Automated exploit development: The future of exploitation is here
From Practical Software Verification
Methods used: Fuzzing, debugging
Working implementation: Yes
Open source/public demo: Neither
Abstract
The notion of automated exploitation is something that has at one point or another crossed the mind of almost every information security researcher since the dawn of the science. However, due to the heavy requirement of developing the theory, as well as the software to implement the theoretical mechanisms required, software to perform this task has not been seen in the professional debugging arena.
Grayscale Research has changed this with the advent of the Prototype-8 software debugging suite. This whitepaper aims not to promote this software, but to provide the theory required to build such a system.
By utilizing the inherent native debugging libraries on the Windows and Linux platforms, it is possible to achieve the holy grail of exploit development for both platforms: reliable exploits that literally write themselves.
Main points
- Uses run time instrumentation of the program to detect erroneous conditions.
- Detects stack overflows by monitoring for segmentation faults and comparing the EIP to the fuzz data.
- Implicitly assumes that perfect conditions for an exploit exist: data is written unmodified over the stack pointer, the shellcode is not damaged, and a trampoline is available.
- Checks for heap corruption by comparing chunk->next->prevSize to chunk->size. Presumably an overflow will overrun chunk->next->prevSize.
- Handles ASLR
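The heap-corruption check listed above, as an added example (not the paper's or Grayscale Research's code): a toy dlmalloc-style arena over which the chunk->next->prevSize comparison is applied. The chunk layout and flag bits are assumed from the allocator family rather than stated by the paper.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Toy dlmalloc/glibc-style chunk header (assumed layout, not the paper's code).
 * prev_size is meaningful only when the previous chunk is free (PREV_INUSE clear in
 * this chunk's size); otherwise those bytes are the previous chunk's user data. */
#define PREV_INUSE 1u
#define SIZE_FLAGS 7u
typedef struct { size_t prev_size, size; } chunk_hdr;
static size_t chunk_size(const chunk_hdr *c) { return c->size & ~(size_t)SIZE_FLAGS; }
/* Walk the arena [base, base+len). Returns -1 if consistent, otherwise the ordinal
 * of the first chunk whose size field is invalid or whose successor's prev_size
 * disagrees with its size (the chunk->next->prevSize test, applied to free chunks). */
int check_arena(const uint8_t *base, size_t len) {
    const chunk_hdr *c = (const chunk_hdr *)base; int idx = 0;
    if (len < sizeof(chunk_hdr)) return -1;
    for (;;) {
        size_t room = (size_t)(base + len - (const uint8_t *)c), sz = chunk_size(c);
        if (sz < sizeof(chunk_hdr) || sz > room) return idx;   /* size field overwritten */
        if (sz + sizeof(chunk_hdr) > room) return -1;          /* last chunk: no successor */
        const chunk_hdr *n = (const chunk_hdr *)((const uint8_t *)c + sz);
        if (!(n->size & PREV_INUSE) && n->prev_size != sz) return idx;
        c = n; idx++;
    }
}
/* Constructed arena: chunk 0 in use (32 bytes), chunk 1 free (48 bytes), chunk 2
 * in use (32 bytes). buf must hold at least 112 bytes. */
static size_t build_demo_arena(uint8_t *buf) {
    chunk_hdr *c0 = (chunk_hdr *)buf, *c1 = (chunk_hdr *)(buf + 32), *c2 = (chunk_hdr *)(buf + 80);
    memset(buf, 0, 112);
    c0->size = 32 | PREV_INUSE;
    c1->size = 48 | PREV_INUSE;  /* chunk 0 is in use ... */
    c1->prev_size = 0xdeadbeef;  /* ... so this field is really chunk 0's data: not checked */
    c2->size = 32;               /* PREV_INUSE clear: chunk 1 is free ... */
    c2->prev_size = 48;          /* ... so this field must mirror chunk 1's size */
    return 112;
}
int clean_demo(void) {           /* returns -1: arena consistent */
    uint8_t buf[112]; size_t n = build_demo_arena(buf);
    return check_arena(buf, n);
}
/* Simulate a write that overruns chunk 1's data into chunk 2's prev_size field. */
int overflow_demo(void) {        /* returns 1: chunk 1's successor now disagrees */
    uint8_t buf[112]; size_t n = build_demo_arena(buf);
    memset(buf + 32 + sizeof(chunk_hdr), 'A', 48 - sizeof(chunk_hdr) + sizeof(size_t));
    return check_arena(buf, n);
}
```

An in-use chunk's successor prev_size overlaps its own user data, so the comparison only flags corruption around free chunks; an overflow that lands on a chunk's size field is caught by the size sanity test instead.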
Reader comments
- Basic techniques but functional. There is the assumption that replacing a valid fuzz input with complete garbage of the same size + JMP ESP address + shellcode will work. There are many conditions in which this could fail.
Bibtex
@techreport{medeiros07,
author = {Medeiros, Jason},
title = {Automated Exploit Development, The future of exploitation is here},
year = {2007},
institution = {Grayscale Research},
}