Upload files to "/"

binary_patch.py

@@ -61,39 +61,24 @@ def add_segment(lief_binary, content, types, flags, base=0x405000):
   print(segment.FLAGS.value)
   return segment
 
-'''
-def patch_by_call(start_address_of_call, target_function_address):
-  # caculate the offset
-  jmp_offset = target_function_address - (start_address_of_call + 5)
-  # call + p32(jmp_offset)
-'''
 
-def patch_strcpy(nbytes, save_path, output=True):
+def patch_by_pltsec_jmp(elf_file, symbol, start_address_of_pltsec_jmp, target_function_address, target_function_len, save_path):
+  # caculate the offset
+  jmp_offset = target_function_address - (start_address_of_pltsec_jmp + 5)
+  shellcode = b'\xe9' + p32(jmp_offset & 0xffffffff)
+  elf_file.write(start_address_of_pltsec_jmp, shellcode)
+  
+  jmp_offset = pwn_binary.got[symbol] - (target_function_address + target_function_len + 7)
+  shellcode = b'\xf2\xff\x25' + p32(jmp_offset & 0xffffffff)
+  elf_file.write(target_function_address + target_function_len, shellcode)
+  elf_file.save(save_path)
+
+
+def patch_strcpy(nbytes, save_patch, output=True):
   print("[\033[1;34m*\033[0m] get the length of buffer is 0x%x(%d)" % (nbytes, nbytes))
   patch_strcpy_code = f"""
-  save_register:
+    mov rdx, {nbytes - 1};
-    push rax;
-    push rcx;
-    push rdx;
-    xor rcx, rcx;
-    mov rdx, {nbytes-1};
     mov byte ptr [rdx + rsi], 0;
-  loop:
-    mov al, [rsi + rcx];
-    test al, al;
-    je ret_code;
-    
-    mov [rdi + rcx], al;
-    
-    inc rcx;
-    jmp loop;
-
-  ret_code:
-    mov [rsi + rcx], al;
-    pop rdx;
-    pop rcx;
-    pop rax;
-    ret;
   """
   patch_code = asm(patch_strcpy_code)
   if output:
@@ -101,46 +86,38 @@ def patch_strcpy(nbytes, save_path, output=True):
     print("the machine code :\n %s" % patch_code)
   
   new_segment = add_segment(lief_binary, types = lief._lief.ELF.Segment.TYPE.LOAD, flags = 5, content=patch_code)
-  lief_binary.patch_pltgot("strcpy", new_segment.virtual_address)
+  new_segment_address = new_segment.virtual_address
+  #lief_binary.patch_pltgot("strcpy", new_segment.virtual_address)
   lief_binary.write(save_path)
   os.system("chmod +x " + save_path)
+  
+  elf_patch = ELF(save_path)
+  patch_by_pltsec_jmp(elf_patch, 'strcpy', elf_patch.plt.strcpy, new_segment_address, len(patch_code), save_path)
 
 
 # to do
 def patch_dprintf(save_path, output=True):
   patch_dprintf_code = f"""
-  save_register:
+  push rsi;
-    push rdx;
+  pop rdx;
-    push rcx;
+  mov rax, [rsp];
-  
+  push 0x7325;
-  init_register:
+  push rsp
-    push rsi;
+  pop rsi;
-    pop rcx;
+  push rax;
-    xor rdx, rdx;
-    
-  get_the_buffer_len:
-    mov al, [rsi+rdx];
-    inc rdx;
-    test al, al;
-    jnz get_the_buffer_len;
-    
-  xor rax, rax;
-  mov al, 1;
-  syscall;
-  
-  ret_code:
-    pop rcx;
-    pop rdx;
-    ret;
   """
   patch_code = asm(patch_dprintf_code)
   if output:
     print("the assmebly code :\n %s" % patch_dprintf_code)
     print("the machine code :\n %s" % patch_code)
   new_segment = add_segment(lief_binary, types = lief._lief.ELF.Segment.TYPE.LOAD, flags = 5, content=patch_code)
-  lief_binary.patch_pltgot("dprintf", new_segment.virtual_address)
+  new_segment_address = new_segment.virtual_address
+  #lief_binary.patch_pltgot("dprintf", new_segment.virtual_address)
   lief_binary.write(save_path)
   os.system("chmod +x " + save_path)
+  
+  elf_patch = ELF(save_path)
+  patch_by_pltsec_jmp(elf_patch, 'dprintf', elf_patch.plt.dprintf, new_segment_address, len(patch_code), save_path)
 
 
 def patch_recv(nbytes, save_path, output=True):
@@ -163,10 +140,13 @@ def patch_recv(nbytes, save_path, output=True):
   lief_binary.write(save_path)
   os.system("chmod +x " + save_path)
 
-'''
-designed for console command
-'''
 if __name__ == '__main__':
   argv = sys.argv
   argc = len(sys.argv)
-
+  path = sys.argv[1]
+  save_path = path + "_patch" 
+  lief_binary, pwn_binary = load_binary_file_information(path)
+  if sys.argv[2] == 'dprintf':
+    patch_dprintf(save_path)
+  elif sys.argv[2] == 'strcpy':
+    patch_strcpy(int(sys.argv[3]), save_path)