author | Toni Uhlig <matzeton@googlemail.com> | 2024-04-05 14:22:49 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2024-04-05 14:22:49 +0200 |
commit | 04176b2c5e8fbc8279c90e4e84cc6d83c7c17b19 (patch) | |
tree | 1398220de5e4482a0c6ad907c0dd9655c904eda0 | |
parent | 66d1d63f6155b6a2037e1792fd6eda2f17e4be7e (diff) |
* replaced entropy calculation with a !broken one
* README update
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | README | 3 | ||||
-rwxr-xr-x | exploit.py | 2 | ||||
-rw-r--r-- | funccrypt.c | 4 | ||||
-rw-r--r-- | utils.h | 34 |
4 files changed, 22 insertions, 21 deletions
@@ -6,3 +6,6 @@ It does also provide some example shellcodes and a set of different crypter. The crypter designed to work with shellcode are located in the crypter subdir. Additional crypter based on function/exec level can be found in the rootdir.
+
+Some exploits require a disabled randomized virtual address space (kernel.randomize_va_space) and exec-shield (kernel.exec-shield).
+Both can be disabled with the script ./disable_prot.sh
@@ -80,4 +80,4 @@ if __name__ == '__main__':
 print('Return Address: {}'.format(hex(new_return_addr_tuple[1])))
 ret = run_exploit(new_return_addr_tuple[1], exploit_buffer, optional_destination_offset)
- print('Exit Code: {}'.format(ret))
+ print('Exit Code: {}'.format("SIGSEGV (-11)" if ret == -11 else str(ret)))
diff --git a/funccrypt.c b/funccrypt.c
index d9a64ce..c80e215 100644
--- a/funccrypt.c
+++ b/funccrypt.c
@@ -228,8 +228,8 @@ static void printHexBuf(uint8_t *buf, size_t siz, size_t chars_per_line)
 static void calcAndPrintEntropy(struct crypt_header * const func_crypt_header, size_t const func_body_size)
 {
- printf("entropy of %s function: %lf\n", (func_crypt_header->crypted == 0xFF ? "encrypted" : "unencrypted"),
- entropy_from_buffer((uint8_t *)func_crypt_header->func_body, func_body_size));
+ printf("entropy of %s function: %f\n", (func_crypt_header->crypted == 0xFF ? "encrypted" : "unencrypted"),
+ entropy((uint8_t *)func_crypt_header->func_body, func_body_size));
 }
 static void initRandom(void)
@@ -3,6 +3,7 @@
 #include <math.h>
 #include <stdlib.h>
+#include <string.h>
 #include <unistd.h>
 #define MAXLEN 961 // maximum string length
@@ -23,29 +24,26 @@ static inline size_t makehist(unsigned char const * const buf, ssize_t * const h
 return histlen;
 }
-static inline double entropy(ssize_t * const hist, size_t histlen, size_t len) {
+static inline float entropy(u_int8_t const * const buf, size_t len) {
+ float entropy = 0.0f;
+ u_int32_t byte_counters[256];
 size_t i;
- double H;
- H = 0.0;
- for (i = 0; i < histlen; i++) {
- H -= (double)hist[i] / len * log2((double)hist[i] / len);
- }
- return H;
-}
-static inline double entropy_from_buffer(unsigned char const * const buffer, size_t size)
-{
- ssize_t * const hist_array = malloc(size * sizeof(*hist_array));
+ memset(byte_counters, 0, sizeof(byte_counters));
- if (!hist_array) {
- return -1.0;
+ for(i = 0; i < len; ++i) {
+ byte_counters[buf[i]]++;
 }
- size_t hist_length = makehist(buffer, hist_array, size);
- double entr = entropy(hist_array, hist_length, size);
+ for(i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) {
+ if(byte_counters[i] == 0) {
+ continue;
+ }
+
+ float const p = (float)byte_counters[i] / len;
+ entropy += p * log2f(1 / p);
+ }
- free(hist_array);
- return entr;
+ return entropy;
 }
-
 #endif
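Review bot: The local accumulator `float entropy` in the new `entropy()` shadows the function's own name inside its body (`-Wshadow` will flag it), and `u_int8_t`/`u_int32_t` are BSD-style aliases rather than the C99 `<stdint.h>` types that the caller in funccrypt.c already uses in its `(uint8_t *)` cast; rename the local and use the standard types: `static inline float entropy(uint8_t const * const buf, size_t len) {`, `float h = 0.0f;`, `uint32_t byte_counters[256];` (with `return h;` at the end). With `entropy_from_buffer()` removed, `makehist()` — whose signature is this hunk's header context and whose body sits above the hunk — appears to have no remaining caller and could probably be dropped as well. The `len == 0` case is safe only by a side effect worth stating: no counter is ever incremented, so the division inside the second loop is never reached and the result is 0.0f; a one-line comment such as `/* len == 0: all counters stay 0, the p = count/len division is never reached, returns 0.0f */` above the second loop would spare the next reader that check.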