Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary.

Related tags

Security related resourcesMidas-ELF64-Injector
Overview

Midas ELF64 Injector

Description

Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary. All you need is to write a C program like you always do, and this tool will compile and inject it into the target binary for you, no shellcoding required. The advantage of this over shellcode injection is that you can actually include any library and it would still work, also of course it's more comfortable writing C than ASM.

Note: This tool was written for an Attack & Defense CTF with an intention to be a one-time-use thing. Therefore, I was only trying to make it works without caring too much about scalability or maintainability.

Dependencies

Please note that all the dependencies MUST be installed with the exact version stated below. Any other version will almost certainly won't work.

  1. gcc 9.3.0: link
  2. lief 0.11.5: pip3 install lief==0.11.5
  3. pwntools 4.4.0: pip3 install pwntools==4.4.0
  4. gdb (any version)

Usage

python3 inject.py
  • : the target binary to be injected to
  • : a file contains the build command of the C file you want to inject, it MUST be statically compiled with -static, and the output file name MUST be tmp.bin

How it works?

  1. It compiles the C code using the provided build command.
  2. It executes the compiled file in gdb, use a temporary gdb script to break at main and dump the process's text and data.
  3. It adds a segment into the target binary to store some shellcode and the memory snapshot dumped above.
  4. It patches __libc_csu_init of the target binary to jump to that shellcode. This is what that shellcode does:
    • Map 2 fixed pages for the text and data at the exact same addresses as a statically compiled binary.
    • Copy injected text and data to the mapped pages.
    • Call injected main.
    • Unmap the 2 pages.
    • Return back to the original target process.

Limitations

  1. There are a lot of hard-coded values, so I'm not sure if it will work 100% of the time.
  2. Rely on exact dependencies version.
  3. Take a while to run.
  4. Will inflate your target size by a lot (expect around 1MB).
  5. The target file MUST be an ELF64 dynamically compiled with PIE enabled.
  6. No checking for input files, you have to make sure they are correct by yourself.
Owner
midas
CE student @ HCMUT, Flag capturer @ Team Efiens, Reverser, Pwner
midas
GitHub Repository
Acc-Data-Gen - Allows you to generate a password, e-mail & token for your Minecraft Account

Acc-Data-Gen Allows you to generate a password, e-mail & token for your Minecraft Account How to use the generator: Move all the files in a single dir

KarmaBait 2 May 16, 2022
NS-Defacer: a auto html injecter, In other words It's a auto defacer to deface a lot of websites in less time

Overview NS-Defacer is a auto html injecter, In other words It's a auto defacer

NightSec 10 Nov 19, 2022
🎻 Modularized exploit generation framework

Modularized exploit generation framework for x86_64 binaries Overview This project is still at early stage of development, so you might want to come b

ᴀᴇꜱᴏᴘʜᴏʀ 30 Jan 17, 2022
CVE-2021-26855: PoC (Not a HoneyPoC for once!)

Exch-CVE-2021-26855 ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker b

ZephrFish 24 Nov 14, 2022
Use FOFA automatic vulnerability scanning tool

AutoSRC Use FOFA automatic vulnerability scanning tool Usage python3 autosrc.py -e FOFA EMAIL -k TOKEN Screenshots License MIT Dev 6613GitHub6613

PwnWiki 48 Oct 25, 2022
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Nov 21, 2022
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

CVE-2022-1388 CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE. POST /mgmt/tm/util/bash HTTP/1.1 Host: Accept-Encoding: gzip, deflate Accept: */

M4rtin Hsu 81 Dec 12, 2022
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. SSLyze can analyze the SSL/TLS configuration of a server by connecting

Alban Diquet 2.8k Jan 03, 2023
Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

EntropyQueen 17 Dec 20, 2021
Just your basic port scanner - with multiprocessing capabilities & further nmap enumeration.

Just-Your-Basic-Port-Scanner Just your basic port scanner - with multiprocessing capabilities & further nmap enumeration. Use at your own discretion,

Edward Zhou 0 Nov 06, 2021
Automatic ProxyShell Exploit

proxyshell-auto usage: proxyshell.py [-h] -t T Automatic Exploit ProxyShell optional arguments: -h, --help show this help message and exit -t T

lulz 93 Jan 05, 2023
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

Binary.club 2 Jan 24, 2022
Infection Monkey - An automated pentest tool

Infection Monkey Data center Security Testing Tool Welcome to the Infection Monkey! The Infection Monkey is an open source security tool for testing a

Guardicore Ltd. 6k Jan 09, 2023
A brute force tool for password-protected zip file

Bzip A brute force tool for password-protected zip file/folder(s). Note that this tool can only crack .zip files. Please DO not misuse. Installation g

3 Nov 13, 2021
This is a repository filled with scripts that were made with Python, and designed to exploit computer systems.

PYTHON-EXPLOITATION This is a repository filled with scripts that were made with Python, and designed to exploit computer systems. Networking tcp_clin

Nathan Galindo 1 Oct 30, 2021
Malware-analysis-writeups - Some of my Malware Analysis writeups

About This repo contains some malware analysis writeups i've created over time m

Itay Migdal 14 Jun 22, 2022
Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)

VSSTrigger Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VS

Filip Dragovic 6 Jul 24, 2022
The self-hostable proxy tunnel

TTUN Server The self-hostable proxy tunnel. Running Running: docker run -e TUNNEL_DOMAIN=Your tunnel domain -e SECURE=True if using SSL ghcr.io/to

Tom van der Lee 2 Jan 11, 2022
A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.

📂 Public Bug Bounty Targets Data By BugBountyResources A collection of over 5.1M sub-domains and assets belonging to bug bounty targets, all put in a

Bug Bounty Resources 87 Dec 13, 2022
Übersicht remote command execution 0day exploit

Übersicht RCE 0day Unauthenticated remote command execution 0day exploit for Übersicht. Description Übersicht is a desktop widget application for m

BoofGang 10 Dec 21, 2021