Advertisement
Guest User

textinj

a guest
Nov 25th, 2012
44
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 6.30 KB | None | 0 0
  1. #include <stdio.h>
  2. #include <string.h>
  3. #include <sys/stat.h>
  4. #include <sys/types.h>
  5. #include <fcntl.h>
  6. #include <unistd.h>
  7. #include <stdlib.h>
  8. #include <errno.h>
  9. #include <elf.h>
  10.  
  11. #define ELF_ADDR 0x8049000
  12. #define PAYLOAD_LEN 6
  13.  
  14. #define XOR
  15.  
  16. int
  17. inject_text(char *file, unsigned char *string, int size)
  18. {
  19.     unsigned char asm_base_payload[] = {
  20.         //0xb9, 0x00, 0x00, 0x00, 0x00, /* movl $old_entry, %ecx */
  21.         //0xff, 0xe1,                   /* jmp  *%ecx ( jump_old_entry ) */
  22.         0x68, 0x00, 0x00, 0x00, 0x00,   /* push $old_entry */
  23.         0xc3,                     /* ret */
  24.         0x00, 0x00, 0x00, 0x00        /* size */
  25.     };
  26.  
  27.     /* Greetz to evilsocket
  28.     *  http://www.evilsocket.net
  29.     *
  30.     *  ELF Command Injector:
  31.     *  http://sprunge.us/JIWU
  32.     *
  33.     * START CODE */
  34.  
  35.     int base_size   = sizeof(asm_base_payload);
  36.  
  37.     unsigned int    srcsize;
  38.     unsigned char * srcbuffer;
  39.  
  40.     Elf32_Ehdr *elf_header;
  41.     Elf32_Phdr *program_headers;
  42.     Elf32_Shdr *section_headers;
  43.  
  44.     struct stat stat;
  45.  
  46.     int i_fd, i, move = 0, parasite_offset, bss_len, o_fd, zero = 0;
  47.  
  48.      /* alloc space for base shellcode + user command */
  49.     char *asm_payload = (char *)malloc( base_size + size );
  50.     int  asm_payload_size   = base_size + size;
  51.  
  52. #ifdef XOR
  53.     int c;
  54.  
  55.     for(c = 0;c < size;c++)
  56.         string[c] ^= 0x1;
  57. #endif
  58.  
  59.      /* asm_payload = asm_base_payload + params.command */
  60.      memcpy( asm_payload, asm_base_payload, base_size );
  61.      memcpy( asm_payload + base_size, string, size );
  62.  
  63. #ifdef _DEBUG
  64.     printf( "@ Shellcode size               : %d bytes .\n", asm_payload_size );
  65. #endif
  66.  
  67.      if( (i_fd = open( file, O_RDWR )) == -1 )
  68.         return 1;
  69.  
  70.      if( fstat( i_fd, &stat ) < 0 )
  71.         return 1;
  72.  
  73.      srcsize = stat.st_size;
  74.  
  75. #ifdef _DEBUG
  76.      printf( "@ Original file size           : %d bytes .\n", srcsize );
  77. #endif
  78.  
  79.     /* read original file into a buffer */
  80.      srcbuffer = (unsigned char *)malloc( srcsize );
  81.  
  82.      if( read( i_fd, srcbuffer, srcsize ) != srcsize )
  83.                 return 1;
  84.  
  85.      close(i_fd);
  86.  
  87.      elf_header = (Elf32_Ehdr *)srcbuffer;
  88.  
  89. #ifdef _DEBUG
  90.      printf( "@ Old entry point              : 0x%X .\n", elf_header->e_entry );
  91. #endif
  92.  
  93.      *(int*)&asm_payload[1] = elf_header->e_entry;
  94.     *(int*)&asm_payload[6] = size;
  95.  
  96. #ifdef _DEBUG
  97.     printf("@ Hexdump:\n");
  98.  
  99.     for(i = 0;i < asm_payload_size;i++)
  100.     {
  101.         printf("\\x%02x", (unsigned char)asm_payload[i] );
  102.  
  103.         if( i && (i % 16) == 0 )
  104.             putchar('\n');
  105.     }
  106.  
  107.     putchar('\n');
  108. #endif
  109.  
  110.      /* compute new elf header info and data for headers relocation */
  111.      program_headers = (Elf32_Phdr *)(srcbuffer + elf_header->e_phoff);
  112.  
  113.      for( i = 0; i < elf_header->e_phnum; i++ )
  114.     {
  115.         if( program_headers->p_type != PT_DYNAMIC )
  116.         {
  117.             if( program_headers->p_type == PT_LOAD && program_headers->p_offset )
  118.             {
  119.                     parasite_offset     = program_headers->p_offset + program_headers->p_filesz;
  120.                     elf_header->e_entry = program_headers->p_memsz  + program_headers->p_vaddr;
  121.                     bss_len             = program_headers->p_memsz  - program_headers->p_filesz;
  122.  
  123.                     break;
  124.                }
  125.           }
  126.  
  127.           ++program_headers;
  128.      }
  129.  
