vulnerability_analytics is the CRS module that explores a identified crash in order to gether more data in order to be used further by the CRS.
- ELF format
- Limited vulnerability support - See Here
This module executes the following steps for each given binary:
- Creates a new Docker image containing that binary, this image will have a tag of form
{binaryName}:crash - Sets up the EntryPoint of that new image to be the executable with user provided arguments (from the CLI).
- Uses rex and archr in order to trace execution of the binary inside the Docker container.
- Returns a JSON containing information at the moment of the crash like stackPointer, coreRegisters, crashType, etc.
We highly encourage you to use docker as this module has lots of dependencies and it helps to keep your machine as clean as possible.
- Ensure that you have
dockerinstalled. - Build the Docker image from the project root:
sudo docker build . -t vulnerability_analytics:1.0.0-alpha -f ./docker/Dockerfile - Start a new container and give it access to the docker engine running on your machine:
sudo docker run -it -v /var/run/docker.sock:/var/run/docker.sock vulnerability_analytics:1.0.0-alpha bash - Run the module using poetry:
/root/.local/bin/poetry vulnerability_analytics get --help
Note: You can change the $PATH variable in order to acces poetry faster by running export PATH="/root/.local/bin:$PATH"
➜ /root/.local/bin/poetry run python vulnerability_analytics get --binary-path=./test_binary/source.bin --binary-arguments="--string,santa"
INFO | 2022-12-20 02:52:50,013 | rex.Crash | Filtering memory writes.
INFO | 2022-12-20 02:52:50,019 | rex.Crash | Triaging the crash.
INFO | 2022-12-20 02:52:50,023 | rex.Crash | Identifying bad_bytes
INFO | 2022-12-20 02:52:50,032 | crs.vulnerability_analytics | []
Press Enter to continue...
{"crashTypes": [], "functionAddress": "0x401136", "basicBlockAddress": "0x401136", "returnAddress": "0x500060", "stackPointer": "0x4000800ed8", "jumpKind": "Ijk_Call", "coreRegisters": {"r15": 274886537280, "r14": 0, "r13": 4198710, "r12": 274886299080, "rbp": 274886298800, "rbx": 0, "r11": 274886540016, "r10": 274886297952, "r9": 274886324288, "r8": 274888769296, "rax": 0, "rcx": 0, "rdx": 8, "rsi": 4202500, "rdi": 274886299495, "orig_rax": 0, "rip": 4198802, "cs": 51, "eflags": 582, "rsp": 274886298768, "ss": 43, "fs_base": 0, "gs_base": 0, "ds": 0, "es": 0, "fs": 0, "gs": 0}}➜ /root/.local/bin/poetry run python vulnerability_analytics get --binary-path=./test_binary/hammer_controller.bin --binary-arguments="himinbjörg_is_home,loki_sucks_ass" --binary-input="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
INFO | 2022-12-20 03:00:01,956 | rex.Crash | Preconstraining file stream <rex.preconstrained_file_stream.SimPreconstrainedFileStream object at 0x7f3d6040ee80> upon the first read().
WARNING | 2022-12-20 03:00:06,500 | angr.engines.successors | Exit state has over 256 possible solutions. Likely unconstrained; skipping. <BV64 aeg_input_default_5f_95_8 .. aeg_input_default_5e_94_8 .. aeg_input_default_5d_93_8 .. aeg_input_default_5c_92_8 .. aeg_input_default_5b_91_8 .. aeg_input_default_5a_90_8 .. aeg_input_default_59_89_8 .. aeg_input_default_58_88_8>
INFO | 2022-12-20 03:00:06,513 | rex.Crash | Filtering memory writes.
INFO | 2022-12-20 03:00:06,539 | rex.Crash | Triaging the crash.
INFO | 2022-12-20 03:00:06,548 | rex.Crash | detected ip overwrite vulnerability
INFO | 2022-12-20 03:00:06,551 | rex.Crash | Identifying bad_bytes
INFO | 2022-12-20 03:00:07,478 | crs.vulnerability_analytics | ['ip_overwrite']
Press Enter to continue...
{"crashTypes": ["ip_overwrite"], "functionAddress": "0x400086adc0", "basicBlockAddress": "0x400086adc0", "returnAddress": "0x40059a", "stackPointer": "0x4000800ed8", "jumpKind": "Ijk_Call", "coreRegisters": {"r15": 274886537280, "r14": 0, "r13": 4195927, "r12": 274886299032, "rbp": 4702111234474983745, "rbx": 0, "r11": 0, "r10": 0, "r9": 2147483647, "r8": 65535, "rax": 0, "rcx": 1, "rdx": 0, "rsi": 4196442, "rdi": 274886297280, "orig_rax": 0, "rip": 4702111234474983745, "cs": 51, "eflags": 518, "rsp": 274886298768, "ss": 43, "fs_base": 0, "gs_base": 0, "ds": 0, "es": 0, "fs": 0, "gs": 0}}➜ poetry run vulnerability_analytics
Usage: vulnerability_analytics [OPTIONS] COMMAND [ARGS]...
Displays information about a binary crash for given input.
Options:
--help Show this message and exit.
Commands:
get Displays information about the crash.➜ poetry run vulnerability_analytics get --help
Usage: vulnerability_analytics get [OPTIONS]
Displays information about the crash.
Options:
--binary-path TEXT Desired binary path. [required]
--binary-arguments TEXT Arguments provided to the binary, each argument
must be separated by comma and have no spaces if
none are required.
--binary-input TEXT Input to be provided to the binary after the
execution has started.
--base64 Marks that binary arguments and inpus are encoded
in base64.
--help Show this message and exit.from vulnerability_analytics.rex_api.DockerBuilder import DockerBuilder
from vulnerability_analytics.rex_api.VunlerabilityAnalysis import VulnerabilityAnalysis
image = DockerBuilder()
# image.build_custom_image(path_to_the_binary_to_be_analyzed, image_tag, binary_args - given at startup)
image.build_custom_image(
'{binary_path}', '{binary_name}' + ":crash", ['arg1', 'arg2'])
# VulnerabilityAnalysis(previouslt built image, provided_input_after_binary_has_started in bytes)
analyzer = VulnerabilityAnalysis(
image, bytes("{input}", 'utf-8')).start()
print(analyzer.export2JSON())