Can I use boofuzz for file format fuzzing?


chandnib...@gmail.com

Jan 5, 2020, 12:45:59 PM
to boofuzz
Hi,
I am looking for examples of file format fuzzing with boofuzz and/or want to know if it can be used for file based fuzzing.

I started writing some code for this purpose. I implemented a custom class ExecuteFileConnection(itarget_connection.ITargetConnection) that overrides the boofuzz.itarget_connection class methods. Currently my code is just printing out fuzz data. I want to save the fuzz data to a file since my program reads from a file.
Here is a copy of my program:

#!/usr/bin/env python
# Designed for use with boofuzz v0.0.8
import subprocess
import time

from boofuzz import *
from boofuzz import itarget_connection


class ExecuteFileConnection(itarget_connection.ITargetConnection):

    def __init__(self, executable_path):
        print('*** init')
        self.executable_path = executable_path
        self.proc = None

    def close(self):
        print('*** close')
        # poll() returns None only while the process is still running
        if self.proc and self.proc.poll() is None:
            self.proc.kill()

    def open(self):
        print('*** open')

    def recv(self, max_bytes):
        print('*** recv')
        if self.proc:
            while self.proc.poll() is None:
                # subprocess is still alive, wait for it to finish
                time.sleep(1)
            o, e = self.proc.communicate()
            return o
        return b""

    def send(self, data):
        # currently only prints the fuzz case instead of writing it to a file
        print('*** send: {}'.format(data))

    @property
    def info(self):
        return self.executable_path


def recordlength(str):
    return str


def main():

    session = Session(
        target=Target(
            connection=ExecuteFileConnection("lz4")))

    s_initialize("lz4_frame")

    # LZ4 frame magic number 0x184D2204, little-endian
    s_static(b"\x04\x22\x4D\x18")

    # FLG byte (fuzzable takes a bool, not the string "True")
    s_bit_field(0, name="Dict_ID", width=1, fuzzable=True)
    s_bit_field(0, name="Reserved", width=1, fuzzable=True)
    s_bit_field(0, name="Content_checksum_flag", width=1, fuzzable=True)
    s_bit_field(0, name="Content_size_flag", width=1, fuzzable=True)
    s_bit_field(0, name="Block_checksum_flag", width=1, fuzzable=True)
    s_bit_field(0, name="Block_independence_flag", width=1, fuzzable=True)
    s_bit_field(0, name="Version_Number", width=2, fuzzable=True)

    # BD byte
    s_bit_field(0, name="Reserved1", width=4, fuzzable=True)
    s_bit_field(0, name="Block_MaxSize", width=3, fuzzable=True)
    s_bit_field(0, name="Reserved2", width=1, fuzzable=True)

    s_byte(0, name="Checksum", fuzzable=True)
    # the size field refers to the primitive named "data" defined below
    s_size("data", length=4, endian="<", fuzzable=True)
    s_string("data", name="data")

    session.connect(s_get("lz4_frame"))

    request = s_get("lz4_frame")

    session.fuzz()


if __name__ == "__main__":
    main()


Any help with this is highly appreciated.

Thank you,
Chandni Bhowmik

Joshua Pereyda

Jan 21, 2020, 11:05:54 AM
to boofuzz
It looks like you are a good bit of the way there. For send, I would do something like:

    def send(self, data):
        with open(self.target_filename, "wb") as f:
            f.write(data)

And modify your __init__ function to take a file name and set self.target_filename.

For recv, a file format fuzzer has no real way to receive. This will be fine since you just have the one message. In the Session constructor, I would add receive_data_after_each_request=False.


I haven't tested it but that's the general idea.

Joshua Pereyda

Jan 21, 2020, 11:07:49 AM
to boofuzz
You would probably also open the executable within send -- using the subprocess module.

I don't think you'd want all the code you have in recv, unless you're attempting to read the stdout channel from the process.
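As an added example, not code from this thread, here is the connection class written out along the lines Joshua describes: send() writes the case to a file and then runs the target on it with subprocess, recv() just hands back the captured stdout, and the exit status is kept so that a signal death or a hang shows up as a crash. The class name, the crashed() helper and the use of python itself as a stand-in target in demo() are my own choices; the import fallback is only there so the class can be tried without boofuzz installed.

```python
import os, subprocess, sys, tempfile

try:
    from boofuzz.itarget_connection import ITargetConnection
except ImportError:  # lets the class be exercised where boofuzz is not installed
    ITargetConnection = object

class FileTargetConnection(ITargetConnection):
    # Write each fuzz case to a file, run the target on it and record the outcome.
    def __init__(self, command, target_filename, timeout=10):
        self.command = list(command)          # e.g. ["lz4", "-d", "-f"]
        self.target_filename = target_filename
        self.timeout = timeout
        self.last_returncode = 0              # exit status of the last run; None = hang
        self.last_stdout = b""
    def open(self):
        pass                                  # the file is (re)created in send()
    def close(self):
        pass

    def send(self, data):
        with open(self.target_filename, "wb") as f:
            f.write(data)
        try:
            proc = subprocess.run(self.command + [self.target_filename], timeout=self.timeout,
                                  stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            self.last_returncode, self.last_stdout = proc.returncode, proc.stdout
        except subprocess.TimeoutExpired:     # a hang is worth flagging as well
            self.last_returncode, self.last_stdout = None, b""
        return len(data)

    def recv(self, max_bytes):
        return self.last_stdout[:max_bytes]   # nothing to receive; expose stdout instead

    @property
    def info(self):
        return "file target: " + " ".join(self.command)

    def crashed(self):
        # Negative exit status: killed by a signal (SIGSEGV, SIGABRT, ...).
        return self.last_returncode is None or self.last_returncode < 0

def demo():
    # Python itself stands in for the target so the class runs anywhere.
    path = os.path.join(tempfile.mkdtemp(), "case.lz4")
    reader = [sys.executable, "-c", "import sys; print(len(open(sys.argv[1], 'rb').read()), end='')"]
    ok = FileTargetConnection(reader, path)
    ok.send(b"\x04\x22\x4d\x18\x00\x00\x00")  # constructed 7-byte case
    bad = FileTargetConnection([sys.executable, "-c", "import os; os.abort()"], path)
    bad.send(b"\x04\x22\x4d\x18")
    return ok.last_returncode, ok.recv(8), ok.crashed(), bad.crashed()
```

With boofuzz installed, pass an instance as Target(connection=...) and set receive_data_after_each_request=False on the Session, as suggested above.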