CRAXplusplus (CRAX++)

current version: 0.2.1

Being inspired by AFL++, the exploit generator CRAX++ is CRAX with x86_64 ROP techniques, s2e 2.0 upgrade, code selection, I/O states, dynamic ROP, and more. Given a x86_64 binary program and a PoC input, our system leverages dynamic symbolic execution (i.e. concolic execution) to collect the path constraints determined by the PoC input, add exploit constraints to the crashing states, and query the constraint solver for exploit script generation. Our system supports custom exploitation techniques and modules with the aim of maximizing its extensibility. We implement several binary exploitation techniques in our system, and design two ROP payload chaining algorithms to build ROP payload from multiple techniques.

Conference Talk

• HITCON 2022 [YouTube] [Slides]

System Architecture

Evaluation

Experimental Environment

• Binaries are compiled as 64-bit x86_64 ELF with gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
• Binaries are concolically executed in S2E guest (Debian 9.2.1 x86_64, 4.9.3-s2e) using libc/ld 2.24
• All generated exploit scripts are verified in host (Ubuntu 20.04.1 x86_64, 5.11.0-46-generic) using libc/ld 2.24

Quick Start [WIP]

Introduction

• Building CRAX++
• Usage
• Reproducing experiments from the examples directory
• What is a Module?
• What is a Technique?

Extending CRAX++

• Register API
• Memory API
• Virtual Memory Map API
• Disassembler API
• Logging API
• Instruction hooks
• Syscall hooks
• How to add a Module
• How to add a Technique

Special Thanks (Listed Lexicographically)

This project is impossible without:

• Balsn CTF Team and Network Security Lab, NTU
• S2E: Vitaly Chipounov and all the S2E authors/contributors
• Software Quality Lab, NYCU

Reference

[1] Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. “S2E: A platform for in-vivo multi-path analysis of software systems”. Acm Sigplan Notices 46.3 (2011), pp. 265–278. [Paper] [Repo] [Docs]

[2] Shih-Kun Huang et al. “Crax: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations”. In: 2012 IEEE Sixth International Conference on Software Security and Reliability. IEEE. 2012, pp. 78–87. [Paper] [Repo] [Article]

[3] W.-L. Mow, S.-K. Huang, H.-C. Hsiao. "LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR". In The 6th International Workshop on Privacy, data Assurance, Security Solutions for Internet of Things, June 2022. [Paper]

[4] Wang Guan-Zhong and Huang Shih-Kun. "CRAXplusplus: Modular Exploit Generator using Symbolic Execution" (2022). [Thesis] [Slides]

License

Licensed under MIT. Copyright 2021-2022 Software Quality Laboratory, NYCU.