Updated helpers and added resources to help with lib injection

2025-12-25 10:53:09 +08:00 · 2022-03-24 15:40:05 -04:00
parent 9dff5e71dc
commit 8f28c3a883
18 changed files with 12112 additions and 10036 deletions
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -1,172 +1,256 @@
-disass main
-checksec bof
-checksec 
-quit
-disass test_time_values_injection 
-disass test_time_values_injection+74 
-b test_time_values_injection+74 
-b test_time_values_injection + 74 
-b *(test_time_values_injection + 74) 
-r
-si
-si
-si
-si
 q
-b timerfd_settime
+find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
+b *(test_time_values_injection+77 )
 r
-context
-q
-disass test_time_values_injection 
-b *(test_time_values_injection +74)
-r
-si
-si
-q
-b test_time_values_injection +74
-b (test_time_values_injection +74)
-b *(test_time_values_injection +74)
-r
-si
-display/i $pc
-si
-si
-si
-q
-disass test_time_values_injection 
-b *(test_time_values_injection +116)
-r
-si
-si
-q
-b *(test_time_values_injection +116)
-r
-si
-d/i 0x405130
-d/i2 0x405130
-display/i2 0x405130
-display/i 0x405130
-display/i4 0x405130
-display/2i 0x405130
-display/10i 0x405130
-disassemble /r 0x405130
-disassemble /r 0x6095d8f7ff7f
-disassemble /r 0x6095d8f7ff7f00
-disassemble /r 0x6095d8f7ff7f0000
-disassemble /r 0x6095d8f7ff7f00007612
-disassemble /r 0x6095d8f7ff7f000076
-disassemble /r 0x6095d8f7ff7f0000
-disassemble /r 0x00007ffff7d89560
-d/10i 0x00007ffff7d89560
-context
-disassemble /r 0x405130
-d/10i 0x7ffff7d89560
-disassemble 0x7ffff7d89560
-disassemble /r 0x7ffff7d89560
-disassemble timerfd_settime
-disassemble __libc_start_main 
-q
-disass test_time_values_injection 
-b *(test_time_values_injection+74)
-r
-si
-ni
-si
-disass timerfd_settime
-b 0x00007ffff7d89560
 b __timerfd_settime 
+c
+find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
+x/128i 0x402e95
+x/128x 0x402e95
+x/128x 0x402e90
+x/128i 0x402e90
+x/128i 0x402e89
+x/10i 0x402e89
+x/10i 0x402e90
+x/10i 0x402e80
+x/128i 0x402e89
+x/256i 0x402e89
+x/256i 0x402e90
+find 0x90909090909090909090909090909090 0x401000 0x403000
+context
+x/10i 401520
+x/10i 0x401520
+x/10i 0x401260
+x/10i 0x401250
+q
+r
+disass /r 0x405130
+x/10i 0x401520
+q
+b *(test_time_values_injection+77 )
+disass /r test_time_values_injection
+b *(test_time_values_injection+169)
+r
+b __timerfd_settime 
+c
+x/10i 0x401250
+x/10i 0x401260
+x/10i 0x405130
+x/10 0x405130
+x/10x 0x405130
+c
+x/10x 0x405130
+x/10i 0x405130
+c
+x/10i 0x405130
+si
+c
+r
+q
+r
+b *0x4013a8
 r
 r
 r
+b test_time_values_injection 
 r
+s
+q
+b test_time_values_injection 
 r
+b 0x4013a8
+b *0x4013a8
+b *0x4013a4
 r
+q
+b *0x4013a8
 r
+b test_time_values_injection 
 r
+n
+q
+b test_time_values_injection 
 r
+n
+ni
 del 1
+del 2
+r
+b test_time_values_injection 
 r
 q
-b __timerfd_settime 
-b timerfd_S
-b timerfd_settime
 r
 q
-b timerfd_settime
-r
-si
-ni
-disass timerfd_settime
-disass /r timerfd_settime
-q
-b timerfd_settime
-r
-si
-ni
-disass /r timerfd_settime
-r
-si
-ni
-q
-b timerfd_settime
-r
-si
-ni
-stack 200
-q
-b timerfd_settime
-r
-si
-ni
-d/10i 0x7ffff7d89560
-d/i 0x7ffff7d89560
-disassemble 0x7ffff7d89560
-stack 30ç
-d/6x 7fffffffdcc8
-d/x 7fffffffdcc8
-p/x 7fffffffdcc8
-p/x 0x7fffffffdcc8
-d/x 0x7fffffffdcc8
-d/3x 0x7fffffffdcc8
-d/3x *0x7fffffffdcc8
-x/3x 0x7fffffffdcc8
-x/5i 0x7fffffffdcc8
-x/5x 0x7fffffffdcc8
-x/20x 0x7fffffffdcc8
-stack 
-p __libc_start_main 
-x/x __libc_start_main 
-stack 
-context
-context_code
-x/x __libc_start_main 
-q
-b timerfd_settime
-r
