Skip to content
the Network Protocol Fuzzer that we will want to use.
Python
Branch: master
Clone or download
Mario Rivas
Mario Rivas - UDP Socket Binding Fixed
- Now it is not necessary to bind to an UDP port
Latest commit 7ecf914 Aug 15, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Docs Aug 1, 2019
fuzzowski - UDP Socket Binding Fixed Aug 15, 2019
tests Initial commit Aug 1, 2019
.gitignore Initial commit Aug 1, 2019
LICENSE.txt Initial commit Aug 1, 2019
README.md Docs Aug 1, 2019
requirements.txt Initial commit Aug 1, 2019

README.md

Fuzzowski

       █      █       
       ████████       
      ██████████      
     ██  ████  ██     
     ██  ████  ██     
    ████      ████    
   █ ████████████ █   
   █  ██████████  █   Fuzzowski Network Fuzzer
   █    █     █   █           🄯  Fuzzers, inc.
       ██     ██       

The idea is to be the Network Protocol Fuzzer that we will want to use.

The aim of this tool is to assist during the whole process of fuzzing a network protocol, allowing to define the communications, helping to identify the "suspects" of crashing a service, and much more

Features

  • Based on Sulley Fuzzer for data generation [https://github.com/OpenRCE/sulley]
  • Actually, forked BooFuzz (which is a fork of Sulley) [https://github.com/jtpereyda/boofuzz ]
  • Python3
  • Improved Strings fuzzing libraries, allowing also for custom lists, files and callback commands
  • Not random (finite number of possibilities)
  • Requires to “create the packets” with types (spike fuzzer style)
  • Also allows to create ""Raw"" packets from parameters, with injection points (quite useful for fuzzing simple protocols)
  • Has a nice console to pause, review and retest any suspect (prompt_toolkit ftw)
  • Allows to skip parameters that cause errors, automatically or with the console
  • Nice print formats for suspect packets (to know exactly what was fuzzed)
  • It saves PoCs as python scripts for you when you mark a test case as a crash
  • Monitor modules to gather information of the target, detecting odd behaviours and marking suspects
  • Restarter modules that will restart the target if the connection is lost (e.g. powering off and on an smart plug)

Protocols implemented

  • LPD (Line Printing Daemon): Fully implemented

Installation

virtualenv venv -p python3
source venv/bin/activate
pip install -r requirements.txt

Help

usage: python -m fuzzowski [-h] [-p {tcp,udp,ssl}] [-b BIND] [-st SEND_TIMEOUT]
                    [-rt RECV_TIMEOUT] [--sleep-time SLEEP_TIME] [-nc] [-tn]
                    [-nr] [-nrf] [-cr]
                    [--threshold-request CRASH_THRESHOLD_REQUEST]
                    [--threshold-element CRASH_THRESHOLD_ELEMENT]
                    [--ignore-aborted] [--ignore-reset] [--error-fuzz-issues]
                    [-c CALLBACK | --file FILENAME] -f
                    {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}
                    [-r FUZZ_REQUESTS [FUZZ_REQUESTS ...]]
                    [--restart module_name [args ...]]
                    [--restart-sleep RESTART_SLEEP_TIME]
                    [--monitors {IPPMon} [{IPPMon} ...]] [--path PATH]
                    [--document_url DOCUMENT_URL]
                    host port

       █      █       
       ████████       
      ██████████      
     ██  ████  ██     
     ██  ████  ██     
    ████      ████    
   █ ████████████ █   
   █  ██████████  █   Fuzzowski Network Fuzzer
   █    █     █   █           🄯  Fuzzers, inc.
       ██     ██       

positional arguments:
  host                  Destination Host
  port                  Destination Port

optional arguments:
  -h, --help            show this help message and exit

Connection Options:
  -p {tcp,udp,ssl}, --protocol {tcp,udp,ssl}
                        Protocol (Default tcp)
  -b BIND, --bind BIND  Bind to port
  -st SEND_TIMEOUT, --send_timeout SEND_TIMEOUT
                        Set send() timeout (Default 5s)
  -rt RECV_TIMEOUT, --recv_timeout RECV_TIMEOUT
                        Set recv() timeout (Default 5s)
  --sleep-time SLEEP_TIME
                        Sleep time between each test (Default 0)
  -nc, --new-conns      Open a new connection after each packet of the same test
  -tn, --transmit-next-node
                        Transmit the next node in the graph of the fuzzed node

