generate payload from file

This commit is contained in:
pbonilla 2024-03-21 15:44:29 +01:00
parent 2c4bdfeeec
commit fa004f3a6a
4 changed files with 54 additions and 63 deletions


@ -14,9 +14,14 @@
#include <elf.h> #include <elf.h>
#include <stdint.h> #include <stdint.h>
#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
#define JUMP "\xe9" #define JUMP "\xe9"
typedef struct payload
{
char *payload;
size_t len;
} t_payload;
typedef struct efl_content typedef struct efl_content
{ {
long unsigned int file_size; long unsigned int file_size;
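Review bot: The new t_payload struct has no documentation of its ownership contract: `payload` holds heap-allocated raw machine code (not a NUL-terminated string, despite the `char *` type), `len` is its byte count, and nothing in this header says who frees either. I would add above the typedef: `/* Raw x86-64 payload bytes loaded from disk. payload is malloc'd and owned by the caller of get_payload(); len is its size in bytes (not NUL-terminated). */`, and consider `unsigned char *` for the bytes since they are searched for a 0xe9 opcode rather than treated as text. If the PAYLOAD macro on the line above survives on the new side it now carries a second, hard-coded copy of the same shellcode; either it is dead and should go, or the two can drift apart.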

print.s

@ -1,52 +1,27 @@
; bits 64
; default rel
; global _start
; _start:
; push rax
; push rdi
; push rsi
; push rdx
; push rbx
; xor eax, eax
; cdq
; mov dl, 10
; inc eax
; mov edi, eax
; lea rsi, [rel msg]
; syscall
; pop rbx
; pop rdx
; pop rsi
; pop rdi
; pop rax
; jmp 0x00000000
; msg db "..WOODY..",10
bits 64 bits 64
default rel
global _start global _start
_start: _start:
push rax push rax
push rdi push rdi
push rsi push rsi
push rdx push rdx
push rbx
mov rdi, 1
mov rdi, 1 mov rdi, 1
mov rdi, 1
mov rdi, 1
mov rdi, 1
mov rdi, 1
lea rsi, [rel msg] lea rsi, [rel msg]
mov rdx, 10 mov rdx, 10
mov rax, 1 mov rax, 1
syscall syscall
pop rbx pop rdx
pop rdx
pop rsi pop rsi
pop rdi pop rdi
pop rax pop rax
jmp 0x00000000 jmp 0x00000000
msg db "..WOODY..",10 msg db "..WOODY..",10
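Review bot: The `syscall` instruction clobbers rcx and r11 (the kernel uses them for the return address and rflags), but the new prologue/epilogue saves only rax, rdi, rsi and rdx, so the original entry point is resumed with those two registers changed; add `push rcx` / `push r11` before the write and the matching pops in reverse order after it, or document that the original _start is assumed not to depend on them. The `jmp 0x00000000` is a placeholder that the C side patches by locating the first 0xe9 byte in the blob, so this file silently depends on no earlier instruction encoding containing that byte; a comment on the `jmp` line such as `; rel32 placeholder patched by insert_payload(); must be the first 0xe9 byte in the blob` would save the next person a debugging session. The write(2) return value is deliberately ignored, which is fine for a banner but worth a one-line comment so it is not mistaken for an oversight.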


@ -19,7 +19,7 @@ int get_elf_file(t_efl_content *woody)
return EXIT_FAILURE; return EXIT_FAILURE;
} }
woody->file_size = off; woody->file_size = off;
woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0);
if (woody->file == MAP_FAILED) if (woody->file == MAP_FAILED)
{ {
close(fd); close(fd);
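Review bot: Adding PROT_EXEC to the mapping of the input file is not needed for patching: nothing in the visible code executes from the mapped image, the bytes are only read and rewritten in place, and MAP_PRIVATE means the result must be written out separately anyway. It turns an attacker-controlled input ELF into a writable+executable region inside the packer's own address space, which is exactly what W^X hardening (and SELinux execmem denials) exist to forbid, so any memory-safety bug elsewhere in the tool becomes directly exploitable. Unless an in-process execution step is planned, keep `woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);`; if PROT_EXEC is genuinely required, a comment stating why belongs on that line. get_elf_file's body starts before and continues after this hunk.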


@ -59,10 +59,10 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse
} }
} }
size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload)
{ {
const unsigned int page_size = 4096;// getpagesize(); not authorized const unsigned int page_size = 4096; // getpagesize(); not authorized
unsigned int padding_size = ((sizeof(PAYLOAD) / page_size) + 1) * page_size; unsigned int padding_size = ((payload->len / page_size) + 1) * page_size;
unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz; unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz;
offset_sections(woody, codecave_start, padding_size); offset_sections(woody, codecave_start, padding_size);
char *new_woody = malloc(woody->file_size + padding_size); char *new_woody = malloc(woody->file_size + padding_size);
@ -80,24 +80,34 @@ size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment)
return codecave_start; return codecave_start;
} }
t_payload *get_payload()
int insert_payload(t_efl_content *woody, size_t payload_position)
{ {
char payload[] = PAYLOAD; t_payload *payload = malloc(sizeof(t_payload));
size_t len_payload = sizeof(PAYLOAD) - 1; if (!payload)
char *ptr = ft_strnstr_nullterminated(payload, JUMP, len_payload); return NULL;
char buffer[1024];
int fd = open("payload", O_RDONLY);
payload->len = read(fd, buffer, 1024);
payload->payload = malloc(sizeof(char) * payload->len);
ft_memcpy(payload->payload, buffer, payload->len);
return payload;
}
int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position)
{
char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
if (ptr) if (ptr)
{ {
int32_t jmp_index = ptr - payload; int32_t jmp_index = ptr - payload->payload;
int32_t jump_value = ((payload_position + len_payload) - woody->Ehdr->e_entry) * -1; int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
ft_memcpy(&payload[jmp_index + 1], &jump_value, sizeof(jump_value));
ft_memcpy(woody->file + payload_position, payload, len_payload); ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
printf("Code_cave_start = %ld (%lx)\n", payload_position, payload_position); printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
printf("Payload size = %ld (%lx)\n", len_payload, len_payload); printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
printf("Backward offset = %d (%x)\n", jump_value, jump_value); printf("Backwar d offset = %d (%x)\n", jump_value, jump_value);
return EXIT_SUCCESS; return EXIT_SUCCESS;
} }
@ -106,29 +116,30 @@ int insert_payload(t_efl_content *woody, size_t payload_position)
void inject(t_efl_content *woody) void inject(t_efl_content *woody)
{ {
size_t len_payload = sizeof(PAYLOAD) - 1; t_payload *payload = get_payload();
int i = get_load_segment(woody, 0, true); int i = get_load_segment(woody, 0, true);
int j = get_load_segment(woody, i + 1, false); int j = get_load_segment(woody, i + 1, false);
size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz); size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
size_t payload_position; size_t payload_position;
printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset);
printf("load size = : %ld (%lx)\n", woody->Phdr[i].p_filesz, woody->Phdr[i].p_filesz);
if (code_cave_size > len_payload) if (code_cave_size > payload->len) // inverse here to test the other technique
{ {
payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size); printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size);
} }
else else
{ {
payload_position = create_codecave(woody, &woody->Phdr[i]); payload_position = create_codecave(woody, &woody->Phdr[i], payload);
} }
insert_payload(woody, payload_position); insert_payload(woody, payload, payload_position);
woody->Ehdr->e_entry = payload_position; woody->Ehdr->e_entry = payload_position;
woody->Phdr[i].p_filesz += len_payload; woody->Phdr[i].p_filesz += payload->len;
woody->Phdr[i].p_memsz += len_payload; woody->Phdr[i].p_memsz += payload->len;
printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
} }
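Review bot: get_payload() never checks open(), read() or the second malloc(): with no `payload` file open() returns -1, read() on it returns -1, which stored into the size_t `len` becomes SIZE_MAX, malloc() then fails and ft_memcpy() writes through a NULL pointer; the descriptor is also never closed and anything past 1024 bytes is silently dropped. inject() then dereferences the result without a NULL check and sets e_entry regardless of what insert_payload() returned, so a payload file lacking the 0xe9 marker yields a binary whose entry points at a code cave that was never written. I would make get_payload() fail cleanly as below, have inject() return early when it gets NULL, and test `if (insert_payload(woody, payload, payload_position) != EXIT_SUCCESS) return;` before touching e_entry. Note that the payload is opened by the relative name `payload`, so whatever file of that name sits in the current working directory is what ends up executing at the new entry point; an explicit path or a command-line argument would be safer. insert_payload's body continues past its hunk.
```c
t_payload *get_payload(void)
{
    t_payload *payload = malloc(sizeof(*payload));
    if (!payload)
        return NULL;
    int fd = open("payload", O_RDONLY);
    if (fd < 0)
    {
        free(payload);
        return NULL;
    }
    char buffer[1024];
    ssize_t n = read(fd, buffer, sizeof(buffer));
    close(fd);
    /* reject read errors, an empty file, and a payload that would be truncated */
    if (n <= 0 || n == (ssize_t)sizeof(buffer))
    {
        free(payload);
        return NULL;
    }
    payload->payload = malloc((size_t)n);
    if (!payload->payload)
    {
        free(payload);
        return NULL;
    }
    ft_memcpy(payload->payload, buffer, (size_t)n);
    payload->len = (size_t)n;
    return payload;
}
```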