11/26/2015

[SYSTEM HACKING] Analyzing Applications with Peach Fuzzer 1 - Install Peach Fuzzer

Finding vulnerabilities means doing fuzzing, which is repetitive and tedious work; the fuzzers that help with it let you track down weak points much more easily.
Of the many fuzzers available, this time I want to talk about Peach Fuzzer (a fuzzing framework), which is a somewhat bigger tool.


Download Peach Fuzzer


http://community.peachfuzzer.com/
 -> go to the peachfuzzer download page for your OS



After downloading and extracting the archive you get several files; on Linux, the peach file is the main entry point.

Install the Packages Peach Fuzzer Needs


Running the peach file right after downloading fails with an error saying the mono command does not exist.
It seems the error occurs because mono was not installed on my PC. First, let's look at the code of the ./peach file, shown below.

#!/bin/bash

# Directory the wrapper lives in; Peach.exe is expected next to it.
DIRNAME="`dirname ${0}`"
DEBUG=""
# If --debug appears anywhere in the argument list, pass it to mono as well.
case "$*" in
  *--debug*)
    DEBUG="--debug"
    ;;
esac

# Peach.exe is a .NET assembly, so it is launched through the mono runtime.
mono --gc=sgen ${DEBUG} ${DIRNAME}/Peach.exe $@

So it runs the exe through mono. Since mono is required, install it with apt-get.

# apt-get install mono-complete

After installing it, running peach works normally.

# ./peach 

[[ Peach v3.1.124.0
[[ Copyright (c) Michael Eddington
This is the Peach Runtime.  The Peach Runtime is one of the many ways
to use Peach XML files.  Currently this runtime is still in development
but already exposes several abilities to the end-user such as performing
simple fuzzer runs and performing parsing tests of Peach XML files.

Please submit any bugs to https://forums.peachfuzzer.com.

Syntax:

  peach -a channel
  peach -c peach_xml_file [test_name]
  peach [--skipto #] peach_xml_flie [test_name]
  peach -p 10,2 [--skipto #] peach_xml_file [test_name]
  peach --range 100,200 peach_xml_file [test_name]
  peach -t peach_xml_file

  -1                         Perform a single iteration
  -a,--agent                 Launch Peach Agent
  -c,--count                 Count test cases
  -t,--test xml_file         Validate a Peach XML file
  -p,--parallel M,N          Parallel fuzzing.  Total of M machines, this
                             is machine N.
  --debug                    Enable debug messages. Usefull when debugging
                             your Peach XML file.  Warning: Messages are very
                             cryptic sometimes.
  --trace                    Enable even more verbose debug messages.
  --seed N                   Sets the seed used by the random number generator
  --parseonly                Test parse a Peach XML file
  --makexsd                  Generate peach.xsd
  --showenv                  Print a list of all DataElements, Fixups, Monitors
                             Publishers and their associated parameters.
  --showdevices              Display the list of PCAP devices
  --analyzer                 Launch Peach Analyzer
  --skipto N                 Skip to a specific test #.  This replaced -r
                             for restarting a Peach run.
  --range N,M                Provide a range of test #'s to be run.
  -D/define=KEY=VALUE        Define a substitution value.  In your PIT you can
                             ##KEY## and it will be replaced for VALUE.
  --config=FILENAME          XML file containing defined values


Peach Agent

  Syntax: peach -a channel

  Starts up a Peach Agent instance on this current machine.  User must provide
  a channel/protocol name (e.g. tcp).

  Note: Local agents are started automatically.

Performing Fuzzing Run

  Syntax: peach peach_xml_flie [test_name]
  Syntax: peach --skipto 1234 peach_xml_flie [test_name]
  Syntax: peach --range 100,200 peach_xml_flie [test_name]

  A fuzzing run is started by by specifying the Peach XML file and the
  name of a test to perform.

  If a run is interupted for some reason it can be restarted using the
  --skipto parameter and providing the test # to start at.

  Additionally a range of test cases can be specified using --range.

Performing A Parellel Fuzzing Run

  Syntax: peach -p 10,2 peach_xml_flie [test_name]

  A parallel fuzzing run uses multiple machines to perform the same fuzzing
  which shortens the time required.  To run in parallel mode we will need
  to know the total number of machines and which machine we are.  This
  information is fed into Peach via the "-p" command line argument in the
  format "total_machines,our_machine".

Validate Peach XML File

  Syntax: peach -t peach_xml_file

  This will perform a parsing pass of the Peach XML file and display any
  errors that are found.

Debug Peach XML File

  Syntax: peach -1 --debug peach_xml_file

  This will perform a single iteration (-1) of your pit file while displaying
  alot of debugging information (--debug).  The debugging information was
  origionally intended just for the developers, but can be usefull in pit
  debugging as well.
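As an added example (not from the original post or the Peach distribution), here is a small preflight wrapper around the same mono invocation: it checks that mono is installed before launching Peach.exe, passes every argument through as its own word, and enables debug mode only when a whole argument equals --debug rather than whenever that string appears anywhere in the argument list. PEACH_DIR (the unpacked Peach directory) is an assumed, hypothetical path.

```shell
#!/bin/sh
# Added example, not part of the original post or the Peach distribution.
# Mirrors what ./peach does (mono --gc=sgen [--debug] Peach.exe args) but
# reports a missing mono runtime with the fix instead of a bare
# "mono: command not found". PEACH_DIR is an assumed path.
PEACH_DIR="${PEACH_DIR:-$HOME/peach}"

# Return 0 if mono is on PATH; otherwise print the install hint and return 1.
check_mono() {
    command -v mono >/dev/null 2>&1 && return 0
    echo "mono runtime not found; on Debian/Ubuntu run: apt-get install mono-complete" >&2
    return 1
}

# Print "--debug" only when one whole argument is --debug. The shipped
# wrapper substring-matches "$*", so a pit named report--debug.xml would
# silently switch debug mode on; this per-argument check does not.
debug_flag() {
    for arg in "$@"; do
        [ "$arg" = "--debug" ] && { echo "--debug"; return 0; }
    done
    return 1
}

# Dry run: print the exact command line that would be executed.
peach_cmdline() {
    out="mono --gc=sgen"
    flag=$(debug_flag "$@") && out="$out $flag"
    out="$out $PEACH_DIR/Peach.exe"
    for arg in "$@"; do
        out="$out $arg"
    done
    printf '%s\n' "$out"
}

# Launch Peach with every argument passed through as its own word ("$@").
peach_run() {
    check_mono || return 1
    [ -f "$PEACH_DIR/Peach.exe" ] || { echo "Peach.exe not found in $PEACH_DIR" >&2; return 1; }
    mono --gc=sgen $(debug_flag "$@") "$PEACH_DIR/Peach.exe" "$@"
}

# Usage: peach_run -t test.xml   (validate a pit before fuzzing with it)
```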

[SYSTEM HACKING] Peach Fuzzer를 통해 Application 분석 1 - Install Peach Fuzzer
[SYSTEM HACKING] Peach Fuzzer를 통해 Application 분석 2 - Application Fuzzing for Exploit 
[SYSTEM HACKING] Peach Fuzzer의 GUI 모드 - Peach3 Fuzz Bang(Run Peach Fuzzer on GUI Interface) 

Reference

http://community.peachfuzzer.com


HAHWUL

Security engineer, Gopher and H4cker!


2 comments:

  1. Hi, how are you, SIR!

    I am a beginner in the software testing area. I installed two different fuzzers, ZZUF and PEACH. Unfortunately, because of my lack of knowledge I could not test C++ binaries with both fuzzers. The process of testing binaries is not given in the PEACH and ZZUF tutorials.

    For example, abc.c:

    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        char login[16];
        char password[16];

        printf("Login : ");
        scanf("%s", login);       /* no length limit: input longer than 15 chars overruns the buffer */
        printf("Password : ");
        scanf("%s", password);    /* same unbounded read */

        if (strcmp(login, "root") == 0) {
            if (strcmp(password, "toor") == 0) {
                printf("Success.\n");
                return 0;
            }
        }
        printf("Fail.\n");
        return 1;
    }

    How can I fuzz binary or C code by ZZUF and PEACH fuzzers?
    Is it possible to test LAVA-M data binaries (base64, uniq, md5sum, who) or OpenSSL 1.1.0f?
    I strongly believe that your help will increase my knowledge. Thank you.

  2. Hi friend!
    Have you ever made an XML for testing? For example ... this. If you have not, please refer to this link.

    [ link ]
    https://www.hahwul.com/2015/11/system-hacking-peach-fuzzer-application_26.html

    [ test xml ]
    <?xml version="1.0" encoding="utf-8"?>
    <Peach xmlns="http://peachfuzzer.com/2012/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://peachfuzzer.com/2012/Peach ../peach.xsd">

        <DataModel name="TestTemplate">
            <String name="TheString" value="Hello World!" />
        </DataModel>

        <StateModel name="State" initialState="Initial">
            <State name="Initial">

                <Action name="SendValue1" type="output">
                    <DataModel ref="TestTemplate" />
                </Action>

                <Action name="SendValue2" type="output">
                    <DataModel ref="TestTemplate" />
                </Action>

            </State>
        </StateModel>

        <Agent name="LocalAgent">
            <Monitor class="LinuxDebugger">
                <Param name="Executable" value="./CrashableServer" />
                <Param name="Arguments" value="127.0.0.1 4244" />
            </Monitor>
        </Agent>

        <Test name="Default">
            <Agent ref="LocalAgent" />

            <StateModel ref="State"/>
            <Publisher class="Tcp">
                <Param name="Host" value="127.0.0.1" />
                <Param name="Port" value="8080" />
            </Publisher>
            <Logger class="Filesystem">
                <Param name="Path" value="Logs" />
            </Logger>
        </Test>
    </Peach>
    <!-- end -->

    I do not know how the translation result will come out because the language of my writing is Hangul. If you have other problems, give me some more information.
