static int
getentropy_fallback(void *buf, size_t len)
{
uint8_t results[SHA512_DIGEST_LENGTH];
int save_errno = errno, e, pgs = getpagesize(), faster = 0, repeat;
static int cnt;
struct timespec ts;
struct timeval tv;
double loadavg[3];
struct rusage ru;
sigset_t sigset;
struct stat st;
SHA512_CTX ctx;
static pid_t lastpid;
pid_t pid;
size_t i, ii, m;
char *p;
pid = getpid();
if (lastpid == pid) {
faster = 1;
repeat = 2;
} else {
faster = 0;
lastpid = pid;
repeat = REPEAT;
}
for (i = 0; i < len; ) {
int j;
SHA512_Init(&ctx);
for (j = 0; j < repeat; j++) {
HX((e = gettimeofday(&tv, NULL)) == -1, tv);
if (e != -1) {
cnt += (int)tv.tv_sec;
cnt += (int)tv.tv_usec;
}
dl_iterate_phdr(getentropy_phdr, &ctx);
for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
HX(clock_gettime(cl[ii], &ts) == -1, ts);
HX((pid = getpid()) == -1, pid);
HX((pid = getsid(pid)) == -1, pid);
HX((pid = getppid()) == -1, pid);
HX((pid = getpgid(0)) == -1, pid);
HX((e = getpriority(0, 0)) == -1, e);
HX((getloadavg(loadavg, 3) == -1), loadavg);
if (!faster) {
ts.tv_sec = 0;
ts.tv_nsec = 1;
(void) nanosleep(&ts, NULL);
}
HX(sigpending(&sigset) == -1, sigset);
HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
sigset);
HF(getentropy); /* an addr in this library */
HF(printf); /* an addr in libc */
p = (char *)&p;
HD(p); /* an addr on stack */
p = (char *)&errno;
HD(p); /* the addr of errno */
if (i == 0) {
struct sockaddr_storage ss;
struct statvfs stvfs;
struct termios tios;
socklen_t ssl;
off_t off;
/*
* Prime-sized mappings encourage fragmentation;
* thus exposing some address entropy.
*/
struct mm {
size_t npg;
void *p;
} mm[] = {
{ 17, MAP_FAILED }, { 3, MAP_FAILED },
{ 11, MAP_FAILED }, { 2, MAP_FAILED },
{ 5, MAP_FAILED }, { 3, MAP_FAILED },
{ 7, MAP_FAILED }, { 1, MAP_FAILED },
{ 57, MAP_FAILED }, { 3, MAP_FAILED },
{ 131, MAP_FAILED }, { 1, MAP_FAILED },
};
for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
HX(mm[m].p = mmap(NULL,
mm[m].npg * pgs,
PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANON, -1,
(off_t)0), mm[m].p);
if (mm[m].p != MAP_FAILED) {
size_t mo;
/* Touch some memory... */
p = mm[m].p;
mo = cnt %
(mm[m].npg * pgs - 1);
p[mo] = 1;
cnt += (int)((long)(mm[m].p)
/ pgs);
}
/* Check cnts and times... */
for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]);
ii++) {
HX((e = clock_gettime(cl[ii],
&ts)) == -1, ts);
if (e != -1)
cnt += (int)ts.tv_nsec;
}
HX((e = getrusage(RUSAGE_SELF,
&ru)) == -1, ru);
if (e != -1) {
cnt += (int)ru.ru_utime.tv_sec;
cnt += (int)ru.ru_utime.tv_usec;
}
}
for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
if (mm[m].p != MAP_FAILED)
munmap(mm[m].p, mm[m].npg * pgs);
mm[m].p = MAP_FAILED;
}
HX(stat(".", &st) == -1, st);
HX(statvfs(".", &stvfs) == -1, stvfs);
HX(stat("/", &st) == -1, st);
HX(statvfs("/", &stvfs) == -1, stvfs);
HX((e = fstat(0, &st)) == -1, st);
if (e == -1) {
if (S_ISREG(st.st_mode) ||
S_ISFIFO(st.st_mode) ||
S_ISSOCK(st.st_mode)) {
