Finding vulnerabilities requires fuzzing, a repetitive and tedious job, and the fuzzers that help with it make it much easier to narrow down vulnerable points. Among the many fuzzers, this time I want to talk about a somewhat larger one, Peach Fuzzer (a fuzzing framework).
Download Peach Fuzzer
http://community.peachfuzzer.com/ -> go to the Peach Fuzzer download page for your OS
After downloading and extracting the archive you get a number of files; on Linux, the peach file is the main entry point.
Install the packages Peach Fuzzer needs to run
When I ran the peach file right after downloading, an error occurred saying the mono command was not found. It seems the error occurred because mono had not been used on my PC. First, let's look at the code of the ./peach file, shown below.
#!/bin/bash
# Directory the launcher lives in; Peach.exe sits next to it
DIRNAME="`dirname ${0}`"
DEBUG=""
# Pass --debug through to the runtime if it appears anywhere in the arguments
case "$*" in
    *--debug*)
        DEBUG="--debug"
        ;;
esac
# Peach 3 is a .NET assembly, so it is started through mono (sgen garbage collector)
mono --gc=sgen ${DEBUG} ${DIRNAME}/Peach.exe $@
So it runs the exe through mono. Since mono is required, install it with apt-get.
apt-get install mono-complete
After installing, running it works normally.
./peach
[[ Peach v3.1.124.0
[[ Copyright (c) Michael Eddington

This is the Peach Runtime. The Peach Runtime is one of the many ways to use Peach XML files. Currently this runtime is still in development but already exposes several abilities to the end-user such as performing simple fuzzer runs and performing parsing tests of Peach XML files.

Please submit any bugs to https://forums.peachfuzzer.com.

Syntax:

  peach -a channel
  peach -c peach_xml_file [test_name]
  peach [--skipto #] peach_xml_flie [test_name]
  peach -p 10,2 [--skipto #] peach_xml_file [test_name]
  peach --range 100,200 peach_xml_file [test_name]
  peach -t peach_xml_file

  -1                    Perform a single iteration
  -a,--agent            Launch Peach Agent
  -c,--count            Count test cases
  -t,--test xml_file    Validate a Peach XML file
  -p,--parallel M,N     Parallel fuzzing. Total of M machines, this is machine N.
  --debug               Enable debug messages. Usefull when debugging your Peach XML file. Warning: Messages are very cryptic sometimes.
  --trace               Enable even more verbose debug messages.
  --seed N              Sets the seed used by the random number generator
  --parseonly           Test parse a Peach XML file
  --makexsd             Generate peach.xsd
  --showenv             Print a list of all DataElements, Fixups, Monitors Publishers and their associated parameters.
  --showdevices         Display the list of PCAP devices
  --analyzer            Launch Peach Analyzer
  --skipto N            Skip to a specific test #. This replaced -r for restarting a Peach run.
  --range N,M           Provide a range of test #'s to be run.
  -D/define=KEY=VALUE   Define a substitution value. In your PIT you can ##KEY
  --config=FILENAME     XML file containing defined values

Peach Agent

  Syntax: peach -a channel

  Starts up a Peach Agent instance on this current machine. User must provide a channel/protocol name (e.g. tcp).

  Note: Local agents are started automatically.

Performing Fuzzing Run

  Syntax: peach peach_xml_flie [test_name]
  Syntax: peach --skipto 1234 peach_xml_flie [test_name]
  Syntax: peach --range 100,200 peach_xml_flie [test_name]

  A fuzzing run is started by by specifying the Peach XML file and the name of a test to perform.

  If a run is interupted for some reason it can be restarted using the --skipto parameter and providing the test # to start at.

  Additionally a range of test cases can be specified using --range.

Performing A Parellel Fuzzing Run

  Syntax: peach -p 10,2 peach_xml_flie [test_name]

  A parallel fuzzing run uses multiple machines to perform the same fuzzing which shortens the time required. To run in parallel mode we will need to know the total number of machines and which machine we are. This information is fed into Peach via the "-p" command line argument in the format "total_machines,our_machine".

Validate Peach XML File

  Syntax: peach -t peach_xml_file

  This will perform a parsing pass of the Peach XML file and display any errors that are found.

Debug Peach XML File

  Syntax: peach -1 --debug peach_xml_file

  This will perform a single iteration (-1) of your pit file while displaying alot of debugging information (--debug). The debugging information was origionally intended just for the developers, but can be usefull in pit debugging as well.
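To tie the install step and the launcher syntax above together, here is a small wrapper script added as an example (it is not part of the original post or of Peach itself). It checks the mono prerequisite the post ran into, validates the pit with "peach -t" before starting anything, and builds the run command so an interrupted run can be resumed with --skipto. The PEACH_DIR variable and the pit file name are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's or Peach's own code.
# Assumes Peach was extracted into PEACH_DIR (default: current directory).
set -u

# Return 0 when mono is on PATH, 1 otherwise: the error seen right after download.
has_mono() {
    command -v mono >/dev/null 2>&1
}

# Build the peach command line from a pit file, an optional test name and an
# optional test number to resume from (--skipto). Printed, not executed, so it
# can be reviewed before a run is started.
#   build_peach_args pit.xml Default 1234  ->  peach --skipto 1234 pit.xml Default
build_peach_args() {
    pit="$1"; test_name="${2:-}"; skipto="${3:-}"
    args="peach"
    [ -n "$skipto" ] && args="$args --skipto $skipto"
    args="$args $pit"
    [ -n "$test_name" ] && args="$args $test_name"
    printf '%s\n' "$args"
}

# run_peach PIT [TEST_NAME] [SKIPTO]
# 1. refuse to start without mono, 2. validate the pit (peach -t),
# 3. start the run, resuming from SKIPTO when one is given.
run_peach() {
    pit="$1"; test_name="${2:-}"; skipto="${3:-}"
    peach_dir="${PEACH_DIR:-.}"
    if ! has_mono; then
        echo "mono not found; install it with: apt-get install mono-complete" >&2
        return 1
    fi
    # A parse error here is far cheaper than a run that dies on iteration 1.
    "$peach_dir/peach" -t "$pit" || { echo "pit validation failed: $pit" >&2; return 2; }
    set -- "$pit"
    [ -n "$test_name" ] && set -- "$@" "$test_name"
    [ -n "$skipto" ] && set -- --skipto "$skipto" "$@"
    echo "starting: $(build_peach_args "$pit" "$test_name" "$skipto")" >&2
    "$peach_dir/peach" "$@"
}
```

Call it as "PEACH_DIR=/opt/peach run_peach mypit.xml Default" for a fresh run, or add the test number as a third argument to resume after an interruption.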
[SYSTEM HACKING] Application analysis with Peach Fuzzer 1 - Install Peach Fuzzer
[SYSTEM HACKING] Application analysis with Peach Fuzzer 2 - Application Fuzzing for Exploit
[SYSTEM HACKING] Peach Fuzzer's GUI mode - Peach3 Fuzz Bang (Run Peach Fuzzer on GUI Interface)
Reference
http://community.peachfuzzer.com