diff options
| author | jvoisin | 2013-01-15 21:31:40 +0100 |
|---|---|---|
| committer | jvoisin | 2013-01-15 21:31:40 +0100 |
| commit | 808069c906a036f3b8c5de51e302245154131584 (patch) | |
| tree | c8e046626973ee28a793c24faba312ace286c8c1 /crash | |
First commit with an ugly makefile !
Diffstat (limited to 'crash')
| -rw-r--r-- | crash/10123.c | 32 | ||||
| -rw-r--r-- | crash/header_screwer.c | 65 |
2 files changed, 97 insertions, 0 deletions
diff --git a/crash/10123.c b/crash/10123.c new file mode 100644 index 0000000..48a9304 --- /dev/null +++ b/crash/10123.c | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | /* | ||
| 2 | *Excerpt of the bug's description: | ||
| 3 | GDB fails to interrupt the program being debugged if the program is blocking SIGINT. | ||
| 4 | |||
| 5 | When using the sigwait function to retrieve signals, the program is expected to block them. SIGINT is a commonly handled signal. Any | ||
| 6 | program using sigwait to retrieve signals and handling SIGINT this way will not be interruptible by GDB. | ||
| 7 | */ | ||
| 8 | |||
| 9 | #include <stddef.h> | ||
| 10 | #include <stdio.h> | ||
| 11 | #include <unistd.h> | ||
| 12 | #include <signal.h> | ||
| 13 | |||
| 14 | int main(){ | ||
| 15 | sigset_t sigs; | ||
| 16 | sigfillset(&sigs); | ||
| 17 | sigprocmask(SIG_SETMASK, &sigs, NULL); | ||
| 18 | |||
| 19 | if(fork()){ | ||
| 20 | sleep(1); // to be sure that | ||
| 21 | kill(getppid(), SIGINT); | ||
| 22 | _exit(0); | ||
| 23 | } | ||
| 24 | while(1){ | ||
| 25 | pause(); | ||
| 26 | printf("[*] No GBD detected\n"); | ||
| 27 | /* | ||
| 28 | * Put your code here | ||
| 29 | */ | ||
| 30 | } | ||
| 31 | return 0; | ||
| 32 | } | ||
diff --git a/crash/header_screwer.c b/crash/header_screwer.c new file mode 100644 index 0000000..735aecd --- /dev/null +++ b/crash/header_screwer.c | |||
| @@ -0,0 +1,65 @@ | |||
| 1 | /* | ||
| 2 | * Elf header screwer, based on an idea of svenka's crackme, named Thellurik (http://crackmes.de/users/svenka/thellurik/) | ||
| 3 | * Unfortunately for me, ioactive was quicker than me : http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-debuggers.html | ||
| 4 | * Kudos to them ! | ||
| 5 | * | ||
| 6 | */ | ||
| 7 | |||
| 8 | |||
| 9 | #include <stdio.h> | ||
| 10 | #include <sys/mman.h> | ||
| 11 | #include <unistd.h> | ||
| 12 | #include <stdlib.h> | ||
| 13 | #include <elf.h> | ||
| 14 | #include <sys/stat.h> | ||
| 15 | #include <sys/types.h> | ||
| 16 | #include <sys/procfs.h> | ||
| 17 | #include <fcntl.h> | ||
| 18 | |||
| 19 | |||
| 20 | int main(int argc, char** argv){ | ||
| 21 | int f; | ||
| 22 | static Elf32_Ehdr* header; | ||
| 23 | |||
| 24 | printf(".: Elf corrupt :.\n"); | ||
| 25 | |||
| 26 | if(argc < 2){ | ||
| 27 | printf("Usage: %s file", argv[0]); | ||
| 28 | return 1; | ||
| 29 | } | ||
| 30 | |||
| 31 | if((f = open(argv[1], O_RDWR)) < 0){ | ||
| 32 | perror("open"); | ||
| 33 | return 1; | ||
| 34 | } | ||
| 35 | |||
| 36 | //MAP_SHARED is required to actually update the file | ||
| 37 | if((header = (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PROT_WRITE, MAP_SHARED, f, 0)) == MAP_FAILED){ | ||
| 38 | perror("mmap"); | ||
| 39 | close(f); | ||
| 40 | return 1; | ||
| 41 | } | ||
| 42 | |||
| 43 | printf("[*] Current header values:\n"); | ||
| 44 | printf("\te_shoff:%d\n\te_shnum:%d\n\te_shstrndx:%d\n", | ||
| 45 | header->e_shoff, header->e_shnum, header->e_shstrndx); | ||
| 46 | |||
| 47 | header->e_shoff = 0xffff; | ||
| 48 | header->e_shnum = 0xffff; | ||
| 49 | header->e_shstrndx = 0xffff; | ||
| 50 | |||
| 51 | printf("[*] Patched header values:\n"); | ||
| 52 | printf("\te_shoff:%d\n\te_shnum:%d\n\te_shstrndx:%d\n", | ||
| 53 | header->e_shoff, header->e_shnum, header->e_shstrndx); | ||
| 54 | |||
| 55 | if(msync(NULL, 0, MS_SYNC) == -1){ | ||
| 56 | perror("msync"); | ||
| 57 | close(f); | ||
| 58 | return 1; | ||
| 59 | } | ||
| 60 | |||
| 61 | close(f); | ||
| 62 | munmap(header, 0); | ||
| 63 | printf("You should no more be able to run \"%s\" inside GDB\n", argv[1]); | ||
| 64 | return 0; | ||
| 65 | } | ||