Cheats with ELF: Code Injecting into ELF Headers |=-----------------------------------------------------------------------=| |=---------------------------[ HELLCODE RESEARCH ]-----------------------=| |=-----------------------------------------------------------------------=| |=--------=[ Cheats with ELF: Code Injecting into ELF Headers ]=--------=| |=-----------------------------------------------------------------------=| |=-----------------------=[ murderkey@hellcode.net ]=--------------------=| |=-----------------------------------------------------------------------=| --[ Index 0x0 - Introduction 0x1 - Requirements 0x2 - Basic ELF Structure 0x3 - Last Wordz 0x4 - Greetz --[ 0x0 - Introduction Hi Reader, In this paper, I will explain uncommon/unknown techniques to affect ELF headers directly or helping of compiler and assembly linkers. I've discovered this technique while thinking about injecting code to elf32 headers and i became succesful in my research 3 years ago..you can use this technique for different ideas, anyway i've tested it for IDS by-passing and as an anti-anti-debug technique. --[ 0x1 - Requirements You should know the topics which are below to understand this paper, because probably, you can't understand this paper if you don't have high-level knowledge about topics. -> Unix Assembly (AT&T) -> C/C++ -> ELF Structure -> Time and Brain if you know --[ 0x2 - Basic ELF Structure An elf32 file structure always include header, data and instruction segments.In this part, we will create executable files, play/change their sizes and createfiles with minimum sizes. Lets start to show that on "merv.asm" (Seni seviyorum Merve ; ------------merv.asm----------------- BITS 32 section .data merv db " murderkey ownz jo !" GLOBAL MAIN SECTION .text main: ;write() mov eax, 4 mov ebx, 1 mov ecx, merv mov edx, 28 int 0x80 ; exit() mov eax, 1 mov ebx, 0 int 0x80 -------------merv.asm----------------- As you see above, that is a simple assembly code. It prints " murderkey ownz jo !" to screen and ending via "exit call".Compiling it with "nasm" and giving link with "ld". h4x0r elf32 # nasm -felf merv.asm -o merv.o h4x0r elf32 # ld merv.o -o merv ld: warning: cannot find entry symbol _start; defaulting to 00000000080480a0 yeah, the warning is so important here! dont forget that! the program gave us "_start sectioun is not defined for elf32 in .text segment" error.even so , we are running the binary. h4x0r elf32 # ./merv murderkey ownz jo ! h4x0r elf32 # Good! there is not any problem for now so lets look at the size of program. h4x0r elf32 # wc -c merv 892 merv It is 892, we will match this value with the next code that we will write. --------------merv2.asm------------------- BITS 32 section .data merv db " murderkey ownz jo !" SECTION .text GLOBAL _start _start mov eax, 4 mov ebx, 1 mov ecx, merv mov edx, 28 int 0x80 mov eax, 1 mov ebx, 0 int 0x80 ----------------merv2.asm------------------------ Now, compiling, linking and running the program again. h4x0r elf32 # nasm -felf merv2.asm h4x0r elf32 # ld merv2.o -o merv2 h4x0r elf32 # ./merv2 murderkey ownz jo ! and lets look at the size of file h4x0r elf32 # wc -c merv2 848 merv2 h4x0r elf32 # 848! There is not a clear changing at the size. We will see this in a better way with details now. compiling "merv2.asm"; h4x0r elf32 # nasm -f elf merv2.asm h4x0r elf32 # gcc -Wall -s merv2.o merv2.o(.data+0x13): In function `_start': : multiple definition of `_start' /usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../crt1.o(.text+0x0): first defined here /usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../crt1.o(.text+0x18): In function `_start': : undefined reference to `main' collect2: ld returned 1 exit status h4x0r elf32 # The error is so interesting at the above. "/crt1.o(.text+0x0): first defined here." This error means that _start symbol is defined in "crt1.o elf32 startup script" and also we defined a _start symbol too. So these overlaps and it causes this error :)For blocking this, We are giving a command to gcc compiler to not running "startup" script when our code is compiled.We are doing it with (gcc) "-nostartfiles" option. h4x0r elf32 # gcc -Wall -s -nostartfiles merv2.o -o merv2 h4x0r elf32 # ./merv2 Segmentation fault h4x0r elf32 # UPPSSS we comiled our code but there is a (segmentation fault) memory crash! What is the problem here? Let's find! When we call _start image symbol in our assembly code ,it must be ended via _exit() call but we gave "-nostartfiles" option to it so it can not find _exit()How can we defeat it? Of course, defining the _exit as EXTERN and calling it in our code. Lets write the code again... ----------------- merv2.asm ------------------ BITS 32 section .data merv db " murderkey ownz jo !" EXTERN _exit section.text global _start _start mov eax, 4 mov ebx, 1 mov ecx, merv mov edx, 28 int 0x80 call _exit ------------------- merv2.asm ---------------------- Now, compiling again and linking... h4x0r elf32 # nasm -f elf merv2.asm h4x0r elf32 # gcc -Wall -s -nostartfiles merv2.o -o merv2 h4x0r elf32 # ./merv2 murderkey ownz jo ! WE ARE THE CHAMPION !! As you see, our function was run! Now , looking the size of our code; h4x0r elf32 # wc -c merv2 1392 merv2 h4x0r elf3 1392 <----- Now you understand well the difference of sizes. Now, we will practice a deceit with a different option. Watch here carefully! ---------------- merv3.asm--------------------- BITS 32 section .data merv db " murderkey ownz jo !" GLOBAL _start SECTION .text _start mov eax, 4 mov ebx, 1 mov ecx, merv mov edx, 28 int 0x80 mov eax, 1 mov ebx, 0 int 0x80 ------------------ merv3.asm ----------------------- Compiling and linking the code; h4x0r elf32 # nasm -f elf merv3.asm h4x0r elf32 # gcc -Wall -s -nostdlib merv3.o -o merv3 Run it; h4x0r elf32 # ./merv3 murderkey ownz jo ! So nice, we are wondering of size. h4x0r elf32 # wc -c merv3 524 merv3 h4x0r elf32 # 524, what did we do here? we gave -nostdlib option to compiler and canceled _exit(). We used this code instead of it; mov eax, 1 mov ebx, 0 int 0x80 and runned "_exit call" directly... ----------------------------------------------------------------------------- Shortly I want to say that we can cancel elf32 file headers, we can inject sections and can change size of fileshow we want.. or we can bypass anti-debug protections. That provide convenience us while developing unix worms.because any ids or any antivirus can not check elf32 file headers in this way.You can exceed every obstacle via this method. It's up to your imagination and creativity. Also I want to refer an issue here. While an elf32 executable image is being mapped to memory, it is mapped at "0x00000000080480a0" 32-bit hexadecimal address as a default in unix systems. If you dont define _start in elf32 , linker will give an error like below; ... /usr/lib/gcc-lib/i386-pc-linux-gnu/3.3.5/../../../../i386-pc-linux-gnu/bin/ld: warning: cannot find entry symbol _start; defaulting to 00000000080480a0 ... so kernel maps image to memory as default. If you run your head! , you can map this image to another place!I am changing this address and making it "0x08048000" !! Lets compile the code which is below as a bin format look its' starting place.. P.S: You should know details of elf32 file structure for this part. ------------------- lame-elf32.asm---------------------------------- BITS 32 org 0x08048000 ehdr: ; Elf32_Ehdr db 0x7F, "ELF", 1, 1, 1 ; e_ident times 9 db 0 dw 2 ; e_type dw 3 ; e_machine dd 1 ; e_version dd _start ; e_entry dd phdr - $$ ; e_phoff dd 0 ; e_shoff dd 0 ; e_flags dw ehdrsize ; e_ehsize dw phdrsize ; e_phentsize dw 1 ; e_phnum dw 0 ; e_shentsize dw 0 ; e_shnum dw 0 ; e_shstrndx ehdrsize equ $ - ehdr phdr: ; Elf32_Phdr dd 1 ; p_type dd 0 ; p_offset dd $$ ; p_vaddr dd $$ ; p_paddr dd filesize ; p_filesz dd filesize ; p_memsz dd 5 ; p_flags dd 0x1000 ; p_align phdrsize equ $ - phdr section .data merv db "murderkey own jo!" _start: mov eax, 4 mov ebx, 1 mov ecx, merv mov edx, 28 int 0x80 ; exit() call mov eax, 1 mov ebx, 0 int 0x80 filesize equ $ - $$ ----------------------------lame-elf32.asm------------------------------- Now lets link our code in bin format and run it.. h4x0r elf32 # nasm -f bin lame-elf32.asm -o lame-elf32 h4x0r elf32 # chmod +x lame-elf32 h4x0r elf32 # ./lame-elf32 murderkey own jo! --[ 0x3 - Last Wordz I want to finish my paper now. After learning basic things in paper, we can play with elf32 headers how we want..you can distribute elf32 worm to systems via bypassing all IDS with this oh-day technique! Thats up to only your creativity.You should have deep assembly and elf32 file system knowledge to do that.. This paper has been written to be a basic for this bypassing methods etc.. Used linux source codes and elf headers as references in this paper.. /usr/include/linux/elf.h <--------- this header gives us all details about elf structure. --[ 0x4 - Greetz karak0rsan, l4m3r, n00b (dont forget about misdirection lol'd), GOBBLES, PHC and all blackhat community...hey man, you should contact me because someone is watchin' u, i know you hate "contributors" and still im waiting you ! someone offered me money to give information about you but i didn't accept coz im not like the others...dont forget ! © Offensive Security 2010
