-
Payload Improvements
- Shellcode splitting: if there isn't one buffer large enough to hold all of our shellcode, but there are multiple small buffers, split the shellcode into chunks that jump from one to the next
- Smarter shellcode that doesn't waste space setting registers which can be set circumstantially
- Shellcode that compactly reads in a stage-2 payload
- State-aware ROP gadget finder that won't set arguments which are already controlled
- Identify libcgc functions that are helpful for chain building
-
Improvements
- When exploring a crash, start from the same basic block as the original crash instead of retracing the entire input
- Call the ROP func_call with a more controlled return address in cases where we can't reach an unconstrained successor
- Detect actual stack smashing more easily, to avoid using 'stack changing gadgets' which only do a 'ret'
- The fourth argument to CGC's transmit system call can be the address of a writeable page; support this
- Test constraint dependencies between bits when setting registers circumstantially; the current method of bit testing can't check, for example, whether null bytes or newlines can exist
-
Testcases
- Test cases for the dumped exploit scripts
-
Basics
- Use register trampolines: when calling shellcode, check whether any registers point into our payload and, if so, call those registers via gadgets
- Recover randomness and challenge-response during exploit generation