├── .gitignore ├── ida-upup ├── main ├── test ├── std2socket32.so ├── std2socket64.so ├── test.c ├── Makefile └── std2socket.c ├── global_libs └── bin │ ├── hello_test32 │ ├── hello_test64 │ └── hello_test.c ├── readme.assets ├── QQ20201123-0.png ├── image-20201123235225644.png ├── image-20201123235806030.png ├── image-20201123235947848.png ├── image-20201124012348568.png ├── image-20201124012429365.png ├── image-20201124012658202.png ├── image-20201124012752357.png ├── image-20201216175359222.png ├── 52D92B965EE406AF17E7BF400FE2E9A5.jpg └── D8F72452E208BADF3991E4842F2941FA.jpg ├── setup.sh ├── download.sh ├── readme.md └── mkenv.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.git 3 | *.o 4 | -------------------------------------------------------------------------------- /ida-upup/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/ida-upup/main -------------------------------------------------------------------------------- /ida-upup/test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/ida-upup/test -------------------------------------------------------------------------------- /ida-upup/std2socket32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/ida-upup/std2socket32.so -------------------------------------------------------------------------------- /ida-upup/std2socket64.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/ida-upup/std2socket64.so -------------------------------------------------------------------------------- /global_libs/bin/hello_test32: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/global_libs/bin/hello_test32 -------------------------------------------------------------------------------- /global_libs/bin/hello_test64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/global_libs/bin/hello_test64 -------------------------------------------------------------------------------- /readme.assets/QQ20201123-0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/QQ20201123-0.png -------------------------------------------------------------------------------- /readme.assets/image-20201123235225644.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201123235225644.png -------------------------------------------------------------------------------- /readme.assets/image-20201123235806030.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201123235806030.png -------------------------------------------------------------------------------- /readme.assets/image-20201123235947848.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201123235947848.png -------------------------------------------------------------------------------- /readme.assets/image-20201124012348568.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201124012348568.png 
-------------------------------------------------------------------------------- /readme.assets/image-20201124012429365.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201124012429365.png -------------------------------------------------------------------------------- /readme.assets/image-20201124012658202.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201124012658202.png -------------------------------------------------------------------------------- /readme.assets/image-20201124012752357.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201124012752357.png -------------------------------------------------------------------------------- /readme.assets/image-20201216175359222.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/image-20201216175359222.png -------------------------------------------------------------------------------- /readme.assets/52D92B965EE406AF17E7BF400FE2E9A5.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/52D92B965EE406AF17E7BF400FE2E9A5.jpg -------------------------------------------------------------------------------- /readme.assets/D8F72452E208BADF3991E4842F2941FA.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notify-bibi/libc-anyenv/HEAD/readme.assets/D8F72452E208BADF3991E4842F2941FA.jpg -------------------------------------------------------------------------------- 
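/global_libs/bin/hello_test.c:
--------------------------------------------------------------------------------
/* Smoke test that mkenv.sh copies into the chroot: exercises malloc/free and
 * printf so a freshly assembled libc environment can be checked end to end.
 * The include names were lost in the rendering; <stdlib.h> and <stdio.h>
 * are what the calls below need. */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    void *p1 = malloc(0x20);
    void *p2 = malloc(0x20);
    void *p3 = malloc(0x20);
    free(p1);
    free(p2);
    free(p3);
    /* %zu is the only correct conversion for size_t; %d was undefined
     * behaviour and prints garbage on 64-bit builds. */
    printf("well done!\n sizeof(size_t) = %zu\n", sizeof(size_t));
    return 0;
}

--------------------------------------------------------------------------------
/ida-upup/test.c:
--------------------------------------------------------------------------------
/* Scratch program for observing how the fd/status flags of stdout behave
 * once std2socket.so has redirected it; not part of the build. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    int fdf = fcntl(STDOUT_FILENO, F_GETFD);
    int fdfl = fcntl(STDOUT_FILENO, F_GETFL);

    /* 0x402 is O_RDWR|O_APPEND on x86 Linux.  F_SETFL ignores the access
     * mode bits, so the visible effect is "O_APPEND on, O_NONBLOCK off". */
    fcntl(STDOUT_FILENO, F_SETFL, 0x402);

    /* Flag words are ints: print them with %#x, not %p (passing an int
     * where %p expects a pointer is undefined behaviour). */
    printf("%#x\n", O_RDWR | O_APPEND | O_LARGEFILE);
    int n = puts("hello\n");
    puts("word ");

    int fdfc = fcntl(STDOUT_FILENO, F_GETFD);
    int fdflc = fcntl(STDOUT_FILENO, F_GETFL);

    printf("%d [%#x %#x | %#x %#x]", n, fdf, fdfl, fdfc, fdflc);
    write(1, "gggggggg\n", 9);
    getchar();
    return 0;
}

--------------------------------------------------------------------------------
/ida-upup/Makefile:
--------------------------------------------------------------------------------
override CFLAGS+=-Wall -g3 -fPIC
CC=clang
CXX=clang++
LLVM_CONFIG=llvm-config


OBJS=std2socket32.o std2socket64.o
PREFIX=/usr/local

all: std2socket32.so std2socket64.so

std2socket32.o: std2socket.c
	$(CC) $(CFLAGS) -m32 -c $^ -o $@
std2socket64.o: std2socket.c
	$(CC) $(CFLAGS) -m64 -c $^ -o $@

std2socket32.so: std2socket32.o
	$(LINK.c) -shared -m32 $^ -o $@

std2socket64.so: std2socket64.o
	$(LINK.c) -shared -m64 $^ -o $@


clean:
	rm -f std2socket64.so std2socket64.d std2socket32.so std2socket32.d $(OBJS)
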
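--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# One-time setup: clone LibcSearcher, give it a libc-database checkout and
# link that checkout's db/ directory into the current tree for download.sh.


LibcSearcher="$HOME/.local/LibcSearcher"
# Documented in the readme as the second path to adjust; not used below.
libcdatabase="$HOME/libc-database"
tmp=".libc-database-tmp-git"
git clone https://github.com/lieanu/LibcSearcher.git "$LibcSearcher"


git clone --no-checkout https://github.com/niklasb/libc-database.git "$tmp/libc-database"
rm -rf "$LibcSearcher/libc-database/.git"
mv "$tmp/libc-database/.git" "$LibcSearcher/libc-database/" && rm -rf "$tmp"


mkdir -p "$LibcSearcher/libc-database/db"
ln -sf --relative "$LibcSearcher/libc-database/db" db


# A failed cd must not let `git reset --hard` run in whatever directory the
# script happens to be in (the original did not check it).
cd "$LibcSearcher/libc-database" || exit 1
git reset --hard HEAD


echo "you can download the librepo"
echo "cd $LibcSearcher/libc-database && ./get ubuntu debian"



--------------------------------------------------------------------------------
/download.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Fetch one libc package (and its -dbg counterpart) by libc-database id,
# unpack it next to this script and register the DWARF files under
# <pkg>/usr/lib/debug/.build-id so gdb and IDA can locate them.

target_path=$(cd "$(dirname "$0")"; pwd)
echo "$target_path"



die() {
    echo >&2 "$@"
    exit 1
}

usage() {
    echo >&2 "Usage: $0 id"
    exit 2
}


# Create the .build-id/XX/YYYY... symlinks debuggers use to map a library's
# NT_GNU_BUILD_ID note to its separate debug file.
mk_dbg_info(){
    local debugpath=$1
    for file in `find "$debugpath/usr/lib/debug/lib" -name "*.so"`
    do
        local buildid=`readelf -n $file|grep 'Build ID'|awk '{print $3}'`
        # readelf failing or a missing note leaves buildid empty, which would
        # drop links at .build-id// instead of a build-id path; skip the file.
        if [[ -z "$buildid" ]]; then
            echo "no Build ID in $file, skipping"
            continue
        fi
        local dir=`echo $buildid | cut -c1-2`
        local fn=`echo $buildid | cut -c3-`
        local target=${debugpath}/usr/lib/debug/.build-id/$dir
        local tdfile=$target/$fn

        echo "making dbg $file"
        mkdir -p $target
        ln -sf --relative $file $tdfile
        ln -sf --relative $file $tdfile.debug
    done
}

download_single() {
    local id=$1
    # The id becomes a directory name and a db/ lookup key; refuse anything
    # that could point outside the current tree.
    case "$id" in
        ''|*/*|..*) die "Invalid ID: $id" ;;
    esac
    echo "Getting $id"
    if [ -d $target_path"/$id" ]; then
        mk_dbg_info $id
        die " --> Downloaded before. Remove it to download again."
    fi

    if [ ! -f "db/$id.url" ]; then
        die "Invalid ID, maybe the library was fetched in an older version or added manually?"
    fi

    local url="$(cat "db/$id.url")"
    echo " -> Location: $url"
    local tmp=${target_path}/${id}
    mkdir "$tmp" || die "cannot create $tmp"
    echo " -> Downloading package to ${tmp}"
    # NOTE(review): the .deb comes from whatever URL the db entry holds and is
    # unpacked and later copied into the chroot without any hash or signature
    # check; verify it out of band when the source is not the distribution
    # mirror you expect.
    wget "$url" 2>/dev/null -O $tmp/pkg.deb || die "Failed to download package from $url"

    # The -dbg package sits next to the main one; derive its URL from the
    # package name.  Two naming schemes are handled, see the readme for
    # adding another.
    local dbgurl=`echo $url | sed "s/libc6_/libc6-dbg_/"`
    if [[ $dbgurl = $url ]]; then
        dbgurl=`echo $url | sed "s/libc6-amd64_/libc6-dbg_/"`
    fi
    [[ $dbgurl = $url ]] && die "dbg url of $url not support"

    echo " -> Downloading package-dbg to ${tmp}"
    wget "$dbgurl" 2>/dev/null -O $tmp/pkg-dbg.deb || die "Failed to download package from $dbgurl"


    echo " -> Extracting package"

    # Without this check a failed pushd would run ar/tar in the caller's
    # directory.
    pushd "$tmp" 1>/dev/null || die "cannot enter $tmp"
    ar x pkg.deb || die "ar failed"
    tar xf data.tar.* || die "tar failed"
    rm -rf data.tar.*

    ar x pkg-dbg.deb || die "ar failed"
    tar xf data.tar.* || die "tar failed"
    popd 1>/dev/null

    #mkdir libs/$id
    #cp $tmp/lib/*/* libs/$id 2>/dev/null || cp $tmp/lib32/* libs/$id 2>/dev/null \
    #    || die "Failed to save. Check it manually $tmp"
    echo " -> Package saved to $id"

    #rm -rf $tmp


    mk_dbg_info $id
}

if [[ $# != 1 ]]; then
    usage
fi
download_single "$1"

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# libc-anyenv

------

一个快速搭建任何版本环境的工具,使用chroot具备环境隔离的功能;
另外包含ida自动加载DWARF符号功能(完美f5)、被调试程序输入输出重定向等功能,侵入性低所有版本ida均适用;
适合IDA调试**病毒**和**PWN**

# installation

------

## setup

**vim setup.sh**
修改安装路径(最好指定到当前已有的环境,无破坏)

**LibcSearcher**="$HOME/.local/LibcSearcher"
**libcdatabase**="$HOME/libc-database"

```bash
$ ./setup.sh
```

检查当前目录是否含有**db**文件夹链接到正确 **libc-database/db**



## download

```bash
$ ./download.sh
like $./download libc6_2.23-0ubuntu11.2_amd64
```



将会安装DWARF符号到 $bin_root/usr/lib/debug/.build-id , 方便gdb or ida
将库解压到 ****目录



## Make env

```bash
$ ./mkenv.sh -h
--- help ---
sudo ./mkenv.sh [ dep_bins ... ] -- Program execution in any environment
sudo ./mkenv.sh uninstall -- uninstall the change_root
example: sudo ./mkenv.sh libc6_2.23-0ubuntu11.2_amd64 bash linux_server64 sh ls cat id

```

![image-20201216175359222](readme.assets/image-20201216175359222.png)

**lib 32&64 mix it all up**

# ida调试能力增强

------

**std2socket.so**

```bash
$ ln -s `which clang-10` /usr/bin/clang
$ cd ida-upup && make clean && make
```



## 功能1

IDA远程调试的**linux_server**和其调试**目标程序**的**标准输入输出分开**

**目标程序**的**标准输入输出可以 重定向到socket**

![QQ20201123-0](readme.assets/QQ20201123-0.png)

52D92B965EE406AF17E7BF400FE2E9A5

### **阻塞模式**

**`LD_PRELOAD=[path to std2socket.so] BLOCK= ./linux_server`**

![image-20201123235806030](readme.assets/image-20201123235806030.png)

### **非阻塞模式**

将 `BLOCK=`去掉

![image-20201123235947848](readme.assets/image-20201123235947848.png)

阻塞模式就是一定要有`pwntools remote`上了server那么ida才会响应执行;否则,如果无remote连接请求, 和server原来那样直接输入输出到混一起

## 功能2

ubuntu、debian系统库(含libc6)环境 **全符号** 调试支持。

一般来说libc的DWARF是分离出去的,需要安装libc6-dbg , 路径为`/usr/lib/debug/lib/x86_64-linux-gnu`
ida默认会从so库直接加载DWARF文件, 由于符号分离,所以就加载失败。

分析linux_server后,发现其支持自动加载DWARF文件(含优先级),但是路径为空(格式: **path1;path2;....**),需要指定。

1. 配合**download.sh**后会自动安装符号到**\/usr/lib/debug/.build-id**

2. **`LD_PRELOAD=[path to std2socket.so] BLOCK= ./linux_server`** 开启调试

不能是`LD_PRELOAD=[path to std2socket.so] BLOCK= ./xxx/linux_server`



3. **sudo -s**

**echo 0 > /proc/sys/kernel/randomize_va_space(必要条件)**

对pwn爷爷来说这也是本方法的一个弊端,但是问题不大。

4.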
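**launch ida > module > choose libc.so.6 > load symbols > debug > take snapshot > enable source-debug level > save database**

load symbols将会花费你几分钟时间,但是之后将会是1秒钟。

![image-20201123235225644](readme.assets/image-20201123235225644.png)

5. **可以配合上面的chroot,所有版本的库都能支持符号加载 !**





# Error:![image-20201124012348568](readme.assets/image-20201124012348568.png)

Sorry,根据libc-id去定位libc-dbg-id是困难的,你可以访问如上`http://archive.ubuntu.com/ubuntu/pool/main/e/eglibc/`

搜索`2.15-0ubuntu10.18_i386` 的dbg项目

将转换规则添加到download.sh![image-20201124012752357](readme.assets/image-20201124012752357.png)

--------------------------------------------------------------------------------
/mkenv.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build a chroot under /home/chroot/bin_root from a package tree fetched by
# download.sh, copy the requested programs plus their shared-library
# dependencies into it, and run the first program inside as an unprivileged
# user.  Needs root (chroot, mknod, mount, useradd).
user=chroot
group=gchroot

user_home="/home/${user}"
bin_root="/home/${user}/bin_root"



help(){
    exec 1>&2
    echo "--- help ---"
    echo "sudo ./mkenv.sh [ dep_bins ... ] -- Program execution in any environment"
    echo "sudo ./mkenv.sh uninstall -- uninstall the change_root"
    echo "example: sudo ./mkenv.sh libc6_2.23-0ubuntu11.2_amd64 bash linux_server64 sh ls cat id"
    exit 1
}

if [[ " $@ " == *" uninstall "* ]] ; then
    umount ${bin_root}/proc
    # /proc is bind-mounted into the chroot below.  If the umount did not
    # take (mount busy), rm -rf would walk into the host's /proc; refuse
    # instead of risking it.
    if mountpoint -q "${bin_root}/proc"; then
        echo >&2 "${bin_root}/proc is still mounted, not removing ${bin_root}"
        exit 1
    fi
    read -r -p "rm -rf ${bin_root} ? [Y/n]" sure
    if [[ ! "$sure" =~ ^(No|N|n)$ ]]
    then
        rm -rf ${bin_root}/
    fi
    exit
fi


# Parsed as ( $# <= 1 || $1 == -h ) && help: the package id plus at least
# one program to run are required.
[[ "$#" -le 1 ]] || [ "$1" == "-h" ] && help


# ------------------------- do it --------------------------


echo -e "user: $user:$group \nroot at $bin_root"

#create group if not exists (anchored on the ':' so a group that merely
#starts with the same letters is not taken as a match)
if ! grep -Eq "^${group}:" /etc/group
then
    groupadd $group
fi

#create user if not exists
if ! grep -Eq "^${user}:" /etc/passwd
then
    useradd -g $group -m -d $user_home $user
fi




id=$1
die(){
    echo $@
    help
    exit 1
}

[[ ! -d "$id" ]] && die "not exist $id"

mkdir -p -m 755 $bin_root

[[ ! -d "${bin_root}/proc" ]] && mkdir -p ${bin_root}/proc && mount --bind /proc ${bin_root}/proc
# [[ ! -d "${bin_root}/proc" ]] && mkdir ${bin_root}/proc && mount -t proc none ${bin_root}/proc

# [[ ! -d "${bin_root}/dev" ]] && mount --bind /dev ${bin_root}/dev

# Device nodes and copied trees already exist on a re-run; park stderr on
# fd 666 and silence the expected "File exists" noise until the block is done.
exec 666>&2 2>/dev/null

mkdir -p -m 755 ${bin_root}/bin
mkdir -p -m 755 ${bin_root}/dev
mknod -m 666 ${bin_root}/dev/null c 1 3
mknod -m 666 ${bin_root}/dev/zero c 1 5
mknod -m 444 ${bin_root}/dev/random c 1 8
mknod -m 444 ${bin_root}/dev/urandom c 1 9
mknod -m 666 ${bin_root}/dev/tty c 5 0
mknod -m 666 ${bin_root}/dev/ptmx c 5 2
mknod -m 622 ${bin_root}/dev/console c 5 1

# The unpacked package tree (etc/, lib*/, usr/) becomes the chroot's base.
cp -r $id/etc/ ${bin_root}/
cp -r $id/lib/ ${bin_root}/
cp -r $id/lib32/ ${bin_root}/
cp -r $id/lib64/ ${bin_root}/
cp -r $id/usr/ ${bin_root}/
cp -r global_libs/* ${bin_root}/

exec 2>&666

cmd=""
# Copy one program into the chroot at the same absolute path, together with
# every shared object ldd resolves for it.  The first program handled becomes
# $cmd, the one chroot runs at the end.
bin_fix_dep(){
    local arg=$1
    if [[ ! -f "$arg" ]] ; then
        arg=`which $arg`
        [[ ! -f "$arg" ]] && die "Cannot locate the $arg file"
    fi
    if [[ -z "$cmd" ]] ;then
        cmd=$arg
    fi
    local p=$(cd "$(dirname "$arg")"; pwd)
    echo -e "$arg \033[43;31;4m=>\033[0m ${bin_root}$arg"
    mkdir -p -m 755 ${bin_root}$p
    cp $arg ${bin_root}$arg
    # NOTE(review): ldd runs the program's dynamic loader on the host, outside
    # the chroot.  For samples you do not trust, resolve the dependency list
    # with a static tool (readelf -d / objdump -p) instead of ldd.
    for deplib in $(ldd $arg | awk '{print $3}') ; do
        mkdir -p -m 755 `dirname ${bin_root}${deplib}`
        # cp -r copies a symlinked library as a symlink.  When that link does
        # not resolve inside the chroot ("=>"), the real file is copied to the
        # link's resolved path as well; "=X>" means it already resolves.
        cp -r -f -n ${deplib} ${bin_root}${deplib} || die "error cp"
        [[ ! -f "${bin_root}${deplib}" ]] && echo -e " |_${deplib} \033[32m=>\033[0m ${bin_root}${deplib}"
        [[ -f "${bin_root}${deplib}" ]] && echo -e " |_${deplib} \033[31;1m=X>\033[0m ${bin_root}${deplib}"
        [[ ! -f "${bin_root}${deplib}" ]] && cp -n -f `readlink -f $deplib` ${bin_root}`readlink -f $deplib`
    done

}



for bin in ${@:2} ;do
    bin_fix_dep $bin
done


echo -e "start \033[43;31;4m$cmd\033[0m "

chroot --userspec=${user}:${group} ${bin_root} $cmd


--------------------------------------------------------------------------------
/ida-upup/std2socket.c:
--------------------------------------------------------------------------------
/*
 * std2socket.c - LD_PRELOAD shim for IDA's linux_server.
 *
 * Two libc symbols are interposed:
 *   fork()   - before the real fork, accept a TCP client on port 12345 and,
 *              in the child (the debuggee), make that connection its
 *              stdin/stdout/stderr.  The server keeps its own terminal.
 *   strspn() - linux_server splits its DWARF search path with strspn(s, ";").
 *              When the configured path is empty this hook copies
 *              debuginfopath into the server's buffer so separate debug
 *              files are found.
 *
 * The listener binds every interface and has no authentication: whoever can
 * reach port 12345 talks to the debuggee's stdio.  Use it on a host or VM
 * that untrusted networks cannot reach.
 *
 * The include names were lost in the rendering; the headers below cover
 * every name used in this file.
 */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <execinfo.h>
#include <fcntl.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Listening socket, created lazily by the first fork(). */
static int gsfd = 0;
/* Real libc entry points, resolved with RTLD_NEXT on first use. */
static int (*func_fork) () = NULL;
static size_t (*func_strspn)(const char *, const char *) = NULL;

/* Search path handed to linux_server, ';' separated (see strspn below):
 * the Debian/Ubuntu libc6-dbg location plus the usual library directories. */
// const char debuginfopath[] = "/usr/lib/debug/;";
const char debuginfopath[] = \
    "/usr/lib/debug/;"
    "/lib/x86_64-linux-gnu;"
    "/lib;"
    "/lib64;"
    "/usr/lib;"
    "/usr/lib64;"
    "/usr/x86_64-linux-gnu/lib;"
    "/usr/x86_64-linux-gnu/lib64;"
    "/usr/local/lib;"
    "/usr/local/lib64;"
    "/usr/lib/x86_64-linux-gnu;"
    "/usr/lib/x86_64-linux-gnu64;"
    "/usr/local/lib/x86_64-linux-gnu";


/* The accept set linux_server passes to strspn while splitting the path. */
const char DWARF_sign[2] = { ";" };

/* getpid() straight from the kernel, bypassing any libc-side caching. */
static pid_t no_cache_getpid(void)
{
    pid_t pid;

#if defined(__i386__)
    /* The 32-bit build issues int 0x80 directly instead of going through
     * libc's syscall wrapper. */
    __asm__(
        "int $0x80"
        :
        "=a"(pid)
        :
        "a"(__NR_getpid)
    );
#else
    /* Covers x86-64, arm and powerpc as before, and every other target that
     * has syscall(2); the original left pid uninitialised on those. */
    pid = syscall(__NR_getpid);
#endif

    return pid;
}

/* Create the listening socket on 0.0.0.0:12345 and return it.
 *
 * Any failure ends the process with exit(1): this runs inside linux_server,
 * and a missing listener would silently leave the debuggee on the server's
 * terminal, the situation the shim exists to avoid.  BLOCK selects blocking
 * accept() (server waits for a client) versus non-blocking.  LD_PRELOAD (when
 * it names this library) and BLOCK are removed from the environment so the
 * debuggee the server later execs is not shimmed a second time. */
int srv_listen(void)
{
    struct addrinfo hint, *result = NULL;
    int res, sfd;

    memset(&hint, 0, sizeof(hint));
    hint.ai_family = AF_INET;
    hint.ai_socktype = SOCK_STREAM;
    hint.ai_protocol = 0;
    hint.ai_flags = AI_PASSIVE;   /* NULL host + AI_PASSIVE -> wildcard address */

    res = getaddrinfo(NULL, "12345", &hint, &result);
    if (res != 0) {
        /* getaddrinfo does not set errno; gai_strerror gives the real cause. */
        fprintf(stderr, "error : cannot get socket address! %s\n", gai_strerror(res));
        exit(1);
    }

    sfd = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
    if (sfd == -1) {
        perror("error : cannot get socket file descriptor!\n");
        goto faild;
    }
    int option = 1;
    setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof(option));

    /* The listener must not leak into the debuggee across exec. */
    fcntl(sfd, F_SETFD, fcntl(sfd, F_GETFD, 0) | FD_CLOEXEC);

    if (getenv("BLOCK") != NULL) {
        fcntl(sfd, F_SETFL, fcntl(sfd, F_GETFL, 0) & (~O_NONBLOCK));
        printf("[*] blocking mode\n");
    } else {
        fcntl(sfd, F_SETFL, fcntl(sfd, F_GETFL, 0) | O_NONBLOCK);
        printf("[*] non-blocking mode\n");
    }



    if (getenv("LD_PRELOAD") != NULL) {
        /* strstr yields a pointer; the original compared it with `> 0`. */
        if (strstr(getenv("LD_PRELOAD"), "std2socket") != NULL) {
            unsetenv("LD_PRELOAD");
            printf("unsetenv(\"LD_PRELOAD\");\n");
        }
    }
    if (getenv("BLOCK") != NULL) {
        unsetenv("BLOCK");
    }



    res = bind(sfd, result->ai_addr, result->ai_addrlen);
    if (res == -1) {
        perror("error : cannot bind the socket with the given address!\n");
        goto faild;
    }

    res = listen(sfd, SOMAXCONN);
    if (res == -1) {
        perror("error : cannot listen at the given socket!\n");
        goto faild;
    }
    printf("[*] Listening on 0.0.0.0:12345...\n");

    freeaddrinfo(result);   /* the original never released it */
    return sfd;
faild:
    /* shutdown() before close(); the original did it the other way round,
     * so the shutdown always hit an already-closed descriptor. */
    if (sfd != -1) {
        shutdown(sfd, SHUT_RDWR);
        close(sfd);
    }
    freeaddrinfo(result);
    exit(1);
    return -1;
}


/* Accept one client on the listening socket.
 *
 * Returns the connected fd, or -1 (in non-blocking mode that is the normal
 * "nobody waiting" result). */
int srv_accept(int sfd)
{
    struct sockaddr_storage remote;   /* big enough for any address family */
    socklen_t len = sizeof(remote);
    int fd = accept(sfd, (struct sockaddr *)&remote, &len);
    return fd;
}


/* Hook: the fork() linux_server uses to spawn the debuggee.
 *
 * The parent (server) keeps its terminal.  The child gets the accepted
 * connection as fds 0/1/2.  If no client is available (fd < 0) the child
 * inherits the server's stdio unchanged, which is plain linux_server
 * behaviour.  Returns whatever the real fork() returns. */
pid_t fork(void)
{
    pid_t rval, tid;

    if (!gsfd) gsfd = srv_listen();
    if (!func_fork) func_fork = (int (*) ()) dlsym(RTLD_NEXT, "fork");

    int fd = srv_accept(gsfd);
    printf("[*] accept: %d fd:%x fl:%x\n", fd, fcntl(fd, F_GETFD), fcntl(fd, F_GETFL));

    if (fd >= 0) {
        /* Clear close-on-exec on the connection and set its status flags.
         * 0x8402 is O_RDWR|O_APPEND|O_LARGEFILE on x86 Linux; F_SETFL ignores
         * the access-mode bits (and the stray FD_CLOEXEC), so the effective
         * change is "O_APPEND on, O_NONBLOCK off".  Kept as in the original:
         * these are the flags the debuggee sees on its stdio.  The original
         * also ran these on fd == -1; they only failed with EBADF. */
        fcntl(fd, F_SETFD, 0);
        fcntl(fd, F_SETFL, 0x8402 | FD_CLOEXEC);
    }


    tid = no_cache_getpid();
    (void)tid;   /* only consumed by the disabled clone() variant below */
#if 0
    // rval = syscall(__NR_clone, CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 0, 0, &tid);
    // CLONE_VM|CLONE_VFORK
    rval = syscall(__NR_clone, CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 0, 0, &tid);
#else
    rval = func_fork();
#endif

    if (fd < 0) return rval;

    if (rval < 0) {
        close(fd);
        perror("error : cannot fork! \n");
        exit(rval);
    } else if (rval == 0) {
        /* Child: the client connection becomes stdin/stdout/stderr; the
         * dup2 copies do not carry FD_CLOEXEC, so they survive the exec. */
        dup2(fd, 0);
        dup2(fd, 1);
        dup2(fd, 2);
    } else {
        printf("[*] p:%d fork cid:%d\n", no_cache_getpid(), rval);
    }
    close(fd);
    return rval;
}

/* Debug aid: print a backtrace of the current call chain to stderr.
 * Not called by default (see the commented-out call in strspn). */
void handler(char *caller)
{
    void *array[10];
    int size;   /* backtrace() returns and backtrace_symbols_fd() takes int */
    printf("Stack Trace Start for %s\n", caller);
    size = backtrace(array, 10);
    backtrace_symbols_fd(array, size, 2);
    printf("Stack Trace End\n");
}

/* State of the path-injection heuristic below; process-global and not
 * thread-safe, as in the original. */
static int count = 0;

/* Hook: strspn() for every caller in the process.
 *
 * Only calls whose accept set is exactly ";" are special-cased: that is the
 * separator linux_server uses when walking its DWARF search path.  The first
 * such call on an empty string (count == 0) is taken to be the server reading
 * its empty configured path; debuginfopath is copied into that buffer so the
 * walk sees a populated list.  Later empty-string calls reset count so a
 * fresh walk can be recognised.  Every call is then forwarded to libc.
 *
 * The copy is a blind strcpy into memory owned by the caller: nothing here
 * knows the capacity of that buffer.  It is the mechanism the tool relies on
 * and is kept, but any change to debuginfopath's length has to be checked
 * against the linux_server build it is used with. */
size_t strspn(const char *s, const char *accept)
{
    // handler("strspn");
    if (!func_strspn) func_strspn = (size_t (*)(const char *, const char *)) dlsym(RTLD_NEXT, "strspn");

    /* Byte-wise compare against ";\0".  The original read *(short *)accept,
     * an aliasing/alignment violation that also read two bytes even when
     * accept is the one-byte empty string. */
    if (accept[0] == DWARF_sign[0] && accept[1] == DWARF_sign[1]) {
        if (!*s && !count) {
            printf("[*] %d attach strspn orig debuginfo:[ %s ] changed!\n", count, s);
            strcpy((char *)(uintptr_t)s, debuginfopath);
            count += 1;
        } else if (!*s && count) {
            count = 0;
        } else {
            count += 1;
        }

        // printf("[*] %d %p :[ %s ]\n",count, s, s);
    }
    size_t ret = func_strspn(s, accept);
    return ret;
}



--------------------------------------------------------------------------------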