Nytro Posted June 2, 2019

0pack

Description

An ELF x64 binary payload injector written in C++ using the LIEF library. It injects shellcode written in fasm into the ELF header as relocations. Execution begins at entrypoint 0, i.e. at the header itself, which confuses or outright breaks debuggers. The whole first segment is rwx; this can be mitigated at runtime through an injected payload which sets the binary's segment back to just rx.

Compiler flags

The targeted binary must be built with the following flags:

gcc -m64 -fPIE -pie

Static linking is not possible, as -pie and -static are incompatible flags. In other terms:

> -static means a statically linked executable with no dynamic relocations and only PT_LOAD segments. -pie means a shared library with dynamic relocations and PT_INTERP and PT_DYNAMIC segments.

Presentation links

HTML: https://luis-hebendanz.github.io/0pack/
PDF: https://github.com/Luis-Hebendanz/0pack/raw/master/0pack-presentation.pdf
Video: https://github.com/Luis-Hebendanz/0pack/raw/master/html/showcase_video.webm

Debugger behaviour

Debuggers generally don't like 0 as the entrypoint, and oftentimes it is impossible to set breakpoints in the header area. Another frequently occurring issue is that the entry0 label gets set incorrectly to the main label, which means the attacker can purposely mislead the reverse engineer into reverse engineering fake code by jumping over the main method. Executing db entry0 in radare2 shows this behaviour.

Affected debuggers

radare2
Hopper
gdb
IDA Pro --> Not tested

0pack help

Injects shellcode as relocations into an ELF binary
Usage:
  0pack [OPTION...]

  -d, --debug            Enable debugging
  -i, --input arg        Input file path. Required.
  -p, --payload arg      Fasm payload path.
  -b, --bin_payload arg  Binary payload path.
  -o, --output arg       Output file path. Required.
  -s, --strip            Strip the binary. Optional.

-b, --bin_payload

The bin_payload option reads a binary file and converts it to ELF relocations. 0pack appends to the binary payload a jmp to the original entrypoint.

-p, --payload

Needs a fasm payload; 0pack wraps the payload in a "push/pop all registers" sequence and appends a jmp to the original entrypoint.

Remarks

Although I used the LIEF library to accomplish this task, I wouldn't encourage using it. It is very inconsistent and intransparent in what it is doing. Oftentimes the library is downright broken. I did not find a working library for x64 PIE-enabled ELF binaries. If someone has suggestions, feel free to email me at: luis.nixos@gmail.com

Dependencies

cmake version 3.12.2 or higher
build-essential
gcc
fasm

Use build script

$ ./build.sh

Build it manually

$ mkdir build
$ cd build
$ cmake ..
$ make
$ ./../main.elf

Source: https://github.com/Luis-Hebendanz/0pack
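The two header-level artefacts the README describes (an entrypoint of 0 that lands inside the ELF header, and a first PT_LOAD segment mapped rwx) can be checked for without a debugger. The script below is an added example written for this post, not code from the 0pack project: it decodes the ELF64 header and program headers with the standard library only, and runs on constructed, headers-only sample images rather than real 0pack output. The indicator names (entry_zero, entry_in_headers, first_load_rwx) are my own, and the check generalises slightly beyond the README: besides e_entry == 0 it reports any entrypoint whose file offset resolves into the ELF or program headers.

```python
"""ELF64 header checks for the artefacts 0pack leaves behind: e_entry == 0
(execution starts in the ELF header) and a first PT_LOAD segment mapped rwx.
Added example, not part of the 0pack project; stdlib only.  The sample images
at the bottom are constructed here for the demo."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, EHDR_SIZE = "<HHIQQQIHHHHHH", 64   # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT, PHDR_SIZE = "<IIQQQQQQ", 56         # Elf64_Phdr


def parse_elf64(data: bytes) -> dict:
    """Decode e_entry, header geometry and the program headers of a little-endian ELF64."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    (_e_type, _e_machine, _e_version, e_entry, e_phoff, _e_shoff, _e_flags,
     e_ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return {"entry": e_entry, "phoff": e_phoff, "ehsize": e_ehsize,
            "phentsize": e_phentsize, "phnum": e_phnum, "phdrs": phdrs}


def entry_file_offset(elf: dict):
    """Map e_entry to a file offset through the PT_LOAD that contains it (None if unmapped)."""
    for p in elf["phdrs"]:
        if p["type"] == PT_LOAD and p["vaddr"] <= elf["entry"] < p["vaddr"] + p["filesz"]:
            return elf["entry"] - p["vaddr"] + p["offset"]
    return None


def find_0pack_indicators(data: bytes) -> list:
    """Return indicator codes in a fixed order; an empty list means nothing suspicious."""
    elf = parse_elf64(data)
    found = []
    if elf["entry"] == 0:
        found.append("entry_zero")            # the README's trademark: execution begins at 0
    headers_end = max(elf["ehsize"], elf["phoff"] + elf["phnum"] * elf["phentsize"])
    off = entry_file_offset(elf)
    if off is not None and off < headers_end:
        found.append("entry_in_headers")      # generalisation: entry resolves into ELF/program headers
    loads = [p for p in elf["phdrs"] if p["type"] == PT_LOAD]
    if loads and (loads[0]["flags"] & (PF_W | PF_X)) == (PF_W | PF_X):
        found.append("first_load_rwx")        # whole first segment writable and executable
    return found


def build_elf64(entry: int, segments) -> bytes:
    """Constructed headers-only ELF64 image; segments = [(p_flags, p_offset, p_vaddr, size), ...]."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8   # 64-bit, LSB, SysV ABI
    ehdr = e_ident + struct.pack(EHDR_FMT, 3, 62, 1, entry, EHDR_SIZE, 0, 0,     # ET_DYN, EM_X86_64
                                 EHDR_SIZE, PHDR_SIZE, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, PT_LOAD, flags, off, vaddr, vaddr, size, size, 0x1000)
                     for flags, off, vaddr, size in segments)
    return ehdr + phdrs


# Constructed samples: a 0pack-style image (entry 0, one rwx segment) and a normal PIE layout.
PACKED_SAMPLE = build_elf64(0, [(PF_R | PF_W | PF_X, 0, 0, 0x2000)])
CLEAN_SAMPLE = build_elf64(0x1040, [(PF_R, 0, 0, 0x500), (PF_R | PF_X, 0x1000, 0x1000, 0x300)])

if __name__ == "__main__":
    for path in sys.argv[1:]:                  # real binaries given on the command line
        with open(path, "rb") as fh:
            print(path, find_0pack_indicators(fh.read()) or "clean")
    if len(sys.argv) == 1:
        print("packed sample:", find_0pack_indicators(PACKED_SAMPLE))
        print("clean sample:", find_0pack_indicators(CLEAN_SAMPLE))
```

Run it with no arguments to see the two constructed samples classified, or pass paths to binaries produced by 0pack's -o option. The same facts are visible by hand: readelf -h prints "Entry point address: 0x0" for a 0pack output, and readelf -l shows the first LOAD segment with flags RWE instead of the usual R or R E split.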