Below is the Peach pit for fuzzing the ELF32 file format, for use against IDA Pro. Thanks to the Peach mailing list for their help in troubleshooting some issues! You will need Peach (http://peachfuzzer.com/), IDA Pro and Debugging Tools for Windows (http://www.microsoft.com/whdc/devtools/debugging/default.mspx).
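<?xml version="1.0" encoding="utf-8"?>
<!--
  Peach pit: ELF32 header fuzzing harness for IDA Pro.

  Flow per iteration: write a mutated ELF header to the "file" publisher
  (fuzzedfile), close it, then launch IDA through the "launch" publisher
  while the WindowsDebugEngine monitor on the local agent watches the
  process for faults. Results go to the filesystem logger under "logs".
-->
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach ../peach.xsd"
       version="1.0"
       author="J. Brett Cunningham">

  <!-- Import defaults for the Peach instance (local file, relative to the pit) -->
  <Include ns="default" src="file:defaults.xml" />

  <!--
    ELF32 header (Elf32_Ehdr, 52 bytes). Only the header is modelled: no
    program or section headers follow it, so every generated file is a bare
    header. The e_* fields below carry no initial value, so the un-mutated
    seed is not a valid binary; seeding them from a real ELF32 file would
    give the target more to parse (TODO).
  -->
  <DataModel name="FileData">
    <!-- e_ident[0..3]: ELF magic. token="true" keeps it fixed so the target
         always recognises the file as ELF and reaches the header parser. -->
    <Blob name="MagicNumber" valueType="hex" value="7F 45 4C 46" token="true" />

    <!-- e_ident[4..6]: one byte each, modelled uniformly as 8-bit Numbers
         (the original mixed a Blob and size-less Numbers for these). -->
    <!-- EI_CLASS must be 01 (ELFCLASS32) to match the 32-bit e_* fields
         below; 02 is ELFCLASS64, whose header has a different layout. -->
    <Number name="EI_CLASS" size="8" signed="false" valueType="hex" value="01" />
    <!-- EI_DATA 01 = ELFDATA2LSB, matching endian="little" below -->
    <Number name="EI_DATA" size="8" signed="false" valueType="hex" value="01" />
    <!-- EI_VERSION 01 = EV_CURRENT -->
    <Number name="EI_VERSION" size="8" signed="false" valueType="hex" value="01" />
    <!-- e_ident[7..15]: 9 bytes of padding. A Blob, not a Number: a Number
         holds at most 64 bits and cannot represent a 9-byte value. -->
    <Blob name="EI_PAD" valueType="hex" value="00 00 00 00 00 00 00 00 00" />
    <!-- End of e_ident (16 bytes total) -->

    <!-- Remaining Elf32_Ehdr fields, all unsigned little-endian -->
    <Number name="e_type"      size="16" signed="false" endian="little" />
    <Number name="e_machine"   size="16" signed="false" endian="little" />
    <Number name="e_version"   size="32" signed="false" endian="little" />
    <Number name="e_entry"     size="32" signed="false" endian="little" />
    <Number name="e_phoff"     size="32" signed="false" endian="little" />
    <Number name="e_shoff"     size="32" signed="false" endian="little" />
    <Number name="e_flags"     size="32" signed="false" endian="little" />
    <Number name="e_ehsize"    size="16" signed="false" endian="little" />
    <Number name="e_phentsize" size="16" signed="false" endian="little" />
    <Number name="e_phnum"     size="16" signed="false" endian="little" />
    <Number name="e_shentsize" size="16" signed="false" endian="little" />
    <Number name="e_shnum"     size="16" signed="false" endian="little" />
    <Number name="e_shstrndx"  size="16" signed="false" endian="little" />
  </DataModel>

  <!-- Simple state machine: write the file, close it, launch the consumer.
       Every action names its publisher explicitly so that, with two
       publishers configured, none falls back to an implicit default. -->
  <StateModel name="State" initialState="Initial">
    <State name="Initial">
      <Action type="open" publisher="file" />
      <!-- Write out contents of file -->
      <Action name="WriteFile" type="output" publisher="file">
        <DataModel ref="FileData" />
      </Action>
      <!-- Close file -->
      <Action type="close" publisher="file" />
      <!-- Launch the file consumer.
           NOTE(review): this calls "ida.exe" but the monitor below watches
           "idag.exe"; both must name the same IDA binary or the debugger
           never sees the launched process - confirm against the installed
           version. Also confirm the launcher passes the fuzzed file name to
           the command; nothing here appends it. -->
      <Action type="call" method="ida.exe" publisher="launch" />
    </State>
  </StateModel>

  <!-- Local agent: the Windows debugger monitor attaches to the target by
       process name and reports faults back to Peach. -->
  <Agent name="LocalAgent" location="http://127.0.0.1:9000">
    <Monitor class="debugger.WindowsDebugEngine">
      <Param name="ProcessName" value="idag.exe" />
    </Monitor>
  </Agent>

  <Test name="TheTest">
    <Agent ref="LocalAgent" />
    <StateModel ref="State" />
    <!-- Configure our publisher with the correct filename to write to -->
    <Publisher class="file.FileWriter" name="file">
      <Param name="fileName" value="fuzzedfile" />
    </Publisher>
    <!-- GUI launcher: windowName is the title the publisher waits for -->
    <Publisher class="process.DebuggerLauncherGui" name="launch">
      <Param name="windowName" value="IDA" />
    </Publisher>
  </Test>

  <Run name="DefaultRun">
    <Test ref="TheTest" />
    <!-- TODO: Change log path if needed -->
    <Logger class="logger.Filesystem">
      <Param name="path" value="logs" />
    </Logger>
  </Run>
</Peach>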
<!-- end -->