Merge pull request #26 from h3xduck/injection

Library injection + sudo bypass + initial version of C2

resources/.gdb_history

@@ -0,0 +1,91 @@
+q
+disass main
+b main
+r
+q
+b * 0x0000000000001189
+r
+si
+q
+b main
+del 1
+b 0x0000000000001189
+b *0x0000000000001189
+r
+q
+b main
+r
+disass main
+b __init
+q
+starti
+si
+disass main
+q
+starti
+q
+b main
+r
+x/16x *(rbp)
+x/16x *(rbp-0x14)
+d *(rbp-0x14)
+d ç(rbp-0x14)
+p (rbp-0x14)
+p ($rbp-0x14)
+p/d ($rbp-0x14)
+p/x ($rbp-0x14)
+p ($rbp-0x14)
+x/2b ($rbp-0x14)
+x/2b ($rbp-0x20)
+x/8b ($rbp-0x20)
+x/10b ($rbp-0x20)
+x/12b ($rbp-0x20)
+x/20b ($rbp-0x20)
+x/22b ($rbp-0x20)
+x/26b ($rbp-0x20)
+x/28b ($rbp-0x20)
+x/12b ($rbp-0x20)
+x/14b ($rbp-0x20)
+si
+x/10i $rax
+x/10i 0x555555555070
+x/20i 0x555555555070
+x/30i 0x555555555070
+si
+q
+starti
+b main
+c
+si
+b __dlopen
+c
+q
+b main
+r
+si
+ni
+si
+ni
+c
+q
+b main
+r
+si
+ni
+si
+ni
+q
+b main
+r
+si
+find dlopen
+q
+b main
+r
+si
+ni
+q
+b main
+r
+si
+q

resources/example_dlopen.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <dlfcn.h>
+
+int main(int argc, char* argv[]){
+    
+    void *handle = dlopen("/home/osboxes/TFG/src/helpers/injection_lib.so", RTLD_LAZY);
+    
+    if(handle==NULL){
+        perror(dlerror());
+    }
+
+    return 0;
+}

resources/libinjection_shellcode.asm

@@ -0,0 +1,13 @@
+<nop>
+push rax # 50
+push rdx # 52
+push rsi # 56
+push rdi # 57
+mov rax, <dlopen> # 48b8 <addr little endian> --> gdb: set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
+jmp rax # ffe0  --> gdb: set *(int64_t *)0x402e9d = 0xe0ff0000
+
+pop rdi 
+pop rsi
+pop rdx
+pop rax
+ret

resources/peda-session-example_dlopen.txt

@@ -0,0 +1,2 @@
+break main
+