-
功能:自动生成UAF类型漏洞exp文件的工具,目前缺少文档介绍,可以参考test文件下的使用实例,但是源码中缺少dataflowanalyzer模块
-
相关内容:源码路径https://github.com/ww9210/Linux_kernel_exploits
-
论文:
title={FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities},
author={Wu, Wei and Chen, Yueqi and Xu, Jun and Xing, Xinyu and Gong, Xiaorui and Zou, Wei},
booktitle={27th USENIX Security Symposium (USENIX Security 18)},
organization={USENIX Association}
}
-
测试环境:Ubuntu16.04 + python2
- 安装需要
pwntools,colorama,ROPgadget,angr,claripy,pyvex angr,qemu-system-x86_64, ROPGadget, pwntools, GDB, gef, capstone, KASAN, ftrace
- 安装需要
-
主要内容fuze,包含'fuze.vminstance','fuze.concolicexecutor','fuze.statebroker', 'fuze.kernelrop'
其中vminstance用于管理虚拟机,concolicexecutor用于执行 -
安装方法:
pip install networkx==2.2 cle==7.8.2.21 archinfo==7.8.2.21 pyvex==7.8.2.21 claripy==7.8.2.21 angr==7.8.2.21 pip install tox python setup.py install --user
修改python2.7/dist-packages/pwntools-3.14.0.dev0-py2.7.egg/pwnlib/elf/elf.py中的55行1749行的ENUM_P_TYPE,改为ENUM_P_TYPE_BASE -
查看测试用例
-
需要在测试前配置qemu_config(包含vmlinux_path、monitor_port等),function_call_to_disable列表,callbacks_to_monitor列表,expected_start_rip,extra_bp列表(可以为空),obj_base(rdx的值)
-
qemuConfig包含的选项参考
fuze/vminstance/qemuconfig/__init__.py
-
, 'kernel_path' : '/home/ww9210/kernels/4.14-rc1-no-kasan/arch/x86/boot/bzImage'
, 'append':'console=ttyS0 root=/dev/sda debug earlyprintk=serial oops=panic'
, 'hda':'/home/ww9210/develop/kuafffp/test/15649_test/img/wheezy.img'
, 'ssh_port':10021
, 'ram_size':'1G'
, 'monitor_port':9210
, 'gdb_port':1234
, 'ssh_keyfile':'/home/ww9210/develop/kuafffp/test/15649_test/img/ssh/id_rsa'
, 'vmlinux_file':'/home/ww9210/kernels/4.14-rc1-no-kasan/vmlinux'
}```