Advanced Fuzzing

Table of Content
Write the sample application................................................................................................................2

tear down the ssl layer..........................................................................................................................8
Communication flow between the client and server..........................................................................22
Process of connection....................................................................................................................22
Client message sending..................................................................................................................24
Server message delivery................................................................................................................25
Server Send Satus..........................................................................................................................26
Creation of LUA script.......................................................................................................................27
Protocol creation............................................................................................................................27
init function....................................................................................................................................27
Dissector Function.........................................................................................................................27
Register Protocol............................................................................................................................27
Whole Code at this milestone........................................................................................................27
set protocol name...........................................................................................................................29
Write the dissector.........................................................................................................................29
cycle to analyze the actual part of the packet................................................................................29
The whole script until now............................................................................................................31
extend the dissector with missing packet types.............................................................................32
The whole script.............................................................................................................................34
fuzzing................................................................................................................................................36
Autogenerate the datamodel by struct2peach................................................................................36
Autogenerate the datamodel by peachshark..................................................................................36
Create the peach .xml file..............................................................................................................39
Create the datamodel.....................................................................................................................44
Create the state model....................................................................................................................55
Create the Agent.............................................................................................................................55
Create the Test section...................................................................................................................56
Create the Run section...................................................................................................................56
Whole chat.xml file........................................................................................................................56
Run the fuzzer................................................................................................................................60
Fuzz the message sending..............................................................................................................61
Write the sample application
Create a new project
Select the Win32 \ Win32 project, and give it a name
on the welcome screen of the wizard click to the next button

select the "Windows Application", then click to the finish button.
Right click on the new project and from the popup menu select the properties command:
Go to the "Configuration Properties", and within that the C/C++. There select the "Additional
Include Directories", and click on the "..." icon at the right side
click on the new line icon, and click to the "..." icon.
Select the openssl install directory, within that the include directory: "C:\OpenSSL-Win32\include"
Click to the OK button

Then go to the "Configuration Properties \ General" and set the "Character Set" to Use Multi-Byte
Character Set.
Then go to the "Configuration Properties \ Linker \ Input". Then select "Additional Dependencies",
and click on the "..." icon at the right side of it.
At the new windows add the libeay32MD.lib and ssleay32MD.lib files from the openssl install
directory \ lib \ VC \ static, then click to the OK button.
We will get the next:
then right click to the Solution and from the popup menu select the Add \ New Project ... command.
Select the Win32 \ Win32 Console Application. Give it a name, and click to the OK button.
On the Welcome screen click to the next button

Then click to the finish button
right click to the "Header Files" of this new project, and select the Add \ Existing item
Add the mychatsrv.h from the previous project.
Right click again to the "Source Files" of this project, and select the Add \ New Item ... command
Select the C++ file from the dialog box, and give a name to the file:
Then right click to this project, and select the properties command from the popup menu.
peel the ssl layer
Unfortunately the traffic is ssl encrypted. If we were just try to fuzz it in this way we were fuzz only
the openssl layer, but we want to fuzz the encrypted data within the ssl tunnel. To do it we must peel
the ssl layer.
To do it we need a certificate (we will use now the openssl to generate one, but any other method
can be used). The windows version can be downloaded for example from the next URL:
http://www.openssl.org
And we need the Stunnel application. The Stunnel is able to create an ssl tunnel for us.
First we capture the traffic, to see the communication
Encrypted traffic
chatclient.exe chatclient.exe
Stunnel at 0.0.0.0:9999 („chatserver“)
Stunnel at 0.0.0.0:1234
Decrypted traffic. We watch it („chatserver“)
with network monitor. We send it
to other machine, because most
network monitor not capable to
listen at 127.0.0.1
Real chatserver 0.0.0.0::9999
Install Openssl on the usual way, then go to the new openssl directory:
cd C:\OpenSSL-Win32\bin
Create a key to your certificate server:

openssl genrsa -des3 -out ca.key 1024
Then create a public certificate from the keyfile:
openssl req -config openssl.cfg -new -x509 -days 1001 -key ca.key
-out ca.cer
answer to the questions aproprietry
openssl x509 -in ca.cer -outform DER -out ca.der
by default the openssl want to use the demoCA directory so we crate it:
cd \OpenSSL-Win32\bin
md demoCA
cd demoCA
md newcerts
cd ..
Create an empty file called c:\OpenSSL-Win32\bin\demoCA\index.txt

Create file called c:\OpenSSL-Win32\bin\demoCA\serial (without extension). The
content of it should be 01
Add the CA certificate to our trusted root certificate store.
Start an mmc console
select file \ add Remove snapin:
from the popup window select certificate then press the add button
in the new window select computer account then click on the next button
Select local computer, then click to the finish button:
then click to the ok button

naviget in the tree to the certificates \ trusted root certificate authorities \ certificates:
right click on it and from the popup menu select All tasks \ import
on the welcome screen of the import wizard click to next button:
click to the browse button:

and select the C:\OpenSSL-Win32\bin\ca.cer file, then click to the next button
in the other window click to the next button again
Then click to the finis button

the computer imports the certificate click to the OK button:
The root certificate will be added:

close the mmc console:
Create a server certificate
now our root certificate is created and accepted by the computer, we has to create the two
certificates for the two stunnel. For this we must create a request, it can be done by openssl as well,
but in that case you should edit the openssl.cnf file, to use the webserver template, so I used the IIS,
to generate a request, and only signed that with the openssl.
To do this start the IIS management console Startmenu \ control panel \ Administrative tools
Sign the certificate request:

