Giving Automated Fuzzing a Trial Run with Peach

I’ve never found my own bugs and written my own exploits, and that’s a skill I’d like to develop. In that vein, I’ve been trying out the Peach 3 Fuzzer. Here are some of the tutorials I tried out:

Fuzzing with Peach – Part 1

Fuzzing with Peach – Part 2

I also started writing a Peach Pit (incomplete code below) for the RAR file format using the following sources:

The RAR File Format

RAR File Format – Acritum Software

I even discovered someone had already written a Peach Pit albeit for an older version of Peach.

I used to work for a guy who swore by manual fuzzing and after the experience I’m starting to see why. Peach version 3 seems to have broken some things in version 2 that were just fine. You’ll notice in my code below an assortment of flags. Version 2 provided an easy method to include or exclude additional data from your data model based on whether a flag was set or not in the form of a “when” relation. It looked something like this:

<Relation type="when" when="self.find('FLAG_HERE').getInternalValue() != 0"/>

In version 3, the when relation was removed and the replacement as far as I can find is far less intuitive. I also had trouble finding clear documentation and examples for a lot of functionality for version 3 (custom fixups in particular). General ideas or barebones examples were available, but nothing that made it particularly newcomer friendly.

This is my first foray into finding my own bugs and writing my own exploits, but at the moment manual fuzzing sounds like an enticing alternative to manually defining an entire file specification. I certainly think Peach could be a useful tool, but I think I’ll explore the manual approach to bug finding before I come back to Peach.

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://peachfuzzer.com/2012/Peach">

  <PythonPath path="X:\Programming\winrar_exploit\peach\peach\"/>
  <!--Add resources for the custom fixup-->
  <!--<Import import=""/>-->

  <!-- Data model for the RAR file format -->
  <DataModel name="RARFileFormat">

    <!--The MARK_HEAD -->
    <!--Always the same sequence-->
    <String name="Signature" valueType="hex" value="0x526172211A0700" token="true" mutable="false"/>

    <!--The MAIN_HEAD -->
    <Block name="MAIN_HEAD">
      <!--CRC of the header bytes that follow; needs the custom fixup-->
      <Number name="MAIN_HEAD_CRC" size="16" endian="little" signed="false" mutable="false"/>
      <Number name="MAIN_HEAD_TYPE" signed="false" value="0x73" token="true" size="8" mutable="false"/>
      <Flags name="MAIN_HEAD_FLAGS" size="16">
        <Flag name="MHD_VOLUME" position="0" size="1"/>
        <Flag name="MHD_COMMENT" position="1" size="1"/>
        <Flag name="MHD_LOCK" position="2" size="1"/>
        <Flag name="MHD_SOLID" position="3" size="1"/>
        <Flag name="MHD_PACK_COMMENT" position="4" size="1"/>
        <Flag name="MHD_AV" position="5" size="1"/>
        <Flag name="MHD_PROTECT" position="6" size="1"/>
        <Flag name="MHD_PASSWORD" position="7" size="1"/>
        <Flag name="MHD_FIRSTVOLUME" position="8" size="1"/>
        <Flag name="MHD_ENCRYPTVER" position="9" size="1" value="0"/>
        <Flag name="UNKNOWN10" position="10" size="1"/>
        <Flag name="UNKNOWN11" position="11" size="1"/>
        <Flag name="UNKNOWN12" position="12" size="1"/>
        <Flag name="UNKNOWN13" position="13" size="1"/>
        <Flag name="UNKNOWN14" position="14" size="1"/>
        <Flag name="UNKNOWN15" position="15" size="1"/>
      </Flags>
      <Number name="MAIN_HEAD_SIZE" size="16" signed="false">
        <Relation type="size" of="MAIN_HEAD"/>
      </Number>
      <Number name="HighPosAv" size="16" signed="false"/>
      <Number name="PosAV" size="32" signed="false"/>
    </Block>

    <!--The FILE_HEAD -->
    <Block name="FILE_HEAD">
      <Number name="FILE_HEAD_CRC" size="16" endian="little" signed="false" mutable="false">
        <!--<Fixup class=""/> TODO: custom fixup for the header CRC-->
      </Number>
      <Number name="FILE_HEAD_TYPE" signed="false" value="0x74" token="true" size="8" mutable="false"/>
      <Flags name="FILE_HEAD_FLAGS" size="16">
        <Flag name="LHD_SPLIT_BEFORE" position="0" size="1"/>
        <Flag name="LHD_SPLIT_AFTER" position="1" size="1"/>
        <Flag name="LHD_PASSWORD" position="2" size="1"/>
        <Flag name="LHD_COMMENT" position="3" size="1"/>
        <Flag name="LHD_SOLID" position="4" size="1"/>
        <Flag name="DIC_SIZE" position="5" size="3"/>
        <Flag name="LHD_LARGE" position="8" size="1"/>
        <Flag name="LHD_UNICODE" position="9" size="1"/>
        <Flag name="LHD_SALT" position="10" size="1"/>
        <Flag name="LHD_VERSION" position="11" size="1"/>
        <Flag name="LHD_EXTTIME" position="12" size="1"/>
        <Flag name="LHD_EXTFLAGS" position="13" size="1"/>
        <Flag name="OldVersionIgnore" position="14" size="1"/>
        <Flag name="AddSizePresent" position="15" size="1" value="1"/> <!--SOURCE SAYS THIS IS ALWAYS 1-->
      </Flags>
      <Number name="FileHeadSize" size="16" signed="false">
        <Relation type="size" of="FILE_HEAD"/>
      </Number>
      <Number name="PackSize" size="32" signed="false">
        <Relation type="size" of="RawData"/> <!--TODO: I DO NOT HAVE A RAWDATA YET-->
      </Number>
      <Number name="UnpSize" size="32" signed="false"/>
      <Number name="HostOS" size="8" signed="false"/>
      <Number name="FileCRC" size="32" mutable="false"/> <!--CRC of decompressed file-->
      <Number name="FileTime" size="32" signed="false"/>
      <Number name="UnpVer" size="8" signed="false"/>
      <Number name="Method" size="8" signed="false"/>
      <Number name="NameSize" size="16" signed="false">
        <Relation type="size" of="FileName"/>
      </Number>
      <Number name="FileAttr" size="32" signed="false"/>
      <!--Only present when LHD_LARGE is set-->
      <Block name="OptionalPackSize">
        <!--<Relation type="when" TODO: the Peach 2 "when" relation no longer exists in Peach 3-->
        <Number name="HighPackSize" size="32" signed="false"/>
        <Number name="HighUnpSize" size="32" signed="false"/>
      </Block>
      <String name="FileName"/>
    </Block>

  </DataModel>

  <!--<StateModel name="State" initialState="Initial">
  </StateModel>-->

  <Agent name="WinAgent">
  </Agent>

  <Test name="Default">
  </Test>

</Peach>
