• Stars
    star
    634
  • Rank 70,925 (Top 2 %)
  • Language
    Python
  • License
    BSD 2-Clause "Sim...
  • Created over 8 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.

Rex

At the moment rex offers a couple of features, crash triaging, crash exploration, and exploitation for certain kinds of crashes.

In the example below, we take a crashing input for legit_00003 discovered by AFL. The vulnerability is a simple buffer overflow on the stack, however, before the vulnerable function returns it calls memcpy with a destination parameter which was overwritten during the stack smash. While rex doesn't know how to exploit an arbitrary memcpy call (yet), it can be told to explore the crash until it finds an exploitation primitive which it knows how to exploit.

Exploit objects can take a crashing input and will attempt to turn it into an exploit which can set every register and leak data from an arbitrary address.

# triage a crash
>>> crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")
>>> crash.crash_types
['write_what_where']
>>> crash.explorable()
True
# explore the crash by setting segfaulting pointers to sane values and re-tracing
>>> crash.explore()
# now we can see that we control instruction pointer
>>> crash.crash_types
'ip_overwrite'
# generate exploits based off of this crash
# it may take several minutes
>>> arsenal = crash.exploit()
# we generated a type 1 POV for every register
>>> len(arsenal.register_setters) # we generate one circumstantial register setter, one shellcode register setter
2
# and one Type 2 which can leak arbitrary memory
>>> len(arsenal.leakers)
1
# exploits are graded based on reliability, and what kind of defenses they can
# bypass, the two best exploits are put into the 'best_type1' and 'best_type2' attributes
>>> arsenal.best_type1.register
'ebp'
# exploits can be dumped in C, Python, or as a compiled POV
>>> arsenal.best_type2.dump_c('legit3_x.c')
>>> arsenal.best_type2.dump_python('legit3_x.py')
>>> arsenal.best_type2.dump_binary('legit3_x.pov')
# also POVs can be tested against a simulation of the CGC architecture
>>> arsenal.best_type1.test_binary()
True

Basic support of Linux ELF binaries also exists, exploits generated for ELF binaries will attempt to drop a shell.

More Repositories

1

angr

A powerful and user-friendly binary analysis platform!
Python
7,537
star
2

angr-management

The official angr GUI.
Python
892
star
3

angr-doc

Documentation for the angr suite
TeX
837
star
4

angrop

Python
597
star
5

cle

CLE Loads Everything (at least, many binary formats!)
Python
412
star
6

pyvex

Python bindings for Valgrind's VEX IR.
Python
337
star
7

claripy

An abstraction layer for constraint solvers.
Python
286
star
8

patcherex

Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
Python
249
star
9

heaphopper

HeapHopper is a bounded model checking framework for Heap-implementations
Python
212
star
10

pypcode

Python bindings to Ghidra's SLEIGH library for disassembly and lifting to P-Code IR
C++
179
star
11

phuzzer

The new phuzzing framework!
Python
148
star
12

angr-dev

Some helper scripts to set up an environment for angr development.
Shell
115
star
13

vex

A patched version of VEX to work with PyVEX.
C
105
star
14

tracer

Utilities for generating dynamic traces
Python
88
star
15

archinfo

Classes with architecture-specific information useful to other projects.
Python
85
star
16

simuvex

[DEPRECATED] A symbolic execution engine for the VEX IR
Python
79
star
17

archr

Target-centric program analysis.
Python
72
star
18

angr-platforms

A collection of extensions to angr to handle new platforms
Python
66
star
19

binaries

A repository with binaries for angr tests and examples.
C
56
star
20

acsac-course

Python
47
star
21

fidget

A tool to add simple inline patches to a binary to rearrange its stack frames, and other things!
Python
45
star
22

pysoot

Python bindings for Shimple/Jimple IR from Soot.
Python
41
star
23

angr-targets

This repository contains the currently implemented angr concrete targets.
Python
32
star
24

ailment

AIL: The angr Intermediate Language.
Python
29
star
25

angr-examples

Example scripts using angr
Python
27
star
26

secdev-course

Python
20
star
27

identifier

[DEPRECATED] Using angr and prebuilt testcases to identify functions in statically-linked binaries.
9
star
28

wheels

Wheels for speeding up builds and helping people out.
7
star
29

angr.github.io

angry website
HTML
6
star
30

nixpkgs

angr related nixpkgs
Nix
4
star
31

flirt_signatures

4
star
32

angr.io

angr.io website source
HTML
3
star
33

syscall-agent

C
2
star
34

ci-settings

Docker image and azure templates for angr's CI
Python
2
star
35

library_docs

1
star
36

azure-runners

Docker stuff for self-hosted azure runners
Shell
1
star