openssl ca -policy policy_anything -config openssl.cfg -cert
ca.cer -in request1.txt -keyfile ca.key -days 360 -out iis1.cer
type the password of your ca.key file
Open a command prompt, and convert the cer and pfx file to the format required by stunnel:
cd \OpenSSL-Win32\bin
openssl x509 -inform der -in iis1.cer -out iis1.pem
openssl pkcs12 -in iis1.pfx -out iis1.key -nodes -nocerts
Enter Import Password:
copy iis1.pem "c:\Program Files\stunnel"

copy iis1.key "c:\Program Files\stunnel"
Start the Stunnel to listen on port 6789 and forward what it get to 192.168.168.101:1234
After it we should create two config files for the Stunnel, the first on the machine where the chat
server runs save save it to the (c:\Program Files\stunnel).
stunnel.conf:
fips = no
cert = iis1.pem
key = iis1.key
[mylistener]
accept = 6789
connect = 192.168.168.101:1234
Then we must start the stunnel:
stunnel.exe
then check, if it really listens on port 6789
netstat /na
search for the next line:
TCP 0.0.0.0:6789 0.0.0.0:0 LISTENING
Also the two Stunnel icon must be seen next to the clock on the notification area.
We should create another conf file for the other machine (because our sample application is quite
simple, we should allow all chiphers, including the anonymous ones):
stunnel.conf:
ciphers = ALL:eNULL
fips = no
[masik]
client = yes
accept = 1234
connect = 127.0.0.1:9999
Start the stunnel:
stunnel.exe
then check, if it really listens on port 1234

netstat /na
search for the next line:
TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING
Encrypted traffic
chatclient.exe
Stunnel at 0.0.0.0:9999 („chatserver“)

chatclient.exe
Decrypted traffic. We watch it
with network monitor. We send it
Stunnel at 0.0.0.0:1234
to other machine, because most
(„chatserver“)
network monitor not capable to
listen at 127.0.0.1
Real chatserver 0.0.0.0::9999
Machine 1 Machine 2
Start the chatserver at machine 1:
now start the wireshark, to captore the traccic toing to or comming from the tcp port 1234:
Start the client application at two machines, and send some text from one to the other.
The stop the capture, and close the chat clints and server. We will capture the uncrypted data.
But as we can see the wireshark does not understand our protocol. In this way it is quite difficult, to
analyze what is going on. So our first task (it is not mandatory, just makes our later job easier). To
use the wireshark we should write a custom dissector. It can be written in C or in LUA languages.
Now we will do it in LUA, because that is a bit easier than the C.
Communication flow between the client and server
Process of connection
Client Server
4 byte size of message little endian

Header
1 byte message type (0x01)
4 byte version little endian

2 byte username offset little endian
Message
? byte MAGIC value string
? byte User Name string

Header
4 byte flags little endian (1 accept, 0 reject)

Message
4 byte PeerID little endian
Client message sending
Client Server

Header
4 byte message length little endian
? byte message string
4 byte senderID little endian

4 byte TargetID little endian
Message
4 byteMetadata Size little endian
4 byteFlags
4 byte Color little endian
4 byte Font Size little endian
8 byte Time little endian

Header
4 byte flags little endian (1 accept, 0 reject) Message

Server message delivery
Client Server

Header
4 byte message length little endian
? byte message string
4 byte senderID little endian

4 byte TargetID little endian
Message
4 byteMetadata Size little endian
4 byteFlags
4 byte Color little endian
4 byte Font Size little endian
8 byte Time little endian

Header

Server Send Satus
Client Server

Header
4 byte Number of client blocks little endian
4 byte User Name length little endian
4 byte ClientID little endian
Message
4 byte User Name length little endian
4 byte ClientID little endian

Header

Creation of LUA script
Protocol creation
To create a dissector first we must register a new protocol to the wireshark. To do it we create a
Protocol object. It requires two input parameters, a protocol name, and a description. Also we can
define the fields of the protocol for filtering an other purposes. I did not need it so I left the field list
empty. It is done by the next two lines, it will be the first two lines of our dissector:
p_myproto = Proto ("myproto","MY Potocol")

p_myproto.fields = {}
init function
If we create a protocol we must define two functions the init function, and the dissector function.
The init function is called once when the protocol first called, and it has no input parameters. Now I
do not want to do anything at the initialization state so it will be an empty function, and it remains
that:
function p_myproto.init()
end
Dissector Function
The dissector function has three input variables, the packet itself, now I will call it as buf. The
packet metadata now I will call it as pkt. And finally the root shows, where are we in the protocol
tree.
function p_myproto.dissector (buf, pkt, root)

end
Register Protocol
After created we should register the protocol in wireshark. We will register it to the TCP port 8000
because I started to use that one to see the decrypted traffic. Before we register our protocol to that
port we save the original protocol connected to that TCP port (most probably there is nothing, and
we do not want to use it, but who knows what need later, better to have it). It can be done with the
next code segment:
local tcp_dissector_table = DissectorTable.get("tcp.port")

original_dissector = tcp_dissector_table:get_dissector(1234)
tcp_dissector_table:add(1234, p_myproto)
Whole Code at this milestone
the code until this point looks like as:

end
end
Open the LUA console, by clicking the Tools \ LUA \ Evaluate
Copy the code, then click to the evaluate button

The evaluate LUA window change:
This script does not do anything yet, so we can start to develop the dissector part.
set protocol name
Set the protocol name to our protocols name in the Protocol column
pkt.cols.protocol = p_myproto.name
Write the dissector

