Other Modules


class boofuzz.event_hook.EventHook[source]

Bases: object

An EventHook that registers events using +=and -=.

Based on spassig’s solution here: http://stackoverflow.com/a/1094423/461834

fire(*args, **kwargs)[source]

Call each event handler in sequence.

@param args: Forwarded to event handler. @param kwargs: Forwarded to event handler.

@return: None


boofuzz.helpers.calculate_four_byte_padding(string, character=u'\x00')[source]
boofuzz.helpers.crc16(string, value=0)[source]

CRC-16 poly: p(x) = x**16 + x**15 + x**2 + 1

@param string: Data over which to calculate crc. @param value: Initial CRC value.

boofuzz.helpers.format_log_msg(msg_type, description=None, data=None, indent_size=2, timestamp=None, truncated=False, format_type=u'terminal')[source]
boofuzz.helpers.format_msg(msg, indent_level, indent_size, timestamp=None)[source]

Parses __init__.py for a version string and returns it like ‘v0.0.0’

Parameters:boofuzz_class (class) – Any boofuzz class in the same dir as the __init__ class.
Return type:str
Returns:Boofuzz version as string

Crazy CTypes magic to do a getsockopt() which determines the max UDP payload size in a platform-agnostic way.

@rtype: long @return: The maximum length of a UDP packet the current platform supports

Returns a hex-formatted string based on s.

Parameters:s (bytes) – Some string.
Returns:Hex-formatted string representing s.
Return type:str

Render input_bytes as ASCII-encoded hex bytes, followed by a best effort utf-8 rendering.

Parameters:input_bytes (bytes) – Arbitrary bytes
Returns:Printable string
Return type:str

Convert an IP string to a four-byte bytes.

Parameters:ip – IP address string, e.g. ‘’

:return 4-byte representation of ip, e.g. b’’ :rtype bytes

:raises ValueError if ip is not a legal IP address.


Return IPv4 checksum of msg. :param msg: Message to compute checksum over. :type msg: bytes

Returns:IPv4 checksum of msg.
Return type:int

Pauses the current thread in a way that can still receive signals like SIGINT from Ctrl+C.

Implementation notes:
  • Linux uses signal.pause()
  • Windows uses a loop that sleeps for 1 ms at a time, allowing signals to interrupt the thread fairly quickly.
Return type:None
boofuzz.helpers.udp_checksum(msg, src_addr, dst_addr)[source]

Return UDP checksum of msg.

Recall that the UDP checksum involves creating a sort of pseudo IP header. This header requires the source and destination IP addresses, which this function takes as parameters.

If msg is too big, the checksum is undefined, and this method will truncate it for the sake of checksum calculation. Note that this means the checksum will be invalid. This loosey goosey error checking is done to support fuzz tests which at times generate huge, invalid packets.

  • msg (bytes) – Message to compute checksum over.
  • src_addr (bytes) – Source IP address – 4 bytes.
  • dst_addr (bytes) – Destination IP address – 4 bytes.

UDP checksum of msg.

Return type:



Convert a binary UUID to human readable string.

@param uuid: bytes representing UUID.


Converts a UUID string to binary form.

Expected string input format is same as uuid_bin_to_str()’s output format.

Ripped from Core Impacket.

@param uuid: UUID string to convert to bytes.


class boofuzz.instrumentation.External(pre=None, post=None, start=None, stop=None)[source]

External instrumentation class Monitor a target which doesn’t support a debugger, allowing external commands to be called


Check if this script is alive. Always True.


Print a debug mesage.


Return the last recorded crash synopsis.

@rtype: String @return: Synopsis of last recorded crash.


This routine is called after the fuzzer transmits a test case and returns the status of the target.

@rtype: Boolean @return: Return True if the target is still active, False otherwise.


This routine is called before the fuzzer transmits a test case and ensure the target is alive.

@type test_number: Integer @param test_number: Test number.


Start up the target. Called when post_send failed. Returns success of failure of the action If no method defined, false is returned


Stop the target.

IP Constants

This file contains constants for the IPv4 protocol.

boofuzz.ip_constants.UDP_MAX_LENGTH_THEORETICAL = 65535

Theoretical maximum length of a UDP packet, based on constraints in the UDP packet format. WARNING! a UDP packet cannot actually be this long in the context of IPv4!

boofuzz.ip_constants.UDP_MAX_PAYLOAD_IPV4_THEORETICAL = 65507

Theoretical maximum length of a UDP payload based on constraints in the UDP and IPv4 packet formats. WARNING! Some systems may set a payload limit smaller than this.


class boofuzz.pedrpc.Client(host, port)[source]

Bases: object

class boofuzz.pedrpc.Server(host, port)[source]

Bases: object



boofuzz.utils.dcerpc.bind(uuid, version)[source]

Generate the data necessary to bind to the specified interface.


Ensure the data is a bind ack and that the

boofuzz.utils.dcerpc.request(opnum, data)[source]

Return a list of packets broken into 5k fragmented chunks necessary to make the RPC request.

Crash binning

@author: Pedram Amini @license: GNU General Public License 2.0 or later @contact: pedram.amini@gmail.com @organization: www.openrce.org

class boofuzz.utils.crash_binning.CrashBinStruct[source]
class boofuzz.utils.crash_binning.CrashBinning[source]

@todo: Add MySQL import/export.

bins = {}

For the supplied crash, generate and return a report containing the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind. If not crash is specified, then call through to last_crash_synopsis() which returns the same information for the last recorded crash.

@see: crash_synopsis()

@type crash: CrashBinStruct @param crash: (Optional, def=None) Crash object to generate report on

@rtype: str @return: Crash report


Dump the entire object structure to disk.

@see: import_file()

@type file_name: str @param file_name: File name to export to

@rtype: CrashBinning @return: self


Load the entire object structure from disk.

@see: export_file()

@type file_name: str @param file_name: File name to import from

@rtype: CrashBinning @return: self

last_crash = None

For the last recorded crash, generate and return a report containing the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind.

@see: crash_synopsis()

@rtype: String @return: Crash report

pydbg = None
record_crash(pydbg, extra=None)[source]

Given a PyDbg instantiation that at the current time is assumed to have “crashed” (access violation for example) record various details such as the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind. Store the recorded data in an internal dictionary, binning them by the exception address.

@type pydbg: pydbg @param pydbg: Instance of pydbg @type extra: Mixed @param extra: (Optional, Def=None) Whatever extra data you want to store with this bin