feedface [WIP] - OS X

bottomy
feedface is a little injector/scanner and general process interaction tool for Mac OS X. Development on the tool is very slow, as it's only a small side project, and I will be holding off from doing any more work on it until I upgrade to Mountain Lion and can do some testing on there (note that if it's severely broken on ML I'll just axe the project).

As of now the tool can only perform some simple injections, and has no scanning or more general interaction functionality yet.

The features that I plan on implementing are:

- Thread injection (the majority of it is complete, but there are still some issues I need to fix)
- Bundle injection (dependent on thread injection)
- Memory scanning (similar style of scanning to Cheat Engine, e.g. filtering capabilities, etc.)
- Hooking functions
- Automatic class posing, either for those in the bundle or already in the application.
- Also cleaning up the usage; it's an unintelligible mess at the moment.


Usage examples:

***
Codecave examples
--------------------------
Program source.
Code:
#include <stdio.h>

int main(int argc, char *argv[])
{
    scanf("%*[^\n]");
    printf("some text\n");

    asm("nop ; nop ; nop ; nop");
    asm("nop ; nop ; nop ; nop");
    asm("nop ; nop ; nop ; nop");
    asm("nop ; nop ; nop ; nop");

    return 0;
}

Launch the program and attach GDB to it (so that we can get the pid with "info pid" and look up the injection address at the same time; you can go about this however you prefer), then detach it. If you want the addresses to be fixed, then just launch it in GDB.
Code:
(gdb) info pid
Inferior has process ID 2863.
(gdb) print/x main+72
$1 = 0x108b45ef9

Here is the code we want to inject/codecave to. It is asm written for GAS.
Code:
/*
e9 17 00 00 00 70 75 74 73 00 62 6c 61 68 20 62
6c 61 68 20 62 6c 61 68 20 3a 29 00 48 c7 c7 fe
ff ff ff 48 8d 35 db ff ff ff ff 15 17 00 00 00
48 8d 3d d3 ff ff ff ff d0
*/
    jmp Skip
puts_String:
    .asciz "puts"
Message:
    .asciz "blah blah blah :)"
Skip:

    movq $-2,%rdi
    leaq puts_String(%rip),%rsi
    call *dlsym(%rip)

    leaq Message(%rip),%rdi
    call *%rax

.space 14 //Space that the returning code would normally consume. On 32 bits it will use 5 bytes.
dlsym:

Then the command to inject the codecave.
Code:
sudo ./feedface 2863 -codecave 0x108b45ef9 e917007075747300626c616820626c616820626c6168203a290048c7c7feff488d35dbff151700488d3dd3ffd0
Password:
Injected to: 0x108b79000

Press enter on the program, and it should print:
Code:
some text
blah blah blah :)


Alternatively we could use the automatic relocation functionality to get the address of the puts function. Here is an example; it also demonstrates multiple inputs.
Code:
nm -m /usr/lib/system/libsystem_c.dylib
0011d9a (__TEXT,__text) external _puts

And the code to be injected:
Code:
/*
e9 1a 00 00 00

-relocated puts address-

62 6c 61 68 20 62 6c 61 68 20 62 6c 61 68 20 3a
29 00 48 8d 3d e7 ff ff ff ff 15 d9 ff ff ff
*/
    .section __TEXT,__text
    .globl _main
_main:

    jmp Skip
puts:
    .quad 0
Message:
    .asciz "blah blah blah :)"
Skip:

    leaq Message(%rip),%rdi
    call *puts(%rip)

The command:
Code:
sudo ./feedface 4220 -codecave rel[0x100ef8] e91a00 rel[0x11d9a:libsystem_c.dylib] 626c616820626c616820626c6168203a2900488d3de7ff15d9ff
Password:
Injected to: 0x10eff5000

The program will now print:
Code:
some text
blah blah blah :)
***
Byte Injection example
------------------------------
Using the same program as above, though running with fixed offsets.
Code:
sudo ./feedface 3008 -bytes 9090909090 0x100ef3

Press enter on the program, and it should not print anything.
***
String Injection example
------------------------------
Using the same program as above, though running with fixed offsets.
Code:
sudo ./feedface 2980 -string new\ string 0x100f63

Press enter on the program, and it should print:
Code:
new string


Or an example of using relocations.
0x100f63 is the fixed virtual offset at which "some text" is located.
Code:
sudo ./feedface 4214 -string blah rel[0x100f63]

This will then make it print:
Code:
blah text
***


A note on the syntax for relocations.
The general format is basically "rel[address:image name or path]", and if the image is omitted it will default to the task as the image. The syntax can also vary a bit.
e.g.
rel\ address
rel(address,/usr/lib/system/libsystem_c.dylib)


Source: http://pastebin.com/cxBb7AUU
For compilation instructions or the executable: see the source. I'll keep the update information in there.

Use at your own risk. :)


On a side note, wow I'm so terrible at formatting posts. :P
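The first codecave above, as an added analysis example that is not from the post or the feedface source: a small Python decoder that walks only the encodings that cave uses, resolves each RIP-relative displacement to a cave-relative offset, recovers the strings the lea instructions address, and reports the call target that falls past the injected bytes (the dlsym slot the assembly places after its .space 14). Running decode_cave on a cave pulled out of a process's anonymous executable mapping shows what it references without needing a full disassembler.

```python
# Added analysis example, not feedface code: decode the first codecave above and
# resolve every RIP-relative operand to a cave-relative offset.
import struct

# The 57 bytes from the comment block of the first codecave (constructed from it).
CAVE = bytes.fromhex(
    "e9170000007075747300626c616820626c616820626c6168203a2900"
    "48c7c7feffffff488d35dbffffffff1517000000488d3dd3ffffffffd0"
)

def decode_cave(blob):
    """Return (offset, mnemonic, target) tuples for the encodings this cave uses.

    target is the cave-relative offset a RIP-relative operand points at, the
    movq immediate (-2 is RTLD_DEFAULT on OS X), or None. Bytes skipped by the
    leading jmp are reported as one 'data' entry: the cave's strings live there.
    """
    rel32 = lambda p: struct.unpack_from("<i", blob, p)[0]  # little-endian signed
    out, off = [], 0
    while off < len(blob):
        head = blob[off:off + 3]
        if head[:1] == b"\xe9":                      # jmp rel32 (5 bytes)
            tgt = off + 5 + rel32(off + 1)
            out += [(off, "jmp", tgt), (off + 5, "data", tgt)]
            off = tgt
        elif head[:2] == b"\xff\x15":                # call *disp32(%rip) (6 bytes)
            out.append((off, "call [rip+disp]", off + 6 + rel32(off + 2))); off += 6
        elif head == b"\x48\x8d\x35":                # leaq disp32(%rip),%rsi (7 bytes)
            out.append((off, "lea rsi", off + 7 + rel32(off + 3))); off += 7
        elif head == b"\x48\x8d\x3d":                # leaq disp32(%rip),%rdi (7 bytes)
            out.append((off, "lea rdi", off + 7 + rel32(off + 3))); off += 7
        elif head == b"\x48\xc7\xc7":                # movq $imm32,%rdi (7 bytes)
            out.append((off, "mov rdi", rel32(off + 3))); off += 7
        elif head[:2] == b"\xff\xd0":                # call *%rax (2 bytes)
            out.append((off, "call rax", None)); off += 2
        else:
            raise ValueError(f"unhandled opcode {blob[off]:#04x} at offset {off}")
    return out

def resolve_strings(blob, entries):
    """Map each lea that lands inside the cave to the NUL-terminated string it addresses."""
    return {off: blob[tgt:blob.index(b"\0", tgt)].decode("ascii")
            for off, mn, tgt in entries if mn.startswith("lea") and 0 <= tgt < len(blob)}

def external_targets(blob, entries):
    """RIP-relative targets past the injected bytes: here the dlsym slot that the
    assembly places after its .space 14, which the injector has to fill in."""
    return [tgt for _, mn, tgt in entries
            if mn not in ("mov rdi", "call rax") and tgt >= len(blob)]
```

Calling decode_cave(CAVE) yields the jmp over 23 bytes of strings, movq $-2, the two leas resolving to offsets 5 ("puts") and 10 (the message), and the call through offset 71, which is 14 bytes beyond the 57 injected bytes exactly as the .space 14 in the assembly lays out.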


feedface [WIP] - by bottomy - 27-07-2012, 09:24 AM