Is it possible to fuzz RIP with boofuzz?
entroychang opened this issue · 3 comments
Well ... since the RIP protocol uses UDP packets to communicate, I'm not sure that boofuzz is able to detect a "crash".
from boofuzz import *
def post_test_callback(target, fuzz_data_logger, session, sock, *args, **kwargs):
    """Print a separator line after each test case.

    Written for boofuzz's post-test-case callback slot: every argument the
    framework passes is accepted, but only a separator is printed.  A
    ``target.recv(...)`` was tried here and left disabled in the original
    draft, so nothing is read back from the target.
    """
    separator = "=" * 20
    print(separator)
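def main(host="192.168.105.134", port=520):
    """Fuzz a single RIPv2 request against ``host``:``port`` over UDP.

    Args:
        host: address of the RIP speaker under test.
        port: UDP port of the RIP service (520 is the RIP port).

    The request is one RIP header followed by one route entry.  Every field
    is declared ``endian=BIG_ENDIAN`` because the RIP wire format is
    big-endian while boofuzz primitives default to little-endian; the draft
    worked around that only for AFI/route tag (0x0200/0x0100) and still sent
    the address and metric byte-reversed.  boofuzz cannot notice a crashed
    UDP service on its own (a datagram send succeeds whether or not anything
    listens), so a separate liveness probe is needed to detect one.
    """
    session = Session(
        target=Target(
            connection=UDPSocketConnection(host=host, port=port),
        ),
    )

    fuzzable = True
    s_initialize(name="RIP")
    if s_block_start("RIP_BLOCK"):
        # Header: command, version, two reserved bytes.  Command 0 is not a
        # defined RIP command (1 = request, 2 = response); the follow-up
        # script in this thread uses 0x01.
        s_byte(0x00, name='COM', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_byte(0x02, name='Ver', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_word(0x0000, name='RD', endian=BIG_ENDIAN, fuzzable=fuzzable)
        # Route entry: AFI 2 (IPv4), route tag 1, address (192.168.105.134,
        # kept hard-coded as in the draft), subnet mask, next hop, metric.
        # 'mertic' is kept (sic) so the field name matches existing logs.
        s_word(0x0002, name='AFI', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_word(0x0001, name='RT', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0xc0a86986, name='IP', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0x00000000, name='SM', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0x00000000, name='NH', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0x1, name='mertic', endian=BIG_ENDIAN, fuzzable=fuzzable)
    s_block_end("RIP_BLOCK")

    # connect() returns the created edge; the draft stored it unused.
    session.connect(s_get("RIP"))
    session.fuzz()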
if __name__ == '__main__':
    # Start fuzzing only when executed as a script, not on import.
    main()
I'm pretty sure I send a correct packet using the code above.
Is it possible to fuzz RIP with boofuzz?
It's a tough time ;´༎ຶД༎ຶ`
Sorry for the delayed answer.
What exactly is the problem you're facing? Your script looks fine at first sight.
Did you use Wireshark to verify your packets are valid?
Well ... the main problem I face is how to detect whether the RIP server has crashed or not. However, it is impossible to detect that with boofuzz alone, since RIP runs over UDP and there is no connection whose loss would signal a crash.
In fact, my partner and I solved the problem a few weeks ago. As a liveness check we send a normal RIP request using scapy, because a running RIP server will respond to it. The code is as follows:
from boofuzz import *
import os
import time
from scapy.all import IP, UDP, RIP, RIPEntry, sr1
# Fuzzing target and the local UDP endpoint boofuzz binds to.
target_host = "192.168.40.101"
target_port = 520
# local (host, port).  NOTE(review): 0.0.0.0 binds on every interface; giving
# the lab interface's own address instead keeps the socket off other networks.
local_bind = ("0.0.0.0", target_port)
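def check_live(host, port, timeout=10):
    """Return True if a RIP speaker at ``host``:``port`` answers a request.

    Sends one RIPv2 request (command 1) carrying a single entry for ``host``
    and waits up to ``timeout`` seconds for a RIP response (command 2).
    Meant as a liveness probe between fuzz cases, because boofuzz cannot
    tell by itself whether a UDP service has died.

    Args:
        host: address of the RIP speaker.
        port: UDP port of the RIP service; also used as the source port so
            the reply is addressed back to it.
        timeout: seconds to wait for a reply (passed to ``sr1``).

    Returns:
        True when a RIP response arrives in time; False on timeout, on a
        reply that carries no RIP layer, or on a send/receive error.  Errors
        are printed rather than raised so the fuzz loop keeps running.
    """
    probe = (
        IP(dst=host)
        / UDP(dport=port, sport=port)
        / RIP(cmd=1, version=2, null=0)
        / RIPEntry(addr=host)
    )
    try:
        reply = sr1(probe, timeout=timeout)
    except Exception as exc:  # e.g. missing raw-socket rights; report, don't abort
        print(f"\nCheck_live: Timeout or Error!! ({exc!r})")
        return False
    # sr1 returns None on timeout; the draft's bare except hid the TypeError
    # that indexing None raised.  A reply without a RIP layer is also a miss.
    if reply is not None and RIP in reply and reply[RIP].cmd == 2:
        return True
    print("\nCheck_live: Timeout or Error!!")
    return False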
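def main(fuzzable=True):
    """Fuzz a RIPv2 request against ``target_host``:``target_port``.

    Args:
        fuzzable: whether the RIP fields are mutated (True) or sent as-is,
            which is handy for checking the baseline packet in Wireshark.

    The session binds locally to ``local_bind`` and registers
    ``pre_send_callback``, which is referenced but not defined in this
    listing — presumably it calls ``check_live`` so a dead target is noticed
    before the next case goes out; confirm against the full script.  All
    fields are declared big-endian, matching the RIP wire format.
    """
    session = Session(
        target=Target(
            connection=UDPSocketConnection(
                host=target_host, port=target_port, bind=local_bind
            ),
        ),
        pre_send_callbacks=[pre_send_callback],
    )

    s_initialize(name="RIP")
    if s_block_start("RIP_BLOCK"):
        # Header: command 1 (request), version 2, two reserved bytes.
        s_byte(0x01, name='COM', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_byte(0x02, name='Ver', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_word(0x0000, name='RD', endian=BIG_ENDIAN, fuzzable=fuzzable)
        # One route entry: AFI 2 (IPv4), route tag, address (192.168.40.101),
        # subnet mask, next hop, metric.  'mertic' is kept (sic) so the
        # field name matches existing logs.
        s_word(0x0002, name='AFI', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_word(0x0001, name='RT', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0xc0a82865, name='IP', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0x00000000, name='SM', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0x00000000, name='NH', endian=BIG_ENDIAN, fuzzable=fuzzable)
        s_dword(0x1, name='mertic', endian=BIG_ENDIAN, fuzzable=fuzzable)
    s_block_end("RIP_BLOCK")

    # connect() returns the created edge; the draft stored it unused.
    session.connect(s_get("RIP"))
    session.fuzz()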
if __name__ == '__main__':
    # Start fuzzing only when executed as a script, not on import.
    main()
Thanks for sharing your solution @entroy0421!