peachfuzz-code
peachfuzz-code copied to clipboard
asudhak
Issue running dumb fuzzing tutorial
I tried running the peachfuzzer on the png.xml from dumb fuzzing tutorial.
However, when starting to fuzz, I receive an Unhandled Exception error, any advice would be helpful:
- Validate XML file
$ ./peach -t png.xml
[[ Peach v0.0.0.0
[[ Copyright (c) Michael Eddington
[*] Validating file [png.xml]... File parsed successfully, but XSD validation is not supported on the Mono runtime.
- Run peach for a single iteration
$ ./peach -1 png.xml
[[ Peach v0.0.0.0
[[ Copyright (c) Michael Eddington
Unhandled Exception:
System.ArgumentException: Expression of type 'System.Nullable`1[System.Boolean]' cannot be used for parameter of type 'System.Object' of method 'Void SetValue(System.Object, System.Object)'
Parameter name: arg0
at System.Dynamic.Utils.ExpressionUtils.ValidateOneArgument (System.Reflection.MethodBase method, System.Linq.Expressions.ExpressionType nodeKind, System.Linq.Expressions.Expression arguments, System.Reflection.ParameterInfo pi, System.String methodParamName, System.String argumentParamName, System.Int32 index) [0x00091] in <b5b8f552f9484fab8c19a20c404b4624>:0
at System.Linq.Expressions.Expression.ValidateOneArgument (System.Reflection.MethodBase method, System.Linq.Expressions.ExpressionType nodeKind, System.Linq.Expressions.Expression arg, System.Reflection.ParameterInfo pi, System.String methodParamName, System.String argumentParamName) [0x00000] in <b5b8f552f9484fab8c19a20c404b4624>:0
at System.Linq.Expressions.Expression.Call (System.Linq.Expressions.Expression instance, System.Reflection.MethodInfo method, System.Linq.Expressions.Expression arg0, System.Linq.Expressions.Expression arg1) [0x00032] in <b5b8f552f9484fab8c19a20c404b4624>:0
at Peach.Core.ObjectCopier.AssignField (System.Reflection.FieldInfo fieldInfo, System.Linq.Expressions.Expression clone, System.Linq.Expressions.Expression value) [0x000bc] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.CopyComplexType (System.Type type, System.Linq.Expressions.Expression original, System.Linq.Expressions.Expression clone, System.Collections.Generic.List`1[T] exprs) [0x0004b] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.CopyComplexType (System.Type type, System.Linq.Expressions.Expression original, System.Linq.Expressions.Expression clone, System.Collections.Generic.List`1[T] exprs) [0x00075] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.CloneComplexType (System.Type type, System.Collections.Generic.List`1[T] vars, System.Collections.Generic.List`1[T] exprs) [0x000cb] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier..ctor (System.Type type) [0x000f5] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.findOrCreateCloner (System.Type type) [0x00012] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,System.Collections.Hashtable,object,object)
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,System.Collections.Hashtable,object,object)
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,System.Collections.Hashtable,object,object)
at Peach.Core.ObjectCopier.Clone[T] (T obj, System.Object ctx) [0x0002e] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Dom.DataElement.Clone (System.String name) [0x00008] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Dom.DataModel.PitParser (Peach.Core.Analyzers.PitParser context, System.Xml.XmlNode node, Peach.Core.Dom.DataElementContainer parent) [0x00089] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleDataModel (System.Xml.XmlNode node, Peach.Core.Dom.DataModel old) [0x00099] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleActionData (System.Xml.XmlNode node, Peach.Core.Dom.ActionData data, System.String type, System.Boolean hasData) [0x00026] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleActionOutput (System.Xml.XmlNode node, Peach.Core.Dom.Actions.Output action) [0x0001c] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleAction (System.Xml.XmlNode node, Peach.Core.Dom.State parent) [0x001a2] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleState (System.Xml.XmlNode node, Peach.Core.Dom.StateModel parent) [0x0007f] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleStateModel (System.Xml.XmlNode node, Peach.Core.Dom.Dom parent) [0x00060] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handlePeach (Peach.Core.Dom.Dom dom, System.Xml.XmlNode node, System.Collections.Generic.Dictionary`2[TKey,TValue] args) [0x00562] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.asParser (System.Collections.Generic.Dictionary`2[TKey,TValue] args, System.IO.Stream data, System.Boolean doValidatePit) [0x0006c] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.asParser (System.Collections.Generic.Dictionary`2[TKey,TValue] args, System.IO.Stream data) [0x00000] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzer.asParser (System.Collections.Generic.Dictionary`2[TKey,TValue] args, System.String fileName) [0x0000a] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Runtime.Program..ctor (System.String[] args) [0x00655] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Program.Main (System.String[] args) [0x00005] in <d4d7a17a5173497ab1ff38f3bb6e9a6c>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.ArgumentException: Expression of type 'System.Nullable`1[System.Boolean]' cannot be used for parameter of type 'System.Object' of method 'Void SetValue(System.Object, System.Object)'
Parameter name: arg0
at System.Dynamic.Utils.ExpressionUtils.ValidateOneArgument (System.Reflection.MethodBase method, System.Linq.Expressions.ExpressionType nodeKind, System.Linq.Expressions.Expression arguments, System.Reflection.ParameterInfo pi, System.String methodParamName, System.String argumentParamName, System.Int32 index) [0x00091] in <b5b8f552f9484fab8c19a20c404b4624>:0
at System.Linq.Expressions.Expression.ValidateOneArgument (System.Reflection.MethodBase method, System.Linq.Expressions.ExpressionType nodeKind, System.Linq.Expressions.Expression arg, System.Reflection.ParameterInfo pi, System.String methodParamName, System.String argumentParamName) [0x00000] in <b5b8f552f9484fab8c19a20c404b4624>:0
at System.Linq.Expressions.Expression.Call (System.Linq.Expressions.Expression instance, System.Reflection.MethodInfo method, System.Linq.Expressions.Expression arg0, System.Linq.Expressions.Expression arg1) [0x00032] in <b5b8f552f9484fab8c19a20c404b4624>:0
at Peach.Core.ObjectCopier.AssignField (System.Reflection.FieldInfo fieldInfo, System.Linq.Expressions.Expression clone, System.Linq.Expressions.Expression value) [0x000bc] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.CopyComplexType (System.Type type, System.Linq.Expressions.Expression original, System.Linq.Expressions.Expression clone, System.Collections.Generic.List`1[T] exprs) [0x0004b] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.CopyComplexType (System.Type type, System.Linq.Expressions.Expression original, System.Linq.Expressions.Expression clone, System.Collections.Generic.List`1[T] exprs) [0x00075] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.CloneComplexType (System.Type type, System.Collections.Generic.List`1[T] vars, System.Collections.Generic.List`1[T] exprs) [0x000cb] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier..ctor (System.Type type) [0x000f5] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.ObjectCopier.findOrCreateCloner (System.Type type) [0x00012] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,System.Collections.Hashtable,object,object)
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,System.Collections.Hashtable,object,object)
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,System.Collections.Hashtable,object,object)
at Peach.Core.ObjectCopier.Clone[T] (T obj, System.Object ctx) [0x0002e] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Dom.DataElement.Clone (System.String name) [0x00008] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Dom.DataModel.PitParser (Peach.Core.Analyzers.PitParser context, System.Xml.XmlNode node, Peach.Core.Dom.DataElementContainer parent) [0x00089] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleDataModel (System.Xml.XmlNode node, Peach.Core.Dom.DataModel old) [0x00099] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleActionData (System.Xml.XmlNode node, Peach.Core.Dom.ActionData data, System.String type, System.Boolean hasData) [0x00026] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleActionOutput (System.Xml.XmlNode node, Peach.Core.Dom.Actions.Output action) [0x0001c] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleAction (System.Xml.XmlNode node, Peach.Core.Dom.State parent) [0x001a2] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleState (System.Xml.XmlNode node, Peach.Core.Dom.StateModel parent) [0x0007f] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handleStateModel (System.Xml.XmlNode node, Peach.Core.Dom.Dom