GitHub

Introduction

参考 Forescout/bgp_boofuzzer 的结构特化了一个 OSPF 版本

Installation

docker 配置文件放置在frrouter-docker中，使用docker-compose up -d即可启动容器，docker 配置的路由环境如下

fuzzer 运行在 frrouter1 上，对 frrouter2 发送 fuzzing 包

# frrouter2
docker exec -it frrouter2 fish
cd /home/fuzzer

python3 main.py --ip [rpc ip] --port [rpc port] --monitor frr

等待 frr 服务重启后，watchfrr 和 boofuzz 的 procmon 会监控 ospfd 的存活情况，此时可以进行 fuzz 了

# frrouter1
docker exec -it frrouter1 fish
cd /home/fuzzer

python3 fuzz_xxx.py --route_id [router ip] --area_id 0.0.0.0 --tip [rpc ip] --trpc_port [rpc port]

Details

报文协议树可视生成

frr-router 的 docker 环境中安装了graphviz，可以在每个报文的do_fuzz方法中加入以下代码，生成每个报文的状态图

with open('somefile.png', 'wb') as file:
    file.write(session.render_graph_graphviz().create_png())

目标修改

在 fuzzer.py 中，可能需要修改这一部分来满足报文能发送到目标服务器上并被识别

self.session_handle = Session(
    target=Target(
        # You need to change l2_dst MAC address and interface name.
        connection=RawL3SocketConnection(
            interface="eth0",
            send_timeout=5,
            recv_timeout=5,
            l2_dst=b'\x01\x00\x5e\x00\x00\x05'
        ),
    ),

其中interface和l2_dst需要根据实际情况修改

路径修改

docker 配置的 volumns 映射是绝对路径，需要根据实际情况修改

        frrouter1:
                build:
                        context: ./build
                        dockerfile: Dockerfile-frrouter
                container_name: frrouter1
                hostname: frrouter1
                networks:
                        net1:
                                ipv4_address: 172.18.0.3
                        net2:
                                ipv4_address: 172.19.0.2
                volumes:
                        - ./files/orchestrator.sh:/usr/src/files/orchestrator.sh
                        - ./configs/frrouter1/.env:/usr/src/config/.env
                        - ./configs/frrouter1/frr/:/etc/frr
                        - /home/ospf_boofuzzer/:/home/fuzzer
                cap_add:
                        - NET_ADMIN
                        - NET_BIND_SERVICE
                        - NET_RAW
                        - SYS_ADMIN
                command: 'sh -c "/usr/src/files/orchestrator.sh"'
                privileged: true
                ports:
                        - "26000:12345"

        frrouter2:
                build:
                        context: ./build
                        dockerfile: Dockerfile-frrouter
                container_name: frrouter2
                hostname: frrouter2
                networks:
                        net2:
                                ipv4_address: 172.19.0.3
                        net3:
                                ipv4_address: 172.20.0.3
                volumes:
                        - ./files/orchestrator.sh:/usr/src/files/orchestrator.sh
                        - ./configs/frrouter2/.env:/usr/src/config/.env
                        - ./configs/frrouter2/frr/:/etc/frr
                        - /home/ospf_boofuzzer/:/home/fuzzer
                cap_add:
                        - NET_ADMIN
                        - NET_BIND_SERVICE
                        - NET_RAW
                        - SYS_ADMIN
                command: 'sh -c "/usr/src/files/orchestrator.sh"'
                privileged: true

Result

测试复现CVE-2024-27913漏洞，结果如下

Name		Name	Last commit message	Last commit date
Latest commit History 33 Commits
base		base
frrouter-docker		frrouter-docker
img		img
.gitignore		.gitignore
README.md		README.md
fuzz_dd.py		fuzz_dd.py
fuzz_hello.py		fuzz_hello.py
fuzz_lsack.py		fuzz_lsack.py
fuzz_lsr.py		fuzz_lsr.py
fuzz_lsu.py		fuzz_lsu.py
fuzz_lsu_cvetest.py		fuzz_lsu_cvetest.py
main.py		main.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Introduction

Installation

Details

报文协议树可视生成

目标修改

路径修改

Result

About

Releases

Packages

Languages

AimiP02/OSPF_BooFuzzer

Folders and files

Latest commit

History

Repository files navigation

Introduction

Installation

Details

报文协议树可视生成

目标修改

路径修改

Result

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages