br903 / elfkickers Goto Github PK

View Code? Open in Web Editor NEW

588.0 588.0 141.0 313 KB

A collection of programs that access and manipulate ELF files.

Home Page: http://www.muppetlabs.com/~breadbox/software/elfkickers.html

License: GNU General Public License v2.0

C 89.86% Makefile 1.27% Brainfuck 2.87% Roff 6.00%

elfkickers's People

Contributors

Stargazers

Watchers

Forkers

dougmencken z4ziggy sibghatullahsheikh adamsunyu jerry2012 cha5on amitkr bigsupersquid thurday coldnew stevenhoneyman illahaha melbshark jaanek sainxiii bluehavana dongpil jmhmccr mavendex nullx002 changeyourname babooppa6 geekmaster akpotter slanterns-fork qingchen1984 woqingchen stackoverflowin eagleusb shekkbuilder lightman2 huddy1985 jrelo g5t4r kagami k1988 lishuai1225 lsgxeva openalmeida zxgio yuchengwang zhengzhide voukpaw ygemici wzugang mazalet nhoudelot jingchenzhong wutiejun wilvk acchr permikomnaskaltara darkofthemoon skyformat99 lszr yangboyd 6u6a takitez ccc-c porocyon elshyam rampagex novelistparty lager1 fengjixuchui aa3000 li--paul nathaniel100 mcdxn seabreg sidstick yuknight moneytech windsmell chillancezen wangjieest 5l1v3r1 markjian qiyeboy st-rnd jimpeter521 erpapa shijin0925 chenfuchen bobbyzhu andruszd alexshi126 kwarrick clarkguan caketi qwemooe uttaravadina amatilda zha0 hwxp stardustman crackercat fanghuahuang clayne feiyunwill

elfkickers's Issues

There is a vulnerability in `elftoc/phdrtab.c:23`, which can cause SEGV unknown address 0x000000000000.

The 'elftoc' of the version run as "./elftoc <poc_file>", which can cause SEGV unknown address 0x000000000000. A PoC can be found at PoC.zip.

==10675==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000412dc0 bp 0x000000000038 sp 0x7ffd98578890 T0)
#0 0x412dbf in dividesegment ./ELFkickers-master/elftoc/phdrtab.c:23
#1 0x41373b in dividesegments ./ELFkickers-master/elftoc/phdrtab.c:108
#2 0x40e1bc in readelf ./ELFkickers-master/elftoc/readelf.c:185
#3 0x4028b5 in readinputfile ./ELFkickers-master/elftoc/elftoc.c:170
#4 0x4028b5 in main ./ELFkickers-master/elftoc/elftoc.c:210
#5 0x7f2e4572a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x403578 in _start (./ELFkickers-master/bin/elftoc+0x403578)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./ELFkickers-master/elftoc/phdrtab.c:23 dividesegment
==10675==ABORTING

There is a vulnerability in elftoc, which can cause heap-buffer-overflow.

The 'elftoc' of the lastest version run as "./elftoc <poc_file>", which can cause heap-buffer-overflow. A PoC can be found at PoC_elftoc.zip

==7806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000e000 at pc 0x00000040b2f9 bp 0x7ffd56219a60 sp 0x7ffd56219a50
READ of size 1 at 0x61300000e000 thread T0
#0 0x40b2f8 in setaddressnames /home/ubuntu/xxx/sources/ELFkickers-master/elftoc/address.c:92
#1 0x402d3f in processcontents /home/ubuntu/xxx/sources/ELFkickers-master/elftoc/elftoc.c:181
#2 0x402d3f in main /home/ubuntu/xxx/sources/ELFkickers-master/elftoc/elftoc.c:212
#3 0x7f72916f782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x403708 in _start (/home/ubuntu/xxx/sources/ELFkickers-master/bin/elftoc+0x403708)

0x61300000e000 is located 0 bytes to the right of 384-byte region [0x61300000de80,0x61300000e000)
allocated by thread T0 here:
#0 0x7f7291b39961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x404eff in reallocate /home/ubuntu/xxx/sources/ELFkickers-master/elftoc/gen.c:115

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/xxx/sources/ELFkickers-master/elftoc/address.c:92 setaddressnames
Shadow bytes around the buggy address:
0x0c267fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7806==ABORTING

rebind is not reading the hidden symbols

Thanks for the awesome small apps! :)

I've been trying to use rebind to unhide some symbols from a shared library (so file). When I do nm libname.so I get many symbols (including hidden ones). I do rebind -v hidden -i libname.so symbol_name and I always get libname.so: nothing changed. I was sure I was giving wrong symbol names, but I edited the code to print the name of the symbols it searches over (here) and only the 'visible' symbols are printed.

