Modifications to pulsesvc.
Original pulsesvc binary md5sum: 7c17b24314af67bc7b86d4681884c844
Modified version md5sum: 274c9071501b6e66c75eec6e0f7d2559
Changes:
- do not modify /etc/hosts
- do not modify /etc/resolv.conf
- do not add routes
Modifications done with Cutter (radare2 UI).
;-- str.etc_hosts:
0x0056882d .string "/etc/hosts" ; len=11
;-- str.etc_jnpr_nc_hosts.new:
0x00568838 .string "/etc/jnpr-nc-hosts.new" ; len=23
;-- str.etc_jnpr_nc_hosts.bak:
0x0056884f .string "/etc/jnpr-nc-hosts.bak" ; len=23
Change the rename("/etc/jnpr-nc-hosts.new", "/etc/hosts") call (the equivalent of "mv /etc/jnpr-nc-hosts.new /etc/hosts") into rename("/etc/jnpr-nc-hosts.new", "/etc/jnpr-nc-hosts.new") by pointing both arguments at the same string. Renaming a path onto itself is a successful no-op, so the caller still sees rename() return 0 while /etc/hosts is left untouched.
Original:
0x00438c72 lea rsi, str.etc_hosts ; 0x56882d ; const char *newpath
0x00438c79 lea rdi, str.etc_jnpr_nc_hosts.new ; 0x568838 ; const char *oldpath
0x00438c80 call rename ; sym.imp.rename ; int rename(const char *oldpath, const char *newpath)
Modified:
0x00438c72 lea rsi, str.etc_jnpr_nc_hosts.new ; 0x568838 ; const char *newpath
0x00438c79 lea rdi, str.etc_jnpr_nc_hosts.new ; 0x568838 ; const char *oldpath
0x00438c80 call rename ; sym.imp.rename ; int rename(const char *oldpath, const char *newpath)
Change the string "/etc/resolv.conf" to "/var/tmp/resolv." (same length, 16 characters, so the terminating NUL and the strings that follow it at 0x00568731 stay in place) so pulsesvc no longer touches /etc/resolv.conf. Note that /var/tmp is world-writable: a privileged daemon writing a fixed filename there can be steered by a pre-placed file or symlink, so pick the replacement path with that in mind.
The replacement path must be on the same filesystem as /etc, most likely because the file is put in place with rename(), which cannot cross filesystem boundaries (it fails with EXDEV); /tmp is commonly a separate tmpfs, so /tmp/resolv.conf would not work.
Original:
;-- str.etc_resolv.conf:
0x00568731 .string "/etc/resolv.conf" ; len=17
Command (in the radare2/Cutter console) to overwrite the string in place:
wz /var/tmp/resolv. @0x00568731
Disallow adding new routes by turning the ioctl call into NOPs. Find the cross-references to sym.imp.ioctl and pick the one that has str.routemon.cpp referenced just above it (the request 0x890b loaded into esi is SIOCADDRT, the add-route ioctl):
Original:
0x0042b6d1 lea rcx, str.routemon.cpp ; 0x565faf
0x0042b6d8 mov edx, 0xa
0x0042b6dd lea rsi, str.rmon ; 0x565fbc
0x0042b6e4 mov rdi, rax
0x0042b6e7 mov eax, 0
0x0042b6ec call fcn.00469a04
0x0042b6f1 mov eax, 0xffffffff ; r11
0x0042b6f6 jmp 0x42b897
0x0042b6fb add r8d, 1
0x0042b6ff mov word [rsp + 0x100], r8w
0x0042b708 test rbp, rbp
0x0042b70b je 0x42b71b
0x0042b70d cmp byte [rbp], 0
0x0042b711 je 0x42b71b
0x0042b713 mov qword [rsp + 0x108], rbp
0x0042b71b lea rdx, [rsp + 0xb0]
0x0042b723 mov edi, dword [rbx + 0x24]
0x0042b726 mov esi, 0x890b
0x0042b72b mov eax, 0
0x0042b730 call ioctl ; sym.imp.ioctl ; int ioctl(int fd, unsigned long request)
Modified (the 5-byte call becomes five NOPs; eax keeps the 0 loaded at 0x42b72b, so any check of ioctl's return value that follows sees success):
0x0042b6d1 lea rcx, str.routemon.cpp ; 0x565faf
0x0042b6d8 mov edx, 0xa
0x0042b6dd lea rsi, str.rmon ; 0x565fbc
0x0042b6e4 mov rdi, rax
0x0042b6e7 mov eax, 0
0x0042b6ec call fcn.00469a04
0x0042b6f1 mov eax, 0xffffffff ; r11
0x0042b6f6 jmp 0x42b897
0x0042b6fb add r8d, 1
0x0042b6ff mov word [rsp + 0x100], r8w
0x0042b708 test rbp, rbp
0x0042b70b je 0x42b71b
0x0042b70d cmp byte [rbp], 0
0x0042b711 je 0x42b71b
0x0042b713 mov qword [rsp + 0x108], rbp
0x0042b71b lea rdx, [rsp + 0xb0]
0x0042b723 mov edi, dword [rbx + 0x24]
0x0042b726 mov esi, 0x890b
0x0042b72b mov eax, 0
0x0042b730 nop
0x0042b731 nop
0x0042b732 nop
0x0042b733 nop
0x0042b734 nop
Change the code so pulsesvc concludes it has no routes to add, i.e. make the "no routes to monitor" path the one taken when the value at [rdi + 0x7c] is non-zero:
;-- str.no_routes_to_monitor:
0x00566063 .string "no routes to monitor" ; len=21
Original:
0x0042cf80 cmp dword [rdi + 0x7c], 0
0x0042cf84 jne 0x42cfcc
0x0042cf86 call fcn.00468be0
0x0042cf8b lea r9, str.no_routes_to_monitor ; 0x566063
Change with Cutter's Edit -> Reverse jump, which turns the jne at 0x0042cf84 into je without changing the instruction length, so no surrounding bytes move. Note that the test is inverted rather than removed: when the value at [rdi + 0x7c] is genuinely 0, the patched binary now takes the 0x42cfcc path instead of the "no routes to monitor" path; whether that matters depends on code outside this listing.
Modified:
0x0042cf80 cmp dword [rdi + 0x7c], 0
0x0042cf84 je 0x42cfcc
0x0042cf86 call fcn.00468be0
0x0042cf8b lea r9, str.no_routes_to_monitor ; 0x566063
Binary patched file (compare its md5sum with the modified-version hash given at the top before using it): https://transfer.sh/deVl8/pulsesvc.patched