CAEG: crash-based automatic exploit generation

In this paper, CAEG (Crash-based Automatic Exploit Generation) is proposed to automatically generate binary program exploits based on known crash inputs. In CAEG we analyze the input causing a program crash and address two main challenges: how to reproduce the crash state and how to automatically generate control flow hijacking exploits. Firstly, a path-oriented algorithm is proposed to find the crash path using symbolic execution techniques by treating the crash input as a symbolic value. Secondly, we summarize the principle of multiple control flow hijacking vulnerability exploits. In addition, consider bypassing the vulnerability mitigation mechanism by using springboard instructions to bypass Address Space Layout Randomization (ASLR) and return-to-libc to bypass Non-executable bit (NX). We tested 11 open source software with vulnerabilities (8 from the test sets of AEG and MAYHEM, and 3 from the CVE and EDB vulnerability repositories). The experimental results show that our scheme is more efficient than AEG and MAYHEM.