From 24973c323cf340b5ee58e1ba7252c17a3ecbacd1 Mon Sep 17 00:00:00 2001
From: danger
Date: Sat, 2 Nov 2024 08:58:04 +0800
Subject: [PATCH] Upload files to "/"

---
 binary_patch.py | 34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/binary_patch.py b/binary_patch.py
index 773f442..23de151 100644
--- a/binary_patch.py
+++ b/binary_patch.py
@@ -68,13 +68,13 @@ def patch_by_pltsec_jmp(elf_file, symbol, start_address_of_pltsec_jmp, target_fu
     shellcode = b'\xe9' + p32(jmp_offset & 0xffffffff)
     elf_file.write(start_address_of_pltsec_jmp, shellcode)
 
-    jmp_offset = pwn_binary.got[symbol] - (target_function_address + target_function_len + 7)
+    jmp_offset = elf_file.got[symbol] - (target_function_address + target_function_len + 7)
     shellcode = b'\xf2\xff\x25' + p32(jmp_offset & 0xffffffff)
     elf_file.write(target_function_address + target_function_len, shellcode)
 
     elf_file.save(save_path)
 
-def patch_strcpy(nbytes, save_patch, output=True):
+def patch_strcpy(lief_binary, nbytes, save_path, output=True):
     print("[\033[1;34m*\033[0m] get the length of buffer is 0x%x(%d)" % (nbytes, nbytes))
     patch_strcpy_code = f"""
         mov rdx, {nbytes - 1};
@@ -92,11 +92,10 @@ def patch_strcpy(nbytes, save_patch, output=True):
     os.system("chmod +x " + save_path)
 
     elf_patch = ELF(save_path)
-    patch_by_pltsec_jmp(elf_patch, 'strcpy', elf_patch.plt.strcpy, new_segment_address, len(patch_code), save_path)
-
+    patch_by_pltsec_jmp(elf_patch, 'strcpy', elf_patch.plt['strcpy'], new_segment_address, len(patch_code), save_path)
 # to do
-def patch_dprintf(save_path, output=True):
+def patch_dprintf(lief_binary, save_path, output=True):
     patch_dprintf_code = f"""
         push rsi;
         pop rdx;
 
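Review bot: `p32(jmp_offset & 0xffffffff)` on the corrected `elf_file.got[symbol]` line truncates silently, so a displacement outside the signed 32-bit range (the injected segment landing more than 2 GiB from the GOT) encodes a `bnd jmp [rip+disp32]` that transfers control to an unrelated address instead of failing at patch time. Add a range check before encoding, e.g. `assert -0x80000000 <= jmp_offset < 0x80000000, "GOT trampoline out of rel32 range"`; the `\xe9` rel32 two lines above needs the same guard. The 7-byte trampoline is also written at `target_function_address + target_function_len`, i.e. past the bytes the caller injected, so the function should document that callers must leave that slack in the segment. patch_by_pltsec_jmp begins before the hunk and patch_strcpy continues past it.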
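Review bot: `os.system("chmod +x " + save_path)` builds a shell command string from `save_path`, which is derived from the command-line path, so a path containing shell metacharacters is interpreted by the shell rather than treated as a file name; `os.chmod(save_path, os.stat(save_path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)` with `import stat` does the same without a shell. The same call appears twice in the next hunk (patch_dprintf and patch_recv). The removed blank line leaves `# to do` glued to patch_strcpy's last statement and it says nothing about what is pending; move it above `def patch_dprintf` as an actionable marker such as `# TODO(owner): describe what patch_dprintf still lacks`. patch_strcpy begins before the hunk and patch_dprintf continues past it.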
@@ -117,28 +116,25 @@ def patch_dprintf(save_path, output=True):
     os.system("chmod +x " + save_path)
 
     elf_patch = ELF(save_path)
-    patch_by_pltsec_jmp(elf_patch, 'dprintf', elf_patch.plt.dprintf, new_segment_address, len(patch_code), save_path)
+    patch_by_pltsec_jmp(elf_patch, 'dprintf', elf_patch.plt['dprintf'], new_segment_address, len(patch_code), save_path)
 
-def patch_recv(nbytes, save_path, output=True):
+def patch_recv(lief_binary, nbytes, save_path, output=True):
     patch_recv_code = f"""
-        mov rdx, {nbytes}
-        mov r10, rcx;
-        xor r8, r8;
-        xor r9, r9;
-        push 45;
-        pop rax;
-        syscall;
-        ret;
+        mov rdx, {nbytes};
     """
     patch_code = asm(patch_recv_code)
     if output:
         print("the assmebly code :\n %s" % patch_recv_code)
         print("the machine code :\n %s" % patch_code)
     new_segment = add_segment(lief_binary, types = lief._lief.ELF.Segment.TYPE.LOAD, flags = 5, content=patch_code)
-    lief_binary.patch_pltgot("recv", new_segment.virtual_address)
+    new_segment_address = new_segment.virtual_address
+    lief_binary.write(save_path)
     os.system("chmod +x " + save_path)
+
+    elf_patch = ELF(save_path)
+    patch_by_pltsec_jmp(elf_patch, 'recv', elf_patch.plt['recv'], new_segment_address, len(patch_code), save_path)
 
 if __name__ == '__main__':
     argv = sys.argv
@@ -147,6 +143,8 @@ if __name__ == '__main__':
     save_path = path + "_patch"
     lief_binary, pwn_binary = load_binary_file_information(path)
     if sys.argv[2] == 'dprintf':
-        patch_dprintf(save_path)
+        patch_dprintf(lief_binary, save_path)
     elif sys.argv[2] == 'strcpy':
-        patch_strcpy(int(sys.argv[3]), save_path)
+        patch_strcpy(lief_binary, int(sys.argv[3]), save_path)
+    elif sys.argv[2] == 'recv':
+        patch_recv(lief_binary, int(sys.argv[3]), save_path)
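Review bot: The new `patch_by_pltsec_jmp(elf_patch, 'recv', ...)` call writes a 7-byte GOT trampoline at `new_segment_address + len(patch_code)`, but the segment is created with `content=patch_code` only, so those bytes lie past the content handed to add_segment unless that helper pads the segment (I cannot see add_segment from here); reserving the tail explicitly, `content=patch_code + b'\x00' * 7`, makes the layout independent of any padding. `flags = 5` is an unexplained constant; a comment such as `# PF_R | PF_X: the stub segment is mapped executable` would make the executable mapping visible to a reviewer. `nbytes` is interpolated into `mov rdx, {nbytes};` with no range check, so a negative or oversized value from the command line yields an invalid or unexpected immediate; reject it before assembling. patch_dprintf begins before the hunk.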
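Review bot: The new `elif sys.argv[2] == 'recv':` branch reads `sys.argv[3]` without checking that it is present or positive, and an unrecognised second argument falls through every branch so the script exits having written nothing and said nothing. Add a final `else: sys.exit(f"unknown patch target: {sys.argv[2]!r}")`, and reject `nbytes <= 0` before calling patch_recv or patch_strcpy. `argv = sys.argv` is bound at the top of the block while the branches index `sys.argv` directly; use one or the other. The `if __name__ == '__main__':` block begins before the hunk.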