Snakes on a Payload
Fernando Russ, Pedro Varangot
Python, C, ELF, Binutils, Ld, exploit, Tinypy, stage2, vm, security, android, Arm, Linux


This project consists of a modified version of TinyPy, and the toolchain to compile it as a position independent binary blob. This toolchain pre-processes the ELF relocations in a .so binary and turns them into input for a runtime rebaser that runs before the VM. Currently the generated position independent payload needs the addresses of dlopen and dlsym; future versions will only need to make syscalls to find those functions loaded in memory. A prototype of code that searches for dlopen and dlsym was also done and currently works only on i386 Linux and ARM Android.
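The relocation pre-processing and the runtime rebaser described above, as an added illustration that is not the project's own code: it assumes the x86_64 Elf64_Rela layout and relocation type numbers from elf.h, takes a constructed (not extracted) .rela.dyn table as input, keeps only R_X86_64_RELATIVE entries in a compact rebase table, and reports the symbol-bound entries separately, since those are exactly the ones that still need dlsym in the scheme the text describes.

```python
import struct

# Relocation type numbers for x86_64, from elf.h
R_X86_64_GLOB_DAT = 6
R_X86_64_JUMP_SLOT = 7
R_X86_64_RELATIVE = 8
ELF64_RELA_SIZE = 24  # Elf64_Rela: r_offset (8) + r_info (8) + r_addend (8)


def parse_rela(blob):
    """Parse a raw .rela.dyn section into (r_offset, sym_index, type, addend) tuples."""
    if len(blob) % ELF64_RELA_SIZE:
        raise ValueError("truncated Elf64_Rela table")
    entries = []
    for pos in range(0, len(blob), ELF64_RELA_SIZE):
        r_offset, r_info, r_addend = struct.unpack_from("<QQq", blob, pos)
        entries.append((r_offset, r_info >> 32, r_info & 0xFFFFFFFF, r_addend))
    return entries


def build_rebase_table(relocs):
    """Split relocations into base-only fixups and symbol-bound ones.

    RELATIVE entries can be resolved from the load address alone; GLOB_DAT and
    JUMP_SLOT entries refer to an external symbol and need a symbol lookup
    (dlsym in the project's current design), so they are returned separately.
    """
    relative, symbolic = [], []
    for r_offset, sym, rtype, addend in relocs:
        if rtype == R_X86_64_RELATIVE:
            relative.append((r_offset, addend))
        else:
            symbolic.append((r_offset, sym, rtype))
    return relative, symbolic


def encode_rebase_table(relative):
    """Serialise the rebase table as count followed by (offset, addend) pairs."""
    return struct.pack("<Q", len(relative)) + b"".join(
        struct.pack("<Qq", off, addend) for off, addend in relative
    )


def rebase(image, table_blob, base):
    """Runtime rebaser: write base + addend into every RELATIVE slot of the image."""
    image = bytearray(image)
    (count,) = struct.unpack_from("<Q", table_blob, 0)
    for i in range(count):
        off, addend = struct.unpack_from("<Qq", table_blob, 8 + 16 * i)
        if off + 8 > len(image):
            raise ValueError("relocation slot 0x%x lies outside the image" % off)
        struct.pack_into("<Q", image, off, (base + addend) & 0xFFFFFFFFFFFFFFFF)
    return bytes(image)


# Constructed sample: a 64-byte image with two RELATIVE slots at 0x10 and 0x18
# and one GLOB_DAT slot at 0x20 bound to symbol index 3.
def _rela(r_offset, sym, rtype, addend):
    return struct.pack("<QQq", r_offset, (sym << 32) | rtype, addend)


SAMPLE_IMAGE = bytes(64)
SAMPLE_RELA = (
    _rela(0x10, 0, R_X86_64_RELATIVE, 0x30)
    + _rela(0x18, 0, R_X86_64_RELATIVE, 0x40)
    + _rela(0x20, 3, R_X86_64_GLOB_DAT, 0)
)


def demo(base=0x7F0000001000):
    """Run the whole pipeline on the sample; returns (patched image, symbolic relocs)."""
    relative, symbolic = build_rebase_table(parse_rela(SAMPLE_RELA))
    patched = rebase(SAMPLE_IMAGE, encode_rebase_table(relative), base)
    return patched, symbolic


if __name__ == "__main__":
    patched, symbolic = demo()
    print("slot 0x10 -> 0x%x" % int.from_bytes(patched[0x10:0x18], "little"))
    print("still need a symbol lookup:", symbolic)
```

The split into relative and symbolic entries is the check worth keeping: anything in the second list cannot be fixed up by the rebaser alone, which is why the payload in its current form still depends on dlopen and dlsym being located first.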

Only Linux is supported; Windows will be added in the future. It can currently generate position independent code for i386 and x86_64 (tested on Ubuntu) and for ARM Android (tested on the emulator and a 2.2 ARMv6 phone). It uses the GCC version that comes with Ubuntu 11.04+ and the Android NDK to compile, respectively. More platforms can be added easily, and will be added in the near future.

See more at https://code.google.com/p/snakesonapayload/