peach PDF fuzzer

1. <?xml version="1.0" encoding="utf-8"?>
2. <Peach version="1.0" author="RLS2PEACH" description="PDF file fuzzer">
3. <!--this will give you a good start on a PDF fuzzer
4. bigger PDFs have more PDFObj blocks. You could also play with the values and change from blob to number or string
5. inside of PDFObj to get more coverage. each PDFObj will have a different amount of bytes for each different file fuzzed
6. use 010 editor or hachoir(free) to look at the struct of your files-->
7.  
8.     <Include ns="default" src="file:defaults.xml" />
9.    
10.  <DataModel name="PDF">
11.   <Block name="PDFHeader">
12.      <String name="Header" lentgth="9" value="%PDF-1.6 " token="true" />
13.  
14.   </Block>
15.  
16.     <Block name="PDFComment">
17.         <Blob name="Comment" length="14" />
18.     </Block>
19.  
20.    <Block name="PDFObj0">
21.         <Blob name="Index" length="6"  /> <!--lengths can be adjusted to fit the file you are fuzzing-->
22.         <Blob name="WhiteSpace1" length="64"  />
23.         <Blob name="Version" length="2"  />
24.         <Blob name="WhiteSpace2" length="64"  />
25.         <Blob name="Object" length="3" value="obj" />
26.         <Blob name="Data" length="64"  />
27.         <Blob name="EndObject" length="6" value="endobj" />
28.         <Blob name="WhiteSpace3" length="64"  />
29.     </Block>   
30.    <Block name="PDFObj1">
31.         <Blob name="Index" length="6"  />
32.         <Blob name="WhiteSpace1" length="64"  />
33.         <Blob name="Version" length="2"  />
34.         <Blob name="WhiteSpace2" length="64"  />
35.         <Blob name="Object" length="3" value="obj"  />
36.         <Blob name="Data" length="64"  />
37.         <Blob name="EndObject" length="6" value="endobj" />
38.         <Blob name="WhiteSpace3" length="64"  />           
39.     </Block>
40.        <Block name="PDFObj2">
41.         <Blob name="Index" length="6"  />
42.         <Blob name="WhiteSpace1" length="64"  />
43.         <Blob name="Version" length="2"  />
44.         <Blob name="WhiteSpace2" length="64"  />
45.         <Blob name="Object" length="3" value="obj"  />
46.         <Blob name="Data" length="64"  />
47.         <Blob name="EndObject" length="6" value="endobj" />
48.         <Blob name="WhiteSpace3" length="64"  />           
49.     </Block>
50.        <Block name="PDFObj3">
51.         <Blob name="Index" length="6"  />
52.         <Blob name="WhiteSpace1" length="64"  />
53.         <Blob name="Version" length="2"  />
54.         <Blob name="WhiteSpace2" length="64"  />
55.         <Blob name="Object" length="3" value="obj"  />
56.         <Blob name="Data" length="64"  />
57.         <Blob name="EndObject" length="6" value="endobj" />
58.         <Blob name="WhiteSpace3" length="64"  />           
59.     </Block>
60.        <Block name="PDFObj4">
61.         <Blob name="Index" length="6"  />
62.         <Blob name="WhiteSpace1" length="64"  />
63.         <Blob name="Version" length="2"  />
64.         <Blob name="WhiteSpace2" length="64"  />
65.         <Blob name="Object" length="3" value="obj"  />
66.         <Blob name="Data" length="64"  />
67.         <Blob name="EndObject" length="6" value="endobj" />
68.         <Blob name="WhiteSpace3" length="64"  />           
69.     </Block>
70.        <Block name="PDFObj5">
71.         <Blob name="Index" length="6"  />
72.         <Blob name="WhiteSpace1" length="64"  />
73.         <Blob name="Version" length="2"  />
74.         <Blob name="WhiteSpace2" length="64"  />
75.         <Blob name="Object" length="3" value="obj"  />
76.         <Blob name="Data" length="64"  />
77.         <Blob name="EndObject" length="6" value="endobj" />
78.         <Blob name="WhiteSpace3" length="64"  />           
79.     </Block>
80.        <Block name="PDFObj6">
81.         <Blob name="Index" length="6"  />
82.         <Blob name="WhiteSpace1" length="64"  />
83.         <Blob name="Version" length="2"  />
84.         <Blob name="WhiteSpace2" length="64"  />
85.         <Blob name="Object" length="3" value="obj"  />
86.         <Blob name="Data" length="64"  />
87.         <Blob name="EndObject" length="6" value="endobj" />
88.         <Blob name="WhiteSpace3" length="64"  />           
89.     </Block>
90.  
91.     <Block name="PDFUnknown">
92.         <Blob name="Data" length="19" value="startxref  105022.." />
93.     </Block>
94.  
95.     <Block name="PDFTrailer">
96.         <String name="Trailer" length="5" value="%%EOF" token="true"/>
97.     </Block>
98.  </DataModel>
99.     <DataModel name="Param">
100.         <String name="Value" isStatic="true" />
101. </DataModel>
102.    
103. <Publisher class="file.FileWriterLauncher">
104.         <Param name="fileName" value="fuzzed.pdf"/>
105. </Publisher>
106.  
107. <Agent name="LocalAgent">
108.    <Monitor class="debugger.WindowsDebugEngine">
109.  
110.         <!-- The command line to run.  Notice the filename provided matched up
111.             to what is provided below in the Publisher configuration -->
112.         <Param name="CommandLine" value="C:\Program Files\Foxit Software\Foxit Reader\Reader.exe fuzzed.pdf" />
113.  
114.         <!-- This parameter will cause the debugger to wait for an action-call in
115.             the state model with a method="ScoobySnacks" before running
116.             program.
117.  
118.             Note: You will also need to add a parameter to the publisher called
119.                   "debugger" and set it to "true"!
120.        -->
121.         <Param name="StartOnCall" value="ScoobySnacks" />
122.  
123.     </Monitor>
124.  
125. </Agent>
126. <!-- This is our simple wave state model -->
127. <StateModel name="TheState" initialState="Initial">
128.         <State name="Initial">
129.                
130.                 <!-- Write out our wave file -->
131.                 <Action type="output">
132.                         <DataModel ref="PDF"/>
133.                         <!-- This is our sample file to read in -->
134.                         <Data name="data" fileName="sample.pdf"/>
135.                 </Action>
136.                
137.                 <Action type="close"/>
138.                
139.                 <!-- Launch the target process -->
140.                 <Action type="call" method="ScoobySnacks" />
141.         </State>
142. </StateModel>
143. <Test name="TheTest">
144.     <Agent ref="LocalAgent"/>
145.     <StateModel ref="TheState"/>
146.    
147.     <Publisher class="file.FileWriterLauncher">
148.         <Param name="fileName" value="fuzzed.pdf"/>
149.         <Param name="debugger" value="true"/>      
150.     </Publisher>
151.             <Publisher class="process.DebuggerLauncherGui" name="launch">
152.             <Param name="windowName" value="fuzzed.pdf" />
153.         </Publisher>
154. </Test>
155.  
156. <Logger class="logger.Filesystem">
157.     <Param name="path" value="logs" />
158. </Logger>
159.  
160. <Run name="DefaultRun">
161.    
162.     <Test ref="TheTest" />
163.  
164.     <Logger class="logger.Filesystem">
165.         <Param name="path" value="logs" />
166.     </Logger>
167.    
168. </Run>
169.    
170. </Peach>