HTTP/2 Peach Pit for Microsoft Edge
Here at Duo Labs we believe that open sourcing security research tools helps the greater research community push technology forward. If you find this release useful, please consider joining us in sharing your tools, which are typically considered proprietary, with the public in the spirit of bettering security for everyone.
This Peach pit implements the HTTP/2 protocol (RFC-7540) and is targeted at Microsoft Edge. It was developed as part of a Duo Labs research project and has been run through about 150,000 iterations. The traffic samples in this release were generated against the h2o server. With some work and an understanding of the protocol, it should be retargetable to Firefox or Chrome.
- Contains C# code implementing the HPACKInteger packed integer type and the HuffmanTransformer string transformer as laid out in RFC-7541.
- As Peach currently does not support setting ALPNs on the SSlListener, a pass-through TLS proxy was implemented. It must be run alongside the main Peach.exe instance. Also contains the CA cert that must be installed on the target.
- Contains binary samples to feed Peach. Exercises PUSH_PROMISE and related functionality.
- Contains all the data models in the HTTP/2 protocol.
- Contains the Peach state model for driving testing of Edge.
- Contains agent configurations and the fuzzer run configuration. Defaults to MS-CER2 monitoring, but direct WindowsDebugger monitors are available.
As Edge launches five separate processes per fuzzing iteration, attaching a debugger to all of them takes a significant amount of time. As an alternative I've implemented an MS-CER2 monitor. MS-CER2 is Microsoft's Corporate Error Reporting v2 protocol, which Windows Error Reporting uses to upload crash reports to a corporate server (here, the Host) instead of to Microsoft. Details on how to leverage this can be found here.
In this section SUT (system under test) will refer to a Windows 10 host running Edge with an IP of 10.23.1.74. Host will refer to the system running Peach.exe with the IP of
Install CA Cert
Using the Windows certificate manager, install TLSProxy/ca.crt into the Trusted Root Certification Authorities store of the machine.
An entry pointing at the Host machine must be added to C:\windows\system32\drivers\etc\hosts under the name TARGET for TLS to work (the same name is used as the CorporateWerServer in the registry file below):
Page heap must be enabled for each of Edge's processes. The easiest way is to use the EdgeDbg package by SkyLined and run EdgePageHeap.cmd ON; otherwise configure it manually through gflags.exe for the following five images:
To use the native crash collection facilities of Windows, import the following registry file. It points WER at TARGET (which the hosts entry resolves to the Host) on port 0x22b1 (8881), keeps WER enabled, zips reports, disables queueing so reports are uploaded immediately, and sets the consent level to 4 (send all data):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"CorporateWerPortNumber"=dword:000022b1
"CorporateWerServer"="TARGET"
"Disabled"=dword:00000000
"EnableZip"=dword:00000001
"DisableQueue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent]
"DefaultConsent"=dword:00000004
Start Peach Agent
Launch PeachAgent.exe from an elevated command prompt and configure the firewall to allow incoming connections from your Host machine on the agent port given in the Agent location in HTTP2_Client.xml (9001).
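The SUT-side steps above (trusting the pit CA, the TARGET hosts entry, page heap, the WER registry values and the agent firewall rule) collected into one script, as an added example; this is not part of the Duo Labs release. It assumes gflags.exe is on PATH, takes the agent port 9001 from the Agent location in HTTP2_Client.xml, and leaves the five page-heap image names as a parameter you fill in from the page heap section, since they are not reproduced here. Run it from an elevated PowerShell prompt on the SUT:

```powershell
<#
 Added example, not part of the Duo Labs pit. Prepares a Windows 10 SUT for the
 HTTP/2 pit from an elevated PowerShell prompt.
 Usage:  .\Setup-Sut.ps1 -HostIp 10.23.1.53 -Images <the five Edge image names>
 Assumptions (not stated in the README): gflags.exe is on PATH; the agent port
 9001 is taken from the Agent location in HTTP2_Client.xml; $Images must be
 filled in with the five image names from the README's page heap section.
#>
param(
    [Parameter(Mandatory)][string]$HostIp,       # machine running Peach.exe (10.23.1.53 in the README's config)
    [string]$CaCertPath = '.\TLSProxy\ca.crt',   # CA cert shipped with the pit
    [string[]]$Images = @(),                     # page-heap image names; supply the README's five
    [int]$AgentPort = 9001                       # PeachAgent.exe port, from HTTP2_Client.xml
)

$ErrorActionPreference = 'Stop'
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$WerKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'

function Install-PitCaCert([string]$Path) {
    # Edge only trusts the proxy's per-site certificates if the pit CA sits in
    # the machine's Trusted Root store.
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

function Set-TargetHostsEntry([string]$Ip) {
    # TARGET is both the TLS name and the CorporateWerServer name, so it must
    # resolve to the Host. Drop a stale TARGET line first so re-runs are safe.
    $kept = Get-Content $HostsFile | Where-Object { $_ -notmatch '^\s*\S+\s+TARGET(\s|$)' }
    Set-Content -Path $HostsFile -Value ($kept + "$Ip`tTARGET") -Encoding ASCII
}

function Set-CorporateWer([string]$Server, [int]$Port) {
    # Same values as the README's .reg file: 0x22b1 = 8881, Consent 4 = send all data.
    New-Item -Path "$WerKey\Consent" -Force | Out-Null
    $values = @{
        CorporateWerServer     = @('String', $Server)
        CorporateWerPortNumber = @('DWord',  $Port)
        Disabled               = @('DWord',  0)   # WER stays enabled
        EnableZip              = @('DWord',  1)
        DisableQueue           = @('DWord',  1)   # upload at once instead of queueing
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $WerKey -Name $name -PropertyType $values[$name][0] `
            -Value $values[$name][1] -Force | Out-Null
    }
    New-ItemProperty -Path "$WerKey\Consent" -Name DefaultConsent -PropertyType DWord -Value 4 -Force | Out-Null
}

function Enable-PageHeap([string[]]$ImageNames) {
    # Full page heap per image; gflags.exe ships with Debugging Tools for Windows.
    foreach ($img in $ImageNames) { & gflags.exe /p /enable $img /full }
}

function Add-PeachAgentFirewallRule([string]$FromIp, [int]$Port) {
    # Only the Host may reach the agent. PeachAgent.exe itself is started separately.
    New-NetFirewallRule -DisplayName 'Peach Agent (fuzzing host)' -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $FromIp -Action Allow | Out-Null
}

function Test-SutConfig([string]$Ip, [int]$Port) {
    # Plumbing check: TARGET resolves to the Host and WER points at TARGET:8881.
    $resolved = [System.Net.Dns]::GetHostAddresses('TARGET') | ForEach-Object IPAddressToString
    $wer = Get-ItemProperty -Path $WerKey
    return (($resolved -contains $Ip) -and
            ($wer.CorporateWerServer -eq 'TARGET') -and
            ($wer.CorporateWerPortNumber -eq $Port))
}

Install-PitCaCert $CaCertPath
Set-TargetHostsEntry $HostIp
Set-CorporateWer -Server 'TARGET' -Port 0x22b1
if ($Images.Count -gt 0) { Enable-PageHeap $Images }
else { Write-Warning 'No page-heap images given; Edge will run without page heap.' }
Add-PeachAgentFirewallRule -FromIp $HostIp -Port $AgentPort
if (-not (Test-SutConfig -Ip $HostIp -Port 0x22b1)) { throw 'SUT configuration check failed' }
Write-Host "SUT ready: TARGET -> $HostIp, WER -> TARGET:8881, agent port $AgentPort open to $HostIp"
```

The hosts edit removes any earlier TARGET line before appending, so the script can be re-run after the Host changes address; the final Test-SutConfig check catches the two mistakes that most often leave the MS-CER2 monitor silent, a TARGET name that does not resolve to the Host and a WER server value that was never imported. Without page heap the pit still runs, but heap corruption found by the mutations is far less likely to surface as a crash WER can report.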
Edit HTTP2_Client.xml and change the IP address of the remote agent to point to your SUT:
<Agent name="RemoteAgent" location="tcp://10.23.1.74:9001"> <!-- Change to IP of SUT -->
Further down, configure the Host interface for the MS-CER2 monitor to bind to; this must be the address TARGET resolves to on the SUT:
<Param name="Host" value="10.23.1.53" /> <!-- CHANGE TO IP OF HOST -->
Start the TLS unwrapping proxy by executing:
Its output lets you monitor the traffic going to and from the SUT.
You should be good to go! Run a validation pass to make sure all the plumbing is working with:
mono Peach.exe --plugins=. -1 HTTP2_Client.xml
You should see Edge start, a page load, and then Edge close.
If all goes well, you are ready to start fuzzing by dropping the -1 flag:
mono Peach.exe --plugins=. HTTP2_Client.xml