First we initialize some variable necessary to us. We define an actualpos variable, what shows us
from which position we want to decode the packet. It need because more then one message can be
sent in one packet, if the TCP stack or openssl compacts the messages. At first we start from 0
position so the initial value of it should be 0. Then we create a branch represents our protocol,
because we do not want to pour everything into the root. It is done by root:add command. Now we
do not give it description and the buf(0) without length means all data in the packet.
actualpos=0
outertree = root:add(p_myproto, buf(0))
now we can start to analyze the packet. The header length is 5 bytes so we start a cycle until there is
more than 5 byte unprocessed data in the packet.
while (buf:len()-actualpos) > 5 do

end
cycle to analyze the actual part of the packet

• we define a length variable, and set it to 0, we will store the length of the message in it.
• Define a cmdstr variable, it will contain the type of the message. We give it a default value "
= UNKNOWN"
• Define a cmd variable, it contains the message type in numerical format. The message type
can be read from the fourth byte and it has one bytes length the :uint() convert it to number.
• the length can be read from the 0 position and it is a 4 byte little endian number, the
:le_uint() converts it to number
length=0
cmdstr = " = UNKNOWN"
cmd=0
cmd = buf(actualpos+4,1):uint()
length = buf(actualpos+0,4):le_uint()
Now we should check if there is every data in the buffer (the TCP can break the data to more
packets, and it may be only a part of it). If the length in the packet is more than the remaining part
of the packet then we should read the next packet as well. To do it we set the pkt. desegment_offset
to the actual position because we want to continue the dissection process from that position. And we
tell in the pkt.desegment_len variable how many bytes missing. Then we return, and pass back the
pkt structure, to sign to the wireshark we want to read more data.
if length > buf:len()-actualpos-5 then

pkt.desegment_offset = actualpos
pkt.desegment_len = length - (buf:len()-actualpos-5)
return pkt
end
We create a new branch within our tree to this message. It is done by the outertree:add command,
the outertree variable stores our subtree created not long ago, it will contain our protocol, and it
represents the bytes from actual position till the end of the message we must add 5 because the
message size does not contains the header size what 5 bytes. Then within this branch we create a
leaf by the subtree:add command. The first four bytes represent the length of the message and as
description we give it “Length: “ concatenated with the length we read (the two points are
concatenation)
subtree = outertree:add(p_myproto, buf(actualpos,length+5))

subtree:add(buf(actualpos+0,4)," Length: " .. length)
unfortunately there is no case in LUA so we must examine the value of cmd by lot of ifs to print out
the internal message structure based on the message type.
- We check if the value of cmd is 0x01 what means Client Connect Request.
- We set the cmdstr to “ Client Connect Request”
- add a new leaf 1 bytes from the position 4 represents the command, we highlight it, and type as
description the byte code of the message, and the meaning of it. As we already know this type of
message contains the following fields:
-- Version 4 bytes number,
-- offset of the username 2 bytes little endian data,
-- magic value a string,
-- username string starts from the offset position was given in the offset
if cmd == 0x01 then

cmdstr = " Client Connect Request"
subtree:add(buf(actualpos+4,1)," Command : " .. cmd ..
cmdstr)
subtree:add(buf(actualpos+5,4)," version : " ..
buf(actualpos+5,4):le_uint())
offset = buf(actualpos+9,2):le_uint()
subtree:add(buf(actualpos+9,2)," username offset : " ..
offset)
subtree:add(buf(actualpos+11,offset-6)," Magic : " ..
buf(actualpos+11,offset-6):string())
subtree:add(buf(actualpos+5+offset,length-offset)," Username
: " .. buf(actualpos+5+offset,length-offset):string())
end
Finally we add to the outer subtree the message type to be nicer, and we move the actualpos to the
end of this block.
subtree:append_text(cmdstr)
actualpos=actualpos+5+length
The whole script until now

end
actualpos=0
length=0
cmd=0
return pkt
end
if cmd == 0x01 then
cmdstr)
offset)
end
end
end
Now save the previous capture, and restart the wireshark. Then evaluate this LUA script as already
described. Then load the previously saved capture.
Now when you check the first packet you can see, instead of the previous TCP data the meaning of
the different bytes are nicely visible.
extend the dissector with missing packet types
if cmd == 0x02 then

cmdstr = " Server Connect Response"
cmdstr)
subtree:add(buf(actualpos+5,4)," flags : " ..
subtree:add(buf(actualpos+9,4)," PeerID : " ..
end
if cmd == 0x10 then

cmdstr = " Client Send Message"
cmdstr)
messagelength = buf(actualpos+5,4):le_uint()
subtree:add(buf(actualpos+5,4)," message Length : " ..
messagelength)
subtree:add(buf(actualpos+9,messagelength)," Message : " ..
buf(actualpos+9,messagelength):string())
subtree:add(buf(actualpos+9+messagelength,4)," SenderID :
" .. buf(actualpos+9+messagelength,4):le_uint())
subtree:add(buf(actualpos+13+messagelength,4)," TargetID : "
.. buf(actualpos+13+messagelength,4):le_uint())
subtree:add(buf(actualpos+17+messagelength,4)," MetadataSize
: " .. buf(actualpos+17+messagelength,4):le_uint())
subtree:add(buf(actualpos+21+messagelength,4)," Flags : " ..
buf(actualpos+21+messagelength,4):le_uint())
subtree:add(buf(actualpos+25+messagelength,4)," Color : " ..
subtree:add(buf(actualpos+29+messagelength,4)," FontSize : "
subtree:add(buf(actualpos+33+messagelength,8)," Time : " ..
buf(actualpos+33+messagelength,8):le_uint64())
end
if cmd == 0x20 then
cmdstr)
messagelength)
end
The whole script

end
actualpos=0
length=0
cmd=0
return pkt
end
if cmd == 0x01 then
cmdstr)
offset)
end
if cmd == 0x02 then
cmdstr = " Server Connect Response"
cmdstr)
subtree:add(buf(actualpos+5,4)," flags : " ..
subtree:add(buf(actualpos+9,4)," PeerID : " ..
end
if cmd == 0x10 then
cmdstr)
messagelength)
end
if cmd == 0x20 then
cmdstr)
messagelength)
end
end
end
fuzzing
Autogenerate the datamodel by struct2peach
To create the whole datamodel from nothing can be a bit time consuming, but fortunately the peach
fuzzer has a small tool at the C:\peach\tools directory called struct2peach.pl, what is able to create
the data models from a C++ header file. Of course this have some limitations:
• The struct2peach does not handle the enum type fields.

