Changes to Fuzzing Strategies in Peach 2.3.8

•February 1, 2011 • 2 Comments

Fuzzing strategies in Peach define the methodology for how data is mutated or modified in Peach.  Traditionally the strategy was specified on the command line and changed for all tests being run.  This proved limiting and required the person running the fuzzer to know which strategy to use.  Additionally, it was near impossible to pass arguments or additional information to the strategy.

With the latest commit of Peach 2.3.8 this is changing.  Instead of a command line parameter a new child element called <Strategy> can be specified in the <Test> element.  Additionally the strategy has the ability to parse attributes or sub-elements for configuration.  This allows different <Test> configurations to use different strategies.

Example:

<!– Our Test element will link together our state model and publisher –>
<Test name="HelloWorldTest">
    <StateModel ref="State"/>
    <Publisher class="stdout.Stdout" />
    <Strategy class="rand.RandomMutationStrategy"/>

</Test>

Posted in Peach

Peach Training @ CanSecWest 2011

•January 29, 2011 • Leave a Comment

I’m happy to announce that we will once again be offering the Peach training at CanSecWest 2011 in Vancouver, BC.  Register now for the best price!

http://cansecwest.com/dojos/2011/csw_2_01.html

Description

The entirety of the course is student centric, hands on, and lab intensive. On day one, students will be instructed on the use of the Peach Fuzzing Platform, from a practitioner’s perspective, learning the ways in which Peach can be used to fuzz a variety of targets including network protocol parsers, ActiveX/COM interfaces, file parsers, APIs, and web services. Students will build and run fuzzers that target real world applications.

On the second day, students will be exposed to the internals of Peach for a developer’s perspective. The Peach architecture and module interfaces will be explained in great detail as to equip students with the skills necessary to extend and adapt Peach to their custom needs. Students will then develop their own Peach extensions in a lab environment to reinforce these concepts.

Topics

Upon completion of this course, students will be enabled to create effective fuzzers that target:

  • State-aware network protocol parsers
  • N-tier applications
  • Arbitrary APIs
  • File parsers
  • COM and Active/X components
  • Extend the Peach Fuzzing Platform
  • Apply these concepts and tools to their unique environment
  • Utilize parallel fuzzing to increase fuzzing efficiency

 

Posted in Peach

Using Code Coverage to Select Fuzzing Sample Files

•November 1, 2010 • 10 Comments

Note: This article covers features in Peach 2.3.7 which is currently in SVN.

Selecting good sample files to use when performing file fuzzing can make all the difference.  However, simply tossing several thousand files into a folder and calling it a day doesn’t make allot of sense.  Instead we can use code coverage to select the minimum number of files to get the most coverage from our target.  Peach includes a tool called “minset” to perform this task for us.

The minset tool is located in “c:\peach\tools\minset” and contains a test setup that can be run by saying “test.bat”.

Minset has several modes of operation, from simple to more complex.  We will first cover the simplest usage.

Simple Usage Example

Syntax:

minset [-k] –s samples -m minset command.exe %s

  • -k               Optional argument when using graphical programs that do not automatically close
  • -s samples    This is the folder containing sample files to get coverage of
  • -m minset     This is the folder to place the minimum set of files into
  • command.exe  The target executable to run
  • %s                 Any arguments and also a placeholder for the filename (%s)

This usage will try all files specified by “samples” and place the minimum set of them into the folder “minset”.  The target command will get run as “command.exe filename”.

Example Usage – Command Line Target:

minset -s samples\*.png -m minset bin\pngcheck.exe %s

Example Usage – Graphical Target:

minset –k -s docs\*.doc -m minset "C:\Program Files (x86)\Microsoft Office
Office14\winword.exe" %s

Depending on the complexity of the target program, this type of code coverage can take a while.

Separated Tracing and Coverage Analysis

For complex programs, or when performing coverage on a large set of files you may want to distribute the task across several machines.  To support this minset is able to run just the coverage trace separate from the analysis portion.  This allows running coverage traces on multiple machines then running the analysis on the results.

Running Minset in Coverage Trace Mode

minset [-k] –s samples –t traces command.exe args %s

This command line will perform coverage traces using the sample files in “samples” and place the resulting traces into the folder “traces”.  This is the part you will want to distribute.

Running Minset in Analysis Mode

minset –s samples –t traces –m minset

All of your generated traces must be in “traces” and all of the sample files in “samples”.  Minset will perform the coverage analysis and place the minimum set of files into “minset”.

Normally the analysis process is not distributed, however for especially large sets of sample files you may wan to run the analysis after collecting traces on every node then combining the resulting minsets for a final pass.

Posted in Peach, Tool

Using .NET Assemblies with Peach 2

•October 20, 2010 • Leave a Comment

This is not a common task, but there have been a number of times when I’ve wanted to write something in C#/Microsoft .NET or have had access to a nice library.  Happily there is a python to .NET bridge that allows using .NET assemblies just like python classes.  These are the steps and software you will need to make it happen.

