Click here to Skip to main content
13,053,531 members (56,054 online)
Click here to Skip to main content
Add your own
alternative version

Tagged as


Posted 2 Aug 2014

Giving Automated Fuzzing a Trial Run with Peach

, 2 Aug 2014
Rate this:
Please Sign up or sign in to vote.
I’ve never found my own bugs and written my own exploits and that’s a skill I’d like to develop. In that vain, I’ve been trying out the Peach 3 Fuzzer.

I’ve never found my own bugs and written my own exploits and that’s a skill I’d like to develop. In that vain, I’ve been trying out the Peach 3 Fuzzer. Here are some of the tutorials I tried out:

Fuzzing with Peach – Part 1

Fuzzing with Peach – Part 2

I also started writing a Peach Pit (incomplete code below) for the RAR file format using the following sources:

The RAR File Format

RAR File Format – Acritum Software

I even discovered someone had already written a Peach Pit albeit for an older version of Peach.

I used to work for a guy who swore by manual fuzzing and after the experience I’m starting to see why. Peach version 3 seems to have broken some things in version 2 that were just fine. You’ll notice in my code below an assortment of flags. Version 2 provided an easy method to include or exclude additional data from your data model based on whether a flag was set or not in the form of a “when” relation. It looked something like this:

<Relation type="when" when="self.find('FLAG_HERE').getInternalValue() != 0"/>

In version 3, the when relation was removed and the replacement as far as I can find is far less intuitive. I also had trouble finding clear documentation and examples for a lot of functionality for version 3 (custom fixups in particular). General ideas or barebones examples were available, but nothing that made it particularly newcomer friendly.

This is my first foray into find my own bugs and write my own exploits, but at the moment manual fuzzing sounds like an enticing alternative to manually defining an entire file specification. I certainly think Peach could be a useful tool, but I think I’ll explore the manual approach to bug finding before I come back to Peach.

<?xml version="1.0" encoding="utf-8"?>


  <PythonPath path="X:\Programming\winrar_exploit\peach\peach\"/>
  <!--Add resources for the custom fixup-->
  <!--<Import import=""/>-->

  <!-- Data model for the RAR file format -->
  <DataModel name="RARFileFormat">

    <!--The MARK_HEAD -->
    <!--Always the same sequence-->
    <String name="Signature" valueType="hex" value="0x526172211A0700" token="true" mutable="false"/>
    <!--The MAIN_HEAD -->
    <Block name="MAIN_HEAD">
      <Number name="MAIN_HEAD_CRC" size="16" endian="little" signed="false" mutable="false">
      <Number name="MAIN_HEAD_TYPE" signed="false" value="0x73" token="true" size="8" mutable="false"/>
      <Flags name="MAIN_HEAD_FLAGS" size="16">
        <Flag name="MHD_VOLUME" position="0" size="1"/>
        <Flag name="MHD_COMMENT" position="1" size="1"/>
        <Flag name="MHD_LOCK" position="2" size="1"/>
        <Flag name="MHD_SOLID" position="3" size="1"/>
        <Flag name="MHD_PACK_COMMENT" position="4" size="1"/>
        <Flag name="MHD_AV" position="5" size="1"/>
        <Flag name="MHD_PROTECT" position="6" size="1"/>
        <Flag name="MHD_PASSWORD" position="7" size="1"/>
        <Flag name="MHD_FIRSTVOLUME" position="8" size="1"/>
        <Flag name="MHD_ENCRYPTVER" position="9" size="1" value="0"/>
        <Flag name="UNKNOWN10" position="10" size="1" />
        <Flag name="UNKNOWN11" position="11" size="1" />
        <Flag name="UNKNOWN12" position="12" size="1" />
        <Flag name="UNKNOWN13" position="13" size="1" />
        <Flag name="UNKNOWN14" position="14" size="1" />
        <Flag name="UNKNOWN15" position="15" size="1" />
      <Number name="MAIN_HEAD_SIZE" size="16" signed="false">
        <Relation type="size" of="MAIN_HEAD"/>
      <Number name="HighPosAv" size="16" signed="false"/>
      <Number name="PosAV" size="32" signed="false"/>
    <Block name="FILE_HEAD">
      <Number name="FILE_HEAD_CRC" size="16" endian="little" signed="false" mutable="false">
        <!--<Fixup class="">
      <Number name="FILE_HEAD_TYPE" signed="false" value="0x74" token="true" size="8" mutable="false"/>
      <Flags name="FILE_HEAD_FLAGS" size="16">
        <Flag name="LHD_SPLIT_BEFORE" position="0" size="1"/>
        <Flag name="LHD_SPLIT_AFTER" position="1" size="1"/>
        <Flag name="LHD_PASSWORD" position="2" size="1"/>
        <Flag name="LHD_COMMENT" position="3" size="1"/>
        <Flag name="LHD_SOLID" position="4" size="1"/>
        <Flag name="DIC_SIZE" position="5" size="3"/>
        <Flag name="LHD_LARGE" position="8" size="1"/>
        <Flag name="LHD_UNICODE" position="9" size="1"/>
        <Flag name="LHD_SALT" position="10" size="1"/>
        <Flag name="LHD_VERSION" position="11" size="1"/>
        <Flag name="LHD_EXTTIME" position="12" size="1"/>
        <Flag name="LHD_EXTFLAGS" position="13" size="1"/>
        <Flag name="OldVersionIgnore" position="14" size="1"/>
        <Flag name="AddSizePresent" position="15" size="1" value="1"/> <!--SOURCE SAYS THIS IS ALWAYS 1-->
      <Number name="FileHeadSize" size="16" signed="false">
        <Relation type="size" of="FILE_HEAD"/>
      <Number name="PackSize" size="32" signed="false">
        <Relation type="size" of="RawData"/> <!--TODO: I DO NOT HAVE A RAWDATA YET-->
      <Number name="UnpSize" size="32" signed="false"/>
      <Number name="HostOS" size="8" signed="false"/>
      <Number name="FileCRC" size="32" mutable="false"/> <!--CRC of decompressed file-->
      <Number name="FileTime" size="32" signed="false"/>
      <Number name="UnpVer" size="8" signed="false"/>
      <Number name="Method" size="8" signed="false"/>
      <Number name="NameSize" size="16" signed="false">
        <Relation type="size" of="FileName"/>
      <Number name="FileAttr" size="32" signed="false"/>
      <Block name="OptionalPackSize">
        <Relation type="when" 

        <Number name="HighPackSize" size="32" signed="false"/>
        <Number name="HighUnpSize" size="32" signed="false"/>
      <String name="FileName"/>

  <!--<StateModel name="State" initialState="Initial">


  <Agent name="WinAgent">


  <Test name="Default">



This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)


About the Author

Grant Curell
United States United States
Grant is a specialist in computer security and networking. He holds a bachelors degree in Computer Science and Engineering from the Ohio State University. Certs: CCNA, CCNP, CCDA, CCDP, Sec+, and GHIH. More info at

You may also be interested in...


Comments and Discussions

Questiondead links! Pin
Member 568844325-Apr-17 3:41
memberMember 568844325-Apr-17 3:41 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170713.1 | Last Updated 2 Aug 2014
Article Copyright 2014 by Grant Curell
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid