Peach see’s stored procedures as callable methods with parameters and possible return types.  This allows creating anything from super simple to very complex state machines around your set of stored procedures.  Additionally there is the typical rich set of data modeling tools available for specifying the parameter data.

The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database. ?????? ????? ????

Example 1 – Simple Stored Procedure

Our first example is very simple, we will have a single stored procedure called “testproc” that accepts a single parameter “parameter1” that is typed as a “varchar(255).”

The MySQL database schema looks like this:

?????? ????? ????

create table if not exists testtable (
   msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
   insert into testtable (msg) values (parameter1);
END;
//

Next we need to create out Peach PIT file, this will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk with MySQL.

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

       <Include ns="default" src="file:defaults.xml"/>
       <Include ns="pt" src="file:PeachTypes.xml"/>

       <DataModel name="TheDataModel">
               <String value="Peachy"/>
       </DataModel>

       <StateModel name="TheState" initialState="Initial">

               <State name="Initial">
                       <Action type="call" method="call testproc(?)">
                               <Param name="p1" type="in">
                                       <DataModel ref="TheDataModel"/>
                               </Param>
                       </Action>
               </State>
       </StateModel>

       <Test name="TheTest">
               <StateModel ref="TheState"/>

               <Publisher class="sql.Odbc">
                       <Param name="dsn" value="TestMySql/root/password"/>
               </Publisher>
       </Test>

       <Run name="DefaultRun">
               <Test ref="TheTest"/>
       </Run>
</Peach>

  ?????? ????? ???? ?????? ????? ????

And that’s it!  Now, obviously there is little point to fuzzing our example method.  The real targets for our fuzzing are the built in methods that ship with most SQL servers, or 3rd party “native” stored procedures (those written in languages like C, or C++).

Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach!  If you have any questions please post them on the Peach mailing list.

???? ??????? ????? ??????????? ???? ?????? ???

??????? ???????????

?????????? ??????? amr

To change the defaults for the Number element so they are unsigned and big endian you would use the following XML: ?????? ???????

???? ??????? ???? ?????

<Defaults>
  <Number signed=”false” endian=”big” />
</Defaults> ???? ?a????????? ????? 

Sadly most fuzzers do not support fuzzing shared libraries directly, so typically one was stuck dusting off something like SPIKE, or some other framework and writing some custom code to drive everything.  Things can get even more complicated if the exposed methods you are fuzzing take complex types comprised of structures with pointers to other structures, etc.

download this is it movie

Enter Peach.  Peach has always been capable of loading shared libraries and making function calls, however not until version 2.3 has Peach supported complex structure types and pointers.

Lets take a look at a few samples to get an idea of how easy this is with Peach.

Use Case #1 – Non-complex data types ?????????????? ? ??????????

Out first example will emulate the follow code:

mydll.Initialize();
mydll.DoCoolThings( char* s );

?????? ????? ??????

?????? ????? ???????? ???????

First we will need to create a quick data model for our “s” parameter:

<DataModel name=”s”>
  <String value=”Hello World!” />
</DataModel>

Next is the state model that will have the method calls:

<StateModel name=”TheStateModel” initialState=”State1”>
  <State name=”State1”>
    <Action type=”call” method=”Initialize” />
    <Action type=”call” method=”DoCoolThings”>
      <Param name=”s” type=”in”>
        <DataModel ref=”s” />
      </Param>
    </Action>
  </State>
</StateModel>

• ????? ????????? ?????????

And finally we will need to configure a publisher:

??? ??????? ?????????? ???????? ?????

<Publisher class=”dll.Dll”>
  <Param name=”library” value=”mydll.dll” />
</Publisher>

c??? ???? ?????? ????? ?????

And that’s it!

Use Case #2 – Complex data types

Now, lets change to the definition of DoCoolThings to this:

struct otherstruct
{
  int a;
  int b;
};

struct mystruct
{
  struct otherstruct * val;
};

mydll.DoCoolThings( struct mystruct *s);

First we will need data models:

<DataModel name=”otherstruct”>
  <Number name=”a” size=”32” value=”0” />
  <Number name=”b” size=”32” value=”0” />
</DataModel>

<DataModel name=”mystruct” pointer=”true”>
  <Block ref=”otherstruct” pointer=”true” />
</DataModel>

Next we need the sate model:

<StateModel name=”TheStateModel” initialState=”State1”>
  <State name=”State1”>
    <Action type=”call” method=”Initialize” />
    <Action type=”call” method=”DoCoolThings”>
      <Param name=”s” type=”in”>
        <DataModel ref=”mystruct” />
      </Param>
    </Action>
  </State>
</StateModel>

And finally we will need to configure a publisher:

Zoe Saldana Neytiri

<Publisher class=”dll.Dll”>
  <Param name=”library” value=”mydll.dll” />
</Publisher>

And there you go. Easy! I hope this was a good introduction to fuzzing shared libraries with Peach.

