Module for discovering vulnerabilities in executables 🧨

vulnerability_detection 🧨

Description

vulnerability_detection is a module in OpenCRS for finding vulnerabilities in executables. At the moment, the only implemented technique is fuzzing.

Limitations

  • ELF format
  • x86 architecture

How It Works

All implemented fuzzers automate AFL++, starting from its official Docker image. The standard input and files fuzzers use AFL++'s off-the-shelf functionality.

The arguments fuzzer adapts the standard input fuzzer through a custom C adapter: the adapter receives the generated input on its own standard input, instantiates the format string passed as its argument (for example --string %s) with that input, and injects the result into the argv of the fuzzed program. Because argv entries are C strings, a NUL byte inside the generated input ends the argument at that point; bytes after it never reach the target.
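The adapter mechanism described above, as an added illustration that is not the project's own argv_adapter code: it reads the generated input from standard input, replaces every %s in a whitespace-separated template such as "--string %s" with that input, and then execs the target with the resulting argv. Splitting the template into tokens before substitution (so a payload containing spaces stays one argument), the MAX_ARGS and MAX_INPUT limits, and the names build_argv and expand_token are this example's own assumptions. It also surfaces the argv edge case from the paragraph above: a NUL byte in the payload is detected and reported before the argument is silently cut short.

```c
/* Illustrative argv adapter (added example; not the project's argv_adapter). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS  64     /* hypothetical limits chosen for this example */
#define MAX_INPUT 4096

/* Copy tok into a fresh buffer, replacing every "%s" with input.
 * Only "%s" is special; any other '%' is copied literally. */
static char *expand_token(const char *tok, const char *input)
{
    size_t in_len = strlen(input), out_len = 0;
    const char *p;

    for (p = tok; *p; p++) {            /* pass 1: size the output */
        if (p[0] == '%' && p[1] == 's') { out_len += in_len; p++; }
        else out_len++;
    }
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    char *w = out;
    for (p = tok; *p; p++) {            /* pass 2: write it */
        if (p[0] == '%' && p[1] == 's') { memcpy(w, input, in_len); w += in_len; p++; }
        else *w++ = *p;
    }
    *w = '\0';
    return out;
}

/* Build a NULL-terminated argv for target from a whitespace-separated
 * template ("--string %s") and the generated input. Tokens are split before
 * substitution, so a payload with spaces stays a single argument.
 * Returns argc, or -1 on error; the caller frees argv[1..argc-1]. */
int build_argv(const char *target, const char *tmpl, const char *input,
               char **argv, int max_args)
{
    size_t len = strlen(tmpl);
    char *copy = malloc(len + 1);       /* strtok modifies its buffer */
    if (!copy) return -1;
    memcpy(copy, tmpl, len + 1);

    int argc = 0;
    argv[argc++] = (char *)target;
    for (char *tok = strtok(copy, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (argc >= max_args - 1 || !(argv[argc] = expand_token(tok, input))) {
            while (argc > 1) free(argv[--argc]);   /* undo partial build */
            free(copy);
            return -1;
        }
        argc++;
    }
    free(copy);
    argv[argc] = NULL;
    return argc;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <target-elf> \"<template with %%s>\"\n", argv[0]);
        return 2;
    }
    /* Read the fuzzer's whole input. argv entries are C strings, so a NUL
     * byte inside the payload cuts the argument short: that is a limit of
     * passing data through argv, not of this adapter, so report it. */
    static char input[MAX_INPUT];
    size_t n = fread(input, 1, sizeof input - 1, stdin);
    input[n] = '\0';
    if (strlen(input) < n)
        fprintf(stderr, "warning: NUL at offset %zu truncates the argument\n",
                strlen(input));

    char *target_argv[MAX_ARGS];
    if (build_argv(argv[1], argv[2], input, target_argv, MAX_ARGS) < 0) {
        fprintf(stderr, "could not build argv\n");
        return 1;
    }
    execv(argv[1], target_argv);    /* returns only on failure */
    perror("execv");
    return 1;
}
```

Compiled with cc -o adapter adapter.c, it is invoked as ./adapter ./argv_null_deref.elf "--string %s" with the fuzzer's generated input on standard input; AFL++ then sees the adapter as an ordinary stdin target while the real program is exercised through its arguments.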

Setup

  1. Ensure you have Docker installed.
  2. Install the required Python 3 packages via poetry install --no-dev.
  3. Build the Docker image: sudo docker build --build-arg USER_ID=<uid> --build-arg GROUP_ID=<gid> --tag aflplusplus -f docker/Dockerfile.aflplusplus ., where <uid> and <gid> are the user and group IDs of the current user (as printed by id -u and id -g).
  4. Ensure the Docker API is accessible by either:
    • Running the module as root; or
    • Changing the Docker socket permissions (insecure) via chmod 777 /var/run/docker.sock. Anyone who can talk to the Docker socket can start privileged containers and is therefore effectively root on the host, so a world-writable socket hands that to every local user; prefer running as root, or granting docker group membership to the fuzzing user only, on a dedicated machine.
  5. Build the arguments adapter via cd argv_adapter && make.

Usage

As a CLI Tool

Fuzzing Files

➜ poetry run vulnerability_detection fuzz --fuzzer FILES_AFLPLUSPLUS --stream FILES --elf file_bof.elf --samples samples --arguments "--file"
New proof of vulnerability was generated with the following payloads:

- For FILES:

00000000: 79 80 80                                          y..

Fuzzing Standard Input

➜ poetry run vulnerability_detection fuzz --fuzzer STDIN_AFLPLUSPLUS --stream STDIN --elf stdin_bof.elf --samples samples
New proof of vulnerability was generated with the following payloads:

- For STDIN:

00000000: 70 00 00 00 00 00 00 00  00 00 00 00 E5 00 00 CF  p...............
00000010: 6B 6D                                             km

Fuzzing Arguments

➜ poetry run vulnerability_detection fuzz --fuzzer ARGS_AFLPLUSPLUS --stream ARGUMENTS --elf argv_null_deref.elf --samples samples --arguments "--string %s"
New proof of vulnerability was generated with the following payloads:

- For ARGUMENTS:

00000000: 73 1D 0A AC 61 20 0A 00                           s...a ..

Help

➜ poetry run vulnerability_detection
Usage: vulnerability_detection [OPTIONS] COMMAND [ARGS]...

  Discovers vulnerabilities in executables.

Options:
  --help  Show this message and exit.

Commands:
  fuzz  Find vulnerabilities by using a fuzzer.

As a Python Module

from vulnerability_detection.fuzzing import (
    PoVConsumer,
    StdinAFLPlusPlus,
    InputStreams,
    ProofOfVulnerability,
)


class CustomPoVConsumer(PoVConsumer):
    def notify_new_pov(self, pov: ProofOfVulnerability) -> None:
        # Called once per new proof of vulnerability; process the object
        # here (for example, persist the payload). Printing it is enough
        # for a first run.
        print(pov)


# Path to the fuzzed ELF and to the folder of seed samples
target_elf = "stdin_bof.elf"
samples_folder = "samples"

fuzzer = StdinAFLPlusPlus()
fuzzer.set_input_stream(InputStreams.STDIN)
fuzzer.set_target(target_elf, samples_folder)

consumer = CustomPoVConsumer()
fuzzer.attach_consumer(consumer)

fuzzer.start_fuzzing()