🔥 To make use of this Peach pit you must have a commercial copy of the Peach Fuzzer. 🔥
Here at Duo Labs we believe that open sourcing security research tools helps the the greater research community push technology forward. If you find this release useful please consider joining us in sharing your tools which are typically considered proprietary with the public in the spirit of bettering security for everyone.
This peach pit implements the HTTP/2 protocol (RFC-7540) and is targetted at Microsoft Edge. It was developed as part of a Duo Labs research project and has been run through about 150,000 iterations. Traffic samples within this release were generated with the use of the h2o server. With a little bit of work and understanding of the protocol, it should be retargetable to Firefox/Chrome.
-- @sirus
Contains C# code implementing the HPACKInteger packed integer type and the HuffmanTransformer string transformer as laid out in RFC-7541.
As Peach currently does not support setting ALPNs on the SSlListener a pass through proxy was implemented. It must be run alongside the main Peach.exe instance. Also contains CA cert that must be installed on the target.
Contains binary samples to feed Peach. Exercises PUSH_PROMISE and related functionality.
Contains all the data models in the HTTP/2 protocol.
Contains Peach state model for driving testing of Edge.
Contains agent configurations and the fuzzer run configuration. Defaults to using MSCER-2 monitoring but direct WindowsDebugger monitors are available.
As Edge launches five separate processes per fuzzing iteration attaching to all of them takes a significant amount of time. As an alternative I've implemented a MSCER-2 monitor. MSCER-2 is the Windows Error Reporting protocol. Details on how to leverage this can be found here.
In this section SUT (system under test) will refer to a Windows 10 host that is to be running Edge with an IP of 10.23.1.74. Host will refer to the system running Peach.exe with the IP of 10.23.1.53.
Using the windows certificate manager install the TLSProxy/ca.crt in to the trusted CA cert store.
An entry pointing at the Host machine must be made in C:\windows\system32\drivers\etc\hosts under the name TARGET to for TLS to work:
10.23.1.53 TARGET
The easiest way to configure page heap is by utilizing the EdgeDbg package by Skylined and running EdgePageHeap.cmd ON otherwise manually configure through gflags.exe for the following five images:
- microsoftedge.exe
- microsoftedgecp.exe
- runtimebroker.exe
- browser_broker.exe
- applicationframehost.exe
To use the native crash collection facilities of Windows the following registry key must be imported:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"CorporateWerPortNumber"=dword:000022b1
"CorporateWerServer"="TARGET"
"Disabled"=dword:00000000
"EnableZip"=dword:00000001
"DisableQueue"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent]
"DefaultConsent"=dword:00000004
Launch the PeachAgent.exe binary from an elevated command prompt and configure firewall settings to allow incoming connections from your Host machine.
Edit HTTP2_Client.xml and change the IP address of the remote agent to point to your SUT:
<Agent name="RemoteAgent" location="tcp://10.23.1.74:9001"> <!-- Change to IP of SUT-->
Further down, configure the interface that for the MS-CER2 monitor to bind to:
<Param name="Host" value="10.23.1.53" /> <!-- CHANGE TO IP TO HOST. -->
Start the TLS unwrapping proxy by executing:
python2 TLSProxy/h2unwrap.py
You will be able to monitor the traffic going to and from the SUT.
You should be good to go! Run a validation pass to make sure all the plumbing is working with:
mono Peach.exe --plugins=. -1 HTTP2_Client.xml
You should see Edge start, a page load and then edge close.
If all goes well you should be ready to start fuzzing by dropping the -1 argument:
mono Peach.exe --plugins=. HTTP2_Client.xml