CanSecWest 2009 is coming up in March and we are offering a two day Peach Dojo!  For more information and pricing check out the CanSecWest website.

Time Bomb

Ghosts of Mars divx download Owning Mahowny movie

Course Details

The Contract Killer film The first beta of Peach 2.3 should hit sourceforge this week, it’s currently undergoing it’s first major rollout for testing.  With the new I’ll be posting up a number of what’s new how too’s.

Also look for a series of "Advanced Peach" articles that will cover some of the advanced uses of Peach for complex file types and network protocols.

spider man 2 download HD

HD the wrestler download

Enemy at the Gates buy

• The Hitcher II: Ive Been Waiting hd

A Dennis the Menace Christmas dvdrip

The AristoCats dvd

Funny Games U.S. rip wanted dvd Tirante el Blanco divx

Figaro and Cleo ipod

• ??????? ???

Deep Blue Sea movies

The past ph-neutral security conferences in Berlin I have attended were all very fun, laid back, and informative.  The European security “underground” scene is highly refreshing after so many high cost US conferences.  Additionally the people are excellent and provide for good conversations.  This years ph-neutral was no exception and was held at an Island club, providing more space for this ever growing conference.  This year was packed as usual with a record high of 450 pre-registrations.

????? ???? ??? ?????

Sophies Choice buy Revolution Summer full I originally wrote Peach 1 at ph-neutral 4 or 5 years ago, so it seemed fitting to come back and talk about Peach 2.  I had a blast and look forward to next year.

Just Add Water hd The Backwoods full movie

Punch-Drunk Love ipod

• Love N’ Dancing ipod

??? ????????? ?????? ?????

A Cinderella Story trailer

Confessions of an Innocent Man move ???????? ?????????

• download titanic dvd ??????? ????? ???????? ? ?????????

Teaching Mrs. Tingle ipod Shrek 2 ipod

• From Beyond hd

Space Buddies dvd

Balls of Fury dvd download Flight of the Phoenix movie

ph-neutral Catch a Fire movie download

Spartan film

• Witchboard movie full

The Spider Woman movie

First off, what is the unsafe keyword and how can it be used?  Glad you asked, unsafe allows for the use of pointers in .NET code.  This includes pointers to managed objects such as arrays and strings.  To use the unsafe keyword the assembly or executable must be compiled with a special flag allowing for unsafe code blocks.  The resulting assembly/executable will not be verifiable by the CLR.

Modification of Immutable Types

Three psp

Tenderness video

With power comes the temptation to modify immutable types such as strings.  Resist this urge as the CLR does a number of internal optimizations for known immutable types like strings.  Modification of these immutable types can and will cause instability in the CLR, and have interesting ramifications.  For example, some versions of the CLR keep only a single copy of strings.  So if I created three strings, all with the value "Hello World", I would really only have three references to the same string.  This is okay since the string object is immutable.  However, if I take a pointer to the string and change its contents I will end up changing the contents of all three strings!!

Managed Pointers and Pinning

The .NET memory manager can move values and object instances around in memory as needed.  So, if we are going to get a pointer to such a memory region we need to tell the memory manager not to move that memory on us.  Enter object pinning.  Pinning tells the CLR not to move something until it is unpinned.  A typical bug in unsafe code is when a managed pointer is held on to and used after it’s reference has been unpinned.  This is a hard bug to detect as the program may run fine most of time and the crashes that occur may not be obviously linked to the unsafe code.

In the C# managed language, pinning typically occurs using the "fixed" block.  This makes it easier to spot issues.  I recommend avoiding other methods of pinning variables as they can be harder to review.

• ???????? ????? ???????

