Send generic UDP


mayhew...@gmail.com

Jun 29, 2018, 9:22:35 PM
to boofuzz
Hello, I am trying to fuzz a TFTP server as part of an exploitation course I am taking which utilizes an old/unsupported fuzzer. I wanted to use a modern fuzzer that is supported instead of learning an old one, so I chose boofuzz after researching what others suggested.

I am new to fuzzers in general, but have done some preliminary research and watched the Defcon talk the creator gave on this. The TCP makes sense to me and I can recreate that no problem; however, I have found little if anything regarding fuzzing UDP protocols. I have dug through the documentation, and there is definitely UDP support, but the usage is unclear and I am getting errors. Similarly, I have done many "intelligent" Google searches to find examples online of TFTP fuzzing, or even UDP fuzzing. I have yet to find anything useful -- does anyone have experience with this? The examples given in the Defcon talk were great and made sense, but it didn't touch on UDP.

Thanks for your help!

L3m0ns

Jun 29, 2018, 9:29:04 PM
to boofuzz
Hmmm, I had the bind parameter as bind=("127.0.0.1",17999). I changed it to 0.0.0.0 and that worked OK.

Still, there would be much benefit if there were more tutorials out there (nudge nudge to the masters) -- maybe I'll write one when I get more comfortable with it!

Joshua Pereyda

Jun 29, 2018, 10:11:50 PM
to boofuzz
Thanks for the question and for posting your solution for future readers! Feel free to post an excerpt showing the code you use to make a UDP connection.

I don't quite understand why your solution worked, but I'm glad it's working now.

mayhew...@gmail.com

Jun 30, 2018, 11:31:43 AM
to boofuzz
Yes, it would make sense to post my code! I believe the 127.0.0.1 may have failed due to the VPN connection. I had not verified the actual crash yesterday, so I know this is working now:

#!/usr/bin/env python
## A simple tftp fuzzer and whatnot
from boofuzz import *
import time


def main():
    sesh = Session(
        sleep_time=1,
        target=Target(
            # UDP target on port 69; the local bind address of 0.0.0.0 is what
            # ended up working here where 127.0.0.1 did not
            connection=SocketConnection("[target]", 69, proto='udp', bind=('0.0.0.0', 17999))
        ),
    )

    # TFTP request layout (RFC 1350): opcode | filename | NUL | mode | NUL
    s_initialize('get')
    s_binary('0002')        # two-byte opcode 0x0002 (WRQ in RFC 1350; RRQ is 0x0001)
    s_string('file.txt')    # filename, fuzzed by boofuzz
    s_binary('00')          # NUL terminator
    s_string('netascii')    # transfer mode, fuzzed by boofuzz
    s_binary('00')          # NUL terminator

    sesh.connect(s_get('get'))
    sesh.fuzz()


if __name__ == "__main__":
    main()
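The request layout that the script above describes to boofuzz, and the strict parsing a TFTP server front end should apply to datagrams shaped like the mutations a fuzzer derives from it, as an added example that is neither boofuzz code nor the poster's. It uses only the Python standard library; the function names, the 512-byte datagram cap and the 255-byte filename cap are assumptions for this example (RFC 1350 sets no filename length), and the sample datagrams are constructed.

```python
#!/usr/bin/env python3
"""Build and strictly parse TFTP request datagrams (RFC 1350).

Added example, not boofuzz code. The size limits below are assumptions
chosen for the example; RFC 1350 itself sets no filename length cap.
"""
import struct

RRQ, WRQ = 1, 2                      # read request / write request opcodes
VALID_MODES = {"netascii", "octet", "mail"}
MAX_REQUEST_LEN = 512                # assumption: classic TFTP block size
MAX_FILENAME_LEN = 255               # assumption: typical filesystem limit


class TftpFormatError(ValueError):
    """Raised when a datagram is not a well formed RRQ/WRQ."""


def build_request(opcode, filename, mode="netascii"):
    """Encode opcode (2 bytes, big endian) | filename NUL | mode NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ (1) or WRQ (2)")
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(datagram):
    """Return (opcode, filename, mode) or raise TftpFormatError.

    Each check corresponds to a field the boofuzz script mutates: the
    opcode, the filename string, the NUL terminators and the mode string.
    """
    if len(datagram) > MAX_REQUEST_LEN:
        raise TftpFormatError("datagram longer than %d bytes" % MAX_REQUEST_LEN)
    if len(datagram) < 2:
        raise TftpFormatError("too short to carry an opcode")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (RRQ, WRQ):
        raise TftpFormatError("opcode %d is not a request" % opcode)
    fields = datagram[2:].split(b"\x00")
    # "file\0mode\0" splits into [file, mode, b""]; fewer parts means a
    # terminator is missing, more means bytes follow the mode (RFC 2347
    # options, which this example deliberately does not accept).
    if len(fields) < 3:
        raise TftpFormatError("missing NUL terminator")
    if fields[2:] != [b""]:
        raise TftpFormatError("unexpected bytes after the mode field")
    raw_name, raw_mode = fields[0], fields[1]
    if not raw_name:
        raise TftpFormatError("empty filename")
    if len(raw_name) > MAX_FILENAME_LEN:
        raise TftpFormatError("filename longer than %d bytes" % MAX_FILENAME_LEN)
    try:
        filename = raw_name.decode("ascii")
        mode = raw_mode.decode("ascii").lower()   # mode is case-insensitive
    except UnicodeDecodeError:
        raise TftpFormatError("non-ASCII bytes in filename or mode") from None
    if mode not in VALID_MODES:
        raise TftpFormatError("unknown transfer mode %r" % mode)
    return opcode, filename, mode


def triage(datagrams):
    """Run the parser over a list of datagrams and return one verdict each.

    A server front end logs the rejection reason and drops the datagram
    instead of crashing, which is what a fuzzing run is checking for.
    """
    verdicts = []
    for data in datagrams:
        try:
            opcode, filename, mode = parse_request(data)
            kind = "RRQ" if opcode == RRQ else "WRQ"
            verdicts.append("accepted %s %s (%s)" % (kind, filename, mode))
        except TftpFormatError as err:
            verdicts.append("rejected: %s" % err)
    return verdicts


# Constructed sample datagrams: the first is the base case the boofuzz
# script sends; the rest resemble the mutations a fuzzer derives from it.
SAMPLES = [
    b"\x00\x02file.txt\x00netascii\x00",              # the script's base request
    b"\x00\x01file.txt\x00octet\x00",                 # same layout as a read request
    b"\x00\x02file.txt\x00netascii",                  # mode terminator stripped
    b"\x00\x02" + b"A" * 600 + b"\x00netascii\x00",   # oversized filename
    b"\x00\x09file.txt\x00netascii\x00",              # opcode outside RFC 1350
    b"\x00\x02file.txt\x00netascii\x00\x00garbage",   # trailing bytes
]

if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```

Running the file prints one verdict per constructed datagram; only the first two are accepted, and each rejected one names the field that failed, which is the behaviour to look for in a target's logs while the fuzzer runs.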


