The ELF Virus Writing HOWTO: i386-redhat8.0-linux
PrevNext

9. Additional code segments

 

Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away.

 Antoine de Saint-Exupery

This is the platform dependent part of Additional code segments (i).

9.1. Scanning for NOTE

Using the scanner in Scanning for NOTE (i) we exercise a systematic search for targets. The scripts and intermediate steps are shown in Food for segment padding. Here come just the results:

Output: out/i386-redhat8.0-linux/scanner/additional_cs/find-ok 
   1763 out/i386-redhat8.0-linux/scanner/additional_cs/big.dynamic.ok
     15 out/i386-redhat8.0-linux/scanner/additional_cs/big.static.ok
   1778 total

Output: out/i386-redhat8.0-linux/scanner/additional_cs/infect.filetype 
/bin/bash:       ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), dynamically linked (uses shared libs), stripped
/bin/ash.static: ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), statically linked, not stripped
/bin/rpm:        ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), statically linked, not stripped

And this should give you an idea of minimum and maximum size of found segments.

Output: out/i386-redhat8.0-linux/scanner/additional_cs/big.dynamic 
files=1763; ok=1763; detected=0; min=32; max=32

9.2. Give me NOTE

9.2.1. objdump

Before we overwrite the section we should take a close at what's in there. Both objdump and readelf can show the contents of sections, specified by name or index. There is no direct access according to section type. The name of the section differs between Linux and Solaris, however. Unfortunately the output of objdump -h does not include section types. As a work around we can search for a pattern matching both names. If more than one entry is found the first one will win.

Command: pre/i386-redhat8.0-linux/additional_cs/note/objdump-name.sh 
#!/bin/bash
shell=$( /bin/sed 1q \
	out/i386-redhat8.0-linux/scanner/additional_cs/infect )
[ -x ${shell} ] || exit 1

/bin/echo shell="${shell}"
/usr/bin/objdump -h ${shell} \
| /usr/bin/perl -ane \
	'if (/\s+\.note[A-Za-z\.-]*\s+/) {
		print "index=$F[0]\nname=\"$F[1]\"\n# $_";
		exit 0;
	}'

Output: out/i386-redhat8.0-linux/additional_cs/note/objdump-name 
shell=/bin/bash
index=1
name=".note.ABI-tag"
#   1 .note.ABI-tag 00000020  08048128  08048128  00000128  2**2

objdump can disassemble sections specified by name. There is no similar support for segments. There is nothing like a plain old hexdump. And even the disassembly is refused if the executable has no symbol table. But don't let useless oddity stop our zeal.

Command: pre/i386-redhat8.0-linux/additional_cs/note/objdump.sh 
#!/bin/bash
. out/i386-redhat8.0-linux/additional_cs/note/objdump-name
/usr/bin/objdump -j ${name} -d ${shell} -Mintel \
2>&1 | pre/i386-redhat8.0-linux/magic_elf/objdump_format.pl

Output: out/i386-redhat8.0-linux/additional_cs/note/objdump 
 8048128:   04 00               add     al,0x0
 804812a:   00 00               add     BYTE PTR [eax],al
 804812c:   10 00               adc     BYTE PTR [eax],al
 804812e:   00 00               add     BYTE PTR [eax],al
 8048130:   01 00               add     DWORD PTR [eax],eax
 8048132:   00 00               add     BYTE PTR [eax],al
 8048134:   47                  inc     edi
 8048135:   4e                  dec     esi
 8048136:   55                  push    ebp
 8048137:   00 00               add     BYTE PTR [eax],al
 8048139:   00 00               add     BYTE PTR [eax],al
 804813b:   00 02               add     BYTE PTR [edx],al
 804813d:   00 00               add     BYTE PTR [eax],al
 804813f:   00 02               add     BYTE PTR [edx],al
 8048141:   00 00               add     BYTE PTR [eax],al
 8048143:   00                  .byte   0x0
 8048144:   05                  .byte   0x5
 8048145:   00 00               add     BYTE PTR [eax],al

9.2.2. readelf

readelf can hexdump sections specified by index. There is no similar support for segments. But at least the output of readelf -S includes section types, so we don't have to rely on matching the name.

