Fuzzungus: Advanced Network Protocol Fuzzing

Fuzzungus is a fork of the Boofuzz framework, itself a fork and the successor of to the venerable Sulley fuzzing framework. Fuzzungus was created as part of a Safran Electronics & Defense project.

Why?

Boofuzz was lacking a lot of the features needed to fuzz aerospace protocols. By forking Boofuzz, the goal was to be able to easily add them without having to undergo the code review of Boofuzz maintainers, to speed up the development.

This project won’t be maintained much further, excepted some minor fixes and updates by the Safran Electronics & Defense Red Team, so feel free to fork it and make it your own, or, if you happen to be one of the maintainers of Boofuzz, to integrate the changes back into the main project. We would be happy to help you with that.

Features

Fuzzungus incorporates all the elements from Boofuzz :

• Easy and quick data generation.

• Instrumentation – AKA failure detection.

• Target reset after failure.

• Recording of test data.

• Much easier install experience!

• Support for arbitrary communications mediums.

• Built-in support for serial fuzzing, ethernet- and IP-layer, UDP broadcast.

• Better recording of test data – consistent, thorough, clear.

• Test result CSV export.

• Extensible instrumentation/failure detection.

• Far fewer bugs.

Fuzzungus also includes a number of new features:

• Refactored codebase of a number of modules to make it easier to understand and extend.

• Better configuration system

• Three generation modes (library, random mutation, and random generation)

• New primitives for data generation

• Great restart and continue on failure

• Timeout detection

• Full protocol sessions supports (multiple acks, fragmentation…)

In the continuity of Boofuzz, Fuzzungus is also named after a character from Monsters Inc. This time, it’s Fungus, the assistant of the villain Randall Boggs, just because it’s a funny name.

Jeff Fungus from Monsters Inc

Installation

Boofuzz was installable as a Python library through pip, but it isn’t the case of Fuzzungus, that has to be installed through the source code. See Installing Fuzzungus for advanced and detailed instructions.

User Guide

• Installing Fuzzungus
  • Install with docker
  • Prerequisites
  • Install from source
  • Extras
• Quickstart
  • Create the file
  • Configuration process
  • Callbacks
  • Call the file
  • Debugging
• Contributing
  • Issues and Bugs
  • Code Reviews
  • Contributors
  • Maintainers

API Documentation

• Main File
  • Help
  • Verbose
  • Fuzz
  • Continue
  • Replay
  • Open
  • Db list
  • Db connect
  • Ssh-copy-id
  • Open-shell
• Callgraph
  • session.fuzz_indefinitely()
  • session._main_fuzz_loop()
  • session._fuzz_current_case()
  • session.fragmentation_check()
• Packages
  • Boofuzz
  • Blocks
  • Callbacks
  • CLI
  • Connections
  • Loggers
  • Monitors
  • Primitives
  • Session
  • Graph
• Session
  • Session
  • Request-Graph visualisation options
  • Backward link to the session
  • Timeout calculation
  • Fragmentation
  • Multiple Acks
• Target
  • Target Interface
  • Target Class
  • Future
  • Target Source Code
  • Repeater
  • TimeRepeater
  • CountRepeater
• Connections
  • ITargetConnection
  • BaseSocketConnection
  • TCPSocketConnection
  • UDPSocketConnection
  • SSLSocketConnection
  • RawL2SocketConnection
  • RawL3SocketConnection
  • SocketConnection
  • SerialConnection
  • WebSocketConnection
• Monitors
  • Monitor Interface (BaseMonitor)
  • BusyboxMonitor
  • ProcessMonitor
  • NetworkMonitor
  • CallbackMonitor
• Logging
  • Fuzzing Levels
  • Logging Interface (IFuzzLogger)
  • Postgres Logging
  • Text Logging
  • Db Logging
  • CSV Logging
  • Console-GUI Logging
  • FuzzLogger Object
• Other Modules
  • Test Case Session Reference
  • Test Case Context
  • Helpers
  • IP Constants
  • PED-RPC
  • DCE-RPC
  • Crash binning
  • EventHook
• Callbacks
  • How to define it ?
  • How to use it ?
  • Example
  • Change Default value during a fuzzing session

Protocol Definition

• Protocol Overview
  • Overview
  • Example
  • Making Your Own Block/Primitive
  • Flagging blocks/primitives as depreciated
• Blocks
  • Request
  • Block
  • Checksum
  • Repeat
  • Size
  • Aligned
• Primitives
  • BasePrimitive
  • BitField
  • Byte
  • Bytes
  • Delim
  • DWord
  • FromFile
  • Group
  • Mirror
  • MultipleDefault
  • QWord
  • RandomData
  • Simple
  • Static
  • String
  • Word
• Data Generation
  • Data Generation Modes
  • Library
  • Random Mutation
  • Random Generation
  • Example Fuzzing Session
• Configuration of a session
  • Configuration files
  • Nominal Data

Changelog

• Changelog

Contributions

Pull requests are welcome, as boofuzz is actively maintained (at the time of this writing ;)). See Contributing.

Community

For questions that take the form of “How do I… with boofuzz?” or “I got this error with boofuzz, why?”, consider posting your question on Stack Overflow. Make sure to use the fuzzing tag.

If you’ve found a bug, or have an idea/suggestion/request, file an issue here on GitHub.

For other questions, check out boofuzz on gitter or Google Groups.

For updates, follow @b00fuzz on Twitter.

Indices and tables

• Index

• Module Index

• Search Page