arget13/noexec.c

## noexec.c
/* Compile with -znow */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <elf.h>
#include <libgen.h>
#include <signal.h>
#include <syscall.h>
#include <termios.h>

Elf64_Addr ldbase;

Elf64_Addr search_section(int fd, char* section);

void load(char* path, Elf64_Addr rebase)
{
    int fd;
    Elf64_Ehdr ehdr;
    Elf64_Phdr* phdr;
    uint16_t phnum;
    Elf64_Addr bss;
    uint64_t flen;
    Elf64_Addr highest = 0;

    if((fd = open(path, O_RDONLY)) < 0)
    {
        perror("Error in open()");
        exit(0);
    }
    read(fd, &ehdr, sizeof(ehdr));
    phnum = ehdr.e_phnum;
    phdr = malloc(sizeof(*phdr) * phnum);
    pread(fd, phdr, sizeof(*phdr) * phnum, ehdr.e_phoff);
    flen = lseek(fd, 0, SEEK_END);
    bss = search_section(fd, ".bss");

    for(int i = 0; i < phnum; ++i)
    {
        if(phdr[i].p_type != PT_LOAD) continue;

        uint32_t   flags   = phdr[i].p_flags;
        Elf64_Off  offset  = phdr[i].p_offset;
        Elf64_Addr vaddr   = phdr[i].p_vaddr;
        size_t     filesz  = phdr[i].p_filesz;
        size_t     memsz   = phdr[i].p_memsz;
        void*      aligned = (void*) (vaddr & (~0xfff));

        uint32_t prot = ((flags & PF_R) ? PROT_READ  : 0) |
                        ((flags & PF_W) ? PROT_WRITE : 0) |
                        ((flags & PF_X) ? PROT_EXEC  : 0);

        filesz += vaddr - (Elf64_Addr) aligned;
        memsz  += vaddr - (Elf64_Addr) aligned;
        offset -= vaddr - (Elf64_Addr) aligned;
        size_t _filesz = (filesz + 0xfff) & ~0xfff;

        mmap(rebase + aligned, filesz, prot, MAP_PRIVATE | MAP_FIXED, fd, offset);
        if(memsz > _filesz)
        {
            void* extra = rebase + aligned + _filesz;
            mmap(extra, memsz - _filesz, prot, MAP_PRIVATE | MAP_FIXED | MAP_ANON, -1, 0);
        }

        if(bss != 0 && (bss >= vaddr && bss < (vaddr + filesz)))
        {
            size_t bss_size = _filesz - (bss - (Elf64_Addr) aligned);
            memset((void*) rebase + bss, '\0', bss_size);
        }
    }
    close(fd);
}

Elf64_Addr search_section(int fd, char* section)
{
    Elf64_Ehdr ehdr;
    Elf64_Shdr* shdr;
    uint16_t shnum;
    uint16_t shstrndx;
    char* shstrtab;

    pread(fd, &ehdr, sizeof(ehdr), 0);
    shnum = ehdr.e_shnum;
    shdr = malloc(sizeof(*shdr) * shnum);
    shstrndx = ehdr.e_shstrndx;
    pread(fd, shdr, sizeof(*shdr) * shnum, ehdr.e_shoff);

    shstrtab = malloc(shdr[shstrndx].sh_size);
    pread(fd, shstrtab, shdr[shstrndx].sh_size, shdr[shstrndx].sh_offset);

    for(int i = 0; i < shnum; ++i)
        if(!strcmp(&shstrtab[shdr[i].sh_name], section))
        {
            free(shstrtab);
            free(shdr);
            return shdr[i].sh_addr;
        }

    free(shstrtab);
    free(shdr);
    return 0;
}

void* ld_addr()
{
    FILE* f = fopen("/proc/self/maps", "rb");
    char buf[1024];
    void* p;
    while(fgets(buf, sizeof buf, f))
    {
        if(strncmp(basename(strchr(buf, '/')), "ld", 2)) continue;
        sscanf(buf, "%lx", &p);
        fclose(f);
        return p;
    }
    fclose(f);
    return NULL;
}