parent) [0x00060] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.handlePeach (Peach.Core.Dom.Dom dom, System.Xml.XmlNode node, System.Collections.Generic.Dictionary`2[TKey,TValue] args) [0x00562] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.asParser (System.Collections.Generic.Dictionary`2[TKey,TValue] args, System.IO.Stream data, System.Boolean doValidatePit) [0x0006c] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzers.PitParser.asParser (System.Collections.Generic.Dictionary`2[TKey,TValue] args, System.IO.Stream data) [0x00000] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Analyzer.asParser (System.Collections.Generic.Dictionary`2[TKey,TValue] args, System.String fileName) [0x0000a] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Core.Runtime.Program..ctor (System.String[] args) [0x00655] in <945a2fc8975f4112b9c95a088f9cb53e>:0
at Peach.Program.Main (System.String[] args) [0x00005] in <d4d7a17a5173497ab1ff38f3bb6e9a6c>:0
- The XML file derived from the tutorial:
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://peachfuzzer.com/2012/Peach"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://peachfuzzer.com/2012/Peach peach.xsd">
<!-- TODO: Create data model -->
<DataModel name="TheDataModel">
<Blob/>
</DataModel>
<!-- TODO: Create state model -->
<StateModel name="TheState" initialState="Initial">
<State name="Initial">
<Action type="output">
<DataModel ref="TheDataModel"/>
<Data name="data" fileName="samples_png/*.png" />
</Action>
<Action type="close"/>
<Action type="call" method="LaunchViewer" publisher="Peach.Agent"/>
</State>
</StateModel>
<Agent name="LinAgent">
<!-- Register for core file notifications. -->
<Monitor class="LinuxDebugger" >
<!-- This is the program we're going to run inside of the debugger -->
<Param name="Executable" value="feh"/>
<!-- These are arguments to the executable we want to run -->
<Param name="Arguments" value="fuzzed.png"/>
<!-- This parameter will cause the monitor to terminate the process
once the CPU usage reaches zero.
-->
<Param name="CpuKill" value="true"/>
</Monitor>
</Agent>
<Test name="Default">
<Agent ref="LinAgent" platform="linux"/>
<StateModel ref="TheState"/>
<Publisher class="File">
<Param name="FileName" value="fuzzed.png"/>
</Publisher>
<Strategy class="Random"/>
<Logger class="Filesystem">
<Param name="Path" value="logs" />
</Logger>
</Test>
</Peach>
<!-- end -->
- System Info:
- Ubuntu 18.04
- gcc 4.8
- Mono 6.0.0.313
I am having this same issue, with the same build environment. I followed the tutorial from the peach 3 community website for wav files and came to the same error.
The only thing I would add is tacking on --debug and --trace to the command provides 1 additional line of output:
[[ Peach v0.0.0.0 [[ Copyright (c) Michael Eddington Peach.Core.Analyzers.PitParser finalUpdateRelations
Unhandled Exception: System.ArgumentException: Expression of type 'System.Nullable`1[System.Boolean]' cannot be used for parameter of type 'System.Object' of method 'Void SetValue(System.Object, System.Object)' Parameter name: arg0 ....
I installed gcc-multilib and g++-multlib initially, but eventually came back to gcc/g++4.8 to actually build the binaries.
I have not either. I tried to update pin, but that caused a different set of errors. I can post the errors/updated pin version once I recreate the environment.
@fouzhe thanks! Will probably just switch over to that; looks to be more actively developed/maintained.
Have all of you solved this issue?
I have not had time to look into it further. I've talked to a few people who have it working on Windows platforms so that might be something to try. I will probably be moving over to the MozillaSecurity branch however.
I found the solution to this problem. Just switch mono version <= 5.16, then peach can successfully run on Linux(Validating XML file still not support). I guess that some APIs have changed in mono. @lbodner @Instructor123 @fouzhe @KmhlYXJ0 @LLVMnakefile
@ReeceNee Thanks, and it works fine with mono version 5.14 on Mac OS too.
@ReeceNee Thanks, and it works fine with mono version 5.14 on Mac OS too.
@silvervalley I have a similar problem with mono-5.14 and peach-3.1.124 on Mac OS. Can you provide some other system info?
@ReeceNee Thanks, and it works fine with mono version 5.14 on Mac OS too.
@silvervalley I have a similar problem with mono-5.14 and peach-3.1.124 on Mac OS. Can you provide some other system info?
Mono JIT compiler version 5.14.0.177 on macOS 10.14.6