9. Additional code segments


Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away.

 Antoine de Saint-Exupery

This is the platform dependent part of Additional code segments (i).

9.1. Scanning for NOTE

Using the scanner in Scanning for NOTE (i) we exercise a systematic search for targets. The scripts and intermediate steps are shown in Food for segment padding. Here come just the results:

Output: out/sparc-debian2.2-linux/scanner/additional_cs/find-ok
    631 out/sparc-debian2.2-linux/scanner/additional_cs/big.dynamic.ok
      2 out/sparc-debian2.2-linux/scanner/additional_cs/big.static.ok
    633 total

Output: out/sparc-debian2.2-linux/scanner/additional_cs/infect.filetype
/bin/bash:    ELF 32-bit MSB executable, SPARC, version 1, dynamically
linked (uses shared libs), stripped
/usr/bin/ldd: ELF 32-bit MSB executable, SPARC, version 1, statically
linked, stripped
/bin/sync:    ELF 32-bit MSB executable, SPARC, version 1, dynamically
linked (uses shared libs), stripped

And this should give you an idea of minimum and maximum size of found segments.

Output: out/sparc-debian2.2-linux/scanner/additional_cs/big.dynamic
CHECK: /usr/lib/lddstub
CHECK: src/scanner/additional_cs/action.inc#9
CHECK: (phdr_note) != (0)
CHECK: 0 != 0; 0 != 0
files=632; ok=631; detected=1; min=32; max=32

9.2. Give me NOTE

9.2.1. objdump

Before we overwrite the section we should take a close at what's in there. Both objdump and readelf can show the contents of sections, specified by name or index. There is no direct access according to section type. The name of the section differs between Linux and Solaris, however. Unfortunately the output of objdump -h does not include section types. As a work around we can search for a pattern matching both names. If more than one entry is found the first one will win.

objdump can disassemble sections specified by name. There is no similar support for segments. There is nothing like a plain old hexdump. And even the disassembly is refused if the executable has no symbol table. But don't let useless oddity stop our zeal.

9.2.3. Classic dump

Enough of that crap. To actually see the bytes of a segment we first have to retrieve the file offset. The following evil perl script could almost be implemented with even more evil sed. But I found no equally evil way to convert numbers from hexadecimal.

At this point the actual dump is just a variation on Strings and dumps. A classic byte-wise octal dump using only classic options of classic tools:

Command: pre/sparc-debian2.2-linux/additional_cs/note/od.sh
. out/sparc-debian2.2-linux/additional_cs/note/offset
/bin/dd if=${shell} bs=1 skip=${off} count=${filesz} \
| /usr/bin/od -c

Output: out/sparc-debian2.2-linux/additional_cs/note/od
0000000  \0  \0  \0 004  \0  \0  \0 020  \0  \0  \0 001   G   N   U  \0
0000020  \0  \0  \0  \0  \0  \0  \0 002  \0  \0  \0  \0  \0  \0  \0  \0

9.3. To serve & detect

This method works, but is not safe to strip. Well, let's compare the infected target with the the original.

Output: out/sparc-debian2.2-linux/additional_cs/readelf
-rwxr-xr-x    1 alba     alba       513020 Feb 15 23:58 bash_infected
-rwxr-xr-x    1 alba     alba       512932 Feb 15 23:58 strip_bash_infected
-rwxr-xr-x    1 root     root       512932 Jul 17  2002 /bin/bash

Elf file type is EXEC (Executable file)
Entry point 0xe3b0
There are 6 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00010034 0x00010034 0x000c0 0x000c0 R E 0x4
  INTERP         0x0000f4 0x000100f4 0x000100f4 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x00010000 0x00010000 0x75763 0x75763 R E 0x10000
  LOAD           0x075768 0x00095768 0x00095768 0x057cc 0x09070 RWE 0x10000
  DYNAMIC        0x07ae84 0x0009ae84 0x0009ae84 0x000b0 0x000b0 RW  0x4
  LOAD           0x07d3b0 0x0000e3b0 0x0000e3b0 0x0004c 0x0004c R E 0x10000

 Section to Segment mapping:
  Segment Sections...
   01     .interp 
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.bss .rela.plt .init .text .fini .rodata 
   03     .data .eh_frame .ctors .dtors .plt .got .dynamic .bss 
   04     .dynamic 

File size grew 513020 - 512932 = 88 bytes. This number is meaningless if the original target was stripped. In that case the additional bytes of the symbol table far outweigh the infection. Anyway, even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.

Command: pre/sparc-debian2.2-linux/additional_cs/scan_segment.sh
export TEVWH_TMP
shell=$( /bin/sed 1q \
	out/sparc-debian2.2-linux/scanner/segment_padding/infect )

/bin/echo "${shell}
tmp/sparc-debian2.2-linux/additional_cs/e1i1/${shell##*/}_infected" \
| tmp/sparc-debian2.2-linux/scanner/segment_padding

Output: out/sparc-debian2.2-linux/additional_cs/scan
/bin/bash ... delta=0x10005, Ok
CHECK: additional_cs/e1i1/bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=2; ok=1; det_page=1; det_align=0; min=0x10005; max=0x10005

Case closed. Guilty of failure.