KitPloitKITPLOIT:1373460246636191844Functrace - A Function Tracer
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
61.5%
functrace is a tool that helps to analyze a binary file with dynamic instrumentation using DynamoRIO (<http://dynamorio.org/>).
These are some implemented features (based on DynamoRIO):
- disassemble all the executed code
- disassemble a specific function (dump if these are addresses)
- get arguments of a specific function (dump if these are addresses)
- get return value of a specific function (dump if this is an address)
- monitors application signals
- generate a report file
- ghidra(<https://ghidra-sre.org/>) coverage script (based on the functrace report file)
Setup
$ wget https://github.com/DynamoRIO/dynamorio/releases/download/release_7_0_0_rc1/DynamoRIO-Linux-7.0.0-RC1.tar.gz
$ tar xvzf DynamoRIO-Linux-7.0.0-RC1.tar.gz
OR
$ wget https://github.com/DynamoRIO/dynamorio/releases/download/cronbuild-7.91.18047/DynamoRIO-x86_64-Linux-7.91.18047-0.tar.gz
$ tar xvzf DynamoRIO-x86_64-Linux-7.91.18047-0.tar.gz
You can also clone and compile directly DynamoRIO
$ git clone https://github.com/invictus1306/functrace
$ mkdir -p functrace/build
$ cd functrace/build
$ cmake .. -DDynamoRIO_DIR=/full_DR_path/cmake/
$ make -j4
Using functrace
$ drrun -c libfunctrace.so -report_file report -- target_program [args]
Options
The following [functrace](<https://github.com/invictus1306/functrace>) options are supported:
-disassembly -> disassemble all the functions
-disas_func function_name -> disassemble only the function function_name
-wrap_function function_name -> wrap the function function_name
-wrap_function_args num_args -> number of arguments of the wrapped function
-cbr -> remove the bb from the cache (in case of conditional jump)
-report_file file_name -> report file name (required)
-verbose -> verbose
Simple usage
Option -verbose
$ drrun -c libfunctrace.so -report_file report -verbose -- target_program [args]
Option -disassemby
$ drrun -c libfunctrace.so -report_file report -disassembly -- target_program [args]
Option -disas_func
$ drrun -c libfunctrace.so -report_file report -disas_func name_function -- target_program [args]
Option -wrap_function and -wrap_function_args
$ drrun -c libfunctrace.so -report_file report -wrap_function name_function -wrap_function_args num_args -- target_program [args]
Option -cbr
$ drrun -c libfunctrace.so -report_file report -cbr -- target_program [args]
CVE-2018-4013 - Vulnerability Analysis
A vulnerability on the LIVE555 RTSP server library. This is the description.
Working enviroment
Tested on Ubuntu 16.04.5 LTS 64 bit
Future features
- Ghidra plugin
- Visual setup interface
- Store and compare different coverage analysis
- Run DR directy from ghidra
- Add more functionality to functrace
- Support for Android
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
61.5%