From 1a8b917fe4699ab0de6ecc3bb7c744f8725aa843 Mon Sep 17 00:00:00 2001 From: Tek Date: Sun, 29 Mar 2020 00:18:24 +0100 Subject: [PATCH 1/5] add several syscalls --- miasm/os_dep/linux/environment.py | 3 + miasm/os_dep/linux/syscall.py | 186 +++++++++++++++++++++++++++++- 2 files changed, 188 insertions(+), 1 deletion(-) diff --git a/miasm/os_dep/linux/environment.py b/miasm/os_dep/linux/environment.py index 53a97ce8d..aa01d0d84 100644 --- a/miasm/os_dep/linux/environment.py +++ b/miasm/os_dep/linux/environment.py @@ -183,6 +183,9 @@ def __init__(self, number, family, type_, protocol): self.type_ = type_ self.protocol = protocol + def read(self, count): + return b"" + class FileSystem(object): """File system abstraction diff --git a/miasm/os_dep/linux/syscall.py b/miasm/os_dep/linux/syscall.py index 3b612f742..018670878 100644 --- a/miasm/os_dep/linux/syscall.py +++ b/miasm/os_dep/linux/syscall.py @@ -68,6 +68,157 @@ def _dump_struct_stat_arml(info): return data +def sys_x86_32_execve(jitter, linux_env): + # int execve(const char *pathname, char *const argv[], + # char *const envp[]); + pathname_addr, argv_ptr, envp_addr = jitter.syscall_args_systemv(3) + pathname = jitter.get_c_str(pathname_addr) + argv = [] + i = 0 + argv_addr = jitter.vm.get_u32(argv_ptr) + while argv_addr != 0: + argv.append(jitter.get_c_str(argv_addr)) + argv_ptr += 4 + argv_addr = jitter.vm.get_u32(argv_ptr) + envp = [] + i = 0 + while envp_addr != 0: + argv.append(jitter.get_c_str(envp_addr)) + i += 4 + argv_addr = jitter.vm.get_u32(jitter.cpu.EDX+i) + log.debug("sys_execve(%s, [%s], [%s])", pathname, + ", ".join(argv), ", ".join(envp)) + jitter.syscall_ret_systemv(0) + + +def sys_x86_64_execve(jitter, linux_env): + # int execve(const char *pathname, char *const argv[], + # char *const envp[]); + # TODO : merge that into a generic execve + pathname_addr, argv_ptr, envp_addr = jitter.syscall_args_systemv(3) + pathname = jitter.get_c_str(pathname_addr) + argv = [] + i = 0 + argv_addr = jitter.vm.get_u64(argv_ptr) + while argv_addr != 0: + argv.append(jitter.get_c_str(argv_addr)) + argv_ptr += 8 + argv_addr = jitter.vm.get_u64(argv_ptr) + envp = [] + i = 0 + while envp_addr != 0: + argv.append(jitter.get_c_str(envp_addr)) + i += 8 + argv_addr = jitter.vm.get_u64(jitter.cpu.EDX+i) + log.debug("sys_execve(%s, [%s], [%s])", pathname, + ", ".join(argv), ", ".join(envp)) + jitter.syscall_ret_systemv(0) + + +def sys_x86_32_socket(jitter, linux_env): + # int socketcall(int call, unsigned long *args) + # Redirect to several other socket syscalls + SOCKET_DOMAINS = { + 0: "AF_UNSPEC", + 1: "AF_UNIX", + 2: "AF_INET", + 3: "AF_AX25", + 4: "AF_IPX", + 5: "AF_APPLETALK", + 6: "AF_NETROM", + 7: "AF_BRIDGE", + 8: "AF_AAL5", + 9: "AF_X25", #Who cares ? + 10: "AF_INET6", + 11: "AF_MAX" + } + + SOCKET_TYPE = { + 1: "SOCK_STREAM", + 2: "SOCK_DGRAM", + 3: "SOCK_RAW" + } + + if jitter.cpu.EBX == 1: + # int socket(int domain, int type, int protocol); + domain = jitter.vm.get_u32(jitter.cpu.ESP) + stype = jitter.vm.get_u32(jitter.cpu.ESP+4) + proto = jitter.vm.get_u32(jitter.cpu.ESP+8) + fd = linux_env.socket(domain, stype, proto) + log.debug("socket(%s, %s, %s)", SOCKET_DOMAINS[domain], + SOCKET_TYPE[stype], proto) + jitter.syscall_ret_systemv(fd) + elif jitter.cpu.EBX == 2: + # int bind(int sockfd, const struct sockaddr *addr, + # socklen_t addrlen); + fd = jitter.vm.get_u32(jitter.cpu.ESP) + socklen = jitter.vm.get_u32(jitter.cpu.ESP+8) + sockaddr = jitter.vm.get_mem(jitter.cpu.ESP+4, socklen) + family = struct.unpack("H", sockaddr[0:2])[0] + if family == 2: + # IPv4 + port = struct.unpack(">H", sockaddr[2:4])[0] + ip = ".".join([str(i) for i in struct.unpack("BBBB", sockaddr[4:8])]) + log.debug("socket_bind(fd, [%s, %i, %s], %i)", SOCKET_DOMAINS[family], + port, ip, socklen) + else: + log.debug("socket_bind(fd, sockaddr, socklen_t)") + jitter.syscall_ret_systemv(0) + elif jitter.cpu.EBX == 3: + # int connect(int sockfd, const struct sockaddr *addr, + # socklen_t addrlen); + fd = jitter.vm.get_u32(jitter.cpu.ESP) + socklen = jitter.vm.get_u32(jitter.cpu.ESP+8) + # Not the exact size because shellcodes won't provide the full struct + sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8) + family = struct.unpack("H", sockaddr[0:2])[0] + if family == 2: + # IPv4 + port = struct.unpack(">H", sockaddr[2:4])[0] + ip = ".".join([str(i) for i in struct.unpack("BBBB", sockaddr[4:8])]) + log.debug("socket_connect(fd, [%s, %i, %s], %i)", SOCKET_DOMAINS[family], + port, ip, socklen) + else: + log.debug("socket_connect(fd, sockaddr, socklen)") + jitter.syscall_ret_systemv(0) + elif jitter.cpu.EBX == 4: + # int listen(int sockfd, int backlog); + sockfd = jitter.vm.get_u32(jitter.cpu.ESP) + backlog = jitter.vm.get_u32(jitter.cpu.ESP+4) + log.debug("socket_listen(%x, %x)", sockfd, backlog) + jitter.syscall_ret_systemv(0) + elif jitter.cpu.EBX == 5: + # int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); + sockfd = jitter.vm.get_u32(jitter.cpu.ESP) + sockaddr = jitter.vm.get_u32(jitter.cpu.ESP+4) + addrlen = jitter.vm.get_u32(jitter.cpu.ESP+8) + log.debug("socket_accept(%x, %x, %x)", sockfd, sockaddr, addrlen) + jitter.syscall_ret_systemv(0) + elif jitter.cpu.EBX == 14: + # SYS_SETSOCKOPT + # int setsockopt(int sockfd, int level, int optname, + # const void *optval, socklen_t optlen); + sockfd = jitter.vm.get_u32(jitter.cpu.ESP) + level = jitter.vm.get_u32(jitter.cpu.ESP+4) + optname = jitter.vm.get_u32(jitter.cpu.ESP+8) + optval_addr = jitter.vm.get_u32(jitter.cpu.ESP+12) + optlen = jitter.vm.get_u32(jitter.cpu.ESP+16) + log.debug("socket_setsockopt(%x, %x, %x, %x, %x)", sockfd, level, optname, + optval_addr, optlen) + jitter.syscall_ret_systemv(0) + else: + print(jitter.cpu.EBX) + raise NotImplemented() + + +def sys_generic_chmod(jitter, linux_env): + # int chmod(const char *pathname, mode_t mode); + path_addr, mode = jitter.syscall_args_systemv(2) + pathname = jitter.get_c_str(path_addr) + log.debug("sys_chmod(%s, %x)", pathname, mode) + jitter.syscall_ret_systemv(0) + + def sys_x86_64_rt_sigaction(jitter, linux_env): # Parse arguments sig, act, oact, sigsetsize = jitter.syscall_args_systemv(4) @@ -531,7 +682,12 @@ def sys_generic_write(jitter, linux_env): # Stub data = jitter.vm.get_mem(buf, count) - jitter.syscall_ret_systemv(linux_env.write(fd, data)) + r = linux_env.write(fd, data) + if r is None: + log.debug("-> write : failed") + jitter.syscall_ret_systemv(-1) + else: + jitter.syscall_ret_systemv(r) def sys_x86_64_getdents(jitter, linux_env): @@ -614,6 +770,14 @@ def sys_x86_64_newlstat(jitter, linux_env): jitter.cpu.RAX = 0 +def sys_generic_exit(jitter, linux_env): + # void exit(int status); + status, = jitter.syscall_args_systemv(1) + log.debug("sys_exit(%i)", status) + jitter.run = False + jitter.pc = 0 + + def sys_arml_lstat64(jitter, linux_env): # Parse arguments filename = jitter.cpu.R0 @@ -821,6 +985,14 @@ def sys_generic_setgid(jitter, linux_env): jitter.syscall_ret_systemv(0) +def sys_generic_setreuid(jitter, linux_env): + # Parse arguments + ruid, euid = jitter.syscall_args_systemv(2) + log.debug("sys_setreuid(%x, %x)", ruid, euid) + + jitter.syscall_ret_systemv(0) + + def sys_generic_setuid(jitter, linux_env): # Parse arguments uid, = jitter.syscall_args_systemv(1) @@ -899,7 +1071,16 @@ def sys_arml_gettimeofday(jitter, linux_env): syscall_callbacks_x86_32 = { + 0x1: sys_generic_exit, + 0x3: sys_generic_read, + 0x4: sys_generic_write, + 0x5: sys_generic_open, + 0xB: sys_x86_32_execve, + 0xF: sys_generic_chmod, + 0x46: sys_generic_setreuid, + 0x66: sys_x86_32_socket, 0x7A: sys_x86_32_newuname, + 0x7D: sys_generic_mprotect, } @@ -925,15 +1106,18 @@ def sys_arml_gettimeofday(jitter, linux_env): 0x27: sys_x86_64_getpid, 0x29: sys_x86_64_socket, 0x2A: sys_x86_64_connect, + 0x3B: sys_x86_64_execve, 0x3F: sys_x86_64_newuname, 0x48: sys_generic_fcntl64, 0x4E: sys_x86_64_getdents, 0x59: sys_x86_64_readlink, + 0x5A: sys_generic_chmod, 0x63: sys_x86_64_sysinfo, 0x66: sys_generic_getuid, 0x68: sys_generic_getgid, 0x6B: sys_generic_geteuid, 0x6C: sys_generic_getegid, + 0x71: sys_generic_setreuid, 0xE4: sys_x86_64_clock_gettime, 0x89: sys_x86_64_statfs, 0x9E: sys_x86_64_arch_prctl, From eca36354014cd072d72f6f3958eb1666fc89e641 Mon Sep 17 00:00:00 2001 From: Tek Date: Tue, 31 Mar 2020 01:55:45 +0200 Subject: [PATCH 2/5] fixes bugs in socket --- miasm/os_dep/linux/syscall.py | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/miasm/os_dep/linux/syscall.py b/miasm/os_dep/linux/syscall.py index 0676cafcf..35fd2b054 100644 --- a/miasm/os_dep/linux/syscall.py +++ b/miasm/os_dep/linux/syscall.py @@ -153,13 +153,20 @@ def sys_x86_32_socket(jitter, linux_env): # socklen_t addrlen); fd = jitter.vm.get_u32(jitter.cpu.ESP) socklen = jitter.vm.get_u32(jitter.cpu.ESP+8) - sockaddr = jitter.vm.get_mem(jitter.cpu.ESP+4, socklen) + sockaddr = jitter.vm.get_mem( + jitter.vm.get_u32(jitter.cpu.ESP+4), + socklen) family = struct.unpack("H", sockaddr[0:2])[0] if family == 2: # IPv4 port = struct.unpack(">H", sockaddr[2:4])[0] ip = ".".join([str(i) for i in struct.unpack("BBBB", sockaddr[4:8])]) - log.debug("socket_bind(fd, [%s, %i, %s], %i)", SOCKET_DOMAINS[family], + log.debug("socket_bind(fd, [%s, %i, %s], %i)", "AF_INET", + port, ip, socklen) + elif