Enough research will tend to support your theory. | |
Murphy's Law of Research |
This is the platform-dependent part of Scanners (i). It contains three things:
Verifying peculiarities of system files.
Choosing appropriate targets to demonstrate infection methods.
Testing scanners on all infected executables.
Altogether this results in a kind of time warp: the infection methods detected here are described later on, and the list of clean targets found here has already been used.
This is the output of find-exec.sh as described in Finding executables (i). The sample of file(1) output further down (at Food for segment padding) should explain what the sed part is supposed to match.
Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.
Output: out/sparc-sunos5.9/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
15 out/sparc-sunos5.9/scanner/big.static
928 out/sparc-sunos5.9/scanner/big.dynamic
943 total |
Output: out/sparc-sunos5.9/scanner/small.wc
[_infected] tmp/sparc-sunos5.9
1 out/sparc-sunos5.9/scanner/small.static
7 out/sparc-sunos5.9/scanner/small.dynamic
8 total |
See Sections for the illustrative description of a dumped ELF header. The script itself is at Scan entry point (i).
Output: out/sparc-sunos5.9/scanner/entry_point/big.static
files=0015; detected=0000 |
Output: out/sparc-sunos5.9/scanner/entry_point/big.dynamic
files=0928; detected=0000 |
On a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1 in every hit), which means there is a cure for this weakness (see The entry point). In the following output ep means "entry point" and sot means "start of .text".
Output: out/sparc-sunos5.9/scanner/entry_point/small.static
segment_padding/e1i1/sync_infected ep=0x45cc0 sot=0x10098
files=0001; detected=0001 |
Output: out/sparc-sunos5.9/scanner/entry_point/small.dynamic
segment_padding/e1i1/csh_infected ep=0x334b0 sot=0x17f0c
segment_padding/e1i1/crle_infected ep=0x18660 sot=0x1126c
segment_padding/e1i1/strip_csh_infected ep=0x334b0 sot=0x17f0c
additional_cs/e1i1/crle_infected ep=0xe300 sot=0x1126c
additional_cs/e1i1/ldd_infected ep=0xe400 sot=0x10df0
additional_cs/e1i1/pvs_infected ep=0xe5d0 sot=0x10d20
additional_cs/e1i1/strip_crle_infected ep=0xe300 sot=0x1126c
files=0007; detected=0007 |
This is the output of Scan segments (i); only the last few lines of output are shown.
Output: out/sparc-sunos5.9/scanner/segment_padding/big.static
files=15; ok=15; det_page=0; det_align=0; min=0x10003; max=0x10003 |
Output: out/sparc-sunos5.9/scanner/segment_padding/big.dynamic
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/ssh/sftp-server
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/ssh/sshd
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
files=928; ok=922; det_page=6; det_align=288; min=0x03a6; max=0x11fe8 |
On this installation at least 922 + 15 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output are shown. It is enough to see that all infected files are detected.
Output: out/sparc-sunos5.9/scanner/segment_padding/small.static
CHECK: segment_padding/e1i1/sync_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61443 > 65536; 0xf003 > 0x10000
files=1; ok=1; det_page=0; det_align=1; min=0xf003; max=0xf003 |
Output: out/sparc-sunos5.9/scanner/segment_padding/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/pvs_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_crle_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=7; ok=3; det_page=4; det_align=3; min=0xf003; max=0xfb5c |
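To make the two heuristics above concrete, here is an added example (my own code, not the page's scanner) in Python. It builds a toy ELF32 MSB image in memory and then applies the entry point check (is ep inside .text, i.e. sot <= ep < sot + size?) and the segment padding check (exactly two PT_LOAD segments, and the gap in memory between the end of the text segment and the start of the data segment, reconstructed here as data p_vaddr minus text end and called delta, must exceed one 0x10000 page). The delta definition, the PAGE constant, the modelling of a padding infection as a text segment that grows by the parasite size, and all file layout numbers are assumptions derived from the log lines above; the sample images are constructed and carry only the header fields the checks read, not real SPARC code.

```python
"""Toy ELF32 MSB scanner for the entry point and segment padding heuristics.

Added example, not the page's scanner. Constants and the "delta" definition
are assumptions reconstructed from the scanner logs (0x10003 clean, 0xf003
after a 0x1000 byte parasite, CHECK: (delta) > (0x10000), CHECK: (nr_load) == (2)).
"""
import struct

PAGE = 0x10000                      # SPARC/Solaris page size (assumed from the logs)
PT_LOAD = 1
SHT_PROGBITS, SHT_STRTAB = 1, 3

EHDR = ">4sBBBBB7sHHIIIIIHHHHHH"   # e_ident plus the ELF32 header fields, big-endian
PHDR = ">IIIIIIII"                 # Elf32_Phdr
SHDR = ">IIIIIIIIII"               # Elf32_Shdr
PH_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
SH_FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset", "sh_size",
             "sh_link", "sh_info", "sh_addralign", "sh_entsize")


def parse_elf32_msb(data):
    """Return entry point, program headers and named section headers of an ELF32 MSB image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 2:
        raise ValueError("not an ELF32 MSB image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_entry, e_phoff, e_shoff = hdr[10], hdr[11], hdr[12]
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = hdr[15:20]
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    shdrs = [dict(zip(SH_FIELDS, struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)))
             for i in range(e_shnum)]
    if shdrs:                                   # resolve section names via .shstrtab
        base = shdrs[e_shstrndx]["sh_offset"]
        for s in shdrs:
            start = base + s["sh_name"]
            s["name"] = bytes(data[start:data.index(b"\0", start)]).decode()
    return {"e_entry": e_entry, "phdrs": phdrs, "shdrs": shdrs}


def scan(data):
    """Apply both heuristics; return ep, sot, nr_load, delta and a list of findings."""
    elf = parse_elf32_msb(data)
    rep = {"ep": elf["e_entry"], "findings": []}
    text = next((s for s in elf["shdrs"] if s["name"] == ".text"), None)
    if text is None:
        rep["findings"].append("no .text section (section table stripped?)")
    else:
        rep["sot"] = text["sh_addr"]
        if not rep["sot"] <= rep["ep"] < rep["sot"] + text["sh_size"]:
            rep["findings"].append("ep=0x%x outside .text sot=0x%x" % (rep["ep"], rep["sot"]))
    loads = [p for p in elf["phdrs"] if p["p_type"] == PT_LOAD]
    rep["nr_load"] = len(loads)
    if len(loads) != 2:                         # cf. CHECK: (nr_load) == (2)
        rep["findings"].append("nr_load=%d, expected 2" % len(loads))
    else:
        text_seg, data_seg = sorted(loads, key=lambda p: p["p_vaddr"])
        delta = data_seg["p_vaddr"] - (text_seg["p_vaddr"] + text_seg["p_memsz"])
        rep["delta"] = delta
        if delta <= PAGE:                       # cf. CHECK: (delta) > (0x10000)
            rep["findings"].append("delta=0x%x <= page 0x%x" % (delta, PAGE))
    return rep


def build_image(parasite=0, extra_load=False):
    """Construct a toy ELF32 MSB executable (constructed sample, not a real Solaris binary).

    parasite > 0 models a segment padding infection: the text segment grows by that
    many bytes, ep is moved onto the parasite, and the data segment is pushed down the
    file by one page so p_offset stays congruent to p_vaddr modulo PAGE (an assumption).
    extra_load adds a third PT_LOAD, as an additional code segment would.
    """
    text_vaddr, text_sec_off, text_sec_size = 0x10000, 0x100, 0x1000
    text_filesz = text_sec_off + text_sec_size + parasite   # 0x1100 when clean
    data_vaddr = text_vaddr + 0x1100 + 0x10003               # clean delta 0x10003, as in big.static
    data_off, data_size = 0x1103 + (PAGE if parasite else 0), 0x100
    shstr = b"\0.text\0.shstrtab\0"
    shstr_off = data_off + data_size
    shoff = (shstr_off + len(shstr) + 3) & ~3
    img = bytearray(shoff + 3 * struct.calcsize(SHDR))
    entry = text_vaddr + (0x1100 if parasite else text_sec_off)  # parasite starts right after .text
    phdrs = [(PT_LOAD, 0, text_vaddr, text_vaddr, text_filesz, text_filesz, 5, PAGE),
             (PT_LOAD, data_off, data_vaddr, data_vaddr, data_size, data_size, 6, PAGE)]
    if extra_load:   # re-maps the header bytes; only the segment count matters for the check
        phdrs.append((PT_LOAD, 0, 0x40000, 0x40000, 0x100, 0x100, 5, PAGE))
    struct.pack_into(EHDR, img, 0, b"\x7fELF", 1, 2, 1, 0, 0, b"\0" * 7,
                     2, 2, 1, entry, 52, shoff, 0, 52, 32, len(phdrs), 40, 3, 2)
    for i, p in enumerate(phdrs):
        struct.pack_into(PHDR, img, 52 + i * 32, *p)
    img[shstr_off:shstr_off + len(shstr)] = shstr
    shdrs = [(0,) * 10,
             (1, SHT_PROGBITS, 6, text_vaddr + text_sec_off, text_sec_off, text_sec_size, 0, 0, 4, 0),
             (7, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)]
    for i, s in enumerate(shdrs):
        struct.pack_into(SHDR, img, shoff + i * 40, *s)
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("clean", build_image()),
                       ("segment_padding", build_image(parasite=0x1000)),
                       ("additional_cs", build_image(extra_load=True))):
        print(label, scan(img))
```

The clean image reproduces the page's clean static layout (delta 0x10003, no findings); the padding variant lands on delta 0xf003 with ep outside .text, matching the sync_infected line above; the third variant trips only the nr_load check, as the additional_cs files do. Real scanning would read the file from disk and call scan() on its bytes.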
I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh, but on some systems that particular executable is not vulnerable to Segment padding infection. A systematic search for targets starts with extracting the bare file names from the scanner logs.
Source: pre/sparc-sunos5.9/scanner/find-ok.sh
#!/usr/xpg4/bin/sh
# Reduce the full scanner logs to the names of files the scanner rated "Ok".
# A log line looks like "<path> ... <details> Ok"; sed deletes everything
# from the " ... " onwards and prints only the lines that matched (-n, p).
scanner=${1:-segment_padding}
for src in out/sparc-sunos5.9/scanner/${scanner}/big.*.full
do
    /usr/xpg4/bin/sed -ne 's/ \.\.\. .* Ok$//p' \
        < ${src} > ${src%.full}.ok
done
/usr/bin/wc -l out/sparc-sunos5.9/scanner/${scanner}/*.ok |
Output: out/sparc-sunos5.9/scanner/segment_padding/find-ok
922 out/sparc-sunos5.9/scanner/segment_padding/big.dynamic.ok
15 out/sparc-sunos5.9/scanner/segment_padding/big.static.ok
937 total |
These lists can be searched for acceptable file names.
Source: pre/sparc-sunos5.9/scanner/find-shell.sh
#!/usr/xpg4/bin/sh
# Pick the shells out of the "Ok" lists: -h drops the file name prefix,
# -f reads one pattern per line from find-shell.lst.
scanner=${1:-segment_padding}
/usr/xpg4/bin/grep -h -f ./src/scanner/find-shell.lst \
    out/sparc-sunos5.9/scanner/${scanner}/*.ok
exit 0 |
Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/nash\>
bin/sash\>
bin/sh\>
bin/tcsh\> |
And the winner is …
Output: out/sparc-sunos5.9/scanner/segment_padding/find-shell
/usr/bin/csh
/usr/bin/sh
/usr/bin/bash
/usr/bin/tcsh
/sbin/sh |
This is the output of Food for segment padding (i).
Output: out/sparc-sunos5.9/scanner/segment_padding/infect
/usr/bin/csh
/sbin/sync
/usr/bin/crle |
To avoid any suspicion of inadequate paranoia, another test with file(1).
Output: out/sparc-sunos5.9/scanner/segment_padding/infect.filetype
/usr/bin/csh: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped
/sbin/sync: ELF 32-bit MSB executable SPARC Version 1, statically linked, stripped
/usr/bin/crle: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped |
Output: out/sparc-sunos5.9/scanner/filesize/big.dynamic
files=928; ok=928; detected=0 |
Output: out/sparc-sunos5.9/scanner/filesize/big.static
files=15; ok=15; detected=0 |
That no system file is detected is a strong indication that the heuristic is working. The reverse test requires another infection method, the "File virus", which is not implemented yet. Note that the diagnostics below are issued by the function target_get_seg (i), not by Scan file size (i).
Output: out/sparc-sunos5.9/scanner/filesize/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/pvs_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_crle_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=7; ok=3; detected=4 |