-si
-ni
-x/x __libc_start_main 
-x/x __libc_dlopen_mode
-rop
-ropsearch 0f 
-ropsearch "0f"  
-ropsearch "0f"  libc
-ropsearch "pop %rax" libc
-ropsearch "pop %rax" 
-ropsearch "pop %rax" 
-ropsearch "pop rax" 
-ropsearch "pop rax" libc
-ropsearch "pop eax" libc
-ropgadget 
-ropgadget libc
-help ropgadget
-help ropsearch
-ropsearch "pop eax" libc
-q
-disass main
-l test_time_values_injection 
 disass test_time_values_injection 
-b *(test_time_values_injection + 74)
+q
 r
+q
+si
+b test_time_values_injection 
+r
+b __timerfd_settime 
+r
+c
+del 1
+x/10i 0x405130
+c
+r
+b test
+q
+b test_time_values_injection 
+r
+n
+ni
+si
+ni
+si
 si
 q
+b test_time_values_injection 
+r
+x/10x 0x402e95
+x/10x 0x405130
+checksecq
+q
+checksecq
+checksec
+q
+checksec
+q
+q
+q
+q
+x/10x 0x402e95
+b test_time_values_injection 
+r
+x/10x 0x402e95
+x/10x 0x405130
+b __timerfd_settime 
+c
+x/10x 0x405130
+c
+x/10x 0x405130
+q
+b test_time_values_injection 
+r
+b __timerfd_settime 
+c
+si
+x/10x 0x405130
+disass test_time_values_injection 
+b *(test_time_values_injection+169 )
+c
+si
+x/10x 0x402e95
+q
+b test_time_values_injection 
+r
+b __timerfd_settime 
+c
+x/10x 0x402e95
+x/10x 0x405130
+si
+x/10x 0x405130
+b *(test_time_values_injection+169 )
+c
+si
+set *(int64_t *)0x402e95 0x10
+set *(int64_t *)0x402e95 = 0x10
+x/10x 0x405130
+x/10x 0x402e95
+set *(int64_t *)0x402e95 = 0x102131415161718191
+set *(int64_t *)0x7ffff7d89560 = 
+x/10x 0x402e95
+x/10i 0x402e95
+x/10b 0x402e95
+set *(int64_t *)0x402e95 = 0x50
+x/10b 0x402e95
+x/10i 0x402e95
+x/10i 0x7ffff7d89560
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F0000
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F00
+x/10i 0x402e95
+x/10b 0x402e95
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+x/10i 0x402e95
+disass /r 0x402e95
+disass 0x402e95
+disass /r *0x402e95
+x/10i 0x402e95
+x/10x 0x405130
+x/10i 0x405130
+x/10i 0x401260
+x/10b 0x401260
+x/10i 0x402e95
+x/10b 0x401260
+x/10i 0x402e95
+x/10b 0x402e95
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+set *(int64_t *)0x402e9d = 0xffe0
+x/10b 0x402e95
+context
+si
+x/10i 0x402e95
+si
+q
+b test_time_values_injection 
+r
+b *(test_time_values_injection+169)
+r
+c
+x/10i 0x402e95
+x/10b 0x401260
+x/10x 0x405130
+si
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+x/10i 0x402e95
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+set *(int64_t *)0x402e9d = 0x0000ffe0
+x/10b 0x402e95
+set 0x402e9d = 0xffe000000
+x/10b 0x402e95
+x/12b 0x402e95
+x/10i 0x402e95
+set 0x402e95 = 0x48B86095D8F7FF7F0000
+set 0x402e95 = 0x48B86095D8F7FF7F
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+x/14b 0x402e95
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0x0000ffe0
+x/20b 0x402e95
+x/20i 0x402e95
+x/20b 0x402e95
+x/10i 0x401230
+disass /r test_time_values_injection 
+x/10i 0x4013a0
+x/10b 0x4013a0
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0xffe000000
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0xffe00000
+x/20b 0x402e95
+x/10i 0x4013a0
+x/20i 0x402e95
+x/20b 0x402e95
+set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
+x/20b 0x402e95
+x/20i 0x402e95
+set *(int64_t *)0x402e9d = 0xe0ff00000
+x/20i 0x402e95
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0xe0ff0000
+x/20i 0x402e95
+set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
+x/20i 0x402e95
+context
+si
+si
+si
+si
+si
+c
+q
--- a/src/helpers/Makefile
+++ b/src/helpers/Makefile
@@ -12,7 +12,7 @@ execve_hijack.o: execve_hijack.c $(HEADERS)
 	clang -g -c execve_hijack.c

