LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-23-2016, 12:50 AM   #1
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Trying to write a simple fuzzer with Peach to detect a buffer overflow


I'm trying to write a simple fuzzer that detects a buffer overflow. The code I want to fuzz is below:

Code:
#include <stdio.h>
#include <string.h>   /* memcpy() and strlen() were used without their header */

int main(int argc, char *argv[])
{
    char buf[256];
    if (argc < 2)     /* no argument: exit instead of calling strlen(NULL) */
        return 1;
    /* Deliberately unsafe: no length check, so an argument longer than 256 bytes
       overflows buf on the stack; this is the bug the fuzzer is meant to find. */
    memcpy(buf, argv[1], strlen(argv[1]));
    /* Also deliberately unsafe: buf is not NUL-terminated and is used as the format string. */
    printf(buf);
    return 0;
}
And my current Peach Pit is the following:

Code:
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://peachfuzzer.com/2012/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://peachfuzzer.com/2012/Peach /peach/peach.xsd">

    <!-- Fuzzing the test program with a malformed command-line parameter -->
    <DataModel name="program">
        <String value="./test " />
    </DataModel>

    <DataModel name="parameter">
        <String value="">
            <Analyzer class="StringToken"/>
        </String>
    </DataModel>

    <StateModel name="TheState" initialState="Initial">
        <State name="Initial">
            <!-- Each iteration writes a wrapper script that the agent's monitor then runs. -->
            <!-- The first run writes "./test " followed by the unfuzzed (empty) parameter; -->
            <!-- later runs write "./test [fuzzed data goes here]".                         -->
            <Action type="output">
                <DataModel ref="program"/>
            </Action>

            <Action type="output">
                <DataModel ref="parameter"/>
            </Action>

            <Action type="close" />

            <!-- "call" actions are delivered to the agent; a monitor whose StartOnCall -->
            <!-- parameter names this method launches its target when the call arrives. -->
            <Action type="call" method="Runprogram" publisher="Peach.Agent"/>
        </State>
    </StateModel>

    <Agent name="LinAgent">
        <Monitor class="LinuxDebugger">
            <!-- This is the program we're going to run inside of the debugger. A .bat file is a
                 Windows artifact, so the wrapper is a shell script here. Caveat: LinuxDebugger
                 drives gdb, and gdb only loads ELF binaries, not scripts, so with this monitor
                 Executable has to be the compiled ./test itself (with the fuzzed value passed
                 some other way) or the script has to be run by a monitor that does not use gdb. -->
            <Param name="Executable" value="./call_program.sh"/>
            <!-- Without StartOnCall the monitor starts its target on its own schedule rather
                 than when the state model's "call" action above fires. -->
            <Param name="StartOnCall" value="Runprogram"/>
        </Monitor>
    </Agent>

    <Test name="Default">
        <!-- The Test must reference the agent, otherwise its monitors never run. -->
        <Agent ref="LinAgent"/>

        <!-- We only want to fuzz the test program's parameter, hence the following line -->
        <Exclude xpath="//program" />

        <StateModel ref="TheState"/>

        <Strategy class="Sequential"/>

        <Publisher class="File">
            <Param name="FileName" value="call_program.sh" />
        </Publisher>

        <Logger class="File">
            <!-- save crash information in the Logs directory -->
            <Param name="Path" value="Logs"/>
        </Logger>
    </Test>

</Peach>
<!-- end -->
How can I make this work? Any help would be greatly appreciated. Thank you. I've found a few references to this exact thing, but I can't get the files to work correctly.

Last edited by watchintv; 10-23-2016 at 12:53 AM.
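What the debugger monitor in a pit like the one above actually has to do is small: run the target once per test case, wait for it, and treat death by signal as a fault. The following is an added example, not code from the original post or from Peach, that performs that loop as a stand-alone C harness against the post's vulnerable program. It assumes the post's test.c has been compiled to `./test` (a different path can be given as the first argument), uses a constructed ladder of `'A'`-filled arguments of increasing length as the fuzz input, and runs its self-checks through `/bin/sh`.

```c
/* Added example, not from the original post: the crash-detection loop a fuzzer
 * monitor performs, written as a stand-alone harness instead of a Peach pit.
 * Assumed: the post's test.c is compiled to "./test" (override with argv[1]). */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum {
    RUN_CLEAN,       /* exited with status 0 */
    RUN_EXIT_ERROR,  /* exited non-zero (127 also means exec of the target failed) */
    RUN_CRASH        /* terminated by a signal: what a monitor logs as a fault */
} run_kind;

typedef struct {
    run_kind kind;
    int code;        /* exit status for CLEAN/EXIT_ERROR, signal number for CRASH */
} run_result;

/* Map a waitpid() status onto a monitor verdict. */
run_result classify_status(int status)
{
    run_result r;
    if (WIFSIGNALED(status)) {
        r.kind = RUN_CRASH;
        r.code = WTERMSIG(status);
    } else {
        r.code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        r.kind = (r.code == 0) ? RUN_CLEAN : RUN_EXIT_ERROR;
    }
    return r;
}

/* fork/exec argv[0] with argv and wait for it; the child's stdout goes to
 * /dev/null so the target's printf(buf) cannot flood the terminal. */
run_result run_target(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) {
        run_result failed = { RUN_EXIT_ERROR, -1 };
        return failed;
    }
    if (pid == 0) {
        freopen("/dev/null", "w", stdout);
        execv(argv[0], argv);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    return classify_status(status);
}

/* Run one shell command line through /bin/sh -c (used by the self-checks). */
run_result run_shell(const char *command)
{
    char *argv[] = { "/bin/sh", "-c", (char *)command, NULL };
    return run_target(argv);
}

/* Build a len-byte argument of repeated fill bytes (constructed fuzz input); caller frees. */
char *make_argument(size_t len, char fill)
{
    char *arg = malloc(len + 1);
    if (!arg) abort();
    memset(arg, fill, len);
    arg[len] = '\0';
    return arg;
}

/* Step the argument length from start to stop. Returns the first length that
 * made the target die from a signal, or 0 if none did (or the target is missing). */
size_t first_crashing_length(const char *target, size_t start, size_t stop,
                             size_t step, run_result *last)
{
    for (size_t len = start; len <= stop; len += step) {
        char *arg = make_argument(len, 'A');
        char *argv[] = { (char *)target, arg, NULL };
        run_result r = run_target(argv);
        free(arg);
        if (last) *last = r;
        if (r.kind == RUN_CRASH) return len;
        if (r.kind == RUN_EXIT_ERROR && r.code == 127) return 0;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    const char *target = argc > 1 ? argv[1] : "./test";   /* assumed target path */
    run_result last = { RUN_CLEAN, 0 };
    size_t len = first_crashing_length(target, 200, 4096, 64, &last);
    if (len) printf("%s: signal %d at argument length %zu\n", target, last.code, len);
    else     printf("%s: no crash up to 4096 bytes (kind=%d code=%d)\n", target, last.kind, last.code);
    return 0;
}
```

Build the target with `gcc -o test test.c`, the harness with `gcc -o harness harness.c`, and run `./harness ./test`. One caveat worth knowing before blaming the fuzzer: overrunning a 256-byte stack buffer by a few bytes often does not fault at all, because nothing important sits immediately after it, so the first detected crash can be hundreds of bytes past the real bound. Compiling the target with `-fstack-protector-all` (abort on return) or `-fsanitize=address` (abort on the first out-of-bounds byte) makes the overflow surface deterministically at the first oversized input, which is also why a debugger or sanitizer-backed monitor is used rather than exit-status checking alone.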
 
Old 10-24-2016, 07:22 AM   #2
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Original Poster
Doesn't anyone know? Any advice on where I can get help with this? The Peach Community forum is moderated and none of my posts go through.
 
Old 10-25-2016, 11:05 AM   #3
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Now you brought your post out of zero-reply status, which is not a desirable thing to do on LQ if you really need help, because now it won't float up to the top anymore. Duh.
I cannot help with your problem at all.
All I see is some very specialized verbiage ("fuzzer", "peach pit") and no links to anything that might shed more light on the whole problem.
Well, OK, I can clearly see "peachfuzzer.com" there at the top, so I went to have a look: "Peach's revolutionary fuzzing engine outperforms its competitors, discovering unknown system vulnerabilities like no other testing method can." I have no idea how that would relate to those few lines of C code.
Sorry.
Maybe by keeping the rant going, someone knowledgeable will eventually see this, or you provide more info.
 
Old 10-29-2016, 11:10 AM   #4
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Quote:
Originally Posted by ondoho View Post
well ok, i can clearly see "peachfuzzer.com" there at the top, so i went to have a look: "Peach’s revolutionary fuzzing engine outperforms its competitors, discovering unknown system vulnerabilities like no other testing method can." - i have no idea how that would relate to those few lines of C code.
There's a bit more info here: http://community.peachfuzzer.com/v3/...uickStart.html, but the docs aren't exactly friendly; maybe, if you'll forgive my cynicism, because they want to sell more training sessions.
 
Old 10-29-2016, 01:22 PM   #5
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Original Poster
I actually solved this by writing a custom Monitor. Wasn't too hard. So this is solved.
 
  

