Point FOUNDRY at an AI inference service. It fingerprints the target, fuzzes it with AFL++, reasons over a vulnerability with DeepSeek R1:32b, generates shellcode variants with full AV/EDR evasion, tests them in an auto-provisioned Docker sandbox, chains multiple exploits, and executes. All without the operator writing a line of code.
SPECTER FOUNDRY is an autonomous exploit code generation engine targeting AI inference infrastructure. The operator provides a target host and port. FOUNDRY handles the rest: service fingerprinting across 11 AI-specific ports, AFL++-based fuzzing with crash triage and exploitability estimation, DeepSeek R1:32b reasoning against 6 named CVE templates (vLLM / Ollama / LiteLLM / llama.cpp / MLflow / Ray), variant generation with full AV/EDR evasion, Docker sandbox testing, adaptive feedback loops, 5 named exploit chains, and live execution under the UNLEASHED gate.
Sessions are persisted in a WAL-mode SQLite database under FND-{hex12} IDs and are resumable across reboots. GPU thermal monitoring (warn 85°C / pause 90°C) prevents hardware damage during prolonged R1:32b sessions. All reports are Ed25519+ML-DSA-65 dual-signed (HMAC-SHA3-256 simulation, prefixed "SIM-", when liboqs is unavailable).
| Template | CVE | CVSS | Service |
|---|---|---|---|
| vllm_ssrf | CVE-2024-5483 | 9.0 | vLLM / OpenAI-compatible endpoint |
| ollama_lfi | CVE-2024-37032 | 9.8 | Ollama localhost:11434 |
| litellm_jwt_bypass | CVE-2024-5480 | 9.8 | LiteLLM proxy / gateway |
| llamacpp_rce | CVE-2024-34359 | 9.6 | llama.cpp HTTP server |
| mlflow_pickle_rce | CVE-2023-6709 | 9.8 | MLflow tracking server |
| ray_unauth_rce | CVE-2023-48022 | 9.8 | Ray dashboard port 8265 |
| Chain | Description |
|---|---|
| ssrf_to_iam | SSRF via inference endpoint → cloud metadata → IAM credential harvest |
| rce_to_gpu_pivot | RCE on inference server → lateral movement to GPU cluster via CUDA IPC |
| mcp_to_payload | MCP error-path injection → arbitrary tool call → payload delivery |
| ollama_to_registry | Ollama LFI → model registry credential harvest → model poisoning |
| litellm_jwt_to_corruption | JWT none-alg bypass → admin API → model weight corruption |
Banner grab + HTTP fingerprint across 11 AI service ports: Ollama:11434, vLLM:8000, LiteLLM:8080, MLflow:5000, Ray:8265, Gradio:7860, Flowise:3000, Qdrant:6333, Triton:8001, llama.cpp:8080, Streamlit:8501. CVE surface mapping by service name + version. Attack surface score 0–1.0. Defence profile: ASLR/NX/stack canary/PIE detection.
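The same port list that FOUNDRY fingerprints is the list a defender should audit on their own inference hosts. The following is an added example (not FOUNDRY code) that parses `ss -ltn` style output and reports which of those AI service ports are listening and whether each is bound to loopback or exposed on all interfaces. The `ss` output below is constructed for the example; LiteLLM and llama.cpp share port 8080, so the map has ten distinct entries.

```python
"""Listening-socket audit for the AI service ports listed above.

Added example, not part of FOUNDRY. Feeds constructed `ss -ltn` output
through a small parser and flags AI inference ports that are reachable
from outside the host (bound to 0.0.0.0, [::] or *).
"""

# Port-to-service map taken from the fingerprinting description.
AI_SERVICE_PORTS = {
    11434: "Ollama",
    8000: "vLLM",
    8080: "LiteLLM / llama.cpp",
    5000: "MLflow",
    8265: "Ray",
    7860: "Gradio",
    3000: "Flowise",
    6333: "Qdrant",
    8001: "Triton",
    8501: "Streamlit",
}

# Constructed sample in the column layout `ss -ltn` prints.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:11434    0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    [::]:8265          [::]:*
LISTEN 0      128    *:5000             *:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*
"""


def split_local(addr):
    """Return (host, port) from an ss local-address column such as '[::]:8265'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 and IPv6 ::1 bindings."""
    return host in ("[::1]", "::1") or host.startswith("127.")


def audit_ai_ports(ss_output):
    """Return one finding per listening AI service port, sorted by port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_local(fields[3])
        service = AI_SERVICE_PORTS.get(port)
        if service is None:
            continue  # not an AI inference port; out of scope here
        findings.append({
            "port": port,
            "service": service,
            "bind": host,
            "exposed": not is_loopback(host),
        })
    return sorted(findings, key=lambda f: f["port"])


def exposed_services(ss_output):
    """Names of AI services listening on a non-loopback address."""
    return [f["service"] for f in audit_ai_ports(ss_output) if f["exposed"]]


if __name__ == "__main__":
    for f in audit_ai_ports(SAMPLE_SS_OUTPUT):
        state = "EXPOSED" if f["exposed"] else "loopback"
        print(f"{f['port']:>5}  {f['service']:<22} {f['bind']:<12} {state}")
```

On a real host, pipe `ss -ltn` output into `audit_ai_ports` and treat every `EXPOSED` row as something that needs either a firewall rule or an authenticating reverse proxy in front of it.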
AFL++ fuzzing (afl-fuzz binary detection + auto-instrument). Boofuzz-style protocol mutations for network services. Boundary inputs: 0/1/127/128/255/256/65535/65536 + struct-packed integers. Format string inputs: %s/%n/%p/AAAA%p%p%p. Crash triage: ASAN/UBSAN output, register dump, exploitability estimate EXPLOITABLE / PROBABLY_EXPLOITABLE / UNKNOWN.
Three-path search: ARMORY DB keyword match, NVD CVE lookup via API, local exploit filesystem scan. Confidence scoring: NVD result → 0.5 + CVSS/20, local exploit → 0.9. Returns highest-confidence result. All results stored in SQLite session.
DeepSeek R1:32b via Ollama (localhost:11434). Strips `<think>...</think>` tags from reasoning output. Selects from 6 AI inference templates by CVE/service name match. Builds prompt from target profile + fuzz result + search result. GPU thermal guard: warn 85°C / pause 90°C. FOUNDRY_GENERATE_KEY required.
5 mutation strategies: alternate_encoding, rop_chain_variant, different_injection_technique, syscall_direct, heap_spray. Full AV/EDR evasion pipeline applied per variant: encoding (XOR/AES-CTR/AES-CBC), null-byte removal, Windows direct syscalls + process hollowing + early-bird APC + ETW patch + AMSI bypass, Linux GOT overwrite + LD_PRELOAD constructor + x86_64 XOR decoder stub. SHELLCODE_PLACEHOLDER: 30-byte x86_64 execve("/bin/sh").
Docker SDK auto-provisions sandbox matching target OS, service libraries, and defence profile. Success indicators: uid=0, root@, /etc/shadow, "got shell", "rce confirmed", "whoami". Returns ExploitTestResult with stdout/stderr/execution_time/sandbox_image. Falls back to local subprocess when Docker unavailable.
R1:32b feedback loop: failed variant code + failure reason → adapted exploit code. MAX_ADAPTATION_BUDGET = 5 iterations. budget_exhausted flag set on iteration > 5. Adaptation ID stored in SQLite. Reasoning trace preserved for each iteration.
5 named exploit chains. Per-step success/failure/privilege tracking. JWT none-alg forging (alg:none, empty signature, exp:9999999999). Step execution via httpx with configurable timeout. Chain report: CHN-{hex12} ID, chain_sequence, successes/failures, final_privilege_level. FOUNDRY_INJECT_KEY required.
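The litellm_jwt_bypass template and the litellm_jwt_to_corruption chain both rely on a verifier that honours the token's own `alg` header. The following is an added example (not FOUNDRY or LiteLLM code) of the check a gateway should perform instead: pin the algorithm server-side, require a signature, compare it in constant time, and reject `exp` values far beyond a sane horizon. The shared secret and the tokens are constructed for the example; the `alg:none` token with an empty signature and `exp:9999999999` is built only as a negative test input, matching the forged token described above.

```python
"""Hardened JWT verification against the none-alg bypass.

Added example, not FOUNDRY or LiteLLM code. Assumes HS256 tokens with a
server-side shared secret; SECRET and all tokens below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret"  # in practice loaded from a secret store
ALLOWED_ALG = "HS256"                    # pinned; never read from the token header
MAX_EXP_HORIZON = 24 * 3600              # reject exp more than a day in the future


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims, secret=SECRET):
    """Mint a valid HS256 token so the verifier has a positive case."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def make_unsigned_token(claims):
    """Constructed negative test input: alg:none header and empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if the token is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header's alg is untrusted input: only the pinned algorithm is accepted.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    if not sig_b64:
        raise ValueError("missing signature")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if exp > now + MAX_EXP_HORIZON:
        raise ValueError("exp too far in the future")
    return claims


def is_valid(token, **kwargs):
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, **kwargs)
        return True
    except ValueError:
        return False
```

The horizon check matters on its own: even a correctly signed token is rejected if its `exp` is the "never expires" value, which is the other half of the forged-token pattern the chain description lists.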
Live subprocess execution of generated exploit code (60s timeout). Privilege detection: uid=0 / root@ / id=0 → "root"; AccessKeyId / cloud_iam → "cloud_iam". ExecutionReport with EXE-{hex12} ID, timestamp_utc, privilege_gained, return_code. FOUNDRY_UNLEASHED_KEY + ROE file required: "autonomous exploit generation authorised".
Assembles full FoundryReport from all subsystem outputs. FND-{hex12} report ID. Ed25519 + ML-DSA-65 dual-signed (HMAC-SHA3-256 + "SIM-" prefix when liboqs unavailable). MITRE ATT&CK T1203/T1068/T1210/T1059/T1552. ATLAS AML.T0043/AML.T0063. Writes to /tmp/{report_id}.json by default.
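A consumer of FoundryReport output needs to know whether the ML-DSA-65 signature on a report is real or the "SIM-" HMAC fallback before relying on it. The following is an added example (not FOUNDRY code) that implements the simulated path as described (HMAC-SHA3-256 over canonical JSON, "SIM-" prefix) with the standard library, and a verifier that only returns success for a signature it can actually check, reporting a non-prefixed signature as unverified rather than trusting it. The HMAC key, the report contents and the signature field name `signature_mldsa65` are assumptions made for the example; a real ML-DSA-65 check would need liboqs.

```python
"""Distinguish a simulated FOUNDRY report signature from a real one and verify it.

Added example, not FOUNDRY code. The key, report fields and SIG_FIELD name
are constructed for this demonstration.
"""
import hashlib
import hmac
import json

SIM_PREFIX = "SIM-"
SIG_FIELD = "signature_mldsa65"          # assumed field name, not from the page
SIM_KEY = b"constructed-report-hmac-key"  # assumed shared key for the fallback

# Constructed report body; FND-{hex12} is the page's report ID format.
REPORT = {
    "report_id": "FND-0123456789ab",
    "stages": ["fingerprint", "search", "report"],
    "attack_surface_score": 0.35,
}


def canonical(report):
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_simulated(report, key=SIM_KEY):
    """HMAC-SHA3-256 fallback, prefixed so consumers can tell it apart from PQ output."""
    mac = hmac.new(key, canonical(report), hashlib.sha3_256).hexdigest()
    return SIM_PREFIX + mac


def sign_report(report, key=SIM_KEY):
    """Return a copy of the report carrying the simulated signature."""
    signed = dict(report)
    signed[SIG_FIELD] = sign_simulated(report, key)
    return signed


def classify_signature(sig):
    return "simulated" if sig.startswith(SIM_PREFIX) else "pq"


def verify_report(signed, key=SIM_KEY):
    """Return (ok, kind).

    ok is True only when the signature is the simulated kind and the HMAC
    matches. A non-prefixed signature needs an ML-DSA-65 verifier that this
    example does not have, so it is reported as 'unverified' and never
    treated as valid here.
    """
    sig = signed.get(SIG_FIELD)
    if not isinstance(sig, str):
        return False, "missing"
    kind = classify_signature(sig)
    if kind != "simulated":
        return False, "unverified"
    body = {k: v for k, v in signed.items() if k != SIG_FIELD}
    expected = sign_simulated(body, key)
    return hmac.compare_digest(expected, sig), kind


if __name__ == "__main__":
    signed = sign_report(REPORT)
    print(signed[SIG_FIELD][:20] + "...", verify_report(signed))
```

The point of `classify_signature` is policy: a pipeline that ingests these reports can accept simulated signatures in a lab and require the real PQ signature in production, instead of silently treating both the same.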
| Gate | Env Var | Capability |
|---|---|---|
| OPEN | — | Fingerprint, search exploits, report, session management, GPU thermal |
| INJECT | FOUNDRY_INJECT_KEY | Fuzz target, test exploit, chain exploits |
| GENERATE | FOUNDRY_GENERATE_KEY | R1 exploit reasoning, variant generation, adaptation feedback loop |
| UNLEASHED | FOUNDRY_UNLEASHED_KEY + ROE file | Live exploit execution against live targets |
ROE file must contain: "autonomous exploit generation authorised"
1. Service detection across 11 AI ports, CVE mapping, defence profile
2. AFL++ / boofuzz crash discovery, exploitability classification
3. ARMORY + NVD + local exploit filesystem scan
4. R1:32b exploit code from CVE template + target context
5. 5 mutation strategies × AV/EDR evasion pipeline
6. Docker sandbox — success = uid=0 / root@ / got shell
7. R1 feedback on failure → new variants (≤5 iterations)
8. Multi-stage exploit chain across AI infrastructure
9. UNLEASHED gate — live subprocess, privilege detection
```shell
# Fingerprint target (OPEN gate)
specter-foundry fingerprint --target 192.168.1.100 --port 11434

# Fuzz target (INJECT gate)
export FOUNDRY_INJECT_KEY=your-inject-token
specter-foundry fuzz --target 192.168.1.100 --port 11434

# Reason over exploit (GENERATE gate)
export FOUNDRY_GENERATE_KEY=your-generate-token
specter-foundry reason --session-id <FND-SID>

# Generate AV-evading variants
specter-foundry generate --session-id <FND-SID> --n-variants 5 \
  --shellcode-encoding xor --injection-technique process_hollow \
  --platform windows --patch-etw --bypass-amsi

# Run exploit chain
specter-foundry chain --session-id <FND-SID> --chain-name ssrf_to_iam

# Execute (UNLEASHED gate)
export FOUNDRY_UNLEASHED_KEY=your-unleashed-token
specter-foundry execute \
  --session-id <FND-SID> \
  --variant-id VAR-XXXXXX \
  --roe-path /path/to/roe.txt
```
SPECTER FOUNDRY requires DeepSeek R1:32b via Ollama on localhost:11434 for exploit reasoning and adaptation. AFL++ must be installed for fuzzing. Docker must be running for sandbox testing. UNLEASHED execution requires a signed ROE file containing the exact phrase "autonomous exploit generation authorised". All reports are Ed25519+ML-DSA-65 dual-signed.