12 byte code cave inside an elf header

-
So I was playing around with minimalism, and I like to get pretty dirty when this happens. So i started seeing what i could corrupt in an elf header until Linux refused the binary. I found that I could corrupt the twelve bytes directly following the magic sequence. This has some interesting side effects. The first being that all debugging software I attempted to run this in refused to acknowledge that it was even an executable lol. readelf was able to see that there was in fact an elf header, but gave back false information. The GNU file command can see that it is in fact an elf, but doesn't recognize anything other than that, given that most of that information was defaced. The incredibly scary bit is that Linux is able to in fact run this file without any issue lol. 


; [madmouse@yourmomsb0x ~]$ nasm -f bin -o test test.s&&chmod +x test&&./test;cat test|xxd
; 0000000: 7f45 4c46 31c0 31db 40cd 8041 4141 4141  .ELF1.1.@..AAAAA
; 0000010: 0200 0300 0100 0000 0480 0408 3400 0000  ............4...
; 0000020: 0000 0000 0000 0000 3400 2000 0100 0000  ........4. .....
; 0000030: 0000 0000 0100 0000 0000 0000 0080 0408  ................
; 0000040: 0080 0408 5400 0000 5400 0000 0700 0000  ....T...T.......
; 0000050: 0010 0000                                ....
; [madmouse@yourmomsb0x ~]$ readelf -e test
; ELF Header:
;   Magic:   7f 45 4c 46 31 c0 31 db 40 cd 80 41 41 41 41 41 
;   Class:                             <unknown: 31>
;   Data:                              <unknown: c0>
;   Version:                           49 <unknown: %lx>
;   OS/ABI:                            <unknown: db>
;   ABI Version:                       64
;   Type:                              EXEC (Executable file)
;   Machine:                           Intel 80386
;   Version:                           0x1
;   Entry point address:               0x8048004
;   Start of program headers:          52 (bytes into file)
;   Start of section headers:          0 (bytes into file)
;   Flags:                             0x0
;   Size of this header:               52 (bytes)
;   Size of program headers:           32 (bytes)
;   Number of program headers:         1
;   Size of section headers:           0 (bytes)
;   Number of section headers:         0
;   Section header string table index: 0
; 
; There are no sections in this file.
; 
; Program Headers:
;   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
;   LOAD           0x000000 0x08048000 0x08048000 0x00054 0x00054 RWE 0x1000
; [madmouse@yourmomsb0x ~]$ 


[bits 32]
section .text
global start

org 0x08048000
ehdr:                                      ; Elf32_Ehdr
	db 0x7F,"ELF" ;, 1, 1, 1, 0         ;   e_ident
;                   ^ 4 more bytes for code caving
;	times 8 db 0
; We can replace ^ this with the following for a code cave inside the elf header itself
start:
	xor eax, eax
	xor ebx, ebx
	inc eax
	int 0x80
end:
	times 12-(end-start) db 'A'	; we need bytes for padding, the code cave here is 12 bytes long
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	dw 2                               ;   e_type
	dw 3                               ;   e_machine
	dd 1                               ;   e_version
	dd start                           ;   e_entry
	dd phdr - $$                       ;   e_phoff
	dd 0                               ;   e_shoff
	dd 0                               ;   e_flags
	dw ehdrsize                        ;   e_ehsize
	dw phdrsize                        ;   e_phentsize
	dw 1                               ;   e_phnum
	dw 0                               ;   e_shentsize
	dw 0                               ;   e_shnum
	dw 0                               ;   e_shstrndx
	ehdrsize equ $ - ehdr

phdr:                                      ; Elf32_Phdr
	dd 1                               ;   p_type
	dd 0                               ;   p_offset
	dd $$                              ;   p_vaddr
	dd $$                              ;   p_paddr
	dd filesize                        ;   p_filesz
	dd filesize                        ;   p_memsz
	dd 7                               ;   p_flags
	dd 0x1000                          ;   p_align
	phdrsize equ $ - phdr

filesize equ $ - $$

Comments

Post a Comment

Popular posts from this blog

What is a canary, how does it work, and what does that mean if I want to write a modern exploit.

-
Image
Canaries were  once regularly used  in  coal mining as an early warning system . Toxic gases such as carbon monoxide or asphyxiant gases such as methane  in the mine  would kill the bird before affecting the  miners . Signs of distress from the bird indicated  to  the  miners  that conditions  were  unsafe . Let's start with some history Oh the good old days. I remember a time when hackthissite.org , and  Smash The Stack  were fresh, and BOF's were often as easy as shoving your shellcode where the buffer was supposed to be and overwriting the return pointer with where that buffer was... Then they had to go and ruin the fun by widely adopting ASLR (Address Space Layout Randomization), DEP (Data execution protection), and  canaries  (stack cookies). Now in these dark times not only do we have to ROP with return to libc, we have to chain that with a memory leak vulnerability if we have any hope of  smashing the stack. While I plan to do posts soon covering all of these exciti
Read more

Better visualization of data formats using assembly POC's to better implement them in C

-
Image
Are you tired of staring at hex dumps, white papers and manual pages? Want to feel like you truly know how a data type like a file format, or a disk partition LOOKS like. Well I can't help you with the manual pages and white papers, ( https://staff.washington.edu/dittrich/misc/fatgen103.pdf , http://www.eit.lth.se/fileadmin/eit/courses/eitn50/Projekt1/FAT12Description.pdf ) but here is a great example of implementing a fat12 floppy image in assembly. ;//////////////////////////////////////////////////////////////////////////////// ;// THE SCOTCH-WARE LICENSE (Revision 0): ;// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you ;// can do whatever you want with this stuff. If we meet some day, and you think ;// this stuff is worth it, you can buy me a shot of scotch in return ;//////////////////////////////////////////////////////////////////////////////// ; This assembles to a floppy disk image [bits 16] [org 0x7C00] ;;;;;;;;;;;;;;;;;
Read more

Putting Linux on your Android device using debootstrap and chroot

-
Image
Ok, so first thing first. You will need a few things done BEFORE you attempt this tutorial: A rooted android device of sorts with debugging enabled and busybox installed An sdcard to store the debian image on A Linux machine (or live cd) to prepare the debian system image ADB for remounting the system partition and pushing startup scripts A terminal application installed on your droid and about an hour of free time Lets get right into it open up a terminal, and make a directory that you will be storing all of the files and things we create for easy cleanup later. I called mine linux_on_android. change to that directory, all instructions from here on out will be relative to whatever directory you are currently residing in after this step. Next, we create an empty raw disk image, make a directory to mount it under, create a filesystem on the image, and mount it under our new mount point. Now lets change into our mnt directory, install debootstrap, and use it to install a base system into
Read more