char* search_path(char* cmd)
{
    if(*cmd == '/') return cmd;
    char* dup, * path, * p;
    char* filepath;
    dup = path = p = strdup(getenv("PATH"));
    struct stat buf;
    do
    {
        p = strchr(p, ':');
        if(p != NULL)
            *p++ = '\0';

        filepath = malloc(strlen(path) + strlen(cmd) + 1 + 1);
        strcpy(filepath, path);
        strcat(filepath, "/");
        strcat(filepath, cmd);
        if(fstatat(AT_FDCWD, filepath, &buf, 0) == 0)
        {
            free(dup);
            return filepath;
        }

        free(filepath);
        path = p;
    }
    while(p != NULL);

    free(dup);
    return NULL;
}

__attribute__((noreturn))
void run(int argc, char** argv, int readfd, int writefd)
{
    Elf64_Addr base = 0x400000;
    uint64_t ldentry, entry, phnum, phentsize, phaddr;
    uint64_t auxv[8 * 2];
    char* stack;
    void** sp;

    load(argv[0], base);

    ldentry   = ((Elf64_Ehdr*) ldbase)->e_entry + ldbase;
    entry     = ((Elf64_Ehdr*)   base)->e_entry + base;
    phnum     = ((Elf64_Ehdr*)   base)->e_phnum;
    phentsize = ((Elf64_Ehdr*)   base)->e_phentsize;
    phaddr    = ((Elf64_Ehdr*)   base)->e_phoff + base;

    stack = mmap(NULL, 0x21000, PROT_READ | PROT_WRITE,
                 MAP_ANONYMOUS | MAP_PRIVATE | MAP_STACK, -1, 0);
    sp = (void**) &stack[0x21000];
    *--sp = NULL; // End of stack

    if(argc & 1)
        *--sp = NULL; // Keep stack aligned
    auxv[ 0] = 0x06; auxv[ 1] = 0x1000;    // AT_PAGESZ
    auxv[ 2] = 0x19; auxv[ 3] = ldentry;   // AT_RANDOM (whatever)
    auxv[ 4] = 0x09; auxv[ 5] = entry;     // AT_ENTRY
    auxv[ 6] = 0x07; auxv[ 7] = ldbase;    // AT_BASE
    auxv[ 8] = 0x05; auxv[ 9] = phnum;     // AT_PHNUM
    auxv[10] = 0x04; auxv[11] = phentsize; // AT_PHENT
    auxv[12] = 0x03; auxv[13] = phaddr;    // AT_PHDR
    auxv[14] =    0; auxv[15] = 0;         // End of auxv
    sp -= sizeof(auxv) / sizeof(*auxv); memcpy(sp, auxv, sizeof(auxv));
    *--sp = NULL; // End of envp
    *--sp = NULL; // End of argv
    sp -= argc; memcpy(sp, argv, argc * 8);
    *(size_t*) --sp = argc;

    if(readfd >= 0)
    {
        dup2(readfd, fileno(stdin));
        close(readfd);
    }
    if(writefd >= 0)
    {
        dup2(writefd, fileno(stdout));
        close(writefd);
    }

    #if defined(__x86_64__)
    asm volatile("mov %0, %%rsp;"
                 "jmp *%1;"
                 : : "r"(sp), "r"(ldentry));
    #elif defined(__aarch64__)
    asm volatile("mov sp, %0;"
                 "br  %1;"
                 : : "r"(sp), "r"(ldentry) : "x0");
    #endif
    __builtin_unreachable();
}

void runline(char* cmd)
{
    int* argc;
    char*** argv, * saveptr = NULL;
    int count;
    int pipefds[2], writefd, readfd = -1;

    argc = NULL;
    argv = NULL;
    strtok_r(cmd, "|", &saveptr);
    count = 0;
    do
    {
        argv = realloc(argv, (count + 1) * sizeof(*argv));
        argc = realloc(argc, (count + 1) * sizeof(*argc));
        cmd += strspn(cmd, " ");
        argv[count] = NULL;
        argc[count] = 0;

