assembly simplified
This commit is contained in:
parent
086bda7642
commit
b714716094
6
README
6
README
|
|
@ -1,5 +1,5 @@
|
|||
Transform payload code in hexa :
|
||||
nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload
|
||||
|
||||
nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload
|
||||
|
||||
Append : | xclip -sel clip to directly get it in clipboard
|
||||
To get it in the clipboad directly append :
|
||||
| xclip -sel clip to directly
|
||||
4
diff.txt
4
diff.txt
|
|
@ -1,4 +0,0 @@
|
|||
2c2
|
||||
< resources/sample64: file format elf64-x86-64
|
||||
---
|
||||
> woody: file format elf64-x86-64
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
#include <elf.h>
|
||||
#include <stdint.h>
|
||||
|
||||
#define PAYLOAD "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x0c\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xdf\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
|
||||
#define JUMP "\xe9";//\xdf\xff\xff\xff";
|
||||
#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
|
||||
#define JUMP "\xe9"
|
||||
|
||||
typedef struct efl_content
|
||||
{
|
||||
|
|
|
|||
64
print.s
64
print.s
|
|
@ -1,28 +1,52 @@
|
|||
; bits 64
|
||||
; default rel
|
||||
; global _start
|
||||
|
||||
; _start:
|
||||
; push rax
|
||||
; push rdi
|
||||
; push rsi
|
||||
; push rdx
|
||||
; push rbx
|
||||
|
||||
; xor eax, eax
|
||||
; cdq
|
||||
; mov dl, 10
|
||||
; inc eax
|
||||
; mov edi, eax
|
||||
; lea rsi, [rel msg]
|
||||
; syscall
|
||||
; pop rbx
|
||||
; pop rdx
|
||||
; pop rsi
|
||||
; pop rdi
|
||||
; pop rax
|
||||
; jmp 0x00000000
|
||||
|
||||
; msg db "..WOODY..",10
|
||||
|
||||
bits 64
|
||||
default rel
|
||||
global _start
|
||||
|
||||
_start:
|
||||
push rax
|
||||
push rdi
|
||||
push rsi
|
||||
push rdx
|
||||
push rbx
|
||||
push rax
|
||||
push rdi
|
||||
push rsi
|
||||
push rdx
|
||||
push rbx
|
||||
|
||||
xor eax, eax
|
||||
cdq
|
||||
mov dl, 10
|
||||
inc eax
|
||||
mov edi, eax
|
||||
lea rsi, [rel msg]
|
||||
syscall
|
||||
pop rbx
|
||||
pop rdx
|
||||
pop rsi
|
||||
pop rdi
|
||||
pop rax
|
||||
jmp 0x00000000
|
||||
mov rdi, 1
|
||||
lea rsi, [rel msg]
|
||||
mov rdx, 10
|
||||
mov rax, 1
|
||||
syscall
|
||||
|
||||
pop rbx
|
||||
pop rdx
|
||||
pop rsi
|
||||
pop rdi
|
||||
pop rax
|
||||
jmp 0x00000000
|
||||
|
||||
msg db "..WOODY..",10
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,17 +0,0 @@
|
|||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
char code[] = "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x12\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\xb0\x3c\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a";
|
||||
typedef void (*ShellcodeFunc)();
|
||||
|
||||
int main() {
|
||||
ShellcodeFunc func = (ShellcodeFunc)code;
|
||||
|
||||
size_t pagesize = 4096; // 4KB, a common page size
|
||||
uintptr_t page_start = (uintptr_t)code & ~(pagesize - 1);
|
||||
mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC);
|
||||
func();
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -45,7 +45,6 @@ int get_load_segment(t_efl_content *woody, int start, bool executable)
|
|||
return -1;
|
||||
}
|
||||
|
||||
|
||||
int32_t find_jmp(char *code, size_t len)
|
||||
{
|
||||
char *jump = JUMP;
|
||||
|
|
@ -70,7 +69,7 @@ void inject(t_efl_content *woody)
|
|||
size_t payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
|
||||
|
||||
printf("Old entry : %ld\n", woody->Ehdr->e_entry);
|
||||
printf("Code_cave_start = %ld\n", woody->Phdr[i].p_offset);
|
||||
printf("Code_cave_start = %ld\n", payload_off);
|
||||
printf("Code_cave_size = %ld\n", code_cave_size);
|
||||
printf("Payload size = %ld\n", len_payload);
|
||||
|
||||
|
|
@ -80,12 +79,11 @@ void inject(t_efl_content *woody)
|
|||
ft_memcpy(&payload[jmp_index + 1], &backward_len, sizeof(backward_len));
|
||||
ft_memcpy(woody->file + payload_off, payload, len_payload);
|
||||
|
||||
printf("Backward offset = %d\n", backward_len);
|
||||
printf("Backward offset = %d (%x)\n", backward_len, backward_len);
|
||||
|
||||
woody->Ehdr->e_entry = payload_off;
|
||||
woody->Phdr[i].p_filesz += len_payload;
|
||||
woody->Phdr[i].p_memsz += len_payload;
|
||||
woody->file_size += len_payload;
|
||||
|
||||
printf("New entry = %ld\n", woody->Ehdr->e_entry);
|
||||
}
|
||||
|
|
@ -93,7 +91,7 @@ void inject(t_efl_content *woody)
|
|||
int get_elf_sections(t_efl_content *woody)
|
||||
{
|
||||
woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
|
||||
if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != 2)
|
||||
if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != ELFCLASS64)
|
||||
{
|
||||
ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path);
|
||||
return EXIT_FAILURE;
|
||||
|
|
@ -150,7 +148,6 @@ int prepare_injection(t_efl_content *woody)
|
|||
ft_memcpy(woody_file, woody->file, woody->file_size);
|
||||
|
||||
// encrypt(woody_file, strtab_header->sh_offset , strtab_header->sh_size);
|
||||
|
||||
munmap(woody_file, woody->file_size);
|
||||
save_elf("woody", woody_file, woody->file_size);
|
||||
free(woody_file);
|
||||
|
|
|
|||
Loading…
Reference in New Issue