First, here is the setup I’ll be starting with:

  • Windows 7 (32 or 64bit)
  • ActiveState Python v2.5 32bit (c:\python25)
  • Source version of Peach (from svn) (c:\peach)

Next you will need “Python for .NET” which you can download from here.  At the time of writing the binary version was for .NET 2.0 and Python 2.5.  I do not recommend compiling from scratch unless you know what your about.

Unzip the archive someplace.  For the sake of this article lets unzip it to “c:\pnet”.

You will also want to create your Peach PIT file and place it in this folder along with any python code you might have written.

To use a .NET assembly you can simply use “from/import” as normal.  The python patch will be searched just like for a python module.  So for example you could say “from System.Reflection import Assembly” and then you have access to the .NET Assembly class!

OKAY – Now that you have your PIT and some code that uses .NET it’s time to run everything.  This is were the source version of Peach comes in.  The “python.exe” that we got from Python for .NET will load the normal binary Python runtime, but also special code to interact with .NET.  This is all hidden, just run peach using this custom executable like normal:

python.exe c:\peach\peach.py mydotnet.xml

And that’s it!

NOTE FOR 64BIT USERS

If your on a 64bit machine you will get an error running this.  You must mark python.exe as requiring the 32bit .NET runtime.  This is fairly easy assuming you have the Windows SDK.

"c:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\x64\CorFlags.exe" python.exe /32BIT+

Posted in Peach

Looking forward to Peach 3

•October 15, 2010 • 5 Comments

Peach 3 is the next major release of Peach and is currently under development.  Peach 3 will be a complete re-write of Peach using the C# language and .NET Framework.  We will keep cross-platform support thanks to the Mono project.

Features

  • Cross platform support (Linux, OS X, Windows, etc.)
  • Mono compatibility
  • Backwards comparable with existing Peach definitions
  • Easier to drive Peach programmatically
  • Design to allow for next generation of fuzzing technology
  • A number of GUI programs for:
    • Simple File Fuzzing
    • Simple Network Fuzzing

Reasons For Switch

  • Better development tools
  • Better GUI support (even cross-platform)
  • Better dependency support (no more module hell)
  • Much better XML library (schema validation!!)
    • Proper web services support!
  • Full COM/DCOM support, etc.
  • Language more suited to what Peach has become

Posted in Peach
Tags:

Fuzzing SQL Stored Procedures

•July 15, 2009 • 4 Comments

Another fun fuzzing target are SQL Stored Procedures.  This was a hotbed for exploits a number of years ago and remains a hot topic thanks to the plethora of web applications providing a target rich environment.  Oddly, there are few tools available for fuzzing stored procedure, most of which are simple one offs with limited abilities.

Peach see’s stored procedures as callable methods with parameters and possible return types.  This allows creating anything from super simple to very complex state machines around your set of stored procedures.  Additionally there is the typical rich set of data modeling tools available for specifying the parameter data.

The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database.

Example 1 – Simple Stored Procedure

Our first example is very simple, we will have a single stored procedure called “testproc” that accepts a single parameter “parameter1” that is typed as a “varchar(255).”

The MySQL database schema looks like this:

create table if not exists testtable (

   msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
   insert into testtable (msg) values (parameter1);
END;
//

 

Next we need to create out Peach PIT file, this will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk with MySQL.

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

       <Include ns="default" src="file:defaults.xml"/>
       <Include ns="pt" src="file:PeachTypes.xml"/>

       <DataModel name="TheDataModel">
               <String value="Peachy"/>
       </DataModel>

       <StateModel name="TheState" initialState="Initial">

               <State name="Initial">
                       <Action type="call" method="call testproc(?)">
                               <Param name="p1" type="in">
                                       <DataModel ref="TheDataModel"/>
                               </Param>
                       </Action>
               </State>
       </StateModel>

       <Test name="TheTest">
               <StateModel ref="TheState"/>

               <Publisher class="sql.Odbc">
                       <Param name="dsn" value="TestMySql/root/password"/>
               </Publisher>
       </Test>

       <Run name="DefaultRun">
               <Test ref="TheTest"/>
       </Run>
</Peach>

And thats it!  Now, obviously there is little point to fuzzing our example method.  The real targets for our fuzzing are the built in methods that ship with most SQL servers, or 3rd party “native” stored procedures (those written in languages like C, or C++).

Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach!  If you have any questions please post them on the Peach mailing list.

Posted in Peach

Changing Defaults for Data Elements

•July 11, 2009 • Leave a Comment

One feature that has been much requested for Peach is the ability to change data element defaults, for example the default byte order for numbers, or string type (wchar, char, utf8, etc).  Now in Peach 2.3 this is possible by using the top level <Defaults> element.

To change the defaults for the Number element so they are unsigned and big endian you would use the following XML:

<Defaults>
  <Number signed="false" endian="big" />
</Defaults>

Posted in Peach

« Previous Entries
 
Follow

Get every new post delivered to your Inbox.