• The data model logic for example that one filed is the size of a block, or offset of some data
block is not described in the header file, so it will not be in the created model obviously, it
must be added manually.
• If non standard data types are used the perl code should be modified, to handle them (see a
bit later)
We need the following command:
cd c:\peach\tools
struct2peach.pl little < c:\test\test\mychatsrv.h > out.xml
Autogenerate the datamodel by peachshark
Another method what is effective, if we want to fuzz data included in one network packet. In this
case we can export the packet from wireshark in xml format, and use the peachshark included in the
peach fuzzer, to generate the data model from it. It requires that, the wireshark should have a
dissector to the protocoll (but we just created one, so it is fine now). See an example to this as well.
We already captured a traffic when the client sent message. It was the 18th packet, and our dissector
compiled shows the details of it.
now select the file \ export \ file command
in the next window select the place where you want to save the packet, the format should be PDML
XML packet detail, and it should contain only ONE packet, because the peachshark is only capable
to decode one packet a time. And select "selected packet" Packet Range.
Open the exported pdml (xml) file, you will see something like this:
from here you can read the name of the protocol we want to create the datamodel from is the
"myproto" (we already knew it, because we created the dissector, but we checked it to be sure).
Now use the following command, to create the datamodel:
peach --analyzer=shark.WireSharkAnalyzer in=out2.pdml

out=pdml_pit.xml proto=myproto
Create the peach .xml file
We want to simulate us a bad client tries toattack the other clients and server. In drawing it is the
following:
Encrypted traffic
Stunnel at chatclient.exe
0.0.0.0:9999
(„chatserver“) WinDBG
Dencrypted traffic
Peach agent
Peach fuzzer
WinDBG
Stunnel at Real chatserver 0.0.0.0::9999

0.0.0.0:1234
(„chatserver“)
Machine 1 Machine 2
Because we have a lot of different packets we will use the file generated by the struct2peach. It
looks like as:
<?xml version="1.0" encoding="utf-8"?>

<Peach version="1.0" author="struct2peach"
description="Autogenerated from header files">


<Include ns="default" src="file:defaults.xml" />

<Include ns="pt" src="file:PeachTypes.xml" />

<DataModel name="ChatClientStatusAck">


</DataModel>
<DataModel name="ChatClientSendMsgFoot">

<Number name="SenderID" size="32" endian="little"
signed="true" />

<Number name="TargetID" size="32" endian="little"
signed="true" />

<Number name="MetadataSize" size="32" endian="little"
signed="true" />



<Number name="Color" size="32" endian="little"
signed="true" />

<Number name="FontSize" size="32" endian="little"
signed="true" />


</DataModel>
<DataModel name="ChatClientDeliverAck">
</DataModel>
<DataModel name="ChatServerStatusMsg">


signed="true" />
</DataModel>
<DataModel name="ChatServerDeliverMsgFoot">
signed="true" />
signed="true" />
signed="true" />
signed="true" />
signed="true" />

</DataModel>
<DataModel name="ChatServerConnectResponse">



<Number name="PeerID" size="32" endian="little"
signed="true" />
</DataModel>
<DataModel name="ChatClientConnectRequest">

<Number name="ClientVer" size="32" endian="little"
signed="true" />


</DataModel>
<DataModel name="ChatServerDeliverMsgHead">

<Number name="MsgLength" size="32" endian="little"
signed="true" />
</DataModel>
<DataModel name="ChatClientSendMsgHead">

signed="true" />
</DataModel>
<DataModel name="ChatServerSendAck">
</DataModel>
<DataModel name="ChatHeader">

<Number name="MsgSize" size="32" endian="little"
signed="true" />


</DataModel>

</Peach>
The result looks like as follows:

<datamodel name="something">

<translated line>
...
</datamodel>
So we always see the original line in the header file, and the translated line. Sometimes we can find
something like:
<datamodel name="something">


...
</datamodel>
it means, that data type is not a nativ C data type, so it is not included in the struct2peach, so it
could not translate it. We has to do it by hand, and we shouldadd the logical connections between
the elements.
To demonstrate this process I describe in detail how the "ChatClientSendMsgFoot" datamodel

should be modified. First of all, I recommend to copy the c:\peach\template.xml as a new file for
example chat.xml.
Now open a command line, and enter to the peach directory, then test the chat.xml file:
cd c:\peach
peach -t chat.xml
As we can see we get a nice error message. First we correct the peach file, to be able to test, if we
do any systax error.
We should find the

<Test name="The Test">
element and within that find the
<Publisher class=""/>
Then modify it to:
<Publisher class="tcp.Tcp">
<Param name="host" value="192.168.168.101"/>
<Param name="port" value="1234"/>
</Publisher>
Now we will not got any error message:

Create the datamodel
Now we will start to do the datamodel.
Then copy the original version inside it after the <datamodel name="thedatamodel">...</datamodel
section>. I recommend it, because now if you have a good xml editor the schema is validated, and
it helps you in the typing. You will get something like:

<Peach xmlns="http://phed.org/2008/Peach"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://phed.org/2008/Peach
/peach/peach.xsd">
<Include ns="default" src="file:defaults.xml"/>

<DataModel name="TheDataModel">
<String value="Hello World!" />
</DataModel>
signed="true" />
signed="true" />
signed="true" />
signed="true" />
signed="true" />

</DataModel>

<StateModel name="TheState" initialState="Initial">
<State name="Initial">
<Action type="output">
<DataModel ref="TheDataModel"/>

</Action>
</State>
</StateModel>

<Agent name="TheAgent">
</Agent>
<Test name="TheTest">


<StateModel ref="TheState"/>

<Publisher class="" />


</Test>

<Run name="DefaultRun">

<Logger class="logger.Filesystem">
<Param name="path" value="logs"/>
</Logger>
<Test ref="TheTest"/>
</Run>
</Peach>

As we can see the MsgTime, and the Flags has unknown data types, so correct those ones, and
delete the unnecessery comment line. The MsgTime is 8 bytes (64 bit) long. So we can write it as:
<Number name="MsgTime" size="64" endian="little" signed="true" />
The flags are 4 byte (32 bit) long, so it can be written as:
<Number name="Flags" size="32" endian="little" signed="true" />
Now this part looks like as:
<Number name="SenderID" size="32" endian="little" signed="true" />
<Number name="TargetID" size="32" endian="little" signed="true" />
signed="true" />
<Number name="Color" size="32" endian="little" signed="true" />
<Number name="FontSize" size="32" endian="little" signed="true" />
</DataModel>
We know from the protokoll diagram, the "MetadataSize" is nothing else, but the size of the next
four elements (flags, color, fontsize, and msgtime) together. To be able to add the size reference we
shuold put these four elements into a block, then the model will change to:
signed="true" />
<Number name="FontSize" size="32" endian="little" signed="true" />
</DataModel>
This part is modified as:
signed="true">
<Relation type="size" of="Metadata"/>
</Number>
<Block name="Metadata">
signed="true" />
<Number name="MsgTime" size="64" endian="little"
signed="true" />
</Block>
</DataModel>
One might recognized, we just defined the Flags as a simple 4 byte (32 bit) integer value, but in
reality those are flags, so every bit has some meaning. The meaning itself is defined in the header
file (in the MsgFlags type). The question, if we want to define the meaning of every bit, or
enough, to handle the flags as a four byte number. It depends on your decision. I write that version
as well:
signed="true">
</Number>
<Flags name="Flags" size="32" endian="little">
<Flag name="colorincluded" size="1" position="0"></Flag>
<Flag name="fontsizeincluded" size="1" position="1"></Flag>
<Flag name="timeincluded" size="1" position="2"></Flag>
</Flags>
signed="true" />
</Block>
</DataModel>
If you similarly copy and modify all the datamodels you by in the struct2peach you will get
something like the next chat.xml file:

/peach/peach.xsd">
</DataModel>
signed="true" />
<Number name="MsgType" size="8" signed="false"></Number>
</DataModel>
<DataModel name="ChatServerSendAck">
<Flags name="AckFlags" size="32" endian="little">
<Flag name="accept" size="1" position="0"></Flag>
</Flags>
</DataModel>
<DataModel name="ChatServerConnectResponse">
</Flags>
<Number name="PeerID" size="32" endian="little"
signed="true" />
</DataModel>
<DataModel name="ChatClientConnectRequest">
<Number name="ClientVer" size="32" endian="little"
signed="true" />
<Number name="UsernameOffset" size="16" endian="little"
signed="true">
<Relation type="offset" of="UserName"/>
</Number>
<String name="Magic" value="CHAT" nullTerminated="false"
type="char"></String>
<String name="UserName" nullTerminated="false"
</DataModel>
signed="true" />
</DataModel>
signed="true" />
signed="true" />
signed="true">
</Number>
<Flag name="fontsizeincluded" size="1"
position="1"></Flag>
</Flags>
<Number name="Color" size="32" endian="little" signed="true"
/>
signed="true" />
signed="true" />
</Block>
</DataModel>
signed="true" />
</DataModel>
signed="true" />
signed="true" />
signed="true">
</Number>
</Flags>
/>
signed="true" />
signed="true" />
</Block>
</DataModel>
<DataModel name="ChatClientStatusAck">
</Flags>
</DataModel>
<DataModel name="ChatClientDeliverAck">
</Flags>
</DataModel>
<DataModel name="ChatServerStatusMsg">
<Flags name="ServerStatusFlags" size="32" endian="little">
</Flags>
signed="true" />
</DataModel>

</Action>
</State>
</StateModel>
</Agent>
</Publisher>
</Test>
</Logger>
</Run>
</Peach>

Now we let us think over what we have done until now. We created all the data models separately,
but in the commonication flow we see that, some of them are connetced. The best example is the
header. It is at the beginning of every sent or received packet. We can copy the ChatHeader
datamodel to the beginning of every other datamodel, but that is obviously a very inefficient
solution, if something chages the modification will be difficult. So we do something else. We can
reference in a datamodel to another one, then the content of the referenced thatamodel will be
included in the new one, and obviously new elements can be added, or existing in the referenced
one could be overdefined. I do again the ChatClientSendMsgFoot as an example.
Copy the ChatHeader datamodel, and let us start to modify (we copy it, because we will need
sometimes the not modified version, as I will show)
<Number name="MsgSize" size="32" endian="little" signed="true" />
</DataModel>
Now modify it. First rename it to ChatHeaderWithBlock. Then add to the end of it a new Block
element, After it we are able to add the logical constraint, the MsgSize should be equal to the size of
the MsgData:
<DataModel name="ChatHeaderWithBlock">
<Number name="MsgSize" size="32" endian="little" signed="true">
<Relation type="size" of="MsgData" />
</Number>
<Block name="MsgData">
</Block>
</DataModel>
As we can see the MsgData block is left empty. Obviously, because it will contain different element
in different cases.
Now Create a new ChatClientSendMsg datamodel (we have a ChatClientSendMsgHead, and

