FrontPage

Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.

Peach requires the creation of PeachPit files that define the structure, type information, and relationships in the data to be fuzzed. It additionally allows for the configuration of a fuzzing run including selecting a data transport (Publisher), logging interface, etc.

Peach has been under active development since 2004 and is in its second major version, with the third currently under development. Peach was created and is actively developed by Michael Eddington of Deja Vu Security.

News

Black Hat Vegas 2010 Training

We will once again be offering Peach training at Black Hat Vegas this summer. This is a two day course with a heavy focus on creating working smart fuzzers.

Course Information

Peach v2.3.6 Released [4/26/2010]

Two releases in one month, crazy! This is mainly a bug fix release, but there are a couple of improvements. First, a patch to support multiple Publishers has been added. You can now configure multiple Publishers per Test and reference them by name at the Action level in your state model. Second, I have improved the speed of fuzzing, at least for file fuzzing, by improving the communication between Windows Debugger and the Publisher.

  • New: Multiple Publishers are now supported by adding a "name" attribute to the <Publisher> element and a "publisher" attribute to <Action>.

  • Changed: Improved Agent to Publisher communication, increasing fuzzing speed
  • Changed: Improved osx.CrashReporter monitor. More reliable now.

  • Bug: Fixed issue where Peach Validator would not always run analyzers
  • Bug: Updated WireShark Analyzer to use <DataModel> instead of <Template>

  • Bug: Fixed bug with ASCII strings containing char values over 127
  • Bug: Fixed bug in <Choice> fast checking.

  • Bug: Fixed minor issue with <Result> cracking (marked data as haveAll).

  • Bug: Fixed two bugs in UdpListener

  • Bug: StringMutator changed to set currentValue instead of finalValue. Fixes bugs related to NULL termination or Unicode encodings.
  • Bug: Windows Debugger module didn't have CRLF line feeds, causing notepad to display stacktrace wrong.
  • Bug: Random freeze while calculating frames in stack trace
  • Bug: Strings lose NULL termination when being mutated

Peach v2.3.5 Released [4/8/2010]

I finally got the v2.3.5 build cut. This build has one of the longer change lists in the 2 series and should probably be called 2.4 :) A number of new features have been added, including beta support for OS X Crash Reporter instead of a debugger (see samples/DebuggerCrashReporter.xml). This release also includes a copy of !exploitable, so it is no longer necessary to download it separately when you install windbg.

Also with this release, I have posted a cut of the source along with the binary installers.

  • New: minset promoted to first tier tool, now compiled
  • New: Action when attribute has a new method available, 'getXml()', to allow for using xpaths in when expressions.
  • New: Action when attribute has access to the 'random' module
  • New: Windows Debugger now has IgnoreSecondChanceGardPage option

  • New: New reproduction strategy for running pre-fuzzed files.
  • New: New default strategy is deterministic and random
  • New: New more aggressive Blob mutator
  • New: Data fileName attribute can now specify multiple files. This will only work with the random mutation strategy. Files will be switched every 100 iterations by default, but switchCount attribute can change that. Unix glob support ("folder/*/*.gif"), filename, or folder path.
  • New: Tcp publisher has new "throttle" parameter to specify wait time between connections.
  • New: Windows debugger module now supports attaching by PID
  • New: !exploitable windbg module included in distribution
  • New: Flags now supported enabling padding to behave like structs
  • New: Cracking optimizations for Choice blocks added
  • Changed: Updated minset.py to use pydbgeng
  • Changed: Use random filename to move data between debugger threads
  • Changed: Xml Analyzer, default string type now utf8
  • Changed: Windows Debugger no longer takes mini-dump
  • Changed: Enabled mutator ValidValuesMutator by default

  • Changed: UnixDebugger updated to support new file fuzzing model

  • Changed: Cracker will throw exception if it cannot size a Blob
  • Changed: Optimized test cases for small Numbers
  • Changed: Binary analyzer changes how it locates strings as needed
  • Changed: Random mutation strategy more aggressive
  • Changed: If data loaded by <Data fileName=""/> fails, we will exit

  • Changed: Improved accuracy of count vs. actual rounds
  • Changed: Unix Debugger now uses multiprocessing module
  • Bug: Fixed a couple odd bugs in Flags/Flag
  • Bug: Fixed bug in Memory agent
  • Bug: Fixed bug in Network Pcap agent
  • Bug: Fixed checksum fixup to always return positive crc32
  • Bug: Fixed bug where sequential mutator strategy would throw an exception
  • Bug: Cracker updated to better handle Choices inside of Choices
  • Bug: Fixed bug in UnixDebugger & vtrace where threads are not being released.
  • Bug: Fixed bug in UnixDebugger where vtrace file handles were not being released.
  • Bug: Fixed bug with relations and complex Choice blocks

Peach Training @ CanSecWest 2010 in Vancouver, CA

A two day Peach training class is being offered at CanSecWest 2010 in Vancouver, CA. For additional information please see the course description here.

