Friday, February 25, 2011

Fuzzing the ELF32 file format with Peach, part 2

Below is the Peach pit for fuzzing the ELF32 file format for use with IDA Pro. Thanks to the Peach mailing list for their help in troubleshooting some issues! You will need Peach, IDA Pro and Debugging Tools for Windows.

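<?xml version="1.0" encoding="utf-8"?>
<!--
  Peach pit: ELF32 header fuzzing against IDA Pro.
  Builds a file from the 52-byte ELF32 header (16-byte e_ident plus the
  36 bytes of Elf32_Ehdr fields), mutates it, writes it out, launches IDA
  on it under the Windows debugger and logs any fault the debugger reports.
-->
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach ../peach.xsd"
       version="1.0"
       author="J. Brett Cunningham">

  <!-- Import defaults for Peach instance -->
  <Include ns="default" src="file:defaults.xml" />

  <!-- Define our file format DDL -->
  <DataModel name="FileData">

    <!-- Elf Magic Number in the Header (e_ident), static and non-configurable.
         Keeping the magic fixed means every generated file gets past the
         target's initial "is this an ELF file" check and reaches the header
         parser; presumably token="true" is what pins it, confirm against the
         Peach element reference. -->
    <Blob name="MagicNumber" valueType="hex" value="7F 45 4C 46" token="true" />

    <!-- Rest of e_ident -->
    <Blob name="EI_CLASS" valueType="hex" value="02" />
    <Number name="EI_DATA" valueType="hex" value="01" />
    <Number name="EI_VERSION" valueType="hex" value="01" />
    <!-- Nine padding bytes. A multi-byte hex string is a byte sequence, so it is
         modelled as a Blob (like MagicNumber and EI_CLASS) rather than a Number. -->
    <Blob name="EI_PAD" valueType="hex" value="00 00 00 00 00 00 00 00 00" />
    <!-- End of e_ident -->

    <!-- Rest of Elf Header: fixed-width little-endian unsigned fields.
         No initial value is given for them here. -->
    <Number name="e_type" size="16" signed="false" endian="little" />
    <Number name="e_machine" size="16" signed="false" endian="little" />
    <Number name="e_version" size="32" signed="false" endian="little" />
    <Number name="e_entry" size="32" signed="false" endian="little" />
    <Number name="e_phoff" size="32" signed="false" endian="little" />
    <Number name="e_shoff" size="32" signed="false" endian="little" />
    <Number name="e_flags" size="32" signed="false" endian="little" />
    <Number name="e_ehsize" size="16" signed="false" endian="little" />
    <Number name="e_phentsize" size="16" signed="false" endian="little" />
    <Number name="e_phnum" size="16" signed="false" endian="little" />
    <Number name="e_shentsize" size="16" signed="false" endian="little" />
    <Number name="e_shnum" size="16" signed="false" endian="little" />
    <Number name="e_shstrndx" size="16" signed="false" endian="little" />
  </DataModel>

  <!-- Define a simple state machine that will write the file and
       then launch a program using the FileWriterLauncher publisher -->
  <StateModel name="State" initialState="Initial">
    <State name="Initial">
      <Action type="open" />

      <!-- Write out contents of file -->
      <Action name="WriteFile" type="output" publisher="file">
        <DataModel ref="FileData" />
      </Action>

      <!-- Close file -->
      <Action type="close" publisher="file" />

      <!-- Launch the file consumer -->
      <Action type="call" method="ida.exe" publisher="launch" />
    </State>
  </StateModel>

  <!-- NOTE(review): location is blank in this listing; confirm the intended
       value (in-process versus remote agent) against the Peach agent docs,
       since it decides how the monitor below gets started. -->
  <Agent name="LocalAgent" location="">
    <!-- NOTE(review): the call action above launches "ida.exe" while this
         monitor attaches to "idag.exe". If those are not the same process the
         debugger never attaches and faults go unrecorded; confirm both names
         refer to the IDA binary that is actually run. -->
    <Monitor class="debugger.WindowsDebugEngine">
      <Param name="ProcessName" value="idag.exe" />
    </Monitor>
  </Agent>

  <Test name="TheTest">
    <Agent ref="LocalAgent" />

    <StateModel ref="State" />

    <!-- Configure our publisher with correct filename to write to -->
    <Publisher class="file.FileWriter" name="file">
      <Param name="fileName" value="fuzzedfile" />
    </Publisher>

    <!-- Launches the target for the call action; windowName presumably names
         the IDA window the publisher waits for, verify in the publisher docs. -->
    <Publisher class="process.DebuggerLauncherGui" name="launch">
      <Param name="windowName" value="IDA" />
    </Publisher>
  </Test>

  <Run name="DefaultRun">
    <Test ref="TheTest" />
    <!-- TODO: Change log path if needed -->
    <Logger class="logger.Filesystem">
      <Param name="path" value="logs" />
    </Logger>
  </Run>
</Peach>
<!-- end -->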
