From 92d75f361949ebb31e58ecb956c9e7ea7125b039 Mon Sep 17 00:00:00 2001
From: Stefano Moioli
Date: Tue, 23 Apr 2024 22:56:53 +0200
Subject: [PATCH] add several remaining symbols/prototypes
---
 xzre.h | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 xzre.lds.in | 13 ++++++++
 2 files changed, 95 insertions(+), 4 deletions(-)
diff --git a/xzre.h b/xzre.h
index f515a54..6ee77be 100644
--- a/xzre.h
+++ b/xzre.h
@@ -2023,6 +2023,18 @@ extern BOOL find_function(
 */
 extern BOOL elf_contains_vaddr(elf_info_t *elf_info, u64 vaddr, u64 size, u32 p_flags);
+/**
+ * @brief checks if given ELF file contains the range [vaddr, vaddr+size)
+ * in the gnurelro segment
+ *
+ * @param elf_info elf context
+ * @param vaddr starting memory address
+ * @param size memory size
+ * @param p_flags the expected segment protection flags (PF_*). must be non-zero
+ * @return BOOL TRUE if found, FALSE otherwise
+ */
+extern BOOL elf_contains_vaddr_relro(elf_info_t *elf_info, u64 vaddr, u64 size, u32 p_flags);
+
 /**
+ * @brief Parses the given in-memory ELF file into elf_info
+ *
@@ -2940,6 +2952,15 @@ extern BOOL bignum_serialize(
 const BIGNUM *bn,
 imported_funcs_t *funcs);
+
+/**
+ * @brief checks if the given serialized BIGNUM is negative
+ *
+ * @param buf buffer containing a serialized BIGNUM
+ * @return BOOL TRUE if the serialized BIGNUM is negative, FALSE otherwise
+ */
+extern BOOL sshbuf_bignum_is_negative(struct sshbuf *buf);
+
 /**
+ * @brief obtains a SHA256 hash of the supplied RSA key
 *
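Review bot: The `@param p_flags` line on the new `elf_contains_vaddr_relro` does not say what the flags are compared against, which matters here because a PT_GNU_RELRO header carries its own `p_flags` while the same range is also covered by a PT_LOAD segment that may carry different ones; the sibling `elf_contains_vaddr` takes the same argument, so a reader will assume the same check. Suggest ` * @param p_flags the expected segment protection flags (PF_*), must be non-zero; NOTE(review): confirm whether these are matched against the PT_GNU_RELRO header or the covering PT_LOAD`. The `@return` could also state that TRUE means the whole range [vaddr, vaddr+size) lies inside the segment, since a partial overlap returning TRUE would matter to callers using this as a bounds check. The doc comment for `elf_contains_vaddr` starts outside the hunk.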
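Review bot: `sshbuf_bignum_is_negative` returns a plain BOOL, so a caller cannot tell "not negative" apart from "buffer too short or malformed", and the comment does not say what an empty or truncated `buf` yields. Suggest ` * @return BOOL TRUE if the serialized BIGNUM is negative, FALSE otherwise; NOTE(review): also FALSE for a buf shorter than one encoded bignum? confirm`. It would also help to name the encoding the function expects, since `@brief` only says "serialized"; presumably the length-prefixed sshbuf bignum wire format, but that should be confirmed against the recovered code before being written down.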
@@ -3056,21 +3077,31 @@ enum SocketMode {
 * @brief Get either the read or write end of the sshd connection.
 *
 * this is done by using the `struct monitor` address in @p ctx or, if not set,
- * by getting the first usable socket from 0 to @p socket_idx_max , excluded
+ * by getting the first usable socket having index @p socket_index
 *
- * @param ctx the global socket
+ * @param ctx the global context
 * @param pSocket output variable that will receive the socket fd
- * @param socket_idx_max maximum number of sockets to try, heuristically
+ * @param socket_index index `n` of the n-th usable socket that the function should return
 * @param socket_direction whether to get the receiving or the sending socket
 * @return BOOL TRUE if the socket was found, FALSE otherwise
 */
 extern BOOL sshd_get_client_socket(
 global_context_t *ctx,
 int *pSocket,
- int socket_idx_max,
+ int socket_index,
 enum SocketMode socket_direction
 );
+/**
+ * @brief gets the first usable socket fd
+ *
+ * @param pSock output variable that will receive the socket fd
+ * @param socket_index index `n` of the n-th usable socket that the function should return
+ * @param imports imported libc functions
+ * @return BOOL TRUE if the socket was found, FALSE otherwise
+ */
+extern BOOL sshd_get_usable_socket(int *pSock, int socket_index, libc_imports_t *imports);
+
 /**
+ * @brief Finds the right `sshbuf` (FIXME: which?), starting from:
+ * `(*(ctx->struct_monitor_ptr_address))->kex->my`
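Review bot: The new `@brief gets the first usable socket fd` on `sshd_get_usable_socket` contradicts its own `@param socket_index`, which says the n-th usable socket is returned; the same wording survives in the rewritten `sshd_get_client_socket` comment ("the first usable socket having index @p socket_index"). Suggest ` * @brief gets the n-th usable socket fd, where n is @p socket_index` for the new function, and for both a sentence stating whether the index is 0-based and what "usable" means, which the hunk does not define. Renaming `socket_idx_max` to `socket_index` keeps the parameter type `int`, so any caller elsewhere in the tree that still passes a count compiles unchanged but now asks for a different socket; that deserves a line in the comment or the commit message.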
@@ -3081,6 +3112,53 @@ extern BOOL sshd_get_client_socket(
 */
 extern BOOL sshd_get_sshbuf(struct sshbuf *sshbuf, global_context_t *ctx);
+/**
+ * @brief locates an sshbuf within `struct kex` (FIXME: which?)
+ *
+ * @param kex pointer to `struct kex` to search in
+ * @param ctx the global context
+ * @param pOutputData output variable that will receive the address of the sshbuf data
+ * @param pOutputSize output variable that will receive the size of the sshbuf data
+ * @return BOOL TRUE if the sshbuf was found, FALSE otherwise
+ */
+extern BOOL sshd_kex_sshbuf_get(void *kex, global_context_t *ctx, void **pOutputData, size_t *pOutputSize);
+
+/**
+ * @brief checks if the given sshbuf buffer contains a backdoor payload message
+ *
+ * @param sshbuf_data sshbuf data pointer
+ * @param sshbuf_size size of sshbuf data
+ * @param pOutPayloadSize output variable that will be populated with the size of the backdoor payload, if found
+ * @param ctx the global context
+ * @return BOOL TRUE if the given sshbuf contains a backdoor payload message, FALSE otherwise
+ */
+extern BOOL is_payload_message(
+ void *sshbuf_data,
+ size_t sshbuf_size,
+ size_t *pOutPayloadSize,
+ global_context_t *ctx);
+
+/**
+ * @brief decrypts the given backdoor payload
+ *
+ * @param payload payload data
+ * @param payload_size size of payload data
+ * @param ctx the global context
+ * @return BOOL TRUE if successfully decrypted, FALSE otherwise
+ */
+extern BOOL decrypt_payload_message(
+ void *payload,
+ size_t payload_size,
+ global_context_t *ctx);
+
+/**
+ * @brief checks if the backdoor state is the expected one (FIXME: which?)
+ *
+ * @param ctx the global context
+ * @return BOOL TRUE if the backdoor state is in the expected state, FALSE otherwise
+ */
+extern BOOL check_backdoor_state(global_context_t *ctx);
+
 /**
+ * @brief runs the payload received from @ref sshd_proxy_elevate,
+ * and then runs the original `mm_answer_keyallowed` function
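Review bot: `decrypt_payload_message` takes `void *payload` by non-const pointer and its comment never says whether decryption happens in place, who owns the result, or where the key material comes from; `is_payload_message` has the same gap for `sshbuf_data`, which could be declared `const void *` if the recovered code only reads it (confirm before changing the prototype, since it describes an existing binary). Suggest ` * @param payload payload data; NOTE(review): decrypted in place? confirm, and document the key source (ctx?)`. For `sshd_kex_sshbuf_get`, `pOutputData` should say whether it receives a pointer into the live sshbuf or a copy, because that decides the lifetime a caller may rely on. The comment on the `mm_answer_keyallowed` hook at the end of the hunk continues outside it.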
diff --git a/xzre.lds.in b/xzre.lds.in
index e959349..b393bf5 100644
--- a/xzre.lds.in
+++ b/xzre.lds.in
@@ -39,6 +39,7 @@ SECTIONS_BEGIN()
 DEFSYM(fake_lzma_free, .text.stream_decoda)
 DEFSYM(secret_data_append_from_call_site, .text.lzma_index_iter_rewina)
 DEFSYM(elf_contains_vaddr, .text.parse_bcz)
+ DEFSYM(elf_contains_vaddr_relro, .text.auto_decoda)
 DEFSYM(elf_parse, .text.get_literal_prica)
 DEFSYM(main_elf_parse, .text.lzma_filter_decoder_is_supportea)
 DEFSYM(check_argument, .text.lzma_encoder_inia)
@@ -121,7 +122,11 @@ SECTIONS_BEGIN()
 DEFSYM(sshd_find_monitor_struct, .text.lzma_mf_bt4_fina)
 DEFSYM(sshd_proxy_elevate, .text.lzip_decoder_memconfia)
 DEFSYM(sshd_get_client_socket, .text.index_encoda)
+ DEFSYM(sshd_get_usable_socket, .text.index_decoda)
 DEFSYM(sshd_get_sshbuf, .text.threads_stoz)
+ DEFSYM(sshd_kex_sshbuf_get, .text.stream_decoder_mt_get_progresz)
+ DEFSYM(is_payload_message, .text.worker_stara)
+ DEFSYM(decrypt_payload_message, .text.decode_buffez)
 DEFSYM(mm_answer_keyallowed_hook, .text.file_info_decoda)
 DEFSYM(mm_answer_keyverify_hook, .text.bt_skip_funz)
 DEFSYM(mm_log_handler_hook, .text.parse_lzma12z)
@@ -132,6 +137,14 @@ SECTIONS_BEGIN()
 DEFSYM2(contains_null_pointers, 0x7160 - 0x70E0)
 DEFSYM_END(.text.bt_find_funa)
 DEFSYM(sshd_log, .text.lzma_block_encoder_updatd)
+ DEFSYM(check_backdoor_state, .text.stream_encoder_mt_iniz)
+ DEFSYM(sshbuf_bignum_is_negative, .text.length_encoder_resez)
+ // FIXME: prototype
+ DEFSYM(is_gnu_relro, .text.lzma_simple_props_sizd)
+ // FIXME: prototype
+ DEFSYM(elf_find_rela_reloc, .text.stream_encoder_updata)
+ // FIXME: prototype
+ DEFSYM(elf_find_relr_reloc, .text.stream_encoder_updatz)
 SECTIONS_END(.text)
 SECTIONS_BEGIN()
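Review bot: The three `// FIXME: prototype` entries in the last hunk give `is_gnu_relro`, `elf_find_rela_reloc` and `elf_find_relr_reloc` linker symbols that xzre.h never mentions, so the header and the symbol map now disagree about which functions exist; a one-line TODO next to `elf_contains_vaddr_relro` in xzre.h naming the three symbols would keep them in step until the prototypes are recovered. Separately, GNU ld itself only accepts `/* */` comments in a linker script, so the `//` lines are only safe if xzre.lds.in is run through the C preprocessor before ld sees it, which the DEFSYM macros suggest but the hunk cannot confirm; worth checking that the existing file already uses `//` elsewhere.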