Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Bingchang Liu,Wenjie Li,Xiaorui Gong,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities.In this paper, we propose a new solution Revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques: (1) a layout-contributor digraph to characterize a vulnerability's memory layout and its contributor instructions; (2) a layout-oriented fuzzing solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs; (3) a control-flow stitching solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states.We have developed a prototype of Revery based on the binary analysis engine angr, and evaluated it on a set of 19 CTF (capture the flag) programs. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Dandan Xu,Kai Chen,Miaoqian Lin,Chaoyang Lin,XiaoFeng Wang

DOI: https://doi.org/10.1109/tifs.2023.3322319

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Capture-the-flag (CTF) competitions have become highly successful in security education, and heap corruption is considered one of the most difficult and rewarding challenges due to its complexity and real-world impact. However, developing a heap exploit is a challenging task that often requires significant human involvement to manipulate memory layouts and bypass security checks. To facilitate the exploitation of heap corruption, existing solutions develop automated systems that rely on manually crafted patterns to generate exploits. Such manual patterns tend to be specific, which limits their flexibility to cope with the evolving exploit techniques. To address this limitation, we explore the problem of the automatic summarization of exploit patterns. We leverage an observation that public attack artifacts provide key insights into heap exploits. Based upon this observation, we develop AutoPwn, the first artifact-assisted AEG system that automatically summarizes exploit patterns from artifacts of known heap exploits and uses them to guide the exploitation of new programs. Considering the diversity of programs and exploits, we propose to use a novel Exploitation State Machine (ESM), with generic states and transitions to model the exploit patterns, and then efficiently construct it through combining the dynamic monitoring of exploits and the semantic analysis of their text descriptions. We implement a prototype of AutoPwn and evaluate it on 96 testing CTF binaries. The results show that AutoPwn produces 22 successful exploits and 13 partial exploits, preliminarily demonstrating its efficacy.

Zhehui Liu,Zhongru Wang,Yuntao Zhang,Tong Liu,Binxing Fang,Zhengyuan Pang

DOI: https://doi.org/10.1109/dsc55868.2022.00017

2022-01-01

Abstract:Recently, more and more software vulnerabilities are disclosed and researchers tend to study on automatically discover and exploit the vulnerabilities. However, the main challenges of automated exploit generation are: 1) it is hard to analyze the program failure and extract useful information, 2) the scenario of the vulnerability too complex to successfully exploit. Therefore, This paper proposes a vulnerability exploit generation framework AEG-E. AEG-E can extract the control flow graph from the target program and employ the crash reproduce algorithm in symbolic execution to reduce the problem of path explosion. To adapt to complex vulnerability scenarios, we design the extendable and user-configurable exploit model to generate different exploit. Finally, we used the binaries from Robo Hacking Games and real world program to demonstrate the validity and efficiency of AEG-E. The experiment results shows that AEG-E is 2.913 times more efficient than previous exploit generation tool, REX.

Minghua Wang,Purui Su,Qi Li,Lingyun Ying,Yi Yang,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-04283-1_14

2013-01-01

Abstract:Generating exploits from the perspective of attackers is an effective approach towards severity analysis of known vulnerabilities. However, it remains an open problem to generate even one exploit using a program binary and a known abnormal input that crashes the program, not to mention multiple exploits. To address this issue, in this paper, we propose PolyAEG, a system that automatically generates multiple exploits for a vulnerable program using one corresponding abnormal input. To generate polymorphic exploits, we fully leverage different trampoline instructions to hijack control flow and redirect it to malicious code in the execution context. We demonstrate that, given a vulnerable program and one of its abnormal inputs, our system can generate polymorphic exploits for the program. We have successfully generated control flow hijacking exploits for 8 programs in our experiment. Particularly, we have generated 4,724 exploits using only one abnormal input for Irfan View, a widely used picture viewer.

Chao Zhang,Zhongyuan Qin,Liquan Chen,Xin Sun,Wen Wang

DOI: https://doi.org/10.1109/icsip57908.2023.10271009

2023-01-01

Abstract:The rapid growth of program complexity and the development of security mitigation for program have brought serious challenges to program security research. It is more difficult to evaluate program security efficiently by analyzing vulnerabilities manually. Therefore, an automatic method of detecting vulnerabilities and generating exploit is in critical demand. This paper proposes AutoExploit, which is an automatic scheme to detect various vulnerabilities and generate exploit in binary programs after bypassing the security mitigation. The method detects potential vulnerabilities including format string vulnerability and buffer overflow vulnerability using symbolic execution and dynamic analysis at the dangerous functions. For the potential buffer overflow vulnerability, this method generates exploit automatically by constructing constraints expressions and solving constraints after bypassing the security mitigation through code reuse. The effectiveness of our method is demonstrated using the datasets from CTF competition.

