Enough research will tend to support your theory.
Murphy's Law of Research
This is the platform-dependent part of Scanners (i). It contains three things:
Verifying peculiarities of system files.
Choosing appropriate targets to demonstrate infection methods.
Testing scanners on all infected executables.
Altogether this results in a kind of time warp: the infection methods detected here are described only later on.
First, a sample of output from file(1), to show how the sed part is supposed to work.
Source: pre/i386-redhat7.3-linux/scanner/file.sh
#!/bin/bash
/usr/bin/file /bin/bash | /usr/bin/fmt
Output: out/i386-redhat7.3-linux/scanner/file
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), stripped
And now the output of find_exec.sh for both the big and the small set of target executables. Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.
Output: out/i386-redhat7.3-linux/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
12 out/i386-redhat7.3-linux/scanner/big.static
1147 out/i386-redhat7.3-linux/scanner/big.dynamic
1159 total
Output: out/i386-redhat7.3-linux/scanner/small.wc
[_infected] tmp/i386-redhat7.3-linux
0 out/i386-redhat7.3-linux/scanner/small.static
35 out/i386-redhat7.3-linux/scanner/small.dynamic
35 total
See Sections for the illustrative description of a dumped ELF header.
Output: out/i386-redhat7.3-linux/scanner/entry_point/big.static
files=0012; detected=0000
Output: out/i386-redhat7.3-linux/scanner/entry_point/big.dynamic
files=1147; detected=0000
Well, on a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1), which means there is a cure for this vulnerability (see The entry point). In the following output, ep means "entry point" and sot means "start of .text".
Output: out/i386-redhat7.3-linux/scanner/entry_point/small.dynamic
segment_padding/e1i1/tcsh_infected ep=0x808af70 sot=0x804a1f0
segment_padding/e1i1/perl_infected ep=0x80f2260 sot=0x8059b20
segment_padding/e1i1/mt_infected ep=0x804a590 sot=0x8048690
segment_padding/e1i1/bash_infected ep=0x80c6420 sot=0x8059440
segment_padding/e1i1/strip_bash_infected ep=0x80c6420 sot=0x8059440
files=0035; detected=0005
Note that only the last few lines of output are shown.
Output: out/i386-redhat7.3-linux/scanner/segment/big.static
CHECK: 2844 > 4096; 0xb1c > 0x1000
CHECK: /sbin/restore
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 2180 > 4096; 0x884 > 0x1000
CHECK: /sbin/restore
CHECK: src/scanner/segment/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 2180 > 4096; 0x884 > 0x1000
files=12; ok=7; det_page=5; det_align=5; min=0x0150; max=0x0884
Output: out/i386-redhat7.3-linux/scanner/segment/big.dynamic
CHECK: 264 > 4096; 0x108 > 0x1000
CHECK: /usr/lib/autofs/autofs-ldap-auto-master
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 4096 > 4096; 0x1000 > 0x1000
CHECK: /usr/lib/autofs/autofs-ldap-auto-master
CHECK: src/scanner/segment/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 4096 > 4096; 0x1000 > 0x1000
files=1147; ok=500; det_page=647; det_align=647; min=0x0012; max=0x1000
On this installation at least 500 + 7 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again, only the last few lines of output are shown. It is enough to see that all infected files are detected.
Output: out/i386-redhat7.3-linux/scanner/segment/small.dynamic
CHECK: 12 > 4096; 0xc > 0x1000
CHECK: tmp/i386-redhat7.3-linux/doing_it_in_c/e3i4/strip_bash_infected
CHECK: src/scanner/segment/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 12 > 4096; 0xc > 0x1000
CHECK: tmp/i386-redhat7.3-linux/doing_it_in_c/e3i4/strip_bash_infected
CHECK: src/scanner/segment/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 12 > 4096; 0xc > 0x1000
files=35; ok=0; det_page=35; det_align=30; min=0x000c; max=0x001e
I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh. But on some systems that particular executable is not vulnerable to Segment padding infection.
Source: pre/i386-redhat7.3-linux/scanner/find-shell.sh
#!/bin/bash
/bin/sed -ne 's/ \.\.\. .* Ok$//p' \
out/i386-redhat7.3-linux/scanner/segment/big.dynamic.full \
out/i386-redhat7.3-linux/scanner/segment/big.static.full \
| /bin/grep -f ./src/scanner/find-shell.lst
/bin/echo status=$?
Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/sash\>
bin/sh\>
bin/tcsh\>
Output: out/i386-redhat7.3-linux/scanner/find-shell
/bin/bash
/bin/ash
/bin/tcsh
/bin/ash.static
status=0
Output: out/i386-redhat7.3-linux/scanner/filesize/big.dynamic
files=1147; ok=1147; detected=0
Output: out/i386-redhat7.3-linux/scanner/filesize/big.static
files=12; ok=12; detected=0
Output: out/i386-redhat7.3-linux/scanner/filesize/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: tmp/i386-redhat7.3-linux/additional_cs/e3i1/bash_infected
CHECK: src/scanner/filesize/get_seg.inc#23
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: tmp/i386-redhat7.3-linux/additional_cs/e3i1/strip_bash_infected
CHECK: src/scanner/filesize/get_seg.inc#23
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=35; ok=30; detected=5
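As an added example (not part of this document's scanner scripts), here is a Python reimplementation of the two checks whose output appears above: the entry_point check (ep against the start of .text) and the filesize check (nr_load == 2, i.e. no additional code segment). Instead of reading a real binary it builds a constructed minimal ELF32 LSB image; build_image, PAGE and the sample addresses are assumptions made for the example.

```python
import struct

PT_LOAD = 1           # p_type of a loadable segment
PAGE = 0x1000         # i386 page size, used as p_align in the constructed image

def scan(data):
    """Run the entry_point and filesize checks over one ELF32 LSB image.
    entry_point fires when ep != start of .text; filesize fires when nr_load != 2."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit LSB ELF file")
    (ep, phoff, shoff, _flags, _ehsize, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from("<IIIIHHHHHH", data, 24)
    # Count PT_LOAD entries in the program header table (p_type is the first word).
    nr_load = sum(1 for i in range(phnum)
                  if struct.unpack_from("<I", data, phoff + i * phentsize)[0] == PT_LOAD)
    # Walk the section header table, resolving names through .shstrtab, to find .text.
    shdrs = [struct.unpack_from("<10I", data, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]                      # sh_offset of .shstrtab
    sot = None
    for sh in shdrs:
        start = strtab + sh[0]                       # sh_name indexes into .shstrtab
        if data[start:data.index(b"\0", start)] == b".text":
            sot = sh[3]                              # sh_addr: start of .text
            break
    if sot is None:
        raise ValueError("no .text section")
    return {"ep": ep, "sot": sot, "nr_load": nr_load,
            "entry_point": ep != sot, "filesize": nr_load != 2}

def build_image(entry, loads, text_addr=0x8048000):
    """Constructed sample input: a minimal ELF32 LSB image with the given e_entry,
    one PT_LOAD per (offset, vaddr, size) in loads, and .text/.shstrtab sections."""
    shstr = b"\0.text\0.shstrtab\0"
    phoff, shoff = 52, 52 + 32 * len(loads)
    stroff = shoff + 40 * 3
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9      # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, phoff, shoff, 0,
                              52, 32, len(loads), 40, 3, 2)
    phdrs = b"".join(struct.pack("<8I", PT_LOAD, off, va, va, sz, sz, 5, PAGE)
                     for off, va, sz in loads)
    shdrs = struct.pack("<10I", *([0] * 10))                                   # SHN_UNDEF
    shdrs += struct.pack("<10I", 1, 1, 6, text_addr, 0x100, 0x100, 0, 0, 16, 0)  # .text
    shdrs += struct.pack("<10I", 7, 3, 0, 0, stroff, len(shstr), 0, 0, 1, 0)     # .shstrtab
    return hdr + phdrs + shdrs + shstr

if __name__ == "__main__":
    two = [(0, 0x8048000, 0x1000), (0x1000, 0x8049000, 0x200)]
    print(scan(build_image(0x8048000, two)))                 # clean: no check fires
    print(scan(build_image(0x8049f70, two)))                 # ep moved: entry_point fires
    print(scan(build_image(0x8048000, two + [(0x2000, 0x804a000, 0x100)])))  # filesize fires
```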