Exploit自動生成引擎Rex的示例分析
Exploit自動生成引擎Rex的示例分析����,針對這個問題����,這篇文章詳細(xì)介紹了相對應(yīng)的分析和解答,希望可以幫助更多想解決這個問題的小伙伴找到更簡單易行的方法。
一���、概述
Exploit 自動生成引擎 Rex 在硬件模擬器 QEMU 與二進(jìn)制分析平臺 angr 的基礎(chǔ)上����,通過 Concolic Execution 實(shí)現(xiàn) Exploit 的自動生成���。將待分析的應(yīng)用程序及導(dǎo)致應(yīng)用程序崩潰的 Crash 作為系統(tǒng)輸入���,Rex 將復(fù)現(xiàn)崩潰路徑,并對崩潰時的寄存器狀態(tài)及內(nèi)存布局進(jìn)行分析����,判斷 Crash 的可利用性,并自動生成 Exploit���。
源碼中對漏洞類型的定義:
二���、安裝
安裝 Rex 存在兩種方式:1)安裝 Mechaphish,安裝文檔����;2)僅安裝 Rex���,安裝文檔����。二者的差別在于 Mechaphish 包含漏洞挖掘模塊 Driller、自動利用模塊 Rex����、自動補(bǔ)丁模塊 Patcherex 以及 ropchain 生成模塊 angrop。由于各模塊之間相互獨(dú)立����,因此本文選擇僅安裝自動利用模塊 Rex。本地環(huán)境采用 Ubuntu 16.04.5 Desktop(64 bit)����。部署過程中,Rex 所需依賴如下:
依賴過程中部分路徑需要調(diào)整���,根據(jù)提示信息修改即可����。各個依賴所承擔(dān)的功能如下:
| 組件名稱 | 功能 |
|---|
| angr | A powerful and user-friendly binary analysis platform! |
| tracer | Utilities for generating dynamic traces. |
| angrop | angrop is a rop gadget finder and chain builder. |
| compilerex | POV templates and compilation support for CGC binaries. compilerex is a hacky cgc binary compiler |
| shellphish-qemu | Shellphish's pip-installable package of QEMU |
| povsim | POV simulation for CGC. |
安裝完成后����,使用以下代碼對 Rex 的功能進(jìn)行測試����。
# triage a crash
>>> crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bto\x00t\x8b\xc7\xdd\x83\xc2t~n\xac\xe2\xff\xffk\x00t\x8b\xc7\xdd\x83\xc2t~n\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")
>>> crash.crash_types
['write_what_where']
>>> crash.explorable()
True
explore the crash by setting segfaulting pointers to sane values and re-tracing
>>> crash.explore()
now we can see that we control instruction pointer
>>> crash.crash_types
'ip_overwrite'
generate exploits based off of this crash
it may take several minutes
>>> arsenal = crash.exploit()
we generated a type 1 POV for every register
>>> len(arsenal.register_setters) # we generate one circumstantial register setter, one shellcode register setter
2
and one Type 2 which can leak arbitrary memory
>>> len(arsenal.leakers)
1
exploits are graded based on reliability, and what kind of defenses they can
bypass, the two best exploits are put into the 'best_type1' and 'best_type2' attributes
>>> arsenal.best_type1.register
'ebp'
exploits can be dumped in C, Python, or as a compiled POV
>>> arsenal.best_type2.dump_c('legit3_x.c')
>>> arsenal.best_type2.dump_python('legit3_x.py')
>>> arsenal.best_type2.dump_binary('legit3_x.pov')
also POVs can be tested against a simulation of the CGC architecture
>>> arsenal.best_type1.test_binary()
True測試結(jié)果如下:
三���、源碼分析
查看 Rex 源碼的目錄結(jié)構(gòu):
分析各類之間的依賴關(guān)系���,從邏輯上大致可分為四部分: 1)Exploit_factory:調(diào)用各模塊,負(fù)責(zé)自動生成 Exploit����; 2)Crash:復(fù)現(xiàn)崩潰路徑,判定 Crash 的可利用性���; 3)Technique:對于可利用的 Crash����,采用針對性的技術(shù)����,生成 Exploit; 4)Shellcode_factory:shellcode 倉庫����,根據(jù)需要選用合適的 Shellcode���。
下文重點(diǎn)對 Crash 可利用性判定部分進(jìn)行分析。
四����、Crash 可利用性判定
Rex 以 Concolic Execution 的方式復(fù)現(xiàn) crash 路徑����,分析崩潰時寄存器狀態(tài)及內(nèi)存布局,并對 crash 的可利用性進(jìn)行判定����,相關(guān)功能代碼集中在 Crash.py 中。對原理感興趣的同學(xué)可以參考論文《SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis》���,以下是對論文原文的引用:
Vulnerable States. Unlike AEG/Mayhem, but similar to AXGEN, we generate exploits by performing concolic execution on crashing program inputs using angr. We drive concolic execution forward, forcing it to follow the same path as a dynamic trace gathered by concretely executing the crashing input applied to the program. Concolic execution is stopped at the point where the program crashed, and we inspect the symbolic state to determine the cause of the crash and measure exploitability. By counting the number of symbolic bits in certain registers, we can triage a crash into a number of categories such as frame pointer overwrite, instruction pointer overwrite, or arbitrary write, among others.