        strtok(cmd, " ");
        do
        {
            argv[count] = realloc(argv[count], ++argc[count] * sizeof(**argv));
            argv[count][argc[count] - 1] = cmd;
        }
        while(cmd = strtok(NULL, " "));

        char* filepath;
        if((filepath = search_path(argv[count][0])) == NULL)
        {
            perror("Error in fstatat");
            free(argv[count]);
            count--;
            continue;
        }
        argv[count][0] = filepath;
        count++;
    }
    while(cmd = strtok_r(NULL, "|", &saveptr));

    for(int i = 0; i < count; ++i)
    {
        if(i > 0)
            readfd = pipefds[0];
        if(i < (count - 1))
        {
            pipe(pipefds);
            writefd = pipefds[1];
        }

        if(syscall(SYS_clone, SIGCHLD, NULL, NULL, NULL, NULL) == 0)
            run(argc[i], argv[i], readfd, writefd);

        if(i < (count - 1))
            close(writefd);
        writefd = -1;
        if(i > 0)
            close(readfd);

        free(argv[i]);
    }

    for(int i = 0; i < count; ++i)
        wait(NULL);
}

int main()
{
    char interp[128];
    int self;

    char buf[1024];

    ldbase = (Elf64_Addr) ld_addr();
    self = open("/proc/self/exe", O_RDONLY);
    interp[pread(self, interp, sizeof(interp) - 1,
                 search_section(self, ".interp"))] = '\0';
    close(self);
    load(interp, ldbase);

    int terminal = isatty(fileno(stdin));
    while(1)
    {
        if(terminal)
            printf("> ");

        fgets(buf, sizeof buf, stdin);
        if(feof(stdin)) break;
        buf[strcspn(buf, "\n")] = '\0';
        if(strlen(buf) == 0) continue;
        runline(buf);
        wait(NULL);
    }
    puts("\nexit");
    _exit(0);
}
	/* Compile with -znow */
	#include <stdlib.h>
	#include <stdio.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <string.h>
	#include <sys/mman.h>
	#include <sys/stat.h>
	#include <sys/wait.h>
	#include <elf.h>
	#include <libgen.h>
	#include <signal.h>
	#include <syscall.h>
	#include <termios.h>

	Elf64_Addr ldbase;

	Elf64_Addr search_section(int fd, char* section);

	void load(char* path, Elf64_Addr rebase)
	{
	int fd;
	Elf64_Ehdr ehdr;
	Elf64_Phdr* phdr;
	uint16_t phnum;
	Elf64_Addr bss;
	uint64_t flen;
	Elf64_Addr highest = 0;

	if((fd = open(path, O_RDONLY)) < 0)
	{
	perror("Error in open()");
	exit(0);
	}
	read(fd, &ehdr, sizeof(ehdr));
	phnum = ehdr.e_phnum;
	phdr = malloc(sizeof(phdr) phnum);
	pread(fd, phdr, sizeof(phdr) phnum, ehdr.e_phoff);
	flen = lseek(fd, 0, SEEK_END);
	bss = search_section(fd, ".bss");

	for(int i = 0; i < phnum; ++i)
	{
	if(phdr[i].p_type != PT_LOAD) continue;

	uint32_t flags = phdr[i].p_flags;
	Elf64_Off offset = phdr[i].p_offset;
	Elf64_Addr vaddr = phdr[i].p_vaddr;
	size_t filesz = phdr[i].p_filesz;
	size_t memsz = phdr[i].p_memsz;
	void* aligned = (void*) (vaddr & (~0xfff));

	uint32_t prot = ((flags & PF_R) ? PROT_READ : 0) \|
	((flags & PF_W) ? PROT_WRITE : 0) \|
	((flags & PF_X) ? PROT_EXEC : 0);

	filesz += vaddr - (Elf64_Addr) aligned;
	memsz += vaddr - (Elf64_Addr) aligned;
	offset -= vaddr - (Elf64_Addr) aligned;
	size_t _filesz = (filesz + 0xfff) & ~0xfff;