ChatClientSendMsgFoot model, because in the header file it was divided to two parts), Then add
this new ChatHeaderWithBlock to the ChatClientSendMsg datamodel as reference. Within this new
datamodel we define a block, and the content of it shoud be the content of
ChatClientSendMsgHead datamodel, so we simply add it as a reference. But in the
ChatClientSendMsgHead there is a number, and that number should be the size of the Message,
what we are going to define only now, so we must overdefine it. Also we should add the string
contains the message, and we should add the Foot Block, it should contain the
ChatClientSendMsgFoot, so we add it as reference. There is one more, but a crutial point, in the
ChatHeaderWithBlock there is block called MsgData, and we should add all these new elements
into that Block, because the MsgSize should containt the size of the message. The addition of an
element to a referenced datamodel is very easy, you only should name it properly. The name must
be in the format parentobject.elementname. From this one can deduce, the name tag otherwise must
not contain the point as a valid character, we can use it only in case of referencing. We will get
something like:
<DataModel name="ChatClientSendMsg" ref="ChatHeaderWithBlock">

<Block name="MsgData.Head" ref="ChatClientSendMsgHead">
signed="true">
<Relation type="size" of="MsgData.Message"/>
</Number>
</Block>
<String name="MsgData.Message" nullTerminated="false"
<Block name="MsgData.Foot" ref="ChatClientSendMsgFoot">
</Block>
</DataModel>
Again I recommend to test it after the modification, it helps to find if one do a syntax or other error.
After the modification of the other datamodels the chat.xml file looks like about this:

/peach/peach.xsd">
</DataModel>
<Number name="MsgSize" size="32" endian="little" signed="true"
/>
</DataModel>
signed="true">
</Number>
</Block>
</DataModel>
<DataModel name="ChatServerSendAck" ref="ChatHeaderWithBlock">

<Flags name="MsgData.AckFlags" size="32" endian="little">
</Flags>
</DataModel>
<DataModel name="ChatServerConnectResponse"
ref="ChatHeaderWithBlock">
</Flags>
<Number name="MsgData.PeerID" size="32" endian="little"
signed="true" />
</DataModel>
<DataModel name="ChatClientConnectRequest"
<Number name="MsgData.ClientVer" size="32" endian="little"
signed="true" />
<Number name="MsgData.UsernameOffset" size="16"
endian="little" signed="true">
</Number>
<String name="MsgData.Magic" value="CHAT"
nullTerminated="false" type="char"></String>
<String name="MsgData.UserName" nullTerminated="false"
</DataModel>
signed="true" />
</DataModel>
signed="true" />
signed="true" />
signed="true">
</Number>
</Flags>
/>
signed="true" />
signed="true" />
</Block>
</DataModel>
signed="true">
</Number>
</Block>
</Block>
</DataModel>
signed="true" />
</DataModel>
signed="true" />
signed="true" />
signed="true">
</Number>
</Flags>
/>
signed="true" />
signed="true" />
</Block>
</DataModel>
<DataModel name="ChatServerDeliverMsg"
<Block name="MsgData.Head" ref="ChatServerDeliverMsgHead">
signed="true">
</Number>
</Block>
<Block name="MsgData.Foot" ref="ChatServerDeliverMsgFoot">
</Block>
</DataModel>
<DataModel name="ChatClientStatusAck" ref="ChatHeaderWithBlock">

</Flags>
</DataModel>
<DataModel name="ChatClientDeliverAck"
</Flags>
</DataModel>
<DataModel name="ChatServerStatusMsg" ref="ChatHeaderWithBlock">

<Flags name="MsgData.ServerStatusFlags" size="32"
endian="little">
</Flags>
<Number name="MsgData.TargetID" size="32" endian="little"
signed="true" />
</DataModel>

</Action>
</State>
</StateModel>
</Agent>
</Publisher>
</Test>
</Logger>
</Run>
</Peach>

Create the state model
Now we finished the datamodels so we can start to create the state model. It controls the order of
messages we send and receive.
We can create a lot of different state model depending on which part of the communication we want
tot test. First we creaete a simple state model to fuzz only the connection request, and later we
extend it.
The connection is quite easy, we just do the TCP connection, and after that we send a
ChatClientConnectRequest message. And this is all, practically we are even not interested about the
answer of the server. If there is any error it will freeze, what we will detect by the debugger..
To do it we write the following state model:

<Action type="connect"></Action>
<DataModel ref="ChatClientConnectRequest"/>
</Action>
</State>
</StateModel>
Create the Agent
The job of the agent is to monitor the server, and the other client, what is a real one. To do a clear
test we want to restart both the server and the real client at every test circle. Because of it we have
to use the process.Process monitor class (the debugger.WindowsDebugEngine monitor is also
capable to start a new process, if you give it the CommandLine parameter, but that is not capable to
restart the process for every test circle).
We should start the server process, then the client process, it means two monitosr, then we should
attach to the started processes by the debugger.WindowsDebugEngine monitor. It can be done on
the following way:
If we want to monitor the Heap in more detail then we can use the process.PageHeap monitor as
well, I added it to this example too.
The agent definition looks like as follows:
<Monitor class="process.Process">
<Param name="Command" value="C:\test\Release\server.exe"/>
<Param name="RestartOnEachTest" value="true"/>
</Monitor>
<Monitor class="debugger.WindowsDebugEngine">
<Param name="ProcessName" value="Server.exe"/>
</Monitor>
<Monitor class="process.PageHeap">
<Param name="Executable" value="Server.exe"/>
</Monitor>
<Param name="Command" value="C:\test\Release\Client.exe"/>
</Monitor>
<Param name="ProcessName" value="Client.exe"/>
</Monitor>
<Param name="Executable" value="Client.exe"/>
</Monitor>
</Agent>
Create the Test section
The last step is to create the test itself, it does nothing else, but start to call the previously defined
state model, and use the Agent. The default written in the template.xml is almost good, the only
thing we should do is to enable the usage of the agent
This section looks like as follows:
<Agent ref="TheAgent"/>
</Publisher>
</Test>
Create the Run section
This is the last part of the xml file, if one want to modify the logging behaviour, shold modify it, for
me now the default in the template.xml is good, so I do not modify it.
Whole chat.xml file

/peach/peach.xsd">
</DataModel>
<Number name="MsgSize" size="32" endian="little" signed="true"
/>
</DataModel>
signed="true">
</Number>
</Block>
</DataModel>
<DataModel name="ChatServerSendAck" ref="ChatHeaderWithBlock">

</Flags>
</DataModel>
<DataModel name="ChatServerConnectResponse"
</Flags>
<Number name="MsgData.PeerID" size="32" endian="little"
signed="true" />
</DataModel>
<DataModel name="ChatClientConnectRequest"
<Number name="MsgData.ClientVer" size="32" endian="little"
signed="true" />
<Number name="MsgData.UsernameOffset" size="16"
endian="little" signed="true">
</Number>
<String name="MsgData.Magic" value="CHAT"
nullTerminated="false" type="char"></String>
<String name="MsgData.UserName" nullTerminated="false"
</DataModel>
signed="true" />
</DataModel>
signed="true" />
signed="true" />
signed="true">
</Number>
</Flags>
/>
signed="true" />
signed="true" />
</Block>
</DataModel>
signed="true">
</Number>
</Block>
</Block>
</DataModel>
signed="true" />
</DataModel>
signed="true" />
signed="true" />
signed="true">
</Number>
</Flags>
/>
signed="true" />
signed="true" />
</Block>
</DataModel>
<DataModel name="ChatServerDeliverMsg"
<Block name="MsgData.Head" ref="ChatServerDeliverMsgHead">
signed="true">
</Number>
</Block>
<Block name="MsgData.Foot" ref="ChatServerDeliverMsgFoot">
</Block>
</DataModel>
<DataModel name="ChatClientStatusAck" ref="ChatHeaderWithBlock">

</Flags>
</DataModel>
<DataModel name="ChatClientDeliverAck"
</Flags>
</DataModel>
<DataModel name="ChatServerStatusMsg" ref="ChatHeaderWithBlock">

<Flags name="MsgData.ServerStatusFlags" size="32"
endian="little">
</Flags>
<Number name="MsgData.TargetID" size="32" endian="little"
signed="true" />
</DataModel>

<DataModel ref="ChatClientConnectRequest"/>
</Action>
</State>
</StateModel>
<Param name="Command" value="C:\test\Release\server.exe"/>
</Monitor>
<Param name="ProcessName" value="Server.exe"/>
</Monitor>
<Param name="Executable" value="Server.exe"/>
</Monitor>
<Param name="Command" value="C:\test\Release\Client.exe"/>
</Monitor>
<Param name="ProcessName" value="Client.exe"/>
</Monitor>
<Param name="Executable" value="Client.exe"/>
</Monitor>
</Agent>
<Agent ref="TheAgent"/>
</Publisher>
</Test>
</Logger>
</Run>
</Peach>

Run the fuzzer
Start the peach fuzzer in agent mode. It can be done by the

Then start the fuzzer
Then wait.
Fuzz the message sending
This state model fuzz only the login process of the chat client, but most probably we want to fuzz as
the client sends the message.
To do it we mnodify the state model. After we sent the ChatClientConnectRequest we should wait
for a ChatServerConnectResponse packet.
When we got the ChatServerConnectResponse packet we should check in it, if the server accepted
the connect request or not. If not we should go to the end, and start a new test cycle. If the server
accepted the connection we should send a message. To do it we should examine the received packet.
It can be done by the changestate action. This action jumps to another state, and it has a when
attribute, where we can write the condition of the jump.
But to jump to another state we should define more states. Now I define the following one:
• Initial: it will do the TCP connection, and immediately after the commection jump to the
next (doconnection) state without any condition:
<Action name="changetodoconnection" type="changeState"
ref="doconnection"></Action>
</State>
• doconnection: this state will send the ChatClientConnectRequest. To be able to really