Yu Wang,You Zhai,Zhoujun Li,Yipeng Zhang

DOI: https://doi.org/10.2139/ssrn.4632938

2023-01-01

Abstract:Automatic exploit generation (AEG) refers to the process of automatically finding the path in the program that can trigger vulnerabilities and generate exploits. The existing AEG usually sets the preset environment ideally, which does not enable all protection mechanisms. In response to this situation, we propose an exploit generation system Protection Bypass Automatic Exploit Generator (PBAEG) which automatically detects stack overflow vulnerabilities and format string vulnerabilities. Then PBAEG combines the above two vulnerabilities to generate exploits. PBAEG uses symbolic execution and dynamic binary analysis to find the above two vulnerabilities, adopts different exploit generation strategies for different protection mechanisms, and defeats Non-Executable (NX), Position-Independent Executable (PIE), Canary, and Address Space Layout Randomization (ASLR) protection mechanisms. At the same time, for some difficult-to-exploit situations, advanced stack overflow exploitation methods are applied to generate exploits. Finally, we also use docker to simulate the remote environment to test the ability of PBAEG to attack the remote environment. Experiments show that PBAEG can complete the vulnerability detection and exploitation generation of 124 binary files, 22 capture-the-flag (CTF) binary files, and 10 public softwares, which takes a shorter time than the existing AEG and covers more types of vulnerabilities.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Wen-Jie Li,Xiaojing Gong,Bingchang Liu,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (POC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities. In this paper, we propose a new solution revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques:(1) a digraph to characterize a vulnerability's memory layout and its contributor instructions;(2) a fuzz solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs;(3) a stitch solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states. We have developed a prototype of revery based on the binary analysis engine angr, and evaluated it on a set of 19 real world CTF (capture the flag) challenges. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Yan Wang,Wei Wu,Chao Zhang,Xinyu Xing,Xiaorui Gong,Wei Zou

DOI: https://doi.org/10.1186/s42400-019-0028-9

2019-01-01

Abstract:Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess the exploitability is crafting a working exploit. However, it usually takes tremendous hours and significant manual efforts. To address this issue, automated techniques can be adopted. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and assess exploitability by finding exploitable states along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In this paper, we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities. We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 realworld Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploit for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.

YANG Song-Tao,CHEN Kai-Xiang,WANG Zhun,ZHANG Chao

DOI: https://doi.org/10.21655/ijsi.1673-7288.00290

2022-01-01

International Journal of Software and Informatics

Abstract:PDF HTML XML Export Cite reminder Exploit-oriented Automated Information Leakage DOI: 10.21655/ijsi.1673-7288.00290 Author: Affiliation: Clc Number: Fund Project: Article | Figures | Metrics | Reference | Related | Cited by | Materials | Comments Abstract:Automatic Exploit Generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). This paper presents the automatic solution EoLeak that can exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the Proof-Of-Concept (POC) input that triggers the heap vulnerabilities, characterizes the memory profile from the trace, locates sensitive data (e.g., code pointers), constructs leakage primitives that disclose sensitive data, and generates exploits for the entire process when possible. We have implemented a prototype of EoLeak and evaluated it on a set of Capture The Flag (CTF) binary programs and several real-world applications. Evaluation results reveal that EoLeak is effective at leaking data and generating exploits. Reference Related Cited by

Luhang Xu,Weixi Jia,Wei Dong,Yongjun Li

DOI: https://doi.org/10.1109/qrs-c.2018.00085

2018-01-01

Abstract:Buffer overflow vulnerabilities are widely found in software. Finding these vulnerabilities and identifying whether these vulnerabilities can be exploit is very important. However, it is not easy to find all of the buffer overflow vulnerabilities in software programs, and it is more difficult to find and exploit these vulnerabilities in binary programs. This paper proposes a method and a corresponding tool that automatically finds buffer overflow vulnerabilities in binary programs, and then automatically generate exploit for the vulnerability. The tool uses symbolic execution to search the target software and find potential buffer overflow vulnerabilities, then try to bypass system protection by choosing different exploiting method according to the different level of protections. Finally, the exploit of software vulnerability is generated using constraint solver. The method and tool can automatically find vulnerabilities and generate exploits for three kinds of protection: without system protection, with address space layout randomization protection, and with stack non-executable protection.