family == 10: + port = struct.unpack(">H", sockaddr[2:4])[0] + ip = ".".join([str(i) for i in struct.unpack("B"*16, sockaddr[8:24])]) + log.debug("socket_bind(fd, [%s, %i, %s], %i)", "AF_INET6", port, ip, socklen) else: log.debug("socket_bind(fd, sockaddr, socklen_t)") @@ -169,14 +176,22 @@ def sys_x86_32_socket(jitter, linux_env): # socklen_t addrlen); fd = jitter.vm.get_u32(jitter.cpu.ESP) socklen = jitter.vm.get_u32(jitter.cpu.ESP+8) - # Not the exact size because shellcodes won't provide the full struct - sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8) + try: + sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 28) + except RuntimeError: + # Not the exact size because shellcodes won't provide the full struct + sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8) family = struct.unpack("H", sockaddr[0:2])[0] if family == 2: # IPv4 port = struct.unpack(">H", sockaddr[2:4])[0] ip = ".".join([str(i) for i in struct.unpack("BBBB", sockaddr[4:8])]) - log.debug("socket_connect(fd, [%s, %i, %s], %i)", SOCKET_DOMAINS[family], + log.debug("socket_connect(fd, [%s, %i, %s], %i)", "AF_INET", + port, ip, socklen) + elif family == 10: + port = struct.unpack(">H", sockaddr[2:4])[0] + ip = ".".join([str(i) for i in struct.unpack("B"*16, sockaddr[8:24])]) + log.debug("socket_connect(fd, [%s, %i, %s], %i)", "AF_INET6", port, ip, socklen) else: log.debug("socket_connect(fd, sockaddr, socklen)") @@ -207,7 +222,6 @@ def sys_x86_32_socket(jitter, linux_env): optval_addr, optlen) jitter.syscall_ret_systemv(0) else: - print(jitter.cpu.EBX) raise NotImplemented() From 13e8a4fa06e7203ad810350ccaa63243fb6a3b60 Mon Sep 17 00:00:00 2001 From: Tek Date: Tue, 7 Apr 2020 22:54:09 +0200 Subject: [PATCH 3/5] Improve linux syscalls --- miasm/os_dep/linux/environment.py | 12 +++++++ miasm/os_dep/linux/syscall.py | 60 ++++++++++++++++++++++--------- 2 files changed, 56 insertions(+), 16 deletions(-) diff --git a/miasm/os_dep/linux/environment.py b/miasm/os_dep/linux/environment.py index aa01d0d84..aeefd0a4b 100644 --- a/miasm/os_dep/linux/environment.py +++ b/miasm/os_dep/linux/environment.py @@ -368,6 +368,18 @@ def open_(self, path, flags, follow_link=True): fdesc.blocks = (size + ((512 - (size % 512)) % 512)) // 512 return fd + def chmod(self, path, mode): + """Stub for 'chmod' syscall""" + sb_path = self.resolve_path(path) + if os.path.exists(sb_path): + try: + os.chmod(sb_path, mode) + except (OverflowError, FileNotFoundError): + return -1 + return 0 + else: + return -1 + class Networking(object): """Network abstraction""" diff --git a/miasm/os_dep/linux/syscall.py b/miasm/os_dep/linux/syscall.py index 35fd2b054..e01edfefb 100644 --- a/miasm/os_dep/linux/syscall.py +++ b/miasm/os_dep/linux/syscall.py @@ -83,9 +83,9 @@ def sys_x86_32_execve(jitter, linux_env): envp = [] i = 0 while envp_addr != 0: - argv.append(jitter.get_c_str(envp_addr)) + envp.append(jitter.get_c_str(envp_addr)) i += 4 - argv_addr = jitter.vm.get_u32(jitter.cpu.EDX+i) + envp_addr = jitter.vm.get_u32(jitter.cpu.EDX+i) log.debug("sys_execve(%s, [%s], [%s])", pathname, ", ".join(argv), ", ".join(envp)) jitter.syscall_ret_systemv(0) @@ -107,9 +107,9 @@ def sys_x86_64_execve(jitter, linux_env): envp = [] i = 0 while envp_addr != 0: - argv.append(jitter.get_c_str(envp_addr)) + envp.append(jitter.get_c_str(envp_addr)) i += 8 - argv_addr = jitter.vm.get_u64(jitter.cpu.EDX+i) + envp_addr = jitter.vm.get_u64(jitter.cpu.EDX+i) log.debug("sys_execve(%s, [%s], [%s])", pathname, ", ".join(argv), ", ".join(envp)) jitter.syscall_ret_systemv(0) @@ -118,6 +118,16 @@ def sys_x86_64_execve(jitter, linux_env): def sys_x86_32_socket(jitter, linux_env): # int socketcall(int call, unsigned long *args) # Redirect to several other socket syscalls + # https://github.com/torvalds/linux/blob/master/include/uapi/linux/net.h + SOCKET_CALLS = { + 1: "SYS_SOCKET", + 2: "SYS_BIND", + 3: "SYS_CONNECT", + 4: "SYS_LISTEN", + 5: "SYS_ACCEPT", + 14: "SYS_SETSOCKOPT" + } + SOCKET_DOMAINS = { 0: "AF_UNSPEC", 1: "AF_UNIX", @@ -139,7 +149,9 @@ def sys_x86_32_socket(jitter, linux_env): 3: "SOCK_RAW" } - if jitter.cpu.EBX == 1: + if jitter.cpu.EBX not in SOCKET_CALLS.keys(): + raise NotImplemented("SysCall Not Implemented") + if SOCKET_CALLS[jitter.cpu.EBX] == "SYS_SOCKET": # int socket(int domain, int type, int protocol); domain = jitter.vm.get_u32(jitter.cpu.ESP) stype = jitter.vm.get_u32(jitter.cpu.ESP+4) @@ -148,14 +160,18 @@ def sys_x86_32_socket(jitter, linux_env): log.debug("socket(%s, %s, %s)", SOCKET_DOMAINS[domain], SOCKET_TYPE[stype], proto) jitter.syscall_ret_systemv(fd) - elif jitter.cpu.EBX == 2: + elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_BIND": # int bind(int sockfd, const struct sockaddr *addr, # socklen_t addrlen); fd = jitter.vm.get_u32(jitter.cpu.ESP) socklen = jitter.vm.get_u32(jitter.cpu.ESP+8) - sockaddr = jitter.vm.get_mem( - jitter.vm.get_u32(jitter.cpu.ESP+4), - socklen) + try: + sockaddr = jitter.vm.get_mem( + jitter.vm.get_u32(jitter.cpu.ESP+4), + socklen) + except RuntimeError: + # Not the exact size because shellcodes won't provide the full struct + sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8) family = struct.unpack("H", sockaddr[0:2])[0] if family == 2: # IPv4 @@ -164,6 +180,7 @@ def sys_x86_32_socket(jitter, linux_env): log.debug("socket_bind(fd, [%s, %i, %s], %i)", "AF_INET", port, ip, socklen) elif family == 10: + # IPv6 port = struct.unpack(">H", sockaddr[2:4])[0] ip = ".".join([str(i) for i in struct.unpack("B"*16, sockaddr[8:24])]) log.debug("socket_bind(fd, [%s, %i, %s], %i)", "AF_INET6", @@ -171,13 +188,15 @@ def sys_x86_32_socket(jitter, linux_env): else: log.debug("socket_bind(fd, sockaddr, socklen_t)") jitter.syscall_ret_systemv(0) - elif jitter.cpu.EBX == 3: + elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_CONNECT": # int connect(int sockfd, const struct sockaddr *addr, # socklen_t addrlen); fd = jitter.vm.get_u32(jitter.cpu.ESP) socklen = jitter.vm.get_u32(jitter.cpu.ESP+8) try: - sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 28) + sockaddr = jitter.vm.get_mem( + jitter.vm.get_u32(jitter.cpu.ESP+4), + socklen) except RuntimeError: # Not the exact size because shellcodes won't provide the full struct sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8) @@ -196,20 +215,20 @@ def sys_x86_32_socket(jitter, linux_env): else: log.debug("socket_connect(fd, sockaddr, socklen)") jitter.syscall_ret_systemv(0) - elif jitter.cpu.EBX == 4: + elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_LISTEN": # int listen(int sockfd, int backlog); sockfd = jitter.vm.get_u32(jitter.cpu.ESP) backlog = jitter.vm.get_u32(jitter.cpu.ESP+4) log.debug("socket_listen(%x, %x)", sockfd, backlog) jitter.syscall_ret_systemv(0) - elif jitter.cpu.EBX == 5: + elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_ACCEPT": # int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); sockfd = jitter.vm.get_u32(jitter.cpu.ESP) sockaddr = jitter.vm.get_u32(jitter.cpu.ESP+4) addrlen = jitter.vm.get_u32(jitter.cpu.ESP+8) log.debug("socket_accept(%x, %x, %x)", sockfd, sockaddr, addrlen) jitter.syscall_ret_systemv(0) - elif jitter.cpu.EBX == 14: + elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_SETSOCKOPT": # SYS_SETSOCKOPT # int setsockopt(int sockfd, int level, int optname, # const void *optval, socklen_t optlen); @@ -230,7 +249,10 @@ def sys_generic_chmod(jitter, linux_env): path_addr, mode = jitter.syscall_args_systemv(2) pathname = jitter.get_c_str(path_addr) log.debug("sys_chmod(%s, %x)", pathname, mode) - jitter.syscall_ret_systemv(0) + + # Stub + ret = linux_env.filesystem.chmod(pathname, mode) + jitter.syscall_ret_systemv(ret) def sys_x86_64_rt_sigaction(jitter, linux_env): @@ -789,7 +811,6 @@ def sys_generic_exit(jitter, linux_env): status, = jitter.syscall_args_systemv(1) log.debug("sys_exit(%i)", status) jitter.run = False - jitter.pc = 0 def sys_arml_lstat64(jitter, linux_env): @@ -1004,6 +1025,13 @@ def sys_generic_setreuid(jitter, linux_env): ruid, euid = jitter.syscall_args_systemv(2) log.debug("sys_setreuid(%x, %x)", ruid, euid) + # WARNING : no privilege check here + # Easy privilege escalation, just ask + if ruid > -1: + linux_env.user_uid = ruid + if euid > -1: + linux_env.user_euid = euid + jitter.syscall_ret_systemv(0) From c3854c58f0d18b5f9c94d91cc9d03e3817b37e39 Mon Sep 17 00:00:00 2001 From: Tek Date: Tue, 7 Apr 2020 23:05:08 +0200 Subject: [PATCH 4/5] add example script of shellcode emulation on linux --- example/jitter/simu_sc_linux.py | 63 +++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 example/jitter/simu_sc_linux.py diff --git a/example/jitter/simu_sc_linux.py b/example/jitter/simu_sc_linux.py new file mode 100644 index 000000000..1899ff0a5 --- /dev/null +++ b/example/jitter/simu_sc_linux.py @@ -0,0 +1,63 @@ +from argparse import ArgumentParser +from pdb import pm +from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_INT_XX, EXCEPT_ACCESS_VIOL, EXCEPT_PRIV_INSN +from miasm.analysis.machine import Machine +from miasm.os_dep.linux import environment, syscall +import logging + + +def