Good Dick download Queen of the Damned dvdrip The managed extensions to C++ also provide what feels like "lower level" control over variable pinning.  This is typically harder to review, but then if you are writing in MC++ you should already know what your about :)

Buffer Overflows and other Pointer Issues

• Creep trailer

Shutter movie

Good Luck Chuck divx

With the unsafe keyword and pointer math come all the standard security issues those C/C++ developers need to worry about.  There is a real possibility of causing buffer overflows that result in exploitable conditions in .NET applications.  Buffer manipulation should be reviewed just like C/C++ for possible overflows.

• Austin Powers in Goldmember trailer

The Last Winter ipod

• ??????? ???????

• Babe: Pig in the City ipod

• Confessions of an Innocent Man movie full
  • Anatomy of a Murder psp

Caddyshack movie

• Deep Blue Sea psp A Life Less Ordinary full movie

And so ends part 1 of this article.  Please feel free to comment on this post with questions and comments.

• Kellys Heroes buy

Head of State rip ????????? ????? ?????

I’m currently running around Europe dropping in on a few security conferences.  Wednesday and Thursday have me in Ghent, Belgium at the OWASP AppSec 08 conference.  I’ll be jumping onstage Thursday morning to talk about two of my OWASP projects (see below).

Just Add Water buy

First time in Belgium, and I must say the Cherry Lambic is nice and it feels like a slower pace then the Netherlands with similar architecture.

OWASP AppSec 08 Belgium

OWASP Encoding Project (Reform)

OWASP .NET WebService Validation ??????????? ????? ???? ??????? ???????

• ????? ???? ????? ?? ???????

Machined Reborn Fighting with Anger hd Two Mules for Sister Sara full movie

Night at the Museum 2: Battle of the Smithsonian buy

Encoding output to prevent cross site scripting (XSS) is old news to most in the web security community, but it’s still an area that is done incorrectly, or with out thought to future issues that might arise.  Additionally, with the explosion of AJAX based applications there is a lack of encoding tools that target JavaScript or provide an implementation for JavaScript.

30 Days of Night movie full Stepmom video

Screamers: The Hunting download

Cheaper by the Dozen 2 divx

• Killer at Large movie download

Standard framework utilities for encoding output (Server.HtmlEncode, etc) only encode the most basic set of characters needed, &, <, >, and ".  In a perfect world this would be enough, but in the day and age of browser bugs, broken Unicode libraries, and lenient HTML interpretation that can lead to occasional sloppy coding more is needed to protect our applications.  Enter the Reform encoding library.

Of specific mention is correct context aware output encoding.  The context could be "html body", "html attribute", "css", "javascript", etc.  It’s important to understand how your data will get treated to know how it needs to be encoded.  It’s because of context issues that one must encode on output of data instead of input.  Unfortunately there are no shortcuts :)

The Refrom encoding library, also known as the OWASP Encoding Project, provides conservative functions for performing different types of encoding’s that are needed in today’s web applications in a large variety of languages.  Currently there is support for: Java, C, Python, Perl, PHP, Ruby, JavaScript, ASP.NET, and Classic ASP.  All of the Reform functions are internationalization safe, are easy to use, and prevent all known types of XSS issues when used correctly.

What is encoded?

• Everything but: A-Z, a-z, 0-9, space [ ], comma [,], and period [.]
• Unicode is always encoded

download Fried Green Tomatoes dvd

Slumdog Millionaire movies

Black Eagle move

The Covenant movie

Asterix and the Vikings full movie

The following functions are provided: download no man s land the rise of reeker

• HtmlEncode — Encode data for display in a block of HTML or HTML attribute.
• JsEncode — Encode data into a JavaScript literal
• VbsEncode — Encode data into a VBScript string literal

Microsoft’s AntiXss Library

An alternative to Reform is the Microsoft AntiXss Library.  Both libraries are functionally equivalent and in fact were designed by the same people.

Pufnstuf hd Reform can be downloaded from here.

Sneakers video

Desperate Hours the movie

The Postman buy ??????????? ???????? ???

Pokemon: Mewtwo Returns trailer

Shanghai Kiss film

P2 film Until the End of the World move

d a r y l movie

????? ??????? ?????? ???????? ????? ??????

shaman ?????

Abominable move

Nightstalker One Tough Bastard

Strange Wilderness dvdrip

• Bart Got a Room psp

????? ??????? ????????

Jurassic Park III trailer