Patch#fake stack argv ptr

Hackerl · Nov 4, 2020 · 0ba0a46 · 0ba0a46
1 parent 20fd52e
commit 0ba0a46
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 12 deletions.
diff --git a/code/fakestack.h b/code/fakestack.h
@@ -45,10 +45,12 @@
 
 static inline uint8_t * fake_stack(uint8_t * sp, int ac, char ** av, char ** env, unsigned long * auxv)
 {
-    uint8_t *   env_ptrs[256];
+    uint8_t *   av_ptr[256];
+    uint8_t *   env_ptr[256];
     int         env_max = 0;
-    char *      av_0    = NULL;
-    memset(env_ptrs, 0, sizeof(env_ptrs));
+
+    memset(env_ptr, 0, sizeof(env_ptr));
+    memset(av_ptr, 0, sizeof(av_ptr));
 
     // align stack
     FSTACK_PUSH_STR(sp, "");
@@ -57,31 +59,32 @@ static inline uint8_t * fake_stack(uint8_t * sp, int ac, char ** av, char ** env
     while(*env && env_max < 254)
     {
         FSTACK_PUSH_STR(sp, *env);
-        env_ptrs[env_max++] = sp;
+        env_ptr[env_max++] = sp;
         env ++;
     }
 
     // add to envdata
     FSTACK_PUSH_STR(sp, "MANMAP=1");
-    env_ptrs[env_max++] = sp;
+    env_ptr[env_max++] = sp;
 
     // argv data
-    for(int i=0; i<ac; i++)
+    for(int i=0; i<ac; i++) {
         FSTACK_PUSH_STR(sp, av[ac - i - 1]);
-    av_0 = (char*)sp;
+        av_ptr[i] = sp;
+    }
 
     // auxv
     FSTACK_PUSH_AUXV(sp, auxv);
 
     // envp
     FSTACK_PUSH_LONG(sp, 0);
     for(int i=0; i<env_max; i++)
-        FSTACK_PUSH_LONG(sp, (unsigned long)env_ptrs[i]);
+        FSTACK_PUSH_LONG(sp, (unsigned long)env_ptr[i]);
 
     // argp
     FSTACK_PUSH_LONG(sp, 0);
     for(int i=0; i<ac; i++)
-        FSTACK_PUSH_LONG(sp, (unsigned long)av_0 + (ac - i - 1) * sizeof(unsigned long));
+        FSTACK_PUSH_LONG(sp, (unsigned long)av_ptr[i]);
     // argc
     FSTACK_PUSH_LONG(sp, ac);
 

diff --git a/samples/pyinject.c b/samples/pyinject.c
@@ -9,9 +9,14 @@ typedef int (*FUNC_PyRun_SimpleString)(const char *command);
 typedef int (*FUNC_PyGILState_Ensure)();
 typedef void (*FUNC_PyGILState_Release)(int);
 
-int main() {
+int main(int ac, char ** av, char ** env) {
     printf("> inject python\n");
 
+    if (ac < 2) {
+        printf("> need python command");
+        return 0;
+    }
+
     int fd = _open("/proc/self/exe", O_RDONLY, 0);
 
     if (fd < 0)
@@ -134,7 +139,7 @@ int main() {
 
     if (PyGILState_Ensure && PyRun_SimpleString && PyGILState_Release) {
         int state = PyGILState_Ensure();
-        PyRun_SimpleString("print('> message from python')");
+        PyRun_SimpleString(av[1]);
         PyGILState_Release(state);
     }
 
@@ -144,7 +149,11 @@ int main() {
 }
 
 void _main(unsigned long * sp) {
-    _exit(main());
+    int ac = *sp;
+    char **av = (char **)(sp + 1);
+    char **env = av + ac + 1;
+
+    _exit(main(ac, av, env));
 }
 
 void _start(void) {