.. currentmodule:: netzob

.. _tutorial_peach:

Auto generation of Peach pit files/fuzzers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Principle
^^^^^^^^^

Peach is an open-source fuzzing framework. It provides an API to create smart fuzzers adapted to the tester's needs through XML configuration files called *Peach pit files*. Writing such files requires knowledge of the message formats and of the state machine of the targeted protocol, as well as of the actor Peach has to fuzz. Fortunately, Netzob provides means to reverse engineer undocumented and proprietary protocols from captured traces in a semi-automatic way. Netzob also provides an exporter plugin for Peach that automatically transforms the inferred data model and state machine of a targeted protocol into a Peach pit file.

This tutorial shows how to take advantage of the Peach exporter plugin provided in Netzob to automatically construct Peach pit configuration files.

Prerequisite
^^^^^^^^^^^^

You need Netzob in version 0.4.1 or above. This tutorial assumes that you have previously followed the *Getting started with Netzob* tutorial and have a complete Netzob project (or at least some message formats). The protocol implementation used in that tutorial contains several vulnerabilities that should be detected during fuzzing. It also assumes that you have Peach 2.3.8 installed.

Export
^^^^^^

To export the project, go to ``File`` > ``Export the project`` > ``Peach pit file``. The window below should appear:

.. figure:: https://dev.netzob.org/attachments/download/134
   :align: center
   :alt: Peach export window

The window is composed of three panels. The left one lists all the available fuzzers. They differ in how the protocol state is represented. Three kinds of fuzzer are available:

- "Randomized state order fuzzer": one state is created for each Netzob symbol, and at each step the fuzzer moves to a randomly chosen state.
- "Randomized transitions stateful fuzzer": one state is created for each Netzob symbol, and the transitions between these states are those Netzob allows, weighted by their probability.
- "One-state fuzzer": a single state is created, corresponding to the chosen symbol.

When the fuzzer is in a particular state, it sends fuzzed data corresponding to the associated symbol to the target. Choose one of the three.

The right panel shows the fuzzer. It gives the user an idea of what the export does and of what changes between two configurations.

The bottom panel has two options:

- The first option, ``Fuzzing based on``, selects which Netzob data model the fuzzing is based on:

  - "Variable": use the Netzob variables to build the Peach data models. This produces a fuzzier but less smart fuzzer.
  - "Regex": use the Netzob regexes (displayed at the top of the symbol visualization). This is the simplest solution.

- The second option, ``Mutate static fields``, selects whether the static fields of the Netzob data model are fuzzed or not.

The ``Export`` button exports the fuzzer into a user-defined file.

Use this fuzzer into Peach
^^^^^^^^^^^^^^^^^^^^^^^^^^

Export this fuzzer directly through the ``Export`` button to a file named "test.xml" in the Peach directory. The export should also create a ``PeachzobAddons.py`` file, which is essential for Peach to leverage Netzob capabilities as "fixups". The "test.xml" file should look like this. Look closely at the few XML comments.

This tutorial will not discuss Peach agents, but configuring one of them could be useful.

In the Test block, there are as many publishers as the Netzob simulator has actors. Only one publisher is needed, so remove the others. If there is no publisher, create one according to the model above. In this example, the tester removes the second publisher.
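The two export options (``Fuzzing based on``, ``Mutate static fields``) and the "one publisher per actor" rule are easier to see on a concrete pit. The script below is an added example written for this tutorial; it is neither Netzob's exporter plugin nor Peach code. It builds a minimal pit for a "one-state fuzzer" on one symbol and then trims the Test block to a single publisher, the way the tutorial asks you to do by hand. The element and attribute names (``DataModel``/``String``, ``StateModel``, ``Action type="output"``, ``Test``/``Publisher class="tcp.Tcp"``, ``Run``, ``isStatic``) follow the Peach 2.x pit format as I remember it and should be checked against the ``test.xml`` the exporter writes; the symbol name, field split, host and port are constructed for the example.

```python
"""Build a minimal Peach 2.x pit for one Netzob-like symbol and trim the
Test block to a single publisher.

Added example for this tutorial; it is neither Netzob's Peach exporter
plugin nor code from Peach. The pit layout (DataModel/String, StateModel,
Action type="output", Test/Publisher class="tcp.Tcp", Run) and the
isStatic attribute follow the Peach 2.x format as I remember it; compare
with the test.xml the exporter writes before relying on it. Host, port,
the field split and the symbol name are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed symbol: the api_identify request from the tutorial, split the
# way a Netzob symbol would be: static command, static separator, variable
# argument. Tuples are (field name, value, is_static).
API_IDENTIFY_FIELDS = [
    ("Command", "api_identify", True),
    ("Separator", "#", True),
    ("Arg", "fred", False),
]


def build_one_state_pit(symbol_name, fields, publishers, mutate_static=False):
    """Return the pit XML (str) for a "one-state fuzzer" on one symbol.

    publishers: one (host, port) pair per simulator actor, mirroring the
    exporter, which emits one Publisher per actor.
    """
    peach = ET.Element("Peach", version="1.0")

    data_model = ET.SubElement(peach, "DataModel", name=symbol_name)
    for name, value, is_static in fields:
        attrs = {"name": name, "value": value}
        # "Mutate static fields" off: mark static fields so Peach leaves them alone
        if is_static and not mutate_static:
            attrs["isStatic"] = "true"
        ET.SubElement(data_model, "String", attrs)

    # One state that sends the fuzzed symbol to the target
    state_model = ET.SubElement(peach, "StateModel", name="SM", initialState="S0")
    state = ET.SubElement(state_model, "State", name="S0")
    action = ET.SubElement(state, "Action", type="output")
    ET.SubElement(action, "DataModel", ref=symbol_name)

    test = ET.SubElement(peach, "Test", name="DefaultTest")
    ET.SubElement(test, "StateModel", ref="SM")
    for host, port in publishers:
        pub = ET.SubElement(test, "Publisher", {"class": "tcp.Tcp"})
        ET.SubElement(pub, "Param", name="host", value=host)
        ET.SubElement(pub, "Param", name="port", value=str(port))

    run = ET.SubElement(peach, "Run", name="DefaultRun")
    ET.SubElement(run, "Test", ref="DefaultTest")
    return ET.tostring(peach, encoding="unicode")


def list_publishers(pit_xml):
    """Return [(class, host, port)] for every Publisher in the pit."""
    found = []
    for pub in ET.fromstring(pit_xml).iter("Publisher"):
        params = {p.get("name"): p.get("value") for p in pub.findall("Param")}
        found.append((pub.get("class"), params.get("host"), params.get("port")))
    return found


def keep_one_publisher(pit_xml, keep_index=0):
    """Drop every Publisher but the keep_index-th one from each Test block.

    Peach needs exactly one publisher here, so the extra actors' publishers
    must go; fail loudly rather than silently leaving none.
    """
    root = ET.fromstring(pit_xml)
    for test in root.iter("Test"):
        pubs = test.findall("Publisher")
        if not pubs:
            continue  # e.g. the <Test ref="..."/> inside <Run>
        if not 0 <= keep_index < len(pubs):
            raise ValueError("no publisher at index %d" % keep_index)
        for i, pub in enumerate(pubs):
            if i != keep_index:
                test.remove(pub)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Two actors in the simulator -> two publishers; keep the first one
    pit = build_one_state_pit("api_identify", API_IDENTIFY_FIELDS,
                              [("127.0.0.1", 4242), ("127.0.0.1", 4243)])
    print(keep_one_publisher(pit, 0))
```

Switching ``mutate_static`` on drops the ``isStatic`` markers, which is what ``Mutate static fields`` does in the exporter: the command keyword and separator then get mutated too, so many more test cases are rejected by the target's parser before reaching the code that handles the argument.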
Launch the fuzzing
^^^^^^^^^^^^^^^^^^

First start the targeted server:

::

    ./server

Assuming that you exported the "test.xml" file into the Peach directory, you can now start the fuzzer:

::

    python peach.py test.xml

After a few seconds, you should trigger a segfault or a stack smashing detection:

::

    -> Read: api_identify#fred
    Command: api_identify
    Arg: fred
    <- Send:
    Return value: 0
    Size of data buffer: 13
    Data buffer:
    DATA: 72 65 73 70 5f 69 64 65 6e 74 69 66 79 "resp_identify"
    -> Read: api_identify#f
    Command: api_identify
    Arg: f
    *** stack smashing detected ***: ./server terminated
    ======= Backtrace: =========
    /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xcec045]
    /lib/i386-linux-gnu/libc.so.6(+0x103ffa)[0xcebffa]
    ./server[0x8048a3c]
    ./server[0x8048eb4]
    ./server[0x8048985]
    /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xc014d3]
    ./server[0x8048831]
    ======= Memory map: ========
    00289000-0028a000 r-xp 00000000 00:00 0 [vdso]
    002fb000-00317000 r-xp 00000000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.1
    00317000-00318000 r--p 0001b000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.1
    00318000-00319000 rw-p 0001c000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.1
    00bb4000-00bd4000 r-xp 00000000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so
    00bd4000-00bd5000 r--p 0001f000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so
    00bd5000-00bd6000 rw-p 00020000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so
    00be8000-00d8b000 r-xp 00000000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so
    00d8b000-00d8c000 ---p 001a3000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so
    00d8c000-00d8e000 r--p 001a3000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so
    00d8e000-00d8f000 rw-p 001a5000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so
    00d8f000-00d92000 rw-p 00000000 00:00 0
    08048000-0804a000 r-xp 00000000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server
    0804a000-0804b000 r--p 00001000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server
    0804b000-0804c000 rw-p 00002000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server
    09e0d000-09e2e000 rw-p 00000000 00:00 0 [heap]
    b778b000-b778c000 rw-p 00000000 00:00 0
    b77a8000-b77ac000 rw-p 00000000 00:00 0
    bf90f000-bf930000 rw-p 00000000 00:00 0 [stack]
    Abandon (core dumped)

The report comes from glibc's stack protector: ``__fortify_fail`` is reached from ``__stack_chk_fail`` (the ``libc.so.6(+0x103ffa)`` frame), which was called on return from the function at ``./server[0x8048a3c]``, so the corrupted frame belongs to the server's own code and not to a library. Once the server is dead, Peach keeps sending to a closed port, so restart it before continuing; an agent with a process monitor is the usual way to automate that, which is why configuring one can be worthwhile even if this tutorial does not cover it.
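When the fuzzer produces a crash like the one above, the first task is to turn the raw glibc report into something you can look up in the binary. The script below is an added example written for this tutorial, not part of Netzob or Peach: it parses the ``*** stack smashing detected ***`` report, extracts the backtrace frames, and resolves each frame address to the mapping it falls in and the corresponding file offset, which is what you hand to ``addr2line`` or ``objdump`` for a shared library. The sample input is copied from the output above with the memory map trimmed to the lines needed; nothing else about the target is assumed.

```python
"""Triage the crash report printed when the fuzzed ./server dies.

Added example for this tutorial, not part of Netzob or Peach. It parses
the glibc stack-protector report shown in the tutorial (the constructed
sample below is that output with the memory map trimmed) and resolves each
backtrace address to the mapping it falls in plus the file offset inside
that object. Nothing is assumed about the binary beyond what the memory
map itself states.
"""
import re

CRASH_OUTPUT = """\
-> Read: api_identify#f
Command: api_identify
Arg: f
*** stack smashing detected ***: ./server terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xcec045]
/lib/i386-linux-gnu/libc.so.6(+0x103ffa)[0xcebffa]
./server[0x8048a3c]
./server[0x8048eb4]
./server[0x8048985]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xc014d3]
./server[0x8048831]
======= Memory map: ========
00289000-0028a000 r-xp 00000000 00:00 0 [vdso]
00be8000-00d8b000 r-xp 00000000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so
08048000-0804a000 r-xp 00000000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server
0804a000-0804b000 r--p 00001000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server
09e0d000-09e2e000 rw-p 00000000 00:00 0 [heap]
bf90f000-bf930000 rw-p 00000000 00:00 0 [stack]
Abandon (core dumped)
"""

# module(symbol+off)[0xaddr] or module[0xaddr]
FRAME_RE = re.compile(
    r"^(?P<module>\S+?)(?:\((?P<symbol>[^)]*)\))?\[(?P<addr>0x[0-9a-f]+)\]$")
# start-end perms offset dev inode [path]
MAP_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>\S{4}) "
    r"(?P<offset>[0-9a-f]+) \S+ \d+\s*(?P<path>.*)$")


def parse_crash(text):
    """Return (reason, frames, mappings) from a glibc abort report.

    frames: [(module, symbol or None, addr)], in backtrace order
    mappings: [(start, end, perms, file_offset, path)]
    """
    reason, frames, mappings, section = None, [], [], None
    for line in text.splitlines():
        line = line.strip()
        if "*** stack smashing detected ***" in line:
            reason = "stack smashing detected"
        elif line.startswith("======= Backtrace"):
            section = "bt"
            continue
        elif line.startswith("======= Memory map"):
            section = "map"
            continue
        if section == "bt":
            m = FRAME_RE.match(line)
            if m:
                frames.append((m["module"], m["symbol"], int(m["addr"], 16)))
        elif section == "map":
            m = MAP_RE.match(line)
            if m:
                mappings.append((int(m["start"], 16), int(m["end"], 16),
                                 m["perms"], int(m["offset"], 16), m["path"]))
    return reason, frames, mappings


def resolve(addr, mappings):
    """Map a runtime address to (path, perms, file offset), or None if unmapped."""
    for start, end, perms, offset, path in mappings:
        if start <= addr < end:
            return path, perms, addr - start + offset
    return None


def triage(text):
    """Resolve every backtrace frame; unmapped addresses keep path/offset None."""
    reason, frames, mappings = parse_crash(text)
    resolved = []
    for module, symbol, addr in frames:
        hit = resolve(addr, mappings)
        resolved.append({"module": module, "symbol": symbol, "addr": addr,
                         "path": hit[0] if hit else None,
                         "offset": hit[2] if hit else None})
    return {"reason": reason, "frames": resolved}


def first_target_frame(report, target="server"):
    """First frame inside the fuzzed binary: where to start reading the code."""
    for frame in report["frames"]:
        if frame["path"] and frame["path"].endswith("/" + target):
            return frame
    return None


if __name__ == "__main__":
    report = triage(CRASH_OUTPUT)
    print(report["reason"])
    for frame in report["frames"]:
        print("0x%08x -> %s + 0x%x" % (frame["addr"], frame["path"], frame["offset"]))
```

For the non-PIE 32-bit ``./server`` mapped at ``0x08048000`` the runtime address is already the link-time address, so ``addr2line -e server 0x8048a3c`` works directly; for ``libc`` the computed offset (``0x104045`` for the ``__fortify_fail`` frame) is what you look up in the library file. The frames just below ``__stack_chk_fail`` are the place to read first, since that is the function whose canary was overwritten by the fuzzed ``api_identify`` argument.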