HAEPG: An Automatic Multi-hop Exploitation Generation Framework [chapter]

Zixuan Zhao, Yan Wang, Xiaorui Gong
2020 Lecture Notes in Computer Science
Automatic exploit generation for heap vulnerabilities is an open challenge. Current studies require a sensitive pointer on the heap to hijack the control flow and pay little attention to vulnerabilities with limited capabilities. In this paper, we propose HAEPG, an automatic exploit framework that can utilize known exploitation techniques to guide exploit generation. We implemented a prototype of HAEPG based on the symbolic execution engine S2E [15] and provided four exploitation techniques for it as prior knowledge. HAEPG takes crashing inputs, programs, and prior knowledge as input, and generates exploits for vulnerabilities with limited capabilities by abusing the heap allocator's internal functionalities. We evaluated HAEPG with 24 CTF programs, and the results show that HAEPG is able to accurately reason about the type of vulnerability for 21 (87.5%) of them, and to generate exploits that spawn a shell for 16 (66.7%) of them. All the exploits could bypass the NX [25] and Full RELRO [28] security mechanisms.
doi:10.1007/978-3-030-52683-2_5 fatcat:qz4u3hb63negtlsbjzvuecwiye