@adrianlzt
Last active July 12, 2021 17:40
pulsesvc binary patching to remove unwanted features, pulse-secure 9.1r5.0_b151-2

Modifications to pulsesvc.

Original pulsesvc binary md5sum: 7c17b24314af67bc7b86d4681884c844

Modified version md5sum: 274c9071501b6e66c75eec6e0f7d2559

Changes:

  • do not modify /etc/hosts
  • do not modify /etc/resolv.conf
  • do not add routes

Modifications done with Cutter (radare2 UI).

Do not modify /etc/hosts

;-- str.etc_hosts:
0x0056882d          .string "/etc/hosts" ; len=11
;-- str.etc_jnpr_nc_hosts.new:
0x00568838          .string "/etc/jnpr-nc-hosts.new" ; len=23
;-- str.etc_jnpr_nc_hosts.bak:
0x0056884f          .string "/etc/jnpr-nc-hosts.bak" ; len=23

Change "mv /etc/jnpr-nc-hosts.new /etc/hosts" to "mv /etc/jnpr-nc-hosts.new /etc/jnpr-nc-hosts.new": renaming a path onto itself does nothing, so /etc/hosts is left untouched.

Original:

0x00438c72      lea     rsi, str.etc_hosts ; 0x56882d ; const char *newpath
0x00438c79      lea     rdi, str.etc_jnpr_nc_hosts.new ; 0x568838 ; const char *oldpath
0x00438c80      call    rename     ; sym.imp.rename ; int rename(const char *oldpath, const char *newpath)

Modified:

0x00438c72      lea     rsi, str.etc_jnpr_nc_hosts.new ; 0x568838 ; const char *newpath
0x00438c79      lea     rdi, str.etc_jnpr_nc_hosts.new ; 0x568838 ; const char *oldpath
0x00438c80      call    rename     ; sym.imp.rename ; int rename(const char *oldpath, const char *newpath)

Do not modify /etc/resolv.conf

Change the string "/etc/resolv.conf" to "/var/tmp/resolv." (same length: 16 characters plus the terminating NUL, so nothing around it shifts) so the client never touches the real /etc/resolv.conf.

The replacement path must be on the same filesystem as the original (the file is moved into place with rename(), which cannot cross filesystems, so /tmp/resolv.conf will not work if /tmp is a separate mount).

Original:

;-- str.etc_resolv.conf:
0x00568731          .string "/etc/resolv.conf" ; len=17

radare2 command to overwrite the string in place (wz writes a NUL-terminated string at the given address):

wz /var/tmp/resolv. @0x00568731

Do not add new routes

Turn the route-adding ioctl call into a no-op. Find the cross-references to sym.imp.ioctl and pick the one that has str.routemon.cpp referenced just above it:

Original:

0x0042b6d1      lea     rcx, str.routemon.cpp ; 0x565faf
0x0042b6d8      mov     edx, 0xa
0x0042b6dd      lea     rsi, str.rmon ; 0x565fbc
0x0042b6e4      mov     rdi, rax
0x0042b6e7      mov     eax, 0
0x0042b6ec      call    fcn.00469a04
0x0042b6f1      mov     eax, 0xffffffff ; r11
0x0042b6f6      jmp     0x42b897
0x0042b6fb      add     r8d, 1
0x0042b6ff      mov     word [rsp + 0x100], r8w
0x0042b708      test    rbp, rbp
0x0042b70b      je      0x42b71b
0x0042b70d      cmp     byte [rbp], 0
0x0042b711      je      0x42b71b
0x0042b713      mov     qword [rsp + 0x108], rbp
0x0042b71b      lea     rdx, [rsp + 0xb0]
0x0042b723      mov     edi, dword [rbx + 0x24]
0x0042b726      mov     esi, 0x890b
0x0042b72b      mov     eax, 0
0x0042b730      call    ioctl      ; sym.imp.ioctl ; int ioctl(int fd, unsigned long request)

Modified:

0x0042b6d1      lea     rcx, str.routemon.cpp ; 0x565faf
0x0042b6d8      mov     edx, 0xa
0x0042b6dd      lea     rsi, str.rmon ; 0x565fbc
0x0042b6e4      mov     rdi, rax
0x0042b6e7      mov     eax, 0
0x0042b6ec      call    fcn.00469a04
0x0042b6f1      mov     eax, 0xffffffff ; r11
0x0042b6f6      jmp     0x42b897
0x0042b6fb      add     r8d, 1
0x0042b6ff      mov     word [rsp + 0x100], r8w
0x0042b708      test    rbp, rbp
0x0042b70b      je      0x42b71b
0x0042b70d      cmp     byte [rbp], 0
0x0042b711      je      0x42b71b
0x0042b713      mov     qword [rsp + 0x108], rbp
0x0042b71b      lea     rdx, [rsp + 0xb0]
0x0042b723      mov     edi, dword [rbx + 0x24]
0x0042b726      mov     esi, 0x890b
0x0042b72b      mov     eax, 0
0x0042b730      nop
0x0042b731      nop
0x0042b732      nop
0x0042b733      nop
0x0042b734      nop

Avoid trying to add routes at each monitor interval

Change code so pulsesvc thinks it does not need to add new routes:

;-- str.no_routes_to_monitor:
0x00566063          .string "no routes to monitor" ; len=21

Original:

0x0042cf80      cmp     dword [rdi + 0x7c], 0
0x0042cf84      jne     0x42cfcc
0x0042cf86      call    fcn.00468be0
0x0042cf8b      lea     r9, str.no_routes_to_monitor ; 0x566063

In Cutter, change it with Edit -> Reverse jump (the jne becomes a je with the same target):

Modified:

0x0042cf80      cmp     dword [rdi + 0x7c], 0
0x0042cf84      je      0x42cfcc
0x0042cf86      call    fcn.00468be0
0x0042cf8b      lea     r9, str.no_routes_to_monitor ; 0x566063
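The four edits above (the lea retarget for /etc/hosts, the same-length string overwrite for /etc/resolv.conf, the ioctl call turned into nops, and the reversed jump) are all fixed-size byte substitutions, which makes them easy to express as a checked patch script instead of hand edits in Cutter. The example below is added here and is not code from the gist; it applies the four substitutions to a constructed ELF64 stand-in for pulsesvc. Only the virtual addresses, instruction bytes and md5sums quoted in the gist are real; the file offsets, the sample image, the PT_LOAD layout and the rel32 of the two call instructions are constructed for the example. The script refuses to write unless the md5sum matches and the bytes the listing says are at each address are actually there, so it cannot silently corrupt a different build.

```python
import hashlib
import struct

# Added example, not code from the gist. Only addresses, bytes and md5sums quoted
# in the gist are real; the sample image and every file offset are constructed.
ORIGINAL_MD5 = "7c17b24314af67bc7b86d4681884c844"  # from the gist
PT_LOAD = 1
CALL_IOCTL = b"\xe8\x00\x00\x00\x00"  # constructed: 5-byte call rel32 to sym.imp.ioctl


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address from the disassembly to a file offset via the PT_LOAD headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_off
    raise ValueError(f"{vaddr:#x} is not file-backed")


def lea_rip_disp32(insn_vaddr: int, insn_len: int, target: int) -> bytes:
    """disp32 of a RIP-relative operand; RIP is the address of the *next* instruction."""
    disp = target - (insn_vaddr + insn_len)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def same_length_cstring(old: bytes, new: bytes) -> bytes:
    """Replacement that occupies exactly the old string's bytes plus its NUL."""
    if len(new) > len(old):
        raise ValueError("replacement longer than the original string")
    return new + b"\x00" * (len(old) + 1 - len(new))


def gist_patches(elf: bytes):
    """The four changes as (file offset, expected bytes, replacement bytes)."""
    return [
        # lea rsi, str.etc_hosts -> lea rsi, str.etc_jnpr_nc_hosts.new (48 8d 35 disp32):
        # rename() then gets the same path twice and /etc/hosts is left alone
        (vaddr_to_offset(elf, 0x438c72),
         b"\x48\x8d\x35" + lea_rip_disp32(0x438c72, 7, 0x56882d),
         b"\x48\x8d\x35" + lea_rip_disp32(0x438c72, 7, 0x568838)),
        # "/etc/resolv.conf" -> "/var/tmp/resolv." inside the same 17 bytes
        (vaddr_to_offset(elf, 0x568731), b"/etc/resolv.conf\x00",
         same_length_cstring(b"/etc/resolv.conf", b"/var/tmp/resolv.")),
        # call ioctl (request 0x890b) -> five one-byte nops, same 5-byte footprint
        (vaddr_to_offset(elf, 0x42b730), CALL_IOCTL, b"\x90" * 5),
        # jne 0x42cfcc -> je 0x42cfcc: opcode 75 -> 74, rel8 0x46 unchanged
        (vaddr_to_offset(elf, 0x42cf84), b"\x75\x46", b"\x74\x46"),
    ]


def mismatches(image: bytes, patches) -> list:
    """Offsets whose current bytes differ from what the listing says is there."""
    return [off for off, exp, _ in patches if bytes(image[off:off + len(exp)]) != exp]


def apply_patches(image: bytes, patches) -> bytes:
    """Write every patch only if all expected bytes are present and no length changes."""
    bad = mismatches(image, patches)
    if bad:
        raise ValueError("unexpected bytes at " + ", ".join(f"{o:#x}" for o in bad))
    out = bytearray(image)
    for off, exp, new in patches:
        if len(new) != len(exp):
            raise ValueError(f"patch at {off:#x} would change the file layout")
        out[off:off + len(new)] = new
    return bytes(out)


def patch_image(elf: bytes, expected_md5: str) -> bytes:
    """Refuse to touch anything but the exact build the addresses were taken from."""
    if md5_hex(elf) != expected_md5:
        raise ValueError("not the build these patches were derived from")
    return apply_patches(elf, gist_patches(elf))


def build_sample_image() -> bytes:
    """Constructed stand-in: ELF64 header, three PT_LOAD segments, int3 filler and only
    the bytes the gist's listings touch, placed at the gist's virtual addresses."""
    segs = [(0x1000, 0x42b000, 0x2000), (0x3000, 0x438000, 0x1000), (0x4000, 0x568000, 0x1000)]
    img = bytearray(b"\xcc" * 0x5000)
    img[:16] = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    img[16:64] = struct.pack("<HHIQQQIHHHHHH", 2, 0x3e, 1, 0x42b000, 0x40, 0, 0,
                             64, 56, len(segs), 64, 0, 0)
    for i, (off, va, sz) in enumerate(segs):
        img[64 + i * 56:64 + (i + 1) * 56] = struct.pack(
            "<IIQQQQQQ", PT_LOAD, 5, off, va, va, sz, sz, 0x1000)

    def put(vaddr: int, data: bytes) -> None:
        off = vaddr_to_offset(img, vaddr)
        img[off:off + len(data)] = data

    put(0x438c72, b"\x48\x8d\x35" + lea_rip_disp32(0x438c72, 7, 0x56882d)   # lea rsi, str.etc_hosts
                + b"\x48\x8d\x3d" + lea_rip_disp32(0x438c79, 7, 0x568838)   # lea rdi, str.etc_jnpr_nc_hosts.new
                + b"\xe8\x00\x00\x00\x00")                                   # call rename (constructed rel32)
    put(0x568731, b"/etc/resolv.conf\x00")
    put(0x42b730, CALL_IOCTL)
    put(0x42cf84, b"\x75\x46")  # jne 0x42cfcc: rel8 = 0x42cfcc - 0x42cf86 = 0x46
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(md5_hex(patch_image(sample, md5_hex(sample))))
    # Real file: patch_image(open("pulsesvc", "rb").read(), ORIGINAL_MD5)
```

Two design points worth noting. The lea retarget is done by recomputing the RIP-relative displacement rather than by copying bytes, because the displacement is relative to the address of the following instruction (0x438c79), which is why the original 0x12fbb4 becomes 0x12fbbf and not simply "the address of the other string". And every substitution is checked for equal length and for the expected original bytes before anything is written, which is the same precondition the gist's md5sum of the original expresses: the addresses are only valid for that one build, as the comments on the gist confirm.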
jlaw commented Jul 12, 2021

Thank you for your work @adrianlzt! Do you have an update for latest version?

@adrianlzt (Author)

No. I stopped using pulsesvc. But it will probably be similar, just new memory addresses. So following the guide you could probably modify it.

jlaw commented Jul 12, 2021

I've been able to do that for a few releases, but now the binaries are completely different and rewritten.
