Other Modules
Test Case Session Reference
- class boofuzz.ProtocolSessionReference(name: str, default_value)[source]
Bases:
object
Refers to a dynamic value received or generated in the context of an individual test case.
Pass this object as a primitive’s
default_value
argument, and make sure you set the referred-to value using callbacks, e.g.post_test_case_callbacks
(seeSession
).- Parameters:
name (str) – Refers to a test case session key. Must be set in the
ProtocolSession
by the time the value is required in the protocol definition. SeeSession
.default_value – The default value, used if the element must be rendered outside the context of a test case, or sometimes for generating mutations.
Test Case Context
- class boofuzz.ProtocolSession(session_variables=_Nothing.NOTHING, previous_message=None, current_message=None)[source]
Bases:
object
Contains a
session_variables
dictionary used to store data specific to a single fuzzing test case.Generally, values in
session_variables
will be set in a callback function, e.g.post_test_case_callbacks
(seeSession
). Variables may be used in a later callback function, or by aProtocolSessionReference
object.
Helpers
- boofuzz.helpers.crc16(string, value=0)[source]
CRC-16 poly: p(x) = x**16 + x**15 + x**2 + 1
@param string: Data over which to calculate crc. @param value: Initial CRC value.
- boofuzz.helpers.format_log_msg(msg_type, description=None, data=None, indent_size=2, timestamp=None, truncated=False, format_type='terminal')[source]
- boofuzz.helpers.get_boofuzz_version()[source]
Gets the currently installed boofuzz version
- Return type:
str
- Returns:
Boofuzz version as string
- boofuzz.helpers.get_max_udp_size()[source]
Crazy CTypes magic to do a getsockopt() which determines the max UDP payload size in a platform-agnostic way.
Deprecated since version 0.2.0: Use
UDPSocketConnection.max_payload()
instead.- Returns:
The maximum length of a UDP packet the current platform supports
- Return type:
int
- boofuzz.helpers.hex_str(s)[source]
Returns a hex-formatted string based on s.
- Parameters:
s (bytes) – Some string.
- Returns:
Hex-formatted string representing s.
- Return type:
str
- boofuzz.helpers.hex_to_hexstr(input_bytes)[source]
Render input_bytes as ASCII-encoded hex bytes, followed by a best effort utf-8 rendering.
- Parameters:
input_bytes (bytes) – Arbitrary bytes
- Returns:
Printable string
- Return type:
str
- boofuzz.helpers.ip_str_to_bytes(ip)[source]
Convert an IP string to a four-byte bytes.
- Parameters:
ip – IP address string, e.g. ‘127.0.0.1’
:return 4-byte representation of ip, e.g. b’’ :rtype bytes
:raises ValueError if ip is not a legal IP address.
- boofuzz.helpers.ipv4_checksum(msg)[source]
Return IPv4 checksum of msg. :param msg: Message to compute checksum over. :type msg: bytes
- Returns:
IPv4 checksum of msg.
- Return type:
int
- boofuzz.helpers.mkdir_safe(directory_name, file_included=False)[source]
Creates directory_name and subdirectories. If file_included is true, removes final element of the path
- boofuzz.helpers.parse_test_case_name(test_case)[source]
Parse a test case name into a message path and a list of mutation names.
Example
Input: “message1:[message1.first_byte:2, message1.second_byte:1, message1.third_byte:2]” Output: [“message1”], [“message1.first_byte:2”, “message1.second_byte:1”, “message1.third_byte:2”]
- Returns:
A message path (list of message names) and a list of mutation names.
- boofuzz.helpers.pause_for_signal()[source]
Pauses the current thread in a way that can still receive signals like SIGINT from Ctrl+C.
- Implementation notes:
Linux uses signal.pause()
Windows uses a loop that sleeps for 1 ms at a time, allowing signals to interrupt the thread fairly quickly.
- Returns:
None
- Return type:
None
- boofuzz.helpers.udp_checksum(msg, src_addr, dst_addr)[source]
Return UDP checksum of msg.
Recall that the UDP checksum involves creating a sort of pseudo IP header. This header requires the source and destination IP addresses, which this function takes as parameters.
If msg is too big, the checksum is undefined, and this method will truncate it for the sake of checksum calculation. Note that this means the checksum will be invalid. This loosey goosey error checking is done to support fuzz tests which at times generate huge, invalid packets.
- Parameters:
msg (bytes) – Message to compute checksum over.
src_addr (bytes) – Source IP address – 4 bytes.
dst_addr (bytes) – Destination IP address – 4 bytes.
- Returns:
UDP checksum of msg.
- Return type:
int
IP Constants
This file contains constants for the IPv4 protocol.
Changed in version 0.2.0: ip_constants has been moved into the connections subpackage. The full path is now boofuzz.connections.ip_constants
- boofuzz.connections.ip_constants.UDP_MAX_LENGTH_THEORETICAL = 65535
Theoretical maximum length of a UDP packet, based on constraints in the UDP packet format. WARNING! a UDP packet cannot actually be this long in the context of IPv4!
- boofuzz.connections.ip_constants.UDP_MAX_PAYLOAD_IPV4_THEORETICAL = 65507
Theoretical maximum length of a UDP payload based on constraints in the UDP and IPv4 packet formats. WARNING! Some systems may set a payload limit smaller than this.
PED-RPC
Boofuzz provides an RPC primitive to host monitors on remote machines. The main boofuzz instance acts as a client that connects to (remotely) running RPC server instances, transparently calling functions that are called on the instance of the client on the server instance and returning their result as a python object. As a general rule, data that’s passed over the RPC interface needs to be able to be pickled.
Note that PED-RPC provides no authentication or authorization in any form. It is advisable to only run it on trusted networks.
DCE-RPC
Crash binning
@author: Pedram Amini @license: GNU General Public License 2.0 or later @contact: pedram.amini@gmail.com @organization: www.openrce.org
- class boofuzz.utils.crash_binning.CrashBinning[source]
Bases:
object
@todo: Add MySQL import/export.
- bins = {}
- crash_synopsis(crash=None)[source]
For the supplied crash, generate and return a report containing the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind. If not crash is specified, then call through to last_crash_synopsis() which returns the same information for the last recorded crash.
@see: crash_synopsis()
@type crash: CrashBinStruct @param crash: (Optional, def=None) Crash object to generate report on
@rtype: str @return: Crash report
- export_file(file_name)[source]
Dump the entire object structure to disk.
@see: import_file()
@type file_name: str @param file_name: File name to export to
@rtype: CrashBinning @return: self
- import_file(file_name)[source]
Load the entire object structure from disk.
@see: export_file()
@type file_name: str @param file_name: File name to import from
@rtype: CrashBinning @return: self
- last_crash = None
- last_crash_synopsis()[source]
For the last recorded crash, generate and return a report containing the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind.
@see: crash_synopsis()
@rtype: String @return: Crash report
- pydbg = None
- record_crash(pydbg, extra=None)[source]
Given a PyDbg instantiation that at the current time is assumed to have “crashed” (access violation for example) record various details such as the disassemly around the violating address, the ID of the offending thread, the call stack and the SEH unwind. Store the recorded data in an internal dictionary, binning them by the exception address.
@type pydbg: pydbg @param pydbg: Instance of pydbg @type extra: Mixed @param extra: (Optional, Def=None) Whatever extra data you want to store with this bin
EventHook
- class boofuzz.event_hook.EventHook[source]
Bases:
object
An EventHook that registers events using +=and -=.
Based on spassig’s solution here: http://stackoverflow.com/a/1094423/461834