Giving Automated Fuzzing a Trial Run with Peach

2 Aug 2014, GPL3

I’ve never found my own bugs and written my own exploits, and that’s a skill I’d like to develop. In that vein, I’ve been trying out the Peach 3 Fuzzer. Here are some of the tutorials I tried out:

Fuzzing with Peach – Part 1

Fuzzing with Peach – Part 2

I also started writing a Peach Pit (incomplete code below) for the RAR file format using the following sources:

The RAR File Format

RAR File Format – Acritum Software

I even discovered someone had already written a Peach Pit albeit for an older version of Peach.

I used to work for a guy who swore by manual fuzzing, and after this experience I’m starting to see why. Peach version 3 seems to have broken some things that were just fine in version 2. You’ll notice an assortment of flags in my code below. Version 2 provided an easy way to include or exclude additional data from your data model depending on whether a flag was set, in the form of a “when” relation. It looked something like this:

<Relation type="when" when="self.find('FLAG_HERE').getInternalValue() != 0"/>

In version 3 the when relation was removed, and the replacement, as far as I can find, is far less intuitive. I also had trouble finding clear documentation and examples for a lot of version 3 functionality (custom fixups in particular). General ideas or barebones examples were available, but nothing that made it particularly newcomer friendly.

This is my first foray into finding my own bugs and writing my own exploits, but at the moment manual fuzzing sounds like an enticing alternative to manually defining an entire file specification. I certainly think Peach could be a useful tool, but I think I’ll explore the manual approach to bug finding before I come back to Peach.

<?xml version="1.0" encoding="utf-8"?>

<Peach>

  <PythonPath path="X:\Programming\winrar_exploit\peach\peach\"/>
  
  <!--Add resources for the custom fixup-->
  <!--<Import import=""/>-->

  <!-- Data model for the RAR file format -->
  <DataModel name="RARFileFormat">

    <!--The MARK_HEAD -->
    <!--Always the same sequence-->
    <String name="Signature" valueType="hex" value="0x526172211A0700" token="true" mutable="false"/>
    
    <!--The MAIN_HEAD -->
    <Block name="MAIN_HEAD">
      <Number name="MAIN_HEAD_CRC" size="16" endian="little" signed="false" mutable="false">
        <!--TODO: custom fixup that recomputes the header CRC after mutation
        <Fixup class="">
        </Fixup>-->
      </Number>
      <Number name="MAIN_HEAD_TYPE" signed="false" value="0x73" token="true" size="8" mutable="false"/>
      <Flags name="MAIN_HEAD_FLAGS" size="16">
        <Flag name="MHD_VOLUME" position="0" size="1"/>
        <Flag name="MHD_COMMENT" position="1" size="1"/>
        <Flag name="MHD_LOCK" position="2" size="1"/>
        <Flag name="MHD_SOLID" position="3" size="1"/>
        <Flag name="MHD_PACK_COMMENT" position="4" size="1"/>
        <Flag name="MHD_AV" position="5" size="1"/>
        <Flag name="MHD_PROTECT" position="6" size="1"/>
        <Flag name="MHD_PASSWORD" position="7" size="1"/>
        <Flag name="MHD_FIRSTVOLUME" position="8" size="1"/>
        <Flag name="MHD_ENCRYPTVER" position="9" size="1" value="0"/>
        <Flag name="UNKNOWN10" position="10" size="1" />
        <Flag name="UNKNOWN11" position="11" size="1" />
        <Flag name="UNKNOWN12" position="12" size="1" />
        <Flag name="UNKNOWN13" position="13" size="1" />
        <Flag name="UNKNOWN14" position="14" size="1" />
        <Flag name="UNKNOWN15" position="15" size="1" />
      </Flags>
      <Number name="MAIN_HEAD_SIZE" size="16" signed="false">
        <Relation type="size" of="MAIN_HEAD"/>
      </Number>
      <Number name="HighPosAv" size="16" signed="false"/>
      <Number name="PosAV" size="32" signed="false"/>
      <!--TODO: ADD ENCRYPTVER-->
    </Block>
    
    <!--FILE_HEAD-->
    <Block name="FILE_HEAD">
      <Number name="FILE_HEAD_CRC" size="16" endian="little" signed="false" mutable="false">
        <!--<Fixup class="">
          
        </Fixup>-->
      </Number>
      <Number name="FILE_HEAD_TYPE" signed="false" value="0x74" token="true" size="8" mutable="false"/>
      <Flags name="FILE_HEAD_FLAGS" size="16">
        <Flag name="LHD_SPLIT_BEFORE" position="0" size="1"/>
        <Flag name="LHD_SPLIT_AFTER" position="1" size="1"/>
        <Flag name="LHD_PASSWORD" position="2" size="1"/>
        <Flag name="LHD_COMMENT" position="3" size="1"/>
        <Flag name="LHD_SOLID" position="4" size="1"/>
        <Flag name="DIC_SIZE" position="5" size="3"/>
        <Flag name="LHD_LARGE" position="8" size="1"/>
        <Flag name="LHD_UNICODE" position="9" size="1"/>
        <Flag name="LHD_SALT" position="10" size="1"/>
        <Flag name="LHD_VERSION" position="11" size="1"/>
        <Flag name="LHD_EXTTIME" position="12" size="1"/>
        <Flag name="LHD_EXTFLAGS" position="13" size="1"/>
        <Flag name="OldVersionIgnore" position="14" size="1"/>
        <Flag name="AddSizePresent" position="15" size="1" value="1"/> <!--SOURCE SAYS THIS IS ALWAYS 1-->
      </Flags>
      <Number name="FileHeadSize" size="16" signed="false">
        <Relation type="size" of="FILE_HEAD"/>
      </Number>
      <Number name="PackSize" size="32" signed="false">
        <Relation type="size" of="RawData"/> <!--TODO: I DO NOT HAVE A RAWDATA YET-->
      </Number>
      <Number name="UnpSize" size="32" signed="false"/>
      <Number name="HostOS" size="8" signed="false"/>
      <Number name="FileCRC" size="32" mutable="false"/> <!--CRC of decompressed file-->
      <Number name="FileTime" size="32" signed="false"/>
      <Number name="UnpVer" size="8" signed="false"/>
      <Number name="Method" size="8" signed="false"/>
      <Number name="NameSize" size="16" signed="false">
        <Relation type="size" of="FileName"/>
      </Number>
      <Number name="FileAttr" size="32" signed="false"/>
      <Block name="OptionalPackSize">
        <!--TODO: this block is only present when a FILE_HEAD flag is set; the
            Peach 2 "when" relation that expressed this is not available in Peach 3-->
        <Number name="HighPackSize" size="32" signed="false"/>
        <Number name="HighUnpSize" size="32" signed="false"/>
      </Block>
      <String name="FileName"/>
      
    </Block>
    
  </DataModel>

  <!--<StateModel name="State" initialState="Initial">

  </StateModel>

  <Agent name="WinAgent">

  </Agent>

  <Test name="Default">

  </Test>-->
</Peach>
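As an added example (not from the post and not Peach code), the Python below does by hand what the fixup left as TODO in the pit's MAIN_HEAD_CRC element has to do: RAR's HEAD_CRC is the low 16 bits of CRC32 over the header bytes from HEAD_TYPE to the end of the header, so every mutation to the flags or sizes must be followed by a CRC recompute, or the target rejects the file before the mutated fields are ever parsed. The constants mirror the pit's MAIN_HEAD layout; the sample header and the flag-flip are constructed, and the flag bit numbers are the ones the pit declares.

```python
import struct
import zlib

# From the pit's data model: MARK_HEAD signature, MAIN_HEAD type byte, and the
# 13-byte MAIN_HEAD layout CRC(2) TYPE(1) FLAGS(2) SIZE(2) HighPosAv(2) PosAV(4).
RAR_SIGNATURE = bytes.fromhex("526172211A0700")
MAIN_HEAD_TYPE = 0x73
MAIN_HEAD_SIZE = 13


def head_crc(header_after_crc: bytes) -> int:
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes from
    HEAD_TYPE to the end of the header; the CRC field itself is excluded."""
    return zlib.crc32(header_after_crc) & 0xFFFF


def refix_crc(main_head: bytes) -> bytes:
    """Overwrite HEAD_CRC with the value matching the current header bytes,
    which is exactly the job of the fixup left as TODO in the pit."""
    return struct.pack("<H", head_crc(main_head[2:])) + main_head[2:]


def build_main_head(flags: int, high_pos_av: int = 0, pos_av: int = 0) -> bytes:
    """Serialize MAIN_HEAD little-endian in the pit's field order."""
    return refix_crc(struct.pack("<HBHHHI", 0, MAIN_HEAD_TYPE, flags,
                                 MAIN_HEAD_SIZE, high_pos_av, pos_av))


def parse_main_head(data: bytes) -> dict:
    """Parse a MAIN_HEAD and check its CRC; a mismatch is what an unfixed
    mutation produces, and a checking parser rejects such a header before it
    ever reaches the fuzzed fields."""
    if len(data) < MAIN_HEAD_SIZE:
        raise ValueError("truncated MAIN_HEAD")
    stored_crc, head_type, flags, head_size, _hi, _pos = struct.unpack(
        "<HBHHHI", data[:MAIN_HEAD_SIZE])
    return {
        "type": head_type,
        "head_size": head_size,
        "crc_ok": stored_crc == head_crc(data[2:MAIN_HEAD_SIZE]),
        "mhd_password": bool(flags & (1 << 7)),  # bit numbers as in the pit
    }


def demo() -> dict:
    # Constructed sample: MARK_HEAD followed by a MAIN_HEAD with no flags set.
    archive = RAR_SIGNATURE + build_main_head(flags=0)
    main_head = archive[len(RAR_SIGNATURE):]
    mutated = bytearray(main_head)
    mutated[3] ^= 0x80  # flip MHD_PASSWORD (bit 7, low byte of HEAD_FLAGS)
    return {"clean": parse_main_head(main_head),
            "mutated": parse_main_head(bytes(mutated)),
            "refixed": parse_main_head(refix_crc(bytes(mutated)))}
```

The "mutated" result shows the CRC failing after a single flipped flag bit, and "refixed" shows the same header accepted again once the CRC is recomputed.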

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)

About the Author

Grant Curell

United States
Grant is a specialist in computer security and networking. He holds a bachelor's degree in Computer Science and Engineering from the Ohio State University. Certs: CCNA, CCNP, CCDA, Sec+, and GHIH. More info at grantcurell.com.

Article Copyright 2014 by Grant Curell