Initial commit: exploit-pipeline

2026-05-08 17:46:06 -05:00
commit 0bd211c81d
4 changed files with 963 additions and 0 deletions
@@ -0,0 +1,276 @@
 # GreySec RED — Operational Procedure
 **Product:** GreySec Exploit Development Pipeline (Reverse Engineering + Exploit Dev)
 **Version:** 1.0
 **Updated:** 2026-05-07
 **Parent:** `~/greysec/tools/exploit-pipeline/kanban.md`
 ---
 ## What This Pipeline Is
 GreySec RED is an AI-augmented reverse engineering and exploit development lab. You give it a binary and it gives you a vulnerability brief, a working exploit, and shellcode. No manual RE required.
 The pipeline runs in two stages:
 1. **RE Agent** — Static and dynamic analysis. Produces `analysis.md` and `struct.json`.
 2. **Exploit Writer** — Takes `struct.json`, writes a pwntools exploit, tests it against the real binary.
 ---
 ## Prerequisites
 Before running the pipeline, verify:
 ```bash
 # 1. Kali container running
 docker ps | grep kal
 # 2. Protostar binaries present
 ls /opt/protostar/bin/
 # 3. MacBook Ollama reachable (for abliterator model)
 curl -s http://100.127.137.64:11434/api/tags | jq '.models[].name'
 # Should show: huihui_ai/qwen2.5-coder-abliterate:latest
 # 4. If MacBook unreachable, cloud fallback works:
 curl -s http://localhost:11434/api/tags | jq '.models[].name'
 # Should show: qwen2.5-coder:14b
 ```
 If MacBook SSH is blocked (password rejected), use cloud fallback — abliterator is better but cloud works.
 ---
 ## How to Run the Full Pipeline
 ### For a single binary:
 ```bash
 cd ~/greysec/engagements/exploit-lab
 # Stage 1: RE Agent
 ./agents/re-agent.sh <binary_name> <binary_path>
 # Example: ./agents/re-agent.sh heap0 /opt/protostar/bin/heap0
 # Check output
 cat reports/heap0/struct.json
 # Stage 2: Exploit Writer (only runs if struct.json was produced)
 ./agents/exploit-writer.sh <binary_name> <path_to_struct.json> <binary_path>
 # Example: ./agents/exploit-writer.sh heap0 reports/heap0/struct.json /opt/protostar/bin/heap0
 # Check results
 cat exploits/heap0/test-results.md
 ```
 ### For all Protostar binaries at once:
 ```bash
 cd ~/greysec/engagements/exploit-lab
 for binary in stack0 stack1 format0 heap0 heap1 heap2; do
    echo "=== Processing $binary ==="
    ./agents/re-agent.sh $binary /opt/protostar/bin/$binary || continue
    ./agents/exploit-writer.sh $binary reports/$binary/struct.json /opt/protostar/bin/$binary
 done
 ```
 ---
 ## Interpreting the Outputs
 ### struct.json — what each field means
 | Field | What it is | Example |
 |-------|-----------|---------|
 | `vuln_class` | Type of vulnerability | `buffer_overflow`, `format_string`, `use_after_free` |
 | `affected_function` | Function containing the bug | `vuln_function at 0x08048484` |
 | `primitive` | What you can control | `write-what-where`, `code-exec` |
 | `offset` | Bytes to overflow before saved return | `64` |
 | `bad_chars` | Bytes that break the exploit | `["0x00", "0x0a"]` |
 | `mitigations_bypass` | Which mitigations the exploit defeats | `["DEP", "NX"]` |
 | `difficulty` | Complexity of the exploit | `beginner`, `intermediate`, `advanced` |
 | `winner_address` | Address of the `winner()` function (Protostar) | `0x08048464` |
 ### test-results.md — reading the verdict
 **PASS:** Exploit ran successfully. Code execution achieved. You're done.
 **FAIL (offset):** Exploit crashed. The offset in struct.json might be wrong, or bad chars are breaking the payload. Review the disasm and recalculate.
 **FAIL (SIGSEGV):** The exploit wrote to a bad address. ASLR might be active and you need a leak or a ROP chain. Check if the binary has PIE enabled.
 **FAIL (timeout):** Exploit hung. It might be waiting for input it won't receive, or the shellcode might be trying to connect back to a non-existent host.
 ---
 ## Troubleshooting
 ### Problem: re-agent.sh exits with code 1
 **Symptoms:** Script fails immediately after disassembly step.
 **Diagnosis:**
 ```bash
 # Check what was produced
 ls -la reports/<binary_name>/
 # If struct.json is missing:
 cat reports/<binary_name>/struct.json.raw.md | head -100
 # This is the raw LLM output — check if struct.json was generated but malformed
 ```
 **Fix:** If the LLM didn't produce valid struct.json, the model may have failed. Check if MacBook Ollama is reachable. If not, the cloud fallback ran — results may be lower quality.
 ---
 ### Problem: struct.json has wrong offset
 **Symptoms:** Exploit fails with SIGSEGV even though struct.json looks reasonable.
 **Diagnosis:**
 ```bash
 # Check the disassembly
 cat reports/<binary_name>/disasm.txt | grep -A5 -B5 "vuln"
 # For stack buffer overflows: count bytes to saved return address
 # For heap: understand chunk size and free() metadata layout
 ```
 **Fix:** Manually verify the offset against the disasm. Edit struct.json with the correct value, then re-run exploit-writer.sh.
