
Raw L4 Connection To Send/Receive On Top Of IP Layer

Open zhouzoe opened this issue 3 years ago • 4 comments

I'm trying to generate OSPF packets with boofuzz, and I use the socket RawL3SocketConnection to send those packets, just as follows:

```python
sess = Session(
    target=Target(
        connection=RawL3SocketConnection("ens33", 5.0, 5.0, ethernet_proto=2048),
        monitors=[procmon],
    ),
    console_gui=True,
)
```

However, I found that I must add the IP data to every OSPF packet, and I wonder whether there is any other socket that I can use to send only the OSPF packet, without the IP data. By the way, OSPF runs over IP, just like ICMP.

zhouzoe avatar May 10 '21 11:05 zhouzoe

Currently there is no boofuzz Connection class which builds the IP header for you. So you'll have to use RawL3SocketConnection and write a protocol definition for the IP header yourself.

But I get your point, it would be convenient to have an IPSocketConnection class for L4 IP protocol communication. I'll mark this as a feature request.

SR4ven avatar May 10 '21 19:05 SR4ven

Thanks for the reply. I intend to write the IP header myself, but there's another problem: when I use s_size() to calculate the total length of the entire packet, just as follows, it seems to include all fields.

```python
from boofuzz import *
from boofuzz import helpers

s_initialize("ospf")
# ....
# IP total length: rendered length of the OSPF block plus the 20-byte IP header
s_size("ospf_packet", name="ospf_pack_len", endian=">", length=2, math=lambda x: x + 20)
# ....
if s_block_start("ospf_packet"):
    s_bit_field(2, name="version", width=8, endian=">", fuzzable=True)
    s_group(name="type", values=[b'\x01', b'\x02', b'\x03', b'\x04', b'\x05'], default_value=b'\x01')
    # ....
    s_bytes(helpers.ip_str_to_bytes('192.168.32.128'), name="router_id", size=4, fuzzable=True, field_type="IP")
    s_bytes(helpers.ip_str_to_bytes('0.0.0.0'), name="area_id", size=4, fuzzable=True, field_type="IP")
    # ....
    if s_block_start("body"):
        ### Hello packet
        if s_block_start("hello_packet", dep="type", dep_value=b'\x01'):
            s_bytes(helpers.ip_str_to_bytes('255.255.255.0'), name="network_mask", size=4, fuzzable=True, field_type="IP")
            s_word(7676, name="hellointerval", endian=">", fuzzable=False)
            # ....
        s_block_end()
        ### database description and link state acknowledgment
        if s_block_start("data_packet", dep="type", dep_values=[b'\x02', b'\x05']):
            s_word(1500, name="interface_mtu", endian=">", fuzzable=False)
            s_bit_field(0x52, name="options1", width=8, endian=">", fuzzable=True)
            # ....
        s_block_end()
        ### link state request
        if s_block_start("link_reqst_packet", dep="type", dep_value=b'\x03'):
            # s_dword takes a single integer default value, not a list
            s_dword(0, name="ls_type1", endian=">", fuzzable=True)
            s_dword(0, name="link_state_id1", endian=">", fuzzable=True)
            s_dword(0, name="advertising_router1", endian=">", fuzzable=True)
        s_block_end()
        ### link state update
        if s_block_start("link_update_packet", dep="type", dep_value=b'\x04'):
            s_dword(0, name="lsa_num", endian=">", fuzzable=False)
            # ....
        s_block_end()
    s_block_end()
s_block_end()
```

But there are different blocks depending on the value of the field "type", and not all blocks are present at the same time. What I hope is that the value of s_size() is the length of the data I actually send every time, instead of the length of all fields in the stack. Can't s_size() meet this need, or have I got it wrong?

zhouzoe avatar May 11 '21 06:05 zhouzoe

Hey, I misused s_size() and my problem is solved. Thanks a lot.

zhouzoe avatar May 11 '21 07:05 zhouzoe
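The two questions in this thread (what the hand-written IP header must contain, and why the length field has to be computed from the bytes actually emitted for the selected packet type) can be seen in one place with plain Python. The block below is an added example written for this page; it is not code from the issue, from boofuzz, or from any OSPF implementation. It uses only the standard library, so it runs without boofuzz. The router ID, area ID, addresses and body fields are constructed sample values; `ospf_body` follows the type-dependent grouping of the posted definition and is simplified (a real LS Ack carries LSA headers rather than the DBD fields). The function names `build_datagram`, `verify_datagram` and `send_datagram` are this example's own.

```python
"""Build an IPv4 datagram carrying an OSPFv2 packet, with the length and
checksum fields derived from the bytes actually emitted for the chosen type.
Added example; constructed values, not captured traffic."""
import socket
import struct

# Constants from RFC 791 / RFC 2328
OSPF_PROTO = 89            # IPv4 protocol number for OSPF
OSPF_VERSION = 2
OSPF_HEADER_LEN = 24
IPV4_HEADER_LEN = 20
OSPF_HELLO, OSPF_DBD, OSPF_LS_REQ, OSPF_LS_UPD, OSPF_LS_ACK = 1, 2, 3, 4, 5


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; both the IPv4 header and the OSPFv2 header use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_body(pkt_type: int) -> bytes:
    """Type-dependent body (simplified, constructed sample fields). This is
    the analogue of the dep=type child blocks in the posted definition."""
    if pkt_type == OSPF_HELLO:
        # mask, hello interval, options, priority, dead interval, DR, BDR
        return struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                           10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    if pkt_type in (OSPF_DBD, OSPF_LS_ACK):
        # interface MTU, options, flags, DD sequence number
        return struct.pack("!HBBI", 1500, 0x52, 0x07, 0x1234)
    if pkt_type == OSPF_LS_REQ:
        # LS type, link state ID, advertising router
        return struct.pack("!III", 1, 0, 0)
    if pkt_type == OSPF_LS_UPD:
        # number of LSAs (none follow in this sample)
        return struct.pack("!I", 0)
    raise ValueError("unknown OSPF packet type %d" % pkt_type)


def ospf_packet(pkt_type: int, router_id: str, area_id: str) -> bytes:
    body = ospf_body(pkt_type)
    length = OSPF_HEADER_LEN + len(body)      # header plus THIS body only
    hdr = struct.pack("!BBH4s4sHHQ", OSPF_VERSION, pkt_type, length,
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, 0, 0)                # checksum, AuType=0, auth data
    # The OSPF checksum covers the packet minus the 64-bit authentication field
    csum = ones_complement_checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 1) -> bytes:
    # OSPF is link-local (TTL 1) and conventionally sent with TOS 0xC0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0xC0,
                      IPV4_HEADER_LEN + payload_len, 0, 0, ttl, OSPF_PROTO, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_checksum(hdr)      # IP checksum: header only
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_datagram(pkt_type, src="192.168.32.128", dst="224.0.0.5",
                   router_id="192.168.32.128", area_id="0.0.0.0") -> bytes:
    ospf = ospf_packet(pkt_type, router_id, area_id)
    return ipv4_header(src, dst, len(ospf)) + ospf


def verify_datagram(pkt: bytes) -> dict:
    """Re-check the four fields a receiver validates before parsing further."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, ospf = pkt[:ihl], pkt[ihl:]
    return {
        "ip_total_len_ok": struct.unpack("!H", ip_hdr[2:4])[0] == len(pkt),
        "ip_checksum_ok": ones_complement_checksum(ip_hdr) == 0,
        "ospf_len_ok": struct.unpack("!H", ospf[2:4])[0] == len(ospf),
        "ospf_checksum_ok": ones_complement_checksum(ospf[:16] + ospf[24:]) == 0,
    }


def send_datagram(pkt: bytes, dst: str) -> None:
    """Send a self-built IPv4 datagram on a raw socket (needs CAP_NET_RAW).
    With IPPROTO_RAW the kernel takes our bytes as starting at the IP header."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    for t in (OSPF_HELLO, OSPF_DBD, OSPF_LS_REQ, OSPF_LS_UPD):
        pkt = build_datagram(t)
        print(t, len(pkt), verify_datagram(pkt))
```

Each type produces a different datagram length (64, 52, 56 and 48 bytes for Hello, DBD, LS Request and LS Update here), and both length fields and both checksums are computed after the type has selected the body, never from the union of all possible bodies. In a boofuzz definition the equivalent is an s_size over the whole OSPF block (with math=lambda x: x + 20 for the IP total length, as in the posted definition) and an s_checksum with algorithm="ipv4" over the IP header block; a size primitive reports the rendered length of its target block, and a child block whose dep condition is not met renders empty, so unselected bodies contribute nothing. Note that the IP checksum only covers the header, so corrupting the OSPF payload is caught by the OSPF checksum alone.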