connect we must define acceptable default data, it can be done by the data element. Then in
this state we wait for the ChatServerConnectResponse data type. After we got it we should
examine the content, now need the changestate, and the condition. In one condition we
examine if we got a ServerConnectResponse packet. If not we jump to the last state (End).
Otherwise we examine the next condition, if the server accepted our connection attempt, if
not we jump again to the last state (End). And finally (non of the previous comditions were
true) we jump to the next state (dosendmessage)
<State name="doconnection">
<DataModel ref="ChatClientConnectRequest">
</DataModel>
<Data DataModel="ChatClientConnectRequest">
<Field name="MsgType" value="0x01" valueType="hex"/>
<Field name="MsgData.ClientVer" value="0x00000001"
valueType="hex"/>
<Field name="MsgData.Magic" value="CHAT"/>
<Field name="MsgData.UserName" value="USER00"/>
</Data>
</Action>
<Action name="ReceiveServerConnectResponse" type="input">
<DataModel ref="ChatServerConnectResponse"/>
</Action>
<Action name="CheckIfServerConnectResponse" type="changeState"
ref="End" when="int(StateModel['doconnection']
['ReceiveServerConnectResponse']['ChatServerConnectResponse']
['MsgType'].getInternalValue()) != 2"></Action>
<Action name="CheckIfConnectionRejected" type="changeState"
['MsgData']['AckFlags']['accept'].getInternalValue()) !=
1"></Action>
<Action name="changetodosendmessage" type="changeState"
ref="dosendmessage"></Action>
</State>
• dosendmessage: we must create the the message, but again we have a probem, the server
just sent us a peerID, and we should set the senderID exactly to this value. To do this we use
another action type, what is called slurp. This element is capable to copy a value from one
element to another element. In case of slurp one must define the source, and the destination
in the format of //State//actionname//valuename. If the valuename contains point ve shoud
separate those.instead of point by a // (practically we should define the path to the element
we want to copy and every level is separated by //).
<State name="dosendmessage">
<Action type="slurp"
valueXpath="//doconnection//ReceiveServerConnectResponse//MsgData/
/PeerID" setXpath="//doChatClientSendMsg//SenderID" />
<Action name="doChatClientSendMsg" type="output">
<DataModel ref="ChatClientSendMsg"></DataModel>
<Data DataModel="ChatClientSendMsg">
</Data>
</Action>
ref="End"></Action>
</State>
• End: this is the last state, it close the TCP connection, and we can step to the next iteration
<State name="End">
<Action type="close"></Action>
</State>
All these these modifications together will give the next state model:

<Action name="changetodoconnection" type="changeState"
ref="doconnection"></Action>
</State>
<State name="doconnection">
<DataModel ref="ChatClientConnectRequest">
</DataModel>
<Data DataModel="ChatClientConnectRequest">
<Field name="MsgData.ClientVer" value="0x00000001"
valueType="hex"/>
<Field name="MsgData.Magic" value="CHAT"/>
<Field name="MsgData.UserName" value="USER00"/>
</Data>
</Action>
<Action name="ReceiveServerConnectResponse" type="input">
<DataModel ref="ChatServerConnectResponse"/>
</Action>
<Action name="CheckIfServerConnectResponse" type="changeState"
['MsgType'].getInternalValue()) != 2"></Action>
<Action name="CheckIfConnectionRejected" type="changeState"
['MsgData']['AckFlags']['accept'].getInternalValue()) !=
1"></Action>
ref="dosendmessage"></Action>
</State>
<State name="dosendmessage">
<Action type="slurp"
valueXpath="//doconnection//ReceiveServerConnectResponse//MsgData/
/PeerID" setXpath="//doChatClientSendMsg//SenderID" />
<Action name="doChatClientSendMsg" type="output">
<DataModel ref="ChatClientSendMsg"></DataModel>
<Data DataModel="ChatClientSendMsg">
</Data>
</Action>
ref="End"></Action>
</State>
<State name="End">
<Action type="close"></Action>
</State>
</StateModel>

Advanced Fuzzing

Uploaded by

Copyright:

Available Formats

Advanced Fuzzing

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Advanced Fuzzing

Uploaded by

Copyright:

Available Formats

Table of Content

Write the sample application................................................................................................................2

Create a new project

Select the Win32 \ Win32 project, and give it a name

on the welcome screen of the wizard click to the next button

Click to the OK button

On the Welcome screen click to the next button

First we capture the traffic, to see the communication

Stunnel at 0.0.0.0:9999 („chatserver“)

Real chatserver 0.0.0.0::9999

Create a key to your certificate server:

answer to the questions aproprietry

openssl x509 -in ca.cer -outform DER -out ca.der

Create an empty file called c:\OpenSSL-Win32\bin\demoCA\index.txt

Start an mmc console

select file \ add Remove snapin:

then click to the ok button

on the welcome screen of the import wizard click to next button:

click to the browse button:

Then click to the finis button

The root certificate will be added:

Create a server certificate

Sign the certificate request:

type the password of your ca.key file

copy iis1.pem "c:\Program Files\stunnel"

Then we must start the stunnel:

then check, if it really listens on port 6789

search for the next line:

TCP 0.0.0.0:6789 0.0.0.0:0 LISTENING

Start the stunnel:

then check, if it really listens on port 1234

search for the next line:

TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING

Stunnel at 0.0.0.0:9999 („chatserver“)

Real chatserver 0.0.0.0::9999

Start the chatserver at machine 1:

4 byte size of message little endian

4 byte version little endian

4 byte size of message little endian

4 byte flags little endian (1 accept, 0 reject)

4 byte size of message little endian

4 byte message length little endian

? byte message string

4 byte senderID little endian

4 byte size of message little endian

4 byte flags little endian (1 accept, 0 reject) Message

4 byte size of message little endian

4 byte message length little endian

? byte message string

4 byte senderID little endian

4 byte size of message little endian

4 byte flags little endian (1 accept, 0 reject) Message

4 byte size of message little endian

4 byte Number of client blocks little endian

4 byte User Name length little endian

? byte User Name string

4 byte ClientID little endian

4 byte User Name length little endian

? byte User Name string