Skip to content

ant4g0nist/crashmon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits

imgs

imgs

 
 

includes/lldb

includes/lldb

 
 

tests

tests

 
 

.DS_Store

.DS_Store

 
 

.gitignore

.gitignore

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

config.h

config.h

 
 

crashmon.h

crashmon.h

 
 

crashmon.mm

crashmon.mm

 
 

helpers.h

helpers.h

 
 

lisa.py

lisa.py

 
 

main.mm

main.mm

 
 

tracer.h

tracer.h

 
 

Repository files navigation

crashmon

crashmon - A CrashWrangler replacement based on LLDB

Crashmon, same as CrashWrangelr, is a LLDB wrapper together with Lisa.py that can be used to determine if a crash is an exploitable security issue, and if a crash is a duplicate of another known crash.

Usage

========= Build Instruction =========

macOSResearch ✗ git clone https://github.com/ant4g0nist/crashmon
macOSResearch ✗ cd crashmon
crashmon git:(main) ✗ make

Setup lisa.py

Please use lisa.py provided in crashmon folder as it has a modified version of exploitable command to pass the output as json.

cp crashmon/lisa.py ~/lisa.py

Usage

CW_LISA_PY=~/lisa.py/lisa.py •/bin/crashmon tests/binaries/crashexec

example

For debugging macOS System Applications/Services, it is expected that you disable SIP as crashmon uses LLDB.

========= Environment Variable Reference =========

CW_LISA_PY: Path of the lisa.py on your system.

CW_CURRENT_CASE: Path of the test case file that is being open in the target application. If set, crashmon will read and save the content of the test case file to triaged crash folder. This will be handy while fuzzing!

CW_ATTACH_PID: If set, use this pid as the process to monitor for crashes.
e.g. env CW_ATTACH_PID=12313 CW_CURRENT_CASE=foo ./crashmon or sudo env CW_ATTACH_PID=12313 CW_CURRENT_CASE=foo ./crashmon

CW_LOG_DIR: (Default ./crashlogs) The directory to output crashlogs to.

CW_JSON_STDOUT: (Default false) Write exploitable output as json to stdout.

CWE_*: If there are any environment variables prefixed with CWE_, delete the prefix and set the environment variable in the child. This does not apply when using CW_ATTACH_PID or CW_REGISTER_LAUNCHD_NAME.

========= crashmon return values =========

No crash = 0 Crash = 1 Timeout = 2

========= Exploitability algorithm =========

The algorithm for determining exploitability looks like this:

Exploitable if Crash on write instruction Crash executing invalid address Crash calling an invalid address Illegal instruction exception Abort due to -fstack-protector, _FORTIFY_SOURCE, heap corruption detected Stack trace of crashing thread contains certain functions such as malloc, free, szone_error, objc_MsgSend, etc.

Not exploitable if Divide by zero exception Stack grows too large due to recursion Null dereference(read or write) Other abort Crash on read instruction

PS

This is meant to be used just as an initial triage system! Don't really 100% on the crashmon's output as there might be bugs in lisa.py. I appreciate pull requests.

So, it's recommended to run the test case again with libgmalloc(3) on, and see if the crash changes to one that is considered to be exploitable.

todo

  • add lisa.py exploitable checks
  • test moreeee
  • follow xpc services (target function -> 'xpc_connection_get_pid'. Usecase: Safari->WebContent)

thanks

  • @apple for crashwrangler
  • LLVM

About

crashmon - A LLDB Based replacement for CrashWrangler

Topics

macos fuzzing lldb triage crashwrangler

Resources

Readme
Activity

Stars

47 stars

Watchers

4 watching

Forks

9 forks
Report repository

Releases 1

Crashmon-0.0.2 Latest
Nov 7, 2021

Packages

No packages published

Languages