	mmap(rebase + aligned, filesz, prot, MAP_PRIVATE \| MAP_FIXED, fd, offset);
	if(memsz > _filesz)
	{
	void* extra = rebase + aligned + _filesz;
	mmap(extra, memsz - _filesz, prot, MAP_PRIVATE \| MAP_FIXED \| MAP_ANON, -1, 0);
	}

	if(bss != 0 && (bss >= vaddr && bss < (vaddr + filesz)))
	{
	size_t bss_size = _filesz - (bss - (Elf64_Addr) aligned);
	memset((void*) rebase + bss, '\0', bss_size);
	}
	}
	close(fd);
	}

	Elf64_Addr search_section(int fd, char* section)
	{
	Elf64_Ehdr ehdr;
	Elf64_Shdr* shdr;
	uint16_t shnum;
	uint16_t shstrndx;
	char* shstrtab;

	pread(fd, &ehdr, sizeof(ehdr), 0);
	shnum = ehdr.e_shnum;
	shdr = malloc(sizeof(shdr) shnum);
	shstrndx = ehdr.e_shstrndx;
	pread(fd, shdr, sizeof(shdr) shnum, ehdr.e_shoff);

	shstrtab = malloc(shdr[shstrndx].sh_size);
	pread(fd, shstrtab, shdr[shstrndx].sh_size, shdr[shstrndx].sh_offset);

	for(int i = 0; i < shnum; ++i)
	if(!strcmp(&shstrtab[shdr[i].sh_name], section))
	{
	free(shstrtab);
	free(shdr);
	return shdr[i].sh_addr;
	}

	free(shstrtab);
	free(shdr);
	return 0;
	}

	void* ld_addr()
	{
	FILE* f = fopen("/proc/self/maps", "rb");
	char buf[1024];
	void* p;
	while(fgets(buf, sizeof buf, f))
	{
	if(strncmp(basename(strchr(buf, '/')), "ld", 2)) continue;
	sscanf(buf, "%lx", &p);
	fclose(f);
	return p;
	}
	fclose(f);
	return NULL;
	}

	char* search_path(char* cmd)
	{
	if(*cmd == '/') return cmd;
	char* dup, * path, * p;
	char* filepath;
	dup = path = p = strdup(getenv("PATH"));
	struct stat buf;
	do
	{
	p = strchr(p, ':');
	if(p != NULL)
	*p++ = '\0';

	filepath = malloc(strlen(path) + strlen(cmd) + 1 + 1);
	strcpy(filepath, path);
	strcat(filepath, "/");
	strcat(filepath, cmd);
	if(fstatat(AT_FDCWD, filepath, &buf, 0) == 0)
	{
	free(dup);
	return filepath;
	}

	free(filepath);
	path = p;
	}
	while(p != NULL);

	free(dup);
	return NULL;
	}

	__attribute__((noreturn))
	void run(int argc, char** argv, int readfd, int writefd)
	{
	Elf64_Addr base = 0x400000;
	uint64_t ldentry, entry, phnum, phentsize, phaddr;
	uint64_t auxv[8 * 2];
	char* stack;
	void** sp;

	load(argv[0], base);

	ldentry = ((Elf64_Ehdr*) ldbase)->e_entry + ldbase;
	entry = ((Elf64_Ehdr*) base)->e_entry + base;
	phnum = ((Elf64_Ehdr*) base)->e_phnum;
	phentsize = ((Elf64_Ehdr*) base)->e_phentsize;
	phaddr = ((Elf64_Ehdr*) base)->e_phoff + base;

	stack = mmap(NULL, 0x21000, PROT_READ \| PROT_WRITE,
	MAP_ANONYMOUS \| MAP_PRIVATE \| MAP_STACK, -1, 0);
	sp = (void**) &stack[0x21000];
	*--sp = NULL; // End of stack