1���、Concrete Execution
Concolic Execution 原理請感興趣的同學(xué)自行查閱。angr 在實(shí)現(xiàn) concolic execution 時����,需要提供 crash_addr����。
因此����,通過 QEMU 加載二進(jìn)制程序及 PoC,以獲取 crash_addr����。相關(guān)功能在 Tracer 模塊中實(shí)現(xiàn)。
Crash.py 中調(diào)用 Tracer 模塊的代碼如下:
tracer_args={
'ld_linux': os.path.join(bin_location, 'tests/i386/ld-linux.so.2'),'library_path': os.path.join(bin_location, 'tests/i386')}
r = tracer.QEMURunner(binary=binary, input=input_data, argv=argv, trace_timeout=trace_timeout, **tracer_args)2���、Concolic Execution
在獲取 crash_addr 之后����,對 angr 進(jìn)行配置���,并執(zhí)行 Concolic Execution����。 其中���,較為關(guān)鍵的配置包括:初始狀態(tài)設(shè)定���、State Plugin 選擇����、路徑探索策略����。
(1)初始狀態(tài)設(shè)定
配置 simulation_manager 中的 save_unconstrained 參數(shù)。 其中 r 為 tracer.QEMURunner() 返回值���,當(dāng) PoC 成功觸發(fā)崩潰時 r.crash_mode 為 True,失敗時為 False���。
通過 full_init_state()方法����,設(shè)置程序的初始狀態(tài):
設(shè)置 tracing 模式:mode = ‘tracing’
add_options:
| Option name | Description |
|---|
| so.MEMORY_SYMBOLIC_BYTES_MAP | Maintain a mapping of symbolic variable to which memory address it "really" corresponds to, at the paged memory level? |
| so.TRACK_ACTION_HISTORY | track the history of actions through a path (multiple states). This action affects things on the angr level |
| so.CONCRETIZE_SYMBOLIC_WRITE_SIZES | Concretize the sizes of symbolic writes to memory |
| so.CONCRETIZE_SYMBOLIC_FILE_READ_SIZES | Concreteize the sizes of file reads |
| so.TRACK_MEMORY_ACTIONS | Keep a SimAction for each memory read and write |
remove_options:
由于 ‘tracing’ 模式下預(yù)制了一些選項(xiàng)����,因此在優(yōu)化策略時,不僅需要add_options����,而且需要 remove_options���。定義在./angr/sim_options.py中:
| Option name | Description |
|---|
| so.TRACK_CONSTRAINT_ACTIONS | Keep a SimAction for each constraint added |
| so.LAZY_SOLVES | Don't check satisfiability until absolutely necessary |
| so.ALL_FILES_EXIST | Attempting to open an unkown file will result in creating it with a symbolic length |
| so.TRACK_REGISTER_ACTIONS | Keep a SimAction for each register read and write |
| so.TRACK_TMP_ACTIONS | Keep a SimAction for each temporary variable read and write |
| so.TRACK_JMP_ACTIONS | Keep a SimAction for each jump or branch |
| so.ACTION_DEPS | Track dependencies in SimActions |
| so.SIMPLIFY_MEMORY_WRITES | Run values stored to memory through z3's simplification |
設(shè)置約束條件:
(2) State Plugins
SimState 屬于 angr 核心概念之一,并被設(shè)計(jì)為插件式的架構(gòu)����,可以根據(jù)分析任務(wù)的不同,選用針對性的插件���。Rex 默認(rèn)選用了 'posix' 與 'preconstrainer'����。插件源碼位于./angr/state_plugins/目錄下���。
SimSystemPosix( ):
Data storage and interaction mechanisms for states with an environment conforming to posix.Available as state.posix.
