
quefuzz
QueFuzz is reborn as QueMod: https://github.com/struct/QueMod
The original QueFuzz is dead ...
Updates - May 2009
QueFuzz is outdated, I have replaced it with QueRub which you can read more about here.
STOP: QueFuzz is old, read the text above this!
QueFuzz is a small fuzzer that uses libnetfilter_queue to take in packets from iptables. Its fuzzing engine reads a small template file and fuzzes the packets as you requested. QueFuzz has a very short learning curve, unlike many other fuzzing frameworks. It may not be as powerful, but you can have it up and fuzzing in under a minute.
Unlike other fuzzers, QueFuzz is not focused on data generation. It relies on a valid application to generate the data and instead just mutates the network traffic inline and passes it on. Here's a quick how-to:
1. Set up an iptables rule that queues all outgoing packets with a TCP destination port of 80.
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
2. Start QueFuzz with an HTTP template that looks like this:
$ cat http.fuz
quefuzz HTTP {
ip_src (192.168.4.3)
ip_dst (192.168.4.2)
replace (AAAA) (BBBB)
replace (GET /index.html) (GET /../../../../)
replace (Content-Length: 90) (Content-Length: -1)
replace (User-Agent: Mozilla) (User-Agent: Moz%n%n)
binary_replace (04050f) (616263)
fuzz_word (Content-Length)
random_binary
random_ascii
random_depth 2
}
$ ./quefuzz -t http.fuz -v -f
3. Open your HTTP browser and connect to your server at 192.168.4.2 as normal. QueFuzz takes care of the packet mutation inline; all you have to do is monitor your server or client with a debugger for any potential crashes.
(The example template uses every keyword.)
QueFuzz can obviously be used in the opposite direction: you can fuzz your client using your server. It doesn't care which direction the traffic is going. It's not as in-depth as some of the better fuzzing frameworks out there, like Sulley or Spike, but it gets the job done.
Here's a basic flow chart of how it works:
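To make the template format concrete, here is an added Python sketch (not QueFuzz's own code) that parses a `quefuzz { ... }` block and applies it to a constructed HTTP request the way an inline mutator would. The meaning given to each keyword is an assumption read off the keyword names: `replace` and `binary_replace` as search-and-replace on ASCII and hex-encoded bytes, `fuzz_word` as overwriting the named word with junk of equal length, `random_binary` and `random_ascii` as random insertions repeated `random_depth` times, and `ip_src`/`ip_dst` as a filter deciding which packets get touched. The real tool works on whole packets handed to it from the netfilter queue; this sketch only operates on payload bytes.

```python
"""Toy re-implementation of the QueFuzz template logic (assumed semantics,
not the project's own code). Parses a `quefuzz { ... }` block and applies
its rules to a packet payload the way an inline mutator would."""
import random
import re

# Constructed sample template using the keywords shown on the page.
TEMPLATE = """quefuzz HTTP {
ip_src (192.168.4.3)
ip_dst (192.168.4.2)
replace (AAAA) (BBBB)
replace (Content-Length: 90) (Content-Length: -1)
binary_replace (04050f) (616263)
fuzz_word (Content-Length)
random_binary
random_ascii
random_depth 2
}
"""

# Constructed sample payload: an HTTP request as a normal client would emit it.
SAMPLE_REQUEST = (b"GET /index.html?q=AAAA HTTP/1.1\r\n"
                  b"Host: 192.168.4.2\r\n"
                  b"Content-Length: 90\r\n\r\n"
                  b"\x04\x05\x0f")

PRINTABLE = bytes(range(0x21, 0x7F))          # visible ASCII, for random_ascii / fuzz_word
_PAREN_ARG = re.compile(r"\((.*?)\)")          # extracts each (...) argument


def parse_template(text):
    """Parse one quefuzz block into filters, ordered rules and random options.
    Keyword meanings are assumptions; QueFuzz's own parser may differ."""
    spec = {"name": None, "ip_src": None, "ip_dst": None, "rules": [],
            "random_binary": False, "random_ascii": False, "random_depth": 1}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if line.startswith("quefuzz "):
            spec["name"] = line.split()[1]
            continue
        key, _, rest = line.partition(" ")
        args = _PAREN_ARG.findall(rest)
        if key in ("ip_src", "ip_dst"):
            spec[key] = args[0]
        elif key == "replace":                    # ASCII search/replace
            spec["rules"].append(("replace", args[0].encode(), args[1].encode()))
        elif key == "binary_replace":             # hex-encoded search/replace
            spec["rules"].append(("replace", bytes.fromhex(args[0]), bytes.fromhex(args[1])))
        elif key == "fuzz_word":                  # overwrite a word with junk of equal length
            spec["rules"].append(("fuzz_word", args[0].encode(), None))
        elif key in ("random_binary", "random_ascii"):
            spec[key] = True
        elif key == "random_depth":               # number of random insertion rounds
            spec["random_depth"] = int(rest)
        else:
            raise ValueError("unknown template keyword: %r" % key)
    return spec


def _insert_at_random(buf, chunk, rng):
    pos = rng.randint(0, len(buf))
    return buf[:pos] + chunk + buf[pos:]


def mutate(payload, spec, seed, src=None, dst=None):
    """Return the mutated payload, or the payload untouched when the packet
    does not match the template's ip_src/ip_dst filter. A fixed seed makes a
    given mutation reproducible, which is what you need to replay a crash."""
    if spec["ip_src"] and src != spec["ip_src"]:
        return payload
    if spec["ip_dst"] and dst != spec["ip_dst"]:
        return payload
    rng = random.Random(seed)
    out = payload
    for kind, needle, repl in spec["rules"]:    # deterministic rules first, in file order
        if kind == "replace":
            out = out.replace(needle, repl)
        elif kind == "fuzz_word" and needle in out:
            junk = bytes(rng.choice(PRINTABLE) for _ in needle)
            out = out.replace(needle, junk, 1)
    for _ in range(spec["random_depth"]):        # then the random insertions
        if spec["random_binary"]:
            out = _insert_at_random(out, bytes(rng.randrange(256) for _ in range(rng.randint(1, 8))), rng)
        if spec["random_ascii"]:
            out = _insert_at_random(out, bytes(rng.choice(PRINTABLE) for _ in range(rng.randint(1, 8))), rng)
    return out


if __name__ == "__main__":
    spec = parse_template(TEMPLATE)
    fuzzed = mutate(SAMPLE_REQUEST, spec, seed=7, src="192.168.4.3", dst="192.168.4.2")
    print("before:", SAMPLE_REQUEST)
    print("after: ", fuzzed)
```

The seed parameter is the one design choice worth copying: when the debugger you attached in step 3 catches a crash, you want to regenerate the exact mutated packet that caused it, and a mutator driven by an unseeded RNG cannot give you that.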
http://em386.blogspot.com | http://chris.rohlf.googlepages.com/index.html
Project Information
- License: GNU GPL v2
- svn-based source control