Enough research will tend to support your theory.
Murphy's Law of Research
This is the platform-dependent part of Scanners (i).
First a sample of output from file, to show what the sed part is supposed to work on.
Source: pre/sparc-sunos5.7/scanner/file.sh
#!/usr/xpg4/bin/sh
/usr/bin/file /usr/xpg4/bin/sh | /usr/bin/fmt
Output: out/sparc-sunos5.7/scanner/file
/usr/xpg4/bin/sh: ELF 32-bit MSB executable SPARC Version 1,
dynamically linked, stripped
And now the output of find_exec.sh for both the big and the small set of target executables. Typical Linux distributions have very few statically linked programs. On traditional Unix systems the number is much higher.
Output: out/sparc-sunos5.7/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
10 out/sparc-sunos5.7/scanner/big.static
729 out/sparc-sunos5.7/scanner/big.dynamic
739 total
Output: out/sparc-sunos5.7/scanner/small.wc
[_infected] tmp/sparc-sunos5.7
0 out/sparc-sunos5.7/scanner/small.static
5 out/sparc-sunos5.7/scanner/small.dynamic
5 total
See Sections for the illustrative description of a dumped ELF header.
Output: out/sparc-sunos5.7/scanner/entry_point/big.static
files=0010; detected=0000
Output: out/sparc-sunos5.7/scanner/entry_point/big.dynamic
files=0729; detected=0000
Well, on a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected, which means there is a cure for this vulnerability (see The entry point). In the following output, ep means "entry point" and sot means "start of .text".
Output: out/sparc-sunos5.7/scanner/entry_point/small.dynamic
segment_padding/e1i1/csh_infected ep=0x32da0 sot=0x18a14
segment_padding/e1i1/perl_infected ep=0xf74c0 sot=0x24440
segment_padding/e1i1/mt_infected ep=0x117a0 sot=0x10a90
segment_padding/e1i1/sh_infected ep=0x3e510 sot=0x175c4
segment_padding/e1i1/strip_sh_infected ep=0x3e510 sot=0x175c4
files=0005; detected=0005
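The ep/sot comparison above, reconstructed in Python as an added example (this is not the HOWTO's own scanner code). It parses a 32-bit ELF image in either byte order, locates .text through the section-name table and reports the entry point as suspicious when it lies outside .text; that rule, the builder for a minimal test image, and the .text size of 0x600 are assumptions, while the ep/sot values are those of mt_infected in the output above.

```python
import struct

ELF_MAGIC = b"\x7fELF"

def find_entry_and_text(data):
    """Return (e_entry, .text address, .text size) of an ELF32 image, MSB or LSB."""
    if data[:4] != ELF_MAGIC or data[4] != 1:          # EI_CLASS must be ELFCLASS32
        raise ValueError("not an ELF32 image")
    end = ">" if data[5] == 2 else "<"                  # EI_DATA: 2 = MSB (SPARC), 1 = LSB
    # e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    e_entry, _, shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack(
        end + "IIIIHHHHHH", data[24:52])

    def shdr(i):                                        # one Elf32_Shdr: ten 32-bit words
        off = shoff + i * shentsize
        return struct.unpack(end + "10I", data[off:off + 40])

    strtab_off = shdr(shstrndx)[4]                      # sh_offset of .shstrtab
    for i in range(shnum):
        name_idx, _, _, addr, _, size, *_ = shdr(i)
        name = data[strtab_off + name_idx:].split(b"\0", 1)[0]
        if name == b".text":
            return e_entry, addr, size
    raise ValueError("no .text section")

def entry_point_check(data):
    """ep, sot and whether ep lies outside .text (the assumed detection rule)."""
    ep, sot, size = find_entry_and_text(data)
    return {"ep": ep, "sot": sot, "detected": not (sot <= ep < sot + size)}

def build_elf32_msb(entry, text_addr, text_size):
    """Constructed test data: minimal ELF32 MSB (SPARC) image with .text and .shstrtab only."""
    shstrtab = b"\0.text\0.shstrtab\0"                  # name indices: .text = 1, .shstrtab = 7
    text_off = 52                                       # .text bytes follow the 52-byte ELF header
    strtab_off = text_off + text_size
    shoff = strtab_off + len(shstrtab)                  # section header table goes last
    ident = ELF_MAGIC + bytes([1, 2, 1]) + b"\0" * 9    # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 2, 1, entry, 0, shoff, 0,
                               52, 0, 0, 40, 3, 2)      # ET_EXEC, EM_SPARC, 3 shdrs, shstrndx 2
    sh_text = struct.pack(">10I", 1, 1, 6, text_addr, text_off, text_size, 0, 0, 4, 0)  # PROGBITS AX
    sh_strs = struct.pack(">10I", 7, 3, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0)    # STRTAB
    return ehdr + b"\0" * text_size + shstrtab + b"\0" * 40 + sh_text + sh_strs

if __name__ == "__main__":
    # ep/sot taken from mt_infected above; a clean image has its entry point at sot
    infected = build_elf32_msb(entry=0x117a0, text_addr=0x10a90, text_size=0x600)
    clean = build_elf32_msb(entry=0x10a90, text_addr=0x10a90, text_size=0x600)
    for name, img in (("mt_infected", infected), ("mt", clean)):
        r = entry_point_check(img)
        print(f"{name} ep={r['ep']:#x} sot={r['sot']:#x} detected={r['detected']}")
```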
Source: pre/sparc-sunos5.7/scanner/plain.sh
#!/usr/xpg4/bin/sh
# plain.sh: run one scanner over a list of executables.
#   $1 list of files to scan (one path per line), $2 output file,
#   $3 name of the scanner binary (default: segment)
src=$1
dst=$2
scanner=${3:-segment}
[ -s ${src} ] || exit 0    # nothing to do if the list is missing or empty
TEVWH_TMP=tmp/sparc-sunos5.7; export TEVWH_TMP
# keep the complete output in ${dst}.full, drop the ' Ok' lines
# and leave only the last few lines in ${dst}
tmp/sparc-sunos5.7/scanner/${scanner} < ${src} 2>&1 \
| /usr/bin/tee ${dst}.full \
| /usr/xpg4/bin/grep -v ' Ok$' \
| /usr/xpg4/bin/tail \
> ${dst}
Note that only the last few lines of output are shown.
Output: out/sparc-sunos5.7/scanner/segment/big.static
files=10; ok=10; det_page=0; det_align=0; min=0x10001; max=0x10002
Output: out/sparc-sunos5.7/scanner/segment/big.dynamic
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/svr4.make
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/smrsh
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
files=729; ok=729; det_page=0; det_align=269; min=0x10000; max=0x10002
On this installation at least 729 + 10 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output are shown. It is enough to see that all infected files are detected.
Output: out/sparc-sunos5.7/scanner/segment/small.dynamic
CHECK: 61440 > 65536; 0xf000 > 0x10000
CHECK: tmp/sparc-sunos5.7/segment_padding/e1i1/sh_infected
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61442 > 65536; 0xf002 > 0x10000
CHECK: tmp/sparc-sunos5.7/segment_padding/e1i1/strip_sh_infected
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61442 > 65536; 0xf002 > 0x10000
files=5; ok=5; det_page=0; det_align=5; min=0xf000; max=0xf002