Refploit:利用代码智能体轨迹修复辅助漏洞利用构建

Refploit: Facilitating Exploit Construction via Code-Agent Trajectory Repair

精选理由

Refploit能自动修复代码智能体生成漏洞利用时出错的部分,用DeepSeek-V4-Flash在143个Java漏洞上做到80.2%成功率,比PoCGen和GPT-5.4驱动的Codex都强。搞漏洞研究的人可以关注。

AI 摘要

Refploit是一个基于LLM的轨迹恢复框架,用于从公开漏洞利用参考中重现漏洞利用。它通过差异化执行验证智能体生成的漏洞利用,当无效时分析重现进度、定位轨迹片段并推导约束以指导恢复。在三个开源Java漏洞数据集(172个漏洞引用,143个漏洞)上,使用DeepSeek-V4-Flash时,Refploit成功重现138个漏洞利用,重现率达80.2%。相比初始轨迹提升64.3%,超过现有方法PoCGen及基于GPT-5.4的Codex等高级代码智能体。

原文 · arXiv: DeepSeek

Refploit: Facilitating Exploit Construction via Code-Agent Trajectory Repair

Vulnerability exploits play a crucial role in assessing the downstream impact of Java library vulnerabilities. While some vulnerabilities are accompanied by disclosed exploit references, automatically reproducing such references into runnable exploits remains challenging because they are often incomplete, unstructured, or only describe partial reproduction steps. Recent code agents provide a promising way to automate this process, but our study shows that their generated exploits often appear successful without triggering the actual vulnerable logic, such as replacing vulnerable APIs with self-implemented functions. To address this, we propose Refploit, an LLM-based trajectory recovery framework for facilitating vulnerability reproduction from public exploit references. The key insight is that a failed agent trajectory is not entirely useless. It may have already completed some reproduction subtasks while also revealing misleading directions that should be avoided. Refploit first validates an agent-generated exploit through differential execution. When the exploit is ineffective, Refploit analyzes its reproduction progress, locates the trajectory segments associated with the reproduction progress, and derives constraints to guide focused recovery. We evaluate Refploit on three open-source Java vulnerability datasets, covering 172 exploit references for 143 vulnerabilities. Under DeepSeek-V4-Flash, Refploit successfully reproduces 138 exploits, achieving a reproduction rate of 80.2%. It achieves a 64.3% relative improvement over the initially generated trajectories and outperforms both the SOTA exploit-generation method PoCGen and advanced code agents such as Codex with GPT-5.4. We further adapt Refploit to another code agent and observe consistent improvements, demonstrating its generality.