/notes/improving-patchelf/patchelf.py

patchelf.py
PYTHON
   1  

   2  

   3  

   4  

   5  

   6  

   7  

   8  

   9  

  10  

  11  

  12  

  13  

  14  

  15  

  16  

  17  

  18  

  19  

  20  

  21  

  22  

  23  

  24  

  25  

  26  

  27  

  28  

  29  

  30  

  31  

  32  

  33  

  34  

  35  

  36  

  37  

  38  

  39  

  40  

  41  

  42  

  43  

  44  

  45  

  46  

  47  

  48  

  49  

  50  

  51  

  52  

  53  

  54  

  55  

  56  

  57  

  58  

  59  

  60  

  61  

  62  

  63  

  64  

  65  

  66  

  67  

  68  

  69  

  70  

  71  

  72  

  73  

  74  

  75  

  76  

  77  

  78  

  79  

  80  

  81  

  82  

  83  

  84  

  85  

  86  

  87  

  88  

  89  

#!/usr/bin/env python3

from pwnc.minelf import *
from argparse import ArgumentParser, BooleanOptionalAction
from pathlib import Path
from ctypes import sizeof

def err(msg: str):
    print(f"[-] {msg}")
    exit(1)

def warn(msg: str):
    print(f"[*] {msg}")

parser = ArgumentParser()
parser.add_argument("--bits", choices=[32, 64])
parser.add_argument("--endian", choices=["big", "little"])
parser.add_argument("--rpath", type=str)
parser.add_argument("--interp", type=str)
parser.add_argument("path")
parser.add_argument("outfile", nargs="?")

args = parser.parse_args()
path = Path(args.path)
if args.outfile is None:
    outfile = path
else:
    outfile = Path(args.outfile)

try:
    raw_elf_bytes = open(path, "rb").read()
except Exception as e:
    err(f"failed to read file: {e}")

little_endian = None
match args.endian:
    case "big":
        little_endian = False
    case _:
        little_endian = True 
elf = ELF(raw_elf_bytes, args.bits, little_endian)

dynamic = elf.section_from_name(b".dynamic")
if dynamic is None:
    err(f".dyanmic section not present")

offset = 0
contents = elf.section_content(dynamic)
dyntags = []
while offset < dynamic.size:
    dyntag = elf.Dyntag.from_buffer_copy(contents, offset)
    dyntags.append(dyntag)
    if dyntag.tag == 0:
        break
    offset += sizeof(elf.Dyntag)

used = offset + 0x10
size = dynamic.size & ~0x0f
extra = (size - used) // sizeof(elf.Dyntag)

warn(f"used {offset:#x} out of {dynamic.size:#x} ({offset/dynamic.size*100:.0f}%) of DYNAMIC")
warn(f"space for {extra} extra dynamic tags")

if args.rpath:
    rpath_bytes = bytes(args.rpath, "utf8")
    if extra == 0:
        err(f"not enough space for rpath in dynamic table")
    if len(rpath_bytes) >= elf.Dyntag.val.size:
        err(f"not enough space for rpath str (max {elf.Dyntag.val.size} bytes)")
    strtab = next(filter(lambda dt: dt.tag == 5, dyntags))
    address = next(filter(lambda segment: segment.type == 2, elf.segments)).virtual_address
    rpath_offset = offset + sizeof(elf.Dyntag) + elf.Dyntag.val.offset
    rpath = elf.Dyntag(tag=15, val=address + rpath_offset - strtab.val)
    contents[offset:offset+sizeof(elf.Dyntag)] = bytes(rpath)
    contents[rpath_offset:rpath_offset+len(rpath_bytes)] = rpath_bytes
    offset += sizeof(elf.Dyntag)
    warn(f"rpath     set to {args.rpath}")

if args.interp:
    interp = next(filter(lambda segment: segment.type == 3, elf.segments))
    new_interp_path = bytes(args.interp, encoding="utf8")
    if len(new_interp_path) < interp.file_size:
        elf.raw_elf_bytes[interp.offset:interp.offset+interp.file_size] = new_interp_path.ljust(interp.file_size, b"\x00")
        warn(f"interp    set to {args.interp}")
    else:
        err(f"new interp path is too long")

with open(outfile, "wb+") as fp:
    fp.write(elf.raw_elf_bytes)
`#`CONTENT

`#`TOP

#CONTENT

#TOP

`#`CONTENT

`#`TOP