RECV() Options:
  -nr, --no-recv        Do not recv() in the socket after each send
  -nrf, --no-recv-fuzz  Do not recv() in the socket after sending a fuzzed request
  -cr, --check-recv     Check that data has been received in recv()

Crashes Options:
  --threshold-request CRASH_THRESHOLD_REQUEST
                        Set the number of allowed crashes in a Request before skipping it (Default 9999)
  --threshold-element CRASH_THRESHOLD_ELEMENT
                        Set the number of allowed crashes in a Primitive before skipping it (Default 3)
  --ignore-aborted      Ignore ECONNABORTED errors
  --ignore-reset        Ignore ECONNRESET errors
  --error-fuzz-issues   Log as error when there is any connection issue in the fuzzed node

Fuzz Options:
  -c CALLBACK, --callback CALLBACK
                        Set a callback address to fuzz with callback generator instead of normal mutations
  --file FILENAME       Use contents of a file for fuzz mutations

Fuzzers:
  -f {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}, --fuzz {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}
                        Available Protocols
  -r FUZZ_REQUESTS [FUZZ_REQUESTS ...], --requests FUZZ_REQUESTS [FUZZ_REQUESTS ...]
                        Requests of the protocol to fuzz, default All
                          dhcp: [opt82]
                          ipp: [http_headers, get_printer_attribs, print_uri_message, send_uri, get_jobs, get_job_attribs]
                          lpd: [long_queue, short_queue, ctrl_file, data_file, remove_job]
                          telnet_cli: [commands]
                          tftp: [read]
                          raw: ['\x01string\n' '\x02request2\x00' ...]

Restart options:
  --restart module_name [args ...]
                        Restarter Modules:
                          run: '<executable> [<argument> ...]' (Pass command and arguments within quotes, as only one argument)
                          smartplug: It will turn off and on the Smart Plug
                          teckin: <PLUG_IP>
  --restart-sleep RESTART_SLEEP_TIME
                        Set sleep seconds after a crash before continue (Default 5)

Monitor options:
  --monitors {IPPMon} [{IPPMon} ...], -m {IPPMon} [{IPPMon} ...]
                        Monitor Modules:
                          IPPMon: Sends a get-attributes IPP message to the target

Other Options:
  --path PATH           Set path when fuzzing HTTP based protocols (Default /)
  --document_url DOCUMENT_URL
                        Set Document URL for print_uri

Examples

Fuzz the get_printer_attribs IPP operation with default options:

python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug

asciicast

Use the raw feature of IPP to fuzz the finger protocol:

python -m fuzzowski printer 79 -f raw -r '{{root}}\n'

asciicast

Use the raw feature of IPP to fuzz the finger protocol, but instead of using the predefined mutations, use a file:

python -m fuzzowski printer 79 -f raw -r '{{root}}\n' --file 'path/to/my/fuzzlist'

Next Steps

  • Recode the whole session and primitive modules (in progress)
  • Add support to L2 protocols (boofuzz has connection modules, but I have not tested them in python3)
  • Add ThreadedMonitors to the session
  • Implement more generic monitors (process, ICMP, ...)
  • Implement more generic restarters (?)
  • Possibility for random mutations (infinite number of tests)
  • Raw packet parsing from a PCAP or hex for quick fuzzing??
  • More protocols!
  • ???
You can’t perform that action at this time.