Peach v2.3.4 Released [1/9/2010]

This is primarily a bugfix release.

  • New: Peach Validator now runs Analyzers
  • Changed: Moved Flags to use a bit buffer class
  • Changed: Listening for ExitProcess event in Debugger

  • Changed: Improved random mutation weighting system
  • Changed: Improved paired token support in StringTokenizer

Peach v2.3.3 Released [11/3/2009]

  • Bug: Fixed bug with Numerical mutators and Flags
  • Bug: Flags parsing backwards
  • Changed: Console output now shows element being modified

Peach v2.3.2 Released

  • Change: Windows debugger runs in separate process
  • Change: Patch for Linux Ping Monitor support

Peach v2.3.1 Released [10/21/2009]

Peach v2.3.1 has been released. There is finally a fully working binary only distribution for Windows in both 32bit and 64bit flavors. This is now the preferred method for installing and using Peach as it does not require Python or any module dependencies.

  • New: All binary Windows release!
  • New: Added --range parameter to commandline
  • New: Improved start time of mutators
  • New: SMTP Publisher
  • New: AirPcap publisher

  • New: Generate fault log when agent connection fails.
  • Change: Estimated complete time updated every 20 iterations instead of 40.
  • Deprecated: Peach Builder -- Too far out of date currently
  • Bug: Fixed memory leaks in WindowsDebugger code

  • Bug: Fixed memory leaks in PyDbgEng

  • Bug: Fixed memory leaks in comtypes
  • Bug: Fixed command line parsing for -p from batch files
  • Bug: Win32 Dependencies batch files, fixed broken names
  • Bug: Removed assert checks from mutators
  • Bug: Reset debugger log buffer on each test
  • Bug: Misc bugs found testing with complex fuzzer definitions
  • Bug: Unicode bug fixes
  • Bug: self.find('element') failed when inside of two sized Blocks.
  • Bug: Fixed off-by-one error on --skipto

Peach v2.3 Released

Peach v2.3 has finally been released after adding more features than intended :)

Peach Training @ Blackhat Vegas 2009

A two day hands on training class on Peach is being offered at Blackhat Vegas 2009.

Course information and registration.

Peach and bang-exploitable (!exploitable) Support

I'm happy to announce Peach v2.3 has full support for the Microsoft !exploitable windbg module. Just drop the extension DLL into your "winexts" folder and Peach will automatically use it to perform crash analysis. Support in all v2.3 releases including BETA 1.

More information about !exploitable can be found here.

Peach v2.3 BETA 1 Released

The first beta of Peach v2.3 has been released! This version includes a number of new features and lots of bug fixes and speed improvements.

Peach Training @ CanSecWest 2009 in Vancouver, CA

A two day Peach training class is being offered at CanSecWest 2009 in Vancouver, CA. For additional information please see the course description here.

Peach 2.2 Released

Peach 2.2 has finally gone golden! Head over to PeachInstallation for download links and installation instructions.

What's new:

  • Win32: Binary distribution with no dependencies
  • State model paths
  • Enable/disable mutations by node
  • Offset support via:
    • Offset-of relation
    • Seek element
    • Placement element
  • Peach Validator hex view
  • Updated and new mutators
  • Improved App Verifier support
    • Exclude specific stop codes
    • Custom check model list
  • Major speed improvements
  • New/updated supporting tools:
    • minset - Find the minimum set of files
    • missing - Gap analysis between files and pit
    • struct2peach - Convert 010 Templates to Peach
  • Numerous bug fixes

Peach 2.2 BETA 2 Released

I'm pleased to announce the release of Peach 2.2 BETA2, hopefully the last release before Peach 2.2 is released. This release contains numerous bug fixes from beta 1, along with a few new features such as the Hex view in the Peach Validation UI. It is strongly suggested that all users of Peach 2.2 BETA1 upgrade to BETA2.

Please report any bugs directly to myself or the Peach mailing list.

Download from here

Peach Training @ PacSec 2008 in Tokyo, JP

A two day Peach training class is being offered at PacSec 2008 in Tokyo, JP. This will be the first time Peach training has been offered in Asia. For additional information please see the course description here.

Peach Training @ BA-Con 2008 in Buenos Aires, AR

The two day Peach 101 training is being offered at BA-Con in Buenos Aires, AR. We are happy to be a part of this new South American security conference. For additional information please see the course description here.