1 unstable release
0.1.0 | June 14, 2023
#787 in Unix API
420KB
310 lines
YAUI
Yet another Unix injector!
- Supports arm, aarch64, i386/x86, x86_64.
- Supports the Android bionic linker!
- Partial support for the Android emulator
How
Using ptrace-do, we can call remote functions inside a Unix process. We apply the same library-injection technique as Windows LoadLibrary injection, but through the operating system's normal dynamic object loading facility: see libc's dlopen.
Build
git clone https://github.com/ohchase/yaui
cd yaui
cargo build
./target/debug/yaui --pid 777 --payload evil.so
Likewise for Android
git clone https://github.com/ohchase/yaui
cd yaui
cross build --target aarch64-linux-android
adb push target/aarch64-linux-android/debug/yaui /data/local/tmp
adb shell "su -c 'chmod +x yaui'"
Pitfalls
Because of SELinux, injecting on Android has some pitfalls. If you inject a typical shared object from /data/local/tmp into an application, the payload's executable sections will not be mapped. The payload shows up in the application's proc maps, but its constructor is never called.
Fadeevab found a solution; it is all at the bottom of this post :)!
https://fadeevab.com/shared-library-injection-on-android-8/
SELinux Label for Injection Library
The final step is to overcome SELinux, which denies mmap of a shared library from /data. Use the same trick with a label as before:
chcon -v u:object_r:apk_data_file:s0 /data/local/tmp/libinject.so
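The two observations above (an injector attaches with ptrace and calls dlopen remotely; a blocked payload is visible in proc maps without an executable segment) are also what a defender can look for on a live process. The following is an added example, not code from the yaui project: it parses the kinds of lines found in /proc/<pid>/maps and /proc/<pid>/status, flags shared objects mapped from directories an ordinary app should not load code from, records whether any of their segments is executable, and reports a non-zero TracerPid. The untrusted-directory list and the sample maps/status text are constructed for illustration.

```rust
// Added example (not part of the yaui project): a defender-side check for
// the artefacts a ptrace/dlopen injection leaves in /proc/<pid>/maps and
// /proc/<pid>/status. The directory list and sample text are constructed.
use std::fs;

/// Directories from which a mapped shared object is unexpected for an
/// ordinary app (assumed policy for this example, not defined by yaui).
const UNTRUSTED_DIRS: &[&str] = &["/data/local/tmp/", "/tmp/", "/dev/shm/"];

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub path: String,
    pub executable: bool,
}

/// Parse one maps line: "start-end perms offset dev inode [path]".
/// Returns (perms, path); anonymous mappings have no path and yield None.
fn parse_maps_line(line: &str) -> Option<(String, String)> {
    let mut fields = line.split_whitespace();
    let _range = fields.next()?;
    let perms = fields.next()?;
    let _offset = fields.next()?;
    let _dev = fields.next()?;
    let _inode = fields.next()?;
    let path = fields.next()?;
    Some((perms.to_string(), path.to_string()))
}

/// One finding per shared object mapped from an untrusted directory.
/// `executable` is true when any of its segments carries the x bit, i.e.
/// the library was actually loaded; the SELinux-blocked case described
/// above appears as a path with no executable segment at all.
pub fn suspicious_mappings(maps: &str) -> Vec<Finding> {
    let mut findings: Vec<Finding> = Vec::new();
    for line in maps.lines() {
        let Some((perms, path)) = parse_maps_line(line) else { continue };
        if !path.ends_with(".so") || !UNTRUSTED_DIRS.iter().any(|d| path.starts_with(d)) {
            continue;
        }
        let exec = perms.contains('x');
        if let Some(pos) = findings.iter().position(|f| f.path == path) {
            findings[pos].executable |= exec;
        } else {
            findings.push(Finding { path, executable: exec });
        }
    }
    findings
}

/// TracerPid from /proc/<pid>/status; non-zero means a ptrace tracer
/// (debugger or injector) is attached right now.
pub fn tracer_pid(status: &str) -> Option<u32> {
    status
        .lines()
        .find_map(|l| l.strip_prefix("TracerPid:"))
        .and_then(|v| v.trim().parse().ok())
}

/// Constructed sample: a payload from /data/local/tmp that did get an
/// executable segment (i.e. the load succeeded).
pub const SAMPLE_MAPS: &str = "\
7637688000-7637700000 r--p 00000000 fd:01 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7637700000-7637800000 r-xp 00078000 fd:01 1234 /apex/com.android.runtime/lib64/bionic/libc.so
763cb5d000-763cb5e000 rw-p 00000000 00:00 0
7f00000000-7f00001000 r--p 00000000 fd:01 5678 /data/local/tmp/libpayload.so
7f00001000-7f00003000 r-xp 00001000 fd:01 5678 /data/local/tmp/libpayload.so
";

/// Constructed sample status excerpt with a tracer attached.
pub const SAMPLE_STATUS: &str = "Name:\tcom.example.app\nState:\tt (tracing stop)\nTracerPid:\t3600\n";

fn main() {
    // With a pid argument, read the live files (needs suitable privileges);
    // without one, run over the constructed samples.
    let (maps, status) = match std::env::args().nth(1) {
        Some(p) => (
            fs::read_to_string(format!("/proc/{p}/maps")).unwrap_or_default(),
            fs::read_to_string(format!("/proc/{p}/status")).unwrap_or_default(),
        ),
        None => (SAMPLE_MAPS.to_string(), SAMPLE_STATUS.to_string()),
    };
    for f in suspicious_mappings(&maps) {
        println!("untrusted SO mapped: {} (executable: {})", f.path, f.executable);
    }
    if let Some(t) = tracer_pid(&status).filter(|&t| t != 0) {
        println!("process is being traced by pid {t}");
    }
}
```

Run it with no arguments to see the sample findings, or pass a pid to inspect a real process. A payload whose load was blocked as described in the Pitfalls section is reported with executable: false, which distinguishes "present but inert" from "loaded and running".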
Usage examples
By process name
yaui --target host-process --payload /target/debug/libpayload.so
By process identifier
yaui --pid 777 --payload /target/debug/libpayload.so
Sample output
aarch64-linux-android injection
gta7litewifi:/data/local/tmp # ./yaui --pid 3615 --payload libpayload.so
21:58:46.796938Z INFO yaui: Yaui: Yet another unix injector!
21:58:46.813933Z INFO yaui: Target payload: libpayload.so
21:58:46.814144Z INFO yaui: Target pid for injection: 3615
21:58:47.076213Z WARN yaui: Using injection configs: InjectConfig {
spoof_so_path: "/apex/com.android.runtime/lib64/bionic/libc.so",
allocater_so_path: "/apex/com.android.runtime/lib64/bionic/libc.so",
linker_so_path: "/apex/com.android.runtime/lib64/bionic/libdl.so",
}
21:58:47.076937Z INFO yaui: Injecting Payload: "/data/local/tmp/libpayload.so" into Pid: 3615
21:58:47.077242Z INFO yaui: Successfully attached to the process
21:58:47.080813Z INFO yaui: Identifed internal range "/apex/com.android.runtime/lib64/bionic/libc.so" at 7C19F4E000
21:58:47.206350Z INFO yaui: Identifed remote range "/apex/com.android.runtime/lib64/bionic/libc.so" at 7637688000
21:58:47.206574Z INFO yaui: Identified remote mmap procedure at 7637760400
21:58:47.210182Z INFO yaui: Identifed internal range "/apex/com.android.runtime/lib64/bionic/libdl.so" at 7C19F09000
21:58:47.336861Z INFO yaui: Identifed remote range "/apex/com.android.runtime/lib64/bionic/libdl.so" at 763BA16000
21:58:47.337073Z INFO yaui: Identified remote dlerror procedure at 763ba17030
21:58:47.340718Z INFO yaui: Identifed internal range "/apex/com.android.runtime/lib64/bionic/libdl.so" at 7C19F09000
21:58:47.468265Z INFO yaui: Identifed remote range "/apex/com.android.runtime/lib64/bionic/libdl.so" at 763BA16000
21:58:47.468540Z INFO yaui: Identified remote dlopen procedure at 763ba17018
21:58:47.594403Z INFO yaui: Identified spoof module base address for return address: 7637688000
21:58:47.594596Z INFO ptrace_do: WaitStatus { is_stopped: true, is_signaled: false, is_continued: false, is_exited: false, stop_code: 19 }
21:58:47.594681Z INFO yaui: Successfully waited for the mmap frame
21:58:47.595591Z INFO ptrace_do: WaitStatus { is_stopped: true, is_signaled: false, is_continued: false, is_exited: false, stop_code: 11 }
21:58:47.595810Z INFO yaui: Mmap was successful created new mapping at 763cb5d000 with size 1000
21:58:47.596081Z INFO yaui: Successfully wrote payload location to 763cb5d000
21:58:47.600293Z INFO ptrace_do: WaitStatus { is_stopped: true, is_signaled: false, is_continued: false, is_exited: false, stop_code: 11 }
21:58:47.600665Z INFO yaui: Executed remote dlopen function
21:58:47.600783Z INFO yaui: Successfully executed remote dlopen function
21:58:47.600888Z INFO ptrace_do: Successfully detached from Pid: 3615
Showcase
- Yaui injects the shared object payload
- Plt-rs walks the link map on android/linux to hook eglSwapBuffers
- EGui and Glow renderer
Dependencies
~0.8–9.5MB
~88K SLoC