DEFCON21 Final Application Firewall Implementation
/* compile with: gcc -shared -fPIC -o hook.so hook.c -ldl */
#include <stdio.h>
#include <stdlib.h>
#include <regex.h>
#include <dlfcn.h>
#include <memory.h>
static void *libc = NULL;        /* handle from dlopen("libc.so.6") in do_init(); never dlclose()d */
/* POSIX ERE applied to the receive window: a run of 48 or more consecutive
 * ASCII alphanumerics (a long token-like blob).  Compiled once in do_init(). */
static const char *blacklist = "[a-zA-Z0-9]{48,}";
static regex_t blacklist_re;
/* Window of the most recently received bytes.  The extra byte keeps the
 * array NUL-terminated for regexec(): static storage starts zeroed and
 * recent_recv_clear() only ever touches the first 2048 bytes. */
static char recent_recv[2048 + 1];
static int recent_recv_len = 0;   /* number of valid bytes in recent_recv */
/* The genuine libc recv(), resolved by do_init() on the first hooked call;
 * NULL means "not initialised yet".  Not static, so it is an exported
 * symbol of the shared object. */
ssize_t (*real_recv)(int socket, void *buffer, size_t size, int flags);
/* Smaller of two ints; used to clamp a copy size to the window's free space. */
static int min(int v1, int v2) {
    if (v2 < v1) {
        return v2;
    }
    return v1;
}
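/*
 * Prints a human-readable description of a regcomp()/regexec() error code
 * to stderr, perror()-style.
 *
 * prefix: label printed before the message (e.g. "regcomp").
 * code:   the non-zero value returned by regcomp() or regexec().
 * re:     the regex_t handed to the failing call.
 */
void regperror(const char *prefix, int code, const regex_t *re) {
    char msg[512 + 1] = "";
    /* regerror() always NUL-terminates within the size it is given; a longer
     * description is truncated, which is fine for a diagnostic */
    regerror(code, re, msg, sizeof msg);
    /* the original omitted the newline, so the next stderr line was glued on */
    fprintf(stderr, "%s: %s\n", prefix, msg);
}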
/* Empties the window: zeroes its 2048 data bytes and resets the fill count. */
void recent_recv_clear() {
    recent_recv_len = 0;
    memset(&recent_recv[0], 0, 2048);
}
/* Non-zero once the window holds all 2048 bytes; recv() then clears it. */
int recent_recv_is_full() {
    return !(recent_recv_len < 2048);
}
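/*
 * Appends up to `size` bytes of `buf` to the window.  Bytes that do not fit
 * in the remaining 2048-byte capacity are dropped, and dropped bytes are never
 * inspected -- the caller is responsible for flushing the window first.
 *
 * buf:  source bytes (may be NULL, in which case nothing is copied).
 * size: number of bytes offered; values <= 0 are ignored.
 */
void recent_recv_add(const void *buf, int size) {
    /* a negative size would turn into a huge size_t inside memcpy() */
    if (!buf || size <= 0) {
        return;
    }
    size = min(size, 2048 - recent_recv_len);
    if (size <= 0) {
        return;
    }
    memcpy(recent_recv + recent_recv_len, buf, (size_t)size);
    recent_recv_len += size;
}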
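/*
 * One-time setup for the hook: compiles the blacklist regex, resets the
 * window and resolves the real recv() out of libc.  Every failure is fatal
 * (exit(1)); a hook that silently failed open would defeat its purpose.
 * Not thread-safe: it relies on the first hooked recv() call triggering it.
 */
void do_init(void) {
    int ret = regcomp(&blacklist_re, blacklist, REG_EXTENDED | REG_NOSUB);
    if (ret) {
        regperror("regcomp", ret, &blacklist_re);
        exit(1);
    }
    recent_recv_clear();
    libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
    if (!libc) {
        /* dlopen() reports through dlerror(), not errno, so perror() printed
         * whatever stale errno happened to be set */
        const char *err = dlerror();
        fprintf(stderr, "dlopen: %s\n", err ? err : "unknown error");
        exit(1);
    }
    real_recv = (ssize_t (*)(int, void *, size_t, int))dlsym(libc, "recv");
    if (!real_recv) {
        /* without this check the hooked recv() would call a NULL pointer */
        const char *err = dlerror();
        fprintf(stderr, "dlsym: %s\n", err ? err : "unknown error");
        exit(1);
    }
}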
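/*
 * LD_PRELOAD replacement for recv(2).  Forwards to the real recv(), pushes
 * the received bytes through the recent_recv window and terminates the
 * process with exit(2) as soon as the blacklist regex matches the window.
 *
 * Returns exactly what the real recv() returned.  Setup is lazy (do_init()
 * on the first call).  Only recv() is wrapped: bytes arriving through other
 * calls (read, recvfrom, recvmsg, ...) are not inspected.
 */
ssize_t recv(int socket, void *buffer, size_t size, int flags) {
    if (!real_recv) {
        do_init();
    }
    /* ssize_t, not int: keeps large counts and negative errors intact */
    ssize_t ret = real_recv(socket, buffer, size, flags);
    if (ret <= 0) {
        return ret;
    }
    /* Feed the payload in chunks so that bytes which do not fit in the
     * remaining window capacity are inspected in a fresh window instead of
     * being dropped.  A token split across two windows can still slip by;
     * the window is a heuristic, not a stream parser. */
    const char *p = buffer;
    size_t left = (size_t)ret;
    while (left > 0) {
        if (recent_recv_is_full()) {
            recent_recv_clear();
        }
        int room = 2048 - recent_recv_len;
        int chunk = left < (size_t)room ? (int)left : room;
        recent_recv_add(p, chunk);
        /* regexec() reads recent_recv as a C string, so inspection stops at
         * the first NUL byte in the window; binary payloads are only partly
         * checked */
        if (!regexec(&blacklist_re, recent_recv, 0, NULL, 0)) {
            fprintf(stderr, "blacklist matched\n");
            exit(2);
        }
        p += chunk;
        left -= (size_t)chunk;
    }
    /* the original fell off the end here: no return value on the success path */
    return ret;
}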
/* compile with: gcc -shared -fPIC -o hook.so hook.c -ldl */
#include <stdio.h>
#include <stdlib.h>
#include <regex.h>
#include <dlfcn.h>
#include <memory.h>
static void *libc = NULL;        /* handle from dlopen("libc.so.6") in do_init(); never dlclose()d */
/* POSIX ERE applied to the read window.  The C escapes put raw bytes into
 * the pattern, so it matches any byte outside 0x20-0x7F/TAB/CR/LF, or a
 * literal "..", "/" or "\" -- i.e. non-text data or path-like fragments.
 * Compiled once in do_init(). */
static const char *blacklist = "[^\x20-\x7F\t\x0d\x0a]|\\.\\.|\\/|\\\\";
static regex_t blacklist_re;
/* Window of the most recently read bytes.  The extra byte keeps the array
 * NUL-terminated for regexec(): static storage starts zeroed and
 * recent_read_clear() only ever touches the first 2048 bytes. */
static char recent_read[2048 + 1];
static int recent_read_len = 0;   /* number of valid bytes in recent_read */
/* The genuine libc read(), resolved by do_init() on the first hooked call;
 * NULL means "not initialised yet".  Not static, so it is an exported
 * symbol of the shared object. */
ssize_t (*real_read)(int fd, void *buffer, size_t size);
/* Smaller of two ints; used to clamp a copy size to the window's free space. */
static int min(int v1, int v2) {
    if (v2 < v1) {
        return v2;
    }
    return v1;
}
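/*
 * Prints a human-readable description of a regcomp()/regexec() error code
 * to stderr, perror()-style.
 *
 * prefix: label printed before the message (e.g. "regcomp").
 * code:   the non-zero value returned by regcomp() or regexec().
 * re:     the regex_t handed to the failing call.
 */
void regperror(const char *prefix, int code, const regex_t *re) {
    char msg[512 + 1] = "";
    /* regerror() always NUL-terminates within the size it is given; a longer
     * description is truncated, which is fine for a diagnostic */
    regerror(code, re, msg, sizeof msg);
    /* the original omitted the newline, so the next stderr line was glued on */
    fprintf(stderr, "%s: %s\n", prefix, msg);
}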
/* Empties the window: zeroes its 2048 data bytes and resets the fill count. */
void recent_read_clear() {
    recent_read_len = 0;
    memset(&recent_read[0], 0, 2048);
}
/* Non-zero once the window holds all 2048 bytes; read() then clears it. */
int recent_read_is_full() {
    return !(recent_read_len < 2048);
}
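/*
 * Appends up to `size` bytes of `buf` to the window.  Bytes that do not fit
 * in the remaining 2048-byte capacity are dropped, and dropped bytes are never
 * inspected -- the caller is responsible for flushing the window first.
 *
 * buf:  source bytes (may be NULL, in which case nothing is copied).
 * size: number of bytes offered; values <= 0 are ignored.
 */
void recent_read_add(const void *buf, int size) {
    /* a negative size would turn into a huge size_t inside memcpy() */
    if (!buf || size <= 0) {
        return;
    }
    size = min(size, 2048 - recent_read_len);
    if (size <= 0) {
        return;
    }
    memcpy(recent_read + recent_read_len, buf, (size_t)size);
    recent_read_len += size;
}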
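/*
 * One-time setup for the hook: compiles the blacklist regex, resets the
 * window and resolves the real read() out of libc.  Every failure is fatal
 * (exit(1)); a hook that silently failed open would defeat its purpose.
 * Not thread-safe: it relies on the first hooked read() call triggering it.
 */
void do_init(void) {
    int ret = regcomp(&blacklist_re, blacklist, REG_EXTENDED | REG_NOSUB);
    if (ret) {
        regperror("regcomp", ret, &blacklist_re);
        exit(1);
    }
    recent_read_clear();
    libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
    if (!libc) {
        /* dlopen() reports through dlerror(), not errno, so perror() printed
         * whatever stale errno happened to be set */
        const char *err = dlerror();
        fprintf(stderr, "dlopen: %s\n", err ? err : "unknown error");
        exit(1);
    }
    real_read = (ssize_t (*)(int, void *, size_t))dlsym(libc, "read");
    if (!real_read) {
        /* without this check the hooked read() would call a NULL pointer */
        const char *err = dlerror();
        fprintf(stderr, "dlsym: %s\n", err ? err : "unknown error");
        exit(1);
    }
}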
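/*
 * LD_PRELOAD replacement for read(2).  Forwards to the real read(), pushes
 * the bytes through the recent_read window and terminates the process with
 * exit(2) as soon as the blacklist regex matches the window.
 *
 * Returns exactly what the real read() returned.  Setup is lazy (do_init()
 * on the first call).  Every descriptor is covered -- files, pipes and
 * sockets alike -- but only read() itself; recv()/recvfrom()/recvmsg() and
 * friends are not inspected.
 */
ssize_t read(int fd, void *buffer, size_t size) {
    if (!real_read) {
        do_init();
    }
    /* ssize_t, not int: keeps large counts and negative errors intact */
    ssize_t ret = real_read(fd, buffer, size);
    if (ret <= 0) {
        return ret;
    }
    /* Feed the payload in chunks so that bytes which do not fit in the
     * remaining window capacity are inspected in a fresh window instead of
     * being dropped.  A match split across two windows can still slip by;
     * the window is a heuristic, not a stream parser. */
    const char *p = buffer;
    size_t left = (size_t)ret;
    while (left > 0) {
        if (recent_read_is_full()) {
            recent_read_clear();
        }
        int room = 2048 - recent_read_len;
        int chunk = left < (size_t)room ? (int)left : room;
        recent_read_add(p, chunk);
        /* regexec() reads recent_read as a C string, so inspection stops at
         * the first NUL byte in the window; binary payloads are only partly
         * checked */
        if (!regexec(&blacklist_re, recent_read, 0, NULL, 0)) {
            exit(2);
        }
        p += chunk;
        left -= (size_t)chunk;
    }
    /* the original fell off the end here: no return value on the success path */
    return ret;
}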
/* compile with: gcc -shared -fPIC -o hook.so hook.c -ldl */
#include <stdio.h>
#include <stdlib.h>
#include <regex.h>
#include <dlfcn.h>
#include <memory.h>
static void *libc = NULL;        /* handle from dlopen("libc.so.6") in do_init(); never dlclose()d */
/* Placeholder: replace with the POSIX ERE to reject.  As written it is a
 * (valid) pattern of its own, so the hook will compile and run without
 * blocking anything useful.  Compiled once in do_init(). */
static const char *blacklist = "* blacklist pattern here *";
static regex_t blacklist_re;
/* Window of the most recently received bytes.  The extra byte keeps the
 * array NUL-terminated for regexec(): static storage starts zeroed and
 * recent_recv_clear() only ever touches the first 2048 bytes. */
static char recent_recv[2048 + 1];
static int recent_recv_len = 0;   /* number of valid bytes in recent_recv */
/* The genuine libc recv(), resolved by do_init() on the first hooked call;
 * NULL means "not initialised yet".  Not static, so it is an exported
 * symbol of the shared object. */
ssize_t (*real_recv)(int socket, void *buffer, size_t size, int flags);
/* Smaller of two ints; used to clamp a copy size to the window's free space. */
static int min(int v1, int v2) {
    if (v2 < v1) {
        return v2;
    }
    return v1;
}
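/*
 * Prints a human-readable description of a regcomp()/regexec() error code
 * to stderr, perror()-style.
 *
 * prefix: label printed before the message (e.g. "regcomp").
 * code:   the non-zero value returned by regcomp() or regexec().
 * re:     the regex_t handed to the failing call.
 */
void regperror(const char *prefix, int code, const regex_t *re) {
    char msg[512 + 1] = "";
    /* regerror() always NUL-terminates within the size it is given; a longer
     * description is truncated, which is fine for a diagnostic */
    regerror(code, re, msg, sizeof msg);
    /* the original omitted the newline, so the next stderr line was glued on */
    fprintf(stderr, "%s: %s\n", prefix, msg);
}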
/* Empties the window: zeroes its 2048 data bytes and resets the fill count. */
void recent_recv_clear() {
    recent_recv_len = 0;
    memset(&recent_recv[0], 0, 2048);
}
/* Non-zero once the window holds all 2048 bytes; recv() then clears it. */
int recent_recv_is_full() {
    return !(recent_recv_len < 2048);
}
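/*
 * Appends up to `size` bytes of `buf` to the window.  Bytes that do not fit
 * in the remaining 2048-byte capacity are dropped, and dropped bytes are never
 * inspected -- the caller is responsible for flushing the window first.
 *
 * buf:  source bytes (may be NULL, in which case nothing is copied).
 * size: number of bytes offered; values <= 0 are ignored.
 */
void recent_recv_add(const void *buf, int size) {
    /* a negative size would turn into a huge size_t inside memcpy() */
    if (!buf || size <= 0) {
        return;
    }
    size = min(size, 2048 - recent_recv_len);
    if (size <= 0) {
        return;
    }
    memcpy(recent_recv + recent_recv_len, buf, (size_t)size);
    recent_recv_len += size;
}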
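/*
 * One-time setup for the hook: compiles the blacklist regex, resets the
 * window and resolves the real recv() out of libc.  Every failure is fatal
 * (exit(1)); a hook that silently failed open would defeat its purpose.
 * Not thread-safe: it relies on the first hooked recv() call triggering it.
 */
void do_init(void) {
    int ret = regcomp(&blacklist_re, blacklist, REG_EXTENDED | REG_NOSUB);
    if (ret) {
        regperror("regcomp", ret, &blacklist_re);
        exit(1);
    }
    recent_recv_clear();
    libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
    if (!libc) {
        /* dlopen() reports through dlerror(), not errno, so perror() printed
         * whatever stale errno happened to be set */
        const char *err = dlerror();
        fprintf(stderr, "dlopen: %s\n", err ? err : "unknown error");
        exit(1);
    }
    real_recv = (ssize_t (*)(int, void *, size_t, int))dlsym(libc, "recv");
    if (!real_recv) {
        /* without this check the hooked recv() would call a NULL pointer */
        const char *err = dlerror();
        fprintf(stderr, "dlsym: %s\n", err ? err : "unknown error");
        exit(1);
    }
}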
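/*
 * LD_PRELOAD replacement for recv(2).  Forwards to the real recv(), pushes
 * the received bytes through the recent_recv window and terminates the
 * process with exit(2) as soon as the blacklist regex matches the window.
 *
 * Returns exactly what the real recv() returned.  Setup is lazy (do_init()
 * on the first call).  Only recv() is wrapped: bytes arriving through other
 * calls (read, recvfrom, recvmsg, ...) are not inspected.
 */
ssize_t recv(int socket, void *buffer, size_t size, int flags) {
    if (!real_recv) {
        do_init();
    }
    /* ssize_t, not int: keeps large counts and negative errors intact */
    ssize_t ret = real_recv(socket, buffer, size, flags);
    if (ret <= 0) {
        return ret;
    }
    /* Feed the payload in chunks so that bytes which do not fit in the
     * remaining window capacity are inspected in a fresh window instead of
     * being dropped.  A match split across two windows can still slip by;
     * the window is a heuristic, not a stream parser. */
    const char *p = buffer;
    size_t left = (size_t)ret;
    while (left > 0) {
        if (recent_recv_is_full()) {
            recent_recv_clear();
        }
        int room = 2048 - recent_recv_len;
        int chunk = left < (size_t)room ? (int)left : room;
        recent_recv_add(p, chunk);
        /* regexec() reads recent_recv as a C string, so inspection stops at
         * the first NUL byte in the window; binary payloads are only partly
         * checked */
        if (!regexec(&blacklist_re, recent_recv, 0, NULL, 0)) {
            exit(2);
        }
        p += chunk;
        left -= (size_t)chunk;
    }
    /* the original fell off the end here: no return value on the success path */
    return ret;
}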
/* compile with: gcc -shared -fPIC -o hook.so hook.c -ldl */
#include <stdio.h>
#include <stdlib.h>
#include <regex.h>
#include <dlfcn.h>
#include <memory.h>
/* Byte-string search over a haystack of `size` bytes; defined elsewhere (not
 * in this listing).  Presumably returns NULL when `needle` is absent -- that
 * is how recent_read_search() uses it.  Whether `needle` must be
 * NUL-terminated is not visible here. */
char *memstr(char *haystack, char *needle, int size);
static void *libc = NULL;        /* handle from dlopen("libc.so.6") in do_init(); never dlclose()d */
/* The byte sequence whose appearance in the read window kills the process.
 * This variant uses memstr() rather than a regex. */
static char *blacklist = "/home/tokens/lonetuna";
static regex_t blacklist_re;     /* unused in this variant (as is <regex.h>) */
/* Window of the most recently read bytes; 8192 data bytes plus one spare.
 * Searched with an explicit length, so embedded NUL bytes do not stop it. */
static char recent_read[8192 + 1];
static int recent_read_len = 0;   /* number of valid bytes in recent_read */
/* The genuine libc read(), resolved by do_init() on the first hooked call;
 * NULL means "not initialised yet".  Not static, so it is an exported
 * symbol of the shared object. */
ssize_t (*real_read)(int fd, void *buffer, size_t size);
/* Smaller of two ints; used to clamp a copy size to the window's free space. */
static int min(int v1, int v2) {
    if (v2 < v1) {
        return v2;
    }
    return v1;
}
/* Empties the window: zeroes its 8192 data bytes and resets the fill count. */
void recent_read_clear() {
    recent_read_len = 0;
    memset(&recent_read[0], 0, 8192);
}
/* Non-zero while the window holds fewer than 900 bytes; read() skips the
 * search until then. */
int recent_read_is_underfilled() {
    if (recent_read_len < 900) {
        return 1;
    }
    return 0;
}
/* Non-zero once the window holds all 8192 bytes; read() then clears it. */
int recent_read_is_full() {
    return !(recent_read_len < 8192);
}
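/*
 * Appends up to `size` bytes of `buf` to the window.  Bytes that do not fit
 * in the remaining 8192-byte capacity are dropped, and dropped bytes are never
 * searched -- the caller is responsible for flushing the window first.
 *
 * buf:  source bytes (may be NULL, in which case nothing is copied).
 * size: number of bytes offered; values <= 0 are ignored.
 */
void recent_read_add(const void *buf, int size) {
    /* a negative size would turn into a huge size_t inside memcpy() */
    if (!buf || size <= 0) {
        return;
    }
    size = min(size, 8192 - recent_read_len);
    if (size <= 0) {
        return;
    }
    memcpy(recent_read + recent_read_len, buf, (size_t)size);
    recent_read_len += size;
}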
/* 1 if `needle` occurs within the valid bytes of the window, else 0. */
int recent_read_search(void *needle) {
    char *hit = memstr(recent_read, (char *)needle, recent_read_len);
    return hit != NULL;
}
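/*
 * One-time setup for the hook: resets the window and resolves the real
 * read() out of libc.  Every failure is fatal (exit(1)); a hook that silently
 * failed open would defeat its purpose.  Not thread-safe: it relies on the
 * first hooked read() call triggering it.
 */
void do_init(void) {
    recent_read_clear();
    libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
    if (!libc) {
        /* dlopen() reports through dlerror(), not errno, so perror() printed
         * whatever stale errno happened to be set */
        const char *err = dlerror();
        fprintf(stderr, "dlopen: %s\n", err ? err : "unknown error");
        exit(1);
    }
    real_read = (ssize_t (*)(int, void *, size_t))dlsym(libc, "read");
    if (!real_read) {
        /* without this check the hooked read() would call a NULL pointer */
        const char *err = dlerror();
        fprintf(stderr, "dlsym: %s\n", err ? err : "unknown error");
        exit(1);
    }
}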
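/*
 * LD_PRELOAD replacement for read(2).  Forwards to the real read(), pushes
 * the bytes through the recent_read window and terminates the process with
 * exit(2) once the blacklist token is found in the window.
 *
 * Returns exactly what the real read() returned.  Setup is lazy (do_init()
 * on the first call).  Every descriptor is covered -- files, pipes and
 * sockets alike -- but only read() itself; recv()/recvfrom()/recvmsg() and
 * friends are not inspected.
 */
ssize_t read(int fd, void *buffer, size_t size) {
    if (!real_read) {
        do_init();
    }
    /* ssize_t, not int: keeps large counts and negative errors intact */
    ssize_t ret = real_read(fd, buffer, size);
    if (ret <= 0) {
        return ret;
    }
    /* Feed the payload in chunks so that bytes which do not fit in the
     * remaining window capacity are searched in a fresh window instead of
     * being dropped.  A token split across two windows can still slip by;
     * the window is a heuristic, not a stream parser. */
    const char *p = buffer;
    size_t left = (size_t)ret;
    while (left > 0) {
        if (recent_read_is_full()) {
            recent_read_clear();
        }
        int room = 8192 - recent_read_len;
        int chunk = left < (size_t)room ? (int)left : room;
        recent_read_add(p, chunk);
        /* the search is skipped until the window holds at least 900 bytes,
         * so a token that arrives early is only seen once more data follows */
        if (!recent_read_is_underfilled() && recent_read_search(blacklist)) {
            exit(2);
        }
        p += chunk;
        left -= (size_t)chunk;
    }
    /* the original fell off the end here: no return value on the success path */
    return ret;
}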
/* compile with: gcc -shared -fPIC -o hook.so hook.c -ldl */
#include <stdio.h>
#include <stdlib.h>
#include <regex.h>
#include <dlfcn.h>
#include <memory.h>
/* Byte-string search over a haystack of `size` bytes; defined elsewhere (not
 * in this listing).  Presumably returns NULL when `needle` is absent -- that
 * is how recent_read_search() uses it.  Whether `needle` must be
 * NUL-terminated is not visible here. */
char *memstr(char *haystack, char *needle, int size);
static void *libc = NULL;        /* handle from dlopen("libc.so.6") in do_init(); never dlclose()d */
/* Placeholder: replace with the byte sequence whose appearance in the read
 * window should kill the process.  This variant uses memstr() rather than
 * a regex. */
static char *blacklist = "* token here *";
static regex_t blacklist_re;     /* unused in this variant (as is <regex.h>) */
/* Window of the most recently read bytes; 8192 data bytes plus one spare.
 * Searched with an explicit length, so embedded NUL bytes do not stop it. */
static char recent_read[8192 + 1];
static int recent_read_len = 0;   /* number of valid bytes in recent_read */
/* The genuine libc read(), resolved by do_init() on the first hooked call;
 * NULL means "not initialised yet".  Not static, so it is an exported
 * symbol of the shared object. */
ssize_t (*real_read)(int fd, void *buffer, size_t size);
/* Smaller of two ints; used to clamp a copy size to the window's free space. */
static int min(int v1, int v2) {
    if (v2 < v1) {
        return v2;
    }
    return v1;
}
/* Empties the window: zeroes its 8192 data bytes and resets the fill count. */
void recent_read_clear() {
    recent_read_len = 0;
    memset(&recent_read[0], 0, 8192);
}
/* Non-zero while the window holds fewer than 900 bytes; read() skips the
 * search until then. */
int recent_read_is_underfilled() {
    if (recent_read_len < 900) {
        return 1;
    }
    return 0;
}
/* Non-zero once the window holds all 8192 bytes; read() then clears it. */
int recent_read_is_full() {
    return !(recent_read_len < 8192);
}
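/*
 * Appends up to `size` bytes of `buf` to the window.  Bytes that do not fit
 * in the remaining 8192-byte capacity are dropped, and dropped bytes are never
 * searched -- the caller is responsible for flushing the window first.
 *
 * buf:  source bytes (may be NULL, in which case nothing is copied).
 * size: number of bytes offered; values <= 0 are ignored.
 */
void recent_read_add(const void *buf, int size) {
    /* a negative size would turn into a huge size_t inside memcpy() */
    if (!buf || size <= 0) {
        return;
    }
    size = min(size, 8192 - recent_read_len);
    if (size <= 0) {
        return;
    }
    memcpy(recent_read + recent_read_len, buf, (size_t)size);
    recent_read_len += size;
}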
/* 1 if `needle` occurs within the valid bytes of the window, else 0. */
int recent_read_search(void *needle) {
    char *hit = memstr(recent_read, (char *)needle, recent_read_len);
    return hit != NULL;
}
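/*
 * One-time setup for the hook: resets the window and resolves the real
 * read() out of libc.  Every failure is fatal (exit(1)); a hook that silently
 * failed open would defeat its purpose.  Not thread-safe: it relies on the
 * first hooked read() call triggering it.
 */
void do_init(void) {
    recent_read_clear();
    libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
    if (!libc) {
        /* dlopen() reports through dlerror(), not errno, so perror() printed
         * whatever stale errno happened to be set */
        const char *err = dlerror();
        fprintf(stderr, "dlopen: %s\n", err ? err : "unknown error");
        exit(1);
    }
    real_read = (ssize_t (*)(int, void *, size_t))dlsym(libc, "read");
    if (!real_read) {
        /* without this check the hooked read() would call a NULL pointer */
        const char *err = dlerror();
        fprintf(stderr, "dlsym: %s\n", err ? err : "unknown error");
        exit(1);
    }
}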
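/*
 * LD_PRELOAD replacement for read(2).  Forwards to the real read(), pushes
 * the bytes through the recent_read window and terminates the process with
 * exit(2) once the blacklist token is found in the window.
 *
 * Returns exactly what the real read() returned.  Setup is lazy (do_init()
 * on the first call).  Every descriptor is covered -- files, pipes and
 * sockets alike -- but only read() itself; recv()/recvfrom()/recvmsg() and
 * friends are not inspected.
 */
ssize_t read(int fd, void *buffer, size_t size) {
    if (!real_read) {
        do_init();
    }
    /* ssize_t, not int: keeps large counts and negative errors intact */
    ssize_t ret = real_read(fd, buffer, size);
    if (ret <= 0) {
        return ret;
    }
    /* Feed the payload in chunks so that bytes which do not fit in the
     * remaining window capacity are searched in a fresh window instead of
     * being dropped.  A token split across two windows can still slip by;
     * the window is a heuristic, not a stream parser. */
    const char *p = buffer;
    size_t left = (size_t)ret;
    while (left > 0) {
        if (recent_read_is_full()) {
            recent_read_clear();
        }
        int room = 8192 - recent_read_len;
        int chunk = left < (size_t)room ? (int)left : room;
        recent_read_add(p, chunk);
        /* the search is skipped until the window holds at least 900 bytes,
         * so a token that arrives early is only seen once more data follows */
        if (!recent_read_is_underfilled() && recent_read_search(blacklist)) {
            exit(2);
        }
        p += chunk;
        left -= (size_t)chunk;
    }
    /* the original fell off the end here: no return value on the success path */
    return ret;
}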