Architecture
SPECTER FOUNDRY is a 10-subsystem autonomous exploit code generation engine targeting AI inference infrastructure. Sessions are identified by FND-{hex12} IDs and persisted in SQLite WAL-mode — meaning a machine reboot during a long fuzzing or R1 reasoning session does not lose progress.
The pipeline is: FINGERPRINT → FUZZ → SEARCH → REASON → GENERATE → TEST → (ADAPT loop ≤5) → CHAIN → EXECUTE. Each stage stores its output in SQLite and passes the result to the next. Any stage can be invoked independently via CLI.
Requirements
| Component | Purpose | Required for |
|---|---|---|
| Python 3.11+ | Runtime | All subsystems |
| Ollama + deepseek-r1:32b | R1 reasoning | REASON-EXPLOIT, ADAPT-EXPLOIT |
| AFL++ | Binary fuzzing | FUZZ-TARGET (afl-fuzz binary) |
| Docker SDK | Sandbox auto-provision | TEST-EXPLOIT |
| cryptography≥41.0 | AES, Ed25519 | GENERATE-VARIANTS, REPORT-GENERATOR |
| liboqs (optional) | ML-DSA-65 | REPORT-GENERATOR (falls back to HMAC-SHA3-256 + "SIM-" prefix) |
Installation
cd red-specter-specter-foundry
pip install -e .
specter-foundry --help
FINGERPRINT-TARGET
Gate: OPEN. No authentication required.
Probes 11 AI services via TCP connect followed by an HTTP GET. Known default ports: Ollama:11434, vLLM:8000, LiteLLM:8080, MLflow:5000, Ray dashboard:8265, Gradio:7860, Flowise:3000, Qdrant:6333, Triton:8001, llama.cpp:8080, Streamlit:8501 (LiteLLM and llama.cpp share 8080, so for that port the service name has to come from the HTTP response rather than the port number). Builds a TargetProfile with service name, version (extracted from the banner/HTTP response), CVE matches, and a defence profile; ASLR/NX/stack canary/PIE default to True, i.e. the target is assumed hardened unless a probe shows otherwise.
specter-foundry fingerprint --target 192.168.1.100 --port 11434
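An added illustration of the FINGERPRINT stage as described above (this is not the project's code): a plain TCP connect, a raw HTTP GET, and a TargetProfile-style dict whose defence flags default to True. The target it probes is a constructed mock HTTP server started on an ephemeral localhost port so the example runs offline; the `/api/version` endpoint is Ollama's version route, and the KNOWN_PORTS map and field names are assumptions for the example.

```python
"""Added illustration of the FINGERPRINT stage: TCP connect + HTTP GET, then a
TargetProfile-like dict. Not the project's code; the probed server is a mock."""
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Default ports from the page. LiteLLM and llama.cpp collide on 8080,
# so the port alone cannot name the service; the banner has to.
KNOWN_PORTS = {
    11434: "ollama", 8000: "vllm", 8080: "litellm|llama.cpp", 5000: "mlflow",
    8265: "ray", 7860: "gradio", 3000: "flowise", 6333: "qdrant",
    8001: "triton", 8501: "streamlit",
}

def tcp_open(host, port, timeout=1.0):
    """Stage 1: plain TCP connect. Closed or filtered ports raise OSError."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_get(host, port, path="/", timeout=2.0):
    """Stage 2: raw HTTP/1.0 GET (the server closes after responding).
    Returns (status_line, headers, body) without any third-party client."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    raw = b"".join(chunks).decode("utf-8", "replace")
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def fingerprint(host, port, timeout=2.0):
    """Build a minimal profile. Defence flags default to True (assume the target
    is hardened) because nothing here can observe ASLR/NX/canary/PIE remotely."""
    profile = {
        "host": host, "port": port, "open": False,
        "service": KNOWN_PORTS.get(port, "unknown"), "version": None,
        "defences": {"aslr": True, "nx": True, "stack_canary": True, "pie": True},
    }
    if not tcp_open(host, port, timeout):
        return profile
    profile["open"] = True
    try:
        # Ollama answers GET /api/version with {"version": "..."}; other services
        # usually do not, in which case fall back to the Server header.
        status, headers, body = http_get(host, port, "/api/version", timeout)
    except OSError:
        return profile
    if status.split(" ")[1:2] == ["200"]:
        try:
            profile["version"] = json.loads(body).get("version")
            profile["service"] = "ollama"
        except (ValueError, AttributeError):
            pass
    if profile["version"] is None and "server" in headers:
        profile["version"] = headers["server"]
    return profile

# --- constructed mock target so the example runs offline ---
class _FakeOllama(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/api/version":
            body = json.dumps({"version": "0.1.33"}).encode()
        else:
            body = b"Ollama is running"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass

def demo():
    """Probe a mock Ollama on an ephemeral localhost port and return its profile."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeOllama)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return fingerprint("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the mock listens on a random port, the profile's service name comes from the version response, not from KNOWN_PORTS; that is the same disambiguation a real probe needs on 8080.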
FUZZ-TARGET
Gate: INJECT. Requires FOUNDRY_INJECT_KEY.
Sends boundary inputs, format strings, and protocol mutations to the target service. If the afl-fuzz binary is present, launches AFL++ instrumented fuzzing against binary targets. Crash types detected: segfault, heap overflow, null pointer dereference, stack overflow, format string, integer overflow. Exploitability rated EXPLOITABLE / PROBABLY_EXPLOITABLE / UNKNOWN based on crash type and crash count.
export FOUNDRY_INJECT_KEY=your-key
specter-foundry fuzz --target 192.168.1.100 --port 11434 --session-id FND-ABC123
SEARCH-EXPLOITS
Gate: OPEN.
Three search paths run in order. First: ARMORY DB keyword search (path from ARMORY_DB_PATH env var). Second: NVD CVE API lookup for each known_cve in the target profile. Third: local filesystem scan for matching exploit files. Confidence scoring: NVD CVSS 9.8 → confidence 0.99, local file found → 0.9. Returns highest-confidence result.
REASON-EXPLOIT
Gate: GENERATE. Requires FOUNDRY_GENERATE_KEY.
Selects a named CVE template from the 6 AI inference templates based on target service name and known CVE match. Builds a prompt from the TargetProfile + FuzzResult + ExploitSearchResult and submits to DeepSeek R1:32b via Ollama (localhost:11434, POST /api/generate). Strips <think>...</think> tags from the reasoning output. GPU thermal guard: queries nvidia-smi; warns at 85°C, pauses at 90°C (raises RuntimeError until temperature drops).
GENERATE-VARIANTS
Gate: GENERATE.
Generates N exploit variants from the base ExploitCode, applying one of 5 mutation strategies: alternate_encoding, rop_chain_variant, different_injection_technique, syscall_direct, heap_spray. Each variant runs through the full AV/EDR evasion pipeline before being stored.
Shellcode encoding
| Method | Notes |
|---|---|
| XOR | Smallest key producing zero null bytes; x86_64 decoder stub generated |
| AES-CTR | Random 16-byte key + nonce via os.urandom |
| AES-CBC | Random 16-byte key + IV; PKCS7 padding |
| ADD/SUB | Null-byte removal via ADD delta |
Windows injection techniques
| Technique | Mechanism |
|---|---|
| direct_syscall | NtAllocateVirtualMemory(0x18) / NtWriteVirtualMemory(0x3A) / NtCreateThreadEx(0xC1) — Win10 21H2 SSNs |
| process_hollow | CreateProcess(SUSPENDED) → NtUnmapViewOfSection → VirtualAllocEx → WriteProcessMemory → SetThreadContext |
| early_bird_apc | CreateProcess(SUSPENDED) → VirtualAllocEx → WriteProcessMemory → QueueUserAPC → ResumeThread |
| etw_patch | VirtualProtect ntdll!EtwEventWrite → write 0xC3 (RET) |
| amsi_bypass | VirtualProtect AmsiScanBuffer → write mov eax,0x80070057;ret (6 bytes) |
Linux injection techniques
| Technique | Mechanism |
|---|---|
| got_overwrite | Arbitrary-write primitive → GOT entry → shellcode address in two 4-byte chunks |
| ld_preload | gcc -shared -fPIC constructor library; deploy via LD_PRELOAD env var |
TEST-EXPLOIT
Gate: INJECT.
Builds a Dockerfile from target OS name / OS version / libraries / services / defences and provisions a Docker container. Runs the exploit code as a subprocess inside the container (or directly on the operator host if Docker is unavailable, which means generated code executes unsandboxed; confirm the Docker SDK and daemon are reachable before enabling this stage). Success indicators: uid=0, root@, /etc/shadow, got shell, rce confirmed, whoami. Returns ExploitTestResult with success/stdout/stderr/sandbox_image.
ADAPT-EXPLOIT
Gate: GENERATE.
Takes the list of failed variants and their test results, feeds them back to R1:32b with a failure analysis prompt, and generates new adapted variants. MAX_ADAPTATION_BUDGET = 5 iterations. budget_exhausted = True when iteration exceeds budget. Each adaptation cycle logs its reasoning trace in the AdaptationLog.
CHAIN-EXPLOITS
Gate: INJECT.
Executes one of 5 named multi-stage exploit chains. JWT none-alg tokens forged via the litellm_jwt_to_corruption chain (alg:none, empty signature, exp:9999999999). Per-step privilege tracking from user through root or cloud_iam. Returns ChainReport with CHN-{hex12} ID and full step sequence.
EXECUTE-EXPLOIT
Gate: UNLEASHED. Requires FOUNDRY_UNLEASHED_KEY + ROE file.
Writes the exploit code to a temp file and executes via subprocess (60s timeout). Privilege detection: uid=0 / root@ / id=0 → "root"; AccessKeyId / cloud_iam → "cloud_iam". Returns ExecutionReport with EXE-{hex12} ID.
ROE file must contain the exact phrase: autonomous exploit generation authorised
REPORT-GENERATOR
Gate: OPEN.
Assembles FoundryReport from all SQLite-stored subsystem outputs. Dual-signs with Ed25519 (from FOUNDRY_SIGNING_KEY env var, base64-encoded 32-byte seed) and ML-DSA-65 (via liboqs). Falls back to HMAC-SHA3-256 with "SIM-" prefix if liboqs is not installed. Writes JSON to /tmp/{report_id}.json by default.
Gate Architecture
| Gate | Env Var | Subsystems |
|---|---|---|
| OPEN | — | fingerprint, search-exploits, report, templates, thermal |
| INJECT | FOUNDRY_INJECT_KEY | fuzz, test-exploit, chain-exploits |
| GENERATE | FOUNDRY_GENERATE_KEY | reason, generate, adapt |
| UNLEASHED | FOUNDRY_UNLEASHED_KEY + ROE file | execute |
Session Schema
SQLite database at $FOUNDRY_SESSION_DIR/{session_id}.db (default: /tmp/foundry_sessions/). WAL journal mode. 10 tables: sessions, target_profiles, fuzz_results, exploit_search_results, exploit_codes, variant_sets, exploit_test_results, adaptation_logs, chain_reports, execution_reports.
AV/EDR Evasion Pipeline
Applied during GENERATE-VARIANTS. Each variant receives: null-byte removal (XOR key search smallest 1–255), selected encoding (XOR/AES-CTR/AES-CBC), injection technique template, and optional ETW patch + AMSI bypass stubs prepended to the payload code.
ETW patch byte: 0xC3 (RET). AMSI patch: \xB8\x57\x00\x07\x80\xC3 (mov eax,0x80070057;ret). Direct syscall SSNs are for Win10 21H2 — patch for other Windows versions by overriding alloc_ssn/write_ssn/thread_ssn.
CVE Templates
| Template Key | CVE | CVSS | Attack Vector |
|---|---|---|---|
| vllm_ssrf | CVE-2024-5483 | 9.0 | SSRF via /v1/completions model name injection → internal metadata service |
| ollama_lfi | CVE-2024-37032 | 9.8 | LFI via /api/pull modelfile path traversal → arbitrary file read |
| litellm_jwt_bypass | CVE-2024-5480 | 9.8 | JWT algorithm confusion — RS256 → HS256 / none-alg → admin API access |
| llamacpp_rce | CVE-2024-34359 | 9.6 | GGUF model file loading → Jinja2 template injection → RCE via chat template |
| mlflow_pickle_rce | CVE-2023-6709 | 9.8 | Pickle deserialization in MLflow model loading → RCE via crafted model artifact |
| ray_unauth_rce | CVE-2023-48022 | 9.8 | Unauthenticated job submission to Ray dashboard → RCE via submitted job code |
Exploit Chains
| Chain | Steps | Final Privilege |
|---|---|---|
| ssrf_to_iam | ssrf_probe → metadata_access → iam_credential_harvest | cloud_iam |
| rce_to_gpu_pivot | rce_initial → gpu_discovery → gpu_lateral_movement | root |
| mcp_to_payload | mcp_error_inject → tool_abuse → payload_delivery | root |
| ollama_to_registry | ollama_lfi → registry_creds_harvest → model_poison | cloud_iam |
| litellm_jwt_to_corruption | jwt_none_alg_forge → admin_api_access → model_weight_corruption | root |
Reports
Report IDs use the FND-{hex12} prefix (same format as session IDs; make_report_id() generates a fresh one rather than reusing the session ID). Signing structure: sha256 over the report JSON serialised without the signing field, an Ed25519 signature (base64), and an ML-DSA-65 signature (base64, or "SIM-" + HMAC-SHA3-256 when liboqs is absent). Algorithm field: "Ed25519+ML-DSA-65" or "Ed25519+HMAC-SHA3-256-SIM". Treat a "SIM-" value as a keyed MAC, not a post-quantum signature: anyone holding the HMAC key can produce it, so the Ed25519 signature is the only public-key authenticity check in that configuration.
Verify a report: specter-foundry report --verify /tmp/FND-XXXXXX.json
MITRE Mapping
| ID | Technique |
|---|---|
| T1203 | Exploitation for Client Execution |
| T1068 | Exploitation for Privilege Escalation |
| T1210 | Exploitation of Remote Services |
| T1059 | Command and Scripting Interpreter |
| T1552 | Unsecured Credentials |
| AML.T0043 | Craft Adversarial Data |
| AML.T0063 | ML Supply Chain Compromise |
SPECTER FOUNDRY is a controlled adversarial testing tool. Use only in authorised penetration testing engagements against systems you own or have written permission to test. The UNLEASHED gate requires a valid ROE file. All activity is logged and signed.