Conduct OOB Fuzzing of targets with payloads towards callback server
Brought to you courtesy of Team Entropy, with ❤️ from
@ninposec, @mortensteenrasmussen & @CasperGN
Pip:
$ sudo pip install OOB-Fuzz
Or clone and install via setup:
$ git clone https://github.com/CasperGN/oobfuzz.git; cd oobfuzz; sudo -H python3 -m pip install .
Reasoning:
OOBFuzz requires GAU to run. As such, we need to apt-get install golang, fetch the binary with go get, and move it into /usr/bin.
This requires root permissions (unless obscure suid perhaps?) in order to do so.
If in doubt, please check setup.py to ensure that nothing malicious is happening.
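One way to follow that advice without running anything as root is a static check that parses a setup.py and lists the calls that launch external commands. This is an added example, not code from the OOBFuzz project; `audit_setup`, `SUSPECT_CALLS` and the sample file contents are assumptions constructed for illustration.

```python
import ast

# Calls that let a setup.py run external commands or dynamic code at install time.
SUSPECT_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output", "subprocess.Popen",
    "eval", "exec",
}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def audit_setup(source):
    """Parse (never execute) setup.py source; return [(line, call, literal args)]."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and dotted_name(node.func) in SUSPECT_CALLS:
            # Collect string literals anywhere in the arguments (covers list argv too).
            literals = [n.value for arg in node.args for n in ast.walk(arg)
                        if isinstance(n, ast.Constant) and isinstance(n.value, str)]
            findings.append((node.lineno, dotted_name(node.func), literals))
    return sorted(findings)

# Constructed sample, NOT the project's real setup.py: it only mirrors the
# steps the README describes (apt-get install golang, then a move into /usr/bin).
SAMPLE_SETUP = '''\
import os, subprocess
from setuptools import setup

os.system("apt-get install -y golang")
subprocess.run(["mv", "gau", "/usr/bin/gau"], check=True)
setup(name="example", version="0.0.0")
'''

if __name__ == "__main__":
    for line, call, literals in audit_setup(SAMPLE_SETUP):
        print(f"line {line}: {call} {literals}")
```

To audit a cloned copy, pass the file's text, for example `audit_setup(open("setup.py").read())`. An empty result is not proof of safety: aliased imports such as `from os import system` are not resolved by this check.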
Create a folder containing payloads. The package contains examples at either data/payloads/ or, when installed via pip, in your site-packages/ directory.
$ python -m oobfuzz --payloads /path/to/payload/directory/ --targets targets.txt --threads 17
Or when installed via cloning:
$ python3 fuzzer.py --payloads /path/to/payload/directory/ --targets targets.txt --threads 17