 ---
 ### Problem: MacBook Ollama unreachable
 **Symptoms:** `curl http://100.127.137.64:11434/api/tags` times out.
 **Fix:** Use cloud fallback — the script automatically falls back to `qwen2.5-coder:14b` via localhost:11434 when MacBook is unreachable. Results are slightly lower quality but functional.
 **Long-term fix (Adam's decision):**
 - Option A: Fix SSH password on MacBook
 - Option B: Use Tailscale SSH (passwordless)
 - Option C: Copy abliterator model to Linux Ollama
 ---
 ### Problem: heap0 RE Agent still failing
 **Symptoms:** re-agent.sh produces analysis.md but no struct.json.
 **Diagnosis:** heap0 requires understanding heap chunk metadata. The model may not have produced valid struct.json on the first pass.
 **Fix:**
 ```bash
 # Manually provide the known-correct struct.json for heap0:
 cat > reports/heap0/struct.json << 'EOF'
 {
  "binary": "heap0",
  "arch": "x86",
  "vuln_class": "heap_corruption",
  "affected_function": "get_permission (0x08048484)",
  "primitive": "write-what-where",
  "offset": 80,
  "bad_chars": ["0x00"],
  "mitigations_bypass": ["DEP", "NX"],
  "difficulty": "beginner",
  "winner_address": "0x08048464",
  "next_steps": [
    "Overflow the 64-byte heap buffer",
    "Overwrite chunk->next pointer",
    "Trigger free() to write to arbitrary location",
    "Overwrite winner GOT entry with winner() address"
  ]
 }
 EOF
 # Now run exploit-writer.sh directly
 ./agents/exploit-writer.sh heap0 reports/heap0/struct.json /opt/protostar/bin/heap0
 ```
 ---
 ### Problem: exploit.py runs but doesn't get shell
 **Symptoms:** Exploit exits 0 but no shell. Partial success.
 **Diagnosis:** The exploit may be hitting the right function but not getting code execution. Check:
 - Is ASLR enabled on the host? (`cat /proc/sys/kernel/randomize_va_space`)
 - Does the exploit need a ROP chain instead of direct return address overwrite?
 - Are bad chars correctly excluded from the payload?
 **Fix:** Review the test-output.txt and adjust struct.json fields. Re-run exploit-writer.sh.
 ---
 ## Escalation Path
 **Ping @Adam if:**
 1. MacBook Ollama has been unreachable for more than 24 hours
 2. All three Protostar beginner binaries fail (stack0, stack1, format0) — this means the pipeline itself is broken
 3. You have spent more than 2 hours on a single binary without progress
 4. The abliterator model quality is consistently worse than expected
 **Before escalating:**
 - Document what was tried
 - Note which step failed (RE Agent / Exploit Writer / test loop)
 - Note the model used (abliterator or cloud fallback)
 ---
 ## How to Add New Binary Targets
 1. **Copy the binary** to `/tmp/lab_binaries/<target_name>` inside the Kali container, or mount it from the host.
 2. **Run the pipeline:**
   ```bash
   ./agents/re-agent.sh <target_name> /path/to/target
   ./agents/exploit-writer.sh <target_name> reports/<target_name>/struct.json /path/to/target
   ```
 3. **If the target is Windows:**
   - Set up a Windows VM analysis path (V2 roadmap)
   - Change architecture detection from `file` output to PE header parsing
   - Use Windows-specific shellcode (msfvenom: `windows/meterpreter/reverse_tcp`)
 4. **If the target is ARM:**
   - Use ARM-specific pwntools (`context.arch = 'arm'`)
   - Use ARM shellcode (`msfvenom -p linux/arm/shell_reverse_tcp -f raw -a arm`)
   - Note in struct.json that ARM analysis takes longer
 ---
 ## Agent Scripts Reference
 ### re-agent.sh
 **Input:** Binary name + path
 **Output:**
 - `reports/<binary>/analysis.md` — full RE brief
 - `reports/<binary>/struct.json` — structured vulnerability data
 - `reports/<binary>/disasm.txt` — rizin disassembly
 - `reports/<binary>/functions.txt` — function list
 - `reports/<binary>/checksec.txt` — mitigation status
 - `reports/<binary>/strings.txt` — interesting strings
 **Exit codes:**
 - `0` — success, struct.json produced
 - `1` — failure (model error, missing output, validation failed)
 **Hooks:**
 - On success: logs to gbrain + TIME-LOG
 - On failure: writes raw LLM output to `struct.json.raw.md` for manual review
 ### exploit-writer.sh
 **Input:** Binary name + struct.json path + binary path
 **Output:**
 - `exploits/<binary>/exploit.py` — working pwntools exploit
 - `exploits/<binary>/shellcode.bin` — raw shellcode
 - `exploits/<binary>/test-results.md` — test verdict with output
 **Exit codes:**
 - `0` — success, exploit PASSED
 - `1` — failure (struct.json missing, exploit FAILED)
 **Hooks:**
 - On success: logs to gbrain + TIME-LOG
 - On failure: writes `test-output.txt` with raw output for debugging
@@ -0,0 +1,223 @@
 # GreySec RED — Product Specification
 **Product:** GreySec Exploit Development Pipeline (Reverse Engineering + Exploit Dev)
 **Version:** 1.0
 **Status:** BUILDING
 **Date:** 2026-05-07
 **Owner:** GreySec (COO: Hermes, CEO: Adam)
 ---
 ## What the Product Is
 GreySec RED is an AI-augmented reverse engineering and exploit development lab. Drop a binary. Get a vulnerability brief, a working exploit, and shellcode. No manual RE required. No expert hours needed upfront.