I also tried to change the visibility of a visible symbol to hidden and although I got the verbose output that was saying the libname.so got changed, nothing was changed (verified by nm).

Is there something more that I need to take into account? The file is 64bit and sadly I cannot share it since it is proprietary. Any ideas?

Actually, I just tried on a very simple lib that I created and the issue persists (I tried on the .o object created as well with no luck). Either I have not understood something well about the rebind utility or there is something that I am missing. Thanks in advance!

There is a vulnerability in `elftoc`, which can cause stack-buffer-overflow.

The 'elftoc' of the version run as "./elftoc <poc_file>", which can cause stack-buffer-overflow. A PoC can be found at PoC.zip

==1685==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcb1772f98 at pc 0x7fdf62796904 bp 0x7ffcb1772e90 sp 0x7ffcb1772638
WRITE of size 60 at 0x7ffcb1772f98 thread T0
#0 0x7fdf62796903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x410534 in copytable ./ELFkickers-master/elftoc/shdrtab.c:114
#2 0x410534 in dividesections ./ELFkickers-master/elftoc/shdrtab.c:284
#3 0x40e320 in readelf ./ELFkickers-master/elftoc/readelf.c:186
#4 0x4028b5 in readinputfile ./ELFkickers-master/elftoc/elftoc.c:170
#5 0x4028b5 in main ./ELFkickers-master/elftoc/elftoc.c:210
#6 0x7fdf6236082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x403578 in _start (./ELFkickers-master/bin/elftoc+0x403578)

Address 0x7ffcb1772f98 is located in stack of thread T0 at offset 136 in frame
#0 0x40fbff in dividesections ./ELFkickers-master/elftoc/shdrtab.c:251

how to install this (?) ..

There is a vulnerability in `elfls`, which can cause SEGV on unknown address.

The 'elfls' of the lastest version run as "./elfls <poc_file>", which can cause SEGV on unknown address. A PoC can be found at PoC_elfls.zip

==13047==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000401ff0 bp 0x000000000000 sp 0x7ffe5a7c2430 T0)
#0 0x401fef in makenumberfmts ./ELFkickers-master/elfls/elfls.c:568
#1 0x401fef in main ./ELFkickers-master/elfls/elfls.c:916
#2 0x7f25a169782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x406f28 in _start (./ELFkickers-master/install/bin/elfls+0x406f28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./ELFkickers-master/elfls/elfls.c:568 makenumberfmts
==13047==ABORTING

DT_NEEDED not listed for ELF32 files.

On line 504 getlibraries() in elfls.c:
count = proghdr[i].p_filesz / sizeof *dyns;
Where sizeof(*dyns) == sizeof(Elf64_Dyn). Given a 32-bit ELF file, where count is half of what it's supposed to be, given sufficiently many dynamic sections, DT_STRSZ or DT_STRTAB might be beyond the erronuous count, and getlibraries returns 0 prematurely, without listings any needed libraries.

Empty directories bin and doc not in git

git clone + make is not working because there are no directories bin and doc.

Maybe something like:

diff --git a/Makefile b/Makefile
index c562378..031949f 100644
--- a/Makefile
+++ b/Makefile
@@ -7,10 +7,12 @@ PROGRAMS = elfls objres rebind sstrip elftoc ebfc infect
 all: $(PROGRAMS)

 bin/%:
+       mkdir -p bin
        $(MAKE) -C$* $*
        cp $*/$* $@

 doc/%.1:
+       mkdir -p doc
        cp $*/$*.1 $@

 elfls: bin/elfls doc/elfls.1

There is a vulnerability at`elftoc/shdrtab.c:206`, which can cause SEGV on unknown address.

The 'elftoc' of the version run as "./elftoc <poc_file>", which can cause SEGV unknown address. A PoC can be found at PoC.zip.
.

==15191==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3444d5e102 (pc 0x0000004107d2 bp 0x000000000006 sp 0x7ffdb64d4f00 T0)
#0 0x4107d1 in dividesection ./ELFkickers-master/elftoc/shdrtab.c:206
#1 0x4107d1 in dividesections ./ELFkickers-master/elftoc/shdrtab.c:304
#2 0x40e320 in readelf ./ELFkickers-master/elftoc/readelf.c:186
#3 0x4028b5 in readinputfile ./ELFkickers-master/elftoc/elftoc.c:170
#4 0x4028b5 in main ./ELFkickers-master/elftoc/elftoc.c:210
#5 0x7f3442ee482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x403578 in _start (./ELFkickers-master/bin/elftoc+0x403578)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./ELFkickers-master/elftoc/shdrtab.c:206 dividesection

Unified versioning of tools

Hi,

the source version and version stored in tools is different. Would it be possible to keep them in sync?

For example, sstrip would show version 2.1 even if the current code is 3.1.a:

ELFkickers/sstrip/sstrip.c

Line 33 in dbeb497

"sstrip, version 2.1\n"

mknames crashes by default during the compile time

To reproduce it is enough to compile with -fsanitize=address:

echo '#include <elf.h>' | gcc -E -dM -xc /dev/stdin | ./mknames elfnames.c
=================================================================
==206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d7 at pc 0x0000004325e9 bp 0x7fff066f4380 sp 0x7fff066f3b28
READ of size 9 at 0x6020000000d7 thread T0
    #0 0x4325e8 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:834:7
    #1 0x432b3a in bcmp /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:880:10
    #2 0x4c2e8e in readdefine /var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames.c:197:7
    #3 0x4c2e8e in readinput /var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames.c:227:2
    #4 0x4c2e8e in main /var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames.c:363:5
    #5 0x7ff3011d1dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x41b369 in _start (/var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames+0x41b369)

0x6020000000d7 is located 0 bytes to the right of 7-byte region [0x6020000000d0,0x6020000000d7)
allocated by thread T0 here:
    #0 0x49325d in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x4c2dc1 in readdefine /var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames.c:193:12
    #2 0x4c2dc1 in readinput /var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames.c:227:2
    #3 0x4c2dc1 in main /var/tmp/portage/dev-util/elfkickers-3.1/work/ELFkickers-3.1/elftoc/mknames.c:363:5
    #4 0x7ff3011d1dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:834:7 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 07 fa fa fd fd fa fa 00 07 fa fa fd fd
=>0x0c047fff8010: fa fa 00 06 fa fa 00 05 fa fa[07]fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==206==ABORTING

elfls.c: Compilation warning about format-overflow (false positive)

Gcc 13 warns:

elfls.c:587:25: warning: ‘%d’ directive writing between 1 and 10
bytes into a region of size 7 [-Wformat-overflow=]
sprintf(sizefmt, "%%%dlX", i);
                    ^~
note: directive argument in the range [6, 2147483647]

Gcc apparently doesn't see i's upper bound. But I see it: Each loop that increments it can max iterate 16 times.

Actually, Gcc is doubly wrong: If i was unconstrained, INT_MIN = -2147483648 – 11 bytes – would be the actual size constraint. Of course, C compilers aren't supposed to know that integers can overflow. An unsigned type would eliminate this concern.

Funnily, changing it to an unsigned type, even size_t, silences the warning without increasing the buffer.
Clang 17 is happy in any case.

Tip: I think you could avoid these dynamically formatted format strings by using dynamic field widths:

snprintf(buf, sizeof(buf), "%*lX", width, value);

Incorrect FSF address in COPYING

Hello.
I'm trying to build a RPM package for ELFkickers, but the rpmlint complains about the incorrect fsf address.

ELFkickers.x86_64: E: incorrect-fsf-address /usr/share/licenses/ELFkickers/COPYING

https://fedoraproject.org/wiki/Common_Rpmlint_issues#incorrect-fsf-address sais I should report this.

The current address is https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Please change it.

It is another vulnerability in `elfls`, which can cause SEGV on unknown address.

The 'elfls' of the version run as "./elfls <poc_file>", which can cause SEGV on unknown address. A PoC can be found at elfls576.zip.

It is different from issue#10, and the vulnerability is at elfls.c:576.

==16259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x0000004020ba bp 0x000000000000 sp 0x7fffa64f0580 T0)
#0 0x4020b9 in makenumberfmts ./ELFkickers-master/elfls/elfls.c:576
#1 0x4020b9 in main ./ELFkickers-master/elfls/elfls.c:916
#2 0x7fea3126d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x406f28 in _start (./ELFkickers-master/install/bin/elfls+0x406f28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./ELFkickers-master/elfls/elfls.c:576 makenumberfmts
==16259==ABORTING