- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 14087
- Проверка EDB
-
- Пройдено
- Автор
- HELLCODE RESEARCH
- Тип уязвимости
- PAPERS
- Платформа
- LINUX
- CVE
- N/A
- Дата публикации
- 2010-06-28
Код:
|=-----------------------------------------------------------------------=|
|=---------------------------[ HELLCODE RESEARCH ]-----------------------=|
|=-----------------------------------------------------------------------=|
|=--------=[ Cheats with ELF: Code Injecting into ELF Headers ]=--------=|
|=-----------------------------------------------------------------------=|
|=-----------------------=[ [email protected] ]=--------------------=|
|=-----------------------------------------------------------------------=|
--[ Index
0x0 - Introduction
0x1 - Requirements
0x2 - Basic ELF Structure
0x3 - Last Wordz
0x4 - Greetz
--[ 0x0 - Introduction
Hi Reader, In this paper, I will explain uncommon/unknown techniques
to affect ELF headers directly or helping of compiler and assembly linkers.
I've discovered this technique while thinking about injecting code to elf32
headers and i became succesful in my research 3 years ago..you can use
this technique for different ideas, anyway i've tested it for IDS by-passing
and as an anti-anti-debug technique.
--[ 0x1 - Requirements
You should know the topics which are below to understand this paper,
because probably, you can't understand this paper if you don't have high-level
knowledge about topics.
-> Unix Assembly (AT&T)
-> C/C++
-> ELF Structure
-> Time and Brain
if you know
--[ 0x2 - Basic ELF Structure
An elf32 file structure always include header, data and instruction
segments.In this part, we will create executable files, play/change their sizes
and createfiles with minimum sizes.
Lets start to show that on "merv.asm" (Seni seviyorum Merve :);
------------merv.asm-----------------
BITS 32
section .data
merv db " murderkey ownz jo !"
GLOBAL MAIN
SECTION .text
main:
;write()
mov eax, 4
mov ebx, 1
mov ecx, merv
mov edx, 28
int 0x80
; exit()
mov eax, 1
mov ebx, 0
int 0x80
-------------merv.asm-----------------
As you see above, that is a simple assembly code. It prints " murderkey ownz jo !"
to screen and ending via "exit call".Compiling it with "nasm" and giving link
with "ld".
h4x0r elf32 # nasm -felf merv.asm -o merv.o
h4x0r elf32 # ld merv.o -o merv
ld: warning: cannot find entry symbol _start; defaulting to 00000000080480a0
yeah, the warning is so important here! dont forget that!
the program gave us "_start sectioun is not defined for elf32 in .text segment"
error.even so , we are running the binary.
h4x0r elf32 # ./merv
murderkey ownz jo !
h4x0r elf32 #
Good! there is not any problem for now so lets look at the size of program.
h4x0r elf32 # wc -c merv
892 merv
It is 892, we will match this value with the next code that we will write.
--------------merv2.asm-------------------
BITS 32
section .data
merv db " murderkey ownz jo !"
SECTION .text
GLOBAL _start
_start
mov eax, 4
mov ebx, 1
mov ecx, merv
mov edx, 28
int 0x80
mov eax, 1
mov ebx, 0
int 0x80
----------------merv2.asm------------------------
Now, compiling, linking and running the program again.
h4x0r elf32 # nasm -felf merv2.asm
h4x0r elf32 # ld merv2.o -o merv2
h4x0r elf32 # ./merv2
murderkey ownz jo !
and lets look at the size of file
h4x0r elf32 # wc -c merv2
848 merv2
h4x0r elf32 #
848! There is not a clear changing at the size. We will see this in a better
way with details now.
compiling "merv2.asm";
h4x0r elf32 # nasm -f elf merv2.asm
h4x0r elf32 # gcc -Wall -s merv2.o
merv2.o(.data+0x13): In function `_start':
: multiple definition of `_start'
/usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../crt1.o(.text+0x0): first defined here
/usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../crt1.o(.text+0x18): In function `_start':
: undefined reference to `main'
collect2: ld returned 1 exit status
h4x0r elf32 #
The error is so interesting at the above. "/crt1.o(.text+0x0): first defined here."
This error means that _start symbol is defined in "crt1.o elf32 startup script" and
also we defined a _start symbol too.
So these overlaps and it causes this error :)For blocking this, We are giving a command
to gcc compiler to not running "startup" script when our code is compiled.We are doing
it with (gcc) "-nostartfiles" option.
h4x0r elf32 # gcc -Wall -s -nostartfiles merv2.o -o merv2
h4x0r elf32 # ./merv2
Segmentation fault
h4x0r elf32 #
UPPSSS we comiled our code but there is a (segmentation fault) memory crash!
