2022-10-27
beebug - A tool for checking whether a program crash is exploitable
Description
beebug is a tool that can be used to check whether a program crash could be exploitable.
This tool was first presented at r2con 2018 in Barcelona.
Some of the implemented functionality:
- Stack overflow on libc
- Crash on Program Counter
- Crash on branch
- Crash on write memory
- Heap vulnerabilities
- Read access violation (some exploitable cases)
- Graph based on [functrace](https://github.com/invictus1306/functrace) (Dynamic Binary Instrumentation)
We can use beebug for:
- Crash analysis (based on r2pipe)
- Graph generation (based on functrace)
- Crash analysis + graph generation
Dependencies
- r2pipe
- pydot
- graphviz
- pyqtgraph
Installation
```
$ wget https://github.com/radare/radare2/archive/3.5.0.tar.gz
$ tar xvzf 3.5.0.tar.gz
$ cd radare2-3.5.0/
$ ./configure --prefix=/usr
$ make -j8
$ sudo make install
$ sudo apt-get install graphviz
$ git clone https://github.com/invictus1306/beebug
$ cd beebug
$ sudo pip3 install -r requirements.txt
```
Simple DEMO
Usage
help
```
$ python3 ./beebug.py -h
usage: beebug.py [-h] -t TARGET [-ta TARGETARGS] [-f FILE] [-g GRAPH] [-i] [-a] [-r REPORT_FILE] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target program to analyze
  -ta TARGETARGS, --targetargs TARGETARGS
                        arguments for the target program
  -f FILE, --file FILE  input file
  -g GRAPH, --graph GRAPH
                        output graph name
  -i, --instrumentation
                        instrumentation option
  -a, --analyze         analyze crash
  -r REPORT_FILE, --report_file REPORT_FILE
                        DynamoRIO report file to parse
  -v, --version         show program's version number and exit
```
Crash analysis using r2 (no instrumentation)
```
$ python3 beebug.py -t ./tests/simple_crash -a
Process with PID 5047 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash reopened in read-write mode
= attach 5047 5047
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 2

backtrace
0  0x400552         sp: 0x0               0    [sym.vuln]
1  0x400574         sp: 0x7fff635890c8    24   [main]  main+25
2  0x7f34d4372830   sp: 0x7fff635890e8    32   [??]    sym.libc_start_main+240
3  0x7f34d472c7cb   sp: 0x7fff63589178    144  [??]    sym.dl_rtld_di_serinfo+29051
4  0x400459         sp: 0x7fff635891a8    48   [??]    entry0+41

registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7f34d4716b20
rdx = 0x01d85010
r8 = 0x01d85000
r9 = 0x0000000d
r10 = 0x7f34d4716b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff635891c0
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x01d85020
rdi = 0x7f34d4716b20
rsp = 0x7fff635890b0
rbp = 0x7fff635890c0
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff
```
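The "Invalid write crash - Generally it is exploitable" verdict in this run, like the categories in the functionality list (crash on program counter, crash on branch, crash on write memory, read access violation, stack overflow on libc), is a heuristic over the faulting instruction, the register file and the backtrace. The block below is an added example, not beebug's own code: a small x86-64 classifier of that kind in Python, run on a constructed crash state shaped like the run above (rip 0x400552 in sym.vuln, rax = 0). The CrashState and Verdict types, the mnemonic tables, and the r2pipe commands in collect_with_r2 (drj, pdj, dbtj and the JSON keys read from them) are my assumptions about how to gather the same data with r2pipe, not beebug's API.

```python
"""Crash-triage heuristic in the spirit of beebug's categories (added example, not
beebug's code).  A SIGSEGV is classified from the instruction at rip (r2 Intel
syntax), the registers and the backtrace.  SAMPLE is constructed; collect_with_r2()
holds the assumed r2pipe calls and is not executed at import time."""
import re
from dataclasses import dataclass, field

@dataclass
class CrashState:
    rip: int
    fault_addr: int          # si_addr from the signal, 0 when unknown
    disasm: str              # instruction at rip, e.g. "mov dword [rax], edi"
    regs: dict               # register name -> value
    backtrace: list = field(default_factory=list)  # innermost frame first

@dataclass
class Verdict:
    category: str
    exploitable: str         # "yes", "maybe" or "unlikely"
    size: int = 0            # access width in bytes when known
    note: str = ""

SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
READ_ONLY_DEST = {"cmp", "test", "push", "lea"}   # first memory operand is only read
# libc copy routines: a write fault inside them usually means the caller's buffer overflowed
LIBC_WRITERS = ("strcpy", "strcat", "strncpy", "memcpy", "memmove", "sprintf", "gets")

def split_insn(disasm):
    """'mov dword [rax], edi' -> ('mov', ['dword [rax]', 'edi'])."""
    parts = disasm.strip().split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].lower(), ops

def mem_operand(op):
    """(width, address expression) for a memory operand, else None."""
    m = re.search(r"(?:(byte|word|dword|qword)\s+)?\[([^\]]+)\]", op)
    return (SIZES.get(m.group(1), 0), m.group(2)) if m else None

def reg_width(name):
    """Byte width of an x86-64 general-purpose register name; 0 for immediates."""
    name = name.lower()
    if not name.isalnum() or name.startswith("0x") or name.isdigit():
        return 0
    if name.startswith("r"):   # rax..r15, r8d/r8w/r8b
        return {"d": 4, "w": 2, "b": 1}.get(name[-1], 8) if name[1].isdigit() else 8
    if name.startswith("e"):   # eax..edi
        return 4
    return 1 if name.endswith(("l", "h")) else 2   # al/ah vs ax

def classify(state):
    mnem, ops = split_insn(state.disasm) if state.disasm.strip() else ("", [])
    # 1. rip itself is the faulting address: control flow is already hijacked.
    if not mnem or state.fault_addr == state.rip:
        return Verdict("crash on program counter", "yes", note="rip is unmapped or not executable")
    # 2. Indirect branch faulting while loading its target, or ret on a bad rsp.
    if mnem in ("jmp", "call") and ops and mem_operand(ops[0]):
        return Verdict("crash on branch", "yes", note="branch target read from invalid memory")
    if mnem == "ret":
        return Verdict("crash on branch", "yes", note="ret with invalid rsp")
    # 3. Memory destination: invalid write.  Width from the size keyword or the source register.
    if ops and mnem not in READ_ONLY_DEST and mem_operand(ops[0]):
        width, expr = mem_operand(ops[0])
        if not width and len(ops) > 1:
            width = reg_width(ops[1])
        base = re.match(r"[a-z0-9]+", expr)
        val = state.regs.get(base.group(0)) if base else None
        where = f"[{expr}]" + (f" = {val:#x}" if isinstance(val, int) else "")
        top = state.backtrace[0] if state.backtrace else ""
        if any(fn in top for fn in LIBC_WRITERS):
            return Verdict("stack overflow on libc", "yes", width, f"write in {top} to {where}")
        return Verdict("invalid write", "yes", width,
                       f"invalid write of size {width} to {where}; value/address may be tainted")
    # 4. Memory source: invalid read.  Exploitable only if the loaded value later
    #    reaches a branch or a pointer, which this static check cannot see.
    for op in ops:
        mem = mem_operand(op)
        if mem:
            width = mem[0] or (reg_width(ops[0]) if len(ops) > 1 else 0)
            return Verdict("read access violation", "maybe", width, f"read of size {width} from [{mem[1]}]")
    return Verdict("unknown", "unlikely", note="no memory operand at rip")

def collect_with_r2(target):
    """Assumed r2pipe workflow (needs radare2 + r2pipe; not run here).  The JSON
    keys 'disasm' (pdj) and 'fname' (dbtj) are my reading of r2's output."""
    import r2pipe
    r2 = r2pipe.open(target, flags=["-d"])
    r2.cmd("dc")                                   # run until the child stops on a signal
    regs = r2.cmdj("drj") or {}
    insn = (r2.cmdj("pdj 1 @ rip") or [{}])[0].get("disasm", "")
    frames = [f.get("fname", "") for f in (r2.cmdj("dbtj") or [])]
    r2.quit()
    return CrashState(regs.get("rip", 0), 0, insn, regs, frames)

# Constructed sample mirroring the README run: rip 0x400552 in sym.vuln storing
# through rax = 0 (the instruction and the other register values are illustrative).
SAMPLE = CrashState(rip=0x400552, fault_addr=0, disasm="mov dword [rax], edi",
                    regs={"rax": 0x0, "rdi": 0x41414141, "rip": 0x400552},
                    backtrace=["sym.vuln", "main", "sym.libc_start_main"])

if __name__ == "__main__":
    v = classify(SAMPLE)
    print(f"{v.category}: exploitable={v.exploitable} size={v.size} ({v.note})")
```

Run as a script it prints the verdict for the constructed sample; point collect_with_r2 at a crashing binary to feed real data through the same classify call. The "maybe" for reads is deliberate: whether an invalid read is exploitable depends on where the loaded value flows afterwards, which is why the README lists read access violations as only "some exploitable cases".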
configuration file for instrumentation
It is needed only if you want to use instrumentation.
config file
```
[dynamorio]
drrun = /your_path/DynamoRIO-Linux-7.0.0-RC1/bin64/drrun
client = /your_path/functrace/build/libfunctrace.so

[instrumentation]
disassembly = False
disas_func = main
wrap_function =
wrap_function_args = 0
cbr = True
verbose = False
```
Graph generation (no crash analysis)
```
$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1
$ xpdf graph1
```
Crash analysis + Graph generation
```
$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 -a
Process with PID 5081 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash reopened in read-write mode
= attach 5081 5081
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 4

backtrace
0  0x400552         sp: 0x0               0    [sym.vuln]
1  0x400574         sp: 0x7fff5ec31f88    24   [main]  main+25
2  0x7fb834795830   sp: 0x7fff5ec31fa8    32   [??]    sym.libc_start_main+240
3  0x7fb834b4f7cb   sp: 0x7fff5ec32038    144  [??]    sym.dl_rtld_di_serinfo+29051
4  0x400459         sp: 0x7fff5ec32068    48   [??]    entry0+41

registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7fb834b39b20
rdx = 0x00d15010
r8 = 0x00d15000
r9 = 0x0000000d
r10 = 0x7fb834b39b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff5ec32080
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x00d15020
rdi = 0x7fb834b39b20
rsp = 0x7fff5ec31f70
rbp = 0x7fff5ec31f80
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff
```
Limitations
- If the program requires user input at runtime, it is not possible to supply it (crash analysis is based on r2pipe).
- The graph view (based on pydot/graphviz) is limited to small target programs.
Future direction
- Support different architectures
- Graph improvements (based on graphviz)
- Analyze core dumps (based on radare2)
Lead Developer
Andrea Sindoni - Twitter