I'm a developer

beebug

by invictus1306

invictus1306 / beebug

A tool for checking exploitability

210 Stars 33 Forks Last release: Not found GNU General Public License v3.0 25 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

beebug - A tool for checking exploitability

Description

beebug is a tool that can be used to verify if a program crash could be exploitable.

This tool was presented the first time at r2con 2018 in Barcelona.

Some implemented functionality are: * Stack overflow on libc * Crash on Program Counter * Crash on branch * Crash on write memory * Heap vulnerabilities * Read access violation (some exploitable cases) * Graph based on [functrace](https://github.com/invictus1306/functrace) (Dynamic Binary Instrumentation)

We can use beebug for: * Crash analysis (based on r2pipe) * Graph Generation (based on functrace) * Crash analysis + Graph Generation

Dependencies

  • r2pipe
  • pydot
  • graphviz
  • pyqtgraph

Installation

$ wget https://github.com/radare/radare2/archive/3.5.0.tar.gz
$ tar xvzf 3.5.0.tar.gz
$ cd radare2-3.5.0/
$ ./configure --prefix=/usr
$ make -j8


$ sudo make install
$ sudo apt-get install graphviz


$ git clone https://github.com/invictus1306/beebug
$ cd beebug
$ sudo pip3 install -r requirements.txt

Simple DEMO

beebug

Usage

help

$ python3 ./beebug.py -h
usage: beebug.py [-h] -t TARGET [-ta TARGETARGS] [-f FILE] [-g GRAPH] [-i]
                 [-a] [-r REPORT_FILE] [-v]


optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target program to analyze
  -ta TARGETARGS, --targetargs TARGETARGS
                        arguments for the target program
  -f FILE, --file FILE  input file
  -g GRAPH, --graph GRAPH
                        output graph name
  -i, --instrumentation
                        instrumentation option
  -a, --analyze         analyze crash
  -r REPORT_FILE, --report_file REPORT_FILE
                        DynamoRIO report file to parse
  -v, --version         show program's version number and exit

Crash analysis using r2 (no instrumentation)

$ python3 beebug.py -t ./tests/simple_crash -a
Process with PID 5047 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash  reopened in read-write mode
= attach 5047 5047
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 2
backtrace
0  0x400552           sp: 0x0                 0    [sym.vuln]   
1  0x400574           sp: 0x7fff635890c8      24   [main]  main+25 
2  0x7f34d4372830     sp: 0x7fff635890e8      32   [??]  sym.libc_start_main+240 
3  0x7f34d472c7cb     sp: 0x7fff63589178      144  [??]  sym.dl_rtld_di_serinfo+29051 
4  0x400459           sp: 0x7fff635891a8      48   [??]  entry0+41 


registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7f34d4716b20
rdx = 0x01d85010
r8 = 0x01d85000
r9 = 0x0000000d
r10 = 0x7f34d4716b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff635891c0
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x01d85020
rdi = 0x7f34d4716b20
rsp = 0x7fff635890b0
rbp = 0x7fff635890c0
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff

configuration file for instrumentation

It is needed only of you want to use instrumentation

config file 

shell
[dynamorio]
drrun               = /your_path/DynamoRIO-Linux-7.0.0-RC1/bin64/drrun
client              = /your_path/functrace/build/libfunctrace.so
[instrumentation]
disassembly         = False
disas_func          = main
wrap_function       =
wrap_function_args  = 0
cbr                 = True
verbose             = False

Graph generation (no crash analysis)

$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 
$ xpdf grap1

simplecrash

Crash analysis + Graph generation

python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 -a
Process with PID 5081 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash  reopened in read-write mode
= attach 5081 5081
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 4
backtrace
0  0x400552           sp: 0x0                 0    [sym.vuln]   
1  0x400574           sp: 0x7fff5ec31f88      24   [main]  main+25 
2  0x7fb834795830     sp: 0x7fff5ec31fa8      32   [??]  sym.libc_start_main+240 
3  0x7fb834b4f7cb     sp: 0x7fff5ec32038      144  [??]  sym.dl_rtld_di_serinfo+29051 
4  0x400459           sp: 0x7fff5ec32068      48   [??]  entry0+41 


registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7fb834b39b20
rdx = 0x00d15010
r8 = 0x00d15000
r9 = 0x0000000d
r10 = 0x7fb834b39b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff5ec32080
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x00d15020
rdi = 0x7fb834b39b20
rsp = 0x7fff5ec31f70
rbp = 0x7fff5ec31f80
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff

Limitation

  • If the program require user input at runtime, it is not possibile to add it (based on r2pipe)
  • graph view (based on pydot/graphiz) is limited to small target program

Future direction

  • Support different architectures
  • Graph improvement (based on graphviz)
  • Analyze core dumps (based on radare2)

Lead Developer

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.