Raw L4 Connection To Send/Receive On Top Of IP Layer

[zhouzoe]

• I'm trying to generate OSPF packets with boofuzz, and I use SOCKT RawL3SocketConnection to send those packets, just as follows):
  sess = Session( target=Target( connection=RawL3SocketConnection("ens33", 5.0, 5.0, ethernet_proto=2048), monitors=[procmon], ), console_gui = True, )

-- However I found that I must add the IP data with every OSPF packet. And I wonder if is there any other SOCKET that I can use to only send OSPF socket without IP data.
-- By the way, OSPF runs over IP, just like ICMP

[SR4ven]

Currently there is no boofuzz Connection class which builds the IP header for you.
So you'll have to use RawL3SocketConnection and write a protocol definition for the IP header yourself.

But I get your point, it would be convenient to have an IPSocketConnection class for L4 IP protocol communication.
I'll mark this as a feature request.

[zhouzoe]

Thanks for reply. I intend to write IP header myself but there's another problem that when I use s_size() to calculate the total length of the entire packet , just as follows, it seems include all fields.

s_initialize("ospf")
....
s_size("ospf_packet", name="ospf_pack_len", endian=">", length=2, math=lambda x:x+20)
....
if s_block_start("ospf_packet"):
s_bit_field(2, name="version", width=8, endian=">", fuzzable=True)
s_group(name="type", values=[b'\x01',b'\x02',b'\x03',b'\x04',b'\x05'], default_value=b'\x01')
....
s_bytes(helpers.ip_str_to_bytes('192.168.32.128'), name= "router_id", size=4, fuzzable=True, field_type="IP")
s_bytes(helpers.ip_str_to_bytes('0.0.0.0'), name= "area_id", size=4, fuzzable=True, field_type="IP")
....
if s_block_start("body"):
### Hello packet
if s_block_start("hello_packet", dep="type", dep_value=b'\x01'):
s_bytes(helpers.ip_str_to_bytes('255.255.255.0'), name= "network_mask", size=4, fuzzable=True, field_type="IP")
s_word(7676, name="holleinterval", endian=">", fuzzable=False)
....
s_block_end()
### database description and link state acknowledgment
if s_block_start("data_packet", dep="type", dep_values=[b'\x02', b'\x05']):
s_word(1500, name="interface_mtu", endian=">", fuzzable=False)
s_bit_field(0x52, name="options1", width=8, endian=">", fuzzable=True)
....
s_block_end()
### link state request
if s_block_start("link_reqst_packet", dep="type", dep_value=b'\x03'):
s_dword([0,1,2,3,4,5], name="ls_type1", endian=">", fuzzable=True)
s_dword(0, name="link_state_id1", endian=">", fuzzable=True)
s_dword(0, name="advertising_router1", endian=">", fuzzable=True)
s_block_end()
### link state update
if s_block_start("link_update_packet", dep="type", dep_value=b'\x04'):
s_dword(0, name="lsa_num", endian=">", fuzzable=False)
....
s_block_end()
s_block_end()
s_block_end()

But there are different block dependent on different value of field "TYPE", and not all block are present at the same time. What I hope is that teh value of s_size() is the length of data I actully send every time, instead of the length of all fields in the stack.
Does s_size() can't meet this need or I got it wrong?

[zhouzoe]

Hey, I misused s_size() and my problem has solved. Thanks a lot.

[newbing9527]

Hey, I misused s_size() and my problem has solved. Thanks a lot.

--how to caculate the checksum dynamically?