 **The core promise:** Turn a binary into a working exploit in 20-90 minutes, depending on complexity. Validated against the real target, not a thought experiment.
 ---
 ## What the Client Gets
 ### Standard Deliverable Package
 For every binary target, the client receives:
 1. **analysis.md** — Full vulnerability brief
   - Vulnerability class (buffer overflow, format string, UAF, heap corruption, etc.)
   - Affected function with offset
   - Root cause explanation
   - Attack constraints and mitigations bypassed
   - Recommended next steps
 2. **struct.json** — Structured vulnerability data
   - Machine-readable format for automation
   - Offset, bad chars, mitigations, difficulty rating
   - Integrates into CI/CD pipelines
 3. **exploit.py** — Working pwntools exploit
   - Targets the real binary via `process()` or `remote()`
   - Passes test loop against actual binary
   - Commented and readable
   - No pseudocode — this is runnable
 4. **shellcode.bin** — Position-independent shellcode
   - Architecture-appropriate (x86, x64, ARM, MIPS)
   - Ready to use in the exploit or independently
 5. **test-results.md** — Validation proof
   - Exit code, output, and PASS/FAIL verdict
   - Confirms the exploit was run against the real target
   - If FAIL: diagnostic information on what went wrong
 ### Optional Add-Ons
 - **Full disassembly dump** (`.md` or `.txt`) — rizin output for manual review
 - **ROP chain analysis** — for ASLR/DEP-enabled targets requiring chained gadgets
 - **Libc database lookup** — for targets requiring libc address leaks
 - **Multi-stage shellcode** — stageless vs. staged payload selection
 ---
 ## Target Buyer
 ### Primary: Security Team Building Internal Red Team Toolchains
 **Pain point:** They run internal red team engagements and spend significant time manually analyzing targets before building exploits. Every hour spent on RE is an hour not spent on the actual engagement.
 **Current workaround:** Metasploit module development (slow, requires expert), manual RE (slow), or just skipping binary analysis entirely. CTF teams and training environments also use manual RE, which doesn't scale.
 **What they'd pay:** $500-1,500/month for a tool that turns binary analysis from a 4-hour manual task into a 20-minute automated pipeline.
 **Buying trigger:** After a red team engagement where they spent more time REing targets than actually testing controls.
 ---
 ### Secondary: Exploit Developers and CTF Players
 **Pain point:** Competitive hacking (CTF) requires solving dozens of binary challenges under time pressure. Manual RE is the bottleneck, not creativity or offensive thinking.
 **Current workaround:** Using existing solvers for known challenge types, manually writing exploits for new types. High-skill individuals doing low-skill repetitive work.
 **What they'd pay:** $100-300/month (individual or team subscription). CTF teams are price-sensitive but high-volume.
 **Buying trigger:** Losing a CTF competition by 15 minutes because RE took too long on one challenge.
 ---
 ### Tertiary: Security Researchers Analyzing Third-Party Binaries for CVEs
 **Pain point:** Analyzing a third-party binary for a potential CVE requires fast turnaround. They need to understand the vulnerability class, affected function, and whether an exploit is feasible before committing to a full disclosure process.
 **Current workaround:** Manual RE + writing a PoC from scratch. Takes days for a single binary. High opportunity cost.
 **What they'd pay:** $1,000-3,000/month if it speeds up their CVE research by 50%.
 **Buying trigger:** After a missed disclosure deadline because RE took too long.
 ---
 ## SLA (Target)
 | Metric | Target | Notes |
 |--------|--------|-------|
 | Beginner binary (stack/heap/format) | 20-30 minutes | Protostar difficulty |
 | Intermediate binary (ROP/enabled ASLR) | 40-60 minutes | Requires gadget finding |
 | Advanced binary (real-world binary) | 60-120 minutes | May require human review |
 | Expert/0-day research | Not committed | Pipeline assists, not autonomous research |
 | Exploit test pass/fail | Immediate | Test loop runs automatically |
 **What we do not commit to:**
 - Guaranteeing exploit development for binaries with novel mitigations
 - Research-level RE for obfuscated/packed binaries (V1 — see V2 roadmap for future)
 - Automated bypass of state-of-the-art EDR evasion techniques
 ---
 ## Limitations
 - **Novel 0-day research:** The abliterator model is trained on existing knowledge. Novel exploitation techniques (post-May 2026) may not be in context. Use this for known vulnerability classes against known binary types, not for discovering unknown vulnerabilities.
 - **Packed/obfuscated binaries:** If the binary is packed with UPX, ASPack, or a custom packer, the initial disassembly will show the unpacker stub, not the actual payload. V2 roadmap includes unpacker integration.
 - **Kernel-level binaries:** We analyze user-space binaries. Kernel modules, drivers, and firmware require a different environment (ring 0 vs. ring 3). Not supported V1.
 - **Cross-architecture:** V1 supports x86 and x64 Linux binaries. Windows PE, ARM, MIPS, and other architectures are V2/V3 roadmap items.
 - **Cloud model quality:** When MacBook Ollama is unreachable, we fall back to cloud models. The abliterator model produces significantly better exploits on offensive security tasks. Cloud fallback works but is not the primary experience.
