exploitable: The ‘exploitable’ GDB plugin (exploitable/exploitable.py)
‘exploitable’ is a GDB extension that classifies Linux application bugs by severity. The extension inspects the state of a Linux application that has crashed and outputs a summary of how difficult it might be for an attacker to exploit the underlying software bug to gain control of the system. The extension can be used to prioritize bugs for software developers so that they can address the most severe ones first.
The extension implements a GDB command called ‘exploitable’. The command uses heuristics to describe the exploitability of the state of the application that is currently being debugged in GDB. The command is designed to be used on Linux platforms and versions of GDB that include the GDB Python API. Note that the command will not operate correctly on core file targets at this time.
WARNING: This is an engineering tool. It has not been exhaustively tested, and has not been executed on many flavours of Linux! Please read and understand the classification rules (lib/rules.py) before use and modify the source code to suit your specific testing needs if necessary.
exploitable runs inside GDB’s embedded Python interpreter (which depends on the Python C API) and drives the debugger through GDB’s Python API.
exploitable iterates over an ordered list of “rules” (lib/rules.py) to generate a Classification (lib/classifier.py). If the state of the application running in GDB matches a rule, exploitable adds the corresponding “tag” to the Classification. The result of an exploitable invocation is a Classification, either printed to GDB’s stdout or stored to a pickle file, depending on the command parameters.
The entry point for the GDB command is defined in exploitable.py. Iteration over the rules is implemented by a Classifier object (lib/classifier.py). The methods that decide whether a rule matches are contained in per-platform “analyzers” (lib/analyzers/). The state of the application is queried through a set of GDB API wrapper objects and methods (see lib/gdb_wrapper/x86.py for details). A Classification (lib/classifier.py) retains the attributes of the “most exploitable” tag, i.e. the matching rule with the lowest position in the ordered list, but it also keeps an ordered list of all other matching tags.
Because severity follows list order, the classification rules in lib/rules.py can be re-prioritized simply by cutting and pasting a rule definition to a different position in the list.
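The following is an added, stand-alone Python illustration of the architecture the three preceding paragraphs describe (an ordered rule list, a classifier that collects the tag of every matching rule, a Classification whose first tag is the most severe one, re-prioritization by reordering, and pickle output). It is not code from the exploitable project: the CrashState fields, the rule names, their match conditions and the severity labels are all constructed for the example and do not correspond to the rules in lib/rules.py or to the plugin's GDB wrapper objects.

```python
"""Toy rule-ordered crash classifier modelled on the design described in the
exploitable README. Added example, not exploitable's own code: every field,
rule and label below is illustrative."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import pickle


@dataclass(frozen=True)
class CrashState:
    """Constructed snapshot of a crashed process. In the real plugin this
    information comes from GDB through the lib/gdb_wrapper objects."""
    signal: str                 # e.g. "SIGSEGV", "SIGABRT"
    pc_mapped: bool             # is the program counter inside mapped memory?
    fault_addr: Optional[int]   # faulting data address, None if not applicable
    access_is_write: bool       # did the faulting instruction write memory?
    stack_valid: bool           # could the stack be unwound?


@dataclass(frozen=True)
class Rule:
    tag: str                               # name added to the Classification on match
    ranking: str                           # coarse severity bucket (illustrative labels)
    matches: Callable[[CrashState], bool]  # predicate over the crash state
    description: str


@dataclass
class Classification:
    """All matching tags in rule order; the first one is the most severe."""
    tags: List[str] = field(default_factory=list)
    descriptions: List[str] = field(default_factory=list)

    @property
    def primary(self) -> Optional[str]:
        return self.tags[0] if self.tags else None

    def summary(self) -> str:
        if not self.tags:
            return "no rule matched"
        return f"{self.primary}: {self.descriptions[0]} (other tags: {self.tags[1:]})"


# Ordered from most to least severe. These rules are made up for the example
# and are not the rules shipped in exploitable's lib/rules.py.
RULES: List[Rule] = [
    Rule("PcNotMapped", "EXPLOITABLE",
         lambda s: not s.pc_mapped,
         "program counter points outside mapped memory"),
    Rule("WriteToUnmapped", "EXPLOITABLE",
         lambda s: s.signal == "SIGSEGV" and s.access_is_write and s.fault_addr is not None,
         "segfault on a write to an unmapped address"),
    Rule("StackUnwindFailed", "PROBABLY_EXPLOITABLE",
         lambda s: not s.stack_valid,
         "stack could not be unwound; frame data may be corrupted"),
    Rule("ReadNearNull", "PROBABLY_NOT_EXPLOITABLE",
         lambda s: s.signal == "SIGSEGV" and not s.access_is_write
                   and s.fault_addr is not None and s.fault_addr < 0x1000,
         "read fault close to address zero; likely a NULL dereference"),
    Rule("AbortSignal", "PROBABLY_NOT_EXPLOITABLE",
         lambda s: s.signal == "SIGABRT",
         "process raised SIGABRT (assertion or runtime check)"),
]


def classify(state: CrashState, rules: List[Rule] = RULES) -> Classification:
    """Walk the rules in order and collect the tag of every rule that matches."""
    result = Classification()
    for rule in rules:
        if rule.matches(state):
            result.tags.append(rule.tag)
            result.descriptions.append(rule.description)
    return result


def reprioritized(rules: List[Rule], tag: str, new_index: int) -> List[Rule]:
    """Copy of the rule list with one rule moved: the README's cut/paste
    re-prioritization, done programmatically."""
    moved = next(r for r in rules if r.tag == tag)
    rest = [r for r in rules if r.tag != tag]
    rest.insert(new_index, moved)
    return rest


def roundtrip(c: Classification) -> Classification:
    """Serialize and reload a Classification, as a consumer of the plugin's
    pickle output would."""
    return pickle.loads(pickle.dumps(c))


if __name__ == "__main__":
    # Constructed sample: a write fault with a stack that cannot be unwound.
    crash = CrashState("SIGSEGV", pc_mapped=True, fault_addr=0x41414141,
                       access_is_write=True, stack_valid=False)
    print(classify(crash).summary())
    print(classify(crash, reprioritized(RULES, "StackUnwindFailed", 0)).summary())
```

Moving a rule earlier in the list changes which tag becomes the primary one without touching the match logic, which is exactly why the plugin's rule order is the thing to edit when a team disagrees with its default prioritization.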
Copyright (c) 2013 Jonathan Foote