Hi,
I fuzzed routers/firewalls in the past and my approach was to implement everything in Python from scratch. I'd like to know if boofuzz would have been useful and if I could port what I did to boofuzz in order to have a more generic fuzzer (and maybe contribute to it!)
My original fuzzer does the following:
1) Detecting whether the target is still alive or has crashed
- a) Using an ARP request (Scapy arping())
- b) Or instrumenting a serial line and looking for crash dump patterns
2) If the target previously crashed, detect the device has finished rebooting by sniffing for a gratuitous ARP packet (raw socket) – so we can restart the fuzzing
3) Generation: depends on the protocol
- a) Scapy for SNMP
- b) XML samples for XML-based protocols
- c) Use an external generator like AFL, domato, etc.: anything that can generate packets into a file for the protocol I am targeting
4) Mutation: depends on the protocol
- a) Take n random bytes and change their values randomly (e.g. SNMP)
- b) Use radamsa (e.g. XML)
- c) No mutation if I take them from files I generated with AFL, domato, etc.
My question is: can I do all steps with boofuzz? And what needs to be added to boofuzz to make it happen?
Thanks for your pointers,
said.
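An added example (not code from the post or from boofuzz) of steps 1b and 2 in plain Python, so the checks can be wired into any fuzzer's target monitor: a gratuitous-ARP detector over raw Ethernet frames and a crash-pattern scanner for serial-console output. The frames, console text, MAC/IP values and crash patterns are constructed sample data.

```python
import re
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Encode an Ethernet/IPv4 ARP frame (used here only to build the sample capture)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, _smac, sip, _tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, socket.inet_ntoa(sip), socket.inet_ntoa(tip)

def is_gratuitous_arp(frame, device_ip):
    """A gratuitous ARP from the device announces its own address: sender IP == target IP."""
    parsed = parse_arp(frame)
    return parsed is not None and parsed[1] == parsed[2] == device_ip

def device_rebooted(frames, device_ip):
    """True once any captured frame is a gratuitous ARP from the device under test."""
    return any(is_gratuitous_arp(f, device_ip) for f in frames)

# Crash-dump patterns typical of embedded consoles; extend per target (constructed list).
CRASH_PATTERNS = [re.compile(p, re.I) for p in
                  (r"kernel panic", r"data abort", r"prefetch abort", r"\bOops\b", r"Call Trace:")]

def find_crash_signature(console_output):
    """Return the first serial-console line matching a crash pattern, else None."""
    for line in console_output.splitlines():
        if any(p.search(line) for p in CRASH_PATTERNS):
            return line.strip()
    return None

# Constructed sample data: a normal ARP request, an IPv4 frame, then the device's gratuitous ARP.
DEVICE_MAC, DEVICE_IP = b"\x00\x11\x22\x33\x44\x55", "192.0.2.1"
SAMPLE_FRAMES = [
    build_arp_frame(1, b"\x00\xaa\xbb\xcc\xdd\xee", "192.0.2.10", b"\x00" * 6, DEVICE_IP),
    BROADCAST + DEVICE_MAC + struct.pack("!H", 0x0800) + b"\x00" * 28,
    build_arp_frame(1, DEVICE_MAC, DEVICE_IP, b"\x00" * 6, DEVICE_IP),
]
SAMPLE_CONSOLE = "U-Boot 2016.03\nLoading kernel...\nData abort at 0xdeadbeef\nRebooting...\n"

if __name__ == "__main__":
    print("rebooted:", device_rebooted(SAMPLE_FRAMES, DEVICE_IP))  # rebooted: True
    print("crash:", find_crash_signature(SAMPLE_CONSOLE))          # crash: Data abort at 0xdeadbeef
```

In a live harness the frames would come from a raw socket bound to the interface facing the device, and the console text from the serial port read buffer.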