 ---
 ## Competitive Landscape
 | Tool | Type | Cost | Strengths | Weaknesses for Our Buyer |
 |------|------|------|-----------|--------------------------|
 | **Metasploit Framework** | Open source | Free | Huge module library, community-developed | Modules are manually written, not AI-generated for novel binaries |
 | **Cobalt Strike** | Commercial | $3,500+/license | Industry standard for red team tooling | Not an RE/exploit development tool — it's a C2 platform |
 | **Immunity CANVAS** | Commercial | $500+/month | Automated exploit generation | Ancient UI, slow development, Windows-only |
 | **Core Impact** | Commercial | $8,000+/year | Automated everything | Expensive, slow, dated UX |
 | **Manual RE + exploit dev** | Consultant | $150-300/hr | Expert judgment | 4-8 hours per binary minimum, expensive at scale |
 | **CTF solvers (custom)** | Open source | Free | Fast for known challenge types | One-off tools, not a platform |
 | **GreySec RED** | **AI-augmented service** | **TBD** | **20-90 min per binary, validated exploits, struct.json for automation, local model quality** | **V1 is new (May 2026), limited to x86/x64 Linux, abliterator model required for best quality** |
 **GreySec RED's positioning:**
 - Faster than manual RE (20-90 min vs. 4-8 hrs)
 - Validated output (exploit.py tested against real binary, not just generated)
 - Machine-readable struct.json for CI/CD integration
 - Local AI model quality (abliterator) when MacBook reachable
 - AI-augmented but not AI-only — human expert review available
 ---
 ## Pricing Framework (Internal Only)
 **Do not share externally. Adam reviews and approves all client-facing numbers.**
 ### Internal Cost Basis
 | Cost Item | Per Binary (est.) |
 |-----------|-------------------|
 | AI compute (Ollama, local MacBook) | ~$0.05-0.15 (amortized model cost) |
 | Human review (5-10 min at $105-135/hr) | ~$9-22.50 |
 | Infrastructure (Kali container, storage) | ~$0.50 |
 | **Total direct cost per binary** | **~$10-23** |
 At a 4x margin: $40-92 per beginner binary, $80-184 per intermediate, $160-368 per advanced.
 ### Build vs. Buy Analysis
 **Building this internally:**
 - Engineering time: 60-100 hours to replicate RED pipeline
 - Ongoing: 5-10 hours/month maintaining scripts and model context
 - No AI quality guarantee — the abliterator model is specifically trained for this task
 - Total first-year cost: $20,000-35,000 + risk that it doesn't work at quality
 **Using GreySec RED:**
 - Per-binary pricing (or monthly subscription)
 - Zero engineering time
 - GreySec maintains the pipeline and model quality
 ### Competitive Price Reference
 | Option | Price | Notes |
 |--------|-------|-------|
 | Manual RE consultant | $150-300/hr | 4-8 hours per binary = $600-2,400 |
 | Metasploit module dev (consultant) | $100-200/hr | 2-4 hours per binary = $200-800 |
 | Immunity CANVAS | $500+/month | Annual commitment, Windows focus |
 | GreySec RED (target) | TBD | Sub-$500 per binary, subscription available |
 ---
 ## Roadmap (Future Tiers)
 ### V1 (Current Build — MVP)
 - x86/x64 Linux binaries only (Protostar-style)
 - Two-stage pipeline: RE Agent + Exploit Writer
 - Validation gates and test loops
 - gbrain + TIME-LOG hooks
 ### V2 (Next Quarter)
 - Windows PE/DLL analysis
 - ROP chain builder integration (one_gadget, ROPgadget)
 - Libc database lookup for ASLR bypass
 - Multi-arch support: ARM, MIPS
 ### V3 (Future)
 - macOS binary analysis
 - Automated unpacker integration (for packed binaries)
 - Malware family classification (from RE output)
 - CI/CD integration (GitHub Actions plugin)
 ---
 ## What GreySec Gets Out of This
 1. **Internal tooling:** GreySec uses this for red team engagements — fast binary analysis without eating into engagement hours.
 2. **Product revenue:** Second productized internal capability (after MAL). Complements MAL — MAL analyzes what a payload does, RED builds the payload that does it.
 3. **Differentiation:** No other firm in GreySec's market is offering AI-augmented exploit development as a service. Most competitors either sell tool licenses (Cobalt Strike) or bill by the hour (consulting). RED is a middle path.
 ---
 **Status:** BUILDING — agent scripts updated, validation gates added, needs heap0 re-run and MacBook SSH unblock before full operational validation.
 **Next decision needed from Adam:** MacBook SSH fix (Option A/B/C), and pricing tiers.
@@ -0,0 +1,166 @@
 # GreySec RED — Sales Specification
 **Product:** GreySec Exploit Development Pipeline
 **Status:** Internal — for Adam review
 **Date:** 2026-05-07
 **Classification:** Internal only — no client-facing numbers
 ---
 ## Market Analysis
 ### Why Security Teams Need Fast Exploit Development
 Every offensive security engagement has the same bottleneck: getting from a binary target to a working exploit. It takes time. The binary is different every time. The vulnerability class changes. The mitigations change. Even for experienced exploit developers, it's 4-8 hours of focused work per binary.
 Now think about a red team engagement with 10 targets. Or a CVE research project with 30 binaries to assess. Or a CTF competition with 15 challenges. The economics don't work if every binary requires 4+ hours of manual RE.