Command: pre/i386-redhat8.0-linux/additional_cs/note/readelf-name.sh 
#!/bin/bash
shell=$( /bin/sed 1q \
	out/i386-redhat8.0-linux/scanner/additional_cs/infect )
[ -x ${shell} ] || exit 1

/bin/echo shell="${shell}"
/usr/bin/readelf -S ${shell} \
| /usr/bin/perl '-anF/[\s\[\]]+/' -e \
	'if ($F[3] eq "NOTE") {
		print "index=$F[1]\nname=\"$F[2]\"\n";
		exit 0;
	}'

Output: out/i386-redhat8.0-linux/additional_cs/note/readelf-name 
shell=/bin/bash
index=2
name=".note.ABI-tag"

Command: pre/i386-redhat8.0-linux/additional_cs/note/readelf.sh 
#!/bin/bash
.  out/i386-redhat8.0-linux/additional_cs/note/readelf-name
/usr/bin/readelf -x ${index} ${shell}
/bin/echo "section=${index} status=$?"

The output of both readelf 2.11.93 (shipped with Red Hat 7.3) and readelf 2.13.9 (shipped with Red Hat 8.0) is broken. Looks like a very strange byte order issue on i386. And readelf 2.11 on Solaris 9 core dumps right out on -x.

Output: out/i386-redhat8.0-linux/additional_cs/note/readelf 

Hex dump of section '.note.ABI-tag':
  0x08048128 00554e47 00000001 00000010 00000004 ............GNU.
  0x08048138 00000005 00000002 00000002 00000000 ................
section=2 status=0

9.2.3. Classic dump

Enough of that crap. To actually see the bytes of a segment we first have to retrieve the file offset. The following evil perl script could almost be implemented with even more evil sed. But I found no equally evil way to convert numbers from hexadecimal.

Command: pre/i386-redhat8.0-linux/additional_cs/note/offset.sh 
#!/bin/bash
shell=$( /bin/sed 1q \
	out/i386-redhat8.0-linux/scanner/additional_cs/infect )
echo "shell='${shell}'"

/usr/bin/objdump -p ${shell} \
| /usr/bin/perl -ne \
	'if (s/^\s*NOTE\s+//) {
	   # convert all hexadecimal fields into assignments
	   s/ *(\w+)\s+0x([0-9a-fA-F]+)/sprintf("%s=%d\n", $1, hex($2))/ge;
	   s/\n .*//;	# cut off trailing "align 2**2"
	   $_ .= <>;	# append second line
	   # convert all appended hexadecimal fields into assignments
	   s/ *(\w+)\s+0x([0-9a-fA-F]+)/sprintf("%s=%d\n", $1, hex($2))/ge;
	   s/\n .*//;	# cut off trailing "flags r--"
	   print $_;
	   exit 0;
	}'

Output: out/i386-redhat8.0-linux/additional_cs/note/offset 
shell='/bin/bash'
off=296
vaddr=134512936
paddr=134512936
filesz=32
memsz=32

At this point the actual dump is just a variation on Strings and dumps. A classic byte-wise octal dump using only classic options of classic tools:

Command: pre/i386-redhat8.0-linux/additional_cs/note/od.sh 
#!/bin/bash
. out/i386-redhat8.0-linux/additional_cs/note/offset
/bin/dd if=${shell} bs=1 skip=${off} count=${filesz} \
| /usr/bin/od -c

Output: out/i386-redhat8.0-linux/additional_cs/note/od 
0000000 004  \0  \0  \0 020  \0  \0  \0 001  \0  \0  \0   G   N   U  \0
0000020  \0  \0  \0  \0 002  \0  \0  \0 002  \0  \0  \0 005  \0  \0  \0
0000040

9.2.4. hexdump

hexdump is both more astetical and easier to use. Unfortunately the version shipped with Slackware 8.1 fails on -s.

Command: pre/i386-redhat8.0-linux/additional_cs/note/hexdump.sh 
#!/bin/bash
. out/i386-redhat8.0-linux/additional_cs/note/offset
/usr/bin/hexdump \
	-f ./src/format.hex \
	-s ${off} -n ${filesz} < ${shell}

Output: out/i386-redhat8.0-linux/additional_cs/note/hexdump 
0128  04 00 00 00 10 00 00 00  01 00 00 00 47 4e 55 00  ............GNU.
0138  00 00 00 00 02 00 00 00  02 00 00 00 05 00 00 00  ................

9.2.5. xxd

xxd is obviously the best.

