ixty / Mandibule

linux elf injector for x86 x86_64 arm arm64


mandibule: linux elf injector

intro

Mandibule is a program that injects an ELF file into a remote process.

Both statically and dynamically linked programs can be targeted. Supported archs:

  • x86
  • x86_64
  • arm
  • aarch64

Example usage: https://asciinema.org/a/KkOHP2Jef0E6wViPCglkXLRcV

@ixty 2018

installation

git clone https://github.com/ixty/mandibule
make

usage

usage: ./mandibule <elf> [-a arg]* [-e env]* [-m addr] <pid>

loads an ELF binary into a remote process.

arguments:
    - elf: path of binary to inject into <pid>
    - pid: pid of process to inject into

options:
    -a arg: argument to send to injected program - can be repeated
    -e env: environment value sent to injected program - can be repeated
    -m addr: base address at which the program is loaded in the remote process, default=AUTO

Note: the order of arguments must be respected (no getopt, sorry).

example run

$ make x86_64

# in shell 1
$ ./target
> started.
......

# in shell 2
$ ./mandibule ./toinject `pidof target`
> target pid: 6266
> arg[0]: ./toinject
> args size: 51
> shellcode injection addr: 0x7f0f4719c000 size: 0x5000 (available: 0x195000)
> success attaching to pid 6266
> backed up mem & registers
> injected shellcode at 0x7f0f4719c000
> running shellcode..
> shellcode executed!
> restored memory & registers
> successfully injected shellcode into pid 6266

# back to shell 1
...
> target pid: 6266
> arg[0]: ./toinject
> args size: 51
> auxv len: 304
> auto-detected manual mapping address 0x55f6e1000000
> mapping './toinject' into memory at 0x55f6e1000000
> reading elf file './toinject'
> loading elf at: 0x55f6e1000000
> load segment addr 0x55f6e1000000 len 0x1000 => 0x55f6e1000000
> load segment addr 0x55f6e1200dd8 len 0x1000 => 0x55f6e1200000
> max vaddr 0x55f6e1212000
> loading interp '/lib64/ld-linux-x86-64.so.2'
> reading elf file '/lib64/ld-linux-x86-64.so.2'
> loading elf at: 0x55f6e1212000
> load segment addr 0x55f6e1212000 len 0x23000 => 0x55f6e1212000
> load segment addr 0x55f6e1435bc0 len 0x2000 => 0x55f6e1435000
> max vaddr 0x55f6e1448000
> eop 0x55f6e1212c20
> setting auxv
> set auxv[3] to 0x55f6e1000040
> set auxv[5] to 0x9
> set auxv[9] to 0x55f6e10006e0
> set auxv[7] to 0x55f6e1000000
> eop 0x55f6e1212c20
> starting ...

# oh hai from pid 6266
# arg[0]: ./toinject
# :)
# :)
# :)
# bye!
...........


injection process

mandibule has no dependencies (not even libc) and is compiled with -pie and -fpie so that it is fully relocatable.

This way we can copy mandibule's code into any process and it will run as if it were a totally independent shellcode.

Here is how mandibule works:

  • find an executable section in target process with enough space (~5Kb)
  • attach to process with ptrace
  • backup register state
  • backup executable section
  • inject mandibule code into executable section
  • let the execution resume on our own injected code
  • wait until exit() is called by the remote process
  • restore registers & memory
  • detach from process

In the remote process, mandibule does the following:

  • read arguments, environment variables and other options from its own memory
  • find a suitable memory address to load the target elf file if needed
  • manually load & map the elf file into memory using only syscalls
  • load the ld-linux interpreter if needed
  • call the main function of the manually loaded binary
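A defender-side check for the two artefacts the steps above leave behind, added here as an example and not part of mandibule: while the injector is attached with ptrace, /proc/<pid>/status reports a non-zero TracerPid, and once the ELF has been mapped with raw syscalls (assumed here to be an anonymous mapping, as a manual loader typically produces) /proc/<pid>/maps shows an executable region with no backing path. The maps and status texts embedded below are constructed samples, and the tracer pid 6270 is made up.

```c
/* Added detection example, not part of mandibule. Two artefacts of the
 * procedure above: while the injector is attached, /proc/<pid>/status reports
 * a non-zero TracerPid; once the ELF is mapped by raw syscalls (assumed here
 * to be anonymous memory) /proc/<pid>/maps shows an executable region with
 * no backing path. The maps and status texts below are constructed samples. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count executable mappings that carry no pathname, i.e. are not file-backed. */
int count_anon_exec(const char *maps)
{
    int hits = 0;
    for (const char *line = maps; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512], perms[5], path[256];
        unsigned long lo, hi, off, inode;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* exactly 5 conversions => the pathname column is absent on this line */
        int n = sscanf(buf, "%lx-%lx %4s %lx %*s %lu %255s",
                       &lo, &hi, perms, &off, &inode, path);
        if (n == 5 && perms[2] == 'x')
            hits++;
        line = eol ? eol + 1 : line + len;
    }
    return hits;
}

/* TracerPid from /proc/<pid>/status text; 0 means nobody is ptrace-attached. */
long tracer_pid(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? strtol(p + strlen("TracerPid:"), NULL, 10) : 0;
}

/* constructed maps sample: one anonymous r-xp region (the injected elf) */
static const char sample_maps[] =
    "55f6e0a00000-55f6e0a01000 r-xp 00000000 08:01 1310720 /home/user/target\n"
    "55f6e1000000-55f6e1001000 r-xp 00000000 00:00 0\n"
    "55f6e1200000-55f6e1201000 rw-p 00000000 00:00 0\n"
    "7f0f4719c000-7f0f47300000 r-xp 00000000 08:01 2097152 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd1e3f0000-7ffd1e3f2000 r-xp 00000000 00:00 0 [vdso]\n";
/* constructed status sample: pid 6266 while a tracer (pid 6270) is attached */
static const char sample_status[] =
    "Name:\ttarget\nState:\tt (tracing stop)\nPid:\t6266\nTracerPid:\t6270\n";
```

On a live system, feed the contents of /proc/<pid>/maps and /proc/<pid>/status to these two functions; bracketed pseudo-paths such as [vdso] are not counted because they carry a pathname column.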

tested on

  • x86: Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux
  • x86_64: Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux
  • arm64: Linux buildroot 4.13.6 #1 SMP Sat Mar 3 16:40:18 UTC 2018 aarch64 GNU/Linux
  • arm: Linux buildroot 4.11.3 #1 SMP Sun Mar 4 02:36:56 UTC 2018 armv7l GNU/Linux

arm & arm64 were tested using arm_now by @chaignc to easily spawn qemu vms with the desired arch.
