greysec/exploit-pipeline
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
exploit-pipeline/PRODUCT-SPEC.md
T
ghstshdw 0bd211c81d Initial commit: exploit-pipeline
2026-05-08 17:46:06 -05:00

10 KiB
Raw Permalink Blame History

GreySec RED — Product Specification

Product: GreySec Exploit Development Pipeline (Reverse Engineering + Exploit Dev) Version: 1.0 Status: BUILDING Date: 2026-05-07 Owner: GreySec (COO: Hermes, CEO: Adam)

What the Product Is

GreySec RED is an AI-augmented reverse engineering and exploit development lab. Drop a binary. Get a vulnerability brief, a working exploit, and shellcode. No manual RE required. No expert hours needed upfront.

The core promise: Turn a binary into a working exploit in 20-90 minutes, depending on complexity. Validated against the real target, not a thought experiment.

What the Client Gets

Standard Deliverable Package

For every binary target, the client receives:

  1. analysis.md — Full vulnerability brief

    • Vulnerability class (buffer overflow, format string, UAF, heap corruption, etc.)
    • Affected function with offset
    • Root cause explanation
    • Attack constraints and mitigations bypassed
    • Recommended next steps

  2. struct.json — Structured vulnerability data

    • Machine-readable format for automation
    • Offset, bad chars, mitigations, difficulty rating
    • Integrates into CI/CD pipelines

  3. exploit.py — Working pwntools exploit

    • Targets the real binary via process() or remote()
    • Passes test loop against actual binary
    • Commented and readable
    • No pseudocode — this is runnable

  4. shellcode.bin — Position-independent shellcode

    • Architecture-appropriate (x86, x64, ARM, MIPS)
    • Ready to use in the exploit or independently

  5. test-results.md — Validation proof

    • Exit code, output, and PASS/FAIL verdict
    • Confirms the exploit was run against the real target
    • If FAIL: diagnostic information on what went wrong

Optional Add-Ons

  • Full disassembly dump (.md or .txt) — rizin output for manual review
  • ROP chain analysis — for ASLR/DEP-enabled targets requiring chained gadgets
  • Libc database lookup — for targets requiring libc address leaks
  • Multi-stage shellcode — stageless vs. staged payload selection

Target Buyer

Primary: Security Team Building Internal Red Team Toolchains

Pain point: They run internal red team engagements and spend significant time manually analyzing targets before building exploits. Every hour spent on RE is an hour not spent on the actual engagement.

Current workaround: Metasploit module development (slow, requires expert), manual RE (slow), or just skipping binary analysis entirely. CTF teams and training environments also use manual RE, which doesn't scale.

What they'd pay: $500-1,500/month for a tool that turns binary analysis from a 4-hour manual task into a 20-minute automated pipeline.

Buying trigger: After a red team engagement where they spent more time REing targets than actually testing controls.

Secondary: Exploit Developers and CTF Players

Pain point: Competitive hacking (CTF) requires solving dozens of binary challenges under time pressure. Manual RE is the bottleneck, not creativity or offensive thinking.

Current workaround: Using existing solvers for known challenge types, manually writing exploits for new types. High-skill individuals doing low-skill repetitive work.

What they'd pay: $100-300/month (individual or team subscription). CTF teams are price-sensitive but high-volume.

Buying trigger: Losing a CTF competition by 15 minutes because RE took too long on one challenge.

Tertiary: Security Researchers Analyzing Third-Party Binaries for CVEs

Pain point: Analyzing a third-party binary for a potential CVE requires fast turnaround. They need to understand the vulnerability class, affected function, and whether an exploit is feasible before committing to a full disclosure process.

Current workaround: Manual RE + writing a PoC from scratch. Takes days for a single binary. High opportunity cost.

What they'd pay: $1,000-3,000/month if it speeds up their CVE research by 50%.

Buying trigger: After a missed disclosure deadline because RE took too long.

SLA (Target)

Metric Target Notes
Beginner binary (stack/heap/format) 20-30 minutes Protostar difficulty
Intermediate binary (ROP/enabled ASLR) 40-60 minutes Requires gadget finding
Advanced binary (real-world binary) 60-120 minutes May require human review
Expert/0-day research Not committed Pipeline assists, not autonomous research
Exploit test pass/fail Immediate Test loop runs automatically

What we do not commit to:

  • Guaranteeing exploit development for binaries with novel mitigations
  • Research-level RE for obfuscated/packed binaries (V1 — see V2 roadmap for future)
  • Automated bypass of state-of-the-art EDR evasion techniques

Limitations

  • Novel 0-day research: The abliterator model is trained on existing knowledge. Novel exploitation techniques (post-May 2026) may not be in context. Use this for known vulnerability classes against known binary types, not for discovering unknown vulnerabilities.

