[Original] File Fuzz Tutorial Part 2: Peach Grammar in Practice
Posted on: 2013-7-31 16:45 9395

As the title says.
Second part of the file fuzzing tutorial series.

File Fuzz Tutorial Part 2: Peach Grammar in Practice
Author: dragonltx

After the introduction in Part 1, everyone should have a general grasp of Peach grammar; this article puts that grammar to use on real file formats.

Example 1

typedef union {
    uint32 ctype <format=hex>;  // Chunk Type
    char   cname[4];            // character representation
} CTYPE;

typedef struct {
    uint32 length;              // Number of data bytes (not including length, type, or crc)
    CTYPE  type;                // Type of chunk
    ubyte  data[length];        // Data (or not present)
    uint32 crc <format=hex>;    // CRC of type and data (not including length or crc)
} CHUNK;

<Block name="Chunk" minOccurs="1" maxOccurs="1024">
    <Number name="Length" size="32" endian="big" signed="false">
        <Relation type="size" of="Data" />
    </Number>
    <!-- The CRC covers the 4-byte type followed by the data, so both sit in the block the
         Fixup references; CTYPE is a 4-byte union, so the model has no separate cname field -->
    <Block name="TypeAndData">
        <Blob name="Type" length="4" mutable="false"/>
        <Blob name="Data" />
    </Block>
    <Number name="CRC" size="32" endian="big">
        <Fixup class="checksums.Crc32Fixup">
            <Param name="ref" value="TypeAndData" />
        </Fixup>
    </Number>
</Block>

typedef struct
{
    char   id[4];
    uint32 datalen;
    if (datalen % 2)
        char data[datalen+1];   // odd-sized data is padded to an even length
    else
        char data[datalen];
} strfHEADER;

<DataModel name="StrfHeader">
    <Blob name="StreamFormatFourCC" value="strf" length="4" token="true" mutable="false"/>
    <Number name="cbFileSize" size="32" endian="little" signed="false"/>
    <Block name="IsOdd" minOccurs="0" maxOccurs="1">
        <Relation type="when" when="(int(self.find('cbFileSize').getInternalValue())%2) == 1"/>
        <Blob lengthType="calc" length="int(self.find('cbFileSize').getInternalValue())+1" />
    </Block>
    <Block name="IsEven" minOccurs="0" maxOccurs="1">
        <Relation type="when" when="(int(self.find('cbFileSize').getInternalValue())%2) == 0"/>
        <Blob lengthType="calc" length="int(self.find('cbFileSize').getInternalValue())" />
    </Block>
</DataModel>

while ( !FEof() )
{
    ReadBytes( tag, FTell(), 4 );
    tag[4] = 0;
    count++;
    if ( header.object_version == 0 )
        if ( count > header.num_headers )
            break;
    switch ( tag )
    {
        case "DATA":
            DATA_CHUNKS data_chunk;
            break;
        case "PROP":
            PROP_CHUNK prop_chunk;
            break;
        case "MDPR":
            MDPR_CHUNK mdpr_chunk;
            break;
        case "CONT":
            CONT_CHUNK cont_chunk;
            break;
        case "INDX":
            INDX_CHUNKS indx_chunk;
            break;
        default:
            DEFAULT_CHUNK d_chunk;
            break;
    }
}

<DataModel name="Rm">
    <Block ref="RmHeader"/>
    <Choice maxOccurs="100">
        <Block ref="data_chunks"/>
        <Block ref="mdpr_chunk"/>
        <Block ref="indx_chunks"/>
        <Block ref="prop_chunk"/>
        <Block ref="cont_chunk"/>
        <Block ref="default_chunk"/>
    </Choice>
</DataModel>
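To make the size relation and CRC fixup of Example 1 concrete, here is an added Python sketch (an illustration for this thread, not code from the original post or from Peach): it lays a PNG chunk out the way the corrected model does and the way the model as first posted does, then parses both as a PNG reader would, checking the CRC over type + data. The chunk type, data bytes, the four NUL bytes standing in for cname, and the little-endian default for the posted CRC field are constructed assumptions.

```python
import struct
import zlib

# Constructed sample chunk fields; not taken from the original post.
CHUNK_TYPE = b"tEXt"
CHUNK_DATA = b"Comment\x00peach"


def build_chunk_fixed(ctype: bytes, data: bytes) -> bytes:
    """Lay the chunk out as the corrected Peach model does: Length is a size relation
    on Data, and the CRC fixup covers the TypeAndData block (Type directly followed by Data)."""
    type_and_data = ctype + data
    crc = zlib.crc32(type_and_data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + type_and_data + struct.pack(">I", crc)


def build_chunk_as_posted(ctype: bytes, data: bytes) -> bytes:
    """Lay the chunk out as the model first posted does: TypeAndData holds Type plus a second
    4-byte cname blob (8 bytes where the C union is 4), Data sits outside that block, so the
    fixup ref covers only Type + cname. Assumptions: cname is four NUL bytes, and the CRC is
    written little-endian because the posted CRC Number gives no endian (Peach's default)."""
    type_and_cname = ctype + b"\x00" * 4
    crc = zlib.crc32(type_and_cname) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + type_and_cname + data + struct.pack("<I", crc)


def parse_chunk(buf: bytes) -> dict:
    """Decode one chunk the way a PNG reader does and verify the CRC over type + data."""
    if len(buf) < 12:
        raise ValueError("chunk shorter than the 12-byte minimum")
    (length,) = struct.unpack(">I", buf[:4])
    if 12 + length > len(buf):
        raise ValueError("Length field exceeds the buffer")
    ctype, data = buf[4:8], buf[8:8 + length]
    (crc,) = struct.unpack(">I", buf[8 + length:12 + length])
    return {"type": ctype, "data": data, "consumed": 12 + length,
            "crc_ok": crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)}


def mutated_chunk_accepted(mutated_data: bytes) -> bool:
    """Emulate a mutation of Data followed by the relation and fixup re-computing Length and
    CRC: the reader must still accept the chunk, or the mutated bytes never reach the code
    that handles this chunk type."""
    return parse_chunk(build_chunk_fixed(CHUNK_TYPE, mutated_data))["crc_ok"]


if __name__ == "__main__":
    for name, builder in (("fixed", build_chunk_fixed), ("as posted", build_chunk_as_posted)):
        chunk = builder(CHUNK_TYPE, CHUNK_DATA)
        print(f"{name}: {len(chunk)} bytes, crc_ok={parse_chunk(chunk)['crc_ok']}")
    print("mutated data accepted:", mutated_chunk_accepted(b"A" * 4096))
```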


Latest replies (3)
#3
<Block name = "Chunk" minOccurs = "1" maxOccurs = "1024">
    <Number name = "Length" size = "32" endian="big" signed = "false">
        <Relation type = "size" of = "Data" />
    </Number>
    <Block name = "TypeAndData">    -----> Something is wrong here, isn't it? <Blob name = "Data" /> should be inside this block! I guess the OP was a bit careless.....
        <Blob name = "Type" length = "4" mutable="false"/>
        <Blob name = "cname" length="4"/>
    </Block>
    <Blob name = "Data" />
    <Number name = "CRC" size = "32">
        <Fixup class = "checksums.Crc32Fixup">
            <Param name = "ref" value = "TypeAndData" />
        </Fixup>
    </Number>
</Block>
2013-8-1 17:07
#4
Is Example 1 really meant to be written that way? The content of TypeAndData is a union type with a total size of 4 bytes, but in the article it became a struct type, so the total size grew to 8 bytes.
2020-8-11 15:47