Triggering a Fault From a Publisher in The Peach Fuzzing Platform
by sirus on Feb.06, 2012, under Fuzzing
Oftentimes when fuzzing obscure targets one finds a need to trigger a fault from within a publisher. Peach itself does not provide a direct facility to do this, but extending Peach to provide this functionality is simple.
As Publishers are designed to function as independent entities tasked only with getting mutated data to and from a target, they have no direct ability outside of the PublisherSoftException to communicate exceptional conditions. However, a facility exists that allows Publishers to raise events with any attached Monitors directly, using the OnPublisherCall method.
This facility allows us to raise specific signals within Monitors, which we in turn can use to raise faults once the Monitor is queried:
```python
from Peach.Engine.engine import Engine
from Peach.agent import Monitor


class PublisherMonitor(Monitor):
    def __init__(self, args):
        Monitor.__init__(self, args)
        self._name = "PublisherMonitor"
        self._fault = False

    def OnTestStarting(self):
        # Reset at the start of every iteration so a fault raised during one
        # test case does not carry over into the next one.
        self._fault = False

    def DetectedFault(self):
        return self._fault

    def PublisherCall(self, method):
        # Invoked by the agent whenever a publisher calls OnPublisherCall(method).
        if method == "TriggerFault":
            self._fault = True
```
Given this monitor we can simply invoke the following call to trigger a fault from within a Publisher:
```python
Engine.context.agent.OnPublisherCall("TriggerFault")
```
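To show how the signal travels end to end (publisher call, agent fan-out to monitors, engine query after the iteration, reset before the next one), here is an added, self-contained example that is not code from the post or from Peach. The Monitor base class, Agent, Context and Engine defined below are constructed stand-ins for the real Peach.agent and Peach.Engine.engine classes so that the example runs without Peach installed; ResponseCheckingPublisher and fake_target are likewise constructed for illustration.

```python
class Monitor(object):
    """Constructed stand-in for the interface of Peach.agent.Monitor."""
    def __init__(self, args):
        self._name = "Monitor"

    def OnTestStarting(self):
        pass

    def DetectedFault(self):
        return False

    def PublisherCall(self, method):
        return None


class PublisherMonitor(Monitor):
    """Same logic as the monitor in the post: latch a fault when the publisher
    signals TriggerFault, clear it again at the start of every test case."""
    def __init__(self, args):
        Monitor.__init__(self, args)
        self._name = "PublisherMonitor"
        self._fault = False

    def OnTestStarting(self):
        self._fault = False  # without this reset, every later iteration would also report a fault

    def DetectedFault(self):
        return self._fault

    def PublisherCall(self, method):
        if method == "TriggerFault":
            self._fault = True


class Agent(object):
    """Constructed stand-in: fans a publisher call out to every attached monitor."""
    def __init__(self, monitors):
        self.monitors = monitors

    def OnPublisherCall(self, method):
        return [m.PublisherCall(method) for m in self.monitors]

    def OnTestStarting(self):
        for m in self.monitors:
            m.OnTestStarting()

    def DetectedFault(self):
        return any(m.DetectedFault() for m in self.monitors)


class Context(object):
    def __init__(self, agent):
        self.agent = agent


class Engine(object):
    """Constructed stand-in for Peach's Engine; only the class-level context is used."""
    context = None


class ResponseCheckingPublisher(object):
    """Constructed publisher. Only the publisher sees the target's reply, so it is
    the one place that can decide the condition of interest occurred and raise
    the signal the monitor is listening for."""
    def __init__(self, responder):
        self.responder = responder

    def send(self, data):
        reply = self.responder(data)
        if reply.startswith(b"ERR"):
            Engine.context.agent.OnPublisherCall("TriggerFault")
        return reply


def run_iterations(testcases, responder):
    """Drive one publisher through a list of test cases the way the engine
    would, and return the indices of the iterations that reported a fault."""
    monitor = PublisherMonitor({})
    Engine.context = Context(Agent([monitor]))
    publisher = ResponseCheckingPublisher(responder)
    faults = []
    for index, testcase in enumerate(testcases):
        Engine.context.agent.OnTestStarting()   # monitors reset here
        publisher.send(testcase)                 # may call OnPublisherCall
        if Engine.context.agent.DetectedFault(): # engine queries monitors afterwards
            faults.append(index)
    return faults


def fake_target(data):
    """Constructed target that rejects over-long input; stands in for the real peer."""
    return b"ERR too long" if len(data) > 8 else b"OK"


if __name__ == "__main__":
    # Only the middle test case trips the publisher's condition.
    print(run_iterations([b"short", b"x" * 20, b"short"], fake_target))
```

The third iteration is not reported as a fault even though the second one was, which is exactly what the OnTestStarting reset buys you; drop that method and the monitor would flag every iteration after the first error.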
[PROTIP] Get an Interactive Python Shell in Peach
by sirus on Sep.30, 2010, under Code, Fuzzing
Peach, being the monolith that it is, breaks most Python debugging tools, which makes debugging pit files extremely difficult. I came across the RC of the IPython interactive shell and found that it can actually handle breaking in the middle of cracking input in Peach!
Download and install IPython 0.10.1.rc1.
Create a code-behind file for peach with this simple function:
```python
import inspect
import IPython


def db():
    # Grab the frame of whoever called db(), e.g. the relation expression being
    # evaluated by the cracker, so the shell sees its globals and locals.
    uframe = inspect.currentframe().f_back
    # Merge our own globals with the caller's, then embed IPython with the
    # caller's locals so names such as self (the DataElement) resolve.
    return eval('IPython.Shell.IPShellEmbed([])()',
                dict(globals().items() + uframe.f_globals.items()),
                uframe.f_locals)
```
Now anywhere you have an evaluated field you can execute a db() call and break into a Python shell with the full context, so you have access to the cracker and the DataElement! A great feature of IPython is that it also has tab autocompletion and element inspection.
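The heart of that trick is walking one frame back and handing the caller's namespace to the shell. The following added example (not from the post, and not tied to IPython 0.10) isolates that part with the standard library only: caller_namespace() builds the same globals-overlaid-with-locals view, db() opens a plain code.interact shell with it, and evaluate_in_caller() shows what a string expression evaluated in that frame can see, which is how a relation expression in a pit gets at self. The function names and the Python 3 spelling are my assumptions; the stdlib console is a substitute for IPython's IPShellEmbed and lacks its tab completion.

```python
import code
import inspect


def caller_namespace(depth=1):
    """Return the caller's globals overlaid with its locals, so locals win
    on a name clash just as they do inside the frame itself."""
    frame = inspect.currentframe()
    try:
        for _ in range(depth):
            frame = frame.f_back
        namespace = dict(frame.f_globals)
        namespace.update(frame.f_locals)
        return namespace
    finally:
        # Frame objects reference their own locals; drop ours so the
        # cycle does not keep the caller's frame alive.
        del frame


def db(banner="debug shell in caller context (Ctrl-D to resume)"):
    """Stdlib stand-in for IPython.Shell.IPShellEmbed([])(): open an
    interactive console whose names are those of whoever called db().
    depth=2 skips db()'s own frame. Returns True so an expression such as
    when=\"db() or True\" keeps evaluating after the shell is closed."""
    code.interact(banner=banner, local=caller_namespace(depth=2))
    return True


def evaluate_in_caller(expression):
    """Evaluate a string expression as if it were written inside the
    calling function, the way a pit relation expression runs with its
    element already bound."""
    return eval(expression, caller_namespace(depth=2))


class FakeElement(object):
    """Constructed stand-in for a DataElement with an internal value."""
    def __init__(self, value):
        self._value = value

    def getInternalValue(self):
        return self._value


def crack_step(element):
    """Constructed caller: a local named self is visible to the expression,
    exactly like the self a pit relation expression refers to."""
    self = element
    return evaluate_in_caller("self.getInternalValue() & 0x1 == 0x1")


if __name__ == "__main__":
    print(crack_step(FakeElement(3)))   # the odd value satisfies the expression
    print(crack_step(FakeElement(2)))
```

Without the f_back step, caller_namespace() would return db()'s own (empty) locals and the shell would be blind to self and the cracker, which is precisely the problem the frame walk solves.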
And here is some example usage:
```xml
<Import import="*" from="peach_debug"/>
...
<DataModel name="SampleModel">
    <Number name="foo">
        <!-- always break -->
        <Relation type="when" when="db() or True" />
    </Number>
    <Blob name="bar">
        <!-- always break but maintain a conditional so parsing continues -->
        <Relation type="when" when="( db() and False) or int(self.find('foo').getInternalValue()) &amp; 0x1 == 0x1" />
    </Blob>
    <Blob name="bas">
        <!-- break only on specific conditional -->
        <Relation type="when" when="( int(self.find('foo').getInternalValue()) == 0x03 and db()) or True" />
    </Blob>
</DataModel>
```
Once you are in the IPython shell try the following:
```text
self?
self??
self.getInternalValue()
self.parent?
self.find('foo')
self.find('foo').getInternalValue()
```
To break out of the shell and resume execution of Peach, press Ctrl+Z.