#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <elf.h>

/*
 * Constant that main()'s -read mode subtracts from e_entry to turn the entry
 * address into a file offset. It is hard-coded, so the reader only locates
 * the stored data in files whose modified segment has exactly this
 * address-to-offset delta.
 * NOTE(review): inject_text() never uses or checks this value; the two code
 * paths only agree by assumption about the target binary's layout.
 */
#define ELF_ADDR 0x8049000

/*
 * Length of the stub emitted by inject_text(): a 5-byte `push imm32` plus a
 * 1-byte `ret`. The 4-byte size field sits at this offset from the entry
 * point, and the stored bytes follow it.
 */
#define PAYLOAD_LEN 6

/*
 * When defined, every stored byte is XORed with 0x1 on write (inject_text)
 * and again on read (main). This is light obfuscation of the embedded text,
 * not encryption: the key is a fixed single byte.
 */
#define XOR
/*
 * inject_text - rewrite a 32-bit ELF file in place so that it carries an
 * extra blob: a 6-byte stub, a 4-byte length and `size` bytes of `string`.
 *
 * file   : path of the ELF file; it is read fully into memory, patched there
 *          and then written back over itself.
 * string : bytes to store. When XOR is defined the caller's buffer is
 *          modified in place (each byte XORed with 0x1) before it is copied.
 * size   : number of bytes of `string` to store.
 *
 * Returns 1 on the error paths below. There is no return statement on the
 * success path, so a caller must not rely on the return value.
 *
 * What a modified file looks like (useful when triaging a sample):
 *   - e_entry equals p_vaddr + p_memsz (pre-modification values) of the first
 *     PT_LOAD header that has a non-zero p_offset, i.e. the entry point sits
 *     at what used to be the very end of that segment;
 *   - the bytes at the entry point are 0x68 <old e_entry> 0xc3 (push imm32;
 *     ret), followed by a 4-byte length and the stored bytes;
 *   - that segment's p_filesz and p_memsz have both grown by the blob size
 *     plus the former memsz-filesz gap, which is now zero bytes in the file.
 *
 * NOTE(review): nothing here validates the input. The ELF magic, class,
 * e_phoff/e_shoff and the header counts are all taken from the file and used
 * as offsets into srcbuffer without a bounds check, so a malformed file
 * leads to out-of-bounds reads and writes on the heap.
 */
int
inject_text(char *file, unsigned char *string, int size)
{
    /*
     * Stub template. The stub only pushes the original entry address and
     * returns to it; the trailing four bytes are a length field, not code.
     */
    unsigned char asm_base_payload[] = {
        //0xb9, 0x00, 0x00, 0x00, 0x00, /* movl $old_entry, %ecx */
        //0xff, 0xe1, /* jmp *%ecx ( jump_old_entry ) */
        0x68, 0x00, 0x00, 0x00, 0x00, /* push $old_entry */
        0xc3, /* ret */
        0x00, 0x00, 0x00, 0x00 /* size */
    };
    /* Greetz to evilsocket
     * http://www.evilsocket.net
     *
     * ELF Command Injector:
     * http://sprunge.us/JIWU
     *
     * START CODE */
    int base_size = sizeof(asm_base_payload);
    unsigned int srcsize;
    unsigned char * srcbuffer;
    Elf32_Ehdr *elf_header;
    Elf32_Phdr *program_headers;
    Elf32_Shdr *section_headers;
    struct stat stat;
    /*
     * NOTE(review): parasite_offset and bss_len are only assigned inside the
     * first program-header loop. If no header matches they are read
     * uninitialized by every later step.
     */
    int i_fd, i, move = 0, parasite_offset, bss_len, o_fd, zero = 0;
    /* alloc space for base shellcode + user command */
    /* NOTE(review): malloc result is not checked; a negative `size` is not rejected. */
    char *asm_payload = (char *)malloc( base_size + size );
    int asm_payload_size = base_size + size;
#ifdef XOR
    /*
     * Obfuscate the caller's buffer in place.
     * NOTE(review): `size` is trusted; if it exceeds the real length of
     * `string` this loop writes past the end of the caller's buffer.
     */
    int c;
    for(c = 0;c < size;c++)
        string[c] ^= 0x1;
#endif
    /* asm_payload = asm_base_payload + params.command */
    memcpy( asm_payload, asm_base_payload, base_size );
    memcpy( asm_payload + base_size, string, size );
#ifdef _DEBUG
    printf( "@ Shellcode size : %d bytes .\n", asm_payload_size );
#endif
    /* NOTE(review): every early `return 1` below leaks asm_payload, and from
     * here on also the open descriptor and/or srcbuffer. */
    if( (i_fd = open( file, O_RDWR )) == -1 )
        return 1;
    if( fstat( i_fd, &stat ) < 0 )
        return 1;
    /* st_size (off_t) is narrowed to unsigned int here. */
    srcsize = stat.st_size;
#ifdef _DEBUG
    printf( "@ Original file size : %d bytes .\n", srcsize );
#endif
    /* read original file into a buffer */
    /* A short read is treated as failure; the malloc result is not checked. */
    srcbuffer = (unsigned char *)malloc( srcsize );
    if( read( i_fd, srcbuffer, srcsize ) != srcsize )
        return 1;
    close(i_fd);
    /* NOTE(review): no check that srcsize >= sizeof(Elf32_Ehdr) or that the
     * buffer starts with the ELF magic before it is reinterpreted. */
    elf_header = (Elf32_Ehdr *)srcbuffer;
#ifdef _DEBUG
    printf( "@ Old entry point : 0x%X .\n", elf_header->e_entry );
#endif
    /*
     * Patch the template: bytes 1..4 are the push immediate (original entry
     * address), bytes 6..9 the length field. Both stores go through an int
     * pointer into a char buffer at an odd offset, in host byte order.
     */
    *(int*)&asm_payload[1] = elf_header->e_entry;
    *(int*)&asm_payload[6] = size;
#ifdef _DEBUG
    printf("@ Hexdump:\n");
    for(i = 0;i < asm_payload_size;i++)
    {
        printf("\\x%02x", (unsigned char)asm_payload[i] );
        if( i && (i % 16) == 0 )
            putchar('\n');
    }
    putchar('\n');
#endif
    /* compute new elf header info and data for headers relocation */
    /*
     * Pick the first PT_LOAD header with a non-zero file offset. The blob is
     * placed after that segment's file content, the new entry point is the
     * segment's old end address in memory, and bss_len is the part of the
     * segment that existed only in memory (memsz - filesz).
     */
    program_headers = (Elf32_Phdr *)(srcbuffer + elf_header->e_phoff);
    for( i = 0; i < elf_header->e_phnum; i++ )
    {
        if( program_headers->p_type != PT_DYNAMIC )
        {
            if( program_headers->p_type == PT_LOAD && program_headers->p_offset )
            {
                parasite_offset = program_headers->p_offset + program_headers->p_filesz;
                elf_header->e_entry = program_headers->p_memsz + program_headers->p_vaddr;
                bss_len = program_headers->p_memsz - program_headers->p_filesz;
                break;
            }
        }
        ++program_headers;
    }
#ifdef _DEBUG
    printf( "@ New entry point : 0x%X .\n", elf_header->e_entry );
#endif
    /* update elf section headers */
    /* Every section stored at or after the insertion point moves down by the
     * inserted length (blob plus the zero fill). */
    section_headers = (Elf32_Shdr *)(srcbuffer + elf_header->e_shoff);
    for( i = 0; i < elf_header->e_shnum; i++ )
    {
        if( section_headers->sh_offset >= parasite_offset )
            section_headers->sh_offset += asm_payload_size + bss_len;
        ++section_headers;
    }
    /* update elf program headers */
    /*
     * Second pass over the program headers: the chosen segment grows in file
     * and in memory, and every non-PT_DYNAMIC header visited after it has
     * its file offset shifted.
     * NOTE(review): PT_DYNAMIC headers are skipped entirely, so their
     * p_offset is left unadjusted - confirm whether that is intended.
     */
    program_headers = (Elf32_Phdr *)(srcbuffer + elf_header->e_phoff);
    for( i = 0; i < elf_header->e_phnum; i++ )
    {
        if( program_headers->p_type != PT_DYNAMIC ){
            if(move)
            {
                program_headers->p_offset += asm_payload_size + bss_len;
            } else if( program_headers->p_type == PT_LOAD && program_headers->p_offset )
            {
                program_headers->p_filesz += asm_payload_size + bss_len;
                program_headers->p_memsz += asm_payload_size + bss_len;
                move = 1;
            }
        }
        ++program_headers;
    }
    /* update elf header with new parasite code offset and write relocated data to the destination file */
    elf_header->e_shoff += (elf_header->e_shoff >= parasite_offset ? asm_payload_size + bss_len : 0);
    elf_header->e_phoff += (elf_header->e_phoff >= parasite_offset ? asm_payload_size + bss_len : 0);
    /*
     * The same path is reopened and overwritten from offset 0; there is no
     * temporary file or rename, so a failure part-way leaves a damaged file.
     * NOTE(review): O_EXCL is passed without O_CREAT, a combination POSIX
     * leaves undefined, and the mode argument is only used when a file is
     * created.
     */
    if( (o_fd = open( file, O_RDWR | O_EXCL, stat.st_mode )) < 0 )
        return 1;
    /* Output layout: original bytes up to the insertion point, bss_len zero
     * bytes, the blob, then the rest of the original file.
     * NOTE(review): only write() < 0 is tested, so short writes go unnoticed,
     * and the per-byte zero fill ignores its result completely. */
    if( write( o_fd, srcbuffer, parasite_offset ) < 0 )
        return 1;
    for( i = 0; i < bss_len; i++ )
        write( o_fd, &zero, 1 );
    if( write( o_fd, asm_payload, asm_payload_size ) < 0 )
        return 1;
    if( write( o_fd, srcbuffer + parasite_offset, stat.st_size - parasite_offset ) < 0 )
        return 1;
    close(o_fd);
    free(srcbuffer);
    /* NOTE(review): asm_payload is never freed, and the function ends here
     * without returning a value. */
    /* END CODE */
}
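/* Print the command-line synopsis. */
static void
print_usage(const char *prog)
{
    printf("Usage: %s -inject|-read <file> <chars> [<size>]\n", prog);
}

/*
 * Command-line front end.
 *
 *   -inject <file> <chars> [<size>]  store <chars> in <file> via inject_text()
 *   -read   <file>                   print the text stored in <file>
 *
 * Exit status: 0 on success, 1 for bad arguments, 2 if the file cannot be
 * opened, 3 if fstat fails, 4 on a read error or allocation failure, 5 if
 * the file does not have the expected layout.
 *
 * The -read path treats everything in the file as untrusted: the ELF header,
 * the derived offsets and the stored length are all range-checked against
 * the file size before they are used.
 */
int
main(int argc,char **argv)
{
    if (argc < 3) {
        print_usage(argv[0]);
        return 1;
    }

    if (strcmp(argv[1], "-inject") == 0) {
        size_t text_len;
        int size;

        /* With only two arguments argv[3] is NULL and must not be read. */
        if (argc < 4) {
            print_usage(argv[0]);
            return 1;
        }

        text_len = strlen(argv[3]);
        size = (int)text_len;

        if (argc == 5) {
            char *end;
            long requested;

            /*
             * The explicit size may shorten the text but must never exceed
             * it: inject_text() reads (and, with XOR, writes) exactly `size`
             * bytes of the argument.
             */
            errno = 0;
            requested = strtol(argv[4], &end, 10);
            if (end == argv[4] || *end != '\0' || errno == ERANGE ||
                requested < 0 || (unsigned long)requested > text_len) {
                fprintf(stderr, "Invalid size '%s' (expected 0..%lu)\n",
                        argv[4], (unsigned long)text_len);
                return 1;
            }
            size = (int)requested;
        }

        /*
         * NOTE(review): inject_text() has no return statement on its success
         * path, so its result cannot be tested here; the message below is
         * printed even when the call failed.
         */
        inject_text(argv[2], (unsigned char *)argv[3], size);
        printf("Injection succeeded!\n");
        return 0;
    }

    if (strcmp(argv[1], "-read") == 0) {
        struct stat elf_stat;
        Elf32_Ehdr header;
        unsigned long long file_len, size_off, data_off;
        char *buf;
        int fd;
        int size;

        if ((fd = open(argv[2], O_RDONLY)) < 0)
            return 2;
        if (fstat(fd, &elf_stat) < 0) {
            close(fd);
            return 3;
        }
        file_len = (unsigned long long)elf_stat.st_size;

        /* Only the ELF header is needed; read it into a local copy. */
        if (pread(fd, &header, sizeof header, 0) != (ssize_t)sizeof header) {
            close(fd);
            return 4;
        }
        if (memcmp(header.e_ident, ELFMAG, SELFMAG) != 0 ||
            header.e_ident[EI_CLASS] != ELFCLASS32) {
            fprintf(stderr, "Not a 32-bit ELF file\n");
            close(fd);
            return 5;
        }
        printf("@ Entry point \t: 0x%X\n", header.e_entry);

        /*
         * The stored length sits PAYLOAD_LEN bytes after the entry point and
         * the data right after it. The address-to-offset mapping uses the
         * fixed ELF_ADDR, so reject entry points that cannot map into the
         * file instead of seeking to a wrapped offset.
         */
        if (header.e_entry < ELF_ADDR) {
            fprintf(stderr, "Entry point is outside the expected range\n");
            close(fd);
            return 5;
        }
        size_off = (unsigned long long)(header.e_entry - ELF_ADDR) + PAYLOAD_LEN;
        data_off = size_off + sizeof size;
        if (data_off > file_len) {
            fprintf(stderr, "No stored data at the expected offset\n");
            close(fd);
            return 5;
        }

        if (pread(fd, &size, sizeof size, (off_t)size_off) != (ssize_t)sizeof size) {
            close(fd);
            return 4;
        }
        printf("@ Hidden file size:\t: %d byte(s)\n", size);

        /* The length comes from the file: bound it by what the file holds. */
        if (size < 0 || (unsigned long long)size > file_len - data_off) {
            fprintf(stderr, "Stored length is out of range\n");
            close(fd);
            return 5;
        }

        /* One extra byte for the terminator written below. */
        buf = malloc((size_t)size + 1);
        if (buf == NULL) {
            close(fd);
            return 4;
        }
        if (pread(fd, buf, (size_t)size, (off_t)data_off) != (ssize_t)size) {
            free(buf);
            close(fd);
            return 4;
        }
        buf[size] = 0;
        close(fd);

#ifdef XOR
        /* Undo the single-byte XOR applied when the text was stored. */
        for (int c = 0; c < size; c++)
            buf[c] ^= 0x1;
#endif
        printf("@ Hidden file content:\n\n%s\n", buf);
        free(buf);
        return 0;
    }

    /* Unknown mode: report it instead of exiting successfully. */
    print_usage(argv[0]);
    return 1;
}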