Archive for the 'Peach' Category

First Peach Training

August 04th, 2008 | Category: Peach

  The first Peach training at Blackhat finished today and it was a blast.  This first class had about 18 people in it writing fuzzers for PNG, QuakeWorld, Yahoo! IM Client, and Quicktime.  Everyone learned a lot, we found a number of bugs, and we are planning on many improvements to the error messages and debugging of Peach fuzzers based on this first class.

Tomorrow is the start of the second class; hopefully it will be just as fun as the first.

Thanks to everyone who signed up!


Peach 2.1 BETA3 Bug Patch #2

June 15th, 2008 | Category: Peach

A big thanks to Chris Clark, who found the second patch-worthy bug. This is a gnarly bug in the Mutator code that would sometimes cause a mutator to get skipped.  Chris is also the first to submit a new custom mutator that will be included in the next release, Peach 2.1.  Thanks Chris!

See this mail list post to correct the problem.


Peach 2.1 - Fuzzing GUI Applications

June 13th, 2008 | Category: Peach

I’ve had a few emails about fuzzing file formats consumed by GUI applications; these are applications that display a window, such as image viewers, movie players, etc.  Included in Peach 2.1 is good support for fuzzing these types of applications on Windows.  People on OS X and Unix are sadly out of luck for now.

The following article will walk you through an example file fuzzer.


Peach 2.1 - Fixups, checksums, crc32’s

June 13th, 2008 | Category: Peach

Peach 2.1 includes a much improved mechanism for performing what I call data fix-ups, where we calculate the checksums required to make our data correct.  Many protocols and most file formats include some form of checksum field to verify that data was not corrupted.  When we generate or mutate data, we want to make sure we re-calculate these checksums after our modifications; otherwise we will likely not get very far down the parser code paths due to failed validations.

Peach 2.1 BETA3 includes the following fixups out of the box:

  • checksums.Crc32Fixup — This fixup computes the standard CRC32 as defined by ISO 3309 and is used by PNG, zip, etc.
  • checksums.EthernetChecksumFixup — Computes the ethernet checksum.
  • checksums.IcmpChecksumFixup — Computes the ICMP packet checksum.
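Why the fix-up matters, shown on a single PNG chunk. This is an added example, not code from Peach or from the original post; it does not use Peach's `checksums.Crc32Fixup`, and every function name and the sample IHDR data are assumptions constructed for illustration.

```python
import struct
import zlib

def build_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length | type | data | CRC32(type + data)."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)

def parse_chunk(blob: bytes):
    """Stand-in for the target parser: (type, data), or None if validation fails."""
    if len(blob) < 12:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) != 12 + length:
        return None
    chunk_type, data = blob[4:8], blob[8:8 + length]
    (stored,) = struct.unpack(">I", blob[8 + length:])
    if stored != zlib.crc32(chunk_type + data) & 0xFFFFFFFF:
        return None  # parser bails out here; deeper code paths are never reached
    return chunk_type, data

def mutate(blob: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte of the chunk's data field (a minimal mutator)."""
    out = bytearray(blob)
    out[8 + offset] = value
    return bytes(out)

def crc32_fixup(blob: bytes) -> bytes:
    """Recompute the trailing CRC32 over type + data after mutation."""
    body = blob[:-4]
    return body + struct.pack(">I", zlib.crc32(body[4:]) & 0xFFFFFFFF)

# Constructed sample: IHDR for a 1x1, 8-bit, RGB image (13 bytes of data).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)

def demo():
    original = build_chunk(b"IHDR", IHDR)
    mutated = mutate(original, 8, 0xFF)  # corrupt the bit-depth byte
    return (parse_chunk(original),
            parse_chunk(mutated),               # stale CRC: rejected early
            parse_chunk(crc32_fixup(mutated)))  # CRC fixed: mutation reaches parser

if __name__ == "__main__":
    for label, result in zip(("original", "mutated", "mutated+fixup"), demo()):
        print(label, "->", result)
```
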


Peach 2.1 BETA3 Bug Patch

June 13th, 2008 | Category: Peach

Well, it was bound to happen: the first “stupid developer” (that’s me ;) bug was reported.  I have a patch posted up to the mailing list.  This bug affects the <Number> element when specifying valueType="hex" values.  Additionally, I fixed the Tutorial_DHCP-Request.xml so it works with beta3.

Thanks to David for reporting this bug.

Patch and List Post


Peach 2.1 - Exposed Mutators - Part 1

June 13th, 2008 | Category: Peach

Peach 2.1 BETA3 exposes the mutators used by Peach to perform fuzzing.  Each mutator performs a specific mutation.  Custom mutators can be created and included; additionally, the order in which mutators are used can be customized for all fuzzers down to specific tests.
