require 'ipaddr'
require 'socket'
require 'thread'
require 'metasm'
include Metasm
# Converts a 32-bit value from network (big-endian) to host byte order.
# Packing as big-endian and re-reading as a native 32-bit unsigned int is a
# byte swap on little-endian hosts and the identity on big-endian ones.
# @param x [Integer] 32-bit unsigned value as read from the debuggee's memory
# @return [Integer] the same value in host byte order
def ntohl(x)
  [x].pack('N').unpack1('L')
end
# Renders a decoded sockaddr_in as "a.b.c.d:port".
# Both fields sit in network byte order inside the struct, hence ntohl/ntohs.
# No family check is done here; the caller is expected to hand in an AF_INET struct.
# @param sockaddr [#sin_addr, #sin_port] object returned by CParser#decode_c_struct
# @return [String] "ip:port"
def make_ip_string(sockaddr)
  host = IPAddr.new(ntohl(sockaddr.sin_addr.s_addr), Socket::AF_INET)
  format('%s:%d', host.to_s, ntohs(sockaddr.sin_port))
end
# Converts a 16-bit value from network (big-endian) to host byte order.
# Same trick as ntohl: pack big-endian, re-read as a native 16-bit unsigned int.
# @param x [Integer] 16-bit unsigned value as read from the debuggee's memory
# @return [Integer] the same value in host byte order
def ntohs(x)
  [x].pack('n').unpack1('S')
end
# Dotted-quad string for a raw 32-bit IPv4 address in network byte order.
# Not referenced elsewhere in this paste; kept as a small helper.
# @param ip [Integer] in_addr_t as stored in memory
# @return [String] e.g. "127.0.0.1"
def convert_ip(ip)
  host_order = ntohl(ip)
  IPAddr.new(host_order, Socket::AF_INET).to_s
end
# Reinterprets +x+ through the pack template +t+ (e.g. 'l' for a native signed
# 32-bit int), so an unsigned register dump becomes a signed value.
# @param x [Integer] raw value
# @param t [String] Array#pack template for the target width/signedness
# @return [Integer] the value as that type reads it
def fix_signed(x, t)
  [x].pack(t).unpack1(t)
end
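# Reads the three accept() arguments (fd, sockaddr*, socklen_t*) for the
# syscall the debuggee is currently stopped on.
# @param dbg [LinDebugger] stopped at the syscall entry
# @return [Array<Integer>] [fd, sockaddr_ptr, addrlen_ptr]
# @raise [ArgumentError] on a cpu this script has no argument layout for
#   (previously returned nil, which only surfaced as a NoMethodError in the caller)
def accept_get_args(dbg)
  cpu = dbg.ptrace.tgcpu.shortname
  case cpu
  when 'x64'
    ## x64 is easy.. but there is still something wrong...
    ## NOTE(review): only the three sys_accept registers are read; accept4()
    ## carries a 4th flags argument that is not captured here — possibly what
    ## the remark above refers to.
    %i[rdi rsi rdx].map { |reg| dbg[reg] }
  when 'ia32'
    ## sys_socketcall - ecx points to *args
    ## ecx[0] -> fd
    ## ecx[1] -> &sockaddr_in
    ## ecx[2] -> &sizeof(sockaddr_in)
    base = dbg[:ecx]
    [base, base + 4, base + 8].map { |addr| dbg.memory_read_int(addr) }
  else
    raise ArgumentError, "accept_get_args: no argument layout for cpu #{cpu}"
  end
end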
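# Runs the pending accept() to completion and returns the peer as "ip:port".
#
# Must be called from the syscall callback with the debuggee stopped at the
# syscall entry: the arguments are captured first, make_syscall lets the kernel
# finish the call, and only then are the kernel-filled sockaddr / addrlen read.
#
# @param dbg [LinDebugger]
# @param cp  [Metasm::C::Parser] parser that has already parsed struct sockaddr_in
# @param acc   unused, kept so positional callers keep working
# @param dupa2 unused, kept so positional callers keep working
# @return [String] "a.b.c.d:port" for an AF_INET peer
# @return [Integer] the negative errno when accept() itself failed
# @return [nil] when there is no usable peer address: NULL or too-short buffer,
#   a family other than AF_INET, or the all-zero 0.0.0.0:0 address
def decode_accept(dbg, cp, acc = true, dupa2 = false)
  _fd, addr_ptr, len_ptr = accept_get_args(dbg)
  make_syscall(dbg)
  retval = dbg.sysret
  return retval if retval < 0 ## nothing here go out

  ## accept(fd, NULL, NULL) is legal: nothing to decode
  return if addr_ptr.zero? || len_ptr.zero?

  ## addrlen is written back by the kernel; it is a socklen_t, so mask to 32 bits
  slen = dbg.memory_read_int(len_ptr) & 0xffff_ffff
  ## 16 = sizeof(struct sockaddr_in) as declared in the sockaddr_in heredoc;
  ## a shorter buffer means the struct was truncated and must not be decoded
  return if slen < 16

  ## straith-forward dump of parameters
  sockaddr_in = cp.decode_c_struct('sockaddr_in', dbg[addr_ptr, slen], 0)
  ## only sockaddr_in is modelled; decoding another family (AF_INET6, AF_UNIX, ...)
  ## through it would produce a garbage address
  return unless sockaddr_in.sin_family == Socket::AF_INET

  ip_str = make_ip_string(sockaddr_in)
  return if ip_str == "0.0.0.0:0"

  ip_str
end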
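# Lets the debuggee run to the end of the syscall it is stopped on, with the
# syscall callback disabled so that this wait is not re-entered from inside the
# callback that called us.
# The callback is restored in an ensure block: the original left it nil when
# syscall_wait raised (e.g. the debuggee vanished), silently disabling tracing.
# @param dbg [LinDebugger]
# @return the value of dbg.syscall_wait (callers ignore it)
def make_syscall(dbg)
  saved = dbg.callback_syscall
  begin
    dbg.callback_syscall = nil
    dbg.syscall_wait
  ensure
    dbg.callback_syscall = saved
  end
end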
# Adds register / syscall helpers to this one debugger instance (singleton
# methods, so other LinDebugger objects are untouched).
# @param dbg [LinDebugger]
def extend_dbg(dbg)
  class << dbg
    # Register +r+ (case-insensitive name) from the saved context; 0 when the
    # debuggee is not stopped or has already gone away (ESRCH).
    def get_reg_value(r)
      return 0 unless @state == :stopped
      ctx.get_reg(r.downcase.to_sym)
    rescue Errno::ESRCH
      0
    end

    # Writes register +r+ (case-insensitive name) into the context.
    def set_reg_value(r, v)
      ctx.set_reg(r.downcase.to_sym, v)
    end

    # Syscall return value read via ptrace, sign-extended through the native
    # int pack format so -errno results compare < 0.
    def sysret
      fmt = @ptrace.packint
      raw = @ptrace.peekusr(@ptrace.reg_off[retreg])
      [raw].pack(fmt).unpack1(fmt)
    end

    # Name of the register holding the syscall number (an ORIG_-prefixed name).
    def sysreg
      @ptrace.syscallreg
    end

    # Same register without the ORIG_ prefix: where the return value lands.
    def retreg
      sysreg.sub(/ORIG_/, '')
    end

    def sysreg=(v)
      set_reg_value(sysreg, v)
    end

    def retreg=(v)
      set_reg_value(retreg, v)
    end
  end
end
# C declarations fed to the Metasm C parser so decode_c_struct('sockaddr_in', ...)
# can decode the peer address accept() writes back. Only AF_INET is modelled
# (16 bytes: family, port, in_addr, 8 bytes of padding).
sockaddr_in =<<EOS
typedef unsigned short u_short;
typedef unsigned __int32 uint32_t;
typedef uint32_t in_addr_t;
struct in_addr
{
in_addr_t s_addr;
};
struct sockaddr_in
{
u_short sin_family; /* must be AF_INET */
u_short sin_port;
struct in_addr sin_addr;
char sin_zero[8]; /* Not used, must be zero */
};
EOS
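# Entry point: attach to the PID given on the command line and log the peer of
# every accept() the debuggee completes, until it dies or C-c is pressed.
abort "usage: #{$PROGRAM_NAME} <pid>" if ARGV.empty?
pid1 = ARGV.shift.to_i
begin
  $dbg = LinDebugger.new(pid1)
  extend_dbg($dbg)
  cp = $dbg.cpu.new_cparser
  cp.parse sockaddr_in
  ## decode_accept runs the syscall to completion with this callback disabled,
  ## so it is not re-entered at the syscall exit.
  $dbg.callback_syscall = lambda do |info|
    ## NOTE(review): is_accept? is not defined anywhere in this paste; it must
    ## come from code outside it, otherwise every syscall ends in the rescue below.
    next unless is_accept?(info, $dbg)
    ip_str = decode_accept($dbg, cp, true, true)
    ## nil means no usable address; a negative errno is still printed as-is
    next unless ip_str
    rip_str = ip_str
    ## the author's local -> real address mapping, left disabled:
    # if ip_str.kind_of? String and ip_str.split(':')[0] == "127.0.0.1"
    #   rip_str = $mutex.synchronize {
    #     cv.wait($mutex)
    #     $map[ip_str]
    #   }
    # end
    $stderr.puts "(t2) conn: #{ip_str} | real: #{rip_str}"
    $stderr.flush
  end
  $dbg.syscall_wait until $dbg.state == :dead
rescue Interrupt
  $stderr.puts "[*] C-c detaching"
rescue => e
  $stderr.puts "(t2)[-] (#{Time.now.to_i}) Error: #{e.message}"
  $stderr.puts e.backtrace.join("\n")
  $stderr.puts ""
  $stderr.puts $dbg.ctx.do_getregs if $dbg
ensure
  ## replaces a stray debug print ("asdf") that ran on every exit
  $stderr.puts "[*] detaching"
  $dbg.detach if $dbg
end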