Injected payload is constructed from base opcodes for bypassing PIE and forking, and from our compiled assembly code
Forking part of our base opcodes is very simple, just syscall fork and check if we are child or parent, if parent return to original entry point, if child execute our assembly code:
mov rax,57
syscall
cmp eax, 0
jz childFor bypassing PIE relative addresses we have to calculate the offset between original entry point and our code at point where we can get relative address. We get relative address from:
call parent
parent:
pop raxnow we have relative address of our code in rax, so we just sub our calculated offset from it:
sub rax, 0xOUR_CALCULATED_OFFSETand then just push it to the stack and ret:
push rax
retThis way we can get relative address of original entry point and jump to it
Then we connect our payload to our base payload and insert it into the binary as separate section.
$ sudo apt install libelf-dev
$ make
$ nasm -f bin -o payload.bin src/assembly/hello_world.s
$ sudo cp /bin/ls .
$ sudo ./injector ls payload.bin
$ ./ls
hello world!
injector ls Makefile payload.bin srcBinary injection based on Dennis Andriesse book https://practicalbinaryanalysis.com/
For Educational Purposes Only