Command: pre/i386-redhat8.0-linux/additional_cs/note/xxd.sh 
#!/bin/bash
. out/i386-redhat8.0-linux/additional_cs/note/offset
/usr/bin/xxd -l ${filesz} -s ${off} ${shell}

Output: out/i386-redhat8.0-linux/additional_cs/note/xxd 
0000128: 0400 0000 1000 0000 0100 0000 474e 5500  ............GNU.
0000138: 0000 0000 0200 0000 0200 0000 0500 0000  ................

9.3. To serve & detect

Output: out/i386-redhat8.0-linux/additional_cs/e1i1/infect 
/bin/bash ... wrote 26 bytes, Ok
/bin/ash.static ... wrote 26 bytes, Ok
/bin/rpm ... wrote 26 bytes, Ok
files=3; ok=3; failed=0

Output = Command: out/i386-redhat8.0-linux/additional_cs/test-e1i1.sh 
#!tmp/i386-redhat8.0-linux/additional_cs/e1i1/bash_infected
echo "pid=[$$]"
cd tmp/i386-redhat8.0-linux/additional_cs/e1i1
echo "TERM=[$TERM]"
./ash.static_infected -c 'echo $$'
./rpm_infected --version

echo "---"
/bin/cat bash_infected > strip_bash_infected \
&& /usr/bin/strip strip_bash_infected \
&& /bin/chmod 755 strip_bash_infected \
&& ./strip_bash_infected -version

Output: out/i386-redhat8.0-linux/additional_cs/test-e1i1 
ELFpid=[22644]
TERM=[xterm]
ELF22645
ELFRPM version 4.1
---
BFD: strip_bash_infected: warning: Empty loadable segment detected, is this intentional ?

out/i386-redhat8.0-linux/additional_cs/test-e1i1.sh: line 12: 22650 Segmentation fault      (core dumped) ./strip_bash_infected -version

This method works, but is not safe to strip. Well, let's compare the infected target with the the original.

Output: out/i386-redhat8.0-linux/additional_cs/readelf 
-rwxrwxr-x    1 alba     alba       626218 Feb 15 23:49 bash_infected
-rwxr-xr-x    1 alba     alba       626188 Feb 15 23:49 strip_bash_infected
-rwxr-xr-x    1 root     root       626188 Aug 23 22:01 /bin/bash

Elf file type is EXEC (Executable file)
Entry point 0x8046e10
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
  INTERP         0x000114 0x08048114 0x08048114 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x9293c 0x9293c R E 0x1000
  LOAD           0x093000 0x080db000 0x080db000 0x05958 0x09bf4 RW  0x1000
  DYNAMIC        0x0985b0 0x080e05b0 0x080e05b0 0x000d8 0x000d8 RW  0x4
  LOAD           0x098e10 0x08046e10 0x08046e10 0x0001a 0x0001a R E 0x1000
  GNU_EH_FRAME   0x0928f0 0x080da8f0 0x080da8f0 0x0004c 0x0004c R   0x4

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr 
   03     .data .eh_frame .dynamic .ctors .dtors .jcr .got .bss 
   04     .dynamic 
   05     
   06     .eh_frame_hdr

File size grew 626218 - 626188 = 30 bytes. This number is meaningless if the original target was stripped. In that case the additional bytes of the symbol table far outweigh the infection. Anyway, even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.

Command: pre/i386-redhat8.0-linux/additional_cs/scan_segment.sh 
#!/bin/bash
TEVWH_TMP=tmp/i386-redhat8.0-linux
export TEVWH_TMP
shell=$( /bin/sed 1q \
	out/i386-redhat8.0-linux/scanner/segment_padding/infect )

/bin/echo "${shell}
tmp/i386-redhat8.0-linux/additional_cs/e1i1/${shell##*/}_infected" \
| tmp/i386-redhat8.0-linux/scanner/segment_padding

Output: out/i386-redhat8.0-linux/additional_cs/scan 
/bin/tcsh ... delta=0x1008, Ok
(2) No such file or directory
CHECK: additional_cs/e1i1/tcsh_infected
CHECK: src/one_step_closer/open_src.inc#9
CHECK: (0) <= (t->fd_src = open(t->src_file, 00))
CHECK: 0 <= -1; 0 <= 0xffffffff
files=2; ok=1; det_page=1; det_align=0; min=0x1008; max=0x1008

Case closed. Guilty of failure.

PrevHomeNext
Segment padding infection The entry point