Compare commits
3 Commits
0ccf038589
...
da0d4c9f9f
Author | SHA1 | Date |
---|---|---|
JoYo | da0d4c9f9f | |
JoYo | f77e558760 | |
JoYo | b7de0bcc78 |
|
@ -0,0 +1,2 @@
|
||||||
|
__pycache__/
|
||||||
|
seed
|
|
@ -1,8 +1,6 @@
|
||||||
FROM ubuntu:bionic
|
FROM ubuntu:bionic
|
||||||
ENV DEBIAN_FRONTEND=noninteractive
|
ENV DEBIAN_FRONTEND=noninteractive
|
||||||
ENV CXX clang++
|
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y \
|
RUN apt-get update && apt-get install -y \
|
||||||
clang \
|
python3-sqlalchemy \
|
||||||
llvm-dev \
|
|
||||||
yasm
|
yasm
|
||||||
|
|
|
@ -7,4 +7,10 @@ services:
|
||||||
volumes:
|
volumes:
|
||||||
- ${PWD}:/app
|
- ${PWD}:/app
|
||||||
working_dir: /app
|
working_dir: /app
|
||||||
command: python waf-2.0.14 configure build
|
command: yasm seed.asm -o seed
|
||||||
|
sins_run:
|
||||||
|
image: sins_build
|
||||||
|
volumes:
|
||||||
|
- ${PWD}:/app
|
||||||
|
working_dir: /app
|
||||||
|
command: python3 -m sins
|
||||||
|
|
214
run.py
214
run.py
|
@ -1,214 +0,0 @@
|
||||||
#! /usr/bin/env python3
|
|
||||||
|
|
||||||
from datetime import datetime
|
|
||||||
from random import randint
|
|
||||||
from time import sleep
|
|
||||||
import binascii
|
|
||||||
import logging
|
|
||||||
import os
|
|
||||||
import socket
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
|
|
||||||
class Server:
|
|
||||||
_children = list()
|
|
||||||
|
|
||||||
host = ('127.0.0.1', 5000)
|
|
||||||
sock = socket.socket()
|
|
||||||
sock.bind(host)
|
|
||||||
sock.listen()
|
|
||||||
client = None
|
|
||||||
logging.info('binding [{}]'.format(host))
|
|
||||||
|
|
||||||
def __enter__(self):
|
|
||||||
return self
|
|
||||||
|
|
||||||
def __exit__(self, *args):
|
|
||||||
return
|
|
||||||
|
|
||||||
def __del__(self):
|
|
||||||
self.sock.shutdown(socket.SHUT_RD)
|
|
||||||
self.sock.close()
|
|
||||||
|
|
||||||
def accept(self):
|
|
||||||
self.client, address = self.sock.accept()
|
|
||||||
logging.info('address accpeted [{}]'.format(address))
|
|
||||||
|
|
||||||
def recv(self, size: int=int()) -> list:
|
|
||||||
if not self.client:
|
|
||||||
raise BrokenPipeError('client connection missing')
|
|
||||||
|
|
||||||
recvd = self.client.recv(size)
|
|
||||||
|
|
||||||
if recvd:
|
|
||||||
logging.info('recvd [{}]'.format(len(recvd)))
|
|
||||||
|
|
||||||
return recvd
|
|
||||||
|
|
||||||
def send(self, data: bytes):
|
|
||||||
logging.info('send [{}]'.format(binascii.b2a_hex(data)))
|
|
||||||
|
|
||||||
if not self.client:
|
|
||||||
raise BrokenPipeError('client connection missing')
|
|
||||||
|
|
||||||
self.client.sendall(data)
|
|
||||||
|
|
||||||
@property
|
|
||||||
def children(self):
|
|
||||||
children = self._children
|
|
||||||
self._children = list()
|
|
||||||
return children
|
|
||||||
|
|
||||||
|
|
||||||
class Genorator:
|
|
||||||
seed = bytes()
|
|
||||||
|
|
||||||
def __init__(self, *, server: Server, parent: str, seed: str=str(), run_dir: str=str()):
|
|
||||||
self.server = server
|
|
||||||
self.parent = os.path.abspath(parent)
|
|
||||||
|
|
||||||
if seed:
|
|
||||||
with open(seed, 'rb') as seed_file:
|
|
||||||
self.seed = seed_file.read()
|
|
||||||
|
|
||||||
try:
|
|
||||||
os.mkdir(run_dir)
|
|
||||||