  130. #ifdef _DEBUG
  131.     printf( "@ New entry point              : 0x%X .\n", elf_header->e_entry );
  132. #endif
  133.  
  134.     /* update elf section headers */
  135.     section_headers = (Elf32_Shdr *)(srcbuffer + elf_header->e_shoff);
  136.  
  137.     for( i = 0; i < elf_header->e_shnum; i++ )
  138.     {
  139.         if( section_headers->sh_offset >= parasite_offset )
  140.             section_headers->sh_offset += asm_payload_size + bss_len;
  141.  
  142.         ++section_headers;
  143.     }
  144.  
  145.      /* update elf program headers */
  146.      program_headers = (Elf32_Phdr *)(srcbuffer + elf_header->e_phoff);
  147.  
  148.      for( i = 0; i < elf_header->e_phnum; i++ )
  149.     {
  150.         if( program_headers->p_type != PT_DYNAMIC ){
  151.               if(move)
  152.             {
  153.                 program_headers->p_offset += asm_payload_size + bss_len;
  154.               } else if( program_headers->p_type == PT_LOAD && program_headers->p_offset )
  155.             {
  156.                 program_headers->p_filesz += asm_payload_size + bss_len;
  157.                 program_headers->p_memsz  += asm_payload_size + bss_len;
  158.                 move = 1;
  159.               }
  160.         }
  161.  
  162.         ++program_headers;
  163.     }
  164.  
  165.     /* update elf header with new parasite code offset and write relocated data to the destination file */
  166.     elf_header->e_shoff += (elf_header->e_shoff >= parasite_offset ? asm_payload_size + bss_len : 0);
  167.     elf_header->e_phoff += (elf_header->e_phoff >= parasite_offset ? asm_payload_size + bss_len : 0);
  168.  
  169.     if( (o_fd = open( file, O_RDWR | O_EXCL, stat.st_mode )) < 0 )
  170.         return 1;
  171.  
  172.     if( write( o_fd, srcbuffer, parasite_offset ) < 0 )
  173.         return 1;
  174.  
  175.     for( i = 0; i < bss_len; i++ )
  176.         write( o_fd, &zero, 1 );
  177.  
  178.     if( write( o_fd, asm_payload, asm_payload_size ) < 0 )
  179.         return 1;
  180.        
  181.  
  182.     if( write( o_fd, srcbuffer + parasite_offset, stat.st_size - parasite_offset ) < 0 )
  183.         return 1;
  184.  
  185.     close(o_fd);
  186.  
  187.     free(srcbuffer);
  188.  
  189.     /* END CODE */
  190. }
  191.  
  192. int
  193. main(int argc,char **argv)
  194. {
  195.     int fd;
  196.     char *buf;
  197.     struct stat elf_stat;
  198.     Elf32_Ehdr *elf_header;
  199.     int size;
  200.  
  201.     if(argc < 3)
  202.     {
  203.         printf("Usage: %s -inject|-read <file> <chars> [<size>]\n", argv[0] );
  204.         return 1;
  205.     }
  206.  
  207.     if(!strcmp(argv[1],"-inject"))
  208.     {
  209.         if( argc == 5 )
  210.             inject_text(argv[2], argv[3], atoi(argv[4]) );
  211.         else
  212.             inject_text(argv[2], argv[3], strlen(argv[3]) );
  213.  
  214.         printf("Injection succeeded!\n");
  215.     } else if(!strcmp(argv[1],"-read"))
  216.     {
  217.         if ((fd = open(argv[2],O_RDONLY)) < 0) /* Open file in read mode */
  218.             return 2;
  219.    
  220.         if( fstat( fd, &elf_stat ) < 0 )  /* Getting size with fstat */
  221.             return 3;
  222.  
  223.         size = elf_stat.st_size;
  224.         buf = (char*)malloc(size + 1);
  225.  
  226.         if (read(fd,buf,size) != size) /* Read whole file */
  227.             return 4;
  228.        
  229.         elf_header = (Elf32_Ehdr *)buf; /* Copy the buffer into elf structure */
  230.  
  231.         printf("@ Entry point      \t: 0x%X\n", elf_header->e_entry );
  232.  
  233.         pread(fd, &size, sizeof(int), elf_header->e_entry - ELF_ADDR + PAYLOAD_LEN); /* Read size of the hidden file */
  234.  
  235.         printf("@ Hidden file size:\t: %d byte(s)\n", size );
  236.  
  237.         buf = realloc( buf, size );
  238.  
  239.         pread(fd, buf, size, elf_header->e_entry - ELF_ADDR + PAYLOAD_LEN + 4 );
  240.  
  241.         buf[size] = 0;
  242.  
  243.         close(fd);
  244.  
  245.         #ifdef XOR
  246.         int c;
  247.  
  248.         for(c = 0;c < size;c++)
  249.             buf[c] ^= 0x1;
  250.         #endif
  251.  
  252.         printf("@ Hidden file content:\n\n%s\n", buf );
  253.     }
  254.  
  255.     return 0;
  256. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement