", fuzzable=True)  # Fuzz directory name
        s_static("\r\n")

    # Connect and fuzz
    session.connect(s_get("FUZZ_MKD"))
    session.fuzz()

if __name__ == "__main__":
    main()

Further Reading: Official Boofuzz Documentation

While this guide covers the essentials of Boofuzz, the official documentation is an excellent resource for diving deeper into the framework’s full capabilities. It contains detailed descriptions of all classes, methods, and parameters, as well as advanced usage examples, troubleshooting tips, and community-contributed content.

You can explore the full Boofuzz documentation here: Boofuzz Documentation

Conclusion

In this blog, we walked through setting up and using Boofuzz for fuzzing, covering everything from basic installation to advanced scenarios. Now you’re equipped to dive into fuzzing with Boofuzz and enhance the security of your software.

In the next blog, we’ll explore spike, another powerful fuzzing tool for identifying vulnerabilities in network protocols and applications.

Happy Fuzzing! 🎉