HX(fstatvfs(0, &stvfs) == -1,
stvfs);
HX((off = lseek(0, (off_t)0,
SEEK_CUR)) < 0, off);
}
if (S_ISCHR(st.st_mode)) {
HX(tcgetattr(0, &tios) == -1,
tios);
} else if (S_ISSOCK(st.st_mode)) {
memset(&ss, 0, sizeof ss);
ssl = sizeof(ss);
HX(getpeername(0,
(void *)&ss, &ssl) == -1,
ss);
}
}
HX((e = getrusage(RUSAGE_CHILDREN,
&ru)) == -1, ru);
if (e != -1) {
cnt += (int)ru.ru_utime.tv_sec;
cnt += (int)ru.ru_utime.tv_usec;
}
} else {
/* Subsequent hashes absorb previous result */
HD(results);
}
HX((e = gettimeofday(&tv, NULL)) == -1, tv);
if (e != -1) {
cnt += (int)tv.tv_sec;
cnt += (int)tv.tv_usec;
}
HD(cnt);
}
SHA512_Final(results, &ctx);
memcpy((char *)buf + i, results, min(sizeof(results), len - i));
i += min(sizeof(results), len - i);
}
explicit_bzero(&ctx, sizeof ctx);
explicit_bzero(results, sizeof results);
if (gotdata(buf, len) == 0) {
errno = save_errno;
return 0; /* satisfied */
}
errno = EIO;
return -1;
}
int main(void)
{
int choice;
char buf[15] = { 0 };
struct sigaction sa;
struct addr_info info = { 0 };
memset(&sa, 0, sizeof(sa));
sa.sa_handler = timer_handler;
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
if (sigaction(SIGALRM, &sa, NULL) == -1) {
perror("sigaction()");
exit(EXIT_FAILURE);
}
alarm(60);
setbuf(stdin, NULL);
setbuf(stdout, NULL);
setbuf(stderr, NULL);
dl_iterate_phdr(callback, &info);
for (;;) {
printf("ROP helper 13.37\n");
printf("1. print libc address\n");
printf("2. print function address\n");
printf("3. insert ROP chain\n");
printf("4. search for string\n");
printf("5. quit\n");
printf("Choice: ");
if (!fgets(buf, sizeof(buf), stdin))
break;
choice = atoi(buf);
switch (choice) {
case 1:
printf("[+] libc start address: %p\n", info.base);
break;
case 2:
print_func_addr();
break;
case 3:
insert_rop();
break;
case 4:
search_string(info.base, info.size);
break;
case 5:
printf("Bye!\n");
goto out;
default:
printf("Invalid option!\n");
}
printf("\n");
}
out:
return 0;
}
void addOSComponentsToSoMap(BSONObjBuilder* soMap) {
BSONArrayBuilder soList(soMap->subarrayStart("somap"));
dl_iterate_phdr(outputSOInfo, &soList);
soList.done();
}
char *
lookup_symbol (char *buf, int buflen, const void *ptr)
{
struct file_match match;
#if HAVE_BFD
struct symtab symtab;
struct symbol symbol;
#endif
struct symbol_cache_entry *cache;
int bucket;
int len;
bucket = (unsigned long) ptr % (sizeof (symbol_cache_hash) / sizeof (symbol_cache_hash[0]));
pthread_mutex_lock (&symbol_cache_mutex);
for (cache = symbol_cache_hash[bucket];
cache != NULL;
cache = cache->hash_next)
{
if (cache->ptr == ptr) {
if (cache->hash_prev != NULL) {
cache->hash_prev->hash_next = cache->hash_next;
if (cache->hash_next != NULL)
cache->hash_next->hash_prev = cache->hash_prev;
cache->hash_prev = NULL;
cache->hash_next = symbol_cache_hash[bucket];
symbol_cache_hash[bucket]->hash_prev = cache;
symbol_cache_hash[bucket] = cache;
}
pthread_mutex_unlock (&symbol_cache_mutex);
return cache->name;
}
}
pthread_mutex_unlock (&symbol_cache_mutex);
match.file = NULL;
match.address = (ElfW(Addr)) ptr;
dl_iterate_phdr (find_matching_file, &match);
snprintf (buf, buflen, "0x%llx",
(long long unsigned int) match.address);
if (match.file == NULL || *match.file == '\0')
match.file = "/proc/self/exe";
#if HAVE_BFD
if (_symtab_init (&symtab, match.file)) {
_symbol_init (&symbol, &symtab, match.address - match.base);
bfd_map_over_sections (symtab.bfd, find_address_in_section, &symbol);
if (symbol.found)
_symbol_print (&symbol, buf, buflen, match.file);
_symbol_fini (&symbol);
_symtab_fini (&symtab);
}
#endif
len = strlen (buf);
cache = malloc (sizeof (struct symbol_cache_entry) + len + 1);
if (cache != NULL) {
cache->ptr = ptr;
memcpy (cache->name, buf, len + 1);
pthread_mutex_lock (&symbol_cache_mutex);
cache->hash_prev = NULL;
cache->hash_next = symbol_cache_hash[bucket];
if (symbol_cache_hash[bucket] != NULL)
symbol_cache_hash[bucket]->hash_prev = cache;
symbol_cache_hash[bucket] = cache;
pthread_mutex_unlock (&symbol_cache_mutex);
}
return buf;
}
void
_env_dump_libs_init()
{
/* Show what we are currently linking against */
dl_iterate_phdr(ldd_callback, NULL);
}
HIDDEN int
tdep_find_proc_info (unw_addr_space_t as, unw_word_t ip,
unw_proc_info_t *pi, int need_unwind_info, void *arg)
{
# if defined(HAVE_DL_ITERATE_PHDR)
unw_dyn_info_t di, *dip = &di;
intrmask_t saved_mask;
int ret;
di.u.ti.segbase = ip; /* this is cheap... */
SIGPROCMASK (SIG_SETMASK, &unwi_full_mask, &saved_mask);
ret = dl_iterate_phdr (callback, &di);
SIGPROCMASK (SIG_SETMASK, &saved_mask, NULL);
if (ret <= 0)
{
if (!kernel_table.u.ti.table_data)
{
if ((ret = get_kernel_table (&kernel_table)) < 0)
return ret;
}
if (ip < kernel_table.start_ip || ip >= kernel_table.end_ip)
return -UNW_ENOINFO;
dip = &kernel_table;
}
# elif defined(HAVE_DLMODINFO)
# define UNWIND_TBL_32BIT 0x8000000000000000
struct load_module_desc lmd;
unw_dyn_info_t di, *dip = &di;
struct unwind_header
{
uint64_t header_version;
uint64_t start_offset;
uint64_t end_offset;
}
*uhdr;
if (!dlmodinfo (ip, &lmd, sizeof (lmd), NULL, 0, 0))
return -UNW_ENOINFO;
di.format = UNW_INFO_FORMAT_TABLE;
di.start_ip = lmd.text_base;
di.end_ip = lmd.text_base + lmd.text_size;
di.gp = lmd.linkage_ptr;
di.u.ti.name_ptr = 0; /* no obvious table-name available */
di.u.ti.segbase = lmd.text_base;
uhdr = (struct unwind_header *) lmd.unwind_base;
if ((uhdr->header_version & ~UNWIND_TBL_32BIT) != 1
&& (uhdr->header_version & ~UNWIND_TBL_32BIT) != 2)
{
Debug (1, "encountered unknown unwind header version %ld\n",
(long) (uhdr->header_version & ~UNWIND_TBL_32BIT));
return -UNW_EBADVERSION;
}
if (uhdr->header_version & UNWIND_TBL_32BIT)
{
Debug (1, "32-bit unwind tables are not supported yet\n");
return -UNW_EINVAL;
}
di.u.ti.table_data = (unw_word_t *) (di.u.ti.segbase + uhdr->start_offset);
di.u.ti.table_len = ((uhdr->end_offset - uhdr->start_offset)
/ sizeof (unw_word_t));
Debug (16, "found table `%s': segbase=%lx, len=%lu, gp=%lx, "
"table_data=%p\n", (char *) di.u.ti.name_ptr, di.u.ti.segbase,
di.u.ti.table_len, di.gp, di.u.ti.table_data);
# endif
/* now search the table: */
return tdep_search_unwind_table (as, ip, dip, pi, need_unwind_info, arg);
}
void
trap_init(const char *ver)
{
int r;
uint8_t digest[20];
struct sigaction sa, old;
char path[256];
SHA_CTX binsum;
int fd;
r = readlink("/proc/self/exe", self, sizeof(self) - 1);
if(r == -1)
self[0] = 0;
else
self[r] = 0;
memset(digest, 0, sizeof(digest));
if((fd = open("/proc/self/exe", O_RDONLY)) != -1) {
struct stat st;
if(!fstat(fd, &st)) {
char *m = malloc(st.st_size);
if(m != NULL) {
if(read(fd, m, st.st_size) == st.st_size) {
SHA1_Init(&binsum);
SHA1_Update(&binsum, (void *)m, st.st_size);
SHA1_Final(digest, &binsum);
}
free(m);
}
}
close(fd);
}
snprintf(line1, sizeof(line1),
"PRG: %s (%s) "
"[%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x] "
"CWD: %s ", ver, tvheadend_version,
digest[0],
digest[1],
digest[2],
digest[3],
digest[4],
digest[5],
digest[6],
digest[7],
digest[8],
digest[9],
digest[10],
digest[11],
digest[12],
digest[13],
digest[14],
digest[15],
digest[16],
digest[17],
digest[18],
digest[19],
getcwd(path, sizeof(path)));
memcpy(tvh_binshasum, digest, 20);
dl_iterate_phdr(callback, NULL);
memset(&sa, 0, sizeof(sa));
sigset_t m;
sigemptyset(&m);
sigaddset(&m, SIGSEGV);
sigaddset(&m, SIGBUS);
sigaddset(&m, SIGILL);
sigaddset(&m, SIGABRT);
sigaddset(&m, SIGFPE);
sa.sa_sigaction = traphandler;
sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
sigaction(SIGSEGV, &sa, &old);
sigaction(SIGBUS, &sa, &old);
sigaction(SIGILL, &sa, &old);
sigaction(SIGABRT, &sa, &old);
sigaction(SIGFPE, &sa, &old);
sigprocmask(SIG_UNBLOCK, &m, NULL);
}
void
trap_init(void)
{
uint8_t digest[20];
struct sigaction sa, old;
char path[256];
int r;
memset(digest, 0, sizeof(digest));
r = readlink("/proc/self/exe", self, sizeof(self) - 1);
if(r == -1)
self[0] = 0;
else
self[r] = 0;
snprintf(line1, sizeof(line1),
"PRG: Showtime (%s) "
"[%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x] "
"EXE: %s, CWD: %s ", htsversion_full,
digest[0],
digest[1],
digest[2],
digest[3],
digest[4],
digest[5],
digest[6],
digest[7],
digest[8],
digest[9],
digest[10],
digest[11],
digest[12],
digest[13],
digest[14],
digest[15],
digest[16],
digest[17],
digest[18],
digest[19],
self, getcwd(path, sizeof(path)));
dl_iterate_phdr(callback, NULL);
memset(&sa, 0, sizeof(sa));
sigset_t m;
sigemptyset(&m);
sigaddset(&m, SIGSEGV);
sigaddset(&m, SIGBUS);
sigaddset(&m, SIGILL);
sigaddset(&m, SIGABRT);
sigaddset(&m, SIGFPE);
sa.sa_sigaction = traphandler;
sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
sigaction(SIGSEGV, &sa, &old);
sigaction(SIGBUS, &sa, &old);
sigaction(SIGILL, &sa, &old);
sigaction(SIGABRT, &sa, &old);
sigaction(SIGFPE, &sa, &old);
sigprocmask(SIG_UNBLOCK, &m, NULL);
}
VirtualMemoryData::VirtualMemoryData() {
array_size = 0;
dl_iterate_phdr(callback, this);
}
