generate payload from file
This commit is contained in:
parent
2c4bdfeeec
commit
fa004f3a6a
|
@ -14,9 +14,14 @@
|
|||
#include <elf.h>
|
||||
#include <stdint.h>
|
||||
|
||||
#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
|
||||
#define JUMP "\xe9"
|
||||
|
||||
typedef struct payload
|
||||
{
|
||||
char *payload;
|
||||
size_t len;
|
||||
} t_payload;
|
||||
|
||||
typedef struct efl_content
|
||||
{
|
||||
long unsigned int file_size;
|
||||
|
|
35
print.s
35
print.s
|
@ -1,32 +1,4 @@
|
|||
; bits 64
|
||||
; default rel
|
||||
; global _start
|
||||
|
||||
; _start:
|
||||
; push rax
|
||||
; push rdi
|
||||
; push rsi
|
||||
; push rdx
|
||||
; push rbx
|
||||
|
||||
; xor eax, eax
|
||||
; cdq
|
||||
; mov dl, 10
|
||||
; inc eax
|
||||
; mov edi, eax
|
||||
; lea rsi, [rel msg]
|
||||
; syscall
|
||||
; pop rbx
|
||||
; pop rdx
|
||||
; pop rsi
|
||||
; pop rdi
|
||||
; pop rax
|
||||
; jmp 0x00000000
|
||||
|
||||
; msg db "..WOODY..",10
|
||||
|
||||
bits 64
|
||||
default rel
|
||||
global _start
|
||||
|
||||
_start:
|
||||
|
@ -34,15 +6,18 @@ _start:
|
|||
push rdi
|
||||
push rsi
|
||||
push rdx
|
||||
push rbx
|
||||
|
||||
mov rdi, 1
|
||||
mov rdi, 1
|
||||
mov rdi, 1
|
||||
mov rdi, 1
|
||||
mov rdi, 1
|
||||
mov rdi, 1
|
||||
lea rsi, [rel msg]
|
||||
mov rdx, 10
|
||||
mov rax, 1
|
||||
syscall
|
||||
|
||||
pop rbx
|
||||
pop rdx
|
||||
pop rsi
|
||||
pop rdi
|
||||
|
|
|
@ -19,7 +19,7 @@ int get_elf_file(t_efl_content *woody)
|
|||
return EXIT_FAILURE;
|
||||
}
|
||||
woody->file_size = off;
|
||||
woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
|
||||
woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0);
|
||||
if (woody->file == MAP_FAILED)
|
||||
{
|
||||
close(fd);
|
||||
|
|
51
srcs/woody.c
51
srcs/woody.c
|
@ -59,10 +59,10 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse
|
|||
}
|
||||
}
|
||||
|
||||
size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment)
|
||||
size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload)
|
||||
{
|
||||
const unsigned int page_size = 4096; // getpagesize(); not authorized
|
||||
unsigned int padding_size = ((sizeof(PAYLOAD) / page_size) + 1) * page_size;
|
||||
unsigned int padding_size = ((payload->len / page_size) + 1) * page_size;
|
||||
unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz;
|
||||
offset_sections(woody, codecave_start, padding_size);
|
||||
char *new_woody = malloc(woody->file_size + padding_size);
|
||||
|
@ -80,23 +80,33 @@ size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment)
|
|||
return codecave_start;
|
||||
}
|
||||
|
||||
|
||||
int insert_payload(t_efl_content *woody, size_t payload_position)
|
||||
t_payload *get_payload()
|
||||
{
|
||||
char payload[] = PAYLOAD;
|
||||
size_t len_payload = sizeof(PAYLOAD) - 1;
|
||||
char *ptr = ft_strnstr_nullterminated(payload, JUMP, len_payload);
|
||||
t_payload *payload = malloc(sizeof(t_payload));
|
||||
if (!payload)
|
||||
return NULL;
|
||||
char buffer[1024];
|
||||
int fd = open("payload", O_RDONLY);
|
||||
payload->len = read(fd, buffer, 1024);
|
||||
payload->payload = malloc(sizeof(char) * payload->len);
|
||||
ft_memcpy(payload->payload, buffer, payload->len);
|
||||
return payload;
|
||||
}
|
||||
|
||||
int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position)
|
||||
{
|
||||
char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
|
||||
if (ptr)
|
||||
{
|
||||
int32_t jmp_index = ptr - payload;
|
||||
int32_t jump_value = ((payload_position + len_payload) - woody->Ehdr->e_entry) * -1;
|
||||
ft_memcpy(&payload[jmp_index + 1], &jump_value, sizeof(jump_value));
|
||||
ft_memcpy(woody->file + payload_position, payload, len_payload);
|
||||
int32_t jmp_index = ptr - payload->payload;
|
||||
int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
|
||||
|
||||
ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
|
||||
ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
|
||||
|
||||
printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
|
||||
printf("Code_cave_start = %ld (%lx)\n", payload_position, payload_position);
|
||||
printf("Payload size = %ld (%lx)\n", len_payload, len_payload);
|
||||
printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
|
||||
printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
|
||||
printf("Backwar d offset = %d (%x)\n", jump_value, jump_value);
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
|
@ -106,29 +116,30 @@ int insert_payload(t_efl_content *woody, size_t payload_position)
|
|||
|
||||
void inject(t_efl_content *woody)
|
||||
{
|
||||
size_t len_payload = sizeof(PAYLOAD) - 1;
|
||||
t_payload *payload = get_payload();
|
||||
|
||||
int i = get_load_segment(woody, 0, true);
|
||||
int j = get_load_segment(woody, i + 1, false);
|
||||
|
||||
|
||||
size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
|
||||
size_t payload_position;
|
||||
printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset);
|
||||
printf("load size = : %ld (%lx)\n", woody->Phdr[i].p_filesz, woody->Phdr[i].p_filesz);
|
||||
|
||||
if (code_cave_size > len_payload)
|
||||
if (code_cave_size > payload->len) // inverse here to test the other technique
|
||||
{
|
||||
payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
|
||||
printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size);
|
||||
}
|
||||
else
|
||||
{
|
||||
payload_position = create_codecave(woody, &woody->Phdr[i]);
|
||||
payload_position = create_codecave(woody, &woody->Phdr[i], payload);
|
||||
}
|
||||
insert_payload(woody, payload_position);
|
||||
insert_payload(woody, payload, payload_position);
|
||||
|
||||
woody->Ehdr->e_entry = payload_position;
|
||||
woody->Phdr[i].p_filesz += len_payload;
|
||||
woody->Phdr[i].p_memsz += len_payload;
|
||||
woody->Phdr[i].p_filesz += payload->len;
|
||||
woody->Phdr[i].p_memsz += payload->len;
|
||||
|
||||
printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue