7. Scanners


Enough research will tend to support your theory.

 Murphy's Law of Research

This is the platform-dependent part of Scanners (i). It contains three things:

Altogether this results in a kind of time warp. The infection methods detected here are described later on.

7.1. Finding executables

First a sample from file to show how the sed part is supposed to work.

And now the output of find_exec.sh for both the big and the small set of target executables. Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.

7.2. Scan entry point

See Sections for the illustrative description of a dumped ELF header.

Output: out/sparc-sunos5.7/scanner/entry_point/big.static
files=0010; detected=0000

Output: out/sparc-sunos5.7/scanner/entry_point/big.dynamic
files=0729; detected=0000

Well, on a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1), which means there is a cure for this vulnerability (see The entry point). In the following output ep means "entry point" and sot means "start of .text".

Output: out/sparc-sunos5.7/scanner/entry_point/small.dynamic
segment_padding/e1i1/csh_infected            ep=0x32da0    sot=0x18a14   
segment_padding/e1i1/perl_infected           ep=0xf74c0    sot=0x24440   
segment_padding/e1i1/mt_infected             ep=0x117a0    sot=0x10a90   
segment_padding/e1i1/sh_infected             ep=0x3e510    sot=0x175c4   
segment_padding/e1i1/strip_sh_infected       ep=0x3e510    sot=0x175c4   
files=0005; detected=0005
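As an added example (not part of the original document or its scripts), a small Python scanner that performs the same entry-point check as the output above: it parses an ELF32 header and section table, locates .text and reports when e_entry falls outside it. The image builder constructs a minimal big-endian ELF32 in memory (a constructed image, not a real binary), so the check runs without any target files.

```python
import struct

def parse_elf32(data):
    """Return (e_entry, {section name: (sh_addr, sh_size)}) of an ELF32 image."""
    assert data[:4] == b"\x7fELF" and data[4] == 1, "only ELF32 is handled here"
    end = ">" if data[5] == 2 else "<"          # EI_DATA: 2 = big endian
    e_entry, _phoff, e_shoff = struct.unpack_from(end + "III", data, 24)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 46)
    # Elf32_Shdr is ten 32-bit words: name type flags addr offset size ...
    shdrs = [struct.unpack_from(end + "10I", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    str_off = shdrs[e_shstrndx][4]              # file offset of .shstrtab
    sections = {}
    for sh in shdrs:
        start = str_off + sh[0]
        name = data[start:data.index(b"\0", start)].decode()
        sections[name] = (sh[3], sh[5])
    return e_entry, sections

def check_entry_point(data):
    """Entry-point scan: flag an image whose e_entry lies outside .text."""
    ep, sections = parse_elf32(data)
    sot, size = sections[".text"]
    return {"ep": ep, "sot": sot, "detected": not (sot <= ep < sot + size)}

def build_elf32(entry, text_addr=0x10000, text_size=0x100, big_endian=True):
    """Constructed minimal ELF32 image: null, .text and .shstrtab sections."""
    end = ">" if big_endian else "<"
    shstrtab = b"\0.text\0.shstrtab\0"           # ".text" at 1, ".shstrtab" at 7
    shoff = 52 + len(shstrtab)                   # section table follows the strings
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    # e_type=ET_EXEC, e_machine=EM_SPARC, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH",
                               2, 2, 1, entry, 0, shoff, 0, 52, 0, 0, 40, 3, 2)
    null = struct.pack(end + "10I", *([0] * 10))
    text = struct.pack(end + "10I", 1, 1, 6, text_addr, 0, text_size, 0, 0, 4, 0)
    strtab = struct.pack(end + "10I", 7, 3, 0, 0, 52, len(shstrtab), 0, 0, 1, 0)
    return ehdr + shstrtab + null + text + strtab

if __name__ == "__main__":
    for name, ep in (("clean", 0x10040), ("infected", 0x32da0)):
        r = check_entry_point(build_elf32(ep))
        print("%-9s ep=%#x sot=%#x detected=%s" % (name, r["ep"], r["sot"], r["detected"]))
```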

7.3. Scan segments

Note that only the last few lines of output are shown.

On this installation at least 729 + 10 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output are shown. It's enough to see that all infected files are detected.

Output: out/sparc-sunos5.7/scanner/segment/small.dynamic
CHECK: 61440 > 65536; 0xf000 > 0x10000
CHECK: tmp/sparc-sunos5.7/segment_padding/e1i1/sh_infected
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61442 > 65536; 0xf002 > 0x10000
CHECK: tmp/sparc-sunos5.7/segment_padding/e1i1/strip_sh_infected
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61442 > 65536; 0xf002 > 0x10000
files=5; ok=5; det_page=0; det_align=5; min=0xf000; max=0xf002

7.4. A shell for segment padding

I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh. But on some systems that particular executable is not vulnerable to Segment padding infection.

Source: pre/sparc-sunos5.7/scanner/find-shell.sh
#!/usr/xpg4/bin/sh
# Keep only those lines of the full segment scan output that end in
# " ... Ok" and strip that suffix, leaving the bare file name.
/usr/xpg4/bin/sed -ne 's/ \.\.\. .* Ok$//p' \
	out/sparc-sunos5.7/scanner/segment/big.dynamic.full \
	out/sparc-sunos5.7/scanner/segment/big.static.full \
| /usr/xpg4/bin/grep -f ./src/scanner/find-shell.lst   # keep names on the shell list
/usr/bin/echo status=$?

Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/sash\>
bin/sh\>
bin/tcsh\>

Output: out/sparc-sunos5.7/scanner/find-shell
/usr/bin/csh
/usr/bin/ksh
/usr/bin/sh
/sbin/sh
status=0

7.5. Scan file size