Skip to content
/ vulnerability_detection Public

Module for discovering vulnerabilities in executables 🧨

2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

open-crs/vulnerability_detection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
argv_adapter
argv_adapter
 
 
docker
docker
 
 
vulnerability_detection
vulnerability_detection
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

vulnerability_detection 🧨

Description

vulnerability_detection is a module in OpenCRS for finding vulnerabilities in executables. At the moment, the only implemented technique is fuzzing.

Limitations

  • ELF format
  • x86 architecture

How It Works

All implemented fuzzers automate AFL++, starting from the official Docker container. The standard input and the files one use the off-the-shelf functionality.

The arguments fuzzer adapts the standard input fuzzer using a custom C adapter. The latter received the generated input and instantiate a format string that is passed as argument. The result is then injected in the argv of the fuzzed program.

Setup

  1. Ensure you have Docker installed.
  2. Install the required Python 3 packages via poetry install --no-dev.
  3. Build the Docker image: sudo docker build --build-arg USER_ID=<uid> --build-arg GROUP_ID=<guid> --tag aflplusplus -f docker/Dockerfile.aflplusplus ., where <uid> and <guid> are the individual and group IDs of the current user.
  4. Ensure the Docker API is accessible by:
    • Running the module as root; or
    • Changing the Docker socket permissions (unsecure approach) via chmod 777 /var/run/docker.sock.
  5. Build the arguments' adapter via cd argv_adapter && make.

Usage

As a CLI Tool

Fuzzing Files

➜ poetry run vulnerability_detection fuzz --fuzzer FILES_AFLPLUSPLUS --stream FILES --elf file_bof.elf --samples samples --arguments "--file"
New proof of vulnerability was generated with the following payloads:

- For FILES:

00000000: 79 80 80                                          y..

Fuzzing Standard Input

➜ poetry run vulnerability_detection fuzz --fuzzer STDIN_AFLPLUSPLUS --stream STDIN --elf stdin_bof.elf --samples samples                     
New proof of vulnerability was generated with the following payloads:

- For STDIN:

00000000: 70 00 00 00 00 00 00 00  00 00 00 00 E5 00 00 CF  p...............
00000010: 6B 6D                                             km

Fuzzing Arguments

➜ poetry run vulnerability_detection fuzz --fuzzer ARGS_AFLPLUSPLUS --stream ARGUMENTS --elf argv_null_deref.elf --samples samples --arguments "--string %s"
New proof of vulnerability was generated with the following payloads:

- For ARGUMENTS:

00000000: 73 1D 0A AC 61 20 0A 00                           s...a ..

Help

➜ poetry run vulnerability_detection            
Usage: vulnerability_detection [OPTIONS] COMMAND [ARGS]...

  Discovers vulnerabilities in executables.

Options:
  --help  Show this message and exit.

Commands:
  fuzz  Find vulnerabilities by using a fuzzer.

As a Python Module

from vulnerability_detection.fuzzing import (
    PoVConsumer,
    StdinAFLPlusPlus,
    InputStreams,
    ProofOfVulnerability
)

class CustomPoVConsumer(PoVConsumer):
    def notify_new_pov(self, pov: ProofOfVulnerability) -> None:
        # Process the ProofOfVulnerability object

fuzzer = StdinAFLPlusPlus()
fuzzer.set_input_stream(InputStreams.STDIN)
fuzzer.set_target(target_elf, samples_folder)

consumer = CustomPoVConsumer()
fuzzer.attach_consumer(consumer)

fuzzer.start_fuzzing()

About

Module for discovering vulnerabilities in executables 🧨

Topics

symbolic-execution fuzzing

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Contributors 2

  •  
  •  

Languages