
Methodology

Fuzzer Development Methodology

Here is the super quick development methodology I use for creating fuzzers. For network protocols, Wireshark typically takes the place of 010 Hex Editor.

The Tools

XML Editor

  • Visual Studio (Express editions are free)
  • oXygen XML Editor ($$)

010 Hex Editor

Best hex editor around. Chosen for the ease of creating templates.

The Process

Locate specification or parser code

The first step is to locate a complete specification of the target format or protocol. It is also worth reviewing the parser logic to spot deviations from the specification. For example, some FTP implementations support custom FTP commands that are not in the RFC. The parser code may also hint at additional mutations that would test the protocol more thoroughly.

010 Editor/Wireshark

This next step is optional, but I've found it extremely useful when creating pit files for semi-complex formats. Creating an 010 Template or a Wireshark dissector lets you explore sample files or protocol captures, which helps build and debug the pit file.

There is a repository of 010 Templates at http://www.sweetscape.com/010editor/templates/; check there first for common formats.

Write and Debug the Peach Pit

Create the pit file based on the specifications, parsing logic, and the 010 Editor/Wireshark parsing of the samples.

TODO: Fill in hints on how to build the pit files
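As an added illustration that is not part of the original page, here is a pit file for a small constructed file format (a 4-byte magic, a 32-bit length, the payload, and a CRC32 over the payload), written in the Peach 2.x XML syntax that peach.py consumes. The format itself, the sample path samples/good.chnk and the output name fuzzed.chnk are assumptions for the example; the point is how a specification (or an 010 Template of it) maps onto a DataModel, how the length field and checksum are tied to the payload so that mutations do not trivially fail the parser's sanity checks, and how a sample file is loaded into the model before fuzzing.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd"
       version="1.0" author="example" description="Constructed chunk format">

  <!-- Default mutators, publishers and strategies shipped with Peach -->
  <Include ns="default" src="file:defaults.xml" />

  <!-- Constructed format: magic "CHNK", 32-bit little-endian length,
       'length' bytes of payload, then a CRC32 of the payload. -->
  <DataModel name="ChunkFile">
    <!-- token="true": the parser must see this exact value here -->
    <String name="Magic" value="CHNK" token="true" />
    <Number name="Length" size="32" signed="false" endian="little">
      <!-- Length is recomputed from Payload after each mutation -->
      <Relation type="size" of="Payload" />
    </Number>
    <Blob name="Payload" />
    <Number name="Crc" size="32" endian="little">
      <!-- Checksum is re-derived so mutated payloads still pass the CRC -->
      <Fixup class="checksums.Crc32Fixup">
        <Param name="ref" value="Payload" />
      </Fixup>
    </Number>
  </DataModel>

  <StateModel name="WriteChunk" initialState="Initial">
    <State name="Initial">
      <Action type="output">
        <DataModel ref="ChunkFile" />
        <!-- Sample file (assumed path) is cracked into the model first -->
        <Data name="sample" fileName="samples/good.chnk" />
      </Action>
      <Action type="close" />
    </State>
  </StateModel>

  <Test name="Default">
    <StateModel ref="WriteChunk" />
    <!-- Each iteration writes one mutated file for the target to open -->
    <Publisher class="file.FileWriter">
      <Param name="fileName" value="fuzzed.chnk" />
    </Publisher>
  </Test>

  <Run name="DefaultRun">
    <Test ref="Default" />
  </Run>
</Peach>
```

Run it through the parse test (peach.py -t) and the Peach Validator with the sample file before fuzzing; if the Length relation or the Crc fixup is wired to the wrong element, the validator's field-by-field view of the cracked sample will show it immediately.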

One of the most difficult and important tasks in building the pit file is debugging it to verify that it works as intended. Peach has four tools/methods that assist in debugging and validating pit files.

Parse Testing

The first tool at your disposal verifies that the Peach pit file parses correctly. Getting the pit file to parse properly is the first, and possibly the easiest, step in debugging and validating your fuzzer.

To test the pit file, run the command line tool with the -t argument as shown below. The output will indicate success or failure and provide information on how to resolve any issues.

peach.py -t mypit.xml

Peach Validator

The next tool is the graphical Peach Validator. This program lets you load a pit file, select a data model, and load sample data into that data model. You can then explore the resulting data model, the values it contains, and the offsets in the sample they were read from.

You can run the tool as follows:

peachvalidator.pyw

Peach Debug Output

If you are unable to debug your pit file using the prior tools, the last option is to review the debug output from Peach as it parses the pit file and data. This information is verbose, but sometimes cryptic in nature, as it was originally intended for the author to debug the Peach internals.

TODO: Provide examples and an explanation of how to read the output

peach.py --debug mypit.xml

Configure agents and monitors for target

TODO

Commence fuzzing!

Finally you are all set to run the fuzzer and collect bugs!