Archive for the 'Peach' Category
Fuzzing SQL Stored Procedures
Another fun fuzzing target are SQL Stored Procedures. This was a hotbed for exploits a number of years ago and remains a hot topic thanks to the plethora of web applications providing a target rich environment. Oddly, there are few tools available for fuzzing stored procedure, most of which are simple one offs with limited abilities.
Peach see’s stored procedures as callable methods with parameters and possible return types. This allows creating anything from super simple to very complex state machines around your set of stored procedures. Additionally there is the typical rich set of data modeling tools available for specifying the parameter data.
The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database. ?????? ????? ????
Example 1 – Simple Stored Procedure
Our first example is very simple, we will have a single stored procedure called “testproc” that accepts a single parameter “parameter1” that is typed as a “varchar(255).”
The MySQL database schema looks like this:
create table if not exists testtable ( msg varchar(255) ); delimiter // CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255)) BEGIN insert into testtable (msg) values (parameter1); END; //
Next we need to create out Peach PIT file, this will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk with MySQL.
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">
<Include ns="default" src="file:defaults.xml"/>
<Include ns="pt" src="file:PeachTypes.xml"/>
<DataModel name="TheDataModel">
<String value="Peachy"/>
</DataModel>
<StateModel name="TheState" initialState="Initial">
<State name="Initial">
<Action type="call" method="call testproc(?)">
<Param name="p1" type="in">
<DataModel ref="TheDataModel"/>
</Param>
</Action>
</State>
</StateModel>
<Test name="TheTest">
<StateModel ref="TheState"/>
<Publisher class="sql.Odbc">
<Param name="dsn" value="TestMySql/root/password"/>
</Publisher>
</Test>
<Run name="DefaultRun">
<Test ref="TheTest"/>
</Run>
</Peach>
?????? ????? ???? ?????? ????? ????
And that’s it! Now, obviously there is little point to fuzzing our example method. The real targets for our fuzzing are the built in methods that ship with most SQL servers, or 3rd party “native” stored procedures (those written in languages like C, or C++).
Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach! If you have any questions please post them on the Peach mailing list.
No commentsChanging Defaults for Data Elements
One feature that has been much requested for Peach is the ability to change data element defaults, for example the default byte order for numbers, or string type (wchar, char, utf8, etc). Now in Peach 2.3 this is possible by using the top level <Defaults> element. ?????? ????? ???? ????? ????? ?????
???? ??????? ????? ??????????? ???? ?????? ???
To change the defaults for the Number element so they are unsigned and big endian you would use the following XML: ?????? ???????
<Defaults> <Number signed=”false” endian=”big” /> </Defaults> ???? ?a????????? ?????No comments
Fuzzing Shared Libraries
Fuzzing shared libraries is not the most common of tasks, but is a useful tool to have available. Many times methods exposed by scripting languages such as JavaScript, PHP, etc are simply methods exposed by a shared library (DLL for you windows peeps).
Sadly most fuzzers do not support fuzzing shared libraries directly, so typically one was stuck dusting off something like SPIKE, or some other framework and writing some custom code to drive everything. Things can get even more complicated if the exposed methods you are fuzzing take complex types comprised of structures with pointers to other structures, etc.
Enter Peach. Peach has always been capable of loading shared libraries and making function calls, however not until version 2.3 has Peach supported complex structure types and pointers.
Lets take a look at a few samples to get an idea of how easy this is with Peach.
Use Case #1 – Non-complex data types ?????????????? ? ??????????
Out first example will emulate the follow code:
mydll.Initialize(); mydll.DoCoolThings( char* s );
First we will need to create a quick data model for our “s” parameter:
<DataModel name=”s”> <String value=”Hello World!” /> </DataModel>
Next is the state model that will have the method calls:
<StateModel name=”TheStateModel” initialState=”State1”>
<State name=”State1”>
<Action type=”call” method=”Initialize” />
<Action type=”call” method=”DoCoolThings”>
<Param name=”s” type=”in”>
<DataModel ref=”s” />
</Param>
</Action>
</State>
</StateModel>
And finally we will need to configure a publisher:
??? ??????? ?????????? ???????? ?????
<Publisher class=”dll.Dll”> <Param name=”library” value=”mydll.dll” /> </Publisher>
And that’s it!
Use Case #2 – Complex data types
Now, lets change to the definition of DoCoolThings to this:
struct otherstruct
{
int a;
int b;
};
struct mystruct
{
struct otherstruct * val;
};
mydll.DoCoolThings( struct mystruct *s);
First we will need data models:
<DataModel name=”otherstruct”> <Number name=”a” size=”32” value=”0” /> <Number name=”b” size=”32” value=”0” /> </DataModel> <DataModel name=”mystruct” pointer=”true”> <Block ref=”otherstruct” pointer=”true” /> </DataModel>
Next we need the sate model:
<StateModel name=”TheStateModel” initialState=”State1”>
<State name=”State1”>
<Action type=”call” method=”Initialize” />
<Action type=”call” method=”DoCoolThings”>
<Param name=”s” type=”in”>
<DataModel ref=”mystruct” />
</Param>
</Action>
</State>
</StateModel>
And finally we will need to configure a publisher:
<Publisher class=”dll.Dll”> <Param name=”library” value=”mydll.dll” /> </Publisher>
And there you go. Easy! I hope this was a good introduction to fuzzing shared libraries with Peach.
2 commentsPeach Dojo @ CanSecWest 2009
CanSecWest 2009 is coming up in March and we are offering a two day Peach Dojo! For more information and pricing check out the CanSecWest website.
Ghosts of Mars divx download Owning Mahowny movie
No commentsPeach 2.1 BETA2 Released
Two Rode Together movies The latest in the Peach 2 series has been posted. This release includes many bug fixes, features, improvements, and supercedes 2.0 as the recommended version to use.
- Unittests to improve stability and reliability
- Improved COM support including properties
- Improved state machine
- Fuzz network clients easily by listening for connections, not just creating them
- Remote publishers allow sending data through a Peach Agent to a remote host
- Improved Linux and OS X support via debugger.UnixGdb monitor (uses beta pygdb module)
- Deterministic fuzzing will perform test count calculation in separate thread to speed fuzzing
- Improved documentation. See the Peach 2 Tutorial which is quickly becoming the Peach 2 Guide :)
Nights in Rodanthe movie download
download open season divx Beauty and the Beast movie
No comments
Peach 2.1 BETA1 Released!
I’m just about to jet up to CanSecWest this is it full movie , and though I would toss up a beta of Peach 2.1. Peach 2.1 includes a new state machine which allows modeling the state of a protocol at a high level. This makes complex fuzzer creation much easier. Additionally, call based fuzzers such as COM are much easier to fuzz.
PS- If your up at CanSecWest be sure to check out my talk on Peach Friday morning.
No comments