From 70d068db225d5fcb1ff5aa7f7f0c2f0b07176f05 Mon Sep 17 00:00:00 2001
From: JoYo
Date: Tue, 12 Jan 2016 20:05:45 -0500
Subject: [PATCH] load and execute
---
 pic-linux.c | 83 ++++++++++++++++++++++++++++-------------------------
 scrap.asm | 20 +++++++++++++
 2 files changed, 64 insertions(+), 39 deletions(-)
 create mode 100644 scrap.asm
diff --git a/pic-linux.c b/pic-linux.c
index 4bfd299..66251e7 100644
--- a/pic-linux.c
+++ b/pic-linux.c
@@ -1,48 +1,53 @@
 #include
-#include
 #include
-#include
+#include
+#include
 #include
 #include
 #include
+#include
+#include
+#include
+#include
 #include
+#include
+#include
+#include
 #pragma comment(lib, "openssl/sha.lib")
-
-char *picProto(void *picAddr, size_t picSize, void *clonePtr) {
- char *(*cloneFunc)(void *, size_t) = clonePtr;
- return cloneFunc(picAddr, picSize);
+void picProto(void *picAddr, size_t picSize, void *clonePtr, char *checksum) {
+ void (*cloneFunc)(void *, size_t, char *) = clonePtr;
+ cloneFunc(picAddr, picSize, checksum);
+ return;
 }
-char *clone(void *picAddr, size_t picSize) {
+void clone(void *picAddr, size_t picSize, char *checksum) {
 auto retVal = EX_SOFTWARE;
- srand((unsigned int)time(NULL));
+ srand(time(NULL));
 unsigned int picOffset = (rand() % (picSize + 1));
+ unsigned char picFlip = ((char *)picAddr)[picOffset] & (rand() % 1);
- ((char *)picAddr)[picOffset] = ((char *)picAddr)[picOffset] & (rand() % 1);
+ ((char *)picAddr)[picOffset] = picFlip;
- unsigned char *digest = NULL;
- SHA_CTX sha;
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ SHA1(picAddr, picSize, digest);
- SHA1_Init(&sha);
- SHA1_Update(&sha, picAddr, picSize);
- SHA1_Final(digest, &sha);
+ for (int iter = 0; iter < SHA_DIGEST_LENGTH; iter++) {
+ sprintf(&checksum[iter * 2], "%02x", digest[iter]);
+ }
- char *fileOutPath = NULL;
- sprintf(fileOutPath, "./%s_%x.bin", digest, rand());
-
- FILE *fileOutHandle = fopen(fileOutPath, "wb");
+ FILE *fileOutHandle = fopen(checksum, "w+");
 if (NULL == fileOutHandle) {
- retVal = EX_SOFTWARE;
+ retVal = errno;
 goto CLONE_CLEANUP;
 }
 retVal = fwrite(picAddr, 1, picSize, fileOutHandle);
 if (retVal != picSize) {
- retVal = EX_SOFTWARE;
+ retVal = errno;
 goto CLONE_CLEANUP;
 }
@@ -51,7 +56,7 @@ CLONE_CLEANUP:
 if (fileOutHandle) {
 fclose(fileOutHandle);
 }
- return fileOutPath;
+ return;
 }
 int main(int argc, const char **argv) {
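Review bot: `picOffset` is drawn with `rand() % (picSize + 1)`, so it can equal `picSize`, and the new `picFlip` line then reads — and the following store writes — one byte past the end of the PIC buffer; `unsigned int picOffset = rand() % picSize;` (with `picSize > 0` checked first) keeps the index in range. On the same lines `rand() % 1` is always 0, so `picFlip` is always 0 and the "flip" zeroes a random byte rather than varying it — presumably `% 2` or an XOR was intended. Because `clone()` is now `void`, the `retVal` it sets to `errno` on a failed `fopen()`/`fwrite()` is computed and discarded, so neither `picProto()` nor the caller can tell that no output file was written; returning `int` and carrying that through the `clonePtr` signature would keep the signal. `clone()` continues into the following hunk.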
@@ -60,34 +65,33 @@ int main(int argc, const char **argv) {
 FILE *fileInHandle = fopen(fileInPath, "rb");
 if (NULL == fileInHandle) {
- retVal = EX_SOFTWARE;
+ retVal = errno;
 goto MAIN_CLEANUP;
 }
- fseek(fileInHandle, 0L, SEEK_END);
- size_t picBuffer_len = ftell(fileInHandle);
- fseek(fileInHandle, 0L, SEEK_SET);
- if (0 >= picBuffer_len) {
- retVal = EX_SOFTWARE;
+ struct stat picStat;
+ fstat(fileno(fileInHandle), &picStat);
+ if (-1 == picStat.st_size) {
+ retVal = errno;
 goto MAIN_CLEANUP;
 }
- void *picBuffer = malloc(picBuffer_len);
+ void *picBuffer = memalign(getpagesize(), picStat.st_size);
 if (NULL == picBuffer) {
- retVal = EX_SOFTWARE;
+ retVal = errno;
 goto MAIN_CLEANUP;
 }
- memset(&picBuffer, 0, picBuffer_len);
- retVal = mprotect(picBuffer, picBuffer_len, PROT_EXEC);
- if (0 == retVal) {
- retVal = EX_SOFTWARE;
+ retVal =
+ mprotect(picBuffer, picStat.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
+ if (0 != retVal) {
+ retVal = errno;
 goto MAIN_CLEANUP;
 }
- retVal = fread(picBuffer, 1, picBuffer_len, fileInHandle);
- if (retVal != picBuffer_len) {
- retVal = EX_SOFTWARE;
+ retVal = fread(picBuffer, 1, picStat.st_size, fileInHandle);
+ if (retVal != picStat.st_size) {
+ retVal = errno;
 goto MAIN_CLEANUP;
 }
@@ -95,10 +99,11 @@ int main(int argc, const char **argv) {
 fclose(fileInHandle);
 }
- char *(*cloneFunc)(void *, size_t) = clone;
- void *(*picFunc)(void *, size_t, void *) = picBuffer;
+ char checksum[(SHA_DIGEST_LENGTH * 2) + 1];
+ void (*cloneFunc)(void *, size_t, char *) = clone;
+ void (*picFunc)(void *, size_t, void *, char *) = picBuffer;
- char *childPath = picFunc(picBuffer, picBuffer_len, cloneFunc);
+ picFunc(picBuffer, picStat.st_size, cloneFunc, &checksum);
 retVal = EX_OK;
 MAIN_CLEANUP:
diff --git a/scrap.asm b/scrap.asm
new file mode 100644
index 0000000..11fdbb9
--- /dev/null
+++ b/scrap.asm
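Review bot: The return value of `fstat()` is ignored and `-1 == picStat.st_size` is not an error test — on failure `st_size` is simply left uninitialised, and a zero-length file passes the check and reaches `memalign(getpagesize(), 0)`; replacing the two lines with `if (fstat(fileno(fileInHandle), &picStat) != 0 || picStat.st_size <= 0) {` in front of the existing `retVal = errno; goto MAIN_CLEANUP;` covers both. `mprotect()` rounds its length up to a whole page, so applying `PROT_READ | PROT_WRITE | PROT_EXEC` to a `memalign()` block of `st_size` bytes also makes whatever else the allocator placed in that last page executable; a dedicated `mmap()` of page-rounded length confines the executable range to the PIC itself and is the usual way to get memory meant to be executed. `retVal = errno` after a short `fread()` can report a stale or zero errno, since a read truncated at EOF sets none — that path can fall through to `MAIN_CLEANUP` with 0, i.e. success — so test `ferror()` or use a fixed code there. `main()` starts before and ends after this hunk.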
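Review bot: `picFunc(picBuffer, picStat.st_size, cloneFunc, &checksum)` passes `&checksum`, which has type `char (*)[(SHA_DIGEST_LENGTH * 2) + 1]`, where the declared parameter is `char *`; the address happens to be the same, but it is an incompatible-pointer-type diagnostic and should read `picFunc(picBuffer, picStat.st_size, cloneFunc, checksum);`. `checksum` is also never initialised, so if the loaded code returns without filling it, any later use of it as a string reads indeterminate bytes — `char checksum[(SHA_DIGEST_LENGTH * 2) + 1] = {0};` costs nothing. Converting `picBuffer` (a `void *`) to a function pointer is not defined by ISO C; it works on the platform this file targets, but a one-line comment saying that is deliberate would help the next reader. `main()` continues outside the hunk on both sides.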
@@ -0,0 +1,20 @@
+[BITS 64]
+
+ push rbp
+ mov rbp,rsp
+ sub rsp,0x30
+ mov QWORD [rbp-0x18],rdi
+ mov QWORD [rbp-0x20],rsi
+ mov QWORD [rbp-0x28],rdx
+ mov QWORD [rbp-0x30],rcx
+ mov rax,QWORD [rbp-0x28]
+ mov QWORD [rbp-0x8],rax
+ mov rdx,QWORD [rbp-0x30]
+ mov rsi,QWORD [rbp-0x20]
+ mov rcx,QWORD [rbp-0x18]
+ mov rax,QWORD [rbp-0x8]
+ mov rdi,rcx
+ call rax
+ nop
+ leave
+ ret
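Review bot: The file carries no comment saying what this fragment is or what it expects in registers, so a reader has to trace the stack spills and reloads to learn that it calls the third argument with the first, second and fourth. A header such as `; picProto() as x86-64 code (SysV ABI): rdi=picAddr, rsi=picSize, rdx=clonePtr, rcx=checksum` followed by `; calls clonePtr(picAddr, picSize, checksum) and returns` would tie it to the C definition in pic-linux.c. If this is compiler output of that function, naming the source and the flags it was produced with in the same comment would let the two be kept in sync when the signature changes again.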