Other Modules

Test Case Session Reference

class boofuzz.ProtocolSessionReference(name: str, default_value)[source]

Bases: object

Refers to a dynamic value received or generated in the context of an individual test case.

Pass this object as a primitive’s default_value argument, and make sure you set the referred-to value using callbacks, e.g. post_test_case_callbacks (see Session).

  • name (str) – Refers to a test case session key. Must be set in the ProtocolSession by the time the value is required in the protocol definition. See Session.

  • default_value – The default default value, used if the element must be rendered outside the context of a test case, or sometimes for generating mutations.

Test Case Context

class boofuzz.ProtocolSession(session_variables=NOTHING)[source]

Bases: object

Contains a session_variables dictionary used to store data specific to a single fuzzing test case.

Generally, values in session_variables will be set in a callback function, e.g. post_test_case_callbacks (see Session). Variables may be used in a later callback function, or by a ProtocolSessionReference object.


boofuzz.helpers.calculate_four_byte_padding(string, character='\x00')[source]
boofuzz.helpers.crc16(string, value=0)[source]

CRC-16 poly: p(x) = x**16 + x**15 + x**2 + 1

@param string: Data over which to calculate crc. @param value: Initial CRC value.

boofuzz.helpers.format_log_msg(msg_type, description=None, data=None, indent_size=2, timestamp=None, truncated=False, format_type='terminal')[source]
boofuzz.helpers.format_msg(msg, indent_level, indent_size, timestamp=None)[source]

Parses __init__.py for a version string and returns it like ‘v0.0.0’


boofuzz_class (class) – Any boofuzz class in the same dir as the __init__ class.

Return type



Boofuzz version as string


Crazy CTypes magic to do a getsockopt() which determines the max UDP payload size in a platform-agnostic way.

Deprecated since version 0.2.0: Use UDPSocketConnection.max_payload() instead.


The maximum length of a UDP packet the current platform supports

Return type



Returns a hex-formatted string based on s.


s (bytes) – Some string.


Hex-formatted string representing s.

Return type



Render input_bytes as ASCII-encoded hex bytes, followed by a best effort utf-8 rendering.


input_bytes (bytes) – Arbitrary bytes


Printable string

Return type



Convert an IP string to a four-byte bytes.


ip – IP address string, e.g. ‘’

:return 4-byte representation of ip, e.g. b’’ :rtype bytes

:raises ValueError if ip is not a legal IP address.


Return IPv4 checksum of msg. :param msg: Message to compute checksum over. :type msg: bytes


IPv4 checksum of msg.

Return type



Pauses the current thread in a way that can still receive signals like SIGINT from Ctrl+C.

Implementation notes:
  • Linux uses signal.pause()

  • Windows uses a loop that sleeps for 1 ms at a time, allowing signals to interrupt the thread fairly quickly.



Return type


boofuzz.helpers.udp_checksum(msg, src_addr, dst_addr)[source]

Return UDP checksum of msg.

Recall that the UDP checksum involves creating a sort of pseudo IP header. This header requires the source and destination IP addresses, which this function takes as parameters.

If msg is too big, the checksum is undefined, and this method will truncate it for the sake of checksum calculation. Note that this means the checksum will be invalid. This loosey goosey error checking is done to support fuzz tests which at times generate huge, invalid packets.

  • msg (bytes) – Message to compute checksum over.

  • src_addr (bytes) – Source IP address – 4 bytes.

  • dst_addr (bytes) – Destination IP address – 4 bytes.


UDP checksum of msg.

Return type



Convert a binary UUID to human readable string.

@param uuid: bytes representing UUID.


Converts a UUID string to binary form.

Expected string input format is same as uuid_bin_to_str()’s output format.

Ripped from Core Impacket.


uuid (str) – UUID string to convert to bytes.


UUID as bytes.

Return type


IP Constants

This file contains constants for the IPv4 protocol.

Changed in version 0.2.0: ip_constants has been moved into the connections subpackage. The full path is now boofuzz.connections.ip_constants

boofuzz.connections.ip_constants.UDP_MAX_LENGTH_THEORETICAL = 65535

Theoretical maximum length of a UDP packet, based on constraints in the UDP packet format. WARNING! a UDP packet cannot actually be this long in the context of IPv4!

boofuzz.connections.ip_constants.UDP_MAX_PAYLOAD_IPV4_THEORETICAL = 65507

Theoretical maximum length of a UDP payload based on constraints in the UDP and IPv4 packet formats. WARNING! Some systems may set a payload limit smaller than this.


Boofuzz provides an RPC primitive to host monitors on remote machines. The main boofuzz instance acts as a client that connects to (remotely) running RPC server instances, transparently calling functions that are called on the instance of the client on the server instance and returning their result as a python object. As a general rule, data that’s passed over the RPC interface needs to be able to be pickled.

Note that PED-RPC provides no authentication or authorization in any form. It is advisable to only run it on trusted networks.

class boofuzz.monitors.pedrpc.Client(host, port)[source]

Bases: object


Override this Method in a child class to be notified when the RPC server was restarted.

class boofuzz.monitors.pedrpc.Server(host, port)[source]

Bases: object

The main PED-RPC Server class. To implement an RPC server, inherit from this class. Call serve_forever to start listening for RPC commands.



boofuzz.utils.dcerpc.bind(uuid, version)[source]

Generate the data necessary to bind to the specified interface.


Ensure the data is a bind ack and that the

boofuzz.utils.dcerpc.request(opnum, data)[source]

Return a list of packets broken into 5k fragmented chunks necessary to make the RPC request.

Crash binning

@author: Pedram Amini @license: GNU General Public License 2.0 or later @contact: pedram.amini@gmail.com @organization: www.openrce.org

class boofuzz.utils.crash_binning.CrashBinStruct[source]

Bases: object

class boofuzz.utils.crash_binning.CrashBinning[source]

Bases: object

@todo: Add MySQL import/export.

bins = {}

For the supplied crash, generate and return a report containing the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind. If not crash is specified, then call through to last_crash_synopsis() which returns the same information for the last recorded crash.

@see: crash_synopsis()

@type crash: CrashBinStruct @param crash: (Optional, def=None) Crash object to generate report on

@rtype: str @return: Crash report


Dump the entire object structure to disk.

@see: import_file()

@type file_name: str @param file_name: File name to export to

@rtype: CrashBinning @return: self


Load the entire object structure from disk.

@see: export_file()

@type file_name: str @param file_name: File name to import from

@rtype: CrashBinning @return: self

last_crash = None

For the last recorded crash, generate and return a report containing the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind.

@see: crash_synopsis()

@rtype: String @return: Crash report

pydbg = None
record_crash(pydbg, extra=None)[source]

Given a PyDbg instantiation that at the current time is assumed to have “crashed” (access violation for example) record various details such as the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind. Store the recorded data in an internal dictionary, binning them by the exception address.

@type pydbg: pydbg @param pydbg: Instance of pydbg @type extra: Mixed @param extra: (Optional, Def=None) Whatever extra data you want to store with this bin


class boofuzz.event_hook.EventHook[source]

Bases: object

An EventHook that registers events using +=and -=.

Based on spassig’s solution here: http://stackoverflow.com/a/1094423/461834

fire(*args, **kwargs)[source]

Call each event handler in sequence.

@param args: Forwarded to event handler. @param kwargs: Forwarded to event handler.

@return: None