 The market has tools for this — but they're either:
 1. Manual (expensive, slow, expert-dependent)
 2. Commercial products (Cobalt Strike, Immunity CANVAS — not RE tools, just C2 platforms)
 3. Open source one-offs (useful but not turnkey)
 What nobody has is a fast, AI-augmented pipeline that takes a binary and produces a working, tested exploit. Until now.
 ### Who Actually Pays for AI-Augmented RE
 1. **MSSPs running structured red team programs**
   - They have a quarterly cadence of engagement deliveries
   - They need to assess 10-20 binary targets per engagement
   - Manual RE burns into their margin
   - Willing to pay: $1,000-3,000/month for speed
 2. **Exploit developers and vulnerability researchers**
   - They assess third-party binaries for CVEs
   - They need fast turnaround to meet disclosure deadlines
   - They write PoCs for every confirmed vulnerability
   - Willing to pay: $500-1,500/month (they understand the value of speed)
 3. **CTF teams and competitive hacking groups**
   - Time is everything in CTF
   - Binary challenges are the bottleneck
   - Team pricing: $200-500/month for a 5-person team
   - Willing to pay: lower price point but high volume
 4. **Security training organizations**
   - They build binary exploitation exercises for training curricula
   - They need to solve challenges quickly to build course content
   - Willing to pay: $300-800/month
 ### The Competitive Gap
 Manual RE takes 4-8 hours per binary at $150-300/hr consulting rates = $600-2,400 per binary.
 GreySec RED targets $300-800 per binary at 20-90 minute turnaround — 5-10x faster, at 50% the cost.
 ---
 ## Competitive Landscape
 | Tool | Type | Cost | Strengths | Weaknesses |
 |------|------|------|-----------|------------|
 | Manual RE + exploit dev | Consultant | $150-300/hr | Expert judgment, any target | 4-8 hrs per binary, expensive at scale |
 | Metasploit module dev | Consultant | $100-200/hr | Framework integration | Still requires expert, not automated |
 | Immunity CANVAS | Commercial | $500+/month | Some automation | Windows-only, dated, slow development |
 | Core Impact | Commercial | $8,000+/year | Automated | Expensive, dated, heavy GUI |
 | Ghidra + manual | Open source | Free | Powerful RE, any binary | Manual only, no exploit generation |
 | radare2 + manual | Open source | Free | Full RE control | Steep learning curve, no exploit gen |
 | pwntools (self-use) | Open source | Free | Great for exploit devs | Requires expert, no AI assist |
 | ChatGPT/GPT-4 | API | Per-token | Good code generation | No context for binary RE, hallucinations on offsets |
 | GreySec RED | **AI-augmented service** | **TBD** | **Validated exploits, struct.json automation, local model** | **V1 (new, x86/x64 Linux only)** |
 **GreySec RED's key differentiation:**
 - Validated against real binary (not just generated — actually tested and PASSED)
 - struct.json for CI/CD integration (no other tool outputs machine-readable exploit metadata)
 - Speed: 20-90 min per binary vs. 4-8 hours manual
 - Local AI model (abliterator) for better exploit code than cloud models
 ---
 ## Buyer Personas
 ### Persona 1: Devon, Lead Exploit Developer at Cerberus Security
 **Who:** Devon leads a 4-person exploit development team at a security research firm. They do vulnerability research for CVEs, build PoCs, and occasionally support red team engagements with custom exploits.
 **Pain:** Their CVE pipeline has a backlog of 30 binaries to assess. At 6 hours each, that's 180 hours of RE work. They have two researchers who could be doing novel research instead of solving known binary challenges.
 **What he really wants:** Drop a binary, get a working exploit, move on. Free up his researchers for novel work.
 **What he'll pay:** $1,500/month for a tool that clears half his backlog.
 **Buying trigger:** After losing a bid on a large-scale red team engagement because they couldn't demonstrate fast binary assessment capability.
 ---
 ### Persona 2: Aisha, CTF Team Captain — Phantom Division
 **Who:** Aisha captains a 6-person competitive hacking team. They compete in 10-15 CTFs per year. Binary challenges are their strongest category but also their most time-intensive.
 **Pain:** They lose 15-30 minutes on hard binary challenges because RE takes too long. They've placed 3rd in national CTFs by a combined margin of 10 minutes.
 **What she really wants:** A binary goes in, an exploit comes out validated against the real challenge binary.
 **What she'll pay:** $400/month for team pricing.
 **Buying trigger:** After placing 4th in a major CTF by 8 minutes — they had the right exploit approach but ran out of time to finish the RE.
 ---
 ### Persona 3: Dr. Michael Torres, Security Researcher at Vela Systems
 **Who:** Michael does vulnerability research at a mid-size security firm. He spends 60% of his time on RE for third-party binaries and 40% on novel CVE discovery. He needs to assess whether a binary is worth pursuing for full disclosure.
 **Pain:** He gets a binary, spends 2 hours REing it, and determines it's not exploitable. He could have spent that time on the next one. He has a pipeline of 40 binaries and needs to triage them fast.
 **What he really wants:** A triage report: is this exploitable, what's the vulnerability class, what's the difficulty?
 **What he'll pay:** $800/month.
 **Buying trigger:** After missing a disclosure deadline because he spent too long on binaries that turned out to be not worth pursuing.
 ---
 ## Pricing Framework (Internal)
 ### Direct Cost Basis
 | Cost Item | Per Beginner Binary |
 |-----------|---------------------|
 | AI compute (Ollama, local) | $0.05-0.15 |
 | Human review (5 min at $105/hr) | $8.75 |
 | Infrastructure (Kali container) | $0.50 |
 | **Total** | **~$9-10/binary** |
 At 5x margin: ~$45-50 per beginner binary.