  • Packed/obfuscated binaries: If the binary is packed with UPX, ASPack, or a custom packer, the initial disassembly will show the unpacker stub, not the actual payload. V2 roadmap includes unpacker integration.

  • Kernel-level binaries: We analyze user-space binaries. Kernel modules, drivers, and firmware require a different environment (ring 0 vs. ring 3). Not supported V1.

  • Cross-architecture: V1 supports x86 and x64 Linux binaries. Windows PE, ARM, MIPS, and other architectures are V2/V3 roadmap items.

  • Cloud model quality: When MacBook Ollama is unreachable, we fall back to cloud models. The abliterator model produces significantly better exploits on offensive security tasks. Cloud fallback works but is not the primary experience.

Competitive Landscape

Tool Type Cost Strengths Weaknesses for Our Buyer
Metasploit Framework Open source Free Huge module library, community-developed Modules are manually written, not AI-generated for novel binaries
Cobalt Strike Commercial $3,500+/license Industry standard for red team tooling Not an RE/exploit development tool — it's a C2 platform
Immunity CANVAS Commercial $500+/month Automated exploit generation Ancient UI, slow development, Windows-only
Core Impact Commercial $8,000+/year Automated everything Expensive, slow, dated UX
Manual RE + exploit dev Consultant $150-300/hr Expert judgment 4-8 hours per binary minimum, expensive at scale
CTF solvers (custom) Open source Free Fast for known challenge types One-off tools, not a platform
GreySec RED AI-augmented service TBD 20-90 min per binary, validated exploits, struct.json for automation, local model quality V1 is new (May 2026), limited to x86/x64 Linux, abliterator model required for best quality

GreySec RED's positioning:

  • Faster than manual RE (20-90 min vs. 4-8 hrs)
  • Validated output (exploit.py tested against real binary, not just generated)
  • Machine-readable struct.json for CI/CD integration
  • Local AI model quality (abliterator) when MacBook reachable
  • AI-augmented but not AI-only — human expert review available

Pricing Framework (Internal Only)

Do not share externally. Adam reviews and approves all client-facing numbers.

Internal Cost Basis

Cost Item Per Binary (est.)
AI compute (Ollama, local MacBook) ~$0.05-0.15 (amortized model cost)
Human review (5-10 min at $105-135/hr) ~$9-22.50
Infrastructure (Kali container, storage) ~$0.50
Total direct cost per binary ~$10-23

At a 4x margin: $40-92 per beginner binary, $80-184 per intermediate, $160-368 per advanced.

Build vs. Buy Analysis

Building this internally:

  • Engineering time: 60-100 hours to replicate RED pipeline
  • Ongoing: 5-10 hours/month maintaining scripts and model context
  • No AI quality guarantee — the abliterator model is specifically trained for this task
  • Total first-year cost: $20,000-35,000 + risk that it doesn't work at quality

Using GreySec RED:

  • Per-binary pricing (or monthly subscription)
  • Zero engineering time
  • GreySec maintains the pipeline and model quality

Competitive Price Reference

Option Price Notes
Manual RE consultant $150-300/hr 4-8 hours per binary = $600-2,400
Metasploit module dev (consultant) $100-200/hr 2-4 hours per binary = $200-800
Immunity CANVAS $500+/month Annual commitment, Windows focus
GreySec RED (target) TBD Sub-$500 per binary, subscription available

Roadmap (Future Tiers)

V1 (Current Build — MVP)

  • x86/x64 Linux binaries only (Protostar-style)
  • Two-stage pipeline: RE Agent + Exploit Writer
  • Validation gates and test loops
  • gbrain + TIME-LOG hooks

V2 (Next Quarter)

  • Windows PE/DLL analysis
  • ROP chain builder integration (one_gadget, ROPgadget)
  • Libc database lookup for ASLR bypass
  • Multi-arch support: ARM, MIPS

V3 (Future)

  • macOS binary analysis
  • Automated unpacker integration (for packed binaries)
  • Malware family classification (from RE output)
  • CI/CD integration (GitHub Actions plugin)

What GreySec Gets Out of This

  1. Internal tooling: GreySec uses this for red team engagements — fast binary analysis without eating into engagement hours.

  2. Product revenue: Second productized internal capability (after MAL). Complements MAL — MAL analyzes what a payload does, RED builds the payload that does it.

  3. Differentiation: No other firm in GreySec's market is offering AI-augmented exploit development as a service. Most competitors either sell tool licenses (Cobalt Strike) or bill by the hour (consulting). RED is a middle path.

Status: BUILDING — agent scripts updated, validation gates added, needs heap0 re-run and MacBook SSH unblock before full operational validation.

Next decision needed from Adam: MacBook SSH fix (Option A/B/C), and pricing tiers.

Reference in New Issue View Git Blame Copy Permalink