feat: added kill flag to just exit remote process

This commit is contained in:
əlemi 2023-03-28 22:29:08 +02:00
parent dadf81831c
commit 7c6d4f35cc
Signed by: alemi
GPG key ID: A4895B84D311642C
2 changed files with 22 additions and 1 deletions


@ -14,7 +14,7 @@ use executors::RemoteShellcode;
use senders::RemoteString;
use explorers::step_to_syscall;
use crate::explorers::{find_libc, find_dlopen};
use crate::{explorers::{find_libc, find_dlopen}, syscalls::RemoteExit};
#[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)]
@ -41,6 +41,10 @@ struct NeedleArgs {
/// path of libc shared object on disk, used to calculate symbol offset in ELF
#[arg(long)]
path: Option<PathBuf>,
/// instead of injecting a library, execute an exit syscall with code 69
#[arg(long, default_value_t = false)]
kill: bool,
}
fn nasty_stuff(args: NeedleArgs) -> Result<()> {
@ -54,6 +58,12 @@ fn nasty_stuff(args: NeedleArgs) -> Result<()> {
let syscall = step_to_syscall(pid)?; // TODO no real need to step...
let original_regs = ptrace::getregs(pid)?; // store original regs to restore after injecting
if args.kill {
RemoteExit::args(69).exit(pid, syscall)?;
println!("Killed process #{}", args.pid);
return Ok(());
}
// move path to our payload into target address space
let tetanus = RemoteString::new(args.payload + "\0")
.inject(pid, syscall)?;


@ -102,6 +102,17 @@ impl RemoteExit {
pub fn args(code: i64) -> Self {
RemoteExit { code }
}
/// since the exit syscall will never return, normal inject() will always return an error.
/// calling this will just return success once the syscall has been invoked
pub fn exit(&mut self, pid: Pid, syscall: usize) -> Result<u64> {
let mut regs = ptrace::getregs(pid)?;
regs.rip = syscall as u64;
self.registers(&mut regs);
ptrace::setregs(pid, regs)?;
ptrace::step(pid, None)?;
Ok(self.code as u64)
}
}
impl RemoteSyscall for RemoteExit {
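Review bot: `exit()` returns `Ok(self.code as u64)` unconditionally after `ptrace::step(pid, None)?`, but a successful `step` only means the tracee was resumed, not that the exit syscall ran, so the doc comment's "return success once the syscall has been invoked" is stronger than what the code checks. Waiting on the tracee after the step, e.g. `let status = nix::sys::wait::waitpid(pid, None)?;` and mapping anything other than an exited status to an error, would make the return value honest; the concrete error construction depends on the crate's `Result` alias, which is outside this hunk. The `self.code as u64` cast also wraps a negative `i64` silently; a comment such as `// exit codes are non-negative by construction; negative values wrap here` or a `u64::try_from` would document that. `exit` takes `&mut self` although nothing in the visible body mutates it; if `self.registers` only needs `&self`, `&self` is the more accurate signature.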