beebug - 一个用于验证程序崩溃是否可被利用的工具

beebug - 一个用于验证程序崩溃是否可被利用的工具

beebug - A tool for checking exploitability

Description

beebug is a tool that can be used to verify if a program crash could be exploitable.

This tool was presented the first time at r2con 2018 in Barcelona.

Some implemented functionality are:

Stack overflow on libcCrash on Program CounterCrash on branchCrash on write memoryHeap vulnerabilitiesRead access violation (some exploitable cases)Graph based on [functrace](https://github.com/invictus1306/functrace) (Dynamic Binary Instrumentation)

We can use beebug for:

Crash analysis (based on r2pipe)Graph Generation (based on functrace)Crash analysis + Graph Generation

Dependencies

r2pipepydotgraphvizpyqtgraph

Installation

$ wget https://github.com/radare/radare2/archive/3.5.0.tar.gz$ tar xvzf 3.5.0.tar.gz$ cd radare2-3.5.0/$ ./configure --prefix=/usr$ make -j8$ sudo make install$ sudo apt-get install graphviz$ git clone https://github.com/invictus1306/beebug$ cd beebug$ sudo pip3 install -r requirements.txt

Simple DEMO

Usage

help

$ python3 ./beebug.py -husage: beebug.py [-h] -t TARGET [-ta TARGETARGS] [-f FILE] [-g GRAPH] [-i] [-a] [-r REPORT_FILE] [-v]optional arguments: -h, --help show this help message and exit -t TARGET, --target TARGET target program to analyze -ta TARGETARGS, --targetargs TARGETARGS arguments for the target program -f FILE, --file FILE input file -g GRAPH, --graph GRAPH output graph name -i, --instrumentation instrumentation option -a, --analyze analyze crash -r REPORT_FILE, --report_file REPORT_FILE DynamoRIO report file to parse -v, --version show program's version number and exit

Crash analysis using r2 (no instrumentation)

$ python3 beebug.py -t ./tests/simple_crash -aProcess with PID 5047 started...File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash reopened in read-write mode= attach 5047 5047ptrace (PT_ATTACH): Operation not permittedchild stopped with signal 11[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0ptrace (PT_ATTACH): Operation not permittedptrace (PT_ATTACH): Operation not permittedInvalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 2backtrace0 0x400552 sp: 0x0 0 [sym.vuln] 1 0x400574 sp: 0x7fff635890c8 24 [main] main+25 2 0x7f34d4372830 sp: 0x7fff635890e8 32 [??] sym.libc_start_main+240 3 0x7f34d472c7cb sp: 0x7fff63589178 144 [??] sym.dl_rtld_di_serinfo+29051 4 0x400459 sp: 0x7fff635891a8 48 [??] entry0+41 registersrax = 0x00000000rbx = 0x00000000rcx = 0x7f34d4716b20rdx = 0x01d85010r8 = 0x01d85000r9 = 0x0000000dr10 = 0x7f34d4716b78r11 = 0x00000000r12 = 0x00400430r13 = 0x7fff635891c0r14 = 0x00000000r15 = 0x00000000rsi = 0x01d85020rdi = 0x7f34d4716b20rsp = 0x7fff635890b0rbp = 0x7fff635890c0rip = 0x00400552rflags = 0x00010202orax = 0xffffffffffffffff

configuration file for instrumentation

It is needed only of you want to use instrumentation

config file

[dynamorio]drrun = /your_path/DynamoRIO-Linux-7.0.0-RC1/bin64/drrunclient = /your_path/functrace/build/libfunctrace.so[instrumentation]disassembly = Falsedisas_func = mainwrap_function =wrap_function_args = 0cbr = Trueverbose = False

Graph generation (no crash analysis)

$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 $ xpdf grap1

Crash analysis + Graph generation

python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 -aProcess with PID 5081 started...File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash reopened in read-write mode= attach 5081 5081ptrace (PT_ATTACH): Operation not permittedchild stopped with signal 11[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0ptrace (PT_ATTACH): Operation not permittedptrace (PT_ATTACH): Operation not permittedInvalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 4backtrace0 0x400552 sp: 0x0 0 [sym.vuln] 1 0x400574 sp: 0x7fff5ec31f88 24 [main] main+25 2 0x7fb834795830 sp: 0x7fff5ec31fa8 32 [??] sym.libc_start_main+240 3 0x7fb834b4f7cb sp: 0x7fff5ec32038 144 [??] sym.dl_rtld_di_serinfo+29051 4 0x400459 sp: 0x7fff5ec32068 48 [??] entry0+41 registersrax = 0x00000000rbx = 0x00000000rcx = 0x7fb834b39b20rdx = 0x00d15010r8 = 0x00d15000r9 = 0x0000000dr10 = 0x7fb834b39b78r11 = 0x00000000r12 = 0x00400430r13 = 0x7fff5ec32080r14 = 0x00000000r15 = 0x00000000rsi = 0x00d15020rdi = 0x7fb834b39b20rsp = 0x7fff5ec31f70rbp = 0x7fff5ec31f80rip = 0x00400552rflags = 0x00010202orax = 0xffffffffffffffff

Limitation

If the program require user input at runtime, it is not possibile to add it (based on r2pipe)graph view (based on pydot/graphiz) is limited to small target program

Future direction

Support different architecturesGraph improvement (based on graphviz)Analyze core dumps (based on radare2)

Lead Developer

Andrea Sindoni - Twitter

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。