 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	clang -lm -g -fno-plt -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
+	clang -lm -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a

 clean:
 	-rm -f execve_hijack.o
--- a/src/helpers/execve_hijack
+++ b/src/helpers/execve_hijack
--- a/src/helpers/execve_hijack.c
+++ b/src/helpers/execve_hijack.c
@@ -24,8 +24,8 @@

 int test_time_values_injection(){

-    struct itimerspec new_value;
-    int max_exp, fd;
+    struct itimerspec new_value, new_value2;
+    int max_exp, fd, fd2;
    struct timespec now;
    uint64_t exp, tot_exp;
    ssize_t s;
@@ -40,6 +40,16 @@ int test_time_values_injection(){

    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1)
        return -1;
+
+    fd2 = timerfd_create(CLOCK_REALTIME, 0);
+    if (fd2 == -1)
+        return -1;
+
+    new_value2.it_interval.tv_sec = 30;
+    new_value2.it_interval.tv_nsec = 0;
+
+    if (timerfd_settime(fd2, TFD_TIMER_ABSTIME, &new_value2, NULL) == -1)
+        return -1;
    
        
    printf("Timer %i started, address sent %llx\n", fd, (__u64)&new_value);
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/helpers/injection_lib.c
+++ b/src/helpers/injection_lib.c
@@ -1,7 +1,10 @@
 #include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>

 __attribute__((constructor))
 static void init()
 {
-    puts("It worked\n");
+    printf("It worked\n");
+    syslog(LOG_CRIT, "Library called\n");
 }
--- a/src/helpers/injection_lib.o
+++ b/src/helpers/injection_lib.o
--- a/src/helpers/injection_lib.so
+++ b/src/helpers/injection_lib.so
--- a/src/helpers/peda-session-execve_hijack.txt
+++ b/src/helpers/peda-session-execve_hijack.txt
@@ -1,3 +1,4 @@
-break timerfd_settime
-break timerfd_settime
+break test_time_values_injection
+break __dlopen
+break *(test_time_values_injection+169)

--- a/src/helpers/peda-session-sudo.txt
+++ b/src/helpers/peda-session-sudo.txt
@@ -0,0 +1,5 @@
+break test_time_values_injection
+disable $bpnum
+break *(test_time_values_injection+169)
+disable $bpnum
+