Title

SAEG: Stateful Automatic Exploit Generation

Authors
Corresponding author: Zhang, Yinqian
DOI
Publication date
2024
Conference name
29th European Symposium on Research in Computer Security, ESORICS 2024
ISSN
0302-9743
EISSN
1611-3349
ISBN
9783031709029
Proceedings title
Volume
14985 LNCS
Pages
127-145
Conference dates
September 16, 2024 - September 20, 2024
Conference location
Bydgoszcz, Poland
Publisher
Abstract
The field of Automatic Exploit Generation (AEG) plays a pivotal role in the assessment of software vulnerabilities, automating the analysis for exploit creation. Although AEG systems are instrumental in probing for vulnerabilities, they often lack the capability to contend with defense mechanisms such as vulnerability mitigation, which are commonly deployed in target environments. This shortfall presents significant challenges in exploitation. Additionally, most frameworks are tailored to specific vulnerabilities, rendering their extension a complex process that necessitates in-depth familiarity with their architectures. To overcome these limitations, we introduce the SAEG framework, which streamlines the repetitious aspects of existing exploit templates through a modular and extensible state machine that builds upon the concept of an Exploit Graph. SAEG can methodically filter out impractical exploitation paths by utilizing current information and the target program’s state. Additionally, it simplifies the integration of new information leakage methods with minimal overhead and handles multi-step exploitation procedures, including those requiring the leakage of sensitive data. We demonstrate a prototype of SAEG founded on symbolic execution that can simultaneously explore heap and stack vulnerabilities. This prototype can explore and combine leakage and exploitation effectively, generating complete exploits to obtain shell access for binary files across i386 and x86_64 architectures.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
University attribution
First ; Corresponding
Language
English
Indexed by
EI accession number
20243917080485
EI controlled terms
Program debugging
EI classification codes
:1106.1 ; :1106.2
Source database
EV Compendex
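Document type: Conference paper
Item identifier: http://sustech.caswiz.com/handle/2SGJ60CL/841067
Collection: College of Engineering_Sifakis Research Institute of Trustworthy Autonomous Systems
Southern University of Science and Technology
College of Engineering_Department of Computer Science and Engineering
Author affiliations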
Department of Computer Science and Engineering, Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, Shenzhen, China
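First author affiliation: Sifakis Research Institute of Trustworthy Autonomous Systems; Department of Computer Science and Engineering
Corresponding author affiliation: Sifakis Research Institute of Trustworthy Autonomous Systems; Department of Computer Science and Engineering
First affiliation of the first author: Sifakis Research Institute of Trustworthy Autonomous Systems; Department of Computer Science and Engineering
Recommended citation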
GB/T 7714
Wu, Yifan,Li, Yinshuai,Zhu, Hong,et al. SAEG: Stateful Automatic Exploit Generation[C]:Springer Science and Business Media Deutschland GmbH,2024:127-145.
Files in this item
There are no files associated with this item.