code_sentinelle(jitter): + print("Done") + jitter.run = False + jitter.pc = 0 + return True + +def priv(jitter): + print("Privilege Exception") + return False + + +if __name__ == '__main__': + parser = ArgumentParser(description="Linux shellcode") + parser.add_argument("filename", help="Shellcode filename") + parser.add_argument("-j", "--jitter", + help="Jitter engine", + default="python") + parser.add_argument("-a", "--arch", help="Architecture (x86_32, \ + x86_64, arml)", choices=["x86_32", "x86_64", "arml"], + default="x86_32") + parser.add_argument("--verbose", "-v", action="store_true", + help="Verbose mode") + args = parser.parse_args() + + myjit = Machine(args.arch).jitter(args.jitter) + myjit.init_stack() + + + data = open(args.filename, 'rb').read() + run_addr = 0x40000000 + myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data) + if args.verbose: + myjit.set_trace_log() + myjit.add_exception_handler(EXCEPT_PRIV_INSN, priv) + myjit.add_exception_handler(EXCEPT_ACCESS_VIOL, code_sentinelle) + + # Log syscalls + log = logging.getLogger('syscalls') + log.setLevel(logging.DEBUG) + + # Enable syscall handling + if args.arch == "x86_32": + myjit.push_uint32_t(0x1337beef) + myjit.add_breakpoint(0x1337beef, code_sentinelle) + env = environment.LinuxEnvironment_x86_32() + syscall.enable_syscall_handling(myjit, env, syscall.syscall_callbacks_x86_32) + elif args.arch == "x86_64": + myjit.push_uint64_t(0x1337beef) + myjit.add_breakpoint(0x1337beef, code_sentinelle) + env = environment.LinuxEnvironment_x86_64() + syscall.enable_syscall_handling(myjit, env, syscall.syscall_callbacks_x86_64) + else: + env = environment.LinuxEnvironment_arml() + syscall.enable_syscall_handling(myjit, env, syscall.syscall_callbacks_arml) + myjit.run(run_addr) From 84d96a1e6e7740b1e0200148a5a3d4c6be285b35 Mon Sep 17 00:00:00 2001 From: Tek Date: Tue, 7 Apr 2020 23:11:56 +0200 Subject: [PATCH 5/5] Add additional test --- .travis.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 3a9d4b075..b55280968 100644 --- a/.travis.yml +++ b/.travis.yml @@ -24,7 +24,8 @@ env: - MIASM_TEST_EXTRA_ARG="-o python -t qemu,long" - MIASM_TEST_EXTRA_ARG="-o z3" - MIASM_TEST_EXTRA_ARG="-o cparser" - - MIASM_EXTENTED_TESTS="ls_x64" + - MIASM_EXTENTED_TESTS_1="ls_x64" + - MIASM_EXTENTED_TESTS_2="shellcode_x86" before_script: - pip install -r optional_requirements.txt # codespell @@ -36,4 +37,5 @@ before_script: - git clone https://github.com/cea-sec/miasm-extended-tests script: - test -z "$MIASM_TEST_EXTRA_ARG" || (cd test && flags=""; python --version |& grep -q "Python 3" || flags="-W error"; python $flags test_all.py $MIASM_TEST_EXTRA_ARG && git ls-files -o --exclude-standard) - - test -z "$MIASM_EXTENTED_TESTS" || (cd "miasm-extended-tests/$MIASM_EXTENTED_TESTS" && ./run.sh "$TRAVIS_BUILD_DIR") + - test -z "$MIASM_EXTENTED_TESTS_1" || (cd "miasm-extended-tests/$MIASM_EXTENTED_TESTS_1" && ./run.sh "$TRAVIS_BUILD_DIR") + - test -z "$MIASM_EXTENTED_TESTS_2" || (cd "miasm-extended-tests/$MIASM_EXTENTED_TESTS_2" && ./run.sh "$TRAVIS_BUILD_DIR")