Is it possible to easily modify Peach so it can be used for mutation based fuzzing too? I would like to be able to just tell Peach where in a file to apply some mutators without writing a pit file to describe the contents of it, just tell Peach to take a file and use a mutator between the 1st and the 4th byte. Right now I have a python script using the python-bitstring module but it would be great to use Peach instead.
Sure, if you just use a blob type you will get dumb fuzzing, e.g. bit flips, dword slide, etc. I recommend using the binary analyzer as it can locate string sizes etc. and auto fuzz them. See the web site for details on analyzers, a link under what's new in 2.3.
-----Original Message-----
From: Radu Stanca <rstanca.li...@gmail.com>
Sent: Saturday, June 27, 2009 5:55 AM
To: peachfuzz@googlegroups.com
Subject: [Peach] More support for mutation based fuzzing?
> Sure, if you just use a blob type you will get dumb fuzzing, eg bit
> flips, dword slide, etc. I recommend using the binary analyzer as it
> can locate strings sizes etc and auto fuzz them. See web site for
> details on analyzers, a link under whats new in 2.3.
Is there something I'm missing here? How can I tell Peach to take an existing binary file as input? The binary analyzer can't be run from the command line according to the wiki. I just want something like this:
-----Original Message-----
From: Radu Stanca <rstanca.li...@gmail.com>
Sent: Saturday, June 27, 2009 2:34 PM
To: peachfuzz@googlegroups.com
Subject: [Peach] Re: More support for mutation based fuzzing?
On Sat, 27 Jun 2009 22:24:30 +0300, Michael Eddington
<medding...@gmail.com> wrote:
I finally had time to play around with this but it does not behave as I want it to. Here's the data model and the state model; I'm using FilePerIteration as the publisher, and the sample.bin file is 157 kbytes in size.
The problem is that the BitFlipperMutator will run through the whole file and not only on those 4 bytes specified by the Blob "Header". If I add the binary.Binary analyzer, Peach will add 4 bytes to the end of every generated file and that's it. I also noticed that adding more than 2 Blob fields to the data model will significantly increase the cracking of the data; in my case, with 3 Blob fields and that 157 kbytes file, it takes more than 10 minutes (I cancelled it after; not sure how long it would take) on a quad core processor.
On Fri, Jul 17, 2009 at 10:07 AM, Radu Stanca<rstanca.li...@gmail.com> wrote:
> <DataModel name="TheDataModel">
> <Blob name="Header" lenght="4"/>
> <Blob name="TheRest" mutable="false" />
> </DataModel>
try length instead of lenght :)
> generate file and that's it. I also noticed that adding more than 2 Blob
> fields to the data model will significantly increase the cracking of the
> data, in my case with 3 Blob fields and that 157kbytes file it takes more
Unless two out of the three blobs are sized with a length field then, yes, things will be VERY slow. Why? Because Peach is trying to figure out how large the Blobs should be (it assumes you had a good reason for specifying three unsized blobs).
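To tie the thread together, here is a complete pit file in the shape the replies point at: a 4-byte sized "Header" blob that is the only mutable element, an unsized "TheRest" blob that soaks up the remainder of the input so cracking stays fast, and a FilePerIteration publisher writing one output file per iteration. This is an added example, not a pit posted in the thread or shipped with Peach; the Include/Test/Run skeleton, the `fileName` parameter and the `Mutators mode="include"` block are assumptions about Peach 2.3 syntax, so check them against the Peach documentation for the version in use.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the thread). Assumes Peach 2.3 pit syntax. -->
<Peach version="1.0" author="example" description="Mutate only the first 4 bytes of sample.bin">

  <!-- Assumed: standard default definitions shipped with Peach 2.x -->
  <Include ns="default" src="file:defaults.xml" />

  <DataModel name="TheDataModel">
    <!-- Sized blob: Peach knows exactly where it ends, no guessing. -->
    <!-- The attribute is "length", not "lenght" (the typo in the thread). -->
    <Blob name="Header" length="4" />
    <!-- Unsized blob takes the rest of the file; mutable="false" keeps -->
    <!-- every mutator off it, so only "Header" is fuzzed. -->
    <Blob name="TheRest" mutable="false" />
  </DataModel>

  <StateModel name="TheStateModel" initialState="Initial">
    <State name="Initial">
      <Action type="output">
        <DataModel ref="TheDataModel" />
        <!-- Crack the data model from an existing sample file. -->
        <Data name="data" fileName="sample.bin" />
      </Action>
    </State>
  </StateModel>

  <Test name="TheTest">
    <!-- Assumed 2.3 syntax: restrict the run to the bit flipper only. -->
    <Mutators mode="include">
      <Mutator class="BitFlipperMutator" />
    </Mutators>
    <StateModel ref="TheStateModel" />
    <!-- One output file per iteration; %d is replaced by the iteration. -->
    <Publisher class="file.FilePerIteration">
      <Param name="fileName" value="fuzzed_%d.bin" />
    </Publisher>
  </Test>

  <Run name="DefaultRun">
    <Test ref="TheTest" />
  </Run>

</Peach>
```

Only one blob is left unsized here; as the reply above says, every additional unsized blob forces Peach to search for a consistent split of the input, which is what made the three-blob model crawl on a 157 kbyte file.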