generate payload from file

This commit is contained in:
pbonilla 2024-03-21 15:44:29 +01:00
parent 2c4bdfeeec
commit fa004f3a6a
4 changed files with 54 additions and 63 deletions


@ -14,9 +14,14 @@
#include <elf.h>
#include <stdint.h>
#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
#define JUMP "\xe9"
typedef struct payload
{
char *payload;
size_t len;
} t_payload;
typedef struct efl_content
{
long unsigned int file_size;

print.s

@ -1,52 +1,27 @@
; bits 64
; default rel
; global _start
; _start:
; push rax
; push rdi
; push rsi
; push rdx
; push rbx
; xor eax, eax
; cdq
; mov dl, 10
; inc eax
; mov edi, eax
; lea rsi, [rel msg]
; syscall
; pop rbx
; pop rdx
; pop rsi
; pop rdi
; pop rax
; jmp 0x00000000
; msg db "..WOODY..",10
bits 64
default rel
global _start
_start:
push rax
push rdi
push rsi
push rdx
push rbx
push rax
push rdi
push rsi
push rdx
mov rdi, 1
mov rdi, 1
mov rdi, 1
mov rdi, 1
mov rdi, 1
mov rdi, 1
mov rdi, 1
lea rsi, [rel msg]
mov rdx, 10
mov rax, 1
syscall
pop rbx
pop rdx
pop rdx
pop rsi
pop rdi
pop rax
jmp 0x00000000
msg db "..WOODY..",10
msg db "..WOODY..",10
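Review bot: The `jmp 0x00000000` near the end of the new listing is a placeholder whose rel32 is patched later by insert_payload, which finds it by scanning the assembled bytes for the first `\xe9`; nothing in this file records that coupling, so a comment such as `; rel32 is rewritten by insert_payload - this must remain the first 0xe9 byte in the assembled output` on that line would keep a later edit from silently breaking the patch. The push/pop pairs preserve rax, rdi, rsi, rdx and rbx, but the `syscall` instruction also overwrites rcx and r11, which are not restored before the jump to the original entry. As rendered, several lines in this section appear duplicated (for example the repeated `mov rdi, 1`), so the exact new-side listing could not be recovered here and the above is based on the visible sequence.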


@ -19,7 +19,7 @@ int get_elf_file(t_efl_content *woody)
return EXIT_FAILURE;
}
woody->file_size = off;
woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0);
if (woody->file == MAP_FAILED)
{
close(fd);
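Review bot: The new mmap call maps the input file `PROT_READ | PROT_WRITE | PROT_EXEC`, yet nothing in this hunk executes from the mapping — it is patched as data and written back — so the executable permission only widens what a malformed input file can do inside the packer's own address space. If the flag was added for a debugging experiment, revert it: `woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);`. get_elf_file begins and ends outside this hunk, so whether a later step relies on executing the mapped bytes cannot be confirmed from here; if one does, that step should be documented next to the mmap.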


@ -59,10 +59,10 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse
}
}
size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment)
size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload)
{
const unsigned int page_size = 4096;// getpagesize(); not authorized
unsigned int padding_size = ((sizeof(PAYLOAD) / page_size) + 1) * page_size;
const unsigned int page_size = 4096; // getpagesize(); not authorized
unsigned int padding_size = ((payload->len / page_size) + 1) * page_size;
unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz;
offset_sections(woody, codecave_start, padding_size);
char *new_woody = malloc(woody->file_size + padding_size);
@ -80,24 +80,34 @@ size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment)
return codecave_start;
}
int insert_payload(t_efl_content *woody, size_t payload_position)
t_payload *get_payload()
{
char payload[] = PAYLOAD;
size_t len_payload = sizeof(PAYLOAD) - 1;
char *ptr = ft_strnstr_nullterminated(payload, JUMP, len_payload);
t_payload *payload = malloc(sizeof(t_payload));
if (!payload)
return NULL;
char buffer[1024];
int fd = open("payload", O_RDONLY);
payload->len = read(fd, buffer, 1024);
payload->payload = malloc(sizeof(char) * payload->len);
ft_memcpy(payload->payload, buffer, payload->len);
return payload;
}
int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position)
{
char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
if (ptr)
{
int32_t jmp_index = ptr - payload;
int32_t jump_value = ((payload_position + len_payload) - woody->Ehdr->e_entry) * -1;
ft_memcpy(&payload[jmp_index + 1], &jump_value, sizeof(jump_value));
ft_memcpy(woody->file + payload_position, payload, len_payload);
int32_t jmp_index = ptr - payload->payload;
int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
printf("Code_cave_start = %ld (%lx)\n", payload_position, payload_position);
printf("Payload size = %ld (%lx)\n", len_payload, len_payload);
printf("Backward offset = %d (%x)\n", jump_value, jump_value);
printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
printf("Backwar d offset = %d (%x)\n", jump_value, jump_value);
return EXIT_SUCCESS;
}
@ -106,29 +116,30 @@ int insert_payload(t_efl_content *woody, size_t payload_position)
void inject(t_efl_content *woody)
{
size_t len_payload = sizeof(PAYLOAD) - 1;
t_payload *payload = get_payload();
int i = get_load_segment(woody, 0, true);
int j = get_load_segment(woody, i + 1, false);
size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
size_t payload_position;
printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset);
printf("load size = : %ld (%lx)\n", woody->Phdr[i].p_filesz, woody->Phdr[i].p_filesz);
if (code_cave_size > len_payload)
if (code_cave_size > payload->len) // inverse here to test the other technique
{
payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size);
}
else
{
payload_position = create_codecave(woody, &woody->Phdr[i]);
payload_position = create_codecave(woody, &woody->Phdr[i], payload);
}
insert_payload(woody, payload_position);
insert_payload(woody, payload, payload_position);
woody->Ehdr->e_entry = payload_position;
woody->Phdr[i].p_filesz += len_payload;
woody->Phdr[i].p_memsz += len_payload;
woody->Phdr[i].p_filesz += payload->len;
woody->Phdr[i].p_memsz += payload->len;
printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
}
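Review bot: get_payload never checks the result of `open("payload", O_RDONLY)` or of `read`, so a missing or unreadable file turns read's -1 into `payload->len == (size_t)-1`, the malloc on the next line is asked for that size, and the descriptor is never closed on any path; the rewrite below checks both, closes the fd and releases the struct on failure. The fixed 1024-byte buffer also silently truncates a larger payload file and a short read is taken as the whole payload, so the limit should at least be stated in a comment or the file read to EOF. inject in the last hunk dereferences the pointer returned by get_payload without a NULL check and never frees it. The new printf string `"Backwar d offset = %d (%x)\n"` in insert_payload introduces a typo the old line did not have. `t_payload *get_payload(void)` is the prototype form for a parameterless function in C.
```c
t_payload *get_payload(void)
{
	t_payload *payload = malloc(sizeof *payload);
	if (!payload)
		return NULL;
	int fd = open("payload", O_RDONLY);
	if (fd < 0)
	{
		free(payload);
		return NULL;
	}
	char buffer[1024]; /* payload files larger than this are not supported */
	ssize_t n = read(fd, buffer, sizeof buffer);
	close(fd);
	if (n <= 0)
	{
		free(payload);
		return NULL;
	}
	payload->len = (size_t)n;
	payload->payload = malloc(payload->len);
	if (!payload->payload)
	{
		free(payload);
		return NULL;
	}
	ft_memcpy(payload->payload, buffer, payload->len);
	return payload;
}
```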