Beebug - A Tool For Checking Exploitability
beebug is a tool that tin hold upward used to verify if a plan crash could hold upward exploitable.
This tool was presented the showtime fourth dimension at r2con 2018 inward Barcelona.
Some implemented functionality are:
- Stack overflow on libc
- Crash on Program Counter
- Crash on branch
- Crash on write memory
- Heap vulnerabilities
- Read access violation (some exploitable cases)
- Help to analyze a crash (graph view)
Dependencies
- r2pipe
- pydot
- graphviz
- pyqtgraph
Installation
$ wget https://github.com/radare/radare2/archive/2.7.0.tar.gz $ tar xzvf 2.7.0.tar.gz $ cd radare2-2.7.0/ /radare2-2.7.0 $ ./configure --prefix=/usr /radare2-2.7.0 $ brand -j8 /radare2-2.7.0 $ sudo brand install # apt-get install graphviz # pip3 install -r requirements.txt
Usage
help
$ python3 ./beebug.py -h usage: beebug.py [-h] [-t TARGET] [-a TARGETARGS] [-f FILE] [-g GRAPH] [-i] [-r REPORT_FILE] [-v] optional arguments: -h, --help exhibit this assistance message as well as move out -t TARGET, --target TARGET target plan to analyze -a TARGETARGS, --targetargs TARGETARGS arguments for the target plan -f FILE, --file FILE input file -g GRAPH, --graph GRAPH generate the graph -i, --instrumentation instrumentation pick -r REPORT_FILE, --report_file REPORT_FILE DynamoRIO written report file to parse
Simple usage
# python3 ./beebug.py -t tests/crash_on_pc Process amongst PID 7691 started... File dbg:///home/invictus1306/Documents/r2conf/beebug/beebug/tests/crash_on_pc reopened inward read-write agency = attach 7691 7691 nestling stopped amongst quest xi [+] SIGNAL xi errno=0 addr=0x00601038 code=2 ret=0 Crash on PC - Generally it is exploitable, the PC could hold upward tainted backtrace 0 0x601038 sp: 0x0 0 [??] obj.foo obj.foo0 i 0x4004f1 sp: 0x7ffdfa75d8e8 0 [sym.main] main+27 two 0x7f2669d00830 sp: 0x7ffdfa75d908 32 [??] r11+240 three 0x7f266a0ba7cb sp: 0x7ffdfa75d998 144 [??] sym.dl_rtld_di_serinfo+29051 four 0x400409 sp: 0x7ffdfa75d9c8 48 [??] entry0+41 registers rax = 0x00601038 rbx = 0x00000000 rcx = 0x00000000 rdx = 0x7ffdfa75d9f8 r8 = 0x00400570 r9 = 0x7f266a0baab0 r10 = 0x00000846 r11 = 0x7f2669d00740 r12 = 0x004003e0 r13 = 0x7ffdfa75d9e0 r14 = 0x00000000 r15 = 0x00000000 rsi = 0x7ffdfa75d9e8 rdi = 0x0000000a rsp = 0x7ffdfa75d8e8 rbp = 0x7ffdfa75d900 rip = 0x00601038 rflags = 0x00010206 orax = 0xffffffffffffffff
Graph generation
# python3 ./beebug.py -t tests/crash_on_pc -g crash_on_pc ... $ display crash_on_pc.png
Report parsing
Parse the written report produced past times functrace, as well as graph generation.
Generate written report using libtrace
$ drrun -c libfunctrace.so -report_file ./tests/reports/report1 -disas_func master copy -- ./tests/reports/simple_test Please larn inward a message: AAAA Hello! This is the default message, the release is 22
Run beebug for graph generation
$ python3 beebug.py -i -r ./tests/reports/report1 -g tests/reports/report1
Future direction
- Support unlike architectures
- Improvement of the graph stance (based on radare2)
- Analyze center dumps (based on radare2)
- Use instrumentation for the graph stance generation
Lead Developer
- Andrea Sindoni - Twitter