beebug

by invictus1306


beebug - A tool for checking exploitability

Description

beebug is a tool that can be used to verify if a program crash could be exploitable.

This tool was presented the first time at r2con 2018 in Barcelona.

Some of the implemented functionality:

  • Stack overflow on libc
  • Crash on Program Counter
  • Crash on branch
  • Crash on write memory
  • Heap vulnerabilities
  • Read access violation (some exploitable cases)
  • Graph based on [functrace](https://github.com/invictus1306/functrace) (Dynamic Binary Instrumentation)

We can use beebug for:

  • Crash analysis (based on r2pipe)
  • Graph generation (based on functrace)
  • Crash analysis + graph generation

Dependencies

  • r2pipe
  • pydot
  • graphviz
  • pyqtgraph

Installation

$ wget https://github.com/radare/radare2/archive/3.5.0.tar.gz
$ tar xvzf 3.5.0.tar.gz
$ cd radare2-3.5.0/
$ ./configure --prefix=/usr
$ make -j8

$ sudo make install
$ sudo apt-get install graphviz

$ git clone https://github.com/invictus1306/beebug
$ cd beebug
$ sudo pip3 install -r requirements.txt

Simple DEMO

(demo animation: beebug)

Usage

help

$ python3 ./beebug.py -h
usage: beebug.py [-h] -t TARGET [-ta TARGETARGS] [-f FILE] [-g GRAPH] [-i]
                 [-a] [-r REPORT_FILE] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target program to analyze
  -ta TARGETARGS, --targetargs TARGETARGS
                        arguments for the target program
  -f FILE, --file FILE  input file
  -g GRAPH, --graph GRAPH
                        output graph name
  -i, --instrumentation
                        instrumentation option
  -a, --analyze         analyze crash
  -r REPORT_FILE, --report_file REPORT_FILE
                        DynamoRIO report file to parse
  -v, --version         show program's version number and exit

Crash analysis using r2 (no instrumentation)

$ python3 beebug.py -t ./tests/simple_crash -a
Process with PID 5047 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash  reopened in read-write mode
= attach 5047 5047
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 2
backtrace
0  0x400552           sp: 0x0                 0    [sym.vuln]   
1  0x400574           sp: 0x7fff635890c8      24   [main]  main+25 
2  0x7f34d4372830     sp: 0x7fff635890e8      32   [??]  sym.libc_start_main+240 
3  0x7f34d472c7cb     sp: 0x7fff63589178      144  [??]  sym.dl_rtld_di_serinfo+29051 
4  0x400459           sp: 0x7fff635891a8      48   [??]  entry0+41 

registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7f34d4716b20
rdx = 0x01d85010
r8 = 0x01d85000
r9 = 0x0000000d
r10 = 0x7f34d4716b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff635891c0
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x01d85020
rdi = 0x7f34d4716b20
rsp = 0x7fff635890b0
rbp = 0x7fff635890c0
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff
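The verdict printed above ("Invalid write crash - Generally it is exploitable ... Invalid write of size 2") comes from looking at the faulting instruction and the program counter. The following is an added illustration of that triage logic, not beebug's own code: it classifies a SIGSEGV into the categories listed in the description, using a constructed crash record (the instruction `mov word [rax], 1` at rip 0x400552 and the executable range 0x400000-0x401000 are assumed, chosen to match the output above).

```python
import re
from dataclasses import dataclass, field

SIGSEGV = 11
BRANCH_MNEMONICS = {"jmp", "call", "ret"}
READ_ONLY_FIRST_OPERAND = {"cmp", "test", "push"}  # first operand is read, never written
OPERAND_SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

@dataclass
class Crash:
    signal: int          # signal number reported by the debugger
    pc: int              # rip at the time of the crash
    disasm: str          # instruction at pc in radare2 syntax, e.g. "mov word [rax], 1"
    exec_ranges: list = field(default_factory=list)  # (start, end) of executable mappings

def _operand_size(operand):
    """Size in bytes from the size keyword radare2 prints before a memory operand."""
    m = re.match(r"(byte|word|dword|qword)\s*\[", operand)
    return OPERAND_SIZES[m.group(1)] if m else None

def classify(crash):
    """Return (category, verdict, detail) for a crash, mirroring beebug's categories."""
    if crash.signal != SIGSEGV:
        return ("Unhandled signal", "unknown", f"signal {crash.signal} is not a memory fault")
    # pc outside every executable mapping: control flow was redirected to an invalid address
    if not any(lo <= crash.pc < hi for lo, hi in crash.exec_ranges):
        return ("Crash on Program Counter", "exploitable",
                f"pc 0x{crash.pc:x} is not inside an executable mapping")
    mnemonic, _, operand_str = crash.disasm.partition(" ")
    operands = [o.strip() for o in operand_str.split(",")] if operand_str else []
    if mnemonic in BRANCH_MNEMONICS:
        return ("Crash on branch", "exploitable", f"faulting control transfer: {crash.disasm}")
    memory = [o for o in operands if "[" in o]
    if not memory:
        return ("Unknown", "unknown", f"no memory operand in: {crash.disasm}")
    size = _operand_size(memory[0])
    # a memory destination operand means the faulting access was a write
    if "[" in operands[0] and mnemonic not in READ_ONLY_FIRST_OPERAND:
        return ("Invalid write crash", "generally exploitable",
                f"the write value/address could be tainted - Invalid write of size {size}")
    return ("Read access violation", "probably not exploitable",
            f"faulting read of size {size}; only some cases are exploitable")

if __name__ == "__main__":
    # constructed record matching the simple_crash output shown above (rax = 0, rip = 0x400552)
    sample = Crash(SIGSEGV, 0x400552, "mov word [rax], 1", [(0x400000, 0x401000)])
    print(classify(sample))
```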

configuration file for instrumentation

It is needed only if you want to use instrumentation.

config file

[dynamorio]
drrun               = /your_path/DynamoRIO-Linux-7.0.0-RC1/bin64/drrun
client              = /your_path/functrace/build/libfunctrace.so
[instrumentation]
disassembly         = False
disas_func          = main
wrap_function       =
wrap_function_args  = 0
cbr                 = True
verbose             = False

Graph generation (no crash analysis)

$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1
$ xpdf graph1

(graph image: simplecrash)

Crash analysis + Graph generation

$ python3 beebug.py -t ./tests/simple_crash -i -r report1 -g graph1 -a
Process with PID 5081 started...
File dbg:///home/invictus1306/Documents/warcon_demo/beebug/tests/simple_crash  reopened in read-write mode
= attach 5081 5081
ptrace (PT_ATTACH): Operation not permitted
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x00000000 code=1 ret=0
ptrace (PT_ATTACH): Operation not permitted
ptrace (PT_ATTACH): Operation not permitted
Invalid write crash - Generally it is exploitable, the write value/address could be tainted - Invalid write of size 4
backtrace
0  0x400552           sp: 0x0                 0    [sym.vuln]   
1  0x400574           sp: 0x7fff5ec31f88      24   [main]  main+25 
2  0x7fb834795830     sp: 0x7fff5ec31fa8      32   [??]  sym.libc_start_main+240 
3  0x7fb834b4f7cb     sp: 0x7fff5ec32038      144  [??]  sym.dl_rtld_di_serinfo+29051 
4  0x400459           sp: 0x7fff5ec32068      48   [??]  entry0+41 

registers
rax = 0x00000000
rbx = 0x00000000
rcx = 0x7fb834b39b20
rdx = 0x00d15010
r8 = 0x00d15000
r9 = 0x0000000d
r10 = 0x7fb834b39b78
r11 = 0x00000000
r12 = 0x00400430
r13 = 0x7fff5ec32080
r14 = 0x00000000
r15 = 0x00000000
rsi = 0x00d15020
rdi = 0x7fb834b39b20
rsp = 0x7fff5ec31f70
rbp = 0x7fff5ec31f80
rip = 0x00400552
rflags = 0x00010202
orax = 0xffffffffffffffff

Limitation

  • If the program requires user input at runtime, it is not possible to supply it (a limitation of r2pipe)
  • The graph view (based on pydot/graphviz) is limited to small target programs

Future direction

  • Support different architectures
  • Graph improvement (based on graphviz)
  • Analyze core dumps (based on radare2)
