一键导入
aibugs
Find bugs and vulnerabilities in C code for radare2
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Find bugs and vulnerabilities in C code for radare2
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when Codex needs to start, discover, or communicate with a radare2 or iaito HTTP webserver and run stateful radare2 commands over POST /cmd with curl, especially to replace r2mcp or one-shot r2 command lines during long binary analysis.
Use the bundled r2mcp MCP server for binary analysis, disassembly, and reverse-engineering tasks.
Create a commit message to use for the currently unstaged changes
When planning tasks or reviewing code is important to extend the reasoning of the unstaged changes, commits in the current non-master branch and todo roadmap of the ongoing work.
Clean and refactor code with a focus on unnecessary complexity, reducing lines of code, improving readability, and preferring radare2-native portable APIs.
Find logic bugs in C code for radare2 by analyzing control flow, state transitions, and silent assumptions.
| name | aibugs |
| description | Find bugs and vulnerabilities in C code for radare2 |
There are several classic vulnerabilities misusing libc apis or just plain C. But you are an expert in radare2, so you must focus on understanding missuses of the libr apis and scripts instead.
r_core_cmd apis parse special characters, which if the user or the binary loaded have controlr_core_call functionscall_at if a temporal seek is needed* command suffix, will force the output to contain a script for radare2.r_cons_printf calls used in those subcommands to find out anyIt's recommended, to run r2 oneliners to confirm the vulnerabilities are real before fixing them.
The single quote commands syntax permits temporal seeks too, for example this command is the safe equivocalent of x@0x123. Also, an important hint for single quote commands
'@0x123'x
The double quote commands are also vulnerable to command injection if data is not filtered properly for example:
"echo hello";"echo "world"
In the code above, if hello was controlled by the user they can include a quote to close the command and inject a semicolon to run a separate command.
When running a command that starts with "'", the command parser will ignore all the special characters and just run the command with given arguments.
! there can be still code injection bugs, see the sanitize for sh in this caser_str_sanitize_sh and the r_sys_cmd apisr_sandbox settingsSee r_name_filter, and all the r_str_sanitize apis to understand their purpose and use them wisely, do not reduce the.
Some commands accept base64: arguments. Use them if we really need raw data accepting any characters.