vulnerability-analysis

amattas/vulnerability-analysis

Productivity

About

SKILL.md

Vulnerability Analysis

Systematic identification and analysis of vulnerabilities in binary targets.

Vulnerability Classes

Class	Signals	Typical Cause
Stack BOF	No bounds check on input	`gets()`, `strcpy()`, `sprintf()`
Format String	User input as format arg	`printf(buf)` instead of `printf("%s", buf)`
Heap Corruption	Dynamic allocation + free	UAF, double-free, heap overflow
Integer Overflow	Arithmetic on user input	Size calculations, array indexing
Race Condition	Multi-threaded or file ops	TOCTOU, signal handlers
Logic Bug	Unexpected program state	Auth bypass, incorrect checks

Analysis Process

Trace user input - Where does it enter? Where does it go?
Find sinks - Dangerous functions that consume input
Check bounds - Are there size limits? Are they enforced?
Check protections - What mitigations affect exploitation?

Dangerous Function Patterns

// Stack BOF
gets(buf);                    // No bounds
strcpy(dst, src);             // No bounds
sprintf(buf, fmt, ...);       // No bounds
scanf("%s", buf);             // No bounds

// Format String
printf(user_input);           // User controls format

// Command Injection
system(user_input);           // Direct command exec
popen(user_input, "r");       // Command exec

Mitigation Bypass Planning

Have	Need	Strategy
BOF + NX	Code exec	ROP chain, ret2libc
BOF + Canary	Bypass	Leak canary first
BOF + PIE	Fixed addr	Leak code address
Format + No write	Write primitive	Use %n specifier
Heap + no leak	Info leak	Heap feng shui

Output

Produce context/vulnerability-analysis.md using the template.

Vulnerability Analysis

Systematic identification and analysis of vulnerabilities in binary targets.

Vulnerability Classes

Class	Signals	Typical Cause
Stack BOF	No bounds check on input	`gets()`, `strcpy()`, `sprintf()`
Format String	User input as format arg	`printf(buf)` instead of `printf("%s", buf)`
Heap Corruption	Dynamic allocation + free	UAF, double-free, heap overflow
Integer Overflow	Arithmetic on user input	Size calculations, array indexing
Race Condition	Multi-threaded or file ops	TOCTOU, signal handlers
Logic Bug	Unexpected program state	Auth bypass, incorrect checks

Analysis Process

Trace user input - Where does it enter? Where does it go?
Find sinks - Dangerous functions that consume input
Check bounds - Are there size limits? Are they enforced?
Check protections - What mitigations affect exploitation?

Dangerous Function Patterns

// Stack BOF
gets(buf);                    // No bounds
strcpy(dst, src);             // No bounds
sprintf(buf, fmt, ...);       // No bounds
scanf("%s", buf);             // No bounds

// Format String
printf(user_input);           // User controls format

// Command Injection
system(user_input);           // Direct command exec
popen(user_input, "r");       // Command exec

Mitigation Bypass Planning

Have	Need	Strategy
BOF + NX	Code exec	ROP chain, ret2libc
BOF + Canary	Bypass	Leak canary first
BOF + PIE	Fixed addr	Leak code address
Format + No write	Write primitive	Use %n specifier
Heap + no leak	Info leak	Heap feng shui

Output

Produce context/vulnerability-analysis.md using the template.