2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article walks through the exploit automatic generation engine Rex with a worked example: its installation, a test run, the layout of its source code, and in particular how it decides whether a crash is exploitable. It is intended for readers who want a simple and practical way to get started with Rex.
I. Overview
Rex generates exploits automatically by Concolic Execution, built on the QEMU emulator and the angr binary analysis platform. It takes as input the program to be analysed and a crash input (the PoC that makes the program crash). Rex replays the crash path, analyses the register state and memory layout at the moment of the crash, decides whether the crash is exploitable, and, if so, generates an exploit automatically.
The definition of vulnerability type in the source code:
II. Installation
There are two ways to install Rex: 1) install Mechaphish as a whole (see its installation documentation); 2) install only Rex (see its installation documentation). The difference is that Mechaphish bundles the vulnerability discovery module Driller, the automatic exploitation module Rex, the automatic patching module Patcherex and the ROP chain generation module angrop. Because these modules are independent of each other, this article installs only the automatic exploitation module Rex. The local environment is Ubuntu 16.04.5 Desktop (64 bit). During deployment, Rex requires the following dependencies:
Some paths need to be adjusted while installing the dependencies; follow the prompts and modify them accordingly. The role of each dependency is as follows:
Component name: function
angr: A powerful and user-friendly binary analysis platform
tracer: Utilities for generating dynamic traces
angrop: angrop is a rop gadget finder and chain builder
compilerex: POV templates and compilation support for CGC binaries. Compilerex is a hacky cgc binary compiler
shellphish-qemu: Shellphish's pip-installable package of QEMU
povsim: POV simulation for CGC
After the installation is complete, use the following code to test the functionality of Rex.
# triage a crash
>>> crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\x7f\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\xff\x7f\xff\xff\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bto\x00t\xdd\x83\xc2t~n\xac\xe2\xff\xffk\x00t\x8b\xc7\xdd\x83\xc2t~n\xac\xff\xff\x8bt\x8b\xf1\x83\xc2t~c\x00\x00x\x7f\xe2\xff\x00t\x9e\xe2\xf1\xf2@\x83\xc3t")
>>> crash.crash_types
['write_what_where']
>>> crash.explorable()
True

# explore the crash by setting segfaulting pointers to sane values and re-tracing
>>> crash.explore()
# now we can see that we control the instruction pointer
>>> crash.crash_types
'ip_overwrite'

# generate exploits based off of this crash
# it may take several minutes
>>> arsenal = crash.exploit()

# we generated a type 1 POV for every register
>>> len(arsenal.register_setters)
# we generate one circumstantial register setter, one shellcode register setter
2
# and one Type 2 which can leak arbitrary memory
>>> len(arsenal.leakers)
1

# exploits are graded based on reliability, and what kind of defenses they can
# bypass; the two best exploits are put into the 'best_type1' and 'best_type2'
# attributes
>>> arsenal.best_type1.register
'ebp'

# exploits can be dumped in C, Python, or as a compiled POV
>>> arsenal.best_type2.dump_c('legit3_x.c')
>>> arsenal.best_type2.dump_python('legit3_x.py')
>>> arsenal.best_type2.dump_binary('legit3_x.pov')

# also POVs can be tested against a simulation of the CGC architecture
>>> arsenal.best_type1.test_binary()
True
The test results are as follows:
III. Source code analysis
Check the directory structure of the Rex source code:
From the dependencies between the classes, the code can be divided logically into four parts:
1) Exploit_factory: calls the other modules and is responsible for automatically generating the Exploit;
2) Crash: replays the crash path and determines whether the crash is exploitable;
3) Technique: for an exploitable crash, applies a targeted technique to generate the Exploit;
4) Shellcode_factory: the shellcode repository, from which a suitable shellcode is chosen as needed.
The following focuses on the analysis of the decision part of Crash availability.
IV. Determination of Crash availability
Rex replays the crash path by Concolic Execution, analyses the register state and memory layout at the time of the crash, and determines whether the crash is exploitable. The related code is concentrated in Crash.py. Readers interested in the underlying principle can refer to the paper "SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis", from which the following is quoted:
Vulnerable States. Unlike AEG/Mayhem, but similar to AXGEN, we generate exploits by performing concolic execution on crashing program inputs using angr. We drive concolic execution forward, forcing it to follow the same path as a dynamic trace gathered by concretely executing the crashing input applied to the program. Concolic execution is stopped at the point where the program crashed, and we inspect the symbolic state to determine the cause of the crash and measure exploitability. By counting the number of symbolic bits in certain registers, we can triage a crash into a number of categories such as frame pointer overwrite, instruction pointer overwrite, or arbitrary write, among others.
1、 Concrete Execution
The principle of Concolic Execution itself is not covered here. To perform Concolic Execution, angr needs to be given the crash address (crash_addr).
Therefore, the binary and the PoC are first run under QEMU to obtain crash_addr. The related functions are implemented in the Tracer module.
The code to call the Tracer module in Crash.py is as follows:
tracer_args = {'ld_linux': os.path.join(bin_location, 'tests/i386/ld-linux.so.2'),
               'library_path': os.path.join(bin_location, 'tests/i386')}
r = tracer.QEMURunner(binary=binary, input=input_data, argv=argv,
                      trace_timeout=trace_timeout, **tracer_args)

2、 Concolic Execution
After obtaining crash_addr, angr is configured and the Concolic Execution is run. The key configuration consists of three parts: the initial state, the choice of State Plugins, and the path exploration strategy.
(1) initial state setting
Configure the save_unconstrained parameter of the simulation_manager, where r is the return value of tracer.QEMURunner(): r.crash_mode is True when the PoC successfully triggers a crash and False when it does not.
Through the full_init_state () method, set the initial state of the program:
Set tracing mode: mode = 'tracing'
add_options:
Option name: description
so.MEMORY_SYMBOLIC_BYTES_MAP: Maintain a mapping of symbolic variable to which memory address it "really" corresponds to, at the paged memory level
so.TRACK_ACTION_HISTORY: Track the history of actions through a path (multiple states). This affects things on the angr level
so.CONCRETIZE_SYMBOLIC_WRITE_SIZES: Concretize the sizes of symbolic writes to memory
so.CONCRETIZE_SYMBOLIC_FILE_READ_SIZES: Concretize the sizes of file reads
so.TRACK_MEMORY_ACTIONS: Keep a SimAction for each memory read and write
remove_options:
Because the 'tracing' mode pre-sets some options, remove_options is needed in addition to add_options to tune the strategy. The options are defined in ./angr/sim_options.py:
Option name: description
so.TRACK_CONSTRAINT_ACTIONS: Keep a SimAction for each constraint added
so.LAZY_SOLVES: Don't check satisfiability until absolutely necessary
so.ALL_FILES_EXIST: Attempting to open an unknown file will result in creating it with a symbolic length
so.TRACK_REGISTER_ACTIONS: Keep a SimAction for each register read and write
so.TRACK_TMP_ACTIONS: Keep a SimAction for each temporary variable read and write
so.TRACK_JMP_ACTIONS: Keep a SimAction for each jump or branch
so.ACTION_DEPS: Track dependencies in SimActions
so.SIMPLIFY_MEMORY_WRITES: Run values stored to memory through z3's simplification
Set constraints:
(2) State Plugins
SimState is one of the core concepts of angr. It is designed as a plug-in architecture, so plugins can be selected according to the analysis task. Rex uses 'posix' and 'preconstrainer' by default. The plugin source code is located in the ./angr/state_plugins/ directory.
SimSystemPosix ():
Data storage and interaction mechanisms for states with an environment conforming to posix. Available as state.posix.
SimStatePreconstrainer ():
This state plugin manages the concept of preconstraining - adding constraints which you would like to remove later.
:param constrained_addrs: SimActions for memory operations whose addresses should be constrained during crash analysis
(3) path exploration strategy
The choice of path exploration strategy plays an important role in symbolic execution. Because Rex uses Concolic Execution, two exploration techniques are set: 'Tracer' and 'Oppologist'.
Angr's built-in path search method is stored in the. / angr/exploration_techniques/ directory. The calling code in Crash.py is as follows:
3、 Crash Triage
In _triage_crash(), the crash type is determined from the number of symbolic bits in eip and ebp and from the memory operation being performed when the crash occurs: a symbolic instruction pointer is checked first, then a symbolic frame pointer, and only if neither is symbolic are the memory actions of the last basic block inspected.
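To make the triage rule concrete, the following is an added example (not Rex's own code) that models the decision tree with a toy symbolic value: a register or operand carries a mask of attacker-controlled bits, and a popcount on that mask stands in for angr's solver and Rex's _symbolic_control(). SymVal, MemAction, CrashState and triage() are names introduced here; the CGC-specific arbitrary-transmit check is omitted.

```python
from dataclasses import dataclass, field
from typing import List, Optional

BITS = 32  # i386 CGC binaries, as in the Rex test session above

@dataclass
class SymVal:
    """A register or operand: concrete value plus a mask of attacker-controlled bits."""
    value: int
    sym_mask: int = 0  # bit i set => bit i is symbolic (solver-controlled)

    def symbolic(self) -> bool:
        return self.sym_mask != 0

    def symbolic_bits(self) -> int:
        # stand-in for Rex's _symbolic_control(): how many bits we control
        return bin(self.sym_mask & ((1 << BITS) - 1)).count("1")

@dataclass
class MemAction:
    action: str            # "read" or "write"
    addr: SymVal
    data: Optional[SymVal] = None   # only meaningful for writes

@dataclass
class CrashState:
    ip: SymVal
    bp: SymVal
    actions: List[MemAction] = field(default_factory=list)  # most recent first, as in Rex

def triage(state: CrashState) -> List[str]:
    """Classify a crash with Rex's decision tree (registers first, then memory actions)."""
    # a symbolic ip is assumed exploitable; full vs. partial control is a bit count
    for reg, name in ((state.ip, "ip"), (state.bp, "bp")):
        if reg.symbolic():
            full = reg.symbolic_bits() >= BITS
            return [f"{name}_overwrite" if full else f"partial_{name}_overwrite"]
    # nothing obvious in the registers: look for a memory access with a symbolic address
    for a in state.actions:
        if not a.addr.symbolic():
            continue
        if a.action == "write":
            # controlled data as well as address -> write-what-where, else write-x-where
            return ["write_what_where" if a.data and a.data.symbolic() else "write_x_where"]
        if a.action == "read":
            # arbitrary read: Rex treats this as explorable (re-trace with a sane pointer)
            return ["arbitrary_read"]
    return []  # no exploitable primitive recognised
```

A crash whose eip is fully symbolic is reported as ip_overwrite even if memory actions are also symbolic, which is why the register checks return early, as they do in Rex.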
def _triage_crash(self):
    ip = self.state.regs.ip
    bp = self.state.regs.bp

    # any arbitrary receives or transmits
    # TODO: receives
    zp = self.state.get_plugin('zen_plugin') if self.os == 'cgc' else None
    if zp is not None and len(zp.controlled_transmits):
        l.debug("detected arbitrary transmit vulnerability")
        self.crash_types.append(Vulnerability.ARBITRARY_TRANSMIT)

    # we assume a symbolic eip is always exploitable
    if self.state.solver.symbolic(ip):
        # how much control of ip do we have?
        if self._symbolic_control(ip) >= self.state.arch.bits:
            l.info("detected ip overwrite vulnerability")
            self.crash_types.append(Vulnerability.IP_OVERWRITE)
        else:
            l.info("detected partial ip overwrite vulnerability")
            self.crash_types.append(Vulnerability.PARTIAL_IP_OVERWRITE)
        return

    if self.state.solver.symbolic(bp):
        # how much control of bp do we have
        if self._symbolic_control(bp) >= self.state.arch.bits:
            l.info("detected bp overwrite vulnerability")
            self.crash_types.append(Vulnerability.BP_OVERWRITE)
        else:
            l.info("detected partial bp overwrite vulnerability")
            self.crash_types.append(Vulnerability.PARTIAL_BP_OVERWRITE)
        return

    # if nothing obvious is symbolic let's look at actions
    # grab all the actions in the last basic block
    symbolic_actions = []
    if self._t is not None and self._t.last_state is not None:
        recent_actions = reversed(self._t.last_state.history.recent_actions)
        state = self._t.last_state
        # TODO: this is a dead assignment! What was this supposed to be?
    else:
        recent_actions = reversed(self.state.history.actions)
        state = self.state
    for a in recent_actions:
        if a.type == 'mem':
            if self.state.solver.symbolic(a.addr):
                symbolic_actions.append(a)

    # TODO: pick the crashing action based off the crashing instruction address,
    # crash fixup attempts will break on this
    # import ipdb; ipdb.set_trace()
    for sym_action in symbolic_actions:
        if sym_action.action == "write":
            if self.state.solver.symbolic(sym_action.data):
                l.info("detected write-what-where vulnerability")
                self.crash_types.append(Vulnerability.WRITE_WHAT_WHERE)
            else:
                l.info("detected write-x-where vulnerability")
                self.crash_types.append(Vulnerability.WRITE_X_WHERE)
            self.violating_action = sym_action
            break

        if sym_action.action == "read":
            # special vulnerability type, if this is detected we can explore the crash further
            l.info("detected arbitrary-read vulnerability")
            self.crash_types.append(Vulnerability.ARBITRARY_READ)
            self.violating_action = sym_action
            break

    return

This concludes the example analysis of the exploit automatic generation engine Rex. I hope the above content is of some help; if you still have questions, you can follow the industry information channel to learn more.