MCPcopy Index your code
hub / github.com/GhostFrankWu/SAEG

github.com/GhostFrankWu/SAEG @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
144 symbols 411 edges 15 files 7 documented · 5%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

SAEG: Stateful Automatic Exploit Generation

SAEG is a framework uses angr as symbolic execution engine for Automatic Exploit Generation (AEG). Its purpose is to provide an efficient framework for handling multi-stage exploits that include information leakage. As a conceptual implementation, SAEG has implemented parts of stack exploitation and a prototype for heap exploitation.
We provide source code and a one-click deployment script for reproduction and reference of other studies. It also offers some benchmark test cases, and you can check the results of these test cases in the CI run results.
If you want to know more about SAEG, please refer to our article.


SAEG 是一个使用 angr 作为符号执行引擎的 AEG (Automatic Exploit Generation) 框架,旨在提供一个高效的处理包含信息泄露的多步利用的框架。作为概念验证,SAEG 实现了部分栈利用以及一个堆利用的原型,并提供了源码及一键部署环境以供复现研究,同时也提供了一些基准测试用例,你可以在 CI 中看到这些测试用例的运行结果
如果您希望了解更多关于SAEG的信息,请查看我们的文章

Demo video for SAEG(演示视频):

asciicast demo video

Installing & Testing on Docker

It is recommended to use Ubuntu20.04 or later on docker to run the test.
Example of Docker file is based on Ubuntu22.04. Also refer to CI file for more details.

docker build -t saeg:01 .
# Run stack testset
docker run -v /tmp:/test_res saeg:01 bash -c 'cd /aeg && python3 saeg.py -f x -t stack'
# Get result
cat /tmp/test_result.txt
# Interactively run SAEG 
docker run -it saeg:01 bash

如果您在中国大陆地区,Dockerfile 中有两行注释掉的源(apt和pip),您可以取消注释并以加速构建。

Extra Dataset

Beyond the paper benchmarks, this repository includes an additional dataset for broader research use, which is not part of CI.
除论文基准数据外,本仓库还提供了一组额外数据,以便更广泛的研究使用;该数据集不包含在 CI 中。

docker run -v /tmp:/test_res saeg:01 bash -c 'cd /aeg && python3 test_extra_dataset.py'
cat /tmp/extra_test_result.txt

SAEG-unsupported and resource-limited extra cases are kept in assets/extra_dataset/unsupported for researchers to evaluate with other methods.
Please feel free to improve or surpass SAEG!
SAEG 暂不支持以及资源受限的额外样例保存在 assets/extra_dataset/unsupported,供研究者使用其他方法进行测试。
这里面的许多测试样例 SAEG 都不支持,请尽情玩耍,拓展 AEG 的边界

Usage

pwn local file:

python3 saeg.py -f input_file

pwn remote with libc and ld specified:

python3 saeg.py -f input_file -l [LIBC.so] -d [LD.so] -i [ip:port]
# for example:
# python3 saeg.py -f ./vuln -l `pwd`/libc.so -d ./ld.so -i 192.168.1.1:1337

Get help message:

python3 saeg.py --help

Framework Structure

SAEG was designed with the concept of scalability. If you want to simply modify/expand the framework, you may start with files starting with mod_.

SAEG是基于易于扩展的理念设计的,如果您希望简单地修改/扩充框架,可以考虑从mod_开头的文件开始。

Additional Documentation

Citation

If you use this repository for research, please cite our paper:

@inproceedings{saeg,
    title = {SAEG: Stateful Automatic Exploit Generation},
    author = {Yifan Wu and Yinshuai Li and Hong Zhu and Yinqian Zhang},
    booktitle = {European Symposium on Research in Computer Security},
    year = {2024}
}

Publication

Link of the draft version of our paper (Neither a submitted version nor a preprint):
Paper PDF

Reference of open source projects

Zeratool is a traditional symbolic execution framework for binary analysis and (stack) exploitation:
https://github.com/ChrisTheCoolHut/Zeratool

BOF_AEG is a simple stack exploitation tool based on angr: (Not available now)
https://github.com/Kirito0/bof_aeg

Simple framework for stack exploitation and detection of memory corruption:
https://github.com/Hank0438/AEG

Framework for detection of memory corruption:
https://github.com/angr/heaphopper

Awsome kernel AEGs (with angr):
https://github.com/plummm/SyzScope
https://github.com/seclab-ucr/SyzBridge

Discussion

The performance of the CI server provided by Github is fluctuating, so there may be significant deviations even after two consecutive runs. Therefore it is more recommended to run performance tests locally.

Github提供的CI服务器性能较为波动,即使连续两次运行也会有较大的偏差,因此更推荐在本地运行性能测试。

This framework focuses on static analysis and dynamic verification, so its effectiveness is not precise enough for all protecting mechanisms (including system-level ASLR) are disabled scenarios and utilizing dangling pointers on the stack. Currently, other solutions for work include dynamically running and interacting with GDB, but these contents are not the aim of this work (information leakage).

该框架侧重于静态分析,动态验证,因此对于保护全关的并禁用系统ASLR的场景以及利用栈上悬垂指针的场景效果不够精确,目前其他工作的解决方案是动态调试,但这些内容并非本工作(信息泄露)的目标。

Core symbols most depended-on inside this repo

warped_io
called by 22
aeg_module/binary_interactive.py
dump_payload
called by 21
aeg_module/utils.py
get_flag
called by 17
aeg_module/binary_interactive.py
r2_op
called by 16
aeg_module/challenge.py
close
called by 11
aeg_module/binary_interactive.py
run
called by 6
aeg_module/mod_tricks.py
local_aeg
called by 5
saeg.py
get_r2
called by 4
aeg_module/challenge.py

Shape

Method 64
Function 51
Class 29

Languages

Python100%

Modules by API surface

aeg_module/mod_sim_procedure.py30 symbols
aeg_module/utils.py21 symbols
aeg_module/mod_exploit.py18 symbols
aeg_module/mod_technique.py16 symbols
aeg_module/mod_leak.py13 symbols
aeg_module/binary_interactive.py10 symbols
aeg_module/challenge.py9 symbols
test_extra_dataset.py7 symbols
aeg_module/mod_sim_procedure_heap.py5 symbols
aeg_module/aeg_main.py5 symbols
saeg.py4 symbols
aeg_module/mod_tricks.py4 symbols

For agents

$ claude mcp add SAEG \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact