Slides from my talk at CanSecWest 2013 are online. Thanks again to all the peeps who make this such a great conference year after year.
Just realized how long it’s been since I’ve posted. Been busy growing Déjà vu Security and working on the new version of Peach. The new v3 has been in final testing and should released this week (cross-fingers).
The latest bits are always available from git via source forge.
Along with a new version of Peach we have moved to using a support forum instead of mailing list for this latest version. The support forums are located here.
Fuzzing strategies in Peach define the methodology for how data is mutated or modified in Peach. Traditionally the strategy was specified on the command line and changed for all tests being run. This proved limiting and required the person running the fuzzer to know which strategy to use. Additionally, it was near impossible to pass arguments or additional information to the strategy.
With the latest commit of Peach 2.3.8 this is changing. Instead of a command line parameter a new child element called <Strategy> can be specified in the <Test> element. Additionally the strategy has the ability to parse attributes or sub-elements for configuration. This allows different <Test> configurations to use different strategies.
<!– Our Test element will link together our state model and publisher –>
<Publisher class="stdout.Stdout" />
I’m happy to announce that we will once again be offering the Peach training at CanSecWest 2011 in Vancouver, BC. Register now for the best price!
The entirety of the course is student centric, hands on, and lab intensive. On day one, students will be instructed on the use of the Peach Fuzzing Platform, from a practitioner’s perspective, learning the ways in which Peach can be used to fuzz a variety of targets including network protocol parsers, ActiveX/COM interfaces, file parsers, APIs, and web services. Students will build and run fuzzers that target real world applications.
On the second day, students will be exposed to the internals of Peach for a developer’s perspective. The Peach architecture and module interfaces will be explained in great detail as to equip students with the skills necessary to extend and adapt Peach to their custom needs. Students will then develop their own Peach extensions in a lab environment to reinforce these concepts.
Upon completion of this course, students will be enabled to create effective fuzzers that target:
- State-aware network protocol parsers
- N-tier applications
- Arbitrary APIs
- File parsers
- COM and Active/X components
- Extend the Peach Fuzzing Platform
- Apply these concepts and tools to their unique environment
- Utilize parallel fuzzing to increase fuzzing efficiency
Note: This article covers features in Peach 2.3.7 which is currently in SVN.
Selecting good sample files to use when performing file fuzzing can make all the difference. However, simply tossing several thousand files into a folder and calling it a day doesn’t make allot of sense. Instead we can use code coverage to select the minimum number of files to get the most coverage from our target. Peach includes a tool called “minset” to perform this task for us.
The minset tool is located in “c:\peach\tools\minset” and contains a test setup that can be run by saying “test.bat”.
Minset has several modes of operation, from simple to more complex. We will first cover the simplest usage.
Simple Usage Example
minset [-k] –s samples -m minset command.exe %s
- -k Optional argument when using graphical programs that do not automatically close
- -s samples This is the folder containing sample files to get coverage of
- -m minset This is the folder to place the minimum set of files into
- command.exe The target executable to run
- %s Any arguments and also a placeholder for the filename (%s)
This usage will try all files specified by “samples” and place the minimum set of them into the folder “minset”. The target command will get run as “command.exe filename”.
Example Usage – Command Line Target:
minset -s samples\*.png -m minset bin\pngcheck.exe %s
Example Usage – Graphical Target:
minset –k -s docs\*.doc -m minset "C:\Program Files (x86)\Microsoft Office
Depending on the complexity of the target program, this type of code coverage can take a while.
Separated Tracing and Coverage Analysis
For complex programs, or when performing coverage on a large set of files you may want to distribute the task across several machines. To support this minset is able to run just the coverage trace separate from the analysis portion. This allows running coverage traces on multiple machines then running the analysis on the results.
Running Minset in Coverage Trace Mode
minset [-k] –s samples –t traces command.exe args %s
This command line will perform coverage traces using the sample files in “samples” and place the resulting traces into the folder “traces”. This is the part you will want to distribute.
Running Minset in Analysis Mode
minset –s samples –t traces –m minset
All of your generated traces must be in “traces” and all of the sample files in “samples”. Minset will perform the coverage analysis and place the minimum set of files into “minset”.
Normally the analysis process is not distributed, however for especially large sets of sample files you may wan to run the analysis after collecting traces on every node then combining the resulting minsets for a final pass.
This is not a common task, but there have been a number of times when I’ve wanted to write something in C#/Microsoft .NET or have had access to a nice library. Happily there is a python to .NET bridge that allows using .NET assemblies just like python classes. These are the steps and software you will need to make it happen.
First, here is the setup I’ll be starting with:
- Windows 7 (32 or 64bit)
- ActiveState Python v2.5 32bit (c:\python25)
- Source version of Peach (from svn) (c:\peach)
Next you will need “Python for .NET” which you can download from here. At the time of writing the binary version was for .NET 2.0 and Python 2.5. I do not recommend compiling from scratch unless you know what your about.
Unzip the archive someplace. For the sake of this article lets unzip it to “c:\pnet”.
You will also want to create your Peach PIT file and place it in this folder along with any python code you might have written.
To use a .NET assembly you can simply use “from/import” as normal. The python patch will be searched just like for a python module. So for example you could say “from System.Reflection import Assembly” and then you have access to the .NET Assembly class!
OKAY – Now that you have your PIT and some code that uses .NET it’s time to run everything. This is were the source version of Peach comes in. The “python.exe” that we got from Python for .NET will load the normal binary Python runtime, but also special code to interact with .NET. This is all hidden, just run peach using this custom executable like normal:
python.exe c:\peach\peach.py mydotnet.xml
And that’s it!
NOTE FOR 64BIT USERS
If your on a 64bit machine you will get an error running this. You must mark python.exe as requiring the 32bit .NET runtime. This is fairly easy assuming you have the Windows SDK.
"c:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\x64\CorFlags.exe" python.exe /32BIT+
Peach 3 is the next major release of Peach and is currently under development. Peach 3 will be a complete re-write of Peach using the C# language and .NET Framework. We will keep cross-platform support thanks to the Mono project.
- Cross platform support (Linux, OS X, Windows, etc.)
- Mono compatibility
- Backwards comparable with existing Peach definitions
- Easier to drive Peach programmatically
- Design to allow for next generation of fuzzing technology
- A number of GUI programs for:
- Simple File Fuzzing
- Simple Network Fuzzing
Reasons For Switch
- Better development tools
- Better GUI support (even cross-platform)
- Better dependency support (no more module hell)
- Much better XML library (schema validation!!)
- Proper web services support!
- Full COM/DCOM support, etc.
- Language more suited to what Peach has become