	if(argc & 1)
	*--sp = NULL; // Keep stack aligned
	auxv[ 0] = 0x06; auxv[ 1] = 0x1000; // AT_PAGESZ
	auxv[ 2] = 0x19; auxv[ 3] = ldentry; // AT_RANDOM (whatever)
	auxv[ 4] = 0x09; auxv[ 5] = entry; // AT_ENTRY
	auxv[ 6] = 0x07; auxv[ 7] = ldbase; // AT_BASE
	auxv[ 8] = 0x05; auxv[ 9] = phnum; // AT_PHNUM
	auxv[10] = 0x04; auxv[11] = phentsize; // AT_PHENT
	auxv[12] = 0x03; auxv[13] = phaddr; // AT_PHDR
	auxv[14] = 0; auxv[15] = 0; // End of auxv
	sp -= sizeof(auxv) / sizeof(*auxv); memcpy(sp, auxv, sizeof(auxv));
	*--sp = NULL; // End of envp
	*--sp = NULL; // End of argv
	sp -= argc; memcpy(sp, argv, argc * 8);
	(size_t) --sp = argc;

	if(readfd >= 0)
	{
	dup2(readfd, fileno(stdin));
	close(readfd);
	}
	if(writefd >= 0)
	{
	dup2(writefd, fileno(stdout));
	close(writefd);
	}

	#if defined(__x86_64__)
	asm volatile("mov %0, %%rsp;"
	"jmp *%1;"
	: : "r"(sp), "r"(ldentry));
	#elif defined(__aarch64__)
	asm volatile("mov sp, %0;"
	"br %1;"
	: : "r"(sp), "r"(ldentry) : "x0");
	#endif
	__builtin_unreachable();
	}

	void runline(char* cmd)
	{
	int* argc;
	char*** argv, * saveptr = NULL;
	int count;
	int pipefds[2], writefd, readfd = -1;

	argc = NULL;
	argv = NULL;
	strtok_r(cmd, "\|", &saveptr);
	count = 0;
	do
	{
	argv = realloc(argv, (count + 1) * sizeof(*argv));
	argc = realloc(argc, (count + 1) * sizeof(*argc));
	cmd += strspn(cmd, " ");
	argv[count] = NULL;
	argc[count] = 0;

	strtok(cmd, " ");
	do
	{
	argv[count] = realloc(argv[count], ++argc[count] * sizeof(**argv));
	argv[count][argc[count] - 1] = cmd;
	}
	while(cmd = strtok(NULL, " "));

	char* filepath;
	if((filepath = search_path(argv[count][0])) == NULL)
	{
	perror("Error in fstatat");
	free(argv[count]);
	count--;
	continue;
	}
	argv[count][0] = filepath;
	count++;
	}
	while(cmd = strtok_r(NULL, "\|", &saveptr));

	for(int i = 0; i < count; ++i)
	{
	if(i > 0)
	readfd = pipefds[0];
	if(i < (count - 1))
	{
	pipe(pipefds);
	writefd = pipefds[1];
	}

	if(syscall(SYS_clone, SIGCHLD, NULL, NULL, NULL, NULL) == 0)
	run(argc[i], argv[i], readfd, writefd);

	if(i < (count - 1))
	close(writefd);
	writefd = -1;
	if(i > 0)
	close(readfd);

	free(argv[i]);
	}

	for(int i = 0; i < count; ++i)
	wait(NULL);
	}

	int main()
	{
	char interp[128];
	int self;

	char buf[1024];

	ldbase = (Elf64_Addr) ld_addr();
	self = open("/proc/self/exe", O_RDONLY);
	interp[pread(self, interp, sizeof(interp) - 1,
	search_section(self, ".interp"))] = '\0';
	close(self);
	load(interp, ldbase);

	int terminal = isatty(fileno(stdin));
	while(1)
	{
	if(terminal)
	printf("> ");

	fgets(buf, sizeof buf, stdin);
	if(feof(stdin)) break;
	buf[strcspn(buf, "\n")] = '\0';
	if(strlen(buf) == 0) continue;
	runline(buf);
	wait(NULL);
	}
	puts("\nexit");
	_exit(0);
	}