Ruipeng Wang,Kaixiang Chen,Zulie Pan,Yuwei Li,Qianyu Li,Yang Li,Min Zhang,Chao Zhang

DOI: https://doi.org/10.1016/j.cose.2022.102995

2023-01-01

Abstract:Assessing the exploitability of vulnerabilities is critical for defenders. But the vulnerability-triggering samples available for analysts often do not trigger exploitable states, making it hard to accurately assess whether the underlying vulnerabilities are exploitable. Several customized fuzzing solutions have been proposed to address this problem, by searching for new vulnerability-triggering test cases that can enter exploitable program states. However, such solutions are inefficient and in general take an overwhelmingly long time to find exploitable states, due to the large number of program paths to explore and complicated path constraints to satisfy. In this paper, we present a new automated solution Tunter to assess the exploitability of vulnerabilities. It could explore exploitable program states and generate working exploits, even if only non-exploitable vulnerability-triggering samples are given. It adopts two novel techniques: (1) a taint-guided exploration procedure to explore candidate exploitable states; and (2) a pruning mechanism to prune unwanted states for exploitation to alleviate the state explosion issue faced by symbolic execution. We have implemented a prototype of Tunter and evaluated it on 14 capture-the-flag (CTF) programs and two real-world applications. The experimental results demonstrate that it has significant performance than state-of-the-art solution Revery (Wang et al., 2018). Specifically, it finds exploitable states for these 16 programs with a 75% recall and an 88.9% precision, and eventually generates working exploits for 11 out of these 16 programs. Moreover, Tunter is 41.02 times faster than Revery.

computer science, information systems

Yu Wang,Yipeng Zhang,Zhoujun Li

DOI: https://doi.org/10.3390/sym15122197

2023-01-01

Symmetry

Abstract:Automatic Exploit Generation (AEG) involves automatically discovering paths in a program that trigger vulnerabilities, thereby generating exploits. While there is considerable research on heap-related vulnerability detection, such as detecting Heap Overflow and Use After Free (UAF) vulnerabilities, among contemporary heap-automated exploit techniques, only certain automated exploit techniques can hijack program control flow to the shellcode. An important limitation of this approach is that it cannot effectively bypass Linux’s protection mechanisms. To solve this problem, we introduced Automatic Advanced Heap Exploit Generation (AAHEG). It first applies symbolic execution to analyze heap-related primitives in files and then detects potential heap-related vulnerabilities without a source code. After identifying these vulnerabilities, AAHEG builds an exploit abstract syntax tree (AST) to identify one or more successful exploit strategies, such as fast bin attack and Safe-unlink. AAHEG then selects exploitable methods via an abstract syntax tree (AST) and performs final testing to produce the final exploit. AAHEG chose to generate advanced heap-related exploits because the exploits can bypass Linux protections. Basically, AAHEG can automatically detect heap-related vulnerabilities in binaries without source code, build an exploit AST, choose from a variety of advanced heap exploit methods, bypass all Linux protection mechanisms, and generate final file-form exploit based on pwntools which can pass local and remote testing. Experimental results show that AAHEG successfully completed vulnerability detection and exploit generation for 20 Capture The Flag (CTF) binary files, 11 of which have all protection mechanisms enabled.

Yun-Peng WAN,Yi DENG,Dong-Hui SHI,Liang CHENG,Yang ZHANG

DOI: https://doi.org/10.15888/j.cnki.csa.005991

2017-01-01

Abstract:In this paper we present BAEG,a system to automatically look for exploitable bugs in the binary program.Every bug reported by BAEG is accompanied by the control flow hijacking exploit.The working exploits ensure robustness that each bug report is security-critical and exploitable.Giving BAEG a vulnerable program and an input crash,the challenges are:1) how to replay crash and get the state of crash;2) how to automatically generate exploit.For the first challenge,we present a path-guided algorithm,take crash input as symbolic data,and replay crash path.For the second challenge,we summarize the principles of multiple control-flow hijack and establish the corresponding exploit generation model.Besides,BAEG can explore deep code especially for invalid symbolic read and symbolic write,which can help us decide whether there still are exploits at deeper code.

