Bf3

From aldeid

Description

Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer. The modules it uses are extendable but also highly integrated into the core. bf3 is driven from the command line, where all necessary flags for each fuzzing operation are set. After initialization, bf3 creates test cases in a numbered system. Fuzzing is automated through the browser using the refresh method: each test case page refreshes to the next one, so the browser walks through the whole set. If an error is detected, the web server logs show which test case was loaded last and therefore which one is the offending case. The tool currently supports the following features:

  • Fuzzes CSS, DOM, HTML, JavaScript and XML
  • Attended and Unattended Fuzzing Modes
  • 7th Generation Fuzzing Oracle
  • Random Data Generator
  • Mutation Fuzzing Engine
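The refresh-method workflow described above (numbered test cases, a browser that refreshes from one case to the next, and server logs that point at the offending case) is small enough to show end to end. The following Python script is an added illustration and is not bf3's own code; it borrows only the "Overflow: A x N" oracle lengths listed on this page, places the payload into a text node (how bf3 itself embeds payloads is not documented here and is an assumption), writes 1.html ... N.html into an output directory like bf3's -P option, and then reads a constructed Apache-style access log to recover the last case the browser fetched before it stopped:

```python
"""Minimal refresh-chain browser fuzzing harness (added illustration, not bf3 code)."""
import html
import re
from pathlib import Path

# Overflow oracle lengths, taken from the Oracle Modules list on this page.
OVERFLOW_LENGTHS = [550, 1100, 2100, 4200, 8400, 16500, 33000, 65800,
                    131200, 262400, 525000, 1050000]


def oracle_payloads():
    """Return (label, payload) pairs for the overflow oracle entries."""
    return [(f"Overflow: A x {n}", "A" * n) for n in OVERFLOW_LENGTHS]


def render_test_case(n, total, payload, delay=1):
    """Build test case n of total as an HTML document.

    Every page loads the payload into the DOM and then refreshes to the next
    numbered page, so an unattended browser walks the whole set on its own.
    The last page carries no refresh tag, which terminates the run.
    """
    next_url = f"{n + 1}.html" if n < total else None
    refresh = (f'<meta http-equiv="refresh" content="{delay};url={next_url}">'
               if next_url else "")
    # The payload is HTML-escaped here so this harness only exercises the
    # numbering/refresh mechanism; a real fuzzer would insert it raw (assumption).
    return (
        "<!DOCTYPE html><html><head>"
        f"<title>case {n}/{total}</title>{refresh}</head>"
        f'<body><div id="case">{html.escape(payload)}</div></body></html>'
    )


def write_test_cases(out_dir, payloads, delay=1):
    """Write numbered pages 1.html .. N.html into out_dir and return their paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    total = len(payloads)
    paths = []
    for n, (_label, payload) in enumerate(payloads, start=1):
        path = out / f"{n}.html"
        path.write_text(render_test_case(n, total, payload, delay), encoding="utf-8")
        paths.append(path)
    return paths


# Matches the request part of a combined/common log line for a numbered case,
# e.g. "GET /js/3.html HTTP/1.1", capturing the case number.
LOG_RE = re.compile(r'"GET /(?:[^" ]*/)?(\d+)\.html HTTP/[0-9.]+"')


def last_requested_case(log_lines):
    """Return the number of the last test case the browser fetched, or None.

    When the browser dies, the refresh chain stops, so the most recent case in
    the access log is the one that triggered the failure.
    """
    last = None
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            last = int(m.group(1))
    return last


# Constructed sample access log: the browser fetched cases 1-3 and then stopped.
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [10/Oct/2023:12:00:01 +0000] "GET /js/1.html HTTP/1.1" 200 1234',
    '127.0.0.1 - - [10/Oct/2023:12:00:02 +0000] "GET /js/2.html HTTP/1.1" 200 1784',
    '127.0.0.1 - - [10/Oct/2023:12:00:03 +0000] "GET /js/3.html HTTP/1.1" 200 2784',
    '127.0.0.1 - - [10/Oct/2023:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
]


if __name__ == "__main__":
    import sys
    # Output directory, the equivalent of bf3's -P option (default is a local ./cases).
    target = sys.argv[1] if len(sys.argv) > 1 else "./cases"
    for p in write_test_cases(target, oracle_payloads()):
        print(p)
    print("last requested case in sample log:", last_requested_case(SAMPLE_ACCESS_LOG))
```

Point the browser under test at 1.html on a local web server serving the output directory; when it stops refreshing, run the access log through last_requested_case and open that single page in the attended mode to reproduce the problem.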

Installation

$ cd /data/src/
$ wget http://packetstorm.setnine.com/fuzzer/bf3.tar.gz
$ mkdir -p /pentest/fuzzers/
$ tar xvzf bf3.tar.gz -C /pentest/fuzzers/

Usage

Basic syntax

./bf3 <-M #> <-A/-U> <-O/-R #> [-Z #]
[-X file.ext] [-x extra.html] [-P /www]

Common Options

-M <num>
Target module. Use ./bf3 -D (or plain ./bf3) to list the modules available.
-A <mode>
Attended fuzzing mode (dom/js only)
Use this option to fuzz DOM or JS. Else, use -U option
-U
Unattended fuzzing mode
-O
Use the fuzzing oracle. Use ./bf3 -T to list Oracle fuzzing modules.
-R
Use random generation
-Z <bytes>
Max number of bytes (random generation)
-X <file>
File to parse for mutation
-x <file>
Extra file for mutation (css/xml only)
-P <path>
Test case output directory (full path)

Information Options

-T
List the fuzzing Oracle modules.
-D
List modules available.

Modules Available

The following modules are available:

  1. Cascading Style Sheets (CSS)
  2. Document Object Model (DOM)
  3. HyperText Markup Language (HTML)
  4. JavaScript (JS)
  5. Extensible Markup Language (XML)

Oracle Modules

  1. Overflow: A x 550
  2. Overflow: A x 1100
  3. Overflow: A x 2100
  4. Overflow: A x 4200
  5. Overflow: A x 8400
  6. Overflow: A x 16500
  7. Overflow: A x 33000
  8. Overflow: A x 65800
  9. Overflow: A x 131200
  10. Overflow: A x 262400
  11. Overflow: A x 525000
  12. Overflow: A x 1050000
  13. Format String: %n x 5
  14. Format String: %p x 5
  15. Format String: %s x 5
  16. Format String: %d x 5
  17. Format String: %x x 5
  18. Format String: %s%p%x%d
  19. Format String: %s x 30
  20. Format String: %.1024d
  21. Format String: %.1025d
  22. Format String: %.2048d
  23. Format String: %.2049d
  24. Format String: %.4096d
  25. Format String: %.4097d
  26. Format String: %99999999999s
  27. Format String: %0%1%2%3%4%5%6%7%8%9%10%11%12%13%14%15%16%17%18%19%20
  28. Format String: %%20n
  29. Format String: %%20p
  30. Format String: %%20s
  31. Format String: %%20d
  32. Format String: %%20x
  33. Format String: %#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%
  34. Number: 0
  35. Number: -0
  36. Number: 1
  37. Number: -1
  38. Number: 32767
  39. Number: -32768
  40. Number: 65535
  41. Number: 65536
  42. Number: 65537
  43. Number: 16777215
  44. Number: 16777216
  45. Number: 16777217
  46. Number: 2147483647
  47. Number: -2147483647
  48. Number: 2147483648
  49. Number: -2147483648
  50. Number: 4294967294
  51. Number: 4294967295
  52. Number: 4294967296
  53. Number: 357913942
  54. Number: -357913942
  55. Number: 536870912
  56. Number: -536870912
  57. Number: 5e-324
  58. Number: 1.79769313486231E+308
  59. Number: 3.39519326559384E-313
  60. Number: 0xff
  61. Number: 0x3fffffff
  62. Number: 0xffffffff
  63. Number: 0xfffffffe
  64. Number: 0x3fffffff
  65. Number: 0x7fffffff
  66. Number: 0x7ffffffe
  67. Number: 0x100
  68. Number: 0x1000
  69. Number: 0x10000
  70. Number: 0x100000
  71. Number: 0x80000000
  72. Number: -268435455
  73. Number: 0x99999999
  74. Number: 99999999999
  75. Number: -99999999999
  76. Misc Bug: test|touch /tmp/FU_ZZ_ED|test
  77. Misc Bug: test`touch /tmp/FU_ZZ_ED`test
  78. Misc Bug: test'touch /tmp/FU_ZZ_ED'test
  79. Misc Bug: test;touch /tmp/FU_ZZ_ED;test
  80. Misc Bug: test&&touch /tmp/FU_ZZ_ED&&test
  81. Misc Bug: test|C:/WINDOWS/system32/calc.exe|test
  82. Misc Bug: test`C:/WINDOWS/system32/calc.exe`test
  83. Misc Bug: test'C:/WINDOWS/system32/calc.exe'test
  84. Misc Bug: test;C:/WINDOWS/system32/calc.exe;test
  85. Misc Bug: C:/WINDOWS/system32/calc.exe
  86. Misc Bug: |/bin/sh|
  87. Misc Bug: `/bin/sh`
  88. Misc Bug: %0xa
  89. Misc Bug: %u000
  90. Misc Bug: `[email protected]#$
  91. Misc Bug: %^&*()
  92. Misc Bug: -=_+
  93. Misc Bug: [
  94. Misc Bug: |;\':
  95. Misc Bug: ,./<>?

Examples

  • Fuzz JavaScript in Unattended Mode with the Fuzzing Oracle and output test cases to /var/www/
$ ./bf3 -M 3 -U -O -P /var/www
  • Fuzz DOM in Attended Mode with Random Data up to 10,000 bytes and output 10,000 test cases to /var/www/dom/
$ ./bf3 -M 2 -A -R 10000 -Z 10000 -P /var/www/dom
  • Fuzz CSS by mutating /home/linux/bf3/samples/css/style.css with Random Data up to 100,000 bytes (default) and use /home/linux/bf3/samples/css/bmgsec.html to display the data, output to /var/www/css (total number of test cases = 100 x number of characters in /home/linux/bf3/samples/css/style.css)
$ ./bf3 -M 1 -U -R 100 -X /home/linux/bf3/samples/css/style.css \
-x /home/linux/bf3/samples/css/bmgsec.html -P /var/www/css
  • Fuzz JavaScript in Unattended Mode by generating 1,000,000 random test cases and output to /var/www/js
$ ./bf3 -M 4 -U -R 1000000 -P /var/www/js
