beebug - A tool for checking exploitability
Description
beebug is a tool that can be used to verify if a program crash could be exploitable.
This tool was presented the first time at r2con 2018 in Barcelona.
Some implemented functionality are:
- Stack overflow on libc
- Crash on Program Counter
- Crash on branch
- Crash on write memory
- Heap vulnerabilities
- Read access violation (some exploitable cases)
- Graph based on [functrace](https://github.com/invictus1306/functrace) (Dynamic Binary Instrumentation)
We can use beebug for:
- Crash analysis (based on r2pipe)
- Graph Generation (based on functrace)
- Crash analysis + Graph Generation
Dependencies
- r2pipe
- pydot
- graphviz
- pyqtgraph
Installation
$ wget https://github.com/radare/radare2/archive/3.5.0.tar.gz
$ tar xvzf 3.5.0.tar.gz
$ cd radare2-3.5.0/
$ ./configure --prefix=/usr
$ make -j8
$ sudo make install
$ sudo apt-get install graphviz
$ git clone https://github.com/invictus1306/beebug
$ cd beebug
$ sudo pip3 install -r requirements.txt
Simple DEMO
Usage
help
$ python3 ./beebug.py -h
usage: beebug.py [-h] -t TARGET [-ta TARGETARGS] [-f FILE] [-g GRAPH] [-i]
[-a] [-r REPORT_FILE] [-v]
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
target program to analyze
-ta TARGETARGS, --targetargs TARGETARGS
arguments for the target program
-f FILE, --file FILE input file
-g GRAPH, --graph GRAPH
output graph name
-i, --instrumentation
instrumentation option
-a, --analyze analyze crash
-r REPORT_FILE, --report_file REPORT_FILE
DynamoRIO report file to parse
-v, --version show program's version number and exit
Crash analysis using r2 (no instrumentation)
$ python3 beebug.py -t ./tests/simple_crash -a
Process with PID 5047 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash reopened in read-write mode
= attach 5047 5047
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 2
backtrace
0 0x400552 sp: 0x0 0 [sym.vuln]
1 0x400574 sp: 0x7fff635890c8 24 [main] main+25
2 0x7f34d4372830 sp: 0x7fff635890e8 32 [??] sym.libc_start_main+240
3 0x7f34d472c7cb sp: 0x7fff63589178 144 [??] sym.dl_rtld_di_serinfo+29051
4 0x400459 sp: 0x7fff635891a8 48 [??] entry0+41
registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7f34d4716b20
rdx = 0x01d85010
r8 = 0x01d85000
r9 = 0x0000000d
r10 = 0x7f34d4716b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff635891c0
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x01d85020
rdi = 0x7f34d4716b20
rsp = 0x7fff635890b0
rbp = 0x7fff635890c0
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff
configuration file for instrumentation
It is needed only of you want to use instrumentation
config file
[dynamorio]
drrun = /your_path/DynamoRIO-Linux-7.0.0-RC1/bin64/drrun
client = /your_path/functrace/build/libfunctrace.so
[instrumentation]
disassembly = False
disas_func = main
wrap_function =
wrap_function_args = 0
cbr = True
verbose = False
Graph generation (no crash analysis)
$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1
$ xpdf grap1
Crash analysis + Graph generation
python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 -a
Process with PID 5081 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash reopened in read-write mode
= attach 5081 5081
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 4
backtrace
0 0x400552 sp: 0x0 0 [sym.vuln]
1 0x400574 sp: 0x7fff5ec31f88 24 [main] main+25
2 0x7fb834795830 sp: 0x7fff5ec31fa8 32 [??] sym.libc_start_main+240
3 0x7fb834b4f7cb sp: 0x7fff5ec32038 144 [??] sym.dl_rtld_di_serinfo+29051
4 0x400459 sp: 0x7fff5ec32068 48 [??] entry0+41
registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7fb834b39b20
rdx = 0x00d15010
r8 = 0x00d15000
r9 = 0x0000000d
r10 = 0x7fb834b39b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff5ec32080
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x00d15020
rdi = 0x7fb834b39b20
rsp = 0x7fff5ec31f70
rbp = 0x7fff5ec31f80
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff
Limitation
- If the program require user input at runtime, it is not possibile to add it (based on r2pipe)
- graph view (based on pydot/graphiz) is limited to small target program
Future direction
- Support different architectures
- Graph improvement (based on graphviz)
- Analyze core dumps (based on radare2)
Lead Developer
- Andrea Sindoni - Twitter