except FileNotFoundError or PermissionError:
|
|
||||||
run_dir = os.path.dirname(self.seed)
|
|
||||||
except FileExistsError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
self.run_dir = run_dir
|
|
||||||
|
|
||||||
parent_args = {
|
|
||||||
'parent': self.parent,
|
|
||||||
'scrap': self.seed,
|
|
||||||
'cwd': self.run_dir}
|
|
||||||
|
|
||||||
self.parenting(parent=self.parent, cwd=self.run_dir)
|
|
||||||
self.seeding(scrap=self.seed)
|
|
||||||
|
|
||||||
def __del__(self):
|
|
||||||
if self.proc:
|
|
||||||
self.proc.terminate()
|
|
||||||
|
|
||||||
def scrap_recent(self, *, run_dir: str) -> str:
|
|
||||||
scraps = sorted(os.listdir(run_dir))
|
|
||||||
|
|
||||||
if scraps:
|
|
||||||
return os.path.join(run_dir, scraps[-1])
|
|
||||||
|
|
||||||
return None
|
|
||||||
|
|
||||||
def parenting(self, *, parent: str, cwd: str):
|
|
||||||
cmd = [parent]
|
|
||||||
logging.info('parent {}'.format(cmd))
|
|
||||||
|
|
||||||
self.proc = subprocess.Popen(
|
|
||||||
[parent],
|
|
||||||
cwd=cwd)
|
|
||||||
|
|
||||||
def seeding(self, *, scrap: bytes):
|
|
||||||
offset = randint(0, len(scrap))
|
|
||||||
flip = randint(0, 255)
|
|
||||||
|
|
||||||
logging.info('scrap\n{}'.format(binascii.b2a_hex(scrap)))
|
|
||||||
|
|
||||||
self.server.accept()
|
|
||||||
|
|
||||||
scrap_len = bytes([len(scrap)])
|
|
||||||
logging.info('send child len [{}]'.format(scrap_len))
|
|
||||||
|
|
||||||
self.server.send(scrap_len)
|
|
||||||
# self.server.send(scrap)
|
|
||||||
|
|
||||||
logging.info('child send')
|
|
||||||
|
|
||||||
child = self.server.recv()
|
|
||||||
if child:
|
|
||||||
raise Exception(child)
|
|
||||||
|
|
||||||
|
|
||||||
def hex_dumps(scrap_dir):
|
|
||||||
scrap_dir = os.path.abspath(scrap_dir)
|
|
||||||
dump_dir = os.path.join(scrap_dir, 'hex')
|
|
||||||
|
|
||||||
if not os.path.isdir(dump_dir):
|
|
||||||
os.mkdir(dump_dir)
|
|
||||||
|
|
||||||
scraps = os.listdir(scrap_dir)
|
|
||||||
|
|
||||||
for scrap in scraps:
|
|
||||||
scrap_path = os.path.join(scrap_dir, scrap)
|
|
||||||
hex_name = '{}.hex'.format(scrap)
|
|
||||||
hex_path = os.path.join(dump_dir, hex_name)
|
|
||||||
|
|
||||||
if os.path.isfile(scrap_path):
|
|
||||||
with open(scrap_path, 'rb') as file_in:
|
|
||||||
with open(hex_path, 'w') as file_out:
|
|
||||||
binary = bytes(file_in.read())
|
|
||||||
for each in binary:
|
|
||||||
file_out.writelines('\'\\x{:02X}\',\n'.format(each))
|
|
||||||
|
|
||||||
|
|
||||||
def provision():
|
|
||||||
provision = ['sudo', 'sh', 'provision-ubuntu.sh']
|
|
||||||
prov_proc = subprocess.run(provision)
|
|
||||||
|
|
||||||
waf = [sys.executable, 'waf.py', 'configure']
|
|
||||||
waf_proc = subprocess.run(waf)
|
|
||||||
|
|
||||||
|
|
||||||
def build():
|
|
||||||
waf = [sys.executable, 'waf.py', 'build']
|
|
||||||
waf_proc = subprocess.run(waf)
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
import argparse
|
|
||||||
import sys
|
|
||||||
|
|
||||||
parser = argparse.ArgumentParser(
|
|
||||||
description='position independent code (PIC) mutation experiment.')
|
|
||||||
parser.add_argument('--verbose', '-v', action='count')
|
|
||||||
parser.add_argument('-build', action='store_true',
|
|
||||||
help='build parent and seed PIC image, exit.')
