int main ()
{
#ifdef usestubs
  set_debug_traps();
  breakpoint();
#endif

  malloc_stub ();

  /* Initialize ascii_string.  */
  init_string (ascii_string,
               120,
               7, 8, 12,
               10, 13, 9,
               11, 120, 17);
  fill_run (ascii_string, 7, 26, 65);
  fill_run (ascii_string, 33, 26, 97);
  fill_run (ascii_string, 59, 10, 48);

  /* Initialize iso_8859_1_string.  */
  init_string (iso_8859_1_string,
               120,
               7, 8, 12,
               10, 13, 9,
               11, 162, 17);
  fill_run (iso_8859_1_string, 7, 26, 65);
  fill_run (iso_8859_1_string, 33, 26, 97);
  fill_run (iso_8859_1_string, 59, 10, 48);

  /* Initialize ebcdic_us_string.  */
  init_string (ebcdic_us_string,
               167,
               47, 22, 12,
               37, 13, 5,
               11, 74, 17);
  /* In EBCDIC, the upper-case letters are broken into three separate runs.  */
  fill_run (ebcdic_us_string, 7, 9, 193);
  fill_run (ebcdic_us_string, 16, 9, 209);
  fill_run (ebcdic_us_string, 25, 8, 226);
  /* The lower-case letters are, too.  */
  fill_run (ebcdic_us_string, 33, 9, 129);
  fill_run (ebcdic_us_string, 42, 9, 145);
  fill_run (ebcdic_us_string, 51, 8, 162);
  /* The digits, at least, are contiguous.  */
  fill_run (ebcdic_us_string, 59, 10, 240);

  /* Initialize ibm1047_string.  */
  init_string (ibm1047_string,
               167,
               47, 22, 12,
               37, 13, 5,
               11, 74, 17);
  /* In EBCDIC, the upper-case letters are broken into three separate runs.  */
  fill_run (ibm1047_string, 7, 9, 193);
  fill_run (ibm1047_string, 16, 9, 209);
  fill_run (ibm1047_string, 25, 8, 226);
  /* The lower-case letters are, too.  */
  fill_run (ibm1047_string, 33, 9, 129);
  fill_run (ibm1047_string, 42, 9, 145);
  fill_run (ibm1047_string, 51, 8, 162);
  /* The digits, at least, are contiguous.  */
  fill_run (ibm1047_string, 59, 10, 240);

  init_utf32 ();

  myvar = utf_32_string[7];

  return 0;            /* all strings initialized */
}
Ejemplo n.º 2
0
void gain_code_exec(pid_t remote_pid) {
   malloc_stub();

   ptrace_detach(remote_pid);
   exit(1);
 
   int status;

   // Find remote function adresses for malloc, free, __libc_dlopen_mode
   unsigned long remote_malloc_addr = find_remote_function("libc", find_libc_function("malloc"), remote_pid);
   unsigned long remote_free_addr = find_remote_function("libc", find_libc_function("free"), remote_pid);
   unsigned long remote_dlopen_addr = find_remote_function("libc", find_libc_function("__libc_dlopen_mode"), remote_pid);
   
   // Initialize global regs structs variables
   memset(&_regs_backup, 0, sizeof(struct user_regs_struct));
   memset(&_regs_fiddle, 0, sizeof(struct user_regs_struct));
   ptrace_getregs(remote_pid, &_regs_backup);
   reset_regs_fiddle();

   // Get Addr to write our initial stub to:
   unsigned long free_space_addr = find_free_space_addr(remote_pid);
   
   // Set RIP to addr start (2 byte long start instruction)
   _regs_fiddle.rip = free_space_addr + 2;
   
   // TODO TMP
   // Setup parameters in registers (see malloc_stub definition)
   _regs_fiddle.rbx = 1073741824; // exactly one GB
   _regs_fiddle.rax = remote_malloc_addr;
   
   // Upload registers
   printf("Uploading payload regs\n");
   ptrace_setregs(remote_pid, &_regs_fiddle);
   
   // Figure out stub size
   size_t stub_size = (intptr_t)malloc_stub_end - (intptr_t)malloc_stub;
   
   // Create buffer holdig our stub
   printf("Crafting payload stub\n");
   char* stub_code = malloc(stub_size * sizeof(char));
   memset(stub_code, 0, stub_size * sizeof(char));
   memcpy(stub_code, malloc_stub, stub_size);

   // Backup everything that we'll overwrite in target location
   printf("Backing up data\n");
   char* backup = malloc(stub_size * sizeof(char));
   read_data(remote_pid, free_space_addr, backup, stub_size);
   
   // Write our code to target location
   printf("Uploading payload\n");
   write_data(remote_pid, free_space_addr, stub_code, stub_size);
   
   // Continue execution and wait for int3
   printf("Code injection successfull, executing\n"); 
   ptrace_cont(remote_pid);
   sleep(1);
   printf("Pid returned ... probably\n");
   
   // Reupload old data
   printf("Reuploading old data\n");
   write_data(remote_pid, free_space_addr, backup, stub_size);
   ptrace_setregs(remote_pid, &_regs_backup);
   printf("Reset execution flow, continuing execution");
   
   ptrace_cont(remote_pid);
   
   free(backup);
   free(stub_code);
   
   printf("TMP; HALTING FOR 30 seconds\n");
   sleep(30);
}