Commit 68546bd6 authored by Tong Sun's avatar Tong Sun

New upstream version 4.0.3

parent aad8d6b2
Francisco Garcia <frosal@fi.upm.es>
MD. JAHIDUL HAMID <jahidulhamid@yahoo.com>
intika <intika@librefox.org>
CHANGES
4.0.3 Tue Nov 20 08:22:20 UTC 2018
* Enhance -H flag by intika <https://github.com/intika> (Hide commands arguments from ps and cmdline)
* Remove -s flag (experimental feature not working as expected by intika <https://github.com/intika>)
4.0.2 Mon 01 Jul 2019 02:57:36 PM UTC
* Fix typo
* Fix NULL-ptr dereference in shll string (Thanks to Ren Kimura<https://github.com/RKX1209>)
4.0.1 Tue Nov 20 08:22:20 UTC 2018
* Add LDFLAGS environment variable (Thanks to zboszor <https://github.com/zboszor>)
4.0.0 Mon Nov 12 16:54:56 UTC 2018
* Add -H option for extra security without root (Thanks to intika <https://github.com/intika>). It protects against dumping, code injection, `cat /proc/pid/cmdline`, ptrace, etc.. (only works with Bourne shell (sh) scripts with no parameter)
* Add -H option for extra security without root (Thanks to intika <https://github.com/intika>). It protects against dumping, code injection, `cat /proc/pid/cmdline`, ptrace, etc.. (only works with Bourne shell (sh) scripts with no parameter)
* Add -s option to force single process for hardening features (requires -H) <https://github.com/intika>. (only works with Bourne shell (sh) scripts with no parameter)
* dash support
* dash support
3.9.8 Sat Oct 20 17:49:28 UTC 2018
* Add setuid option -S (Thanks to Boon Pang <https://github.com/wombat78>)
* Add setuid option -S (Thanks to Boon Pang <https://github.com/wombat78>)
3.9.7 Sat Oct 20 15:25:13 UTC 2018
* Fix issue #58
* Fix issue #58
3.9.6 Sat Jun 3 10:05:03 UTC 2017
......
# Makefile.in generated by automake 1.15.1 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2017 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -162,7 +162,7 @@ am__recursive_targets = \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
cscope distdir distdir-am dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
......@@ -310,7 +310,6 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
......@@ -348,8 +347,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' $(SHELL) ./config.status'; \
$(SHELL) ./config.status;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
......@@ -510,7 +509,10 @@ distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(DISTFILES)
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
$(am__remove_distdir)
test -d "$(distdir)" || mkdir "$(distdir)"
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
......
......@@ -38,7 +38,6 @@ shc [options]
shc -f script.sh -o binary
shc -U -f script.sh -o binary # Untraceable binary (prevent strace, ptrace etc..)
shc -H -f script.sh -o binary # Untraceable binary, does not require root (only bourne shell (sh) scripts with no parameter)
shc -H -s -f script.sh -o binary # Untraceable binary running in a singe process, does not require root (only bourne shell (sh) scripts with no parameter)
```
## The hardening flag -H
......
#! /bin/sh
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2012-10-14.11; # UTC
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2014 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
......@@ -17,7 +17,7 @@ scriptversion=2012-10-14.11; # UTC
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
......@@ -255,7 +255,8 @@ EOF
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
......@@ -339,9 +340,9 @@ exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2016-01-11.22; # UTC
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2017 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -16,7 +16,7 @@ scriptversion=2016-01-11.22; # UTC
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
......@@ -783,7 +783,7 @@ exit 0
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
......
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2014-09-12.12; # UTC
scriptversion=2018-03-11.20; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
......@@ -271,15 +271,18 @@ do
fi
dst=$dst_arg
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
# If destination is a directory, append the input filename.
if test -d "$dst"; then
if test "$is_target_a_directory" = never; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dst=$dstdir/`basename "$src"`
dstbase=`basename "$src"`
case $dst in
*/) dst=$dst$dstbase;;
*) dst=$dst/$dstbase;;
esac
dstdir_status=0
else
dstdir=`dirname "$dst"`
......@@ -288,6 +291,11 @@ do
fi
fi
case $dstdir in
*/) dstdirslash=$dstdir;;
*) dstdirslash=$dstdir/;;
esac
obsolete_mkdir_used=false
if test $dstdir_status != 0; then
......@@ -324,14 +332,16 @@ do
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# $RANDOM is not portable (e.g. dash); use it when possible to
# lower collision chance
# Note that $RANDOM variable is not portable (e.g. dash); Use it
# here however when possible just to lower collision chance.
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
# create the $tmpdir first (and fail if unsuccessful) to make sure
# that nobody tries to guess the $tmpdir name.
# Because "mkdir -p" follows existing symlinks and we likely work
# directly in world-writeable /tmp, make sure that the '$tmpdir'
# directory is successfully created first before we actually test
# 'mkdir -p' feature.
if (umask $mkdir_umask &&
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
......@@ -434,8 +444,8 @@ do
else
# Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_
rmtmp=$dstdir/_rm.$$_
dsttmp=${dstdirslash}_inst.$$_
rmtmp=${dstdirslash}_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
......@@ -500,9 +510,9 @@ do
done
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
#! /bin/sh
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2013-10-28.13; # UTC
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
......@@ -17,7 +17,7 @@ scriptversion=2013-10-28.13; # UTC
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
......@@ -101,9 +101,9 @@ else
exit $st
fi
perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software
perl_URL=https://www.perl.org/
flex_URL=https://github.com/westes/flex
gnu_software_URL=https://www.gnu.org/software
program_details ()
{
......@@ -207,9 +207,9 @@ give_advice "$1" | sed -e '1s/^/WARNING: /' \
exit $st
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
AC_INIT([shc], [4.0.1], [http://github.com/neurobin/shc/issues])
AC_INIT([shc], [4.0.3], [http://github.com/neurobin/shc/issues])
AC_CONFIG_AUX_DIR(config)
#prefix="/usr"
AC_CONFIG_SRCDIR([src/shc.c])
......
......@@ -6,7 +6,7 @@ shc \- Generic shell script compiler
.PP
\f[B]shc\f[] [ \-e \f[I]date\f[] ] [ \-m \f[I]addr\f[] ] [ \-i
\f[I]iopt\f[] ] [ \-x \f[I]cmnd\f[] ] [ \-l \f[I]lopt\f[] ] [ \-o
\f[I]outfile\f[] ] [ \-ABCDhUHsvSr ] \-f \f[I]script\f[]
\f[I]outfile\f[] ] [ \-ABCDhUHvSr ] \-f \f[I]script\f[]
.SH DESCRIPTION
.PP
\f[B]shc\f[] creates a stripped binary executable version of the script
......@@ -86,15 +86,7 @@ Extra security flag without root access requirement that protects
against dumping, code injection, \f[C]cat\ /proc/pid/cmdline\f[],
ptrace, etc..
This feature is \f[B]experimental\f[] and may not work on all systems.
This option currently only works with Bourne shell (sh) scripts without
any positional parameters.
.PP
\-s : Hardening with single process.
Requires \-H option, runs the binary in a single process, shell is
called in the main process otherwise its called in a child process.
This feature is \f[B]experimental\f[] (may hang) and may not work on all
systems.
This option currently only works with Bourne shell (sh) scripts without
it require bourne shell (sh) scripts
any positional parameters.
.PP
\-C : Display license and exit
......@@ -147,6 +139,8 @@ limited by the operating system configuration parameter
.PP
Francisco Rosales <frosal@fi.upm.es>
.PP
intika <intika@librefox.org>
.PP
Md Jahidul Hamid <jahidulhamid@yahoo.com>
.SH REPORT BUGS TO
.PP
......
# Makefile.in generated by automake 1.15.1 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2017 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -115,7 +115,8 @@ am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/config/depcomp
am__depfiles_maybe = depfiles
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/shc.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
......@@ -236,7 +237,6 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
......@@ -267,8 +267,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
......@@ -332,7 +332,13 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shc.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shc.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
......@@ -400,7 +406,10 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
......@@ -472,7 +481,7 @@ clean: clean-am
clean-am: clean-binPROGRAMS clean-generic mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
-rm -f ./$(DEPDIR)/shc.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
......@@ -518,7 +527,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -rf ./$(DEPDIR)
-rm -f ./$(DEPDIR)/shc.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
......@@ -538,7 +547,7 @@ uninstall-am: uninstall-binPROGRAMS
.MAKE: install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-binPROGRAMS clean-generic cscopelist-am ctags ctags-am \
distclean distclean-compile distclean-generic distclean-tags \
distdir dvi dvi-am html html-am info info-am install \
......
......@@ -17,7 +17,7 @@
*/
static const char my_name[] = "shc";
static const char version[] = "Version 4.0.1";
static const char version[] = "Version 4.0.3";
static const char subject[] = "Generic Shell Script Compiler";
static const char cpright[] = "GNU GPL Version 3";
static const struct { const char * f, * s, * e; }
......@@ -68,7 +68,7 @@ static const char * abstract[] = {
0};
static const char usage[] =
"Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-o outfile] [-rvDSUHCABhs] -f script";
"Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-o outfile] [-rvDSUHCABh] -f script";
static const char * help[] = {
"",
......@@ -85,14 +85,7 @@ static const char * help[] = {
" -D Switch ON debug exec calls [OFF]",
" -U Make binary untraceable [no]",
" -H Hardening : extra security protection [no]",
" untraceable, undumpable, etc. and root is not required",
" * currently only works with bourne shell (sh)",
" * does not work with positional parameters",
" -s Hardening : use a single process (no child) [no]",
" option available only with -H otherwise its ignored",
" experimental feature may hang...",
" * currently only works with bourne shell (sh)",
" * does not work with positional parameters",
" Require bourne shell (sh) and parameters are not supported",
" -C Display license and exit",
" -A Display abstract and exit",
" -B Compile for busybox",
......@@ -148,15 +141,92 @@ static int TRACEABLE_flag = 1;
static const char HARDENING_line[] =
"#define HARDENING %d /* Define as 1 to disable ptrace/dump the executable */\n";
static int HARDENING_flag = 0;
static const char HARDENINGSP_line[] =
"#define HARDENINGSP %d /* Define as 1 to disable bash child process */\n";
static int HARDENINGSP_flag = 0;
static const char BUSYBOXON_line[] =
"#define BUSYBOXON %d /* Define as 1 to enable work with busybox */\n";
static int BUSYBOXON_flag = 0;
static const char * RTC[] = {
"",
"#if HARDENING",
"static const char * shc_x[] = {",
"\"/*\",",
"\" * Copyright 2019 - Intika <intika@librefox.org>\",",
"\" * Replace ******** with secret read from fd 21\",",
"\" * Also change arguments location of sub commands (sh script commands)\",",
"\" * gcc -Wall -fpic -shared -o shc_secret.so shc_secret.c -ldl\",",
"\" */\",",
"\"\",",
"\"#define _GNU_SOURCE /* needed to get RTLD_NEXT defined in dlfcn.h */\",",
"\"#define PLACEHOLDER \\\"********\\\"\",",
"\"#include <dlfcn.h>\",",
"\"#include <stdlib.h>\",",
"\"#include <string.h>\",",
"\"#include <unistd.h>\",",
"\"#include <stdio.h>\",",
"\"#include <signal.h>\",",
"\"\",",
"\"static char secret[128000]; //max size\",",
"\"typedef int (*pfi)(int, char **, char **);\",",
"\"static pfi real_main;\",",
"\"\",",
"\"// copy argv to new location\",",
"\"char **copyargs(int argc, char** argv){\",",
"\" char **newargv = malloc((argc+1)*sizeof(*argv));\",",
"\" char *from,*to;\",",
"\" int i,len;\",",
"\"\",",
"\" for(i = 0; i<argc; i++){\",",
"\" from = argv[i];\",",
"\" len = strlen(from)+1;\",",
"\" to = malloc(len);\",",
"\" memcpy(to,from,len);\",",
"\" // zap old argv space\",",
"\" memset(from,'\\\\0',len);\",",
"\" newargv[i] = to;\",",
"\" argv[i] = 0;\",",
"\" }\",",
"\" newargv[argc] = 0;\",",
"\" return newargv;\",",
"\"}\",",
"\"\",",
"\"static int mymain(int argc, char** argv, char** env) {\",",
"\" //fprintf(stderr, \\\"Inject main argc = %d\\\\n\\\", argc);\",",
"\" return real_main(argc, copyargs(argc,argv), env);\",",
"\"}\",",
"\"\",",
"\"int __libc_start_main(int (*main) (int, char**, char**),\",",
"\" int argc,\",",
"\" char **argv,\",",
"\" void (*init) (void),\",",
"\" void (*fini)(void),\",",
"\" void (*rtld_fini)(void),\",",
"\" void (*stack_end)){\",",
"\" static int (*real___libc_start_main)() = NULL;\",",
"\" int n;\",",
"\"\",",
"\" if (!real___libc_start_main) {\",",
"\" real___libc_start_main = dlsym(RTLD_NEXT, \\\"__libc_start_main\\\");\",",
"\" if (!real___libc_start_main) abort();\",",
"\" }\",",
"\"\",",
"\" n = read(21, secret, sizeof(secret));\",",
"\" if (n > 0) {\",",
"\" int i;\",",
"\"\",",
"\" if (secret[n - 1] == '\\\\n') secret[--n] = '\\\\0';\",",
"\" for (i = 1; i < argc; i++)\",",
"\" if (strcmp(argv[i], PLACEHOLDER) == 0)\",",
"\" argv[i] = secret;\",",
"\" }\",",
"\"\",",
"\" real_main = main;\",",
"\"\",",
"\" return real___libc_start_main(mymain, argc, argv, init, fini, rtld_fini, stack_end);\",",
"\"}\",",
"\"\",",
"0};",
"#endif /* HARDENING */",
"",
"/* rtc.c */",
"",
"#include <sys/stat.h>",
......@@ -291,64 +361,51 @@ static const char * RTC[] = {
"} ",
"/* End Seccomp Sandboxing Init */",
"",
"void shc_x_file() {",
" FILE *fp;",
" int line = 0;",
"",
" if ((fp = fopen(\"/tmp/shc_x.c\", \"w\")) == NULL ) {exit(1); exit(1);}",
" for (line = 0; shc_x[line]; line++) fprintf(fp, \"%s\\n\", shc_x[line]);",
" fflush(fp);fclose(fp);",
"}",
"",
"int make() {",
" char * cc, * cflags, * ldflags;",
" char cmd[4096];",
"",
" cc = getenv(\"CC\");",
" if (!cc) cc = \"cc\";",
"",
" sprintf(cmd, \"%s %s -o %s %s\", cc, \"-Wall -fpic -shared\", \"/tmp/shc_x.so\", \"/tmp/shc_x.c -ldl\");",
" if (system(cmd)) {remove(\"/tmp/shc_x.c\"); return -1;}",
" remove(\"/tmp/shc_x.c\"); return 0;",
"}",
"",
"void arc4_hardrun(void * str, int len) {",
" //Decode locally",
" char tmp2[len];",
" char tmp3[len+1024];",
" memcpy(tmp2, str, len);",
"",
" unsigned char tmp, * ptr = (unsigned char *)tmp2;",
"",
" int lentmp = len;",
" int pid, status;",
" pid = fork();",
"",
"#if HARDENINGSP",
" //Start tracing to protect from dump & trace",
" if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {",
" printf(\"Operation not permitted\\n\");",
" kill(getpid(), SIGKILL);",
" exit(1);",
" }",
"",
" //Decode Bash",
" while (len > 0) {",
" indx++;",
" tmp = stte[indx];",
" jndx += tmp;",
" stte[indx] = stte[jndx];",
" stte[jndx] = tmp;",
" tmp += stte[indx];",
" *ptr ^= stte[tmp];",
" ptr++;",
" len--;",
" }",
"",
" //Exec bash script",
" system(tmp2);",
"",
" //Empty script variable",
" memcpy(tmp2, str, lentmp);",
"",
" //Sinal to detach ptrace",
" ptrace(PTRACE_DETACH, 0, 0, 0);",
" exit(0);",
"",
" /* Seccomp Sandboxing - Start */",
" seccomp_hardening();",
" shc_x_file();",
" if (make()) {exit(1);}",
"",
" exit(0);",
"#endif /* HARDENINGSP Exit here anyway*/",
" setenv(\"LD_PRELOAD\",\"/tmp/shc_x.so\",1);",
"",
" int pid, status;",
" pid = fork();",
"",
" if(pid==0) {",
"",
" //Start tracing to protect from dump & trace",
" if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {",
" printf(\"Operation not permitted\\n\");",
" kill(getpid(), SIGKILL);",
" _exit(1);",
" }",
"",
"",
" //Decode Bash",
" while (len > 0) {",
" indx++;",
......@@ -362,25 +419,29 @@ static const char * RTC[] = {
" len--;",
" }",
"",
" //Exec bash script",
" //Do the magic",
" sprintf(tmp3, \"%s %s\", \"'********' 21<<<\", tmp2);",
"",
" //Exec bash script //fork execl with 'sh -c'",
" system(tmp2);",
"",
" //Empty script variable",
" memcpy(tmp2, str, lentmp);",
"",
" //Clean temp",
" remove(\"/tmp/shc_x.so\");",
"",
" //Sinal to detach ptrace",
" ptrace(PTRACE_DETACH, 0, 0, 0);",
" exit(0);",
" }",
" else {",
" wait(&status);",
" }",
" else {wait(&status);}",
"",
" /* Seccomp Sandboxing - Start */",
" seccomp_hardening();",
"",
" exit(0);",
"} ",
"}",
"#endif /* HARDENING */",
"",
"/*",
......@@ -689,7 +750,7 @@ static const char * RTC[] = {
static int parse_an_arg(int argc, char * argv[])
{
extern char * optarg;
const char * opts = "e:m:f:i:x:l:o:rvDSUHCABhs";
const char * opts = "e:m:f:i:x:l:o:rvDSUHCABh";
struct tm tmp[1];
time_t expdate;
int cnt, l;
......@@ -756,9 +817,6 @@ static int parse_an_arg(int argc, char * argv[])
case 'H':
HARDENING_flag = 1;
break;
case 's':
HARDENINGSP_flag = 1;
break;
case 'C':
fprintf(stderr, "%s %s, %s\n", my_name, version, subject);
fprintf(stderr, "%s %s %s %s %s\n", my_name, cpright, provider.f, provider.s, provider.e);
......@@ -826,11 +884,6 @@ static void parse_args(int argc, char * argv[])
err++;
} while (ret);
if (HARDENING_flag == 0 && HARDENINGSP_flag == 1) {
fprintf(stderr, "\n%s '-s' feature is only available with '-H'\n",my_name);
err++;
}
if (err) {
fprintf(stderr, "\n%s %s\n\n", my_name, usage);
exit(1);
......@@ -971,6 +1024,10 @@ int eval_shell(char * text)
shll = realloc(shll, strlen(shll) + 1);
ptr = strrchr(shll, (int)'/');
if (!ptr) {
fprintf(stderr, "%s: invalid shll\n", my_name);
return -1;
}
if (*ptr == '/')
ptr++;
if (verbose) fprintf(stderr, "%s shll=%s\n", my_name, ptr);
......@@ -1218,7 +1275,6 @@ int write_C(char * file, char * argv[])
fprintf(o, DEBUGEXEC_line, DEBUGEXEC_flag);
fprintf(o, TRACEABLE_line, TRACEABLE_flag);
fprintf(o, HARDENING_line, HARDENING_flag);
fprintf(o, HARDENINGSP_line, HARDENINGSP_flag);
fprintf(o, BUSYBOXON_line, BUSYBOXON_flag);
for (indx = 0; RTC[indx]; indx++)
fprintf(o, "%s\n", RTC[indx]);
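Review bot: The new hardening runtime uses fixed names in world-writable /tmp: `shc_x_file()` opens `/tmp/shc_x.c` with `fopen(..., "w")`, `make()` compiles it to `/tmp/shc_x.so`, and `arc4_hardrun()` points `LD_PRELOAD` at that path. Another local user can pre-create or replace those files, so the library preloaded into the shell that receives the decrypted script is not guaranteed to be the one just built, and two protected binaries running at once collide on the same names. Deriving both paths from a private `mkdtemp()` directory closes this, as sketched below (shown unescaped; each line would be re-quoted as an `RTC[]` entry like its neighbours). `make()` also formats `$CC` into `char cmd[4096]` with an unbounded `sprintf` before `system()`, so the sketch bounds it with `snprintf`. As rendered, `tmp3` is built with the `'********' 21<<<` prefix but `system()` is still passed `tmp2`, which is worth confirming; `arc4_hardrun()` begins and ends outside the hunks shown.

```c
static char shc_x_dir[] = "/tmp/shc_XXXXXX";
static char shc_x_src[64], shc_x_lib[64];

void shc_x_file() {
    FILE *fp;
    int line = 0;

    /* mkdtemp() creates a fresh 0700 directory, so the files below cannot be
       pre-created or swapped by another local user. */
    if (!mkdtemp(shc_x_dir)) exit(1);
    snprintf(shc_x_src, sizeof shc_x_src, "%s/shc_x.c", shc_x_dir);
    snprintf(shc_x_lib, sizeof shc_x_lib, "%s/shc_x.so", shc_x_dir);

    if ((fp = fopen(shc_x_src, "w")) == NULL) exit(1);
    for (line = 0; shc_x[line]; line++) fprintf(fp, "%s\n", shc_x[line]);
    if (fclose(fp) != 0) exit(1);
}

int make() {
    // … unchanged: declarations and CC lookup …
    int n = snprintf(cmd, sizeof cmd, "%s -Wall -fpic -shared -o %s %s -ldl",
                     cc, shc_x_lib, shc_x_src);
    if (n < 0 || (size_t)n >= sizeof cmd) {remove(shc_x_src); return -1;}
    if (system(cmd)) {remove(shc_x_src); return -1;}
    remove(shc_x_src); return 0;
}

// in arc4_hardrun():
    setenv("LD_PRELOAD", shc_x_lib, 1);
    // … unchanged: fork, ptrace guard, decode loop, system() call …
    //Clean temp
    remove(shc_x_lib);
    rmdir(shc_x_dir);
```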
......