What is the problem here? Let's find! When we call _start image symbol in our assembly
code ,it must be ended via _exit() call but we gave "-nostartfiles" option to it so it
can not find _exit()How can we defeat it? Of course, defining the _exit as EXTERN and
calling it in our code.
Lets write the code again...
----------------- merv2.asm ------------------
BITS 32
section .data
merv db " murderkey ownz jo !"
EXTERN _exit
section.text
global _start
_start
mov eax, 4
mov ebx, 1
mov ecx, merv
mov edx, 28
int 0x80
call _exit
------------------- merv2.asm ----------------------
Now, compiling again and linking...
h4x0r elf32 # nasm -f elf merv2.asm
h4x0r elf32 # gcc -Wall -s -nostartfiles merv2.o -o merv2
h4x0r elf32 # ./merv2
murderkey ownz jo !
WE ARE THE CHAMPION !! As you see, our function was run!
Now , looking the size of our code;
h4x0r elf32 # wc -c merv2
1392 merv2
h4x0r elf3
1392 <----- Now you understand well the difference of sizes.
Now, we will practice a deceit with a different option. Watch here carefully!
---------------- merv3.asm---------------------
BITS 32
section .data
merv db " murderkey ownz jo !"
GLOBAL _start
SECTION .text
_start
mov eax, 4
mov ebx, 1
mov ecx, merv
mov edx, 28
int 0x80
mov eax, 1
mov ebx, 0
int 0x80
------------------ merv3.asm -----------------------
Compiling and linking the code;
h4x0r elf32 # nasm -f elf merv3.asm
h4x0r elf32 # gcc -Wall -s -nostdlib merv3.o -o merv3
Run it;
h4x0r elf32 # ./merv3
murderkey ownz jo !
So nice, we are wondering of size.
h4x0r elf32 # wc -c merv3
524 merv3
h4x0r elf32 #
524, what did we do here? we gave -nostdlib option to compiler and canceled _exit().
We used this code instead of it;
mov eax, 1
mov ebx, 0
int 0x80
and runned "_exit call" directly...
-----------------------------------------------------------------------------
Shortly I want to say that we can cancel elf32 file headers, we can inject sections
and can change size of fileshow we want.. or we can bypass anti-debug protections.
That provide convenience us while developing unix worms.because any ids or any
antivirus can not check elf32 file headers in this way.You can exceed every obstacle
via this method. It's up to your imagination and creativity.
Also I want to refer an issue here.
While an elf32 executable image is being mapped to memory, it is mapped at
"0x00000000080480a0" 32-bit hexadecimal address as a default in unix systems.
If you dont define _start in elf32 , linker will give an error like below;
...
/usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../../i386-pc-linux-gnu/bin/ld: warning:
cannot find entry
symbol _start; defaulting to 00000000080480a0
...
so kernel maps image to memory as default. If you run your head! , you can map this
image to another place!I am changing this address and making it "0x08048000" !!
Lets compile the code which is below as a bin format look its' starting place..
P.S: You should know details of elf32 file structure for this part.
------------------- lame-elf32.asm----------------------------------
BITS 32
org 0x08048000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1 ; e_ident
times 9 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd filesize ; p_memsz
dd 5 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr
section .data
merv db "murderkey own jo!"
_start:
mov eax, 4
mov ebx, 1
mov ecx, merv
mov edx, 28
int 0x80
; exit() call
mov eax, 1
mov ebx, 0
int 0x80
filesize equ $ - $$
----------------------------lame-elf32.asm-------------------------------
Now lets link our code in bin format and run it..
h4x0r elf32 # nasm -f bin lame-elf32.asm -o lame-elf32
h4x0r elf32 # chmod +x lame-elf32
h4x0r elf32 # ./lame-elf32
murderkey own jo!
--[ 0x3 - Last Wordz
I want to finish my paper now. After learning basic things in paper, we can
play with elf32 headers how we want..you can distribute elf32 worm to systems via
bypassing all IDS with this oh-day technique! Thats up to only your creativity.You
should have deep assembly and elf32 file system knowledge to do that.. This paper has
been written to be a basic for this bypassing methods etc..
Used linux source codes and elf headers as references in this paper..
/usr/include/linux/elf.h <--------- this header gives us all details about elf structure.
--[ 0x4 - Greetz
karak0rsan, l4m3r, n00b (dont forget about misdirection lol'd), GOBBLES, PHC and
all blackhat community...hey man, you should contact me because someone is watchin' u, i
know you hate "contributors" and still im waiting you ! someone offered me money to give
information about you but i didn't accept coz im not like the others...dont forget !
- Источник
- www.exploit-db.com