|
|
||||||
parser.add_argument('-provision', action='store_true',
|
|
||||||
help='provision ubuntu for run, exit.')
|
|
||||||
parser.add_argument('-log', default='log_sins', help='log to file.')
|
|
||||||
parser.add_argument('-seed', default='build/seed.asm.2.o',
|
|
||||||
help='path to PIC image.')
|
|
||||||
parser.add_argument('-parent', default='build/generation.elf',
|
|
||||||
help='path to generation lib.')
|
|
||||||
parser.add_argument('-dir', default='sandbox',
|
|
||||||
help='path to execution directory.')
|
|
||||||
parser.add_argument('-dumps', action='store_true',
|
|
||||||
help='dump hex values of scraps in directory, exit.')
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
logger = logging.getLogger()
|
|
||||||
logger.setLevel(
|
|
||||||
logging.DEBUG) if args.verbose else logger.setLevel(logging.INFO)
|
|
||||||
formatter = logging.Formatter('# %(filename)s:%(lineno)s\n%(message)s')
|
|
||||||
|
|
||||||
stream_handler = logging.StreamHandler()
|
|
||||||
stream_handler.setFormatter(formatter)
|
|
||||||
logger.addHandler(stream_handler)
|
|
||||||
|
|
||||||
file_handler = logging.FileHandler(args.log, 'a')
|
|
||||||
file_handler.setFormatter(formatter)
|
|
||||||
logger.addHandler(file_handler)
|
|
||||||
|
|
||||||
logging.info(args)
|
|
||||||
|
|
||||||
if args.provision:
|
|
||||||
provision()
|
|
||||||
|
|
||||||
if args.build:
|
|
||||||
build()
|
|
||||||
|
|
||||||
if args.dumps:
|
|
||||||
hex_dumps(args.dir)
|
|
||||||
|
|
||||||
with Server() as server:
|
|
||||||
gen = Genorator(server=server, parent=args.parent,
|
|
||||||
seed=args.seed, run_dir=args.dir)
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
#! /usr/bin/env python3
|
||||||
|
from .run import example, shell_function
|
||||||
|
# from .orm import SeedNode
|
|
@ -0,0 +1,4 @@
|
||||||
|
#! /usr/bin/env python3
|
||||||
|
from .run import example
|
||||||
|
|
||||||
|
example()
|
|
@ -0,0 +1,48 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
from datetime import datetime
|
||||||
|
from sqlalchemy import Blob, Column, ForeignKey, Integer, String, DateTime, create_engine, exists, desc
|
||||||
|
from sqlalchemy.ext.declarative import declarative_base
|
||||||
|
from sqlalchemy.orm import Session, relationship, backref
|
||||||
|
from sqlalchemy.orm.collections import attribute_mapped_collection
|
||||||
|
import logging
|
||||||
|
from hashlib import sha1
|
||||||
|
|
||||||
|
logger = logging.getLogger('sins')
|
||||||
|
now = '{0:%Y%m%dT%H%M%S}'.format(datetime.utcnow())
|
||||||
|
|
||||||
|
Base = declarative_base()
|
||||||
|
|
||||||
|
|
||||||
|
class SeedNode(Base):
|
||||||
|
ctime = Column(DateTime, default=datetime.utcnow)
|
||||||
|
id = Column(Integer, primary_key=True)
|
||||||
|
length = Column(Integer, default=0)
|
||||||
|
mtime = Column(DateTime, onupdate=datetime.utcnow)
|
||||||
|
parent_id = Column(Integer, ForeignKey(id))
|
||||||
|
checksum = Column(String)
|
||||||
|
stdout = Column(String)
|
||||||
|
image = Column(Blob)
|
||||||
|
|
||||||
|
children = relationship(
|
||||||
|
"SeedNode",
|
||||||
|
cascade="all, delete-orphan",
|
||||||
|
backref=backref("parent", remote_side=id),
|
||||||
|
collection_class=attribute_mapped_collection('name'))
|
||||||
|
|
||||||
|
def __init__(self, *, child: bytes, parent: SeedNode = None):
|
||||||
|
if parent:
|
||||||
|
self.parent_id = parent.id
|
||||||
|
|
||||||
|
self.image = child
|
||||||
|
self.length = len(child)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def sha1sum(self):
|
||||||
|
if self.checksum:
|
||||||
|
return self.checksum
|
||||||
|
|
||||||
|
checksum = sha1()
|
||||||
|
checksum.update(self.image)
|
||||||
|
self.checksum = checksum.hexdigest()
|
||||||
|
|
||||||
|
return self.checksum
|
|
@ -0,0 +1,65 @@
|
||||||
|
#! /usr/bin/env python3
|
||||||
|
from argparse import ArgumentParser
|
||||||
|
from datetime import datetime
|
||||||
|
from pathlib import Path
|
||||||
|
from random import randint
|
||||||
|
import binascii
|
||||||
|
import ctypes
|
||||||
|
import logging
|
||||||
|
import subprocess
|
||||||
|
import mmap
|
||||||
|
|
||||||
|
whoami_shell = b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05"
|
||||||
|
|
||||||
|
|
||||||
|
def example():
|
||||||
|
now = '{0:%Y%m%dT%H%M%S}'.format(datetime.utcnow())
|
||||||
|
parser = ArgumentParser(
|
||||||
|
description='position independent code (PIC) mutation experiment.')
|
||||||
|
parser.add_argument('-v', '--verbose', action='count')
|
||||||
|
parser.add_argument('-s', '--seed', default='seed',
|
||||||
|
help='path to PIC image.')
|
||||||
|
parser.add_argument('-o', '--output', help='path to results directory.')
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
log_level = logging.INFO
|
||||||
|
log_format = logging.Formatter('%(message)s')
|
||||||
|
|
||||||
|
if args.verbose:
|
||||||
|
log_level = logging.DEBUG
|
||||||
|
log_format = logging.Formatter(
|
||||||
|
'%(levelname)s %(filename)s:%(lineno)d\n%(message)s\n')
|
||||||
|
|
||||||
|
logger = logging.getLogger('sins')
|
||||||
|
logger.setLevel(log_level)
|
||||||
|
|
||||||
|
stream_handler = logging.StreamHandler()
|
||||||
|
stream_handler.setLevel(log_level)
|
||||||
|
stream_handler.setFormatter(log_format)
|
||||||
|
logger.addHandler(stream_handler)
|
||||||
|
|
||||||
|
if args.output:
|
||||||
|
log_path = f'{args.output}/sins-{now}.log'
|
||||||
|
file_handler = logging.FileHandler(log_path)
|
||||||
|
file_handler.setLevel(log_level)
|
||||||
|
file_handler.setFormatter(log_format)
|
||||||
|
logger.addHandler(file_handler)
|
||||||
|
|
||||||
|
logger.info(whoami_shell)
|
||||||
|
shell_function(whoami_shell)()
|
||||||
|
|
||||||
|
|
||||||
|
def shell_function(shellcode: bytes):
|
||||||
|
exec_mem = mmap.mmap(
|
||||||
|
-1, len(shellcode),
|
||||||
|
prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
|
||||||
|
flags=mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)
|
||||||
|
|
||||||
|
exec_mem.write(shellcode)
|
||||||
|
|
||||||
|
ctypes_buffer = ctypes.c_int.from_buffer(exec_mem)
|
||||||
|
function = ctypes.CFUNCTYPE(ctypes.c_int64)(
|
||||||
|
ctypes.addressof(ctypes_buffer))
|
||||||
|
function._avoid_gc_for_mmap = exec_mem
|
||||||
|
|
||||||
|
return function
|
170
waf-2.0.14
170
waf-2.0.14
File diff suppressed because one or more lines are too long
20
wscript
20
wscript
|
@ -1,20 +0,0 @@
|
||||||
#! /usr/bin/env python3
|
|
||||||
# -*- mode: python -*-
|
|
||||||
# vi: set ft=python :
|
|
||||||
|
|
||||||
|
|
||||||
def options(opt):
|
|
||||||
opt.load('yasm')
|
|
||||||
opt.load('compiler_cxx')
|
|
||||||
|
|
||||||
|
|
||||||
def configure(conf):
|
|
||||||
conf.load('yasm')
|
|
||||||
conf.load('compiler_cxx')
|
|
||||||
|
|
||||||
|
|
||||||
def build(bld):
|
|
||||||
bld.program(
|
|
||||||
source='generation.cpp',
|
|
||||||
target='generation.elf')
|
|
||||||
bld(features='asm', source='seed.asm', target='seed')
|
|
Loading…
Reference in New Issue