crashmon - A LLDB Based replacement for CrashWrangler


Crashmon, like CrashWrangler, is an LLDB wrapper (used together with lisa.py) for deciding whether a crash is an exploitable security issue and whether it is a duplicate of an already known crash.

Usage

========= Build Instructions =========

macOSResearch ✗ git clone https://github.com/ant4g0nist/crashmon
macOSResearch ✗ cd crashmon
crashmon git:(main) ✗ make
crashmon git:(main) ✗ make install

example

To debug macOS system applications and services you will need to disable SIP (System Integrity Protection): crashmon drives the target through LLDB, and SIP blocks debuggers from attaching to Apple-signed system processes.

========= Environment Variable Reference =========

CW_CURRENT_CASE: Path of the test case file being opened in the target application. If set, crashmon reads the file and saves a copy of it into the triaged-crash folder alongside the crash log. This is handy while fuzzing: the input that caused the crash is preserved even after the fuzzer has moved on to the next one.

CW_ATTACH_PID: If set, use this pid as the process to monitor for crashes.
e.g. env CW_ATTACH_PID=12313 CW_CURRENT_CASE=foo ./crashmon or sudo env CW_ATTACH_PID=12313 CW_CURRENT_CASE=foo ./crashmon

CW_LOG_DIR: (Default ./crashlogs) The directory to output crashlogs to.

CWE_*: Any environment variable prefixed with CWE_ is passed to the child with the prefix removed (CWE_FOO=1 becomes FOO=1 in the target). This does not apply when attaching with CW_ATTACH_PID or CW_REGISTER_LAUNCHD_NAME, since in that case crashmon does not launch the process itself.

========= crashmon return values =========

No crash = 0
Crash = 1
Timeout = 2
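The environment-variable interface and the return values above are all a fuzzing loop needs from crashmon. The following driver is an added example, not part of crashmon: it runs one test case per invocation with CW_CURRENT_CASE and CW_LOG_DIR set, forwards extra variables to the target through the CWE_ prefix, and maps the return code to a label. It assumes crashmon is started as `crashmon <target> <testcase>` (the invocation shape of the project's own example run) and that the caller supplies the path to the binary; `run_case`, `triage_dir` and the MallocScribble knob are choices of this example.

```python
"""Added example (not crashmon's code): a minimal fuzzing-loop driver around the
environment variables and return values documented above.

Assumptions: crashmon is invoked as `crashmon <target> <testcase>`; the binary path is
passed in by the caller; CWE_-prefixed variables are stripped to their bare names by
crashmon itself before the child is launched.
"""
import os
import subprocess
from pathlib import Path

RETURN_LABELS = {0: "no-crash", 1: "crash", 2: "timeout"}  # crashmon return values


def label_for(returncode):
    """Map a crashmon exit status to its documented meaning."""
    return RETURN_LABELS.get(returncode, f"unknown({returncode})")


def run_case(crashmon_cmd, target, testcase, log_dir="./crashlogs", child_env=None):
    """Run one test case under crashmon and return its label.

    CW_CURRENT_CASE makes crashmon copy the test case into log_dir next to the crash
    log, so a crashing input survives even if the fuzzer overwrites it afterwards.
    child_env entries reach the target with the CWE_ prefix, which crashmon strips.
    """
    env = dict(os.environ, CW_CURRENT_CASE=str(testcase), CW_LOG_DIR=str(log_dir))
    for name, value in (child_env or {}).items():
        env["CWE_" + name] = value
    proc = subprocess.run([*crashmon_cmd, str(target), str(testcase)], env=env,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return label_for(proc.returncode)


def triage_dir(crashmon_cmd, target, case_dir, **kwargs):
    """Run every file in case_dir through crashmon; return {label: [case paths]}."""
    results = {}
    for case in sorted(Path(case_dir).iterdir()):
        if case.is_file():
            label = run_case(crashmon_cmd, target, case, **kwargs)
            results.setdefault(label, []).append(case)
    return results


if __name__ == "__main__":
    import sys
    # usage: python driver.py /path/to/crashmon /path/to/target ./cases
    crashmon_bin, target, case_dir = sys.argv[1:4]
    # MallocScribble=1 makes libmalloc fill freed blocks with 0x55 and fresh ones
    # with 0xAA, so many silent use-after-free reads become visible faults.
    summary = triage_dir([crashmon_bin], target, case_dir,
                         child_env={"MallocScribble": "1"})
    for label, cases in summary.items():
        print(label, len(cases))
```

Crash logs and the copied test cases land in CW_LOG_DIR, so the driver discards crashmon's own stdout; if you want the banner and LLDB chatter, log it to a file instead of DEVNULL. Attach mode (CW_ATTACH_PID) is not covered here because crashmon then takes no target argument.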

========= Exploitability algorithm =========

The algorithm for determining exploitability looks like this:

Exploitable if:
  • Crash on a write instruction
  • Crash executing an invalid address
  • Crash calling an invalid address
  • Illegal instruction exception
  • Abort due to -fstack-protector, _FORTIFY_SOURCE, or heap corruption detected by the allocator
  • Stack trace of the crashing thread contains certain functions such as malloc, free, szone_error, objc_msgSend, etc.

Not exploitable if:
  • Divide by zero exception
  • Stack grows too large due to recursion
  • Null dereference (read or write)
  • Other abort
  • Crash on a read instruction
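The rules above, re-implemented as an added example (not crashmon's or lisa.py's code) over a constructed crash record, so that the decision order is explicit. The record layout, the precedence between rules, the abort-message patterns, the 4 GiB null region, the recursion threshold and the stack-hash duplicate key are all assumptions of this example; the page lists the rules but not how crashmon orders them or buckets duplicates.

```python
"""Added example (not crashmon's or lisa.py's code): the exploitability rules listed
above over a constructed crash record.

Assumed record layout (the page does not specify one):
  exception  "EXC_BAD_ACCESS" | "EXC_BAD_INSTRUCTION" | "EXC_ARITHMETIC" | "SIGABRT"
  access     "read" | "write" | "exec" (how the faulting address was used) or None
  fault_addr faulting address (int) or None;  pc_mapped  True if pc lies in mapped code
  abort_msg  text printed before a SIGABRT, or "";  frames  crashing thread, innermost first
"""
import hashlib
from collections import Counter

# Frames the page names as a sign of heap misuse, plus assumed expansions of its "etc.".
SUSPICIOUS_FRAMES = {"malloc", "free", "szone_error", "objc_msgSend",
                     "realloc", "calloc", "malloc_zone_free", "free_tiny", "free_small"}
# Assumption: substrings of the messages Darwin libc/libmalloc print for
# -fstack-protector, _FORTIFY_SOURCE and heap-consistency aborts.
HARDENING_ABORT_PATTERNS = ("stack buffer overflow", "detected buffer overflow",
                            "incorrect checksum for freed object",
                            "pointer being freed was not allocated", "double free")
NULL_REGION_END = 0x1_0000_0000  # 64-bit macOS executables map __PAGEZERO over the low 4 GiB
RECURSION_DEPTH = 512            # assumption: deeper than this with one dominant frame = runaway recursion


def _is_runaway_recursion(frames):
    if len(frames) < RECURSION_DEPTH:
        return False
    _, count = Counter(frames).most_common(1)[0]
    return count > len(frames) // 4


def classify(crash):
    """Return (verdict, reason, rerun_with_libgmalloc).

    The page gives no precedence between its rules; here the clearly benign cases
    (divide by zero, recursion, null dereference) are filtered first, then the
    exploitable patterns, and a plain read fault is flagged for a libgmalloc(3) re-run.
    """
    exc, access = crash.get("exception"), crash.get("access")
    addr, frames = crash.get("fault_addr"), crash.get("frames") or []
    msg = (crash.get("abort_msg") or "").lower()
    bad_access = exc == "EXC_BAD_ACCESS"

    if exc == "EXC_ARITHMETIC":
        return ("not_exploitable", "divide by zero", False)
    if bad_access and _is_runaway_recursion(frames):
        return ("not_exploitable", "stack exhaustion from recursion", False)
    if bad_access and addr is not None and addr < NULL_REGION_END and access in ("read", "write"):
        return ("not_exploitable", f"null dereference ({access})", False)

    if bad_access and access == "write":
        return ("exploitable", "write to invalid address", False)
    if bad_access and (access == "exec" or not crash.get("pc_mapped", True)):
        return ("exploitable", "executing/calling an invalid address", False)
    if exc == "EXC_BAD_INSTRUCTION":
        return ("exploitable", "illegal instruction", False)
    if exc == "SIGABRT" and any(p in msg for p in HARDENING_ABORT_PATTERNS):
        return ("exploitable", "abort from stack protector / FORTIFY / heap check", False)
    hit = next((f for f in frames if f in SUSPICIOUS_FRAMES), None)
    if hit is not None:
        return ("exploitable", f"crashing thread inside {hit}", False)

    if exc == "SIGABRT":
        return ("not_exploitable", "other abort", False)
    if bad_access and access == "read":
        return ("not_exploitable", "read from invalid address", True)
    return ("not_exploitable", "no rule matched", False)


def crash_bucket(crash, depth=5):
    """Duplicate key: exception, access type and the top `depth` frames (the usual
    stack-hash approach; an assumption, since the page does not say how crashmon decides
    that two crashes are duplicates). The faulting address is deliberately excluded so
    the same bug hit at different heap addresses buckets together."""
    key = [str(crash.get("exception")), str(crash.get("access"))] + list(crash.get("frames") or [])[:depth]
    return hashlib.sha1("|".join(key).encode()).hexdigest()[:12]


# Constructed sample records, not real crash logs.
SAMPLES = {
    "null_write": dict(exception="EXC_BAD_ACCESS", access="write", fault_addr=0x18, pc_mapped=True,
                       abort_msg="", frames=["-[Parser parse:]", "main"]),
    "wild_write": dict(exception="EXC_BAD_ACCESS", access="write", fault_addr=0x4141414141414141,
                       pc_mapped=True, abort_msg="", frames=["-[Parser parse:]", "main"]),
    "pc_hijack": dict(exception="EXC_BAD_ACCESS", access="exec", fault_addr=0x4141414141414141,
                      pc_mapped=False, abort_msg="", frames=["0x4141414141414141", "main"]),
    "heap_abort": dict(exception="SIGABRT", access=None, fault_addr=None, pc_mapped=True,
                       abort_msg="malloc: *** error for object 0x600000a1c000: incorrect checksum "
                                 "for freed object - object was probably modified after being freed.",
                       frames=["__pthread_kill", "abort", "szone_error", "free_tiny", "free", "main"]),
    "read_oob": dict(exception="EXC_BAD_ACCESS", access="read", fault_addr=0x7FFF5FC00000,
                     pc_mapped=True, abort_msg="", frames=["-[Parser parse:]", "main"]),
    "recursion": dict(exception="EXC_BAD_ACCESS", access="write", fault_addr=0x16F000000,
                      pc_mapped=True, abort_msg="", frames=["recurse"] * 2000),
    "div0": dict(exception="EXC_ARITHMETIC", access=None, fault_addr=None, pc_mapped=True,
                 abort_msg="", frames=["divide", "main"]),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        verdict, reason, rerun = classify(rec)
        print(f"{name:11} {crash_bucket(rec)} {verdict:16} {reason}"
              + ("  -> re-run under libgmalloc" if rerun else ""))
```

Note that a null dereference wins over the write rule: a write through a small offset from NULL stays "not exploitable" even though it is a write, which is the ordering the page's list implies. The recursion sample also faults on a write (a stack push into the guard page) and is likewise filtered before the write rule.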

PS

This is meant to be used only as an initial triage system. Do not rely 100% on crashmon's output, as there may be bugs in lisa.py. Pull requests are appreciated.

It is therefore recommended to re-run the test case with libgmalloc(3) enabled (DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib, which crashmon can pass to the target as CWE_DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib) and check whether a crash that was classified as not exploitable, typically a plain read fault, turns into one that is considered exploitable.

todo

  • add lisa.py exploitable checks
  • test moreeee
  • follow xpc services (target function -> 'xpc_connection_get_pid'. Usecase: Safari->WebContent)

thanks

  • @apple for crashwrangler
  • LLVM
Issues
  • [-] PROGRAM ABORT : error: the specified architecture 'arm64-apple-macosx11.1.0' is not compatible with 'x86_64-apple-macosx12.0.0'

    Hi,

    I got an error when running the test case on macOS Monterey version 12.0.1 (Intel chip):

    ➜ crashmon git:(main) ./bin/crashmon tests/binaries/malloc_abort
    [ crashmon - ant4g0nist ]
    2022-03-31 14:40:34.529 crashmon[28224:5786690] timeout: 60
    [-] PROGRAM ABORT : error: the specified architecture 'arm64-apple-macosx11.1.0' is not compatible with 'x86_64-apple-macosx12.0.0' in '/Users/xxx/crashmon/tests/binaries/malloc_abort'
         Location : m1WranglerInit(), crashmon.mm:258
    ➜ crashmon git:(main)

    Could you fix this issue? Thanks!

    opened by k3vinlusec
Releases(0.0.2)
  • 0.0.2(Nov 7, 2021)

    Initial release of crashmon, a CrashWrangler replacement based on LLDB!

    Crashmon, same as CrashWrangler, is an LLDB wrapper together with lisa.py that can be used to determine if a crash is an exploitable security issue, and if a crash is a duplicate of another known crash.

    I appreciate pull requests for any bug fixes/trophies/usecases, well you get the idea!

    Happy Hacking 🤖🤖🤖🤖

Owner
Chaithu
Vulnerability Researcher