Cheats With ELF - Code Injecting Into ELF Headers

Posted Jun 29, 2010
Authored by murderkey | Site tcc.hellcode.net

Whitepaper called Cheats with ELF - Code Injecting into ELF Headers.

tags | paper
SHA-256 | 2737a2b61dd3e9303deffc4c5ed16acb439de026f629f5909b558e4d76f6372b

|=-----------------------------------------------------------------------=|
|=---------------------------[ HELLCODE RESEARCH ]-----------------------=|
|=-----------------------------------------------------------------------=|
|=--------=[ Cheats with ELF: Code Injecting into ELF Headers ]=--------=|
|=-----------------------------------------------------------------------=|
|=-----------------------=[ murderkey@hellcode.net ]=--------------------=|
|=-----------------------------------------------------------------------=|




--[ Index


0x0 - Introduction
0x1 - Requirements
0x2 - Basic ELF Structure
0x3 - Last Wordz
0x4 - Greetz



--[ 0x0 - Introduction

Hi Reader, in this paper I will explain uncommon/unknown techniques for
manipulating ELF headers directly, or with the help of the compiler and linker.
I discovered this technique while thinking about injecting code into elf32
headers, and my research succeeded 3 years ago.. You can use this technique
for different ideas; anyway, I've tested it for IDS bypassing and as an
anti-anti-debug technique.



--[ 0x1 - Requirements

You should know the topics listed below to understand this paper, because
you probably won't be able to follow it without solid knowledge of them.


-> Unix Assembly (AT&T)
-> C/C++
-> ELF Structure
-> Time and Brain

if you know




--[ 0x2 - Basic ELF Structure

An elf32 file always consists of a header plus data and instruction
segments. In this part we will create executable files, play with and change
their sizes, and create files of minimal size.


Let's start by showing this on "merv.asm" (I love you Merve :);


------------merv.asm-----------------

BITS 32
section .data
merv db " murderkey ownz jo !"
mervlen equ $ - merv            ; length of the string (the original wrote 28 bytes)

GLOBAL main                     ; NASM symbols are case-sensitive: must match the label below
SECTION .text
main:                           ; note: no _start symbol, so ld has no entry point to use
;write()
mov eax, 4                      ; sys_write
mov ebx, 1                      ; stdout
mov ecx, merv
mov edx, mervlen
int 0x80

; exit()
mov eax, 1                      ; sys_exit
mov ebx, 0                      ; status 0
int 0x80

-------------merv.asm-----------------


As you see above, that is a simple assembly program. It prints " murderkey ownz jo !"
to the screen and ends via the exit call. We assemble it with "nasm" and link
it with "ld".



h4x0r elf32 # nasm -felf merv.asm -o merv.o
h4x0r elf32 # ld merv.o -o merv
ld: warning: cannot find entry symbol _start; defaulting to 00000000080480a0


Yeah, the warning is very important here! Don't forget it!
ld tells us that no _start entry symbol is defined in the .text section of our
elf32 object, so it falls back to a default entry address (0x080480a0 here).
Even so, we run the binary.

h4x0r elf32 # ./merv
murderkey ownz jo !

h4x0r elf32 #

Good! There is no problem so far, so let's look at the size of the program.

h4x0r elf32 # wc -c merv
892 merv

It is 892; we will compare this value with the next program we write.

--------------merv2.asm-------------------



BITS 32
section .data
merv db " murderkey ownz jo !"
mervlen equ $ - merv            ; length of the string

SECTION .text
GLOBAL _start
_start:                         ; the real entry symbol this time

mov eax, 4                      ; sys_write(1, merv, mervlen)
mov ebx, 1
mov ecx, merv
mov edx, mervlen
int 0x80

mov eax, 1                      ; sys_exit(0)
mov ebx, 0
int 0x80

----------------merv2.asm------------------------

Now, compiling, linking and running the program again.

h4x0r elf32 # nasm -felf merv2.asm
h4x0r elf32 # ld merv2.o -o merv2
h4x0r elf32 # ./merv2
murderkey ownz jo !



and let's look at the file size



h4x0r elf32 # wc -c merv2
848 merv2
h4x0r elf32 #


848! There is no dramatic change in size. We will now look at this in a
better way, with details.


assembling "merv2.asm" again, but linking it with gcc this time;


h4x0r elf32 # nasm -f elf merv2.asm
h4x0r elf32 # gcc -Wall -s merv2.o
merv2.o(.data+0x13): In function `_start':
: multiple definition of `_start'
/usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../crt1.o(.text+0x0): first defined here
/usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../crt1.o(.text+0x18): In function `_start':
: undefined reference to `main'
collect2: ld returned 1 exit status
h4x0r elf32 #


The error above is very interesting: "/crt1.o(.text+0x0): first defined here."
It means that the _start symbol is already defined in "crt1.o", the elf32 startup
object, and we defined a _start symbol too.

So the two overlap, and that causes this error :) To prevent it, we tell the gcc
compiler not to link the "startup" files when our code is compiled. We do this
with the (gcc) "-nostartfiles" option.

h4x0r elf32 # gcc -Wall -s -nostartfiles merv2.o -o merv2
h4x0r elf32 # ./merv2
Segmentation fault
h4x0r elf32 #

UPPSSS, we compiled our code but there is a segmentation fault (memory crash)!


What is the problem here? Let's find out! When the _start symbol in our assembly
code is reached, the program must be ended via an _exit() call, but we gave it the
"-nostartfiles" option so it cannot find _exit(). How can we fix that? Of course,
by declaring _exit as EXTERN and calling it in our code.


Lets write the code again...

----------------- merv2.asm ------------------


BITS 32
section .data
merv db " murderkey ownz jo !"
mervlen equ $ - merv            ; length of the string

EXTERN _exit                    ; resolved from libc at link time
section .text                   ; "section.text" (no space) is not a valid directive
global _start
_start:

mov eax, 4                      ; sys_write(1, merv, mervlen)
mov ebx, 1
mov ecx, merv
mov edx, mervlen
int 0x80

call _exit                      ; no status is pushed, so the exit code is whatever is on the stack

------------------- merv2.asm ----------------------


Now, compiling again and linking...


h4x0r elf32 # nasm -f elf merv2.asm
h4x0r elf32 # gcc -Wall -s -nostartfiles merv2.o -o merv2
h4x0r elf32 # ./merv2
murderkey ownz jo !

WE ARE THE CHAMPION !! As you see, our program ran!



Now, let's look at the size of our binary;

h4x0r elf32 # wc -c merv2
1392 merv2
h4x0r elf3

1392 <----- Now you can clearly see the difference in size.



Now we will pull a trick with a different option. Watch carefully!

---------------- merv3.asm---------------------

BITS 32
section .data
merv db " murderkey ownz jo !"
mervlen equ $ - merv            ; length of the string

GLOBAL _start
SECTION .text
_start:

mov eax, 4                      ; sys_write(1, merv, mervlen)
mov ebx, 1
mov ecx, merv
mov edx, mervlen
int 0x80

mov eax, 1                      ; sys_exit(0) issued directly, no libc needed
mov ebx, 0
int 0x80

------------------ merv3.asm -----------------------

Compiling and linking the code;

h4x0r elf32 # nasm -f elf merv3.asm
h4x0r elf32 # gcc -Wall -s -nostdlib merv3.o -o merv3

Run it;

h4x0r elf32 # ./merv3
murderkey ownz jo !

So nice; now we are curious about the size.

h4x0r elf32 # wc -c merv3
524 merv3
h4x0r elf32 #

524! What did we do here? We gave the -nostdlib option to the compiler and dropped
the call to _exit(). We used this code instead of it;
mov eax, 1
mov ebx, 0
int 0x80

and issued the exit system call directly...


-----------------------------------------------------------------------------

In short, I want to say that we can drop elf32 file headers, inject sections
and change file sizes as we want.. or we can bypass anti-debug protections.
This is convenient while developing unix worms, because no IDS or antivirus
checks elf32 file headers in this way. You can overcome every obstacle
with this method. It's up to your imagination and creativity.


I also want to point out one issue here.

When an elf32 executable image is mapped into memory on unix systems, execution
begins by default at the 32-bit address "0x00000000080480a0" (the entry address
the linker falls back to). If you don't define _start in an elf32 object, the
linker gives a warning like the one below;

...
/usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../../i386-pc-linux-gnu/bin/ld: warning:
cannot find entry
symbol _start; defaulting to 00000000080480a0
...

so the kernel maps the image with that default. If you use your head, you can
place this image somewhere else! I am changing this address and making it
"0x08048000" !!

Let's assemble the code below in bin format and look at its starting place..

P.S: You should know details of elf32 file structure for this part.


------------------- lame-elf32.asm----------------------------------

BITS 32

org 0x08048000                  ; image base: the whole file is mapped here
ehdr:                           ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1         ; e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT
times 9 db 0                    ; rest of e_ident (padding)
dw 2                            ; e_type: ET_EXEC
dw 3                            ; e_machine: EM_386
dd 1                            ; e_version
dd _start                       ; e_entry: where execution begins
dd phdr - $$                    ; e_phoff: offset of the program header table
dd 0                            ; e_shoff: no section header table at all
dd 0                            ; e_flags
dw ehdrsize                     ; e_ehsize
dw phdrsize                     ; e_phentsize
dw 1                            ; e_phnum: a single program header
dw 0                            ; e_shentsize
dw 0                            ; e_shnum
dw 0                            ; e_shstrndx

ehdrsize equ $ - ehdr

phdr:                           ; Elf32_Phdr
dd 1                            ; p_type: PT_LOAD
dd 0                            ; p_offset: map from the start of the file
dd $$                           ; p_vaddr
dd $$                           ; p_paddr
dd filesize                     ; p_filesz
dd filesize                     ; p_memsz
dd 5                            ; p_flags: PF_R | PF_X
dd 0x1000                       ; p_align

phdrsize equ $ - phdr

; No "section .data" here: in bin format every section gets its own $$, which
; would make filesize (below) cover only that section instead of the whole file.
merv db "murderkey own jo!"
mervlen equ $ - merv            ; length of the string

_start:

mov eax, 4                      ; sys_write(1, merv, mervlen)
mov ebx, 1
mov ecx, merv
mov edx, mervlen
int 0x80

; exit() call

mov eax, 1                      ; sys_exit(0)
mov ebx, 0
int 0x80

filesize equ $ - $$             ; size of the whole image, measured from the base

----------------------------lame-elf32.asm-------------------------------




Now let's build our code in bin format and run it..


h4x0r elf32 # nasm -f bin lame-elf32.asm -o lame-elf32
h4x0r elf32 # chmod +x lame-elf32
h4x0r elf32 # ./lame-elf32

murderkey own jo!
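As an added example (not part of murderkey's paper, and written from the analyst's side): the Python below emits the image that lame-elf32.asm describes, field by field and without an assembler, then parses it back the way a triage script would, reporting what sets such a hand-built file apart from a normally linked binary: no section header table, one R+X PT_LOAD that begins at the ELF header, and an entry point that has to fall inside p_filesz. The base address, message and instruction sequence come from the paper; the function names and the constructed sample builder are mine.

```python
import struct
# Field order of the hand-written Elf32_Ehdr / Elf32_Phdr in lame-elf32.asm.
EHDR_FMT = "<16sHHIIIIIHHHHHH"          # 52 bytes
PHDR_FMT = "<IIIIIIII"                   # 32 bytes
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
BASE = 0x08048000                        # the 'org' used in the paper

def build_tiny_elf32(msg=b"murderkey own jo!", base=BASE):
    """Constructed sample: the image lame-elf32.asm describes, built without nasm."""
    hdr_len = EHDR_SIZE + PHDR_SIZE      # the string sits right after the two headers
    msg_vaddr = base + hdr_len
    entry = msg_vaddr + len(msg)         # _start follows the string
    code = b"".join([
        b"\xb8\x04\x00\x00\x00",                  # mov eax, 4  (sys_write)
        b"\xbb\x01\x00\x00\x00",                  # mov ebx, 1  (stdout)
        b"\xb9" + struct.pack("<I", msg_vaddr),   # mov ecx, merv
        b"\xba" + struct.pack("<I", len(msg)),    # mov edx, len(merv)
        b"\xcd\x80",                              # int 0x80
        b"\xb8\x01\x00\x00\x00",                  # mov eax, 1  (sys_exit)
        b"\xbb\x00\x00\x00\x00",                  # mov ebx, 0
        b"\xcd\x80",                              # int 0x80
    ])
    filesize = hdr_len + len(msg) + len(code)    # whole image, measured from the base
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, ident, 2, 3, 1, entry, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, 1, 0, base, base, filesize, filesize, 5, 0x1000)
    return ehdr + phdr + msg + code

def inspect_elf32(data):
    """Parse the ELF32 header and program headers; report triage-relevant facts."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    (ident, _type, _mach, _ver, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, _shent, e_shnum, _shstr) = struct.unpack_from(EHDR_FMT, data)
    if ident[4] != 1:
        raise ValueError("only ELFCLASS32 is handled here")
    segs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
            for i in range(e_phnum)]   # (type, off, vaddr, paddr, filesz, memsz, flags, align)
    loads = [s for s in segs if s[0] == 1]     # PT_LOAD only
    entry_seg = next((s for s in loads if s[2] <= e_entry < s[2] + s[4]), None)
    return {
        "entry": e_entry,
        "load_segments": len(loads),
        "has_section_headers": e_shoff != 0 and e_shnum != 0,   # nasm -f bin output has none
        "entry_in_load_segment": entry_seg is not None,         # False if p_filesz stops short
        "entry_segment_flags": entry_seg[6] if entry_seg else None,  # PF_X=1, PF_W=2, PF_R=4
        "segments_within_file": all(s[1] + s[4] <= len(data) for s in loads),
        "header_sizes_ok": e_ehsize == EHDR_SIZE and e_phentsize == PHDR_SIZE,
    }
```

Writing `build_tiny_elf32()` to a file and `chmod +x` gives a runnable image on an i386-compatible Linux kernel; `inspect_elf32` works on any ELF32 file read with `open(path, "rb").read()`.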




--[ 0x3 - Last Wordz

I want to finish my paper now. After learning the basics in this paper, we can
play with elf32 headers as we want.. you can distribute an elf32 worm to systems,
bypassing all IDS, with this 0-day technique! That's up to your creativity only. You
should have deep assembly and elf32 file format knowledge to do that.. This paper was
written as a basis for these bypassing methods etc..

The linux source code and elf headers were used as references for this paper..


/usr/include/linux/elf.h <--------- this header gives us all the details of the elf structure.



--[ 0x4 - Greetz


karak0rsan, l4m3r, n00b (don't forget about misdirection lol'd), GOBBLES, PHC and
the whole blackhat community... hey man, you should contact me because someone is watchin' u, i
know you hate "contributors" and i'm still waiting for you! someone offered me money to give
information about you but i didn't accept, coz i'm not like the others... don't forget!

