7. Segment padding infection

 

I am extremely surprised and pleased. I'm surprised because as far as I am concerned I have always done what I wanted to do and followed my own way. Really, the honor has as much to do with Paddington as myself.

 Michael Bond, creator of "Paddington Bear", on receiving an OBE

This infection method got a lot of press under the name Remote shell trojan. It is based on a peculiarity described in the platform-specific part, Segment padding infection[ABC]. On i386 its future is bleak: the gap seems to be actively closed. On Slackware 8.1 and Red Hat 8.0, /bin/bash is no longer vulnerable. On other platforms the gap is much larger and will probably remain.

Table 1. Platform specific defaults of ELF

Platform  Address size  Byte order  Base address  _SC_PAGESIZE  Alignment  Pages below base
alpha     64            L           120000000     2000          10000      589824
i386      32            L           08048000      1000          1000       32840
sparc     32            M           00010000      1000          10000      16

_SC_PAGESIZE is a hardware constant and nothing a compiler can choose. The "Alignment" column, on the other hand, varies from challengingly tiny to exceedingly large. A quote from the ELF specification (values are specific to i386): [4]

[…] executable and shared object files must have segment images whose file offsets and virtual addresses are congruent, modulo the page size. Virtual addresses and file offsets for the SYSTEM V architecture segments are congruent modulo 4 KB (0x1000) or larger powers of 2. Because 4 KB is the maximum page size, the files will be suitable for paging regardless of physical page size. […]

This means that for every segment the last three hexadecimal digits of Offset equal the last three hexadecimal digits of VirtAddr in every healthy output of readelf and objdump. So unless we change VirtAddr as well - which means enormous trouble like relocation of every access to a global variable - we are stuck with allocating memory in chunks of _SC_PAGESIZE.

7.1. _SC_PAGESIZE

getpagesize(2) sounds like the obvious way to retrieve this value. But not all systems have it, and modern standards prefer sysconf(3) instead.

Obviously the output is platform-dependent; see Segment padding infection[ABC]. The lesson to learn is that using free space resulting from alignment is problematic on i386 but comfortable on other platforms.
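The congruence rule quoted from the ELF specification and the "Pages below base" column of Table 1 can be checked mechanically. The following C code is an added example, not part of the original text: the reduced struct seg, the function names and both sample header sets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define PT_LOAD 1u                 /* segment type value from the ELF spec */

/* Reduced view of a program header: only the fields this check reads. */
struct seg { uint32_t type, offset, vaddr, align; };

/* 1 if offset and vaddr are congruent modulo m (m of 0 or 1: no constraint). */
static int congruent(const struct seg *s, uint32_t m)
{
    return m <= 1 || (s->offset % m) == (s->vaddr % m);
}

/* Number of PT_LOAD segments that break the rule for the page size or for
   their own p_align; 0 is what the text calls healthy. */
int count_incongruent(const struct seg *segs, int n, uint32_t page)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        if (segs[i].type != PT_LOAD)
            continue;
        if (!congruent(&segs[i], page) || !congruent(&segs[i], segs[i].align))
            bad++;
    }
    return bad;
}

/* "Pages below base" column of Table 1. */
uint64_t pages_below_base(uint64_t base, uint64_t page) { return base / page; }

/* Constructed i386-style headers, not taken from a real binary. */
const struct seg healthy[] = {
    { PT_LOAD, 0x000000, 0x08048000, 0x1000 },   /* text */
    { PT_LOAD, 0x0004a0, 0x080494a0, 0x1000 },   /* data */
};
/* Same data segment with VirtAddr moved but Offset left alone. */
const struct seg shifted[] = {
    { PT_LOAD, 0x000000, 0x08048000, 0x1000 },
    { PT_LOAD, 0x0004a0, 0x08049500, 0x1000 },
};

int main(void)
{
    long page = sysconf(_SC_PAGESIZE);   /* preferred over getpagesize(2) */
    if (page <= 0)
        return 1;
    printf("page size 0x%lx\n", page);
    printf("healthy: %d bad\n", count_incongruent(healthy, 2, (uint32_t)page));
    printf("shifted: %d bad\n", count_incongruent(shifted, 2, (uint32_t)page));
    return 0;
}
```

A segment flagged by count_incongruent is one whose VirtAddr was changed without the matching Offset, which is the situation the text describes as enormous trouble.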

7.2. The plan

This setup has a few problems.

7.3. target_new_entry_addr #1

7.4. target_patch_phdr #1

7.5. target_patch_shdr #1

7.6. target_copy_and_infect #1