예제 #1
0
  mov eax,0x2
  mov ebx,0x1
  mov esi,0x0
  int 0x80
  popa
  ret
  '''

patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))

# the following code is going to be executed just before the original instruction at 0x8048166
injected_code = '''
; at this code location, it is fine to clobber eax and ebx
mov eax, {transmitted_string} ; a patch can refer to another patch address, by putting its name between curly brackets
mov ebx, 4
call {transmit_function}
'''

patches.append(
    InsertCodePatch(0x8048166,
                    injected_code,
                    name="injected_code_after_receive"))

# now we ask to the backend to inject all our patches
backend.apply_patches(patches)

# and then we save the file
backend.save("/tmp/CADET_00003_mod1")
# at this point you can try to run /tmp/CADET_00003_mod1 inside the DECREE VM or using our modified version of QEMU
예제 #2
0
        "Usage: {} [binary] [architecture] [autorun]\n\tValid architectures: {}"
        .format(sys.argv[0], ", ".join(archs.keys())))
    sys.exit(1)

name = sys.argv[1]
arch = sys.argv[2]
autorun = True if len(sys.argv) == 4 else False
backend = ReassemblerBackend(name)
patches = []

out_file = "a.out"
out_asm = "/tmp/{}_mod".format(name.replace("/", "_"))
# and then we save the file
backend._binary.remove_unnecessary_stuff()  #Seriously?
try:
    backend.save(out_asm)
except Exception as e:
    s = str(e)
    if "/tmp/" in s:
        fname = "/tmp/" + s.split("/tmp/")[1].split(" ")[0]
        print("Builtin RAMBLR assembler failed. Asm file at {}".format(fname))
    else:
        raise

if arch in archs.keys():
    print("\nTrying to autobuild for {}".format(arch))
    try:
        dir_path = os.path.dirname(os.path.realpath(__file__))
        print(
            subprocess.check_output(archs[arch].format(in_file=fname,
                                                       outfile=out_file),
예제 #3
0
  mov eax,0x2
  mov ebx,0x1
  mov esi,0x0
  int 0x80
  popa
  ret
  '''

patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))

# the following code is going to be executed just before the original instruction at 0x8048166
injected_code = '''
; at this code location, it is fine to clobber eax and ebx
mov eax, {transmitted_string} ; a patch can refer to another patch address, by putting its name between curly brackets
mov ebx, 4
call {transmit_function}
'''

patches.append(
    InsertCodePatch(0x8048166,
                    injected_code,
                    name="injected_code_after_receive"))

# now we ask to the backend to inject all our patches
backend.apply_patches(patches)

# and then we save the file
backend.save("/tmp/sh_mod1.exe")
# at this point you can try to run /tmp/CADET_00003_mod1 inside the DECREE VM or using our modified version of QEMU