passing and ret params to shellcode
parent
d0a9a38ede
commit
f5c7a4375d
|
@ -1,3 +1,3 @@
|
||||||
#! /usr/bin/env python3
|
#! /usr/bin/env python3
|
||||||
from .run import example, shell_function
|
from .run import example, shell_func
|
||||||
# from .orm import SeedNode
|
# from .orm import SeedNode
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#! /usr/bin/env python3
|
#! /usr/bin/env python3
|
||||||
from .run import example
|
from .run import sins
|
||||||
|
|
||||||
example()
|
sins()
|
||||||
|
|
51
sins/run.py
51
sins/run.py
|
@ -10,15 +10,30 @@ import subprocess
|
||||||
import mmap
|
import mmap
|
||||||
|
|
||||||
whoami_shell = b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05"
|
whoami_shell = b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05"
|
||||||
|
seed_shell = b'U\x90H\x89\xe5\x90H\x89}\xf8\x90H\x8bE\xf8\x90]\x90\xc3'
|
||||||
|
|
||||||
|
def shell_func(shellcode: bytes):
|
||||||
|
exec_mem = mmap.mmap(
|
||||||
|
-1, len(shellcode),
|
||||||
|
prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
|
||||||
|
flags=mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)
|
||||||
|
|
||||||
|
exec_mem.write(shellcode)
|
||||||
|
|
||||||
|
ctypes_buffer = ctypes.c_int.from_buffer(exec_mem)
|
||||||
|
function = ctypes.CFUNCTYPE(ctypes.c_uint, ctypes.c_uint)(
|
||||||
|
ctypes.addressof(ctypes_buffer))
|
||||||
|
function._avoid_gc_for_mmap = exec_mem
|
||||||
|
|
||||||
|
return function
|
||||||
|
|
||||||
|
|
||||||
def example():
|
def sins():
|
||||||
now = '{0:%Y%m%dT%H%M%S}'.format(datetime.utcnow())
|
now = '{0:%Y%m%dT%H%M%S}'.format(datetime.utcnow())
|
||||||
parser = ArgumentParser(
|
parser = ArgumentParser(
|
||||||
description='position independent code (PIC) mutation experiment.')
|
description='position independent code (PIC) mutation experiment.')
|
||||||
parser.add_argument('-v', '--verbose', action='count')
|
parser.add_argument('-v', '--verbose', action='count')
|
||||||
parser.add_argument('-s', '--seed', default='seed',
|
parser.add_argument('-s', '--seed', help='path to PIC image.')
|
||||||
help='path to PIC image.')
|
|
||||||
parser.add_argument('-o', '--output', help='path to results directory.')
|
parser.add_argument('-o', '--output', help='path to results directory.')
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
@ -45,11 +60,25 @@ def example():
|
||||||
file_handler.setFormatter(log_format)
|
file_handler.setFormatter(log_format)
|
||||||
logger.addHandler(file_handler)
|
logger.addHandler(file_handler)
|
||||||
|
|
||||||
logger.info(whoami_shell)
|
logger.info(now)
|
||||||
shell_function(whoami_shell)()
|
|
||||||
|
|
||||||
|
seed_data = seed_shell
|
||||||
|
|
||||||
def shell_function(shellcode: bytes):
|
if args.seed:
|
||||||
|
seed = Path(args.seed)
|
||||||
|
|
||||||
|
with seed.open('rb') as seed_file:
|
||||||
|
seed_data = seed_file.read()
|
||||||
|
|
||||||
|
logger.info(f'seed_data\n{seed_data}')
|
||||||
|
logger.info(f'seed_len: {len(seed_data)}')
|
||||||
|
|
||||||
|
seed = shell_func(seed_shell)
|
||||||
|
ret_val = seed(ctypes.c_uint(len(seed_data)))
|
||||||
|
|
||||||
|
logger.info(f'ret_val: {ret_val}')
|
||||||
|
|
||||||
|
def func_void(shellcode: bytes):
|
||||||
exec_mem = mmap.mmap(
|
exec_mem = mmap.mmap(
|
||||||
-1, len(shellcode),
|
-1, len(shellcode),
|
||||||
prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
|
prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
|
||||||
|
@ -63,3 +92,13 @@ def shell_function(shellcode: bytes):
|
||||||
function._avoid_gc_for_mmap = exec_mem
|
function._avoid_gc_for_mmap = exec_mem
|
||||||
|
|
||||||
return function
|
return function
|
||||||
|
|
||||||
|
|
||||||
|
def example():
|
||||||
|
logging.basicConfig(level=logging.DEBUG)
|
||||||
|
logging.info(whoami_shell)
|
||||||
|
logging.info('wtfm8')
|
||||||
|
whoami = func_void(whoami_shell)
|
||||||
|
ret_val = whoami()
|
||||||
|
# whoami doesn't ret
|
||||||
|
logging.info(ret_val)
|
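Review bot: `shell_func` in the first hunk leaves the shellcode page mapped `PROT_READ | PROT_WRITE | PROT_EXEC` for the whole lifetime of the returned callable, so the region is writable while it is executable; the same mapping is used by `func_void`, whose body is split between the second and third hunks with its middle lines outside them. Python's `mmap` object cannot change protection after `exec_mem.write(shellcode)`, so drop write through libc once the bytes are in place, e.g. `libc = ctypes.CDLL(None, use_errno=True); libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]` followed by `if libc.mprotect(ctypes.addressof(ctypes_buffer), len(exec_mem), mmap.PROT_READ | mmap.PROT_EXEC) != 0: raise OSError(ctypes.get_errno(), 'mprotect failed')` (an anonymous mmap is page-aligned, which mprotect requires). Two robustness gaps in the same function: an empty `shellcode` makes the anonymous `mmap` raise instead of returning a callable, and `ctypes.c_int.from_buffer(exec_mem)` needs a buffer of at least 4 bytes, so a guard such as `if len(shellcode) < ctypes.sizeof(ctypes.c_int): raise ValueError('shellcode too short')` gives a clearer error than the ctypes one. In `sins()` the bytes read from `--seed` are logged in full but only their length is passed to the hard-coded `seed_shell` stub (which from its bytes appears to be an identity function returning its first argument), and `seed` is rebound from a `Path` to the ctypes callable a few lines later; a comment such as `# the seed file is measured, not executed: its length is the argument passed to the PIC stub` and a distinct name for the callable would make that intent clear to the next reader.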