erl-matter's People

Contributors

gteissier, tim---

erl-matter's Issues

commands not found with bruteforce

./bruteforce-erldp.c: line 24: static: command not found
./bruteforce-erldp.c: line 25: static: command not found
./bruteforce-erldp.c: line 26: static: command not found
./bruteforce-erldp.c: line 27: static: command not found
./bruteforce-erldp.c: line 28: static: command not found
./bruteforce-erldp.c: line 29: static: command not found
./bruteforce-erldp.c: line 36: struct: command not found
./bruteforce-erldp.c: line 37: uint64_t: command not found
./bruteforce-erldp.c: line 38: uint64_t: command not found
./bruteforce-erldp.c: line 39: float: command not found
./bruteforce-erldp.c: line 40: unsigned: command not found
./bruteforce-erldp.c: line 41: pthread_barrier_t: command not found
./bruteforce-erldp.c: line 42: syntax error near unexpected token `interval'
./bruteforce-erldp.c: line 42: `TAILQ_ENTRY(interval) _next;'

About the compilation of bruteforce-erldp.c

Hi, I tried to compile bruteforce-erldp into a linux executable file but encountered an error.
Can you give me some suggestions?

#root gcc bruteforce-erldp.c -o bruteforce-erldp
/usr/bin/ld: /tmp/ccwCtYAc.o: in function `create_interval':
bruteforce-erldp.c:(.text+0x9d): undefined reference to `pthread_barrier_init'
/usr/bin/ld: /tmp/ccwCtYAc.o: in function `worker_run':
bruteforce-erldp.c:(.text+0x671): undefined reference to `create_cookie'
/usr/bin/ld: bruteforce-erldp.c:(.text+0xa17): undefined reference to `compute_response'
/usr/bin/ld: bruteforce-erldp.c:(.text+0xb76): undefined reference to `pthread_barrier_wait'
/usr/bin/ld: /tmp/ccwCtYAc.o: in function `main':
bruteforce-erldp.c:(.text+0x13bd): undefined reference to `jsmn_init'
/usr/bin/ld: bruteforce-erldp.c:(.text+0x13e4): undefined reference to `jsmn_parse'
/usr/bin/ld: bruteforce-erldp.c:(.text+0x1a77): undefined reference to `pthread_create'
/usr/bin/ld: bruteforce-erldp.c:(.text+0x1d42): undefined reference to `pthread_join'
collect2: error: ld returned 1 exit status

revert-prng.sage Not compatible with sage >=8.4

The revert-prng.sage script is not compatible with recent versions of sagemath.

While sagemath 8.3 seems to produce valid output:

docker run --rm -ti -v "$PWD":/erl-matter sagemath/sagemath:8.3 'echo "ERZZMEZFKZVMABHVVCOI" | /erl-matter/revert-prng.sage'
Setting permissions of DOT_SAGE directory so only you can read and write it.
61466461736

The script fails to calculate the right cookie using sagemath 8.4

docker run --rm -ti -v "$PWD":/erl-matter sagemath/sagemath:8.4 'echo "ERZZMEZFKZVMABHVVCOI" | /erl-matter/revert-prng.sage'
Setting permissions of DOT_SAGE directory so only you can read and write it.
Traceback (most recent call last):
  File "/erl-matter/revert-prng.sage.py", line 101, in <module>
    assert(derive_cookie(seed) == cookie)
AssertionError

Recent versions work with Python 3 under the hood and therefore fail at xrange.

docker run --rm -ti -v "$PWD":/erl-matter sagemath/sagemath 'echo "ERZZMEZFKZVMABHVVCOI" | /erl-matter/revert-prng.sage'
Traceback (most recent call last):
  File "/erl-matter/revert-prng.sage.py", line 29, in <module>
    for i in xrange(_sage_const_1 , _sage_const_20 ):
NameError: name 'xrange' is not defined

I recommend updating the script or adding a supported sage version to the documentation.

bruteforce-erldp issues

Hello,
I'm testing this against an endpoint that I control. I can confirm I'm able to connect via 25672 and able to join the cluster if I set the correct autogenerated cookie.

I've tried to use the brute force script to no avail on various OSes, including OSX, Ubuntu, and the version accessible from the BlackArch package manager.

When I use the options as suggested in the documentation:

./bruteforce-erldp --threads=16 --seed-start=381410768 --seed-end=386584488 --gap=1000 <my ip> 25672

I get the following error:

bruteforce-erldp: unrecognized option `--seed-start=381410768'
bruteforce-erldp: unrecognized option `--seed-end=386584488'
Erlang distribution cookie bruteforce is starting, sweeping through 0 seed intervals
[2]    15217 segmentation fault  ./bruteforce-erldp --threads=16 --seed-start=381410768 --seed-end=386584488

I presumed that this was due to an update that wasn't reflected in the documentation. The help menu appears to offer a different syntax, but this still isn't working for me:

$ ./bruteforce-erldp --interval=430413359,431413359,6.24 <my ip> 25672
bruteforce using 64 concurrent threads
creating new interval 430413359 -> 431413359 6.240000
Erlang distribution cookie bruteforce is starting, sweeping through 1 seed intervals
invalid / unexpected message received, while awaiting send_status
invalid / unexpected message received, while awaiting send_status
received :736e6f745f616c6c6f776564received :736e6f745f616c6c6f776564
invalid / unexpected message received, while awaiting send_status

invalid / unexpected message received, while awaiting send_status
received :736e6f745f616c6c6f776564

invalid / unexpected message received, while awaiting send_status
received :736e6f745f616c6c6f776564
 0 seed/s (64 conn/s, 0 fails/s)		0.00000% (1/1)

I also tried doing this using a defined JSON file as suggested.

Some info about my erlang environment:

Erlang/OTP 23 [erts-11.1.8] [source] [64-bit] [smp:16:16] [ds:16:16:10] [async-threads:1] [hipe] [dtrace]

Eshell V11.1.8

Can you suggest a recommended environment where I can run this? I'm almost positive I have epmd / rabbitmq set up correctly to listen. The tool mentioned here (https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/) seems to work and will succeed when it finds the correct cookie, but only brute forces naively without considering seed intervals.

Erlang 25 - updated flags

Hello,

I tried to use bruteforce-erldp.c in a pentest scenario against software we recently purchased. The supplier recognized the vulnerability of his software, updated Erlang to v25, and declared the vulnerability fixed because bruteforce-erldp no longer works and gives the error "could not receive send_status".

However, after some more reading, it was obvious that there is no fix for this issue in Erlang 25, and the only fix is to disable the distribution port.
It seems the real reason why your tool no longer works is that there are some new mandatory flags in the Erlang distribution protocol with Erlang 25.
It is documented here: https://github.com/erlang/otp/blob/master/lib/kernel/include/dist.hrl
It seems the easiest way to fix this would be to send the DFLAG_MANDATORY_25_DIGEST flag.
Unfortunately I could not test this theory; I have barely any programming knowledge and don't know how to change the line in your program code to send the required flag.

Could you help with this, please?
