{"id":13539161,"url":"https://github.com/jfoote/exploitable","last_synced_at":"2025-04-02T06:30:24.379Z","repository":{"id":4136557,"uuid":"5249053","full_name":"jfoote/exploitable","owner":"jfoote","description":"The 'exploitable' GDB plugin","archived":false,"fork":false,"pushed_at":"2022-08-13T22:05:36.000Z","size":316,"stargazers_count":674,"open_issues_count":8,"forks_count":119,"subscribers_count":36,"default_branch":"master","last_synced_at":"2024-11-03T04:32:18.472Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jfoote.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-07-31T17:22:16.000Z","updated_at":"2024-10-21T20:42:59.000Z","dependencies_parsed_at":"2022-07-20T07:17:01.992Z","dependency_job_id":null,"html_url":"https://github.com/jfoote/exploitable","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfoote%2Fexploitable","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfoote%2Fexploitable/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfoote%2Fexploitable/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfoote%2Fexploitable/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jfoote","download_url":"https://codeload.github.com/jfoote/exploitable/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767478,"owners_count":
20830497,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:20.922Z","updated_at":"2025-04-02T06:30:24.108Z","avatar_url":"https://github.com/jfoote.png","language":"Python","funding_links":[],"categories":["<a id=\"683b645c2162a1fce5f24ac2abfa1973\"></a>Vulnerabilities && Vulnerability Management && Vulnerability Discovery/Hunting && Exploit Development && Exploitation && Fuzzing","Python","<a id=\"975d9f08e2771fccc112d9670eae1ed1\"></a>GDB"],"sub_categories":["<a id=\"41ae40ed61ab2b61f2971fea3ec26e7c\"></a>Exploitation","<a id=\"5f4381b0a90d88dd2296c2936f7e7f70\"></a>Tools"],"readme":"GDB 'exploitable' plugin\n====\n\nJonathan Foote\n\njmfoote@loyola.edu\n\n15 April 2015\n\nRequirements\n====\n\n- Compatible x86/x86_64/ARM/MIPS Linux\n- Compatible GDB 7.2 or later\n- Python 2.7 or later (for triage.py)\n\nThe 'exploitable' plugin (exploitable/exploitable.py)\n====\n\n'exploitable' is a GDB extension that classifies Linux application bugs by severity. The extension inspects the state of a Linux application that has crashed and outputs a summary of how difficult it might be for an attacker to exploit the underlying software bug to gain control of the system. The extension can be used to prioritize bugs for software developers so that they can address the most severe ones first.\n\nThe extension implements a GDB command called 'exploitable'. The command uses heuristics to describe the exploitability of the state of the application that is currently being debugged in GDB. 
The command is designed to be used on Linux platforms and versions of GDB that include the GDB Python API. Note that the command will not operate correctly on core file targets at this time.\n\nWARNING: This is an engineering tool. It has not been exhaustively tested, and has not been executed on many flavors of Linux! Please read and understand the classification rules (lib/rules.py) before use and modify the source code to suit your specific testing needs if necessary.\n\nUsage\n----\n\n### Global installation and usage\n\n1. Optionally, run the integration tests:\n\n        $ python setup.py test\n\n2. Install the script into GDB's data directory (probably as root):\n\n        # python setup.py install\n\n3. Run the command:\n\n        (gdb) exploitable\n\n### Local usage\n\n1. Copy all files in this directory and its sub-directories to a sub-directory that is accessible from GDB.\n\n2. Source the exploitable file as a script and run the command:\n\n        (gdb) source my-exploitable-dir/exploitable.py\n        (gdb) exploitable\n\nIn many cases exploitable makes guesses and calculates values based on GDB's stack unwind. The extension will work best if GDB can find the debug symbols for binaries, especially libc.\n\nNote that the extension's classification capability is significantly degraded when run in a GDB session with a core file target. When GDB is run against a core file, much of the information that the extension uses for classification is not present via conventional GDB APIs.\n\nTesting\n----\n\n### Smoke testing\n\nThis project includes test cases (tests/) that can be used as a starting point for testing the 'exploitable' command on new Linux platforms. A Makefile is included. Note that test case filenames generally correspond to the most exploitable tag that should be applied to the test case; however, because Linux platforms handle errors differently, an exact correspondence will not exist for all of the test cases on most Linux platforms. 
\n\nA few unit tests have been implemented in lib/gdb_wrapper/tests/x86\\_unit\\_tests.py. unit\\_tests.py is meant to be invoked from GDB; see the comments in the file for details.\n\n### Integration testing\n\nIntegration tests for x86 and ARM platforms are located in tests/x86.sh and tests/arm.sh, respectively. These tests are designed for use with travis-ci.org, but can (and should) be run locally on an up-to-date Ubuntu x86_64 any time functional changes are made to the code. Note that, if not modified, arm.sh requires access to a private AWS S3 bucket to install dependencies. Please contact the author if you require access to the S3 bucket.\n\nTo run the x86 integration tests, try this from the project root directory:\n\n        $ ./tests/x86.sh\n\nNote that these tests are quite fragile and will, hopefully, improve over time.\n\n#### Tested platforms\n\nAt the time of this writing, integration tests pass on the following platforms:\n\n- Ubuntu 13.10 32-bit, GDB 7.2\n- Ubuntu 13.10 64-bit, GDB 7.4\n- Ubuntu 13.10 64-bit, GDB 7.6\n- Travis-ci Ubuntu 64-bit, GDB 7.4\n\nThe authors of the GDB Python API tend to break backwards compatibility regularly, so beware.\n\nInternals Overview\n----\n\nexploitable runs in GDB's Python interpreter (which depends on the Python C API) and uses GDB's Python API. For details, see:\nhttp://sourceware.org/gdb/onlinedocs/gdb/Python-API.html\n\nexploitable iterates over an ordered list of \"rules\" (lib/rules.py) to generate a Classification (lib/classifier.py). If the state of the application running in GDB matches a rule, exploitable adds the corresponding \"tag\" to the Classification. The result of an exploitable invocation is a Classification, either printed to GDB's stdout or stored to a pickle file, depending on the command parameters.\n\nThe entry point for the GDB command is defined in exploitable.py. Iteration over the rules is implemented by a Classifier object (lib/classifier.py). The methods that determine whether a rule matches are contained in per-platform \"analyzers\" (lib/analyzers/). The state of the application is queried via a set of GDB API wrapper objects and methods (see lib/gdb_wrapper/x86.py for details). A Classification (lib/classifier.py) retains attributes for the \"most exploitable\" (lowest-ordered) tag, i.e. the first matching rule, but it also includes an ordered list of all other matching tags.\n\nClassification rule definitions, located in lib/rules.py, can be re-prioritized by simple cut/paste: a rule's position in the list is its priority.\n\nContributing\n----\n\nPlease contribute your changes, fixes, and issues to the master branch at https://github.com/jfoote/exploitable! To help things go smoothly, please ensure that the integration tests (see tests/ in the project root) pass before you submit your code. Feel free to change the integration tests themselves if you are fixing bugs or adding features. Feel free to contact the author (jmfoote@loyola.edu) if you have any questions or feedback.\n\ntriage.py\n====\n\nThis package consists of a triage script and a GNU Debugger (GDB) extension named 'exploitable'. The triage script is a simple batch wrapper for the 'exploitable' GDB extension. The triage script is designed to prioritize bugs for software developers so that they can address the most severe ones first. For more information on the 'exploitable' GDB extension, see the 'exploitable' section above.\n\nThe triage script automates invocations of GDB and the 'exploitable' GDB extension. The script invokes a target application one or more times via GDB. Each invocation includes execution of the exploitable command. Results of the exploitable command are accumulated and a summary is printed to stdout.\n\nWARNING: The triage script was written to address some specific testing needs, so it is not particularly robust or extensible. 
The script is being distributed as a starting point and example for writing a custom wrapper for the 'exploitable' extension.\n\nIn practice the triage script is meant to run an application with a set of crashing inputs that have been discovered via other means. If an application invocation does not cause GDB to break, the triage script will hang (CTRL-C to stop).\n\nNote that some output from the application under test may be printed to the console as the triage script runs (particularly output from libc_message). Also note that the 'exploitable' extension will not operate correctly on core file targets at this time.\n\nUsage\n----\n\nThe triage script is designed to be invoked from this directory.\n\n### Print help\n\n1. From this directory, invoke triage:\n\n        python triage.py --help\n\n### Running the included exploitable tests (Hello exploitable!)\n\n1. Build the exploitable tests:\n\n        cd exploitable/tests && make && cd ../..\n\n2. Invoke triage with the test binaries as arguments:\n\n        python triage.py \\$sub `find exploitable/tests/bin -type f`\n\n3. Clean up the test binaries:\n\n        cd exploitable/tests && make clean && cd ../..\n\n### Example application usage\n\n1. Invoke triage with the application command line and the crashing inputs as arguments. For example:\n\n        python triage.py \"jasper --input \\$sub --output /dev/null\" `find /mnt/foo/crashers -type f`\n\nThis example will invoke jasper once for each file in /mnt/foo/crashers, with `$sub` replaced by the path of that file.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfoote%2Fexploitable","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjfoote%2Fexploitable","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfoote%2Fexploitable/lists"}
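The ordered-rule scheme described under "Internals Overview" in the README above (rules tried in order, every match adds a tag, the lowest-ordered match is the headline), modelled in Python as an added example for this page. This is not the project's lib/rules.py or lib/classifier.py: the CrashState fields, the predicates and the category attached to each tag are simplified assumptions chosen to show the ordering semantics, and only the tag names borrow the plugin's vocabulary.

```python
"""Model of exploitable's ordered-rule classification (added example,
not code from jfoote/exploitable). Assumed for illustration: the
CrashState fields, the toy predicates, and the category per tag."""
from collections import namedtuple

# Simplified stand-in for what a per-platform analyzer queries from GDB.
CrashState = namedtuple("CrashState", "signal pc fault_addr is_write")

# Ordered rules: (tag, category, predicate). List position is priority,
# so re-prioritizing is a cut/paste of one tuple, as the README says of
# lib/rules.py. Categories here are placeholders, not the plugin's.
RULES = [
    ("SegFaultOnPc", "EXPLOITABLE",
     lambda s: s.signal == "SIGSEGV" and s.fault_addr == s.pc),
    ("DestAv", "EXPLOITABLE",
     lambda s: s.signal == "SIGSEGV" and s.is_write),
    ("AbortSignal", "PROBABLY_NOT_EXPLOITABLE",
     lambda s: s.signal == "SIGABRT"),
    ("SourceAv", "UNKNOWN",
     lambda s: s.signal == "SIGSEGV" and not s.is_write),
    ("AccessViolation", "UNKNOWN",
     lambda s: s.signal == "SIGSEGV"),
]

Classification = namedtuple(
    "Classification", "tag category rank total other_tags")


def classify(state, rules=RULES):
    """Try every rule in order. The first match becomes the headline tag;
    all later matches are kept, in rule order, as other_tags."""
    matches = [(rank, tag, cat)
               for rank, (tag, cat, pred) in enumerate(rules) if pred(state)]
    if not matches:
        return Classification("UncategorizedSignal", "UNKNOWN",
                              None, len(rules), [])
    rank, tag, cat = matches[0]
    return Classification(tag, cat, rank, len(rules),
                          [t for _, t, _ in matches[1:]])


def describe(c):
    """Render as 'Tag (rank/total)', 1-based like a short description."""
    if c.rank is None:
        return c.tag
    return "%s (%d/%d)" % (c.tag, c.rank + 1, c.total)


if __name__ == "__main__":
    # Constructed state: SIGSEGV on a write to an attacker-looking address.
    write_fault = CrashState("SIGSEGV", pc=0x400567,
                             fault_addr=0x41414141, is_write=True)
    c = classify(write_fault)
    print(describe(c), c.category, "other tags:", c.other_tags)
    # Moving AccessViolation to the front changes the headline tag without
    # touching a predicate: that is what "re-prioritize by cut/paste" means.
    reordered = [RULES[-1]] + RULES[:-1]
    print(describe(classify(write_fault, reordered)))
```

Because the headline is simply the first match, a rule placed too early masks every more specific rule below it; that is why the README asks you to read lib/rules.py before trusting a classification.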
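A batch wrapper of the kind the triage.py section describes, written as an added example for this page rather than taken from the project, though it keeps the same `$sub` convention. It assumes Python 3 and a GDB with Python support on PATH, the plugin at `exploitable/exploitable.py`, and that the `exploitable` command prints `Key: Value` lines whose classification and hash fields carry the names given in the constants (verify against your plugin version). The sample output embedded in the block is constructed to mirror that layout, not captured from a real run. Unlike the README's script, it kills the whole GDB process group on a timeout, so a target that neither crashes nor exits does not hang the batch.

```python
"""Batch triage around the 'exploitable' GDB command (added example;
not triage.py from jfoote/exploitable). Assumptions: Python 3, gdb on
PATH, plugin path EXPLOITABLE_PY, output field names CLASS_KEY/HASH_KEY."""
import argparse
import os
import shlex
import signal
import subprocess

EXPLOITABLE_PY = "exploitable/exploitable.py"  # assumed path to the plugin
CLASS_KEY = "Exploitability Classification"   # assumed output field name
HASH_KEY = "Hash"                             # assumed output field name
SUB_TOKEN = "$sub"                            # stands in for the crasher path

# Constructed sample of the 'Key: Value' layout; not a real capture.
SAMPLE_OUTPUT = """Reading symbols from ./target...
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400567 in main ()
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: deadbeef.cafebabe
Exploitability Classification: EXPLOITABLE
Other tags: AccessViolation (21/22)
"""


def build_gdb_argv(command_template, crasher_path, plugin_path=EXPLOITABLE_PY):
    """Non-interactive GDB command line for one crasher.

    The template is split shell-style and '$sub' replaced as a whole
    token, so crasher paths containing spaces survive. GDB sources the
    plugin, runs the target and invokes 'exploitable' once it stops;
    -batch makes GDB exit afterwards instead of prompting."""
    target = shlex.split(command_template)
    if SUB_TOKEN not in target:
        raise ValueError("command template must contain " + SUB_TOKEN)
    target = [crasher_path if tok == SUB_TOKEN else tok for tok in target]
    return ["gdb", "-q", "-batch",
            "-ex", "source " + plugin_path,
            "-ex", "run",
            "-ex", "exploitable",
            "--args"] + target


def parse_exploitable_output(text):
    """Collect 'Key: Value' lines; GDB chatter and output from the program
    under test (the README's libc_message case) are ignored, not fatal."""
    fields = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        fields[key.strip()] = value.strip()
    return fields


def run_one(command_template, crasher_path, timeout=30):
    """Run GDB on one crasher; return (classification, fields).

    GDB is started in its own session so that on timeout the inferior is
    killed together with it rather than left running."""
    argv = build_gdb_argv(command_template, crasher_path)
    proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            universal_newlines=True, start_new_session=True)
    try:
        out, _ = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)
        proc.communicate()
        return "TIMEOUT", {}
    fields = parse_exploitable_output(out)
    return fields.get(CLASS_KEY, "UNKNOWN"), fields


def summarize(results):
    """results: iterable of (crasher_path, classification, fields).
    Returns [(classification, crasher_count, distinct_hash_count)] sorted
    by count, so many crashers sharing one Hash show up as one bug."""
    per_class = {}
    for path, cls, fields in results:
        crashers, hashes = per_class.setdefault(cls, ([], set()))
        crashers.append(path)
        if HASH_KEY in fields:
            hashes.add(fields[HASH_KEY])
    return sorted(((cls, len(c), len(h)) for cls, (c, h) in per_class.items()),
                  key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("command", help="e.g. 'jasper --input $sub --output /dev/null'")
    ap.add_argument("crashers", nargs="+")
    ap.add_argument("--timeout", type=int, default=30)
    args = ap.parse_args()
    results = [(p,) + run_one(args.command, p, args.timeout) for p in args.crashers]
    for path, cls, fields in results:
        print("%-24s %s  %s" % (cls, fields.get(HASH_KEY, "-"), path))
    for cls, n, distinct in summarize(results):
        print("%s: %d crasher(s), %d distinct hash(es)" % (cls, n, distinct))
```

Invocation mirrors the README's example: `python batch_triage.py "jasper --input $sub --output /dev/null" /mnt/foo/crashers/*`. Since the target's stdin is /dev/null and both GDB and inferior output are captured on one pipe, anything the program prints is parsed past harmlessly; a run that times out or never reaches a stop is reported as TIMEOUT or UNKNOWN rather than blocking the batch.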