SimStatePreconstrainer( ):
This state plugin manages the concept of preconstraining - adding constraints which you would like to remove later.:param constrained_addrs : SimActions for memory operations whose addresses should be constrained during crash analysis
(3) 路徑探索策略
路徑搜索策略的選擇����,對符號執(zhí)行來說舉足輕重���。由于 Rex 在采用 Concolic Execution����,因此設(shè)置了 'Tracer'、'Oppologist' 兩種路徑搜索策略����。
angr 內(nèi)置的路徑搜索方法存儲于 ./angr/exploration_techniques/ 目錄下。Crash.py 中調(diào)用代碼如下:
3����、Crash Triage
_triage_crash() 中根據(jù) eip、ebp 中符號變量的個數(shù)����,及發(fā)生崩潰時的操作,對 Crash 類型進(jìn)行判定���。
def _triage_crash(self):
ip = self.state.regs.ip
bp = self.state.regs.bp
# any arbitrary receives or transmits
# TODO: receives
zp = self.state.get_plugin('zen_plugin') if self.os == 'cgc' else None
if zp is not None and len(zp.controlled_transmits):
l.debug("detected arbitrary transmit vulnerability")
self.crash_types.append(Vulnerability.ARBITRARY_TRANSMIT)
# we assume a symbolic eip is always exploitable
if self.state.solver.symbolic(ip):
# how much control of ip do we have?
if self._symbolic_control(ip) >= self.state.arch.bits:
l.info("detected ip overwrite vulnerability")
self.crash_types.append(Vulnerability.IP_OVERWRITE)
else:
l.info("detected partial ip overwrite vulnerability")
self.crash_types.append(Vulnerability.PARTIAL_IP_OVERWRITE)
return
if self.state.solver.symbolic(bp):
# how much control of bp do we have
if self._symbolic_control(bp) >= self.state.arch.bits:
l.info("detected bp overwrite vulnerability")
self.crash_types.append(Vulnerability.BP_OVERWRITE)
else:
l.info("detected partial bp overwrite vulnerability")
self.crash_types.append(Vulnerability.PARTIAL_BP_OVERWRITE)
return
# if nothing obvious is symbolic let's look at actions
# grab the all actions in the last basic block
symbolic_actions = [ ]
if self._t is not None and self._t.last_state is not None:
recent_actions = reversed(self._t.last_state.history.recent_actions)
state = self._t.last_state
# TODO: this is a dead assignment! what was this supposed to be?
else:
recent_actions = reversed(self.state.history.actions)
state = self.state
for a in recent_actions:
if a.type == 'mem':
if self.state.solver.symbolic(a.addr):
symbolic_actions.append(a)
# TODO: pick the crashing action based off the crashing instruction address,
# crash fixup attempts will break on this
#import ipdb; ipdb.set_trace()
for sym_action in symbolic_actions:
if sym_action.action == "write":
if self.state.solver.symbolic(sym_action.data):
l.info("detected write-what-where vulnerability")
self.crash_types.append(Vulnerability.WRITE_WHAT_WHERE)
else:
l.info("detected write-x-where vulnerability")
self.crash_types.append(Vulnerability.WRITE_X_WHERE)
self.violating_action = sym_action
break
if sym_action.action == "read":
# special vulnerability type, if this is detected we can explore the crash further
l.info("detected arbitrary-read vulnerability")
self.crash_types.append(Vulnerability.ARBITRARY_READ)
self.violating_action = sym_action
break
return關(guān)于Exploit自動生成引擎Rex的示例分析問題的解答就分享到這里了����,希望以上內(nèi)容可以對大家有一定的幫助���,如果你還有很多疑惑沒有解開,可以關(guān)注億速云行業(yè)資訊頻道了解更多相關(guān)知識���。