Ling Jin,Yinzhi Cao,Yan Chen,Di Zhang,Simone Campanoni

DOI: https://doi.org/10.1109/tdsc.2022.3141396

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Smart contracts, just like other computer programs, are prone to a variety of vulnerabilities, which lead to severe consequences including massive token and coin losses. Prior works have explored automated exploit generation for vulnerable Ethereum contracts. However, the scopes of prior works are limited in both vulnerability types and contract platforms. In this paper, we propose a cross-platform framework, called EXGEN, to generate multiple transactions as exploits to given vulnerable smart contracts. EXGEN first translates either Ethereum or EOS contracts to an intermediate representation (IR). Then, EXGEN generates symbolic attack contracts with transactions in a partial order and then symbolically executes the attack contracts together with the target to find and solve all the constraints. Lastly, EXGEN concretizes all the symbols, generates attack contracts with multiple transactions, and verifies the generated contracts' exploitability on a private chain with values crawled from the public chain. We implemented a prototype of EXGEN and evaluated it on Ethereum and EOS benchmarks. EXGEN successfully exploits 1,258/1,399 (89.9%) Ethereum and 126/130 (96.9%) EOS vulnerabilities. EXGEN is also able to exploit zero-day vulnerabilities on EOS.

Danjun Liu,Pengfei Wang,Xu Zhou,Baosheng Wang

DOI: https://doi.org/10.3390/app122311925

2022-01-01

Applied Sciences

Abstract:Since a large number of Linux kernel vulnerabilities are discovered every year, many vulnerabilities cannot be patched in time. Security vendors often prioritize patching high-risk vulnerabilities, and the ratings of vulnerabilities need to be evaluated based on factors such as exploitability and the scope of influence. However, evaluating exploitability is challenging and time-consuming, especially for race vulnerabilities, whose exploitation process is complicated and the success rate of exploitation is low, making them more likely to be overlooked. In this paper, we propose a new framework, called ERACE, to facilitate the process of exploiting kernel race vulnerabilities. Given a program called a proof of concept (PoC) that can trigger a race vulnerability, ERACE first applies a combination of dynamic and static analysis techniques to locate the instruction that causes the race. Then, it applies code instrumentation and static analysis to determine the timing relationship between the race instructions and the triggering type of the vulnerability and records the vulnerability context information. Next, it uses backward taint analysis to identify checkpoints that can be used to determine whether the race condition and heap spraying are satisfied and records the system calls to which the checkpoints belong. Finally, we can generate exploits based on the information collected above. To demonstrate the utility of ERACE, we tested it on 23 real-world vulnerabilities. As a result, we successfully detected the race points of 19 vulnerabilities, the timing relationship among the race instructions, and the triggering types of 17 vulnerabilities and succeeded in generating exploits for 13 vulnerabilities. ERACE can effectively help security researchers simplify the analysis process of kernel race vulnerabilities, select appropriate exploitation methods, and use checkpoints to increase the success rates of exploitations.

Ruipeng Wang,Zulie Pan,Fan Shi,Min Zhang

DOI: https://doi.org/10.3390/app11209727

2021-01-01

Applied Sciences

Abstract:Modern operating systems set exploit mitigations to thwart the exploit, which has also become a barrier to automated exploit generation (AEG). Many current AEG solutions do not fully account for exploit mitigations, and as a result, they are unable to accurately assess the exploitability of vulnerabilities in such settings.This paper proposes AEMB, an automated solution for bypassing exploit mitigations and generating useable exploits (EXPs). Initially, AEMB identifies exploit mitigations in the system based on characteristics of the program execution environment. Then, AEMB implements exploit mitigations bypassing the payload generation by modeling expert experience and constructs the corresponding constraints. Next, during the program’s execution, AEMB uses symbol execution to collect symbol information and create exploit constraints. Finally, AEMB utilizes a solver to solve the constraints, including payload constraints and exploit constraints, to generate the EXP. In this paper, we evaluated a prototype of AEMB on six test programs and seven real-world applications. Furthermore, we conducted 54 sets of experiments on six different combinations of exploit mitigations. Experiment results indicate that AEMB can automatically overcome exploit mitigations and produce successful exploits for 11 out of 13 applications.

Shenglin Xu,Zhiyuan Jiang,Yongjun Wang,Peidai Xie

DOI: https://doi.org/10.1093/comjnl/bxae069

2024-01-01

Abstract:The format string vulnerability is a common software vulnerability. A well-constructed format string can read and modify arbitrary memory addresses, causing serious system problems. Existing automated exploit generation solutions for format string vulnerability are unable to cope with the limitations imposed by the vulnerability defense mechanism Address Space Layout Randomization (ASLR) and the program itself on vulnerability exploitation. In this paper, to address the above challenges, we propose FormatAEG, the first automatic exploitation framework for format string vulnerabilities that can bypass ASLR defense and the program's own constraints. Specifically, we first proposed an arbitrary address reading and writing method based on a format string vulnerability, which can modify the target address data by directly arranging the target address or automatically searching and utilizing the pointer chain in the stack. Then, we propose a vulnerability reentry method based on global offset table (GOT) hijacking, which hijacks the program control flow by modifying function addresses in the GOT, making the vulnerability reentrant. In the experimental section, we evaluated FormatAEG using 20 Capture The Flag programs from top international tournaments and two real-world programs with format string vulnerabilities. The evaluation results show that with ASLR defense turned on, FormatAEG successfully detects format string vulnerability in 19 of these programs and generates exploit code for 15 of them. Compared with existing tools, FormatAEG detected 11 more format string vulnerabilities and generated 13 more exploit codes.

