jtpereyda / boofuzz

A fork and successor of the Sulley Fuzzing Framework
GNU General Public License v2.0
2.02k stars, 343 forks

Support modifying the message, such as encryption. #710

Open lhpqaq opened 6 months ago

lhpqaq commented 6 months ago

I made modifications to session.py to support obtaining and modifying the mutated version of the message before sending it. To encrypt the fields requiring encryption in the message, you can use the following method:

```python
import itertools

from boofuzz import Session, SocketConnection, Target

# host, port and get_secret_key() are placeholders for the target and for
# whatever key-exchange logic the protocol under test uses.
secret_key = None


def pre_send_callback(target, fuzz_data_logger, session, sock):
    mc = session.mutation_context

    # Method 1: encrypt the whole rendered (mutated) packet just before sending.
    # The byte-wise XOR stands in for the protocol's real cipher.
    original_data = session.fuzz_node.render(mc)
    modified_data = original_data
    if secret_key:
        modified_data = bytes(b ^ k for b, k in zip(original_data, itertools.cycle(secret_key)))
    session.modified_data = modified_data.hex()

    # Method 2 (alternative to method 1): encrypt only the mutated field,
    # then re-render the request so the rest of the packet stays intact.
    if secret_key and mc.mutations:
        first_name = list(mc.mutations.keys())[0]
        if first_name == "field requiring encryption":
            mutation = mc.mutations[first_name]
            mutation.value = bytes(b ^ k for b, k in zip(mutation.value, itertools.cycle(secret_key)))
    session.modified_data = session.fuzz_node.render(mc).hex()


def post_test_case_callback(target, fuzz_data_logger, session, sock):
    global secret_key  # the key is learned from the target's first reply
    if not secret_key:
        receive_data = session.last_recv.hex()
        secret_key = get_secret_key(receive_data)


session = Session(
    target=Target(SocketConnection(host, int(port))),
    receive_data_after_fuzz=True,
    post_test_case_callbacks=[post_test_case_callback],
    pre_send_callbacks=[pre_send_callback],
)
```

phix33 commented 1 month ago

Curious if this approach is going to be accepted? I'd also like to encrypt some data blocks post-mutation and just prior to sending. Will probably adopt this approach in the meantime - thanks @lhpqaq

lhpqaq commented 1 month ago

> Curious if this approach is going to be accepted? I'd also like to encrypt some data blocks post-mutation and just prior to sending. Will probably adopt this approach in the meantime - thanks @lhpqaq

My code might be a bit rudimentary, and the author may not choose to accept it.

jtpereyda commented 1 month ago

Thanks for the PR! A few notes:

  1. There is a way to do this with blocks: Create a block type that has an encode function. The encode function encodes data after mutation. For an example, see repeat.py.
  2. That said, I'm not entirely opposed to this approach.
  3. One note on the PR: It seems like it might make sense not to have modified_data in the constructor. At least for the described use case, it seems like something you always set after construction.
lhpqaq commented 1 month ago

> Thanks for the PR! A few notes:
>
> 1. There is a way to do this with blocks: Create a block type that has an encode function. The encode function encodes data after mutation. For an example, see repeat.py.
>
> 2. That said, I'm not entirely opposed to this approach.
>
> 3. One note on the PR: It seems like it might make sense not to have modified_data in the constructor. At least for the described use case, it seems like something you always set after construction.

Thanks. My understanding of boofuzz is not deep enough. I will continue to study it in the next few days.

phix33 commented 1 month ago

> Thanks for the PR! A few notes:
>
> 1. There is a way to do this with blocks: Create a block type that has an encode function. The encode function encodes data after mutation. For an example, see `repeat.py`.

Ahh nice! Hadn't realised we could call `s_block("block2", encoder=encrypt_block2)` then `encrypt_block2(block2)` gets called with the mutated block! Much simpler, thanks!

(I now see the iso8385.py example too!).
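The two approaches in this thread (lhpqaq's callbacks that learn a key from the target's reply, and the block `encoder` that jtpereyda and phix33 settle on) can be combined in one callable encoder object. The example below is added here and is not code from boofuzz or from anyone in the thread. It assumes the boofuzz encoder contract of "rendered bytes in, bytes to send out"; the HMAC-SHA256 envelope, the `SessionKeyedEncoder` class, the constructed reply format in `learn_key`, and the `render_block` emulation of block rendering are all this example's own stand-ins for the protocol's real cipher and for boofuzz internals.

```python
import hashlib
import hmac
import struct


class SessionKeyedEncoder:
    """Callable block encoder that frames the mutated block and seals it with HMAC-SHA256.

    The HMAC envelope is a constructed stand-in for whatever cipher the protocol
    really uses; a real cipher plugs in with the same bytes -> bytes contract.
    The key is learned from the target's reply, as in the original post's
    post_test_case_callback, rather than hard-coded.
    """

    def __init__(self):
        self.secret_key = None  # unknown until the target has answered once

    def learn_key(self, last_recv: bytes) -> None:
        """Hypothetical key derivation: the reply carries a 16-byte nonce after a
        2-byte header (constructed wire format, not any real protocol)."""
        if self.secret_key is None and len(last_recv) >= 18:
            self.secret_key = hashlib.sha256(last_recv[2:18]).digest()

    def __call__(self, rendered: bytes) -> bytes:
        # Encoder contract: receives the block's mutated bytes, returns the bytes to send.
        # Until a key is known, pass the mutated bytes through so the first test
        # cases still reach the target instead of failing inside the fuzzer.
        if self.secret_key is None:
            return rendered
        tag = hmac.new(self.secret_key, rendered, hashlib.sha256).digest()
        return struct.pack("!H", len(rendered)) + rendered + tag


# One encoder instance shared by the block definition and the session callback.
encoder = SessionKeyedEncoder()


def post_test_case_callback(target, fuzz_data_logger, session, sock):
    """boofuzz post-test-case callback signature; session.last_recv holds the reply."""
    encoder.learn_key(session.last_recv)


def render_block(children, encode) -> bytes:
    """Simplified model of what a boofuzz block does with an encoder attached:
    render the (already mutated) children, join them, then hand the result to
    the encoder. The real Block class does more (groups, dependencies), but the
    encoder is applied at this same point."""
    return encode(b"".join(children))


def open_envelope(key: bytes, wire: bytes):
    """Reference decoder for the envelope: returns the payload, or None when the
    frame is malformed or the tag does not verify (what the target's receive
    path would do with a mutated-but-unsealed message)."""
    if len(wire) < 2 + 32:
        return None
    (n,) = struct.unpack("!H", wire[:2])
    payload, tag = wire[2:2 + n], wire[2 + n:]
    if len(payload) != n or len(tag) != 32:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def build_request():
    """Attach the encoder to a block with the boofuzz API phix33 describes.
    Returns None when boofuzz is not installed so the rest of the example
    still runs offline."""
    try:
        from boofuzz import s_block, s_get, s_initialize, s_string
    except ImportError:
        return None
    s_initialize("login")
    with s_block("block2", encoder=encoder):
        s_string("user", name="username")
        s_string("pass", name="password")
    return s_get("login")


if __name__ == "__main__":
    # Constructed reply from the target: 2-byte header followed by a 16-byte nonce.
    sample_reply = b"\x00\x01" + bytes(range(16))
    print("before key:", render_block([b"user", b"\x00", b"pass"], encoder).hex())
    encoder.learn_key(sample_reply)
    wire = render_block([b"user", b"\x00", b"pass"], encoder)
    print("after key: ", wire.hex())
    print("decodes to:", open_envelope(encoder.secret_key, wire))
```

Keeping the key on the encoder object rather than in a module-level global avoids the `global` dance from the first post, and `open_envelope` doubles as a check that the fuzzer's envelope is what the target's decoder expects: if a target rejects every case, comparing its decoder against this one is the first thing to verify.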