Vulnerabilities findings

[ronakdborad]

Hi,

Can you please tell what can used for vulnerability findings in the binaries from the shellphish since the driller does not have methods for it.

Thanks.

[zardus]

Do you mean which tool finds crashing inputs? Driller is the right tool...

[ronakdborad]

I mean what we should be using to test the vulnerability finding abilities of the Shellphish team. Does driller have the right abilities to do it apart from finding the crashing inputs.

[zardus]

Ahh. So there are at least two parts of this:

1. The crashing input discovery. That's driller (this repository)
2. Crash triaging. There are two different triaging approaches (a quick triage and a slow triage) in rex, our exploitation component (https://github.com/shellphish/rex/blob/master/rex/crash.py).
3. The exploitation component. There are several projects that fall into this:
   • Specifically for the CGC, there's a "fast-path" exploitation component that attempts to fuzz for an exploit: https://github.com/mechaphish/pov_fuzzing
   • Specifically for the CGC, there is an information disclosure exploitation system: https://github.com/mechaphish/colorguard
   • Slightly more general, there our automatic exploitation system: https://github.com/shellphish/rex

We recently published a write-up of the whole system. It might be helpful to your efforts: http://phrack.org/papers/cyber_grand_shellphish.html

[ronakdborad]

Thanks a lot.