
elf-infector's Introduction

This is an elf infector based on Silvio's algorithm with some extra things.
You can edit parasite.h to put your parasite. The parasite will be executed
before the original code starts.

oblique 2010

elf-infector's Issues

Infected binary either segfaults or loops indefinitely

I am trying to inject a piece of shellcode inside a 32-bit ELF executable. I am running Ubuntu 14.04 64 bit. Hence, all the commands I have run require explicit switches to produce 32-bit code.

C source of the host binary is given below

/* simple_if.c */

#include <stdio.h>
#include "s2e.h"

int main()
{
  int var_cond;
  printf("Enter 0/1: ");
  scanf("%d", &var_cond);
  if(!var_cond)
    printf("Entered value: 0\n");
  else
    printf("Entered value: 1\n");

  return 0;
}

First I tried with a "Hello World" ASM payload

; hello.asm

global _start

section .text

_start:
    jmp MESSAGE      ; 1) let's jump to MESSAGE

GOBACK:
    mov eax, 0x4
    mov ebx, 0x1
    pop ecx          ; 3) we are popping into `ecx`, now we have the
                     ; address of "Hello, World!\r\n"
    mov edx, 0xF
    int 0x80
    jmp end          ; Injector will insert a jump to original entry point

    ;mov eax, 0x1    ; Intentionally not returning the control
    ;mov ebx, 0x0
    ;int 0x80

MESSAGE:
    call GOBACK       ; 2) we are going back, since we used `call`, that means
                      ; the return address, which is in this case the address 
                      ; of "Hello, World!\r\n", is pushed into the stack.
    db "Hello, World!", 0dh, 0ah

end:

Compiled both the host and the parasite and injected the shellcode at the end.

gcc -m32 simple_if.c -o simple_if
nasm -f elf hello.asm -o hello.o
ld -m elf_i386 hello.o -o hello

# Test the assembled code
./hello
Hello, World!
Segmentation fault (core dumped)
# Segfault is natural, we are not gracefully returning to OS

# Now extract the shellcode
for i in `objdump -d ./hello | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' `; do echo -n "\\\\x$i" ; done | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'
"\xeb\x14\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x59\xba\x0f\x00\x00\x00\xcd\x80\xeb\x14\xe8\xe7\xff\xff\xff\x48\x65\x6c\x6c\x6f\x2c\x20\x57\x6f\x72\x6c\x64\x21\x0d\x0a"

# Update parasite.h
make
./infector simple_if

Run the infected file
./simple_if
Hello, World!
Enter 0/1: 8
Entered value: 1
Segmentation fault (core dumped)

But I expect the program to exit gracefully, because the infector inserts a jump to the OEP at the end of the shellcode. I tried the same with a different payload. But in this case, the program runs in an infinite loop and never exits.

global     _start

section    .text

_start:
    mov    ecx,0x23f0
    mov    edx,0x804869c
    jmp    prog_name

stub:
    pop    eax
    push   ebx
    mov    ebx,edx
    ;db     0x0f,0x3f,0x00,0xaa,0x00,0x00,0x00,0x00,0x00,0x00
    pop    ebx
    xor    eax,eax
    jmp    jump_start

prog_name:
    call   stub
    db "simple_if",0x00,0x90

jump_start:

This is what the infected file produces.

./simple_if
Enter 0/1: 9
Entered value: 1
Enter 0/1: 7
Entered value: 1
Enter 0/1: 6
Entered value: 1
Enter 0/1: 5
Entered value: 1
Enter 0/1: ^C

With GDB, I can see the shellcode is executed first and then the program jumps to OEP. The crash occurs thereafter.
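A defender-side check for the entry-point redirection that both the infector and this issue rely on (e_entry pointed at the parasite appended after the text, which then jumps back to the OEP). This is an added example, not code from the elf-infector project or from the issue author; it assumes the infected file still carries a section table that the infector did not rewrite, so an e_entry outside the `.text` section is the tell. `build_elf32` is a constructed test fixture (header plus a three-entry section table), not a loadable binary.

```python
import struct

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # ELF32 header (52 bytes, little endian)
SHDR_FMT = "<IIIIIIIIII"         # ELF32 section header (40 bytes)


def check_entry(data):
    """Return (e_entry, text_start, text_end, inside) for a little-endian ELF32 image.

    inside is False when the entry point lies outside the .text section, which is
    what a text-segment-padding parasite with a redirected e_entry looks like.
    """
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    ident, e_entry, e_shoff = hdr[0], hdr[4], hdr[6]
    e_shentsize, e_shnum, e_shstrndx = hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    if e_shnum == 0:
        # A stripped section table is itself worth a second look.
        raise ValueError("no section table; cannot locate .text")
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    str_off, str_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    for sh in shdrs:
        if strtab[sh[0]:].split(b"\0", 1)[0] == b".text":
            start, end = sh[3], sh[3] + sh[5]      # sh_addr, sh_addr + sh_size
            return e_entry, start, end, start <= e_entry < end
    raise ValueError("no .text section")


def build_elf32(entry, text_addr=0x08048300, text_size=0x200):
    """Constructed test fixture: ELF32 header plus a 3-entry section table (null,
    .text, .shstrtab). Enough for check_entry(); it is not a loadable binary."""
    shstrtab = b"\0.text\0.shstrtab\0"          # name offsets: .text=1, .shstrtab=7
    shoff = 52 + len(shstrtab)
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       2, 3, 1, entry, 0, shoff, 0, 52, 32, 0, 40, 3, 2)
    null = struct.pack(SHDR_FMT, *([0] * 10))
    text = struct.pack(SHDR_FMT, 1, 1, 6, text_addr, 0x300, text_size, 0, 0, 16, 0)
    strs = struct.pack(SHDR_FMT, 7, 3, 0, 0, 52, len(shstrtab), 0, 0, 1, 0)
    return ehdr + shstrtab + null + text + strs


if __name__ == "__main__":
    import sys
    entry, start, end, inside = check_entry(open(sys.argv[1], "rb").read())
    print("e_entry=%#x .text=[%#x,%#x) %s" % (entry, start, end,
          "ok" if inside else "SUSPICIOUS: entry outside .text"))
```

Run it against a binary before and after infection to see the entry point move out of `.text`; an infector that also patches the section headers would need a segment-based check (entry past the end of the first PT_LOAD's original contents) instead.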
