danger/Patch_file
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "/"

Browse Source
This commit is contained in:
danger
2024-11-02 08:58:04 +08:00
parent 51db858e8d
commit 24973c323c
1 changed files with 16 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
binary_patch.py
View File

@@ -68,13 +68,13 @@ def patch_by_pltsec_jmp(elf_file, symbol, start_address_of_pltsec_jmp, target_fu
shellcode = b'\xe9' + p32(jmp_offset & 0xffffffff)
elf_file.write(start_address_of_pltsec_jmp, shellcode)
jmp_offset = pwn_binary.got[symbol] - (target_function_address + target_function_len + 7)
jmp_offset = elf_file.got[symbol] - (target_function_address + target_function_len + 7)
shellcode = b'\xf2\xff\x25' + p32(jmp_offset & 0xffffffff)
elf_file.write(target_function_address + target_function_len, shellcode)
elf_file.save(save_path)
def patch_strcpy(nbytes, save_patch, output=True):
def patch_strcpy(lief_binary, nbytes, save_path, output=True):
print("[\033[1;34m*\033[0m] get the length of buffer is 0x%x(%d)" % (nbytes, nbytes))
patch_strcpy_code = f"""
mov rdx, {nbytes - 1};
@@ -92,11 +92,10 @@ def patch_strcpy(nbytes, save_patch, output=True):
os.system("chmod +x " + save_path)
elf_patch = ELF(save_path)
patch_by_pltsec_jmp(elf_patch, 'strcpy', elf_patch.plt.strcpy, new_segment_address, len(patch_code), save_path)
patch_by_pltsec_jmp(elf_patch, 'strcpy', elf_patch.plt['strcpy'], new_segment_address, len(patch_code), save_path)
# to do
def patch_dprintf(save_path, output=True):
def patch_dprintf(lief_binary, save_path, output=True):
patch_dprintf_code = f"""
push rsi;
pop rdx;
@@ -117,28 +116,25 @@ def patch_dprintf(save_path, output=True):
os.system("chmod +x " + save_path)
elf_patch = ELF(save_path)
patch_by_pltsec_jmp(elf_patch, 'dprintf', elf_patch.plt.dprintf, new_segment_address, len(patch_code), save_path)
patch_by_pltsec_jmp(elf_patch, 'dprintf', elf_patch.plt['dprintf'], new_segment_address, len(patch_code), save_path)
def patch_recv(nbytes, save_path, output=True):
def patch_recv(lief_binary, nbytes, save_path, output=True):
patch_recv_code = f"""
mov rdx, {nbytes}
mov r10, rcx;
xor r8, r8;
xor r9, r9;
push 45;
pop rax;
syscall;
ret;
mov rdx, {nbytes};
"""
patch_code = asm(patch_recv_code)
if output:
print("the assmebly code :\n %s" % patch_recv_code)
print("the machine code :\n %s" % patch_code)
new_segment = add_segment(lief_binary, types = lief._lief.ELF.Segment.TYPE.LOAD, flags = 5, content=patch_code)
lief_binary.patch_pltgot("recv", new_segment.virtual_address)
new_segment_address = new_segment.virtual_address
lief_binary.write(save_path)
os.system("chmod +x " + save_path)
elf_patch = ELF(save_path)
patch_by_pltsec_jmp(elf_patch, 'recv', elf_patch.plt['recv'], new_segment_address, len(patch_code), save_path)
if __name__ == '__main__':
argv = sys.argv
@@ -147,6 +143,8 @@ if __name__ == '__main__':
save_path = path + "_patch"
lief_binary, pwn_binary = load_binary_file_information(path)
if sys.argv[2] == 'dprintf':
patch_dprintf(save_path)
patch_dprintf(lief_binary, save_path)
elif sys.argv[2] == 'strcpy':
patch_strcpy(int(sys.argv[3]), save_path)
patch_strcpy(lief_binary, int(sys.argv[3]), save_path)
elif sys.argv[2] == 'recv':
patch_recv(lief_binary, int(sys.argv[3]), save_path)