Zheyue Jiang,Yuan Zhang,Jun Xu,Xinqian Sun,Zhuang Liu,Min Yang

DOI: https://doi.org/10.1109/sp46215.2023.10179286

2023-01-01

Abstract:This paper studies the problem of cross-version exploitability assessment for Linux kernels. Specifically, given an exploit demonstrating the exploitability of a vulnerability on a specific kernel version, we aim to understand the exploitability of the same vulnerability on other kernel versions. To tackle crossversion exploitability assessment, automated exploit generation (AEG), a recently popular topic, is the only existing, applicable solution. However, AEG is not well-suited due to its templatedriven nature and ignorance of the capabilities offered by the available exploit. In this work, we introduce a new method, automated exploit migration (AEM), to facilitate cross-version exploitability assessment for Linux kernels. The key insight of AEM is the observation that the strategy adopted by the exploit is often applicable to other exploitable kernel versions. Technically, we consider the kernel version where the exploit works as a reference and adjust the exploit to force the other kernel versions to align with the reference. This way, we can reproduce the exploiting behaviors on the other versions. To reduce the cost and increase the feasibility, we strategically identify execution points that truly affect the exploitation and only enforce alignment at those points. We have designed and implemented a prototype of AEM. In our evaluation of 67 cases where exploit migration is needed, our prototype successfully migrates the exploit for 56 cases, producing a success rate of 83.5%.

Guang Yang,Yu Zhou,Xiang Chen,Xiangyu Zhang,Tingting Han,Taolue Chen

DOI: https://doi.org/10.1016/j.jss.2022.111577

IF: 3.5

2023-01-01

Journal of Systems and Software

Abstract:Exploit code is widely used for detecting vulnerabilities and implementing defensive measures. However, automatic generation of exploit code for security assessment is a challenging task. In this paper, we propose a novel template-augmented exploit code generation approach ExploitGen based on CodeBERT. Specifically, we first propose a rule-based Template Parser to generate template-augmented natural language descriptions (NL). Both the raw and template-augmented NL sequences are encoded to context vectors by the respective encoders. For better learning semantic information, ExploitGen incorporates a semantic attention layer, which uses the attention mechanism to extract and calculate each layer’s representational information. In addition, ExploitGen computes the interaction information between the template information and the semantics of the raw NL and designs a residual connection to append the template information into the semantics of the raw NL. Comprehensive experiments on two datasets show the effectiveness of ExploitGen after comparison with six state-of-the-art baselines. Apart from the automatic evaluation, we conduct a human study to evaluate the quality of generated code in terms of syntactic and semantic correctness. The results also confirm the effectiveness of ExploitGen.

Peng Xu,Liangze Yin,Jiantong Ma,Dong Yang,Wei Dong

DOI: https://doi.org/10.1145/3609437.3609461

2023-01-01

Abstract:Buffer overflow vulnerabilities are prevalent in software applications, and their automatic detection and exploitation are of great significance. Modern operating systems implement security mitigation to prevent the exploitation of these vulnerabilities, which in turn become obstacles for automatic exploit generation (AEG). Many current AEG solutions do not fully consider security mitigation bypassing and the exploitation of vulnerabilities in special cases, resulting in an inability to accurately assess the exploitability of vulnerabilities in such scenarios. In this paper, we propose a feature-driven buffer overflow vulnerability automatic exploit generation method - FAEG, which uses optimized symbolic execution to search target software for potential buffer overflow vulnerabilities, constructs complete vulnerability models, and then adaptively selects appropriate exploitation techniques based on vulnerability type and features, bypassing system protection and generating effective exploit program. In this paper, we use FAEG to test 15 open-source Capture The Flag (CTF) challenges, successfully identifying vulnerabilities in all 15 applications and automatically generating exploitation schemes for 14 of these vulnerabilities. The results demonstrate that FAEG performs well in automatically detecting and exploiting vulnerabilities, achieving better bypassing of system security mitigation compared to existing AEG solutions, and offers higher success rates and flexibility.