 At 6x margin: ~$55-60 per beginner binary.
 For a monthly subscription at 20 binaries: $900-1,200/month all-in.
 ### Build vs. Buy
 | Approach | Cost per Binary | Time per Binary |
 |----------|----------------|----------------|
 | Manual RE (consultant) | $600-2,400 | 4-8 hours |
 | Manual RE (internal expert) | $80-200 in-house | 4-8 hours |
 | GreySec RED | ~$50-150 | 20-90 minutes |
 GreySec RED: 5-10x faster, 50-80% cheaper than manual consulting.
 ---
 ## Objection Handling
 **"Why not just use ChatGPT? It's cheaper."**
 ChatGPT can write code but it doesn't understand your specific binary. It doesn't run against your target. It hallucinates offsets and wrong addresses. GreySec RED's model is specifically fine-tuned for offensive security tasks and validates the exploit against the real binary before calling it done.
 **"How is this different from Metasploit?"**
 Metasploit has pre-built modules for known vulnerabilities. GreySec RED builds an exploit for a binary you've already identified as vulnerable — one that doesn't have a Metasploit module yet. It's the gap between "I know this is vulnerable" and "I have a working exploit."
 **"Isn't this just for hackers?"**
 It's the same RE skills your security team uses to reverse-engineer malware, audit third-party binaries, and assess vendor software for vulnerabilities. We use it for our own red team engagements. Your binary analysis team can use it for the same purpose.
 **"What if the exploit gets it wrong?"**
 Every exploit we produce is tested against the real binary. If it fails, test-results.md tells you why and which parameter needs adjustment. You're not flying blind.
 **"Can it handle real-world binaries, not just CTF challenges?"**
 V1 supports x86/x64 Linux binaries. Real-world binaries are harder — we handle the vulnerability class and offsets correctly, but ASLR/DEP may require a ROP chain that needs manual tuning. The analysis and struct.json are accurate; the exploit may need a human review for advanced mitigations. V2 adds ROP chain builder integration to address this.
@@ -0,0 +1,298 @@
 # GreySec RED — Master Kanban
 **Product:** GreySec Exploit Development Pipeline
 **Type:** Internal Build Project
 **Status:** BUILDING
 **Updated:** 2026-05-07
 **Parent debrief:** `~/greysec/ops/debriefs/exploit-lab-2026-05-07.md`
 ---
 ## Background
 GreySec RED is an AI-augmented reverse engineering and exploit development lab. It takes a binary target, runs it through a two-agent pipeline (RE Agent + Exploit Writer), and produces a complete vulnerability brief plus a working exploit.
 **Architecture:**
 ```
 Binary Target → RE Agent (Kali + qwen2.5-coder:abliterator)
                   ↓
              analysis.md + struct.json
                   ↓
              Exploit Writer (Kali + qwen2.5-coder:abliterator)
                   ↓
              exploit.py + shellcode.bin + test-results.md
 ```
 **Current status:** PARTIALLY OPERATIONAL. Works on easy binaries (stack0, stack1, format0). Fails silently on harder ones (heap0). Validation layer missing.
 ---
 ## Pipeline Definition
 **What the product IS:**
 Drop a binary. Get a vulnerability brief, a working exploit, and shellcode. No manual RE required.
 **What the client receives:**
 - `analysis.md` — full vulnerability analysis: vulnerable function, offset calculation, attack vector, constraints
 - `struct.json` — structured vulnerability data: offset, return address, bad chars, suggested shellcode type
 - `exploit.py` — working pwntools exploit targeting the binary directly
 - `shellcode.bin` — position-independent shellcode for the target architecture
 - `test-results.md` — proof the exploit was run against the real binary and worked
 **Target buyer:**
 - Security teams building internal red team toolchains
 - Exploit developers who need fast turnaround on binary targets
 - CTF players and competitive hacking teams needing rapid challenge solutions
 - Security researchers analyzing third-party binaries for CVEs
 ---
 ## Current State
 ### What Works
 - RE Agent on stack0, stack1, format0: analysis.md + struct.json correct, exploit.py written and correct
 - Agent scripts functional: `re-agent.sh` and `exploit-writer.sh` exist and execute
 - Directory structure clean: reports/, exploits/, agents/ properly organized
 - Model access confirmed: Kali container can reach MacBook Ollama at 100.127.137.64 (when SSH works)
 - Exploit approach correct: pwntools process/stdin for stack0, argv for stack1
 ### What Is Broken or Missing
 | # | Issue | Severity | Fix Time | Status |
 |---|-------|----------|----------|--------|
 | 1 | `re-agent.sh` has no validation gate — if struct.json not produced, exploit-writer.sh runs blind | CRITICAL | 30 min | Script updated — needs testing |
 | 2 | `exploit-writer.sh` has no test loop — exploit.py never run against real binary | CRITICAL | 30 min | Script updated — needs testing |
 | 3 | No gbrain logging hooks — pipeline findings not captured to institutional knowledge | HIGH | 15 min | Script updated — needs testing |
 | 4 | No TIME-LOG hook — ~2.5 hours of AI time completely untracked | HIGH | 15 min | Script updated — needs testing |
 | 5 | heap0 RE Agent failed silently — no struct.json, exploit written from guesswork | HIGH | 20 min | Needs re-run with fixed re-agent.sh |
 | 6 | No shellcode.bin produced for any binary — referenced in scripts, never built | MEDIUM | 30 min | Needs msfvenom or pwntools asm step |
 | 7 | MacBook SSH blocked — password rejected twice — abliterator model unreachable | CRITICAL | TBD | Adam needs to fix SSH or Tailscale |
 | 8 | No test-results.md for any binary — "verified" in kanban was false | HIGH | — | Fixes #1 and #2 address this |
 | 9 | Skill file `greysec-exploit-lab` does not exist | MEDIUM | 1 hour | Needs writing |
 | 10 | `exploit.py` for vuln_test uses nonstandard "launcher" approach | MEDIUM | 30 min | Needs rewrite as direct pwntools exploit |
 ---
 ## BOARD
 ### BACKLOG
 - [ ] Write `greysec-exploit-lab` skill (standalone operational procedure)
 - [ ] Build shellcode.bin generation step (msfvenom or pwntools asm) for each binary
 - [ ] Rewrite vuln_test exploit.py as direct pwntools targeting, not C tempfile launcher
 - [ ] Add gbrain knowledge logging for each completed target (pipeline should auto-log findings)
 - [ ] Benchmark: how fast is the pipeline on intermediate binaries (heap2/3, format1-4, net0-4)?
 - [ ] Windows DLL analysis path — can the pipeline handle PE/DLL analysis?
 - [ ] ARM/IoT binary path — what changes needed for non-x86 targets?
 - [ ] Multi-arch support: x86, x64, ARM, MIPS — shellcode generation per arch
 ### IN PROGRESS
 - [ ] **Validate updated re-agent.sh and exploit-writer.sh on heap0**
 - [ ] **Unblock MacBook SSH** (Adam's decision needed)
 ### VALIDATING
 _(empty — waiting for heap0 re-run and MacBook SSH fix)_
 ### DONE
 - [x] Agent pipeline architecture (RE Agent + Exploit Writer, two-stage)
 - [x] Agent scripts written (re-agent.sh, exploit-writer.sh)
 - [x] Directory structure created (reports/, exploits/, agents/)
 - [x] Protostar binaries validated: stack0, stack1, format0 (3 of 5 complete)
 - [x] Agent scripts updated with validation gates, gbrain hooks, TIME-LOG hooks
 ### BLOCKED
 - [ ] **MacBook SSH** — abliterator model unreachable, all RE runs on cloud fallback
 - [ ] heap0 re-run — blocked by MacBook SSH (RE Agent works better with abliterator model)
 ---
 ## Technical Fix Tasks
 ### Task 1: Validate re-agent.sh + exploit-writer.sh on heap0 (HIGH PRIORITY)
 **What:** The updated scripts have validation gates and test loops. Run them against heap0 to confirm they work.
 **Test procedure:**
 ```bash
 cd ~/greysec/engagements/exploit-lab
 ./agents/re-agent.sh heap0 /opt/protostar/bin/heap0
 # Expected: analysis.md + struct.json produced
 # Expected: FAIL and exit 1 if struct.json missing
 ./agents/exploit-writer.sh heap0
 # Expected: exploit.py written
 # Expected: exploit.py run against real binary
 # Expected: test-results.md with PASS or FAIL
 ```
 **Acceptance criteria:**
 - re-agent.sh exits 1 if struct.json not produced
 - exploit-writer.sh refuses to run if struct.json missing
 - exploit.py is run and result captured in test-results.md
 - Both scripts log to gbrain and TIME-LOG
 **Who:** qwen2.5-coder:14b (can be self-verified)
 **Time:** 20-30 minutes
 ---
 ### Task 2: Fix MacBook SSH Access (CRITICAL — Adam's Decision Needed)
 **What:** Password SSH to `adamsloggett@100.127.137.64` rejected twice. The abliterator model only lives on MacBook.
 **Option A — Fix the password:**
 The current Mac password is `V4sTGRZqm#dW5@aW` (rotated 2026-05-05). Try from the Linux host directly to confirm whether this is a Tailscale SSH issue or a password issue:
 ```bash
 ssh adamsloggett@100.127.137.64
 # from the Linux host — not through Tailscale if possible
 ```
 **Option B — Use Tailscale SSH instead:**
 Tailscale SSH (`ssh -h tailscale adamsloggett@100.127.137.64`) bypasses password auth using Tailscale's SSH certificate authority. This requires:
 ```bash
 # On the Mac: enable Tailscale SSH
 tailscale set --ssh
 # On the Linux host: use Tailscale hostname
 ssh adamsloggett@macbook-pro-2
 # Or: ssh adamsloggett@100.127.137.64 -o "ProxyCommand tailscale ssh --bg %h"
 ```
 **Option C — Copy the abliterator model to Linux:**
 If MacBook is unreachable, pull `huihui_ai/qwen2.5-coder-abliterate:latest` from MacBook's Ollama and host it on Linux. This requires enough disk space (~10GB).
 **Who:** Adam needs to pick an option and act. Hermes will execute once the path is confirmed.
 **Time:** Option A or B: ~15 minutes. Option C: ~30 minutes.
 ---
 ### Task 3: Re-Run heap0 with Fixed Scripts
 **What:** heap0's RE Agent failed silently in the original run. With the validation gate in place, re-run it.
 **Procedure:**
 ```bash
 cd ~/greysec/engagements/exploit-lab
 ./agents/re-agent.sh heap0 /opt/protostar/bin/heap0
 # Should produce struct.json or FAIL
 ./agents/exploit-writer.sh heap0
 # Should produce tested exploit.py
 ```
 **Acceptance criteria:**
 - struct.json produced for heap0
 - analysis.md accurate (verify offset and WINNER address)
 - exploit.py written and tested — PASS in test-results.md
 **Who:** qwen2.5-coder:14b
 **Time:** 20-30 minutes
 ---
 ### Task 4: Shellcode Generation Step
 **What:** No shellcode.bin has ever been produced. The agent scripts reference it but the step doesn't exist.
 **Approach:** Use `msfvenom` or pwntools' `asm()` to generate shellcode based on the binary architecture.
 **For Protostar binaries (x86, static):**
 ```bash
 # Example for stack0 (calls execve("/bin/sh"))
 msfvenom -p linux/x86/exec CMD=/bin/sh -f raw -a x86 --platform linux
 ```
 **Or via pwntools in exploit.py:**
 ```python
 from pwn import *
 shellcode = asm(shellcraft.i386.linux.sh())
 ```
 **Files to touch:** `exploit-writer.sh` — add shellcode generation as a post-exploit step.
 **Who:** qwen2.5-coder:14b
 **Time:** 30 minutes to add the step and test on stack0
 ---
 ### Task 5: Rewrite vuln_test exploit.py (MEDIUM)
 **What:** The current vuln_test exploit.py uses a nonstandard "launcher" approach (compiles a C helper program inside a Python tempfile). Rewrite it as a direct pwntools process targeting the actual `/tmp/vuln_test` binary.
 **Why:** The agent contract specifies pwntools process/exploit targeting the binary directly. The launcher approach is a workaround that suggests the model didn't fully understand how to exploit the binary via pwntools standard interface.
 **Who:** qwen2.5-coder:14b
 **Time:** 30 minutes
 ---
 ## Capability Expansion Tasks
 ### Tier 1: Beginner (WHAT EXISTS)
 **Binaries:** stack0, stack1, format0 (Protostar)
 **Skills needed:** Basic buffer overflow, format string exploitation
 **Time per binary:** ~20-30 minutes with pipeline
 **Status:** OPERATIONAL — 3 of 3 complete
 ### Tier 2: Intermediate (IN BACKLOG)
 **Binaries:** heap2, heap3, format1-4, net0-4 (Protostar)
 **Skills needed:** Heap grooming, UAF, fastbin dup, format string chaining
 **Time per binary:** ~40-60 minutes with pipeline
 **What needs building:** None — same pipeline, harder targets
 ### Tier 3: Advanced (IN BACKLOG)
 **Binaries:** Fusion (Web, HTTP, SQL, etc. — advanced Protostar)
 **Skills needed:** ROP chains, ASLR/DEP bypass, heaptechniques
 **What needs building:** ROP gadget finder integration, libc database lookup
 **Time per binary:** ~60-90 minutes with pipeline
 ### Tier 4: Elite (FUTURE)
 **Targets:** Real-world binaries, DLL analysis, kernel modules
 **Skills needed:** Full RE, CVE research, kernel exploitation
 **What needs building:** Windows VM path, DLL analysis pipeline, kernel debug setup
 ---
 ## Product Tiers (Internal Planning)
 | Tier | Target | Output | Complexity | Time |
 |------|--------|--------|------------|------|
 | Beginner | stack/heap/format (Protostar) | analysis + exploit | Easy | 20-30 min |
 | Intermediate | Protostar advanced, VWA | analysis + exploit + ROP | Medium | 40-60 min |
 | Advanced | real-world binaries | analysis + struct.json + suggested exploit path | Hard | 60-120 min |
 | Elite | 0-day research | analysis only (no exploit — model limitations) | Expert | TBD |
 ---
 ## Definition of Done
 GreySec RED is operational when:
 1. re-agent.sh validates struct.json and exits non-zero if missing
 2. exploit-writer.sh tests exploit.py against real binary and reports PASS/FAIL
 3. gbrain logging is wired and firing after each completed target
 4. TIME-LOG is updated after each pipeline run
 5. heap0 re-run produces correct struct.json (validated against known values: offset 80, WINNER 0x08048464)
 6. shellcode.bin is generated for at least stack0
 7. All 5 Protostar binaries (stack0, stack1, format0, heap0, vuln_test) have PASS in test-results.md
 8. MacBook SSH is unblocked and abliterator model is reachable
 9. Skill file `greysec-exploit-lab` exists and documents operational procedure
 10. At least one intermediate binary (heap2 or format1) has been processed end-to-end and PASS
 ---
 ## DEBT (Action Items from This Kanban)
 | Action Item | Priority | Status | Notes |
 |------------|----------|--------|-------|
 | Validate updated scripts on heap0 | CRITICAL | open | Confirm validation gates work |
 | Unblock MacBook SSH | CRITICAL | blocked | Adam's decision needed |
 | Re-run heap0 with fixed scripts | HIGH | open | After Task 1 |
 | Build shellcode.bin generation step | HIGH | open | msfvenom or pwntools asm |
 | Rewrite vuln_test exploit.py | MEDIUM | open | Direct pwntools approach |
 | Test intermediate binaries (heap2, format1) | MEDIUM | open | Pipeline validation |
 | Write greysec-exploit-lab skill | MEDIUM | open | Operational docs |
 | Add ROP gadget finder for advanced tier | LOW | backlog | Future |
 | Validate pipeline against Windows DLL | LOW | backlog | Future |